CN113297576A - Threat detection method and device, behavior portrait method and device and electronic equipment - Google Patents


Info

Publication number
CN113297576A
Authority
CN
China
Prior art keywords
resource
behavior
current
access information
information
Prior art date
Legal status
Pending
Application number
CN202110668759.7A
Other languages
Chinese (zh)
Inventor
顾立明
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a threat detection method, a threat detection device, a behavior portrait method, a behavior portrait device, an electronic device and a readable storage medium, wherein the threat detection method comprises the following steps: acquiring a normal behavior baseline corresponding to each preset resource; the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in preset resources; detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline; therefore, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, and the abnormal behavior detection is carried out on the behavior to be detected on the basis of the resource access information, so that the unknown suspicious or malicious behavior can be detected, the situation that the defending party is passive and lagged in the information security attack and defense countermeasure is reversed, and the security protection effect of the information security product is improved.

Description

Threat detection method and device, behavior portrait method and device and electronic equipment
Technical Field
The invention relates to the technical field of information security, in particular to a threat detection method and device, a behavior portrait method and device, electronic equipment and a readable storage medium.
Background
In the field of information security, both attacking and defending parties have continuous countermeasures, and the attacking party always tries to adopt a new means to avoid detection and bypass protection, so that a threat which is unknown to the defending party appears.
At present, detection and protection of threats in the industry are generally based on characteristics (such as traditional antivirus, failure indicator IOC detection and the like) or behaviors (such as active defense, behavior detection and the like) of known threats, so that the effect of the existing threat detection scheme on unknown threats is poor, and a defender always lags behind an attacker due to being in a passive position, so that the safety protection effect of an information security product is poor. Therefore, how to detect and protect unknown threats, and to reverse the situation that the defending party is passive and lagged in information security attack and defense countermeasures, and to improve the security protection effect of information security products is a problem which needs to be solved urgently at present.
Disclosure of Invention
The invention aims to provide a threat detection method and device, a behavior portrayal method and device, electronic equipment and a readable storage medium, which are used for detecting abnormal behaviors to protect unknown threats and improve the safety protection effect of information safety products.
In order to solve the above technical problem, the present invention provides a threat detection method, including:
acquiring a normal behavior baseline corresponding to each preset resource; wherein the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in the preset class of resources;
and detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
Optionally, after detecting an abnormal behavior in the behaviors to be detected according to the normal behavior baseline, the method further includes:
and carrying out threat processing on the abnormal behaviors.
Optionally, the obtaining the normal behavior baseline corresponding to each preset resource includes:
acquiring resource access information corresponding to each normal behavior; wherein the resource access information comprises the accessed resource information and the visitor information;
and according to the resource access information, establishing a normal behavior baseline corresponding to each preset resource.
Optionally, the detecting, according to the normal behavior baseline, an abnormal behavior in the behaviors to be detected includes:
acquiring current resource access information; the current resource access information comprises accessed resource information and visitor information corresponding to the current behavior to be detected;
determining a target base line according to accessed resource information in the current resource access information; the target baseline is a normal behavior baseline of a preset resource corresponding to the current resource access information;
comparing the current resource access information with the target baseline, and determining the difference between the current resource access information and the target baseline;
and detecting whether the current behavior to be detected is the abnormal behavior or not according to the difference.
Optionally, the comparing the current resource access information with the target baseline to determine the difference between the current resource access information and the target baseline includes:
calculating the similarity between the current resource access information and the target baseline; the similarity is the similarity of the current resource access information and the accessed resource of the target baseline or the similarity of the current resource access information and the visitor of the target baseline;
and taking the reciprocal of the similarity as the difference.
Optionally, the detecting, according to the difference, whether the current behavior to be detected is the abnormal behavior includes:
judging whether the difference is larger than a difference threshold value or not;
and if the difference is larger than the difference threshold value, determining the current behavior to be detected as the abnormal behavior.
The invention also provides a threat detection apparatus, comprising:
the base line acquisition module is used for acquiring the normal behavior base lines corresponding to the preset resources; wherein the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in the preset class of resources;
and the abnormal detection module is used for detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
The invention also provides a behavior portrait method, which comprises the following steps:
acquiring resource access information corresponding to each normal behavior; wherein the resource access information comprises accessed resource information and visitor information;
according to the resource access information, establishing a normal behavior baseline corresponding to each preset resource; and the normal behavior baseline comprises accessed resource information and/or visitor information in the preset class of resources.
Optionally, the constructing a normal behavior baseline corresponding to each preset resource according to the resource access information includes:
acquiring a resource access information set corresponding to the current preset resource according to the accessed resource information; the resource access information set comprises resource access information for accessing the current preset resource;
and generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
Optionally, before generating the normal behavior baseline corresponding to the current preset resource according to the resource access information set, the method further includes:
according to the resource access information set, counting the access distribution condition of each resource in the current preset resource;
judging whether the current preset resources finish normal behavior portraits or not according to the access distribution condition;
if so, executing the step of generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set;
and if not, executing the step of acquiring the resource access information corresponding to each normal behavior.
Optionally, the determining, according to the access distribution status, whether the current preset resource completes the normal behavior portrait includes:
when the statistical time of the current access distribution condition does not reach the preset portrait time or the difference between the current access distribution condition and the dispersion degree of the previous access distribution condition is not smaller than the dispersion degree threshold value, determining that the current preset resource does not complete the normal behavior portrait, and executing the step of acquiring the resource access information corresponding to each normal behavior;
and when the statistical time reaches the preset portrait drawing time and the dispersion degree difference is smaller than the dispersion degree threshold value, determining that the current preset resource finishes normal behavior portrait drawing, and executing the step of generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
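As an added example, not the patent's own code, the following Python works through the portrait steps above for one preset resource category: it accumulates the resource access information set round by round, counts the access distribution, uses normalized entropy as the dispersion degree (an assumed measure; the patent fixes none), and generates the baseline only once the preset portrait time (counted here in collection rounds, an assumption) is reached and the change in dispersion has fallen below the threshold. The sample rounds are constructed.

```python
import math
from collections import Counter


def dispersion(distribution) -> float:
    """Dispersion degree of an access distribution (assumed measure, the patent fixes none):
    Shannon entropy of the per-resource access counts, normalised to [0, 1].
    A distribution over fewer than two resources has no spread and scores 0.0."""
    total = sum(distribution.values())
    n = len(distribution)
    if total == 0 or n < 2:
        return 0.0
    h = -sum((c / total) * math.log(c / total) for c in distribution.values() if c)
    return h / math.log(n)


class Portrait:
    """Behavior portrait of one preset resource category."""

    def __init__(self, category: str, portrait_time: int, dispersion_threshold: float):
        self.category = category
        self.portrait_time = portrait_time          # preset portrait time, in collection rounds
        self.dispersion_threshold = dispersion_threshold
        self.access_set = []                        # resource access information set of this category
        self.rounds = 0                             # statistical time elapsed so far
        self.previous_dispersion = None
        self.baseline = None                        # generated once the portrait is complete

    def add_round(self, accesses) -> bool:
        """One round of acquiring normal-behavior access information. Returns True once the
        portrait is complete and the baseline has been generated, False to keep acquiring."""
        self.access_set.extend(a for a in accesses if a["category"] == self.category)
        self.rounds += 1
        # access distribution: how often each resource of the category was accessed so far
        distribution = Counter(a["resource"] for a in self.access_set)
        current = dispersion(distribution)
        delta = None if self.previous_dispersion is None else abs(current - self.previous_dispersion)
        self.previous_dispersion = current
        time_reached = self.rounds >= self.portrait_time
        stable = delta is not None and delta < self.dispersion_threshold
        if time_reached and stable:
            self.baseline = self._generate()
            return True
        return False  # portrait not finished: acquire more resource access information

    def _generate(self) -> dict:
        """Normal behavior baseline: accessed resource info and visitor info of the category."""
        resources = sorted({a["resource"] for a in self.access_set})
        return {
            "category": self.category,
            "resources": resources,
            "visitors": sorted({a["visitor"] for a in self.access_set}),
            "visitors_by_resource": {
                r: sorted({a["visitor"] for a in self.access_set if a["resource"] == r})
                for r in resources
            },
        }


def _acc(category, visitor, resource):
    return {"category": category, "visitor": visitor, "resource": resource}


# Constructed rounds of normal endpoint telemetry (not real data); registry rows are
# filtered out by the "file" portrait.
ROUND_1 = [_acc("file", "winword.exe", "Documents/report.docx")] * 3 + [
    _acc("file", "excel.exe", "Documents/budget.xlsx"),
    _acc("registry", "explorer.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]
ROUND_2 = [_acc("file", "winword.exe", "Documents/notes.docx")] * 4
ROUND_3 = ROUND_1 + ROUND_2   # same access pattern again: the distribution stops shifting


def run_portrait(rounds, portrait_time=2, dispersion_threshold=0.05):
    """Feed the rounds to a file-category portrait; return per-round completion flags and baseline."""
    portrait = Portrait("file", portrait_time, dispersion_threshold)
    results = [portrait.add_round(r) for r in rounds]
    return results, portrait.baseline


if __name__ == "__main__":
    flags, baseline = run_portrait([ROUND_1, ROUND_2, ROUND_3])
    print("completion per round:", flags)
    print("baseline:", baseline)
```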
The invention also provides a behavior portrayal device, comprising:
the information acquisition module is used for acquiring resource access information corresponding to each normal behavior; wherein the resource access information comprises accessed resource information and visitor information;
the base line construction module is used for constructing a normal behavior base line corresponding to each preset type resource according to the resource access information; and the normal behavior baseline comprises accessed resource information and/or visitor information in the preset class of resources.
The present invention also provides an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the threat detection method as described above and/or the behavioural portrayal method as described above when said computer program is executed.
The invention also provides a readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the threat detection method as described above and/or the behaviour portrayal method as described above.
The invention provides a threat detection method, which comprises the following steps: acquiring a normal behavior baseline corresponding to each preset resource; the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in preset resources; detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline;
therefore, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, and the abnormal behavior detection is carried out on the behavior to be detected on the basis of the resource access information, so that the unknown suspicious or malicious behavior can be detected, the situation that the defending party is passive and lagged in the information security attack and defense countermeasure is reversed, and the security protection effect of the information security product is improved. In addition, the invention also provides a threat detection device, a behavior portrait method, a behavior portrait device, electronic equipment and a readable storage medium, which also have the above beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a threat detection method provided by an embodiment of the invention;
FIG. 2 is a flow chart of an abnormal behavior detection process of another threat detection method provided by an embodiment of the invention;
FIG. 3 is a block diagram of a threat detection apparatus according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a behavior portrayal method according to an embodiment of the present invention;
FIG. 5 is a flow chart of a baseline construction process of another behavior portrayal method provided by an embodiment of the invention;
FIG. 6 is a block diagram of a behavior portrayal device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an electronic device provided in this embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a threat detection method according to an embodiment of the present invention. The method can comprise the following steps:
step 101: acquiring a normal behavior baseline corresponding to each preset resource; and the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in the preset class resources.
Specifically, the preset resource in this step may be a preset resource category. The present embodiment does not limit the specific category setting of the preset resources, for example, the resources that can be accessed in the terminal may be directly divided into preset resources such as file resources, network resources, and registry resources, or the resources such as files, networks, and registries may be further divided into preset resources such as multiple file resources, multiple network resources, and multiple registry resources.
It can be understood that the normal behavior baseline corresponding to each preset resource in this step may be accessed resource information and/or visitor information of the normal behavior corresponding to each preset resource that is baseline, that is, the accessed resource information of the normal behavior of accessing each preset resource and the baseline result of the visitor information; the normal behavior may be a normal behavior of a process on the terminal or a user, such as a normal behavior detected by an EDR (Endpoint Detection Response) device; accessed resource information and visitor information may be information in resource access information representing access by a process or user (i.e., visitor information) to a resource (i.e., accessed resource information such as a file, network, registry, or the like).
That is to say, in this step, the processor obtains the normal behavior baselines corresponding to the preset resources, so that the processor can perform abnormal behavior detection on the behavior to be detected by using the normal behavior baselines of the preset resources, thereby realizing detection on unknown suspicious or malicious behaviors.
Specifically, the specific manner in which the processor acquires the respective corresponding normal behavior baselines of the preset resources in this step may be set by the designer according to the practical scenario and the user requirement, for example, the processor may directly acquire the respective corresponding normal behavior baselines of the preset resources, or receive the respective corresponding normal behavior baselines of the preset resources transmitted by the server or the storage device. The processor can also generate a normal behavior baseline corresponding to each preset resource, for example, the processor can portray the normal behavior and construct a normal behavior baseline corresponding to each preset resource; for example, the processor may use the behavior portrayal method shown in fig. 4 to obtain resource access information corresponding to each normal behavior; according to the resource access information, a normal behavior baseline corresponding to each preset resource is established; the resource access information comprises accessed resource information and visitor information.
Step 102: and detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
It can be understood that the behavior to be detected in this step may be a behavior that requires abnormal behavior detection, such as a behavior of a process on the terminal or a user monitored by the EDR. The embodiment does not limit the specific selection of the behavior to be detected, for example, the behavior to be detected may be all behaviors detected by the EDR device, and the behavior to be detected may also be a behavior detected by the EDR device that cannot be determined as a normal behavior by the existing method.
Correspondingly, in this step, the processor may perform abnormal behavior detection on the behavior to be detected by using the normal behavior baseline of the preset resource accessed by the behavior to be detected, so as to detect and identify an abnormal behavior, i.e., a suspicious or malicious behavior, in the behavior to be detected, thereby implementing detection on an unknown suspicious or malicious behavior.
Specifically, in this step, the processor may first obtain resource access information corresponding to the behavior to be detected, and then determine the behavior category of the behavior to be detected by comparing the resource access information with a normal behavior baseline of a preset resource accessed by the resource access information.
It should be noted that, the present embodiment does not limit the sequence of step 101 and step 102, for example, the processor may first perform step 101 and then perform step 102, that is, after acquiring the normal behavior baselines corresponding to all the preset resources, the processor may detect the abnormal behavior of the behavior to be detected by using the acquired normal behavior baselines; step 102 may also be performed in the process of step 101, that is, after the normal behavior baselines corresponding to the partial preset resources are acquired, the behavior categories of the behaviors to be detected may be identified by using the acquired normal behavior baselines in the process of acquiring the normal behavior baselines corresponding to the remaining preset resources.
Further, in this embodiment, the processor may further perform threat processing on the detected abnormal behavior to eliminate a security threat of the abnormal behavior. The embodiment does not limit the specific way of threat handling performed on the abnormal behavior, for example, the processor may intercept the abnormal behavior, that is, the processor may intercept the behavior to be detected after determining that the behavior to be detected is the abnormal behavior, so as to avoid execution of suspicious or malicious behavior in the terminal and ensure the use safety of the terminal; the processor can also isolate the initiator (such as a process) of the abnormal behavior; the processor can also delete the file added by the abnormal behavior, repair the file modified by the abnormal behavior and the like, so as to avoid the influence of suspicious or malicious behavior in the terminal on resources in the terminal.
In the embodiment of the invention, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, and the abnormal behavior detection is carried out on the behavior to be detected on the basis of the resource access information, so that the unknown suspicious or malicious behavior can be detected, the passive and lagging situation of the defending party in the information security attack and defense countermeasure is reversed, and the security protection effect of the information security product is improved.
Based on the above embodiments, the present embodiment will specifically describe several steps in the above embodiments. The process of detecting abnormal behavior in the behaviors to be detected according to the normal behavior baseline in the above embodiment may be as shown in fig. 2, and includes:
step 1021: acquiring current resource access information; the current resource access information comprises accessed resource information and visitor information corresponding to the current behavior to be detected.
It should be noted that the current resource access information in this step may be resource access information corresponding to any behavior to be detected (i.e., the current behavior to be detected), for example, resource access information corresponding to any behavior to be detected, which is currently monitored by the EDR device; the resource access information can comprise accessed resource information and visitor information; that is to say, in this embodiment, the processor may abstract the current behavior to be detected into current resource access information, that is, information of access of a process or a user (that is, visitor information) to a certain resource (that is, accessed resource information, such as a file, a network, or a registry, and the like), by performing behavior modeling on the obtained current behavior to be detected.
Step 1022: determining a target base line according to accessed resource information in the current resource access information; and the target baseline is a normal behavior baseline of the preset resource corresponding to the current resource access information.
Specifically, in this step, the processor may determine the normal behavior baseline (i.e., the target baseline) of the preset resource to which the accessed resource belongs, according to the resource accessed by the process or user in the current resource access information (i.e., the accessed resource information), so that abnormal behavior detection of the current behavior to be detected is achieved by comparing the target baseline with the current resource access information.
Step 1023: and comparing the current resource access information with the target baseline to determine the difference between the current resource access information and the target baseline.
It should be noted that, in this step, the processor may determine the difference between the current resource access information and the target baseline by comparing the current resource access information and the target baseline. The specific manner of comparing the current resource access information with the target baseline and determining the difference between the current resource access information and the target baseline in the step can be set by a designer, for example, the processor can calculate the similarity between the current resource access information and the target baseline, and the reciprocal of the calculated similarity is used as the difference between the current resource access information and the target baseline.
Specifically, the similarity between the current resource access information and the target baseline may be a quantitatively calculated similarity between the current resource access information and the accessed resource information of the target baseline (that is, an accessed resource similarity), for example, the similarity between the accessed resource information of the current resource access information and the accessed resource information corresponding to the same visitor information in the target baseline, that is, the similarity between the resource information (such as resource attributes and size) accessed by a given user or process in the current resource access information and the resource information accessed by that same user or process in the target baseline. The similarity may also be a quantitatively calculated similarity between the current resource access information and the visitor information of the target baseline (that is, a visitor similarity), for example, the similarity between the visitor information of the current resource access information and the visitor information corresponding to the same accessed resource information in the target baseline, that is, the similarity between the information of the user or process accessing a certain resource in the current resource access information and the information of the users or processes that access that resource in the target baseline.
Step 1024: and detecting whether the current behavior to be detected is abnormal behavior or not according to the difference.
In this step, the processor may determine whether the current behavior to be detected corresponding to the current resource access information is an abnormal behavior by using the determined difference between the current resource access information and the target baseline, that is, determine the behavior category of the current behavior to be detected, thereby implementing the abnormal behavior detection on the current behavior to be detected.
Specifically, the embodiment does not limit the specific manner in which the processor detects whether the current behavior to be detected is an abnormal behavior according to the difference. For example, the processor may directly determine the behavior category of any current behavior to be detected whose difference from the target baseline is greater than the difference threshold as abnormal behavior; that is, in this step the processor may determine whether the difference is greater than the difference threshold. If the difference is greater than the difference threshold, the current behavior to be detected can be determined as abnormal behavior, that is, the behavior category of the current behavior to be detected is determined as abnormal behavior; if the difference is not greater than the difference threshold, the current behavior to be detected can be determined as normal behavior, that is, the behavior category of the current behavior to be detected is determined as normal behavior.
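As an added illustration of steps 1021 to 1024, not code from the patent, the following Python abstracts each behavior into visitor and accessed-resource attribute dicts, indexes a normal behavior baseline per preset resource category, scores similarity as the best fraction of agreeing attributes against the target baseline (an assumed measure; the patent leaves it open) in both the visitor and the accessed-resource direction and keeps the higher one, takes the reciprocal as the difference with a guard for zero similarity, and compares it with an assumed difference threshold of 2.0. The sample accesses are constructed.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Access:
    """One behavior abstracted as "visitor accesses resource" (resource access information).
    category is the preset resource class; visitor and resource are attribute dicts."""
    category: str
    visitor: dict
    resource: dict


@dataclass
class Baseline:
    """Normal behavior baseline of one preset resource category."""
    category: str
    visitors_by_resource: dict = field(default_factory=dict)  # resource key -> [visitor info]
    resources_by_visitor: dict = field(default_factory=dict)  # visitor key -> [resource info]


def _key(info: dict) -> tuple:
    """Hashable key for an attribute dict."""
    return tuple(sorted(info.items()))


def build_baselines(normal_accesses) -> dict:
    """Step 101: index the normal behaviors per preset resource category."""
    baselines = {}
    for a in normal_accesses:
        b = baselines.setdefault(a.category, Baseline(a.category))
        b.visitors_by_resource.setdefault(_key(a.resource), []).append(a.visitor)
        b.resources_by_visitor.setdefault(_key(a.visitor), []).append(a.resource)
    return baselines


def attribute_similarity(info: dict, candidates) -> float:
    """Assumed quantitative similarity: best fraction of attributes on which info agrees
    with any candidate taken from the baseline; 0.0 when there is nothing to compare."""
    best = 0.0
    for c in candidates:
        keys = set(info) | set(c)
        matched = sum(1 for k in keys if info.get(k) == c.get(k))
        best = max(best, matched / len(keys))
    return best


def difference(current: Access, baselines: dict) -> float:
    """Steps 1022-1023: select the target baseline by the accessed resource's category,
    compute the similarity and return its reciprocal as the difference."""
    target = baselines.get(current.category)
    if target is None:                       # no baseline for this category: maximally different
        return math.inf
    # visitor similarity: does this visitor resemble those that normally access this resource?
    sim_visitor = attribute_similarity(
        current.visitor, target.visitors_by_resource.get(_key(current.resource), []))
    # accessed-resource similarity: does this resource resemble what this visitor normally accesses?
    sim_resource = attribute_similarity(
        current.resource, target.resources_by_visitor.get(_key(current.visitor), []))
    similarity = max(sim_visitor, sim_resource)   # either direction may justify the behavior
    return math.inf if similarity == 0.0 else 1.0 / similarity   # reciprocal, guarded against 0


def is_abnormal(current: Access, baselines: dict, difference_threshold: float = 2.0) -> bool:
    """Step 1024: abnormal when the difference exceeds the difference threshold."""
    return difference(current, baselines) > difference_threshold


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample of normal behaviors observed on one endpoint (not real telemetry).
NORMAL_ACCESSES = [
    Access("file", {"process": "winword.exe", "user": "alice"}, {"dir": "Documents", "ext": "docx"}),
    Access("file", {"process": "winword.exe", "user": "alice"}, {"dir": "Documents", "ext": "docx"}),
    Access("file", {"process": "excel.exe", "user": "alice"}, {"dir": "Documents", "ext": "xlsx"}),
    Access("registry", {"process": "explorer.exe", "user": "alice"}, {"key": RUN_KEY, "op": "read"}),
    Access("network", {"process": "chrome.exe", "user": "alice"}, {"dport": "443", "proto": "tcp"}),
]
BASELINES = build_baselines(NORMAL_ACCESSES)

# Constructed behaviors to be detected.
REPLAY = Access("file", {"process": "winword.exe", "user": "alice"}, {"dir": "Documents", "ext": "docx"})
NEW_EXT = Access("file", {"process": "winword.exe", "user": "alice"}, {"dir": "Documents", "ext": "rtf"})
RUN_KEY_WRITE = Access("registry", {"process": "powershell.exe", "user": "alice"}, {"key": RUN_KEY, "op": "write"})

if __name__ == "__main__":
    for name, a in [("replay", REPLAY), ("new_ext", NEW_EXT), ("run_key_write", RUN_KEY_WRITE)]:
        print(f"{name}: difference={difference(a, BASELINES):.2f} abnormal={is_abnormal(a, BASELINES)}")
```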
Corresponding to the above method embodiments, the embodiments of the present invention further provide a threat detection apparatus, and the threat detection apparatus described below and the threat detection method described above may be referred to in correspondence with each other.
Referring to fig. 3, fig. 3 is a block diagram of a threat detection apparatus according to an embodiment of the present invention. The apparatus may include:
a baseline acquisition module 10, configured to acquire a normal behavior baseline corresponding to each preset resource; the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in preset resources;
and the anomaly detection module 20 is used for detecting the abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
Optionally, the apparatus may further include:
and the threat processing module is used for carrying out threat processing on the abnormal behaviors.
Optionally, the baseline acquisition module 10 may include:
the information acquisition submodule is used for acquiring resource access information corresponding to each normal behavior; the resource access information comprises accessed resource information and visitor information;
and the base line construction submodule is used for constructing the normal behavior base line corresponding to each preset type resource according to the resource access information.
Optionally, the anomaly detection module 20 may include:
the abstract submodule is used for acquiring current resource access information; the current resource access information comprises accessed resource information and visitor information corresponding to the current behavior to be detected;
the base line determining submodule is used for determining a target base line according to accessed resource information in the current resource access information; the target baseline is a normal behavior baseline of a preset resource corresponding to the current resource access information;
the base line comparison submodule is used for comparing the current resource access information with a target base line and determining the difference between the current resource access information and the target base line;
and the anomaly detection submodule is used for detecting whether the current behavior to be detected is an abnormal behavior or not according to the difference.
Optionally, the baseline comparison sub-module may be specifically configured to calculate a similarity between the current resource access information and the target baseline; the similarity is the similarity of the current resource access information and the accessed resource of the target baseline or the similarity of the current resource access information and the visitor of the target baseline; the inverse of the similarity is taken as the difference.
Optionally, the anomaly detection sub-module may be specifically configured to determine whether the difference is greater than a difference threshold; and if the difference is greater than the difference threshold, determine the current behavior to be detected as abnormal behavior.
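The following is an added worked example of the detection path just described (target baseline selected by the accessed resource's class, similarity computed against that baseline, its reciprocal taken as the difference, and a threshold check); it is illustrative code written for this page, not the applicant's implementation, and the class names, resource classes, threshold and sample records are assumptions.

```python
# Added example (not the patent's or Sangfor's code): per-resource-class normal
# behaviour baselines, similarity of a current access against the target
# baseline, its reciprocal as the "difference", and the threshold check.
# Class names, resource classes, the threshold and the sample records are
# assumptions made for this illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ResourceAccess:
    """One behaviour abstracted as visitor -> accessed resource."""
    visitor: str         # visitor information: process name or user
    resource: str        # accessed resource information: path, key, address
    resource_class: str  # the preset resource class: "file", "registry", ...


class NormalBehaviorBaseline:
    """Baseline of one preset resource class built from normal behaviour."""

    def __init__(self) -> None:
        self.visitors: Counter = Counter()   # how often each visitor was seen
        self.resources: Counter = Counter()  # how often each resource was accessed
        self.total = 0

    def add(self, access: ResourceAccess) -> None:
        self.visitors[access.visitor] += 1
        self.resources[access.resource] += 1
        self.total += 1

    def similarity(self, access: ResourceAccess, by: str) -> float:
        """Share of normal accesses in this class that share the visitor
        (by="visitor") or the accessed resource (by="resource") of the
        current access. 0.0 means the baseline has never seen it."""
        if self.total == 0:
            return 0.0
        counts = self.visitors if by == "visitor" else self.resources
        key = access.visitor if by == "visitor" else access.resource
        return counts[key] / self.total


class ThreatDetector:
    def __init__(self, difference_threshold: float) -> None:
        # Assumed threshold: difference = 1/similarity, so 10.0 flags an access
        # whose visitor (or resource) made up under 10% of normal behaviour.
        self.difference_threshold = difference_threshold
        self.baselines = defaultdict(NormalBehaviorBaseline)

    def learn_normal(self, accesses) -> None:
        for access in accesses:
            self.baselines[access.resource_class].add(access)

    def difference(self, access: ResourceAccess, by: str = "visitor") -> float:
        # The target baseline is chosen by the accessed resource information,
        # i.e. by the preset class the accessed resource belongs to.
        baseline = self.baselines.get(access.resource_class)
        if baseline is None:
            return math.inf  # no baseline vouches for this class: maximal difference
        sim = baseline.similarity(access, by)
        return math.inf if sim == 0.0 else 1.0 / sim

    def is_abnormal(self, access: ResourceAccess, by: str = "visitor") -> bool:
        return self.difference(access, by) > self.difference_threshold


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


def build_sample_detector() -> ThreatDetector:
    """Constructed sample of normal behaviour (not real telemetry)."""
    normal = (
        [ResourceAccess("explorer.exe", RUN_KEY, "registry")] * 12
        + [ResourceAccess("services.exe", SERVICES_KEY, "registry")] * 6
        + [ResourceAccess("winword.exe", r"C:\Users\alice\Documents\report.docx", "file")] * 10
    )
    detector = ThreatDetector(difference_threshold=10.0)
    detector.learn_normal(normal)
    return detector


if __name__ == "__main__":
    det = build_sample_detector()
    for access in (
        ResourceAccess("explorer.exe", RUN_KEY, "registry"),     # 12/18 of normal -> 1.5
        ResourceAccess("updater_tmp.exe", RUN_KEY, "registry"),  # never seen -> inf, abnormal
    ):
        print(access.visitor, access.resource_class, det.difference(access), det.is_abnormal(access))
```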
In the embodiment of the invention, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, and the abnormal behavior detection is carried out on the behavior to be detected on the basis of the resource access information, so that the unknown suspicious or malicious behavior can be detected, the passive and lagging situation of the defending party in the information security attack and defense countermeasure is reversed, and the security protection effect of the information security product is improved.
Based on the above embodiments, the embodiment provides a behavior portrayal method, so as to portray a normal behavior and generate a normal behavior baseline corresponding to each preset resource, thereby performing anomaly detection on a behavior to be detected by using the generated normal behavior baseline. Specifically, please refer to fig. 4, fig. 4 is a flowchart of a behavior portrait method according to an embodiment of the present invention. The method can comprise the following steps:
step 201: acquiring resource access information corresponding to each normal behavior; the resource access information comprises accessed resource information and visitor information.
It is understood that the normal behavior in this step may be normal behavior of a process on the terminal or a user, such as normal behavior detected by the EDR device. The resource access information in this step may represent access of a process or a user (i.e., visitor information) to a certain resource (i.e., accessed resource information, such as a file, a network, or a registry), that is, the resource access information may include the visitor information and the accessed resource information. In this step, the processor abstractly converts the normal behavior into corresponding resource access information by performing behavior modeling on the acquired normal behavior, so as to facilitate subsequent processing.
Specifically, the behavior portrayal method provided by the embodiment can be applied to EDR equipment, for example, a processor of the EDR equipment can construct a normal behavior baseline corresponding to each preset resource by using a normal behavior obtained through self-monitoring, so that abnormal behavior detection is performed on a monitored behavior to be detected, and unknown suspicious or malicious behavior detection is realized; the behavior portrayal method provided in this embodiment may also be applied to other devices connected to the EDR device, for example, the processor of the server connected to the EDR device may construct a normal behavior baseline corresponding to each of the preset resources by using the normal behavior monitored by the EDR device, so that the processor or the EDR device can perform abnormal behavior detection on the behavior to be detected monitored by the EDR device, which is not limited in this embodiment.
Correspondingly, the step may further include the processor acquiring the normal behavior before the step, and this embodiment does not limit the specific manner in which the processor acquires the normal behavior, for example, the processor may continuously acquire the normal behavior of the process or the user on the terminal monitored by the EDR device, for example, the processor of the EDR device may monitor and acquire the normal behavior of the process or the user on the terminal; the processor may also obtain all preset normal behaviors for generating the normal behavior baselines corresponding to the respective preset resources at one time, which is not limited in this embodiment.
Step 202: according to the resource access information, a normal behavior baseline corresponding to each preset resource is established; and the normal behavior baseline comprises accessed resource information and/or visitor information in preset resources.
It can be understood that, in this step, the processor may perform baselining on the access condition of each resource in each preset resource by using the resource access information of the normal behavior of accessing the resource in each preset resource to obtain the normal behavior baseline corresponding to each preset resource, so that the processor can subsequently perform abnormal behavior detection on the behavior to be detected by using the normal behavior baseline of each preset resource to realize detection on unknown suspicious or malicious behavior.
Specifically, the specific manner in which the processor constructs the normal behavior baseline corresponding to each preset resource according to the resource access information in this step can be set by a designer according to a practical scene and user requirements, for example, the processor can directly utilize the resource access information of all normal behaviors to generate the normal behavior baseline corresponding to each preset resource; the processor may also determine whether the resource access information of the normal behavior corresponding to each preset resource is enough to complete the baselining, so as to generate a corresponding normal behavior baseline by using the resource access information corresponding to the preset resource capable of completing the baselining, thereby ensuring the accuracy of the normal behavior baseline. The present embodiment does not set any limit to this.
That is to say, in this step, the processor may obtain, according to accessed resource information in the obtained resource access information, a resource access information set corresponding to the current preset resource, that is, a resource access information set of a normal behavior of accessing the current preset resource; generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set; the resource access information set comprises resource access information for accessing the current preset resources; the current preset class resource may be any preset class resource.
Correspondingly, the specific manner of determining whether the resource access information of the normal behavior corresponding to each preset resource is enough to complete the baselining by the processor can be set by a designer, for example, the processor can use the access distribution condition of the resource in each preset resource to perform normal behavior portrayal on the access of the normal behavior of the preset resource, thereby determining that the resource access information corresponding to the preset resource with the access distribution condition meeting the requirement (namely, the normal behavior portrayal is completed) is enough to complete the baselining, so that the corresponding normal behavior baseline is generated by using the resource access information corresponding to the preset resource with the normal behavior portrayal completed; and determining the preset resource of the unfinished normal behavior portrait, continuously acquiring normal behaviors, and entering step 101 to obtain resource access information for accessing the preset resource until the normal behavior portrait of the preset resource is finished.
That is to say, after the processor acquires the resource access information set corresponding to the current preset resource according to the accessed resource information in the acquired resource access information, the processor may count the access distribution status of each resource in the current preset resource according to the resource access information set; judging whether the current preset resources finish the normal behavior portrait or not according to the access distribution condition; if so, generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set; if not, step 201 is entered, and the resource access information for accessing the current preset resource is continuously obtained.
In the embodiment of the invention, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, the normal behavior of accessing each preset resource is represented by the resource access information of the normal behavior, and the normal behavior baseline corresponding to each preset resource is constructed, so that the abnormal behavior detection can be carried out on the behavior to be detected by using the normal behavior baseline of each preset resource subsequently, and the detection on unknown suspicious or malicious behavior is realized.
Based on the above embodiments, the present embodiment will specifically describe several steps in the above embodiments. In one embodiment, the normal behavior may be normal behavior obtained by the EDR device through continuous monitoring during operation. In this case, the process of constructing the normal behavior baseline corresponding to each preset class resource according to the resource access information in the foregoing embodiment may be as shown in fig. 5, and includes:
step 2021: acquiring a resource access information set corresponding to the current preset resource according to the accessed resource information; the resource access information set comprises resource access information for accessing the current preset resource.
It can be understood that, in the embodiment, the construction of the normal behavior baseline corresponding to any one preset resource (i.e., the current preset resource) is taken as an example for illustration, and the construction of the normal behavior baseline corresponding to all preset resources may be implemented in a manner the same as or similar to the method provided in the embodiment, which is not limited in this embodiment.
Specifically, in this step, the processor determines a set of resource access information (i.e., a resource access information set) for accessing resources in the current preset resource by using accessed resource information in the acquired resource access information of the normal behavior.
Step 2022: and according to the resource access information set, counting the access distribution condition of each resource in the current preset resource.
In this step, the processor may use the resource access information set corresponding to the current preset resource to count the distribution status of the access of each resource access information in the resource access information set to the resource in the current preset resource (i.e., access distribution status), so as to use the access distribution status of each resource in the current preset resource as a representation of the normal behavior of the current preset resource (i.e., a normal behavior representation).
Step 2023: judging whether the current preset resources finish the normal behavior portrait or not according to the access distribution condition; if yes, go to step 2024; if not, go to step 2025.
It can be understood that, in this step, the processor determines whether the normal behavior portrayal of the current preset resource meets the requirement by using the access distribution status of each resource in the current preset resource, that is, whether the portrayal stage of the current preset resource can be ended, so that the normal behavior baseline corresponding to the current preset resource is generated by using the resource access information set corresponding to the current preset resource, which is completed by using the normal behavior portrayal.
Specifically, the manner in which the processor determines, according to the access distribution status, whether the current preset resource has completed the normal behavior portrayal in this step may be set by the designer according to the practical scenario and the user requirement. For example, the processor may determine whether the current preset resource has completed the normal behavior portrayal by comparing the dispersion degree (e.g., entropy, variance, or standard deviation) of the access distribution status at the current time (i.e., the current access distribution status) with the dispersion degree of the access distribution status at the last time (i.e., the last access distribution status), that is, by judging from the variation trend of the access distribution status between the two times whether the portrayal stage of the current preset resource can be ended. The processor may also determine whether the current preset resource has completed the normal behavior portrait by comparing the access count of each resource in the access distribution status with a count threshold; for example, when the access count of each resource in the access distribution status reaches the count threshold, it is determined that the current preset resource has completed the normal behavior portrait, and step 2024 is entered; when the access counts of all the resources in the access distribution status have not reached the count threshold, it is determined that the current preset resource has not completed the normal behavior portrait, and step 2025 is entered.
The processor can also compare the statistical time of the access distribution condition (namely the current access distribution condition) of the current preset resource with the preset portrait time to determine whether the current preset resource completes the normal behavior portrait or not; for example, when the statistical time reaches the time of the preset portrait, it is determined that the current preset resource completes the normal behavior portrait, and step 2024 is performed; when the statistical time does not reach the time of the preset portrait, it is determined that the normal behavior portrait is not completed by the current preset resource, and step 2025 is performed.
Correspondingly, the processor can also successively or simultaneously judge whether the statistical time of the current visit distribution condition reaches the preset portrait time and whether the dispersion degree difference between the current visit distribution condition and the previous visit distribution condition is smaller than the dispersion degree threshold value; when the statistical time of the current access distribution condition does not reach the preset portrait time or the difference between the current access distribution condition and the dispersion degree of the previous access distribution condition is not smaller than the dispersion degree threshold value, determining that the current preset resource does not complete the normal behavior portrait, and entering step 2025, continuing to obtain the normal behavior portrait of the current preset resource; and when the statistical time reaches the preset portrait time and the dispersion difference is smaller than the dispersion threshold, determining that the current preset resource completes the normal behavior portrait, and entering step 2024 to generate a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
For example, the processor in this step may detect whether the statistical time of the current access distribution status has reached the preset portrait time, for example by checking at preset time intervals; if the statistical time has not reached the preset portrait time, step 2025 is entered; if the preset portrait time has been reached, the entropy value of the current access distribution status is acquired, and it is judged whether the difference (i.e., the dispersion degree difference) between the entropy value of the current access distribution status and the entropy value of the previous access distribution status is smaller than a threshold (i.e., the dispersion degree threshold). If the difference is smaller than the threshold, the variation trend between the two access distribution statuses can be determined to be small, that is, the access pattern of the normal behavior corresponding to the current preset resource is basically stable, so it can be determined that the current preset resource has completed the normal behavior portrait, and step 2024 is entered to complete the baselining of the normal behavior corresponding to the current preset resource; if the difference is not smaller than the threshold, the variation trend between the two access distribution statuses can be determined to be large, so it can be determined that the current preset resource has not completed the normal behavior portrait, and step 2025 is entered to continue the normal behavior portrait of the current preset resource.
Step 2024: and generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
In this step, the processor may baseline the resource access information in the resource access information set corresponding to the current preset resource when it is determined that the current preset resource completes the normal behavior sketch, to obtain a normal behavior baseline of the current preset resource, perform abnormal behavior detection on the to-be-detected behavior accessing the resource in the current preset resource by using the normal behavior baseline of the current preset resource, and determine the to-be-detected behavior that is too different from the normal behavior baseline as an abnormal behavior, that is, a suspicious or malicious behavior.
Step 2025: normal behavior continues to be acquired.
It can be understood that, in this step, the processor may continue to acquire the normal behavior monitored by the EDR device when it is determined that the normal behavior portrait is not completed by the current preset resource, so as to continue to perform the normal behavior portrait of the current preset resource by using the resource access information of the normal behavior of accessing the resource in the current preset resource.
In the embodiment, whether the resource access information corresponding to the current preset resource is enough to complete the baseline is determined by using the access distribution condition of the resource in the current preset resource, so that the accuracy of the normal behavior baseline is ensured, and the accuracy of abnormal behavior detection is improved.
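The following is an added worked example of the portrait-completion check in steps 2021 to 2025 using the entropy variant (baselining of one preset resource class ends only when the statistical time has reached the preset portrait time and the entropy of the access distribution has stopped changing between two statistical rounds); it is illustrative code written for this page, not the applicant's implementation, and the names, the round-based notion of statistical time, the thresholds and the sample accesses are assumptions.

```python
# Added example (not the patent's or Sangfor's code) of the portrait-completion
# check in steps 2021-2025: count the access distribution of one preset resource
# class, and end baselining only once the statistical time has reached the
# preset portrait time AND the entropy of the distribution has stopped moving
# between two statistical rounds. Names, the round-based notion of time, the
# thresholds and the sample accesses are assumptions.
from collections import Counter
import math
from typing import Iterable, Optional


def shannon_entropy(distribution: Counter) -> float:
    """Dispersion degree of an access distribution, in bits."""
    total = sum(distribution.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in distribution.values() if c)


class ResourcePortrait:
    """Normal behaviour portrait of one preset resource class."""

    def __init__(self, portrait_time: int, dispersion_threshold: float) -> None:
        self.portrait_time = portrait_time                # preset portrait time, in rounds
        self.dispersion_threshold = dispersion_threshold  # max allowed entropy change
        self.distribution: Counter = Counter()            # access count per resource
        self.statistical_time = 0                         # rounds counted so far
        self.last_entropy: Optional[float] = None         # dispersion of previous distribution
        self.complete = False

    def add_round(self, accessed_resources: Iterable[str]) -> bool:
        """Steps 2021-2023: absorb one round of normal accesses to this class and
        decide whether the portrait is complete. Returns True once step 2024 may run."""
        if self.complete:
            return True
        self.distribution.update(accessed_resources)      # steps 2021/2022
        self.statistical_time += 1
        entropy = shannon_entropy(self.distribution)
        if self.statistical_time >= self.portrait_time and self.last_entropy is not None:
            # step 2023: both gates must hold; otherwise keep acquiring (step 2025)
            self.complete = abs(entropy - self.last_entropy) < self.dispersion_threshold
        self.last_entropy = entropy
        return self.complete

    def baseline(self) -> dict:
        """Step 2024: normalised access distribution, handed out only once complete."""
        if not self.complete:
            raise RuntimeError("portrait not complete: keep acquiring normal behaviour")
        total = sum(self.distribution.values())
        return {resource: count / total for resource, count in self.distribution.items()}


# Constructed stream of normal file accesses per statistical round (not real data):
# the first round is sparse, later rounds settle on a stable 2:1:1 pattern.
SAMPLE_ROUNDS = [
    ["report.docx", "notes.txt"],
    ["report.docx", "report.docx", "notes.txt", "budget.xlsx"],
    ["report.docx", "report.docx", "notes.txt", "budget.xlsx"],
    ["report.docx", "report.docx", "notes.txt", "budget.xlsx"],
    ["report.docx", "report.docx", "notes.txt", "budget.xlsx"],
    ["report.docx", "report.docx", "notes.txt", "budget.xlsx"],
]


def rounds_until_complete(rounds, portrait_time: int, dispersion_threshold: float) -> Optional[int]:
    """Return the 1-based round at which the portrait completed, or None if it never did."""
    portrait = ResourcePortrait(portrait_time, dispersion_threshold)
    for index, accesses in enumerate(rounds, start=1):
        if portrait.add_round(accesses):
            return index
    return None


if __name__ == "__main__":
    # Entropy settles by round 4, but a longer preset portrait time holds completion back.
    print(rounds_until_complete(SAMPLE_ROUNDS, portrait_time=3, dispersion_threshold=0.01))   # 4
    print(rounds_until_complete(SAMPLE_ROUNDS, portrait_time=5, dispersion_threshold=0.01))   # 5
    print(rounds_until_complete(SAMPLE_ROUNDS, portrait_time=3, dispersion_threshold=0.001))  # None
```

With a very tight dispersion threshold the sample stream never completes within six rounds, which is the case where step 2025 keeps acquiring normal behaviour rather than handing out an immature baseline.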
In accordance with the above method embodiments, the present invention further provides a behavior portrayal device, and the behavior portrayal device and the behavior portrayal method described above may be referred to in correspondence.
Referring to fig. 6, fig. 6 is a block diagram of a behavior portrayal device according to an embodiment of the present invention. The apparatus may include:
an information obtaining module 30, configured to obtain resource access information corresponding to each normal behavior; the resource access information comprises accessed resource information and visitor information;
the baseline construction module 40 is used for constructing a normal behavior baseline corresponding to each preset resource according to the resource access information; and the normal behavior baseline comprises accessed resource information and/or visitor information in preset resources.
Optionally, the baseline building module 40 may include:
the set submodule is used for acquiring a resource access information set corresponding to the current preset resource according to the accessed resource information; the resource access information set comprises resource access information for accessing the current preset resources;
and the generating submodule is used for generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
Optionally, the baseline building module 40 may further include:
the statistic submodule is used for counting the access distribution condition of each resource in the current preset resource according to the resource access information set;
the distribution judgment submodule is used for judging whether the current preset resources finish the normal behavior portrait or not according to the access distribution condition; if yes, sending a starting signal to the generating submodule; if not, a start signal is sent to the information acquisition module 30.
Optionally, the distribution determining sub-module may be specifically configured to: when the statistical time of the current access distribution status has not reached the preset portrait time, or the dispersion degree difference between the current access distribution status and the previous access distribution status is not smaller than the dispersion degree threshold, determine that the current preset resource has not completed the normal behavior portrait, and send a start signal to the information acquisition module 30; and when the statistical time has reached the preset portrait time and the dispersion degree difference is smaller than the dispersion degree threshold, determine that the current preset resource has completed the normal behavior portrait, and send a start signal to the generating submodule.
In the embodiment of the invention, the behavior of the terminal is abstracted into the resource access information corresponding to the access of the visitor to the accessed resource, the normal behavior of accessing each preset resource is represented by the resource access information of the normal behavior, and the normal behavior baseline corresponding to each preset resource is constructed, so that the abnormal behavior detection can be carried out on the behavior to be detected by using the normal behavior baseline of each preset resource subsequently, and the detection on unknown suspicious or malicious behavior is realized.
Corresponding to the above method embodiment, the embodiment of the present invention further provides an electronic device, and the electronic device described below and the threat detection method and the behavior portrayal method described above may be referred to in correspondence.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The electronic device may include:
a memory D1 for storing computer programs;
a processor D2, configured to execute the computer program to implement the threat detection method provided by the above method embodiment and/or the steps of the behavior representation method provided by the above method embodiment.
Specifically, referring to fig. 8, fig. 8 is a schematic structural diagram of an electronic device provided in this embodiment. The electronic device may vary considerably in configuration and performance, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be, among other things, transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the electronic device. Still further, the central processor 322 may be configured to communicate with the storage medium 330 to execute a series of instruction operations in the storage medium 330 on the electronic device 310.
The electronic device 310 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The electronic device 310 may specifically be an EDR device; for example, the EDR device obtains normal behavior by monitoring a terminal, and performs abnormal behavior detection on the behavior to be detected in the monitored terminal by using the normal behavior, so that unknown suspicious or malicious behavior detection is realized and the security protection effect of the EDR device is improved.
The steps in the threat detection method and/or the behavioral portrayal method described above may be implemented by the structure of an electronic device.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a readable storage medium, and a readable storage medium described below and a threat detection method and a behavior portrayal method described above may be referred to in correspondence.
A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the threat detection method provided by the above method embodiments and/or the steps of the behavior representation method provided by the above method embodiments.
The readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or any other readable storage medium capable of storing program codes.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device, the electronic device and the readable storage medium disclosed by the embodiments correspond to the method disclosed by the embodiments, so that the description is simple, and the relevant points can be referred to the description of the method.
The threat detection method, the threat detection device, the behavior portrayal method, the behavior portrayal device, the electronic equipment and the readable storage medium are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (14)

1. A threat detection method, comprising:
acquiring a normal behavior baseline corresponding to each preset resource; wherein the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in the preset class of resources;
and detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
2. The threat detection method according to claim 1, after detecting abnormal behavior in the behaviors to be detected according to the normal behavior baseline, further comprising:
and carrying out threat processing on the abnormal behaviors.
3. The threat detection method according to claim 1, wherein the obtaining of the normal behavior baseline corresponding to each preset resource includes:
acquiring resource access information corresponding to each normal behavior; wherein the resource access information comprises the accessed resource information and the visitor information;
and according to the resource access information, establishing a normal behavior baseline corresponding to each preset resource.
4. The threat detection method according to any one of claims 1 to 3, wherein detecting abnormal behavior in the behavior to be detected based on the normal behavior baseline comprises:
acquiring current resource access information; the current resource access information comprises accessed resource information and visitor information corresponding to the current behavior to be detected;
determining a target base line according to accessed resource information in the current resource access information; the target baseline is a normal behavior baseline of a preset resource corresponding to the current resource access information;
comparing the current resource access information with the target baseline, and determining the difference between the current resource access information and the target baseline;
and detecting whether the current behavior to be detected is the abnormal behavior or not according to the difference.
5. The threat detection method of claim 4, wherein the comparing the current resource access information to the target baseline to determine the variance of the current resource access information from the target baseline comprises:
calculating the similarity between the current resource access information and the target baseline; the similarity is the similarity of the current resource access information and the accessed resource of the target baseline or the similarity of the current resource access information and the visitor of the target baseline;
and taking the reciprocal of the similarity as the difference.
6. The threat detection method according to claim 5, wherein the detecting whether the current behavior to be detected is the abnormal behavior according to the difference comprises:
judging whether the difference is larger than a difference threshold value or not;
and if the difference is larger than the difference threshold value, determining the current behavior to be detected as the abnormal behavior.
7. A threat detection apparatus, comprising:
the baseline acquisition module is used for acquiring the normal behavior baselines corresponding to the preset resources; wherein the normal behavior baseline comprises accessed resource information and/or visitor information of normal behaviors in the preset class of resources;
and the abnormal detection module is used for detecting abnormal behaviors in the behaviors to be detected according to the normal behavior baseline.
8. A method for behavioral portrayal, comprising:
acquiring resource access information corresponding to each normal behavior; wherein the resource access information comprises accessed resource information and visitor information;
according to the resource access information, establishing a normal behavior baseline corresponding to each preset resource; and the normal behavior baseline comprises accessed resource information and/or visitor information in the preset class of resources.
9. The behavior portrayal method according to claim 8, wherein the constructing a normal behavior baseline corresponding to each resource of the preset class according to the resource access information comprises:
acquiring a resource access information set corresponding to the current preset resource according to the accessed resource information; the resource access information set comprises resource access information for accessing the current preset resource;
and generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set.
10. The behavior portrayal method according to claim 9, wherein before generating the normal behavior baseline corresponding to the current preset class of resources according to the resource access information set, the method further comprises:
according to the resource access information set, counting the access distribution condition of each resource in the current preset resource;
judging whether the current preset resources finish normal behavior portraits or not according to the access distribution condition;
if so, executing the step of generating a normal behavior baseline corresponding to the current preset resource according to the resource access information set;
and if not, executing the step of acquiring the resource access information corresponding to each normal behavior.
11. The behavior portrait method according to claim 10, wherein judging, according to the access distribution, whether the normal behavior portrait of the current preset class of resources is complete comprises:
when the statistical duration of the current access distribution has not reached the preset portrait duration, or the dispersion difference between the current access distribution and the previous access distribution is not smaller than the dispersion threshold, determining that the normal behavior portrait of the current preset class of resources is not complete, and returning to the step of acquiring the resource access information corresponding to each normal behavior;
and when the statistical duration has reached the preset portrait duration and the dispersion difference is smaller than the dispersion threshold, determining that the normal behavior portrait of the current preset class of resources is complete, and executing the step of generating the normal behavior baseline corresponding to the current preset class of resources according to the resource access information set.
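The portrait procedure of claims 8 to 11 (collect accesses per preset class, count the access distribution, wait until the statistical duration is long enough and the dispersion has stopped moving, then emit the baseline) and the threshold detection of claims 6 and 7, carried through in runnable form. This is an added example, not the patent's or the assignee's code: the claims name neither a dispersion measure nor a difference score, so Shannon entropy of the per-resource access counts and a two-dimension mismatch fraction are assumed here, and the access log, class names, visitor names and parameter values are constructed for the example.

```python
"""Behavior-portrait baseline construction and threshold detection.

Added illustration of claims 6-11; not the patent's implementation. The
dispersion measure, the difference score and all sample data are assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    """One resource access: visitor information, accessed resource information,
    and the preset class the resource belongs to."""
    t: int          # seconds since the start of collection (constructed)
    visitor: str
    resource: str
    res_class: str


@dataclass(frozen=True)
class Baseline:
    """Normal behavior baseline for one preset class of resources (claim 8)."""
    resources: frozenset
    visitors: frozenset


@dataclass(frozen=True)
class Finding:
    access: Access
    score: Optional[float]    # None when the class has no baseline yet
    abnormal: Optional[bool]


def make_sample_log() -> List[Access]:
    """Constructed, deterministic sample data (not real traffic). finance-db is a
    steady pattern; hr-share keeps reaching new shares and never settles."""
    log = []
    for i in range(60):
        log.append(Access(10 * i, ("alice", "bob")[i % 2], f"findb-{i % 3}", "finance-db"))
        log.append(Access(10 * i, "carol", f"hrshare-{i // 8}", "hr-share"))
    return log


def access_distribution(events: List[Access]) -> Counter:
    """Claim 10: access count of each resource inside the class."""
    return Counter(e.resource for e in events)


def dispersion(dist: Counter) -> float:
    """Assumed dispersion measure: Shannon entropy (nats) of the per-resource
    counts. It keeps rising while new resources appear or hits keep spreading,
    so the checkpoint-to-checkpoint difference only shrinks once the class settles."""
    total = sum(dist.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log(c / total) for c in dist.values())


def portrait_complete(stat_duration: int, preset_duration: int, disp_now: float,
                      disp_prev: Optional[float], disp_threshold: float) -> bool:
    """Claim 11: complete only when the window is long enough AND the dispersion
    has stopped moving between two consecutive checkpoints."""
    if stat_duration < preset_duration or disp_prev is None:
        return False
    return abs(disp_now - disp_prev) < disp_threshold


def build_baseline(events: List[Access], preset_duration: int = 300,
                   disp_threshold: float = 0.02, step: int = 100) -> Tuple[Optional[Baseline], Optional[int]]:
    """Claims 9-11 for one class: re-check the distribution every `step` seconds.
    Returns (Baseline, completion_time) once the portrait is complete, or
    (None, None) if the log runs out first, i.e. keep acquiring."""
    events = sorted(events, key=lambda e: e.t)
    horizon = events[-1].t + 1
    disp_prev = None
    for checkpoint in range(step, horizon + step, step):
        seen = [e for e in events if e.t < checkpoint]
        disp_now = dispersion(access_distribution(seen))
        if portrait_complete(checkpoint, preset_duration, disp_now, disp_prev, disp_threshold):
            return (Baseline(frozenset(e.resource for e in seen),
                             frozenset(e.visitor for e in seen)), checkpoint)
        disp_prev = disp_now
    return None, None


def build_all_baselines(log: List[Access], **kw) -> Dict[str, Baseline]:
    """Claim 9: split the log by preset class and build one baseline per class."""
    by_class = defaultdict(list)
    for e in log:
        by_class[e.res_class].append(e)
    baselines = {}
    for res_class, events in by_class.items():
        baseline, _ = build_baseline(events, **kw)
        if baseline is not None:
            baselines[res_class] = baseline
    return baselines


def difference(access: Access, baseline: Baseline) -> float:
    """Assumed difference score for claim 6: fraction of the baseline's two
    dimensions (resource, visitor) that the behavior falls outside of."""
    misses = (access.resource not in baseline.resources) + (access.visitor not in baseline.visitors)
    return misses / 2


def detect(behaviors: List[Access], baselines: Dict[str, Baseline],
           diff_threshold: float = 0.25) -> List[Finding]:
    """Claims 6-7: abnormal when the difference from the class baseline exceeds
    the threshold; classes without a finished portrait are left unscored."""
    findings = []
    for b in behaviors:
        baseline = baselines.get(b.res_class)
        if baseline is None:
            findings.append(Finding(b, None, None))
            continue
        score = difference(b, baseline)
        findings.append(Finding(b, score, score > diff_threshold))
    return findings


if __name__ == "__main__":
    baselines = build_all_baselines(make_sample_log())
    probes = [  # constructed behaviors to detect
        Access(600, "alice", "findb-1", "finance-db"),
        Access(610, "mallory", "findb-0", "finance-db"),
        Access(620, "bob", "findb-9", "finance-db"),
        Access(630, "carol", "hrshare-0", "hr-share"),
    ]
    for f in detect(probes, baselines):
        print(f.access.visitor, f.access.resource, f.score, f.abnormal)
```

With the constructed log, finance-db settles at the 300 s checkpoint and gets a baseline, while hr-share never does within the log and its accesses stay unscored rather than being compared against a half-built portrait. Raw entropy rather than normalized entropy is used on purpose: a class whose visitors keep touching new resources at an even rate has a normalized entropy of 1.0 at every checkpoint and would look converged when it is not. The usual practitioner caveat applies to any baseline of this kind: whatever the collection window contains is what the baseline calls normal, so an attacker already present during portrait construction is learned as legitimate, and the window should be taken from a period you have independent reason to trust.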
12. A behavior portrait apparatus, comprising:
an information acquisition module, configured to acquire resource access information corresponding to each normal behavior; wherein the resource access information comprises accessed resource information and visitor information;
and a baseline construction module, configured to construct, according to the resource access information, a normal behavior baseline corresponding to each preset class of resources; wherein the normal behavior baseline comprises the accessed resource information and/or the visitor information within the preset class of resources.
13. An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the threat detection method according to any one of claims 1 to 6 and/or the behavior portrait method according to any one of claims 8 to 11 when executing the computer program.
14. A readable storage medium, characterized in that a computer program is stored on the readable storage medium, and the computer program, when executed by a processor, implements the steps of the threat detection method according to any one of claims 1 to 6 and/or the behavior portrait method according to any one of claims 8 to 11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110668759.7A CN113297576A (en) 2021-06-16 2021-06-16 Threat detection method and device, behavior portrait method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN113297576A true CN113297576A (en) 2021-08-24

Family

ID=77328502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110668759.7A Pending CN113297576A (en) 2021-06-16 2021-06-16 Threat detection method and device, behavior portrait method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113297576A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150082437A1 (en) * 2013-09-13 2015-03-19 Prelert Ltd. Method and apparatus for detecting irregularities on a device
CN110020687A (en) * 2019-04-10 2019-07-16 北京神州泰岳软件股份有限公司 Abnormal behaviour analysis method and device based on operator's Situation Awareness portrait
CN111125700A (en) * 2019-12-11 2020-05-08 中山大学 DGA family classification method based on host relevance
CN111191092A (en) * 2019-12-31 2020-05-22 腾讯科技(深圳)有限公司 Portrait data processing method and portrait model training method
CN111245793A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for analyzing abnormity of network data
CN111988285A (en) * 2020-08-03 2020-11-24 中国电子科技集团公司第二十八研究所 Network attack tracing method based on behavior portrait
US20210141900A1 (en) * 2019-11-13 2021-05-13 Vmware, Inc. Methods and systems for troubleshooting applications using streaming anomaly detection
CN112804196A (en) * 2020-12-25 2021-05-14 北京明朝万达科技股份有限公司 Log data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination