The CNCERT Annual Conference organized by CNCERT/CC has added innovative selection process. Based on the principles of fairness, justice, objectivity and authority, it publicly collects and selects innovative products and innovative technological achievements in the field of cyber security in China, and issues reward certificates. After three sessions of material collection, material preliminary review and on-site reply campaign, Antiy Persistent Threat Analysis System (hereinafter referred to as PTA) was awarded the “2018 Network Security Innovation Product (Technology)”.

PTA is an independent in-depth threat analysis product developed by Antiy. It can analyze various documents collected, restored and extracted during endpoint protection, flow monitoring and emergency disposal. In addition, it can also discover various format vulnerabilities, fine-grained reveal file execution behavior, and realize threat intelligence production. Antiy is the leading vendor of automatic handling of malware threats. Since 2004, Antiy has realized automatic identification processing and rule output of daily full-volume newly added files, thus laying the work foundation of automatic processing of massive threats. Starting from 2006, relying on automation capabilities, Antiy has provided object identification and document sorting services for security partners, and provided threat response and identification support for customers deploying its products.

With the development of security threats, the malware antagonism mechanism based only on the “black or white” mode is easy to be eliminated and circumvented by zero-day exploit, which results in single point failure. According to the high-level network security requirements, it will gradually become a rigid demand to extract and retain all unrecognized executable files for identification, and to retain and restore all files that may be attack loads in the traffic side. The response cycle required for user threat identification is shortening, at the same time, attack payloads are no longer just traditional executable programs and script files, format files such as Office, PDF, and WPS, while the number of redirected execution attacks is increasing with the use of compression packages such as 7z and ZIP. The user submits the document file to the manufacturer for security identification which results in risk of leakage, so there forms the contradiction between the security requirements and the confidentiality requirements determined by the document.
In 2013, Antiy timely followed up the above demands, cut and encapsulated the background analysis ability, and launched persistent threat analysis system. It establishes the linkage capability with the security end point protection and flow monitoring products, and assists users to form the self-operation closed loop of document collection and authentication to threat intelligence feedback. PTA delivers threat intelligence generated by Antiy’s analysis of advanced network space behavior to products such as situational awareness so as to continuously improve the ability to detect high-level threats.
The new PTA comprehensively increases the environmental simulation support for the domestic system, utilizes the vector disassembly output ability of the next generation threat detection engine by Antiy, and forms and verifies the dynamic behavior. It establishes a decision forest decision mechanism based on tag logic, supports user customization to scale to order of magnitude rules, and transforms dynamic and static vectors into analytical data resources available to upper security control and situational awareness platforms. Through the enhancement of these features, it won the “2018 Cybersecurity Innovation Product (Technology) Award”.

PTA CASE STUDY:

 Antiy’s Detection and Defense against CVE-2017-11882 Exploit Sample
（https://mp.weixin.qq.com/s/ymq6jol8pPDUcCEgZ-yK9g）
 PTA’s Monitoring and Analysis against Virus Variants exploiting the “0199” Vulnerability
（http://mp.weixin.qq.com/s/CJtrhy9XjnC9u77-Jt3rqQ）