一种应对APT攻击的安全架构:异常发现

威胁是一种对特定系统、组织及其资产造成破坏的潜在因素，反映的是攻击实施者依照其任务需求对被攻击对象长期持续地施以各种形式攻击的过程.面对高级可持续威胁(advanced persistent threat, APT)，在其造成严重经济损失之前，现有的安全架构无法协助防御者及时发现威胁的存在.在深入剖析威胁的外延和内涵的基础上，详细探讨了威胁防御模型.提出了一种应对APT攻击的安全防御理论架构:异常发现，以立足解决威胁发现的难题.异常发现作为防御策略和防护部署工作的前提,通过实时多维地发现环境中存在的异常、解读未知威胁、分析攻击实施者的目的，为制定具有针对性的应对策略提供必要的信息.设计并提出了基于异常发现的安全体系技术架构:“慧眼”，通过高、低位协同监测的技术，从APT攻击的源头、途径和终端3个层面监测和发现.

Security Architecture to Deal with APT Attacks: Abnormal Discovery

Threat is a potential damage to specific systems, organizations and their assets. It exists in the process of various prolonged attacks to the targets by attackers in light of their task requirement. Facing advanced persistent threat (APT), the existing security architecture cannot help the victims to detect the threat in time before serious economic losses are caused. Based on the in-depth analysis of the denotation and connotation of threat, this paper explores defense models to threat in details and proposes a theoretic security and defense framework to deal with the APT: abnormal discovery, so as to solve the problem of threats detection. As the prerequisite of defensing policy and protective deployment, abnormal discovery can provide the necessary information for making an effective and targeted defensing policy through discovering the abnormal in the environment in real time and in multi dimension, unscrambling unknown thread and analyzing the attackers purpose. “Wizeye”, a security architecture based on abnormal discovery is designed and proposed. With high and low monitoring technology coordination, it can monitor and detect the APT from its source, pathway and terminal.