GB/T 37027-2025 Cybersecurity technology - Criteria for determining network attack and network attack incident
This is a draft translation for reference by interested stakeholders. The finalized translation (after draft translation, self-check, revision and verification) will be delivered upon order.
ICS 35.030
CCS L 80
National Standard of the People's Republic of China
GB/T 37027-2025
Replaces GB/T 37027-2018
Cybersecurity technology - Criteria for determining network attack and network attack incident
网络安全技术 网络攻击和网络攻击事件判定准则
(English Translation)
Issue date: 2025-02-28 Implementation date: 2025-09-01
Issued by the State Administration for Market Regulation
the Standardization Administration of the People's Republic of China
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Descriptive information elements
6 Determination conditions
7 Counting methods
Annex A (Informative) Typical types of attack targets
Annex B (Informative) Typical network attack processes
Annex C (Informative) Typical determination methods for network attacks and network attack incidents
Annex D (Informative) Overview of network attacks and network attack incidents
Annex E (Informative) Information elements and counting examples for describing network attacks and network attack incidents
Bibliography
Cybersecurity technology - Criteria for determining network attack and network attack incident
1 Scope
This document establishes the descriptive information elements, determination and counting methods for network attacks and network attack incidents.
This document is applicable to guiding organizations in conducting activities such as monitoring and analysis, situational awareness, and information reporting of network attacks and network attack incidents.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20986-2023 Information security technology - Guidelines for category and classification of cybersecurity incidents
GB/T 30279-2020 Information security technology - Guidelines for categorization and classification of cybersecurity vulnerability
3 Terms and definitions
The terms and definitions defined in GB/T 20986-2023 and GB/T 30279-2020 as well as the following apply to this document.
3.1
network attack
acts that use information network technologies and various means to exploit security vulnerabilities and flaws existing in the network to interfere with, control, or damage the network, affecting its normal operation, as well as steal, abuse, tamper with, or destroy network data, endangering data security
3.2
network attack incident
security incident caused or potentially caused by a network attack (3.1) that results in business loss or harm
4 Abbreviations
The following abbreviations apply to this document.
APT: advanced persistent threat
ARP: address resolution protocol
AS: autonomous system
BGP: border gateway protocol
DNS: domain name system
HTTP: hypertext transfer protocol
IOC: indicators of compromise
IP: internet protocol
WLAN: wireless local area network
5 Descriptive information elements
5.1 Network attacks
The basic descriptive information elements for network attacks are shown in Table 1.
The extended descriptive information elements for network attacks are shown in Table 2.
5.2 Network attack incidents
The basic descriptive information elements for network attack incidents are shown in Table 3.
The extended descriptive information elements for network attack incidents are shown in Table 4.
6 Determination conditions
6.1 Overview of determination
The determination of network attacks and network attack incidents refers to identifying distinct network attacks and network attack incidents within a specific determination period, using the determination methods (see Annex D). In the determination process, if the relevant determination conditions are met, the corresponding network attack or network attack incident is considered to have been identified.
6.2 Determination conditions for network attacks
6.2.1 Network scanning and probing attacks
A network scanning and probing attack is determined to have occurred if one of the following conditions is met:
a) Within a certain time period, the number of network requests targeting ports, paths, configurations, etc. exceeds the normal threshold range, or the content of the network requests shows traversal (enumeration) or deliberate construction;
b) Network traffic or device/system/software logs contain characteristics of network scanning software, such as string features unique to a particular network scanning tool in the UA and Cookie fields of HTTP headers.
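As an added worked example (not part of the standard), the following Python applies both conditions of 6.2.1 to constructed web-server access-log lines: condition a) as a sliding-window count of distinct paths requested by one source, condition b) as a User-Agent signature match. The window size, threshold and signature list are assumed values that a deployment would tune to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not taken from the standard), one per
# request: "<ISO timestamp> <source IP> <method> <path> <status> "<User-Agent>""
SAMPLE_LOG = """\
2025-09-01T10:00:00 198.51.100.7 GET /index.html 200 "Mozilla/5.0"
2025-09-01T10:00:02 198.51.100.7 GET /about.html 200 "Mozilla/5.0"
2025-09-01T10:00:05 203.0.113.9 GET /admin/ 404 "Mozilla/5.0"
2025-09-01T10:00:06 203.0.113.9 GET /backup/ 404 "Mozilla/5.0"
2025-09-01T10:00:06 203.0.113.9 GET /old/ 404 "Mozilla/5.0"
2025-09-01T10:00:07 203.0.113.9 GET /test/ 404 "Mozilla/5.0"
2025-09-01T10:00:07 203.0.113.9 GET /login 404 "Mozilla/5.0"
2025-09-01T10:00:08 203.0.113.9 GET /config.php 404 "Mozilla/5.0"
2025-09-01T10:01:30 192.0.2.44 GET / 200 "Mozilla/5.0 (compatible; Nikto/2.1.6)"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Assumed thresholds and signature list; a real deployment tunes these.
WINDOW = timedelta(seconds=60)          # "within a certain time period"
DISTINCT_PATH_THRESHOLD = 5             # "normal threshold range" per source
SCANNER_UA_SIGNATURES = ("nikto", "sqlmap", "masscan")   # condition b)

def parse(log_text):
    """Yield (timestamp, source IP, path, user agent) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, _method, path, _status, ua = m.groups()
            yield datetime.fromisoformat(ts), src, path, ua

def determine_scanning(log_text):
    """Return {source IP: reason} for sources that meet 6.2.1 a) or b)."""
    findings = {}
    recent = defaultdict(deque)   # source IP -> (timestamp, path) inside WINDOW
    for ts, src, path, ua in parse(log_text):
        # Condition b): a scanning tool's string feature in the User-Agent.
        if any(sig in ua.lower() for sig in SCANNER_UA_SIGNATURES):
            findings.setdefault(src, "6.2.1 b) scanner signature in UA: " + ua)
        # Condition a): distinct targets requested by one source in the window.
        window = recent[src]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) > DISTINCT_PATH_THRESHOLD:
            findings.setdefault(src, "6.2.1 a) %d distinct paths within %ds"
                                % (len(distinct), WINDOW.total_seconds()))
    return findings
```

The first condition that fires for a source is recorded as its reason; the benign browsing source is never flagged because it stays under the distinct-path threshold.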
6.2.2 Phishing attacks
A phishing attack is determined to have occurred when information disseminated through the network (such as web pages, web emails, software, files, images, etc.) is fraudulent or forged, and it induces visitors to, for example, submit important data or personal information, download malware, or scan QR codes for money transfers so that the attacker obtains economic benefits.
6.2.3 Vulnerability exploitation attacks
A vulnerability exploitation attack is determined to have occurred if one of the following conditions is met:
a) Network traffic or device/system/software logs contain string characteristics of typical vulnerability exploitation attack packets;
b) Network traffic or device/system/software logs contain characteristics of vulnerability exploitation tools, such as relevant string features in the UA and Cookie fields of HTTP headers.
6.2.4 Backdoor exploitation attack
A backdoor exploitation attack is determined to have occurred if one of the following conditions is met:
a) Network traffic or device/system/software logs contain characteristics of backdoor exploitation attack packets, such as features of backdoor exploitation tools or code;
b) Networks, applications, or operating systems contain traces of backdoor exploitation, such as the existence of web backdoor executable files or login behaviors of backdoor accounts.
6.2.5 Backdoor implantation attack
A backdoor implantation attack is determined to have occurred if one of the following conditions is met:
a) Network traffic or device/system/software logs contain characteristics of backdoor implantation attack packets, such as features of backdoor implantation tools or code;
b) Networks, applications, or operating systems contain traces of backdoor implantation, such as the detection of backdoor files that allow attackers to obtain greater privileges, or the existence of an implanted backdoor account.