CN110597690A - System behavior situation perception method, system and equipment

Publication number: CN110597690A
Authority: CN (China)
Prior art keywords: data, system behavior, calling, computer, local area
Legal status: Pending
Application number: CN201910870313.5A
Other languages: Chinese (zh)
Inventors: 谭喆, 黄启明, 曾涛
Current assignees: Shenzhen Liwei Zhilian Technology Co Ltd, Shenzhen ZNV Technology Co Ltd, Nanjing ZNV Software Co Ltd
Original assignees: Shenzhen Liwei Zhilian Technology Co Ltd, Nanjing ZNV Software Co Ltd
Application filed by Shenzhen Liwei Zhilian Technology Co Ltd and Nanjing ZNV Software Co Ltd; priority to CN201910870313.5A; publication of CN110597690A.

Classifications

    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems (G > G06 > G06F > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3003)
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs (G > G06 > G06F > G06F11/00 > G06F11/30 Monitoring)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G > G06 > G06F > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/57 Certifying or maintaining trusted computer platforms)

Abstract

The embodiment of the invention provides a method, a system and equipment for sensing system behavior situation. The method comprises the following steps: acquiring system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, wherein the plurality of data probes are deployed inside the plurality of computers in the local area network; and determining a system behavior situation perception result according to the acquired system behavior data sample. According to the method provided by the embodiment of the invention, the data quantity of the system behavior data sample is increased and the diversity of the data is increased by distributing the data probes in the local area network, so that the reliability and the accuracy of the perception of the system behavior situation are improved.

Description

System behavior situation perception method, system and equipment
Technical Field
The invention relates to the technical field of computer security, in particular to a method, a system and equipment for sensing system behavior situation.
Background
Situational awareness is the ability to learn about security risks at three levels: awareness, understanding and prediction. As the importance of computer security has grown, situational awareness has begun to emerge in the field of computer security technology. System behavior refers to the calls that each process/service in an operating system makes to system resources; perceiving the system behavior situation is a new subdivision of computer security that is used to monitor and analyze system behavior.
The conventional system behavior situation perception method is usually performed for the operating system of a single computer. However, according to the 'two-eight law' (80/20 rule) of software, only two pieces of software are usually used in one operating system, and the calling sequences of their common functions to system resources are always the same, so the collected data samples of system behavior are small in quantity and tend to be identical, and system behavior situation perception cannot be performed effectively.
Disclosure of Invention
The embodiment of the invention provides a method, a system and equipment for sensing system behavior situation, which are used for solving the problems of small data sample data amount and data convergence in the existing system behavior situation sensing, so as to improve the reliability and accuracy of the system behavior situation sensing.
In a first aspect, an embodiment of the present invention provides a method for sensing a system behavior situation, including:
obtaining system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, the data probes being deployed inside the computers in the local area network;
and determining a system behavior situation perception result according to the acquired system behavior data sample.
In one possible implementation, the system behavior data sample includes vector data and traffic data. The vector data includes at least one of a calling function name, a calling parameter, a called function name and a calling relationship; the traffic data includes at least one of a target address, a source address, a protocol type, an operation type and operation data. The vector data is obtained by the data probe, by hooking, from the function calling sequences of user mode and kernel mode; the traffic data is obtained by the data probe, through a filter driver, from the input/output request packets (IRPs) of the network protocol stack and/or the file system.
In a possible implementation manner, before determining a system behavior situation awareness result according to the acquired system behavior data sample, the method further includes:
and converting the data format of the system behavior data sample into a graph data format.
In one possible implementation, converting the data format of the system behavior data sample into the graph data format includes converting the data format of the system behavior data sample according to the following rules:
the node represents a calling function or a called function, the edge represents a function calling relation, and the degree represents the called times of the function;
and/or,
the node represents either a source address or a destination address and the edge represents the direction of transmission and the protocol type.
In one possible implementation, the method further includes:
obtaining the user's label for the system behavior situation perception result, the label being either intercept or release;
and correcting the system behavior situation perception result according to the label.
In a possible implementation manner, determining a system behavior situation perception result according to the obtained system behavior data sample includes:
if a plurality of processes in the system behavior data sample all establish connections to the same target node and send data packets of the same protocol type to that target node, determining the target node to be a potential advanced persistent threat point.
In a possible implementation manner, determining a system behavior situation perception result according to the obtained system behavior data sample includes:
determining, for each calling sequence in the system behavior data sample, the advanced persistent threat present on the computer that produced that calling sequence, according to the calling sequence and a preset advanced persistent threat feature code;
and/or,
determining the advanced persistent threat present in the local area network, and the common process whose behavior the plurality of calling sequences represent, according to the behaviors of a plurality of calling sequences in the system behavior data sample and the preset advanced persistent threat feature codes.
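The two decision rules above (several processes reaching the same target node with the same protocol type, and call sequences matched against preset APT feature codes) carried through as a worked example. This is an added illustration, not code from the patent; the record layout, host and process names, addresses and the feature codes are constructed for the example, and a feature code is taken to be an ordered subsequence of called function names.

```python
from collections import defaultdict

# Constructed traffic records in the shape a data probe could report them: the
# patent's traffic fields (source/target address, protocol type, operation type)
# plus the host and process that produced the record. All values are made up.
TRAFFIC = [
    {"host": "pc-01", "process": "svchost.exe",  "src": "10.0.0.11", "dst": "203.0.113.5",  "proto": "TCP", "op": "send"},
    {"host": "pc-02", "process": "explorer.exe", "src": "10.0.0.12", "dst": "203.0.113.5",  "proto": "TCP", "op": "send"},
    {"host": "pc-03", "process": "notepad.exe",  "src": "10.0.0.13", "dst": "203.0.113.5",  "proto": "TCP", "op": "send"},
    {"host": "pc-01", "process": "chrome.exe",   "src": "10.0.0.11", "dst": "198.51.100.7", "proto": "TCP", "op": "send"},
    {"host": "pc-02", "process": "chrome.exe",   "src": "10.0.0.12", "dst": "198.51.100.7", "proto": "TCP", "op": "send"},
    {"host": "pc-03", "process": "outlook.exe",  "src": "10.0.0.13", "dst": "203.0.113.5",  "proto": "UDP", "op": "send"},
]

# Constructed vector data: the call sequence (called function names) recorded by the
# hook for each (host, process). API names are illustrative only.
CALL_SEQUENCES = {
    ("pc-01", "svchost.exe"):  ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "connect", "send"],
    ("pc-02", "explorer.exe"): ["CreateFileW", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "connect"],
    ("pc-03", "notepad.exe"):  ["CreateFileW", "ReadFile", "CloseHandle"],
}

# Preset "APT feature codes" (the patent's term), here an ordered subsequence of API
# names. Both codes are constructed for this example.
FEATURE_CODES = {
    "remote-thread-injection": ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"],
    "download-and-execute":    ["URLDownloadToFileW", "CreateProcessW"],
}


def potential_apt_targets(records, min_processes=3):
    """Rule 1: several distinct processes all connect to the same target node and
    send packets of the same protocol type, so the node is a potential APT point.
    Returns {(target, protocol): sorted [(host, process), ...]} for flagged nodes."""
    by_target = defaultdict(set)
    for r in records:
        by_target[(r["dst"], r["proto"])].add((r["host"], r["process"]))
    return {k: sorted(v) for k, v in by_target.items() if len(v) >= min_processes}


def contains_subsequence(seq, pattern):
    """True when every element of pattern occurs in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def match_feature_codes(sequences, feature_codes):
    """Rule 2a (per computer): which feature codes each call sequence matches."""
    hits = {}
    for key, seq in sequences.items():
        matched = [name for name, pat in feature_codes.items() if contains_subsequence(seq, pat)]
        if matched:
            hits[key] = matched
    return hits


def lan_wide_threats(sequences, feature_codes, min_hosts=2):
    """Rule 2b (whole LAN): a feature code matched on several computers is reported
    once for the LAN together with the processes (the 'common process') it appeared in."""
    seen = defaultdict(lambda: {"hosts": set(), "processes": set()})
    for (host, proc), matched in match_feature_codes(sequences, feature_codes).items():
        for name in matched:
            seen[name]["hosts"].add(host)
            seen[name]["processes"].add(proc)
    return {name: {"hosts": sorted(v["hosts"]), "processes": sorted(v["processes"])}
            for name, v in seen.items() if len(v["hosts"]) >= min_hosts}


def correlate(records, sequences, feature_codes):
    """Join both rules: for each flagged target node, the connecting processes whose
    own call sequence also matched a feature code. Returns {(target, protocol): [...]}."""
    hits = match_feature_codes(sequences, feature_codes)
    return {target: [p for p in procs if p in hits]
            for target, procs in potential_apt_targets(records).items()}


if __name__ == "__main__":
    print(potential_apt_targets(TRAFFIC))
    print(lan_wide_threats(CALL_SEQUENCES, FEATURE_CODES))
    print(correlate(TRAFFIC, CALL_SEQUENCES, FEATURE_CODES))
```

The thresholds `min_processes` and `min_hosts` are example parameters; the patent states the rules without numbers.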
In a second aspect, an embodiment of the present invention provides a system behavior situational awareness system, including:
an acquisition module, configured to obtain system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, the plurality of data probes being deployed in the plurality of computers in the local area network;
and the processing module is used for determining a system behavior situation perception result according to the acquired system behavior data sample.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes computer-executable instructions stored by the memory to cause the at least one processor to perform the system behavior situational awareness method of any of the first aspects.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and when the computer-executable instructions are executed by a processor, the computer-executable instructions are used to implement the system behavior situation awareness method according to any one of the first aspect.
According to the method, system and equipment for perceiving the system behavior situation provided by the embodiment of the invention, system behavior data samples of a plurality of computers in a local area network are obtained through a plurality of data probes deployed in those computers, and the system behavior situation perception result is determined from the obtained samples, so that situation perception of the system behavior of each computer in the local area network is realized. Because the samples are obtained through data probes distributed across the computers, the number of samples is increased; and because computer users differ in their usage habits, the calling sequence codes generated by the computers differ, so the similarity between samples is reduced, differences in time and space are masked, the reliability of the data samples is improved, and the reliability and accuracy of the system behavior situation perception result can be improved.
Drawings
FIG. 1 is a flowchart of an embodiment of a system behavior situation awareness method according to the present invention;
FIG. 2 is a diagram illustrating vector data acquisition according to an embodiment of the present invention;
FIG. 3 is a schematic view of the hook principle of an inline hook;
FIG. 4 is a schematic diagram of acquiring traffic data according to an embodiment of the present invention;
FIG. 5 is a sample diagram of system behavior data in a graph data format according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a method for system behavior situational awareness in accordance with another embodiment of the present invention;
FIG. 7 is a diagram illustrating an embodiment of determining a system behavior situation awareness result according to the present invention;
FIG. 8 is a schematic structural diagram of an embodiment of a system behavior situational awareness system provided in the present invention;
FIG. 9 is a schematic structural diagram of a system behavior situation awareness system according to another embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an embodiment of an electronic device provided in the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings. Wherein like elements in different embodiments are numbered with like associated elements. In the following description, numerous details are set forth in order to provide a better understanding of the present application. However, those skilled in the art will readily recognize that some of the features may be omitted or replaced with other elements, materials, methods in different instances. In some instances, certain operations related to the present application have not been shown or described in detail in order to avoid obscuring the core of the present application from excessive description, and it is not necessary for those skilled in the art to describe these operations in detail, so that they may be fully understood from the description in the specification and the general knowledge in the art.
Furthermore, the features, operations or characteristics described in the specification may be combined in any suitable manner to form various embodiments. Likewise, the steps or actions in the method descriptions may be transposed or reordered, as will be apparent to one of ordinary skill in the art. Thus, the sequences in the specification and drawings describe certain embodiments only and do not imply a required order unless it is stated that such an order must be followed.
The numbering of the components as such, e.g., "first", "second", etc., is used herein only to distinguish the objects as described, and does not have any sequential or technical meaning. The term "connected" and "coupled" when used in this application, unless otherwise indicated, includes both direct and indirect connections (couplings).
The method provided by the embodiment of the invention can be applied to a local area network, wherein the local area network refers to a computer group formed by interconnection of a plurality of computers in a certain area, for example, a plurality of computers in a company or a campus can be interconnected to form the local area network. The computers in the local area network may be interconnected by wire and/or wirelessly.
In a local area network environment, the probability that any given computer is attacked by an Advanced Persistent Threat (APT) is usually the same for every computer; in particular, worm infections are ubiquitous, and generally only one individual computer is attacked. At the same time, because computer users differ in their usage habits and purposes, it is impossible for all computers in a LAN to run the same software/process at the same moment. An APT attack in a local area network therefore has the following three characteristics:
1) Consistency of behavior state: the phenomena caused by an APT attack are generally consistent, that is, the behavior inside the infected software is the same; for example, a connection is established to the remote end through the same Socket Application Programming Interface (API), the remote address and port are the same, the session handshake messages are the same, and so on.
2) Temporal variability of behavior: because the computers in a LAN do not usually run the infected software at the same time, few individuals in the LAN exhibit the abnormal behavior at any one moment.
3) Similarity of the parasitic host: an APT attack needs a suitable host environment (a vulnerability), such as a data memory page without Data Execution Prevention (DEP), a condition that allows a stack overflow, and the like; the attacked process may be the same process on every computer in the LAN, or different processes that share the same vulnerability. Thus the host processes of an APT are identical or similar in the vulnerability they carry.
The existing system behavior situation perception method is generally aimed at the operating system of a single computer: for example, antivirus software, an Intrusion Detection System (IDS) and the like are installed in the computer. Its focus is antivirus, vulnerability scanning and the like, and it has few situational awareness characteristics; because of the 'two-eight law' of software, the system behavior data samples are small in number and suffer from data convergence, so the system behavior situation cannot be perceived effectively. How the present application solves these problems is described below through detailed examples.
Fig. 1 is a flowchart of an embodiment of a system behavior situation awareness method provided in the present invention. As shown in fig. 1, the method for sensing system behavior situation provided by this embodiment may include:
S101, obtaining system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, wherein the plurality of data probes are deployed in the plurality of computers in the local area network.
In this embodiment, first, the data probes need to be deployed in a distributed manner in the local area network, that is, for a computer in the local area network that needs to perform system behavior situational awareness, the data probes need to be deployed in the computer in advance. The data probe is used for acquiring system behavior data samples of the computer, and can be implemented in a software, hardware or combination of software and hardware, for example, by installing a client in the computer. The system behavior data sample in this embodiment is a data sample generated in a process in which each process/service in the operating system of the computer calls a system resource.
And S102, determining a system behavior situation perception result according to the acquired system behavior data sample.
In this embodiment, after the system behavior data samples of the multiple computers are obtained, the system behavior situation can be perceived according to the obtained system behavior data samples, so as to determine a system behavior situation perception result. The system behavior situation awareness result in this embodiment may be for a single computer, for example, a computer faces the risk of APT attack, or may be for the entire local area network or multiple computers in the local area network.
Optionally, in this embodiment, after the system behavior situation awareness result is determined, the system behavior situation awareness result may be sent to the relevant computers, so that each relevant computer can perform corresponding processing according to the result, for example, to prohibit running of risk software, delete a file with potential safety hazard, and the like. If the system behavior situation perception result is specific to a single computer, the result can be sent to the specific computer according to computer identification, such as an Internet Protocol (IP) address, a Media Access Control (MAC) address, and the like; if the system behavior situation awareness result is for the entire lan, the result may be sent to all computers in the lan.
It can be understood that, after receiving the system behavior situation perception result, the computer may further display the relevant information of the system behavior situation perception result to the user through the human-computer interaction interface, provide the user with operation options, such as interception, release, and the like, and execute subsequent operations according to the feedback of the user.
It should be noted that the method provided in this embodiment may be executed by any computer in the local area network, and may be a computer of a certain user, or may be a computer that is deployed in the local area network and is dedicated to system behavior situational awareness.
In the method for sensing the system behavior situation provided by this embodiment, system behavior data samples of a plurality of computers in a local area network are obtained through a plurality of data probes deployed inside those computers, and the system behavior situation sensing result is determined from the obtained samples, so that situation sensing of the system behavior of each computer in the local area network is realized. Because the samples are obtained through data probes distributed across the computers, the number of samples is increased; and because computer users differ in their usage habits, the calling sequence codes generated by the computers differ, so the similarity between samples is reduced, differences in time and space are masked, the reliability of the data samples is improved, and the reliability and accuracy of the system behavior situation perception result can be improved.
On the basis of the above embodiments, in order to further increase the diversity of the samples, the method provided by the present embodiment further improves the way the data samples are collected. Specifically, in the method provided by this embodiment, the system behavior data sample includes vector data and traffic data. The vector data includes at least one of a calling function name, a calling parameter, a called function name and a calling relationship; the traffic data includes at least one of a target address, a source address, a protocol type, an operation type and operation data. The vector data is obtained by the data probe, by hooking, from the function calling sequences of user mode and kernel mode; the traffic data is obtained by the data probe, through a filter driver, from the input/output request packets (IRPs) of the network protocol stack and/or the file system.
Two specific embodiments will be used below to illustrate how vector data and traffic data are obtained, respectively.
Fig. 2 is a schematic diagram of obtaining vector data according to an embodiment of the present invention. In this embodiment, the vector data is obtained by hooking. As shown in fig. 2, the top half of the diagram represents a user-mode process and the bottom half a kernel-mode process. The solid lines represent the original calling sequence of the software functions, and the dotted lines represent the data probe deployed in this embodiment. As shown in fig. 2, for the user-mode process, the hook in this embodiment is implemented as shellcode: the first bytes of the hooked API entry are overwritten with jump bytes, execution jumps from the entry to the shellcode, the shellcode collects information such as the API name, parameters and virtual address, and then jumps back to the original service logic of the hooked function, which continues to execute. The shellcode in this embodiment therefore acts both as a springboard that bridges the original flow and as an observation point that collects information. In this embodiment, the shellcode may be installed by an inline hook, through the Import Address Table (IAT), through the Export Address Table (EAT), and so on. For the kernel-mode process, the hook in this embodiment may use the System Service Descriptor Table (SSDT), the Interrupt Descriptor Table (IDT), the Input/Output Request Packet handler (IRP handler), and so on.
Table 1 lists the hook objects/modes that can be used in this embodiment and their uses. As shown in Table 1, the hook objects/modes include: IDT, SSDT, IRP handler, IAT, EAT, Global Descriptor Table (GDT), Model Specific Register (MSR), Asynchronous Procedure Call (APC), binary patch and runtime patch.
TABLE 1

Hook object/mode | Description of use
IDT | Hooks interrupt handling routines, to register and monitor interrupt services
SSDT | Hooks system call routines, to register and monitor system calls
IRP Handler | Hooks driver-specific IRP handling routines; driver services such as the TCPIP driver can be registered and monitored
IAT/EAT | Import/export address table hooks, to register and monitor statically imported user-space modules
GDT | Replaces the operating system's global descriptor table
MSR | Special registers used to register and monitor fast system calls
APC | Asynchronous procedure calls can introduce a new module into, or create a new thread in, the monitored process
Binary patch | Modifies the relevant module of the monitored process on disk, i.e. an in-place patch
Runtime patch | Modifies the relevant module of the monitored process in memory, which can be realised by a detour patch
The hooking principle of the inline hook is further illustrated with fig. 3. Fig. 3 is a schematic view of the hook principle of the inline hook. The left part of fig. 3 shows the software function call sequence: instruction sequence 1 calls instruction sequence 2, and instruction sequence 2 calls instruction sequence 3. The right part of fig. 3 shows the calling sequence when the inline hook is applied: the entry of the hooked instruction sequence 1 is replaced by the jump bytes jmp 0x12345678 so that execution jumps to a bypass instruction sequence; after the required vector data has been collected in the bypass instruction sequence, execution jumps back to the original hooked instruction sequence 1 and continues.
Fig. 4 is a schematic diagram of acquiring traffic data according to an embodiment of the present invention. In this embodiment, a filter driver is used to obtain the traffic data. Fig. 4 takes the network protocol stack as an example. As shown in fig. 4, Winsock at the top represents the Socket mechanism in user mode; a Socket operation is translated into an IRP and passed to the lower layers through the Auxiliary Function Driver (AFD). In this embodiment, the network protocol stack provides an upper and a lower interface at which a hook can be registered. The upper interface is the Transport Layer Network Provider Interface (TLNPI), used to filter packets at layer four and above (at this point the packets have not yet been passed to the TCPIP driver, which is responsible for layer 2-4 protocol processing); the lower interface is the Network Driver Interface Specification (NDIS), used to filter NDIS packets, a layer close to the network card driver that is suited to low-level defense and interception. Both layers can be hooked by registering in bypass mode, meaning that the filter coexists with the existing protocol stack drivers and data is copied and distributed to the newly registered filter driver without affecting the input/output (I/O) of the original network protocol stack. In this embodiment, the traffic information obtained through the filter driver hook points at these two layers may include, for example, a target address, a source address and a message type. It should be noted that this embodiment takes two interface layers only as an example; more or fewer interfaces may be provided in actual operation. Besides the network protocol stack driver framework shown in fig. 4, a similar protocol stack exists in the file system, where hooking is mainly implemented by stacking a filter driver onto that stack; this is not described again here.
In summary, based on the above embodiments, the method for sensing the system behavior situation obtains the vector data from the function call sequences in the user mode and the kernel mode by the hook mode, and obtains the traffic data from the IRP of the network protocol stack and the file system by the filter driver, so that the diversity of the system behavior data samples is further increased, and the reliability and accuracy of sensing the system behavior situation can be further improved.
In the field of system behavior monitoring, the storage and association of call behaviors has long been a difficult and much-discussed point. At present, a relational database is usually used to store system behavior data samples, so the relationships between system resource calls cannot be reflected dynamically in real time and a call sequence cannot be displayed as a topological graph, that is, quick association cannot be realized. To solve this problem, graph data is used to represent the system behavior data samples in the present embodiment. In the method for sensing the system behavior situation provided by this embodiment, before the system behavior situation sensing result is determined from an acquired system behavior data sample, the data format of the sample is converted into a graph data format. Specifically, the data format of the system behavior data sample may be converted according to the following rules: a node represents a calling function or a called function, an edge represents a function calling relation, and the degree represents the number of times the function was called; and/or, a node represents a source address or a destination address, and an edge represents the transmission direction and the protocol type.
For example, if the obtained system behavior data sample is API1 calling API2, and API2 calling API3, it may be converted into a graph data format, and represented in the manner shown in fig. 5. Fig. 5 is a schematic diagram of a system behavior data sample in a graph data format according to an embodiment of the present invention. As shown on the left side of fig. 5, the calling function API1 and the called function API2 are represented by nodes, and the calling relationship and parameter set are represented by edges. Graph databases are good at storing and associating vector relationship data and concatenating/paralleling vector relationship data to form larger-scale vectors. The two vector data shown on the left side of fig. 5 are concatenated to obtain vector data with a larger scale on the right side.
Invocation behavior is typically represented in a sequence in a relational database, such as system behavior monitoring based on sequence patterns and association rules. However, the expression of the sequence is usually long, generally, one sequence represents the whole call stack, and the sequence needs to be regenerated when updating iteration, so that the calculation overhead is large, and the flexibility is low. The graph database supports real-time dynamic reflection of the calling relationship of the system resources, expresses the calling relationship in a vector mode, and shows a system resource calling sequence in a topological graph mode. Compared with expressing the calling relationship in a sequence mode, the vector relationship data increment iteration/expansion is easy, and reconstruction is more flexible, so that the problem of iteration calling flexibility can be solved by adopting the graph database.
It will be appreciated that after the data format of the system behavior data samples is converted into a graph data format, a graph database may be employed to store the converted samples. In this embodiment, for example, a NoSQL database such as Neo4j may be used; compared with a relational database, its query speed for highly associated data such as graph data is much faster, and it supports transactions with the Atomicity, Consistency, Isolation, and Durability (ACID) properties. Furthermore, the APT rule analysis, the virus detection engine and the vulnerability detection engine can acquire system behavior data samples from the graph database and perform the corresponding analysis processing.
The system behavior data samples converted into graph data format in this embodiment may be represented by an adjacency matrix, for example, for a call sequence with five nodes, the adjacency matrix may be represented as:
where $M(i, j)$ represents the weight of the edge between nodes $i$ and $j$, $E$ represents the set of edges, and $w_{ij}$ is a constant.
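As an added illustration of the two conversion rules and of the adjacency matrix above, the following Python code builds the call graph and the traffic graph from constructed records, concatenates the two call relations API1→API2 and API2→API3 into one chain as in fig. 5, and derives the adjacency matrix M(i, j) from the call counts. It is not code from the patent or its applicants; the record field names, the sample API names and addresses, and the choice of the call count as the edge weight w_ij are assumptions made for the example.

```python
from collections import defaultdict

# Constructed samples of the two kinds of system behavior data the description names.
# Field names (caller, callee, params, src, dst, proto) are assumptions for this example.
CALL_SAMPLES = [
    {"caller": "API1", "callee": "API2", "params": ("A1", "B1")},
    {"caller": "API2", "callee": "API3", "params": ("A2", "B2")},
    {"caller": "API1", "callee": "API2", "params": ("A1", "B2")},  # API2 called a second time
]
TRAFFIC_SAMPLES = [
    {"src": "10.0.0.1", "dst": "203.0.113.5", "proto": "TCP"},
    {"src": "10.0.0.2", "dst": "203.0.113.5", "proto": "TCP"},
]


def build_call_graph(samples):
    """Rule 1: node = calling/called function, edge = calling relation,
    degree (in-degree) = number of times the function was called."""
    edges = defaultdict(int)      # (caller, callee) -> call count, used as w_ij
    in_degree = defaultdict(int)  # callee -> times called
    for s in samples:
        edges[(s["caller"], s["callee"])] += 1
        in_degree[s["callee"]] += 1
    nodes = sorted({n for e in edges for n in e})
    return nodes, dict(edges), dict(in_degree)


def build_traffic_graph(samples):
    """Rule 2: node = source/destination address, edge = transmission direction
    (src -> dst) plus protocol type."""
    edges = defaultdict(int)      # (src, dst, proto) -> packet count
    for s in samples:
        edges[(s["src"], s["dst"], s["proto"])] += 1
    nodes = sorted({n for (src, dst, _) in edges for n in (src, dst)})
    return nodes, dict(edges)


def adjacency_matrix(nodes, edges):
    """M(i, j) = w_ij for (i, j) in E and 0 otherwise; w_ij is the call count here
    (an assumption, the description only says w_ij is a constant)."""
    idx = {n: i for i, n in enumerate(nodes)}
    m = [[0] * len(nodes) for _ in nodes]
    for (i, j), w in edges.items():
        m[idx[i]][idx[j]] = w
    return m


def concatenate_chains(edges):
    """Join vector relations head to tail, so API1->API2 and API2->API3 become the
    larger-scale vector API1->API2->API3 (the concatenation shown in fig. 5)."""
    succ = defaultdict(list)
    for (i, j) in edges:
        succ[i].append(j)
    targets = {j for js in succ.values() for j in js}
    sources = [n for n in succ if n not in targets]
    chains = []

    def walk(path):
        last = path[-1]
        if not succ.get(last):
            chains.append(path)
            return
        for nxt in succ[last]:
            if nxt not in path:          # guard against recursive call cycles
                walk(path + [nxt])

    for s in sorted(sources):
        walk([s])
    return chains


if __name__ == "__main__":
    nodes, edges, in_degree = build_call_graph(CALL_SAMPLES)
    print(nodes, edges, in_degree)
    print(adjacency_matrix(nodes, edges))
    print(concatenate_chains(edges))
    print(build_traffic_graph(TRAFFIC_SAMPLES))
```

The in-degree of API2 is 2 because it appears as the callee twice, and the same count becomes the weight of the edge API1→API2 in the matrix; a graph database would hold the same nodes and edges, with the degree available as a property of the node.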
Based on the above embodiment, the method for sensing the system behavior situation provided by this embodiment uses graph data to represent a system behavior data sample, so that not only can the relationship between system resource calls be dynamically reflected in real time and the call sequence can be visually represented in a topological graph manner, but also the speed and efficiency of sensing the system behavior situation can be improved because the graph data has high query and access efficiency.
On the basis of any of the above embodiments, in order to further improve the accuracy of sensing the behavior situation of the system and avoid erroneous judgment, the method provided in this embodiment may further include: acquiring the labeling of a user on the system behavior situation perception result, wherein the labeling comprises interception and release; and correcting the system behavior situation perception result according to the label. The marking of the system behavior situation perception result can be determined according to the input of the user by providing an operation selection interface for the user by each computer.
According to the embodiment, the learning feedback mechanism is added, the system behavior situation perception result is corrected through participation of a user, the accuracy rate of the system behavior situation perception is further improved, and the misjudgment rate is reduced.
Fig. 6 is a flowchart of a system behavior situation awareness method according to another embodiment of the present invention. As shown in fig. 6, the method provided by this embodiment may include:
S601, obtaining system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, wherein the plurality of data probes are deployed in the plurality of computers in the local area network.
S602, converting the data format of the acquired system behavior data sample into a graph data format.
S603, determining a system behavior situation perception result according to the converted system behavior data sample.
S604, obtaining the labeling of the system behavior situation perception result by the user, wherein the labeling comprises interception and release.
S605, correcting the system behavior situation perception result according to the label.
The specific implementation manner of each step in this embodiment may refer to the above embodiments, and is not described herein again.
According to the system behavior situation perception method provided by this embodiment, the system behavior data samples of a plurality of computers can be obtained through a plurality of data probes distributed in those computers, so that the number of samples is increased, the convergence of the samples is reduced, and the reliability of the data samples is improved; by using graph data to represent the system behavior data samples, the relationship between system resource calls can be reflected dynamically and visually in real time, incremental iteration/expansion is easy, reconstruction is more flexible, and the speed and efficiency of system behavior situation perception are improved; by adding a learning feedback mechanism, the system behavior situation perception result is corrected through the participation of a user, and the misjudgment rate can be reduced. In conclusion, the method provided by this embodiment can improve the reliability and accuracy of system behavior situation perception.
How to determine the system behavior situation awareness result will be explained by two specific embodiments.
In a possible implementation manner, determining a system behavior situation awareness result according to the obtained system behavior data sample may include: and if a plurality of processes exist in the system behavior data sample and all establish connection with the same target node, and data packets of the same type of protocol are sent to the target node, determining the target node as a potential Advanced Persistent Threat (APT) point.
Fig. 7 is a schematic diagram of an embodiment of determining a system behavior situation awareness result according to the present invention. As shown in fig. 7, by analyzing the obtained system behavior data samples, it is determined that processes for establishing connection with the same target node exist in the host 1, the host 2, and the host 3 in the local area network, and the processes also send data packets of the same type of protocol to the target node, so that the target node can be determined to be a potential APT point. And then, a warning can be sent to the user to inform the user of potential risks, and the annotation of the user on the system behavior situation perception result can be received.
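The rule of fig. 7 can be illustrated with a small Python example that groups connection records by target node and protocol type and flags a target reached by several distinct processes with the same protocol, then applies a user label (interception or release) as the learning feedback mechanism would. This is an added example, not code from the patent or its applicants; the record fields, the host and process names, the addresses, and the threshold of two processes (the description says only "a plurality") are assumptions made for the example.

```python
from collections import defaultdict

# Constructed connection records, in the shape a processing module might read back
# from the graph database (host, process, target node, protocol type). Host and
# process names and the addresses are made-up sample values.
CONNECTION_RECORDS = [
    {"host": "host1", "process": "svc_a.exe",   "target": "198.51.100.7",  "proto": "HTTPS"},
    {"host": "host2", "process": "updater.exe", "target": "198.51.100.7",  "proto": "HTTPS"},
    {"host": "host3", "process": "helper.exe",  "target": "198.51.100.7",  "proto": "HTTPS"},
    {"host": "host1", "process": "browser.exe", "target": "93.184.216.34", "proto": "HTTPS"},
    {"host": "host2", "process": "mail.exe",    "target": "198.51.100.7",  "proto": "SMTP"},
]


def find_potential_apt_points(records, min_processes=2):
    """Group records by (target node, protocol type). A target that several distinct
    processes connect to with packets of the same protocol type is reported as a
    potential APT point, together with the (host, process) pairs involved.
    min_processes is an assumed threshold for 'a plurality of processes'."""
    by_target = defaultdict(set)
    for r in records:
        by_target[(r["target"], r["proto"])].add((r["host"], r["process"]))
    flagged = {}
    for (target, proto), procs in by_target.items():
        if len(procs) >= min_processes:
            flagged[(target, proto)] = sorted(procs)
    return flagged


def apply_user_label(result, labels):
    """Learning feedback: labels map a target address to 'intercept' or 'release'.
    A released target is removed from the perception result; an intercepted one
    (or an unlabeled one) is kept."""
    corrected = {}
    for (target, proto), procs in result.items():
        if labels.get(target, "intercept") == "intercept":
            corrected[(target, proto)] = procs
    return corrected


if __name__ == "__main__":
    result = find_potential_apt_points(CONNECTION_RECORDS)
    for (target, proto), procs in result.items():
        print(f"potential APT point {target} ({proto}): {procs}")
    print(apply_user_label(result, {"198.51.100.7": "release"}))
```

Only 198.51.100.7 over HTTPS is flagged: three processes on three hosts reach it with the same protocol, while the SMTP connection to the same address and the HTTPS connection to the other address each come from a single process. A release label from the user removes the point from the result, which is the correction step of the learning feedback mechanism.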
In a possible implementation manner, determining a system behavior situation awareness result according to the obtained system behavior data sample may include:
determining the advanced persistent threat existing in the computer corresponding to each calling sequence according to each calling sequence in the system behavior data sample and a preset advanced persistent threat feature code;
and/or,
determining the advanced persistent threat existing in the local area network according to the behavior sum of a plurality of calling sequences in the system behavior data sample and a preset advanced persistent threat feature code, where the behavior sum represents the common process of the plurality of calling sequences.
In the embodiment, the threat is identified based on the feature codes, and the system behavior situation is perceived. Specifically, in this embodiment, the threat is identified based on the APT feature code, and the APT feature code in this embodiment may be predetermined according to the historical data.
TABLE 2
API name/address | Parameter A | Parameter B | ... | Parameter N | Calling time | Number of calls
API1 | A1 | B1 | ... | N1 | Time1 | X
API2 | A2 | B2 | ... | N2 | Time2 | Y
Table 2 is an API call relationship table. In a calling sequence, V represents vector data, KV represents weighted vector data, and K represents the vector weight; the factors determining K may include parameter legality, call stack depth, call type (fast call/trap call), criticality of the called interface, number of calls, and the like.
Thus, one calling sequence can be represented as $\Sigma(V) = K_1V_1 + K_2V_2 + K_3V_3 + \cdots + K_nV_n$. The formula of each calling sequence in the system behavior data samples of each computer can be compared with the APT feature code formula to mine the feature behaviors that conform to the feature code formula. A feature behavior conforming to the feature code formula fluctuates within the range allowed by the weights defined by the feature code, that is, it is greater than or equal to the lower boundary value of the feature code and less than or equal to the upper boundary value of the feature code. According to the calling sequences and the APT feature codes, potential risks and the APT threats present in the computers can be identified.
In the present application, since a plurality of data probes are deployed in a distributed manner in the local area network, the calling sequences acquired by the data probes are not identical. For example, the calling sequences of two operating systems may be as follows:
Operating system 1: $\Sigma(V) = K_1V_1 + K_2V_2 + K_3V_3 + \cdots + K_nV_n$
Operating system 2: $\Sigma(V) = M_2V_2 + M_3V_3 + M_4V_4 + \cdots + M_iV_i$
where $i \geq n$.
For data probes deployed in a distributed manner, this embodiment adopts a behavior sum, which represents the common process of multiple calling sequences across multiple operating systems. Specifically, the common terms of the sequences are taken (in the manner of a greatest common divisor) and the weights serving as their coefficients are accumulated, so the behavior sum of operating system 1 and operating system 2 may be represented as $(K_2+M_2)V_2 + (K_3+M_3)V_3 + (K_4+M_4)V_4 + \cdots + (K_n+M_n)V_n$. The behavior sum can be used to analyze the suspiciousness of a calling behavior throughout the distributed system.
Furthermore, in the process of determining the system behavior situation perception result, an active interception/release mechanism of a user can be added through a learning feedback mechanism, so that the APT behavior feature code can be generated or changed. Also, the vector weights are not invariant, but can be dynamically adjusted. For example, in a system call from a user mode to a kernel mode, the SSDT is an optimal ideal hook point for various security software and is also an ideal hook point for malware, so that the vector weight of the kernel-mode system call can be increased; the call parameter can also be used as a tool for stack overflow, so the proportion of the call parameter in the vector can be adjusted and strengthened.
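The weighted sum Σ(V), the comparison against a feature code's lower and upper boundaries, the cross-host behavior sum over the common terms, and the adjustable weight of kernel-mode calls described in the preceding paragraphs can be carried through in one Python example. This is an added example, not code from the patent or its applicants; the way K is computed from the listed factors, the feature vectors V_i, the feature code boundaries, the sample values, and the reading of the "greatest common divisor" step as the intersection of the two sequences' V_i terms are all assumptions made for the example.

```python
# Constructed calling sequences from two operating systems. Each entry maps a vector
# identifier V_i (the called interface) to its vector data and to the factors that set
# its weight K_i (operating system 1) or M_i (operating system 2). All values are
# made up for the example; the factor scales are assumptions.
OS1_CALLS = {
    "V1": {"vector": (1.0, 0.0, 0.0), "legal_params": True,  "depth": 2, "kernel": False, "criticality": 1, "calls": 3},
    "V2": {"vector": (0.0, 1.0, 0.0), "legal_params": True,  "depth": 4, "kernel": True,  "criticality": 3, "calls": 1},
    "V3": {"vector": (0.0, 0.0, 1.0), "legal_params": False, "depth": 6, "kernel": True,  "criticality": 3, "calls": 2},
}
OS2_CALLS = {
    "V2": {"vector": (0.0, 1.0, 0.0), "legal_params": True,  "depth": 3, "kernel": True,  "criticality": 3, "calls": 2},
    "V3": {"vector": (0.0, 0.0, 1.0), "legal_params": False, "depth": 5, "kernel": True,  "criticality": 3, "calls": 1},
    "V4": {"vector": (1.0, 1.0, 0.0), "legal_params": True,  "depth": 1, "kernel": False, "criticality": 1, "calls": 1},
}

# Hypothetical APT feature code: per-component lower and upper boundary on Σ(V).
FEATURE_CODE = {"lower": (0.0, 4.0, 6.0), "upper": (5.0, 9.0, 14.0)}


def vector_weight(call, kernel_bonus=1.0):
    """K_i from the factors the description lists: interface criticality and number of
    calls, call stack depth, parameter legality, and call type (kernel-mode calls get
    kernel_bonus, which is the weight that can be raised for SSDT-level calls).
    The arithmetic is an assumed scoring, not the patent's formula."""
    k = float(call["criticality"]) * call["calls"]
    k += 0.5 * call["depth"]
    if not call["legal_params"]:
        k += 2.0
    if call["kernel"]:
        k += kernel_bonus
    return k


def weighted_sum(calls, kernel_bonus=1.0):
    """Σ(V) = K1V1 + K2V2 + ... + KnVn, accumulated componentwise over the vector data."""
    dim = len(next(iter(calls.values()))["vector"])
    total = [0.0] * dim
    for call in calls.values():
        k = vector_weight(call, kernel_bonus)
        for d in range(dim):
            total[d] += k * call["vector"][d]
    return tuple(total)


def matches_feature_code(sigma, code):
    """A feature behavior conforms when every component of Σ(V) lies between the
    feature code's lower and upper boundary values."""
    return all(lo <= s <= hi for s, lo, hi in zip(sigma, code["lower"], code["upper"]))


def behavior_sum(seq_a, seq_b, kernel_bonus=1.0):
    """Behavior sum of two sequences: over the V_i common to both, accumulate the
    coefficients, giving the terms (K_i + M_i) V_i."""
    common = sorted(set(seq_a) & set(seq_b))
    return {
        v: (vector_weight(seq_a[v], kernel_bonus) + vector_weight(seq_b[v], kernel_bonus),
            seq_a[v]["vector"])
        for v in common
    }


if __name__ == "__main__":
    for name, seq in (("OS1", OS1_CALLS), ("OS2", OS2_CALLS)):
        sigma = weighted_sum(seq)
        print(name, sigma, "matches feature code:", matches_feature_code(sigma, FEATURE_CODE))
    print("behavior sum over common terms:", behavior_sum(OS1_CALLS, OS2_CALLS))
    print("OS1 with raised kernel-mode weight:", weighted_sum(OS1_CALLS, kernel_bonus=3.0))
```

With these sample values Σ(V) of operating system 1 falls inside the feature code's boundaries while the second component of operating system 2 exceeds the upper boundary, so only the first sequence is mined as a feature behavior; the behavior sum keeps V2 and V3, the terms both hosts share, with their coefficients added. Raising kernel_bonus changes only the components fed by kernel-mode calls, which is how the dynamic weight adjustment of the paragraph above would shift the result.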
Fig. 8 is a schematic structural diagram of an embodiment of a system behavior situational awareness system provided in the present invention. As shown in fig. 8, the system behavior situation awareness system 80 provided in this embodiment may include: an acquisition module 801 and a processing module 802.
The acquisition module 801 is configured to acquire system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, where the plurality of data probes are deployed inside the plurality of computers in the local area network.
The processing module 802 is configured to determine a system behavior situation awareness result according to the acquired system behavior data sample.
The system of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
Optionally, the system behavior data sample includes vector data and traffic data, the vector data includes at least one of a calling function name, a calling parameter, a called function name, and a calling relationship, and the traffic data includes at least one of a target address, a source address, a protocol type, an operation type, and operation data; vector data is obtained by a data probe from a function calling sequence of a user mode and a kernel mode in a hook mode; the flow data is acquired from the input/output request packet of the network protocol stack and/or the file system by the data probe through the filter type driver.
Optionally, the system behavior situation awareness system 80 may further include a conversion module (not shown in the figure) for converting the data format of the system behavior data sample into a graph data format before the system behavior situation awareness result is determined according to the acquired system behavior data sample.
Optionally, the conversion module is configured to convert the data format of the system behavior data sample into a graph data format, and may specifically include converting the data format of the system behavior data sample according to the following rule:
the node represents a calling function or a called function, the edge represents a function calling relation, and the degree represents the called times of the function;
and/or,
the node represents either a source address or a destination address and the edge represents the direction of transmission and the protocol type.
Optionally, the system behavior situation awareness system 80 may further include a learning module (not shown in the figure) for obtaining a label of the user on the system behavior situation awareness result, where the label includes interception and release; and correcting the system behavior situation perception result according to the label.
Optionally, the processing module 802 is configured to determine a system behavior situation awareness result according to the obtained system behavior data sample, and specifically may include:
and if a plurality of processes exist in the system behavior data sample and all establish connection with the same target node, and data packets of the same type of protocol are sent to the target node, determining the target node as a potential advanced persistent threat point.
Optionally, the processing module 802 is configured to determine a system behavior situation awareness result according to the obtained system behavior data sample, and specifically may include:
determining the advanced persistent threat existing in the computer corresponding to each calling sequence according to each calling sequence in the system behavior data sample and a preset advanced persistent threat feature code;
and/or,
determining the advanced persistent threat existing in the local area network according to the behavior sum of a plurality of calling sequences in the system behavior data sample and a preset advanced persistent threat feature code, where the behavior sum represents the common process of the plurality of calling sequences.
Fig. 9 is a schematic structural diagram of another embodiment of the system behavior situational awareness system provided in the present invention. As shown in fig. 9, the system behavior situation awareness system provided in this embodiment may include: an acquisition module 901, an aggregation module 902, a message queue 903, a graph database 904, a processing module 905, and a learning module 906.
The acquisition module 901 is configured to acquire system behavior data samples. Specifically, data acquisition is performed by N (N ≥ 2) data probes distributed and deployed in the local area network: data probe 1, data probe 2, ..., data probe N. To further increase the diversity of the data samples, each data probe performs acquisition through a variety of sampling means, including: user-mode ShellCode, kernel-mode SSDT HOOK, Windows Filtering Platform (WFP) HOOK, file system filter driver, and network protocol stack filter driver.
The aggregation module 902 is configured to collect the system behavior data samples collected by the collection module 901, and perform format conversion. In this embodiment, the data collected by each data probe is converged and converted through the Proxy channel. In this embodiment, converting the collected system behavior data sample into a graph data format specifically includes: the node represents a calling function or a called function, the edge represents a function calling relation, and the degree represents the called times of the function; and/or, the node represents a source address or a destination address, and the edge represents a transmission direction and a protocol type.
The message queue 903 is used for sequencing and buffering data output by the aggregation module 902, so as to implement serialization and persistence of the data. When the data flow is large, the data loss can be effectively avoided. In practice, the setting may be selectively performed.
Graph database 904 is used to store, analyze, and correlate system behavior data samples formatted into graph data formats. For example, the Neo4j database may be used.
The processing module 905 is configured to determine a system behavior situation perception result according to the system behavior data samples stored in the graph database 904. For the specific determination method, reference may be made to the above method embodiments, which are not described herein again. It should be noted that the processing module 905 may further include an APT rule study module, a virus detection engine, a vulnerability detection engine, and other application modules. For example, the APT rule study module may study and determine the APT rule according to the system behavior data samples stored in the graph database 904.
The learning module 906 is configured to obtain a label of the system behavior situation perception result from the user, so as to perform correction according to the label of the user. In practice, the setting may be selectively performed.
According to the system behavior situation perception system provided by the embodiment, data are acquired through the data probes which are deployed in a distributed mode, and data samples are represented in a graph data format, so that the reliability and accuracy of system behavior situation perception can be improved.
Fig. 10 is a schematic structural diagram of an embodiment of an electronic device provided in the present invention; the structure shown in fig. 10 is illustrative only, and the embodiment of the present invention is not limited thereto. As shown in fig. 10, the electronic device 100 provided in this embodiment may include: a memory 1001, a processor 1002, and a bus 1003. The bus 1003 is used to realize the connection between the elements.
The memory 1001 stores a computer program, and the computer program can implement the technical solution of any of the above method embodiments when executed by the processor 1002.
Wherein, the memory 1001 and the processor 1002 are electrically connected directly or indirectly to realize data transmission or interaction. For example, these elements may be electrically connected to each other via one or more communication buses or signal lines, such as bus 1003. The memory 1001 stores a computer program for implementing the system behavior situational awareness method, and includes at least one software functional module that can be stored in the memory 1001 in the form of software or firmware, and the processor 1002 executes various functional applications and data processing by running the software program and the module stored in the memory 1001.
The memory 1001 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 1001 is used for storing programs, and the processor 1002 executes the programs after receiving execution instructions. Further, the software programs and modules in the above-mentioned memory 1001 may also include an operating system, which may include various software components and/or drivers for managing system tasks (e.g., memory management, storage device control, power management, etc.), and may communicate with various hardware or software components to provide an operating environment for other software components.
The processor 1002 may be an integrated circuit chip having signal processing capabilities. The Processor 1002 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and so on. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. It will be appreciated that the configuration of fig. 10 is merely illustrative and may include more or fewer components than shown in fig. 10 or have a different configuration than shown in fig. 10. The components shown in fig. 10 may be implemented in hardware and/or software.
It should be noted that the electronic device provided in this embodiment includes, but is not limited to, at least one of the following: user side equipment and network side equipment. User-side devices include, but are not limited to, computers, smart phones, tablets, digital broadcast terminals, messaging devices, game consoles, personal digital assistants, and the like. The network-side device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud consisting of a large number of computers or network servers based on cloud computing, wherein the cloud computing is one of distributed computing and is a super virtual computer consisting of a group of loosely coupled computers.
The embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, can implement the system behavior situation awareness method provided in any of the above method embodiments. The computer-readable storage medium in this embodiment may be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, etc. that is integrated with one or more available media, and the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., SSDs), etc.
Those skilled in the art will appreciate that all or part of the functions of the various methods in the above embodiments may be implemented by hardware, or may be implemented by computer programs. When all or part of the functions of the above embodiments are implemented by a computer program, the program may be stored in a computer-readable storage medium, and the storage medium may include: a read only memory, a random access memory, a magnetic disk, an optical disk, a hard disk, etc., and the program is executed by a computer to realize the above functions. For example, the program may be stored in a memory of the device, and when the program in the memory is executed by the processor, all or part of the functions described above may be implemented. In addition, when all or part of the functions in the above embodiments are implemented by a computer program, the program may be stored in a storage medium such as a server, another computer, a magnetic disk, an optical disk, a flash disk, or a removable hard disk, and may be downloaded or copied to a memory of a local device, or may be version-updated in a system of the local device, and when the program in the memory is executed by a processor, all or part of the functions in the above embodiments may be implemented.
The present invention has been described in terms of specific examples, which are provided to aid understanding of the invention and are not intended to be limiting. For a person skilled in the art to which the invention pertains, several simple deductions, modifications or substitutions may be made according to the idea of the invention.

Claims (10)

1. A system behavior situation awareness method is characterized by comprising the following steps:
acquiring system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, wherein the plurality of data probes are deployed inside the plurality of computers in the local area network;
and determining a system behavior situation perception result according to the acquired system behavior data sample.
2. The method of claim 1,
the system behavior data samples comprise vector data and flow data, the vector data comprise at least one of calling function names, calling parameters, called function names and calling relations, and the flow data comprise at least one of target addresses, source addresses, protocol types, operation types and operation data;
the vector data is obtained by the data probe from the function call sequences of the user mode and the kernel mode in a hook mode;
and the flow data is acquired from an input/output request packet of a network protocol stack and/or a file system by the data probe through a filter type driver.
3. The method of claim 2, wherein prior to determining the system behavior situational awareness results from the obtained system behavior data samples, the method further comprises:
and converting the data format of the system behavior data sample into a graph data format.
4. The method of claim 3, wherein converting the data format of the system behavior data samples to a graph data format comprises converting the data format of the system behavior data samples according to the following rules:
the node represents a calling function or a called function, the edge represents a function calling relation, and the degree represents the called times of the function;
and/or,
the node represents either a source address or a destination address and the edge represents the direction of transmission and the protocol type.
5. The method of any one of claims 1-4, further comprising:
acquiring the label of a user on the system behavior situation perception result, wherein the label comprises interception and release;
and correcting the system behavior situation perception result according to the label.
6. The method according to any one of claims 1 to 4, wherein determining a system behavior situation awareness result from the obtained system behavior data samples comprises:
and if a plurality of processes exist in the system behavior data sample and all establish connection with the same target node, and a data packet of the same type of protocol is sent to the target node, determining that the target node is a potential advanced persistent threat point.
7. The method according to any one of claims 1 to 4, wherein determining a system behavior situation awareness result from the obtained system behavior data samples comprises:
determining the advanced persistent threat existing in the computer corresponding to each calling sequence according to each calling sequence in the system behavior data sample and a preset advanced persistent threat feature code;
and/or,
determining the advanced persistent threat existing in the local area network according to the behavior sum of a plurality of calling sequences in the system behavior data sample and a preset advanced persistent threat feature code, wherein the behavior sum represents the common process of the calling sequences.
8. A system behavioral situational awareness system, comprising:
the system comprises an acquisition module, a data acquisition module and a data processing module, wherein the acquisition module is used for acquiring system behavior data samples of a plurality of computers in a local area network through a plurality of data probes, and the plurality of data probes are deployed in the plurality of computers in the local area network;
and the processing module is used for determining a system behavior situation perception result according to the acquired system behavior data sample.
9. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the memory-stored computer-executable instructions to cause the at least one processor to perform the system behavioral situational awareness method of any one of claims 1-7.
10. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, are configured to implement the system behavior situational awareness method of any one of claims 1-7.
CN201910870313.5A 2019-09-16 2019-09-16 System behavior situation perception method, system and equipment Pending CN110597690A (en)

Publications (1)

Publication Number Publication Date
CN110597690A true CN110597690A (en) 2019-12-20

Family

ID=68859768


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220