CN115033889A - Illegal privilege escalation detection method and device, storage medium and computer equipment - Google Patents

Illegal privilege escalation detection method and device, storage medium and computer equipment

Info

Publication number
CN115033889A
Authority
CN
China
Prior art keywords
event
detection
illegal
data
call
Legal status
Granted
Application number
CN202210716028.XA
Other languages
Chinese (zh)
Other versions
CN115033889B (en)
Inventor
吴波
刘东鑫
温展鹏
汪来富
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210716028.XA
Publication of CN115033889A
Application granted
Publication of CN115033889B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present disclosure provides an illegal privilege escalation detection method and apparatus, a storage medium and a computer device, and relates to the technical field of computers. The method comprises the following steps: acquiring a first event set corresponding to a first process, and determining security baseline information based on the first event set; acquiring a second event set corresponding to a process to be detected, and performing illegal privilege escalation detection based on the second event set to obtain a second detection result, the second event set comprising a second user space function call event and a second kernel space capability call event; and determining, based on the second detection result and the security baseline information, whether the process to be detected is an illegal privilege escalation operation. The method and apparatus address the high false detection rate and low detection accuracy of illegal privilege escalation detection in the related art.

Description

Illegal privilege escalation detection method and device, storage medium and computer equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular to an illegal privilege escalation detection method and apparatus, a storage medium, and a computer device.
Background
A privilege escalation attack generally refers to a low-privilege user illegally escalating privileges through a hardware vulnerability and/or a processor vulnerability of a device, upgrading to a high privilege level in order to carry out intrusion operations on the computer system, which seriously affects system security.
In the related art, illegal privilege escalation is mostly judged from operating system log data, which suffers from a high false detection rate and a low detection accuracy; how to effectively detect illegal privilege escalation operations is therefore a technical problem that urgently needs to be solved in the field.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of the embodiments of the present disclosure is to provide an illegal privilege escalation detection method and apparatus, a storage medium, and a computer device, thereby solving, to a certain extent, the problems of high false detection rate and low detection accuracy of illegal privilege escalation detection in the related art.
According to a first aspect of the present disclosure, there is provided an illegal privilege escalation detection method, the method including: acquiring a first event set corresponding to a first process, and determining security baseline information based on the first event set; acquiring a second event set corresponding to a process to be detected, and performing illegal privilege escalation detection based on the second event set to obtain a second detection result, the second event set comprising a second user space function call event and a second kernel space capability call event; and determining, based on the second detection result and the security baseline information, whether the process to be detected is an illegal privilege escalation operation.
Optionally, the first event set includes a first user space function call event and a first kernel space capability call event, and determining security baseline information based on the first event set comprises: performing feature extraction on the first user space function call event and the first kernel space capability call event to obtain first feature data; detecting the first feature data with a privilege escalation detection model to obtain a first detection result; and determining the security baseline information based on the first detection result. The privilege escalation detection model is obtained by training on a training sample set that comprises normal privilege escalation events and illegal privilege escalation events.
Optionally, performing illegal privilege escalation detection based on the second event set includes: performing feature extraction on the second user space function call event and the second kernel space capability call event to obtain second feature data; and performing illegal privilege escalation detection on the second feature data with the privilege escalation detection model to obtain the second detection result.
Optionally, the first event set further includes first process identification information and the second event set further includes second process identification information. Before feature extraction is performed on the first event set, the method further includes grouping the first user space function call event and the first kernel space capability call event according to a time window and the first process identification information, so that processes related to the same first process identification information are divided into one group per time window. Before feature extraction is performed on the second event set, the method further includes grouping the second user space function call event and the second kernel space capability call event according to a time window and the second process identification information, so that processes related to the same second process identification information are divided into one group per time window.
Optionally, performing illegal privilege escalation detection based on the second event set includes: extracting process creation feature data, system call timing feature data, user space function call feature data and capability call path feature data for each group of data corresponding to the second event set; and fusing the process creation feature data, the system call timing feature data, the user space function call feature data and the kernel capability call path feature data with the privilege escalation detection model to obtain the second detection result.
Optionally, determining, based on the second detection result and the security baseline information, whether the process to be detected is an illegal privilege escalation operation includes: when the second detection result is greater than the security baseline information, determining that the process to be detected is an illegal privilege escalation operation.
Optionally, before performing illegal privilege escalation detection based on the second event set, the method further includes performing data filtering on the second event set to filter out trusted function call data and/or capability call data.
According to a second aspect of the present disclosure, there is provided an illegal privilege escalation detection apparatus, the apparatus comprising: a first determining module for acquiring a first event set corresponding to a first process and determining security baseline information based on the first event set; a detection module for acquiring a second event set corresponding to a process to be detected and performing illegal privilege escalation detection based on the second event set to obtain a second detection result, the second event set comprising a second user space function call event and a second kernel space capability call event; and a second determining module for determining, based on the second detection result and the security baseline information, whether the process to be detected is an illegal privilege escalation operation.
According to a third aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of the above.
According to a fourth aspect of the present disclosure, there is provided a computer device comprising: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the method of any of the above via execution of the executable instructions.
Exemplary embodiments of the present disclosure may have some or all of the following benefits:
In the illegal privilege escalation detection method provided by the exemplary embodiments of the disclosure, on the one hand, a first event set corresponding to a first process is acquired, security baseline information is determined from it, and whether the process to be detected is an illegal privilege escalation operation is decided against that security baseline; providing such a reference baseline for the detection result reduces the false detection rate of illegal privilege escalation detection and the workload of system security maintenance personnel. On the other hand, detection is performed on the second event set corresponding to the process to be detected, combining user space function call events with kernel space capability call events, so that detection draws on event data of multiple dimensions and its accuracy is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates an application scenario diagram of an illegal privilege escalation detection method and apparatus according to an embodiment of the present disclosure.
Fig. 2 schematically shows a flow diagram of an illegal privilege escalation detection method according to one embodiment of the present disclosure.
Fig. 3 schematically illustrates a flow diagram for determining security baseline information according to one embodiment of the present disclosure.
Fig. 4 schematically shows a first flow diagram of illegal privilege escalation detection according to one embodiment of the present disclosure.
Fig. 5 schematically shows a second flow diagram of illegal privilege escalation detection according to an embodiment of the present disclosure.
Fig. 6 schematically shows a block diagram of a configuration of an illegal privilege escalation detection apparatus according to an embodiment of the present disclosure.
FIG. 7 schematically shows a block diagram of an exemplary computer device, according to one embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
To facilitate an understanding of the present disclosure, the following terms are explained.
A capability (CAP for short) is a Linux kernel concept. The introduction of capabilities breaks the super user/common user dichotomy of UNIX/Linux operating systems: a common user can also perform work that previously only the super user could complete.
The main idea of capabilities is to split the privileges of the root user into different capabilities, each representing a certain privileged operation. For example, the capability CAP_SYS_MODULE represents the privileged operation of loading (or unloading) a kernel module, and CAP_SETUID represents the privileged operation of changing the user identity of a process. With capabilities, the system performs access control of privileged operations based on the capabilities held by the process.
Referring to fig. 1, a schematic diagram of a system architecture 100 of an exemplary application environment of the illegal privilege escalation detection method and apparatus provided in some embodiments of the present disclosure is shown. As shown in fig. 1, system architecture 100 may include one or more computer devices 110 and a server 120. The network serves as a medium for providing communication links between computer devices 110 and server 120. The network may include various connection types, such as wired or wireless communication links or fiber optic cables, to name a few. The computer device 110 may be any of a variety of network devices having a display screen, including, but not limited to, desktop computers, portable computers, smart phones, and tablets.
Server 120 may be a server that provides various services, such as obtaining a first event set corresponding to a first process from computer device 110; determining security baseline information based on the first event set; acquiring a second event set corresponding to the process to be detected and performing illegal privilege escalation detection based on the second event set; and determining, based on the detection result and the security baseline information, whether the process to be detected is an illegal privilege escalation operation.
The server 120 may be hardware or software. When the server 120 is hardware, it may be implemented as a distributed server cluster composed of a plurality of servers, or as a single server. When the server 120 is software, it may be implemented as a plurality of software modules or as a single software module. This is not particularly limited herein.
It should be understood that the number of computer devices, networks, and servers in FIG. 1 is illustrative only. There may be any number of computer devices, networks, and servers, as desired for an implementation. For example, the server 120 may be a server cluster composed of a plurality of servers.
The illegal privilege escalation detection method provided by the embodiments of the present disclosure may be executed in the server 120, in which case the detection apparatus is generally disposed in the server 120. It may also be executed in the computer device 110, in which case the detection apparatus is generally disposed in the computer device 110.
Referring to fig. 2, the illegal privilege escalation detection method of one embodiment of the present disclosure may be applied to a Linux computer device and includes the following steps S210-S230.
Step S210: a first event set corresponding to the first process is obtained, and the security baseline information is determined based on the first event set.
In this example embodiment, the first process may include a process in common software that resembles a privilege escalation process, a normal high-privilege process (e.g., a root privilege process), or a special user group process (e.g., a common user group with special privileges). For example, the first process may include processes similar or related to privilege escalation in runs of the following software: FTP (File Transfer Protocol), SSH (Secure Shell), KVM (Kernel-based Virtual Machine), VMware virtualization software, Apache, Nginx, the Redis database, the relational database management systems MySQL and PostgreSQL, the in-memory computing framework Spark, and so on.
Illustratively, the eBPF events of the first process may be captured as the first event set. eBPF (Extended Berkeley Packet Filter) can be used for network packet capture and for fast processing and forwarding of kernel-state network packets, and, through LSM (Linux Security Module) hook points, for security monitoring and access control in the Linux kernel. Newer Linux kernels can, via eBPF, turn any kernel function call into a user space event carrying arbitrary data.
In this example embodiment, the first event set may include kernel space function/capability call data of the first process (function/capability call path, identifier, time, etc.), user space call stack data (user space call path, identifier, time, etc.), system call data (system call name, call time, etc.), and new process creation data (number of new processes created within a predetermined time and its mean value, new process creation path, new process creation time difference, etc.).
In this example embodiment, a trained random forest model or support vector machine may be employed to determine the security baseline information corresponding to the first event set. The security baseline information may change dynamically or may remain unchanged for a period of time; this is not limited in this example.
Step S220: a second event set corresponding to the process to be detected is obtained, and illegal privilege escalation detection is performed based on the second event set to obtain a second detection result.
In this example embodiment, the second event set includes a second user space function call event and a second kernel space capability call event. The second user space function call event may include system call data corresponding to the process to be detected, data related to new process creation events, call event identification information, identification information of the events adjacent before and after the call event, function call time information, process identification information (such as a process number) corresponding to the call event, function information (such as a function name) executed in user space, and the like. The second kernel space capability call event may include the current capability call path information corresponding to the process to be detected (which may include the current call and related information of the calls before and after it), the user information of the current capability call, the command making the current capability call, and the current capability information (such as a Linux CAP name).
In this example embodiment, illegal privilege escalation detection may be performed using a random forest model and/or a support vector machine (SVM).
Step S230: whether the process to be detected is an illegal privilege escalation operation is determined based on the second detection result and the security baseline information.
In this example embodiment, the second detection result and the security baseline information may be compared, and whether the process to be detected is an illegal privilege escalation operation may be determined based on the comparison result. When the security baseline information is a single value, a process whose second detection result is greater than the security baseline information may be determined to be an illegal privilege escalation operation. When the security baseline information is a set of values, a process whose second detection result is greater than the average/maximum of the security baseline value set may be determined to be an illegal privilege escalation operation, or the values in the security baseline set may be weighted and then compared with the second detection result to decide whether the operation is an illegal privilege escalation, or other determination conditions may be set; this is not limited in this example.
In the illegal privilege escalation detection method provided by the embodiments of the disclosure, on the one hand, the first event set corresponding to the first process is acquired, the security baseline information is determined from it, and whether the process to be detected is an illegal privilege escalation operation is decided against that security baseline; providing such a reference baseline for the detection result reduces the false detection rate of illegal privilege escalation detection and the workload of system security maintenance personnel. On the other hand, detection is performed on the second event set corresponding to the process to be detected, combining user space function call events with kernel space capability call events, so that detection draws on event data of multiple dimensions and its accuracy is improved.
In some embodiments, referring to FIG. 3, the first event set includes a first user space function call event and a first kernel space capability call event, and determining security baseline information based on the first event set includes: performing feature extraction on the first user space function call event and the first kernel space capability call event to obtain first feature data.
In this example embodiment, the first user space function call event may include system call data corresponding to the first process, data related to new process creation events, call event identification information, identification information of the events adjacent before and after the call event, function call time information, process identification information (such as a process number) corresponding to the call event, function information (such as a function name) executed in user space, and the like. The first kernel space capability call event may include the current capability call path information corresponding to the first process (which may include the current call and related information of the calls before and after it), the user information of the current capability call, the command making the current capability call, and the current capability information (such as a Linux CAP name). Part or all of the data in the first user space function call event and the first kernel space capability call event may be used directly as the first feature data, or may be processed and then used as the first feature data; this is not limited in this example.
Illustratively, the first feature data may include, for the first process: new process count information (such as the maximum, mean and variance of the number of new processes created per second within a preset time), a system call timing set (such as system call names arranged in time order), user space function call data (such as the current event number, the numbers of the adjacent events before and after it, the function call timestamp, the process number, the name of the function executed in user space, and the function call time difference between child processes of the same parent), new process creation paths (such as the new process number, the numbers of the adjacent processes before and after it, the parent process identification of the new process, the command that started the new process, the execution result of the new process, the parameters of the start command, and the creation time difference between the new process and sibling processes of the same parent), and capability call paths (such as the capability-calling process number, the numbers of the adjacent processes before and after it, the function call time difference, the user information of the capability call, and the command, parameters and name of the called capability).
The first feature data are detected with the privilege escalation detection model to obtain a first detection result.
In this example embodiment, the privilege escalation detection model may be obtained by training on a training sample set that includes normal privilege escalation events and illegal privilege escalation events. Normal privilege escalation events can be obtained by running common software, normal high-privilege processes or special privilege escalation user group processes. Illegal privilege escalation events can be obtained by capturing historical illegal privilege escalation events or by running malicious privilege escalation software. The data in the training sample set are labeled.
For example, the privilege escalation detection model may be a random forest: samples in the training sample set are drawn randomly with replacement, a random subset of the features in the first feature data is selected each time, and the selected data are split fully to obtain a decision tree. The final result is determined from the classification results of the individual decision trees, and the proportion of trees voting for each class is taken as the first detection result.
In another example embodiment, the privilege escalation detection model may be a support vector machine. The feature values corresponding to the first feature data can be mapped to a high-dimensional space through a kernel function, a classifier is learned in that space from the feature values of each training sample, and the classifier outputs a class probability value as the first detection result.
Security baseline information is determined based on the first detection result.
In this example embodiment, the maximum value of the first detection results may be used as the security baseline information, the first few largest values of the first detection results may be selected as the security baseline information, or the maximum value of the first detection results may be multiplied by a preset safety factor to give the security baseline information; this is not limited in this example.
In some embodiments, referring to fig. 4, the illegal privilege escalation detection based on the second event set comprises: performing feature extraction on the second user space function call event and the second kernel space capability call event to obtain second feature data.
In this exemplary embodiment, the second feature data may be data of the process to be detected corresponding to the first feature data, that is, for the process to be detected: the number and paths of newly created processes, user space function call paths, kernel capability call paths, system calls and other information.
Illegal privilege escalation detection is performed on the second feature data with the privilege escalation detection model to obtain a second detection result.
In this exemplary embodiment, for the random forest model, if the proportion of decision results judging the process to be an illegal privilege escalation process exceeds a preset threshold (e.g., 70%), the current process may be determined to be an illegal privilege escalation process. For the support vector machine, a probability threshold can be set for the judgment.
In some embodiments, the first set of events further includes first process identification information, the second set of events further includes second process identification information, and prior to feature extraction of the first set of events, the method further comprises:
the first user space function call event and the first kernel space capability call event are grouped according to a time window and the first process identification information, so that the processes related to the same first process identification information are divided into one group per time window.
In this exemplary embodiment, the first process identification information may be a parent process number in the first process, and the relevant data of the function call event and the capability call event of the parent process and the child processes corresponding to the parent process number may be divided into a group according to a time window. For example, function call and capability call event-related data of processes (parent process and child process) related to the same parent process number generated within ten minutes are divided into a set of data.
Prior to feature extracting the second set of events, the method further comprises:
the second user space function call event and the second kernel space capability call event are grouped according to the time window and the second process identification information, so that the processes related to the same second process identification information are divided into one group per time window.
In this exemplary embodiment, the second process identification information may be the parent process number of the process to be detected, and the function call events and capability call events of the parent process and the child processes corresponding to that parent process number are divided into a group according to a time window (5-10 minutes).
Based on the grouping result of the above embodiment, performing illegal privilege escalation detection based on the second event set includes: extracting the process creation feature data, the system call timing feature data, the user space function call feature data and the capability call path feature data of each group of data corresponding to the second event set.
In this exemplary embodiment, feature extraction can be performed on each group of data and detection performed with each group as the unit, which matches the way processes actually run and helps ensure the accuracy of the result.
The privilege escalation detection model is then used to fuse the process creation feature data, the system call timing feature data, the user space function call feature data and the kernel capability call path feature data to obtain the second detection result.
In this exemplary embodiment, the feature data in each group is fused using the model parameters of the privilege escalation detection model, so that features of multiple dimensions can be combined and the detection accuracy improved.
In some embodiments, prior to performing illegal privilege escalation detection based on the second event set, the method further comprises: performing data filtering on the second event set to filter out trusted function call data and/or capability call data.
In the present example embodiment, trusted function call data and/or capability call data may be whitelisted (e.g., by function name, capability name, i.e., Linux CAP name, user ID, etc.) to reduce the amount of data the detection process must handle.
In some embodiments, referring to fig. 5, the illegal privilege escalation detection method of a specific embodiment of the present disclosure may include the following steps.
The first step is to obtain a first event set corresponding to a first process.
In this example, the first process may include some ordinary software processes that resemble privilege escalation processes, as well as normal high-privilege escalation processes. The first event set may be the eBPF events captured while these processes run.
Second, the first user space function call event and the first kernel space capability call event are grouped according to the time window and the first process identification information, so that the data of the same first process identification information is divided into one group per time window.
In this example, the processes may be grouped according to process identification information (e.g., process ID) of the parent process, one parent process and its related child processes are divided into a group in chronological order, and the division is performed according to time windows, where each time window corresponds to a group of data.
Third, feature extraction is performed on each grouped set of first process data to obtain first feature data.
In this example, the first feature data may include process creation feature data, system call timing feature data, user space function call feature data, and capability call path feature data corresponding to the first process. The process creation feature data may include the creation path of a new process, the number of newly created processes, the time difference between adjacently created processes, and the creation time difference between the current process and child processes of the same parent process in the process tree. The user space function call feature data may include information such as the function call path (the number of the current function call event together with the numbers of the preceding and following adjacent function call events), the time difference between adjacent function call events, user space executed function information, time information, and the corresponding process number. The system call timing feature data may include the system call time and name (SYSCALL name). The capability call path feature data may include information such as the current capability call number and the preceding and following adjacent capability call numbers, capability call time information, the process ID that invoked the current CAP, the user ID that invoked the current CAP, the command that invoked the current CAP, the name of the current CAP, and the like.
Fourth, the safety baseline information is determined according to the extracted first feature data.
In this example, the first feature data may be input into the privilege escalation detection model, and the maximum value of its output may then be selected as the security baseline.
Fifth, a second event set of the process to be detected is acquired.
In this example, the second event set may be obtained by capturing the eBPF events generated while the process to be detected runs.
Sixth, data filtering is performed on the second event set to filter out trusted function call data and/or capability call data.
Seventh, the second event set is grouped according to the time window and the second process identification information, so that the data of the same second process identification information is divided into one group per time window.
Eighth, features are extracted from each group of process data to be detected to obtain the corresponding process creation feature data (creation path and time difference), system call timing feature data, user space function call feature data (call path and time difference) and capability call path feature data, i.e., the second feature data.
Ninth, the extracted second feature data is detected using the privilege escalation detection model to obtain a second detection result.
Tenth, it is judged whether the second detection result is larger than the safety baseline information; if so, the process to be detected is determined to be an illegal privilege escalation operation, and otherwise the method returns to the third step to continue monitoring.
The sequence of the steps in the above embodiments is only exemplary, and the sequence of the steps may be adjusted accordingly as needed. For example, the first step and the fifth step may be performed simultaneously.
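As an added illustration, not code from the patent or its applicant, the following Python sketch walks through the ten steps above together with the grouping (parent PID plus time window), whitelist filtering and baseline rules described earlier: constructed eBPF-style events are filtered, grouped, turned into multi-dimensional features, scored by a stand-in weighted scorer that takes the place of the trained random forest/SVM, and compared against a baseline taken as the maximum score of known-normal groups times a safety factor. The event field names, whitelist entries, weights and sample events are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Event:
    """One eBPF-style record; field names are assumptions for this example."""
    ppid: int   # parent PID, the process identification information used for grouping
    ts: float   # timestamp in seconds
    kind: str   # "exec" (process creation), "func" (user-space call), "syscall" or "cap"
    name: str   # path, function name, syscall name or Linux CAP name

# Whitelisted (trusted) function / capability names and the CAPs the stand-in
# scorer treats as high-risk: all hypothetical choices for this example.
TRUSTED_FUNCS = {"libc:getenv", "libc:printf"}
TRUSTED_CAPS = {"CAP_NET_BIND_SERVICE"}
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SETUID", "CAP_DAC_OVERRIDE"}
# Stand-in for the trained random forest / SVM: hypothetical linear weights.
WEIGHTS = {"n_exec": 0.05, "n_func": 0.02, "n_syscall": 0.01,
           "n_cap": 0.10, "n_distinct_cap": 0.15}

def filter_trusted(events):
    """Step six: drop whitelisted function and capability events."""
    return [e for e in events
            if not (e.kind == "func" and e.name in TRUSTED_FUNCS)
            and not (e.kind == "cap" and e.name in TRUSTED_CAPS)]

def group_events(events, window):
    """Group by (parent PID, time-window index): one process tree per window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.ppid, int(e.ts // window))].append(e)
    return {k: sorted(v, key=lambda e: e.ts) for k, v in groups.items()}

def extract_features(group):
    """Multi-dimensional features of one group: process creation count and
    spacing, user-space call count, syscall count, CAP count and call path."""
    execs = [e for e in group if e.kind == "exec"]
    caps = [e for e in group if e.kind == "cap"]
    gaps = [b.ts - a.ts for a, b in zip(execs, execs[1:])]
    return {"n_exec": len(execs),
            "exec_gap": mean(gaps) if gaps else 0.0,
            "n_func": sum(e.kind == "func" for e in group),
            "n_syscall": sum(e.kind == "syscall" for e in group),
            "n_cap": len(caps),
            "n_distinct_cap": len({e.name for e in caps}),
            "cap_path": tuple(e.name for e in caps)}

def score(features):
    """Stand-in model: weighted sum plus penalties for risky CAPs in the call
    path and for bursts of process creation, clipped to [0, 1]."""
    s = sum(WEIGHTS[k] * features[k] for k in WEIGHTS)
    s += 0.2 * sum(c in RISKY_CAPS for c in features["cap_path"])
    if features["n_exec"] >= 2 and features["exec_gap"] < 1.0:
        s += 0.2  # rapid fork/exec chain
    return max(0.0, min(1.0, s))

def security_baseline(normal_events, window=600.0, safety_factor=1.1):
    """Steps one to four: the maximum score over known-normal groups, times a
    preset safety factor, is the security baseline."""
    groups = group_events(filter_trusted(normal_events), window)
    return max(score(extract_features(g)) for g in groups.values()) * safety_factor

def detect(pending_events, baseline, window=600.0):
    """Steps five to ten: {(ppid, window): (score, illegal)}, where illegal
    means the score exceeds the baseline."""
    groups = group_events(filter_trusted(pending_events), window)
    scores = {k: score(extract_features(g)) for k, g in groups.items()}
    return {k: (s, s > baseline) for k, s in scores.items()}

# Constructed sample events. Parent 100 is a legitimate high-privilege tool and
# parent 200 an ordinary editor; both feed the baseline.
NORMAL_EVENTS = [
    Event(100, 0.0, "exec", "/usr/bin/sudo"), Event(100, 0.5, "cap", "CAP_SETUID"),
    Event(100, 0.6, "syscall", "setuid"), Event(100, 0.7, "func", "libc:getenv"),
    Event(100, 5.0, "exec", "/bin/ls"),
    Event(200, 0.0, "exec", "/usr/bin/vim"), Event(200, 1.0, "func", "libc:printf"),
    Event(200, 2.0, "func", "libc:open"), Event(200, 2.1, "syscall", "openat"),
]
# Parent 300 spawns a shell in a burst and touches three risky CAPs; parent 400
# is an ordinary user's mysql client, seen again in a later time window.
PENDING_EVENTS = [
    Event(300, 0.0, "exec", "/tmp/x"), Event(300, 0.2, "exec", "/bin/sh"),
    Event(300, 0.3, "cap", "CAP_SETUID"), Event(300, 0.4, "cap", "CAP_SYS_ADMIN"),
    Event(300, 0.5, "cap", "CAP_DAC_OVERRIDE"), Event(300, 0.6, "syscall", "setuid"),
    Event(300, 0.7, "syscall", "execve"), Event(300, 0.8, "func", "libc:system"),
    Event(400, 0.0, "exec", "/usr/bin/mysql"), Event(400, 0.1, "func", "libc:getenv"),
    Event(400, 0.2, "syscall", "connect"), Event(400, 0.3, "cap", "CAP_NET_BIND_SERVICE"),
    Event(400, 700.0, "exec", "/usr/bin/mysql"),
]

if __name__ == "__main__":
    baseline = security_baseline(NORMAL_EVENTS)
    print(f"security baseline: {baseline:.3f}")
    for (ppid, win), (s, illegal) in sorted(detect(PENDING_EVENTS, baseline).items()):
        print(f"ppid={ppid} window={win} score={s:.3f} illegal={illegal}")
```

The legitimate sudo group sets the baseline high enough that the mysql client's ordinary access stays below it, which is the false-positive case the baseline is meant to exclude, while the bursty shell spawn with three risky CAPs exceeds it.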
According to the method, eBPF data are used to obtain monitoring data from the function call and CAP capability call processes in real time, and features of multiple dimensions, such as new process creation features (including number and paths), SYSCALL system call timing features, user space function call features (including call paths and time differences), child process creation time differences corresponding to the process tree, and CAP capability call features (including paths and time differences), are fused. Normal privilege escalation and illegal privilege escalation can thus be distinguished comprehensively across multiple dimensions, improving the detection accuracy for illegal privilege escalation operations (such as abnormal privilege escalation behaviour on a Linux system).
According to the method and the device, setting the safety baseline information avoids the problem of a special service process being mistakenly detected as an illegal privilege escalation process when a specific user group, namely ordinary users with access rights to a special service (such as ordinary users with mysql service access rights), accesses that service; the case of an ordinary user invoking normal access to the special service process can be effectively excluded, so that the false alarm rate is reduced and the detection accuracy further improved. The safety baseline information of the method can be adjusted dynamically, allowing flexible management and discrimination of normal process behaviour, greatly enhancing the ability of a Linux host to identify privilege escalation, and ensuring stable and sustainable optimization of the host's security detection capability.
Referring to fig. 6, this exemplary embodiment further provides an illegal privilege escalation detection apparatus 600. The apparatus 600 includes a first determining module 610, a detecting module 620 and a second determining module 630. The first determining module 610 is configured to obtain a first event set corresponding to a first process and determine security baseline information based on the first event set; the detecting module 620 is configured to obtain a second event set corresponding to the process to be detected and perform illegal privilege escalation detection based on the second event set to obtain a second detection result, the second event set comprising a second user space function call event and a second kernel space capability call event; and the second determining module 630 is configured to determine whether the process to be detected is an illegal privilege escalation operation based on the second detection result and the security baseline information.
In one embodiment of the present disclosure, the first event set includes a first user-space function call event and a first kernel-space capability call event; the first determination module 610 includes a first feature extraction submodule, a first detection submodule and a first determination submodule. The first feature extraction submodule is used for performing feature extraction on the first user space function call event and the first kernel space capability call event to obtain first feature data; the first detection submodule is used for detecting the first feature data using a privilege escalation detection model to obtain a first detection result; and the first determination submodule is used for determining safety baseline information based on the first detection result. The privilege escalation detection model is obtained by training on a training sample set, and the training sample set comprises normal privilege escalation events and illegal privilege escalation events.
In an embodiment of the present disclosure, the detection module 620 includes a second feature extraction sub-module and a second detection sub-module. The second feature extraction sub-module is configured to perform feature extraction on the second user space function call event and the second kernel space capability call event to obtain second feature data; the second detection sub-module is used for performing illegal privilege escalation detection on the second feature data using the privilege escalation detection model to obtain the second detection result.
In one embodiment of the present disclosure, the first event set further includes first process identification information, the second event set further includes second process identification information, the apparatus 600 further includes a first grouping module and a second grouping module, the first grouping module is configured to group the first user-space function call event and the first kernel-space capability call event according to the time window and the first process identification information before performing feature extraction on the first event set, so that data of the same first process identification information is divided into a group according to the time window;
and the second grouping module is used for grouping the second user space function call event and the second kernel space capability call event according to the time window and the second process identification information before feature extraction is performed on the second event set, so that the data of the same second process identification information is divided into one group per time window.
In one embodiment of the present disclosure, the detection module 620 may be further configured to: extract process creation feature data, system call timing feature data, user space function call feature data and capability call path feature data for each group of data corresponding to the second event set; and use the privilege escalation detection model to fuse the process creation feature data, the system call timing feature data, the user space function call feature data and the kernel capability call path feature data to obtain the second detection result.
In one embodiment of the disclosure, the second determining module is further configured to: when the second detection result is larger than the safety baseline information, determine that the process to be detected is an illegal privilege escalation operation.
In one embodiment of the present disclosure, the apparatus 600 further includes a data filtering module, which may be configured to perform data filtering on the second event set to filter out trusted function call data and/or capability call data before illegal privilege escalation detection is performed based on the second event set.
The details of each module/unit of the illegal privilege escalation detection apparatus in the above embodiment have already been described in detail for the corresponding illegal privilege escalation detection method, and therefore are not repeated here.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform the method of the embodiments described above. For example, the device may implement the steps shown in fig. 2-5.
It should be noted that the computer readable media shown in the present disclosure may be computer readable signal media or computer readable storage media or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
In addition, in an exemplary embodiment of the present disclosure, an apparatus capable of implementing the above method is also provided. As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module" or "system."
Referring to fig. 7, fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure. As shown in fig. 7, the computer device 700 includes a processor 710, a memory 720, an input/output interface 730, and a communication bus 740. The processor 710 is coupled to the memory 720 and the input/output interface 730; for example, the processor 710 may be coupled to the memory 720 and the input/output interface 730 via the communication bus 740. The processor 710 is configured to support the computer device in performing the corresponding functions of the illegal privilege escalation detection methods of fig. 2-5. The processor 710 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof. The hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a Field-Programmable Gate Array (FPGA), Generic Array Logic (GAL), or any combination thereof. The memory 720 is used for storing program code and the like. The memory 720 may include volatile memory (VM), such as Random Access Memory (RAM); the memory 720 may also include non-volatile memory (NVM), such as Read-Only Memory (ROM), flash memory, a Hard Disk Drive (HDD) or a Solid-State Drive (SSD); the memory 720 may also include combinations of the above types of memory.
The input/output interface 730 is used for inputting or outputting data.
The processor 710 may call the above program code to perform the following operations:
acquiring a first event set corresponding to a first process, and determining safety baseline information based on the first event set; acquiring a second event set corresponding to the process to be detected, and performing illegal privilege escalation detection based on the second event set to obtain a second detection result, the second event set comprising a second user space function call event and a second kernel space capability call event; and determining whether the process to be detected is an illegal privilege escalation operation based on the second detection result and the safety baseline information.
Optionally, the first event set includes a first user space function call event and a first kernel space capability call event, and when determining security baseline information based on the first event set the processor 710 may further perform the following operations: performing feature extraction on the first user space function call event and the first kernel space capability call event to obtain first feature data; detecting the first feature data using a privilege escalation detection model to obtain a first detection result; and determining safety baseline information based on the first detection result. The privilege escalation detection model is obtained by training on a training sample set, wherein the training sample set comprises normal privilege escalation events and illegal privilege escalation events.
Optionally, when performing illegal privilege escalation detection based on the second event set, the processor 710 may further perform the following operations: performing feature extraction on the second user space function call event and the second kernel space capability call event to obtain second feature data; and performing illegal privilege escalation detection on the second feature data using the privilege escalation detection model to obtain the second detection result.
Optionally, the first event set further includes first process identification information, and before performing feature extraction on the first event set, the processor 710 may further perform the following operations:
grouping the first user space function call event and the first kernel space capability call event according to the time window and the first process identification information, so that the data with the same first process identification information are divided into one group per time window.
Optionally, the second event set further includes second process identification information, and before performing feature extraction on the second event set, the processor 710 may further perform the following operations:
grouping the second user space function call event and the second kernel space capability call event according to the time window and the second process identification information, so that the data of the same second process identification information is divided into one group per time window.
Optionally, based on the second detection result and the safety baseline information, the processor 710 may further perform the following operation: when the second detection result is larger than the safety baseline information, determining that the process to be detected is an illegal privilege escalation operation.
Optionally, the processor 710 may further perform the following operations: data filtering is performed on the second set of events to filter out trusted function call data and/or capability call data.
It should be noted that, the implementation of each operation may also correspond to the corresponding description of the method embodiments shown in fig. 2 to fig. 5; the processor 710 may also cooperate with the i/o interface 730 to perform other operations in the above method embodiments.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to make a device execute the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although the various steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc., are all considered part of this disclosure.
It should be understood that the disclosure disclosed and defined in this specification extends to all alternative combinations of two or more of the individual features mentioned or evident from the text and/or drawings. All of these different combinations constitute various alternative aspects of the present disclosure. The embodiments of this specification illustrate the best mode known for carrying out the disclosure and will enable those skilled in the art to utilize the disclosure.

Claims (10)

1. An illegal privilege escalation detection method, characterized in that the method comprises:
acquiring a first event set corresponding to a first process, and determining safety baseline information based on the first event set;
acquiring a second event set corresponding to a process to be detected, and performing illegal privilege escalation detection based on the second event set to obtain a second detection result; the second event set comprises a second user space function call event and a second kernel space capability call event;
and determining whether the process to be detected is an illegal privilege escalation operation based on the second detection result and the safety baseline information.
2. The illegal privilege escalation detection method of claim 1, wherein the first event set includes a first user-space function call event and a first kernel-space capability call event; determining security baseline information based on the first event set comprises:
performing feature extraction on the first user space function call event and the first kernel space capability call event to obtain first feature data;
detecting the first feature data by adopting a privilege escalation detection model to obtain a first detection result;
determining the safety baseline information based on the first detection result;
the privilege escalation detection model is obtained by training on a training sample set, wherein the training sample set comprises a normal privilege escalation event and an illegal privilege escalation event.
3. The illegal privilege escalation detection method according to claim 2, wherein the illegal privilege escalation detection based on the second event set includes:
performing feature extraction on the second user space function call event and the second kernel space capability call event to obtain second feature data;
and performing illegal privilege escalation detection on the second feature data by adopting the privilege escalation detection model to obtain the second detection result.
4. The illegal privilege escalation detection method of claim 3, wherein the first event set further includes first process identification information, the second event set further includes second process identification information, and before feature extraction is performed on the first event set, the method further includes:
grouping the first user space function call event and the first kernel space capability call event according to a time window and the first process identification information, so that data with the same first process identification information are divided into a group according to the time window;
before feature extraction is performed on the second event set, the method further comprises:
grouping the second user space function call event and the second kernel space capability call event according to a time window and the second process identification information, so that the data of the same second process identification information is divided into a group according to the time window.
5. The illegal privilege escalation detection method according to claim 4, wherein said performing illegal privilege escalation detection based on said second event set comprises:
extracting process creation feature data, system call timing feature data, user space function call feature data and capability call path feature data of each group of data corresponding to the second event set;
and fusing the process creation feature data, the system call timing feature data, the user space function call feature data and the kernel capability call path feature data by adopting a privilege escalation detection model to obtain the second detection result.
6. The illegal privilege escalation detection method according to any one of claims 1-5, wherein determining whether the process to be detected is an illegal privilege escalation operation based on the second detection result and the security baseline information includes:
when the second detection result is larger than the safety baseline information, determining that the process to be detected is an illegal privilege escalation operation.
7. The illegal privilege escalation detection method of claim 1, wherein prior to performing illegal privilege escalation detection based on the second event set, the method further comprises:
performing data filtering on the second event set to filter out trusted function call data and/or capability call data.
8. An illegal privilege escalation detection apparatus, comprising:
a first determining module, configured to acquire a first event set corresponding to a first process and determine safety baseline information based on the first event set;
a detection module, configured to acquire a second event set corresponding to a process to be detected and perform illegal privilege escalation detection based on the second event set to obtain a second detection result; the second event set comprises a second user space function call event and a second kernel space capability call event;
and a second determining module, configured to determine whether the process to be detected is an illegal privilege escalation operation based on the second detection result and the safety baseline information.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
10. A computer device, comprising: a processor; and
a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any of claims 1-7 via execution of the executable instructions.
CN202210716028.XA 2022-06-22 2022-06-22 Illegal right-raising detection method and device, storage medium and computer equipment Active CN115033889B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210716028.XA CN115033889B (en) 2022-06-22 2022-06-22 Illegal right-raising detection method and device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN115033889A true CN115033889A (en) 2022-09-09
CN115033889B CN115033889B (en) 2023-10-31

Family

ID=83127617

Country Status (1)

Country Link
CN (1) CN115033889B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104679593A (en) * 2015-03-13 2015-06-03 浪潮集团有限公司 Task scheduling optimization method based on SMP system
CN105245543A (en) * 2015-10-28 2016-01-13 中国人民解放军国防科学技术大学 Operating system mandatory access control method based on security marker randomization
CN108038049A (en) * 2017-12-13 2018-05-15 西安电子科技大学 Real-time logs control system and control method, cloud computing system and server
WO2019033973A1 (en) * 2017-08-18 2019-02-21 阿里巴巴集团控股有限公司 Privilege escalation prevention detection method and device
US20190311115A1 (en) * 2018-04-06 2019-10-10 Palo Alto Networks, Inc. Privilege escalation protection
CN111191226A (en) * 2019-07-04 2020-05-22 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for determining a program exploiting a privilege escalation vulnerability
CN111259386A (en) * 2018-12-03 2020-06-09 阿里巴巴集团控股有限公司 Kernel security detection method, device, equipment and storage medium
CN111291364A (en) * 2018-12-07 2020-06-16 阿里巴巴集团控股有限公司 Kernel security detection method, device, equipment and storage medium
CN111782416A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 Data reporting method, device, system, terminal and computer readable storage medium
CN113821316A (en) * 2021-06-10 2021-12-21 腾讯科技(深圳)有限公司 Abnormal process detection method and device, storage medium and electronic equipment
CN113868626A (en) * 2021-09-29 2021-12-31 杭州默安科技有限公司 Method and system for detecting privilege escalation vulnerabilities and computer readable storage medium
CN113987435A (en) * 2021-09-26 2022-01-28 奇安信科技集团股份有限公司 Illegal privilege escalation detection method and device, electronic equipment and storage medium
CN114143037A (en) * 2021-11-05 2022-03-04 山东省计算中心(国家超级计算济南中心) Malicious encrypted channel detection method based on process behavior analysis
US11314859B1 (en) * 2018-06-27 2022-04-26 FireEye Security Holdings, Inc. Cyber-security system and method for detecting escalation of privileges within an access token
CN114547175A (en) * 2022-03-01 2022-05-27 北京京东振世信息技术有限公司 Data processing method, device, storage medium and computer system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
TOSHIHIRO YAMAUCHI et al.: "Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes", 2018 IEEE CONFERENCE ON DEPENDABLE AND SECURE COMPUTING (DSC) *
徐其望; 陈震杭; 彭国军; 张焕国: "An automated rapid vulnerability protection method based on early-warning information", 信息安全学报, no. 01, pages 78-86 *
王文伟; 刘培顺: "Research on Row Hammer vulnerability attacks", 网络与信息安全学报, no. 01, pages 73-79 *
陈驰 et al.: "Malicious use and detection mechanisms of eBPF in Linux", pages 12-13, Retrieved from the Internet <URL:https://tech.meituan.com/2022/04/07/how-to-detect-bad-ebpf-used-in-linux.html> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116049817A (en) * 2023-01-17 2023-05-02 安芯网盾(北京)科技有限公司 Method and device for real-time detection and blocking of process privilege escalation based on the Linux kernel
CN116049817B (en) * 2023-01-17 2023-09-08 安芯网盾(北京)科技有限公司 Method and device for real-time detection and blocking of process privilege escalation based on the Linux kernel

Also Published As

Publication number Publication date
CN115033889B (en) 2023-10-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
Application publication date: 20220909
Assignee: Tianyiyun Technology Co.,Ltd.
Assignor: CHINA TELECOM Corp.,Ltd.
Contract record no.: X2024110000020
Denomination of invention: Illegal privilege escalation detection method and device, storage medium and computer equipment
Granted publication date: 20231031
License type: Common License
Record date: 20240315