CN111881460B - Vulnerability exploitation detection method, system, equipment and computer storage medium - Google Patents

Publication number: CN111881460B (other version: CN111881460A)
Application number: CN202010783766.7A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 岳巍, 李凯
Assignee (original and current): Sangfor Technologies Co Ltd
Legal status: Active (application granted)
Prior art keywords: log, exploit, attack, dangerous, abnormal

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses an exploit detection method, system, device and computer-readable storage medium. The method acquires a system log recorded by a target device, the system log comprising a system security protection log and/or a system dangerous operation log; detects, in the system log, an abnormal log that satisfies an abnormality rule; and performs exploit detection on the abnormal log to obtain an exploit detection result. Because the system log accurately records the operations performed on the target device, the abnormal logs accurately reflect all exploits that have occurred on it, so the exploit detection result derived from the abnormal logs accurately covers all exploits that occurred on the target device and the detection accuracy is high.

Description

Vulnerability exploitation detection method, system, equipment and computer storage medium
Technical Field
The present invention relates to the field of network security, and in particular to an exploit detection method, system, device and computer storage medium.
Background
A vulnerability is a flaw in the specific implementation of hardware, software, a protocol or an operating system security policy that enables an attacker to access or compromise a system without authorization; exploitation refers to using such a vulnerability in a program to gain control of a computer. To keep a computer and its network secure, exploit detection must be performed, for example by feature matching or by fingerprint recognition.
However, because exploit features are diverse, feature matching may miss an exploit; and because exploits vary over time, fingerprint recognition has difficulty detecting an exploit when it first appears.
In summary, how to improve the accuracy of exploit detection is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the present application is to provide an exploit detection method that can, to a certain extent, solve the technical problem of improving the accuracy of exploit detection. The application also provides an exploit detection system, an exploit detection device and a computer-readable storage medium.
To achieve the above object, the present application provides the following technical solutions:
An exploit detection method, comprising:
acquiring a system log recorded by a target device, the system log comprising a system security protection log and/or a system dangerous operation log;
detecting, in the system log, an abnormal log that satisfies an abnormality rule; and
performing exploit detection on the abnormal log to obtain an exploit detection result.
Preferably, performing exploit detection on the abnormal log to obtain an exploit detection result comprises:
obtaining an operation result corresponding to the abnormal log;
judging whether the operation result is safe;
if the operation result is unsafe, taking the abnormal log corresponding to the unsafe operation result as a dangerous log; and
determining the exploit detection result based on the dangerous log, the operation result corresponding to the dangerous log and the abnormality rule satisfied by the dangerous log.
Preferably, determining the exploit detection result based on the dangerous log, the operation result corresponding to the dangerous log and the abnormality rule satisfied by the dangerous log comprises:
determining the attack time of the corresponding exploit based on the dangerous log;
determining the attack mode of the exploit based on the operation result corresponding to the dangerous log;
determining the attack type of the exploit based on the abnormality rule satisfied by the dangerous log; and
taking the attack time, the attack mode and the attack type as the exploit detection result.
Preferably, taking the attack time, the attack mode and the attack type as the exploit detection result comprises:
tracing the attack process of the exploit based on the associations among the system logs to obtain the attack behavior of the exploit; and
generating an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, and taking the attack behavior portrait as the exploit detection result.
Preferably, after performing exploit detection on the abnormal log to obtain the exploit detection result, the method further comprises:
displaying the exploit detection result.
Preferably, judging whether the operation result is safe comprises:
judging whether the operation type of the operation result is a dangerous operation type;
if the operation type of the operation result is a dangerous operation type, judging that the operation result is unsafe;
if the operation type of the operation result is not a dangerous operation type, judging that the operation result is safe;
wherein the dangerous operations include remotely downloading a file and/or executing a high-authority command.
Preferably, after performing exploit detection on the abnormal log to obtain the exploit detection result, the method further comprises:
aggregating all exploit detection results in the network to obtain an attacker behavior portrait of the attacker behind the same exploit or of a single attack event.
Preferably, after obtaining the attacker behavior portrait of the attacker behind the same exploit or of a single attack event, the method further comprises:
displaying the attacker behavior portrait of the attacker behind the same exploit or of a single attack event.
Preferably, the abnormality rules comprise a process abnormal-call rule and/or a network abnormal-connection rule and/or a file abnormal-operation rule.
An exploit detection system, comprising:
a first acquisition module, configured to acquire a system log recorded by a target device, the system log comprising a system security protection log and/or a system dangerous operation log;
a first detection module, configured to detect, in the system log, an abnormal log that satisfies an abnormality rule; and
a second detection module, configured to perform exploit detection on the abnormal log to obtain an exploit detection result.
An exploit detection device, comprising:
a memory for storing a computer program; and
a processor which, when executing the computer program, implements the steps of the exploit detection method as claimed in any one of the above.
A computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the exploit detection method as claimed in any one of the preceding claims.
According to the exploit detection method of the present application, a system log recorded by a target device is obtained, the system log comprising a system security protection log and/or a system dangerous operation log; an abnormal log satisfying an abnormality rule is detected in the system log; and exploit detection is performed on the abnormal log to obtain an exploit detection result. Because the system log accurately records the operations performed on the target device, the abnormal logs accurately reflect all exploits that have occurred on it, so the exploit detection result derived from the abnormal logs accurately covers all exploits that occurred on the target device and the detection accuracy is high. The exploit detection system, the exploit detection device and the computer-readable storage medium solve the corresponding technical problems in the same way.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required in the embodiments or in the description of the prior art are briefly described below. It is evident that the drawings described below show only some embodiments of the present application, and that a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a first flowchart of an exploit detection method according to an embodiment of the present application;
FIG. 2 is a second flowchart of an exploit detection method according to an embodiment of the present application;
FIG. 3 is a flow chart of an exploit detection method in practical application;
FIG. 4 is a schematic structural diagram of an exploit detection system according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of an exploit detection device according to an embodiment of the present application;
FIG. 6 is another schematic structural diagram of an exploit detection device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application are described clearly and fully below with reference to the accompanying drawings. It is evident that the embodiments described are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the present disclosure without undue burden fall within its scope.
Referring to FIG. 1, FIG. 1 is a first flowchart of an exploit detection method according to an embodiment of the present application.
The exploit detection method provided by the embodiment of the present application may comprise the following steps:
Step S101: acquire a system log recorded by the target device; the system log comprises a system security protection log and/or a system dangerous operation log.
In practice, because an exploit touches on the security protection and the dangerous operations of a system, the system log recorded by the target device can be obtained first so that exploits on the target device can be detected from it; the system log may comprise a system security protection log and/or a system dangerous operation log.
Note that in a particular scenario the device may not have enabled collection of the system security protection log and the system dangerous operation log; in that case collection of both logs can be enabled on the device in advance so that the system log recorded by the target device can be obtained. The system security protection log is the log generated by the device during security protection, and the system dangerous operation log is the log generated after the device discovers a dangerous operation on itself; the contents of both logs can be determined according to actual needs.
Step S102: detect, in the system log, an abnormal log that satisfies an abnormality rule.
In practice, because an exploit is an attack on the device, a device that has been exploited shows abnormalities; therefore, after the system log recorded by the target device is obtained, an abnormal log satisfying an abnormality rule can be detected in the system log, and exploit detection on the target device can then proceed from that abnormal log.
The abnormality rule can be determined according to actual needs, as long as it allows abnormal logs to be detected in the system log. When detecting abnormal logs, the features of a system log can be compared with the features of the abnormality rule, it is judged whether the features of the system log hit the features of the rule, and whether the system log is an abnormal log is determined from that hit; for example, only a system log that hits all of the rule's features completely may be taken as an abnormal log.
Step S103: perform exploit detection on the abnormal log to obtain an exploit detection result.
In practice, the presence of an abnormal log on the target device does not by itself mean that an exploit has necessarily occurred. To identify exploits on the target device accurately, after an abnormal log satisfying the abnormality rule is detected in the system log, exploit detection must additionally be performed on the abnormal log to obtain an accurate exploit detection result.
Because an exploit uses a vulnerability in a program to obtain control of the computer, it attacks the control right of the device. Therefore, when performing detection on the abnormal log to obtain an exploit detection result, it can be judged whether the abnormal condition reflected by the abnormal log attacks the control right of the device; if it does, the abnormal log can be judged to reflect information about an exploit, and the corresponding exploit detection result can then be obtained from the abnormal log. The kind of information in the exploit detection result can be determined according to actual needs and may include, for example, the attack mode and attack time of the exploit.
According to the exploit detection method of the present application, a system log recorded by a target device is obtained; an abnormal log satisfying an abnormality rule is detected in the system log; exploit detection is performed on the abnormal log to obtain an exploit detection result; and the system log types comprise a system security protection log and a system dangerous operation log. Because the system log accurately records the operations performed on the target device, the abnormal logs accurately reflect all exploits that have occurred on it, so the exploit detection result derived from the abnormal logs accurately covers all exploits that occurred on the target device and the detection accuracy is high.
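Step S102 above describes abnormal-log detection as comparing a system log's features with a rule's features and accepting only a complete hit. The following Python block is an added example written for this page, not code from the patent or from Sangfor; the rule contents, field names and sample log records are constructed assumptions, since the text leaves rule contents to "actual needs". It shows the three rule categories named later in the description (process call, network connection, file operation) and, in the third sample record, a partial hit that is correctly not reported.

```python
# Added example (not from the patent): Step S102, detecting abnormal logs by
# comparing each log's features with the features of abnormality rules.
# A log is abnormal only when it hits every feature of some rule ("complete hit").
from dataclasses import dataclass


@dataclass(frozen=True)
class AnomalyRule:
    name: str
    category: str    # "process_call", "network_connection" or "file_operation"
    features: tuple  # ((field, expected), ...); expected may be a frozenset of allowed values


# Constructed rule set; the patent leaves rule contents to actual needs.
RULES = (
    AnomalyRule("office-app-spawns-shell", "process_call", (
        ("event", "process_create"),
        ("parent", "winword.exe"),
        ("image", frozenset({"cmd.exe", "powershell.exe"})),
    )),
    AnomalyRule("shell-connects-uncommon-port", "network_connection", (
        ("event", "network_connect"),
        ("image", frozenset({"cmd.exe", "powershell.exe"})),
        ("dest_port", frozenset({4444, 1337})),
    )),
    AnomalyRule("write-to-startup-folder", "file_operation", (
        ("event", "file_write"),
        ("dir", r"C:\Users\Public\Startup"),
    )),
)


def hits_rule(log: dict, rule: AnomalyRule) -> bool:
    """Complete-hit policy: every feature of the rule must match the log record."""
    for field, expected in rule.features:
        actual = log.get(field)
        if isinstance(expected, frozenset):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def detect_abnormal_logs(logs, rules=RULES):
    """Return (log, rule) pairs for every log that completely hits a rule.
    The first matching rule decides the rule category used later as the attack type."""
    abnormal = []
    for log in logs:
        for rule in rules:
            if hits_rule(log, rule):
                abnormal.append((log, rule))
                break
    return abnormal


# Constructed system log records (not real device output).
SAMPLE_LOGS = [
    {"ts": "2020-08-01T09:00:01", "event": "process_create", "parent": "explorer.exe", "image": "winword.exe"},
    {"ts": "2020-08-01T09:00:07", "event": "process_create", "parent": "winword.exe", "image": "cmd.exe"},
    {"ts": "2020-08-01T09:00:08", "event": "network_connect", "image": "cmd.exe", "dest_port": 443},  # partial hit only
    {"ts": "2020-08-01T09:00:09", "event": "network_connect", "image": "cmd.exe", "dest_port": 4444},
    {"ts": "2020-08-01T09:00:12", "event": "file_write", "image": "cmd.exe", "dir": r"C:\Users\Public\Startup"},
]

if __name__ == "__main__":
    for log, rule in detect_abnormal_logs(SAMPLE_LOGS):
        print(f"{log['ts']}  abnormal ({rule.category}) via rule {rule.name}")
```

Running the block reports three of the five records as abnormal; the 443 connection hits only two of the three features of the network rule and is therefore left alone, which is the "complete hit" policy the text describes.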
Referring to fig. 2, fig. 2 is a second flowchart of an exploit detection method according to an embodiment of the present application.
The exploit detection method provided by the embodiment of the present application may comprise the following steps:
Step S201: acquire a system log recorded by the target device; the system log comprises a system security protection log and/or a system dangerous operation log.
Step S202: detect, in the system log, an abnormal log that satisfies an abnormality rule.
Step S203: obtain the operation result corresponding to the abnormal log.
In practice, an exploit does harm to the device, and that harm manifests as an unsafe operation result after the device performs the corresponding operation. Exploit detection can therefore be carried out on the abnormal log according to the operation result of the log: the operation result corresponding to the abnormal log is obtained first, and whether the abnormal log involves an exploit is judged according to whether that operation result is safe.
The operation result corresponding to the abnormal log, that is, the result obtained after the target device performs the operation recorded in the abnormal log, may be a newly added file, a changed file, a transmitted file, or the like.
Step S204: judge whether the operation result is safe; if the operation result is unsafe, execute step S205.
Step S205: take the abnormal log corresponding to the unsafe operation result as a dangerous log, and execute step S206.
Step S206: determine the exploit detection result based on the dangerous log, the operation result corresponding to the dangerous log and the abnormality rule satisfied by the dangerous log.
In practice, after the operation result corresponding to the abnormal log is obtained, it can be judged whether that operation result is safe. If it is unsafe, the log corresponding to the unsafe operation result indicates that an exploit has occurred, so the abnormal log corresponding to the unsafe operation result can be taken as a dangerous log, and the exploit detection result is then determined based on the dangerous log, the operation result corresponding to it and the abnormality rule it satisfies.
In this exploit detection method, to make the exploit that occurred on the device easy to understand, when determining the exploit detection result based on the dangerous log, its operation result and the abnormality rule it satisfies, the attack time of the corresponding exploit can be determined from the dangerous log; the attack mode of the exploit from the operation result corresponding to the dangerous log; and the attack type of the exploit from the abnormality rule satisfied by the dangerous log. The attack time, attack mode and attack type are then taken as the exploit detection result, from which a user can learn the attack time, attack mode, attack type and similar information about the exploit.
The information included in the exploit detection result can be determined flexibly according to actual needs and is not specifically limited here.
In the exploit detection method provided by the embodiment of the present application, although the dangerous logs reflect the attack information of the exploit, they do not reveal its source and similar information. However, the logs record the event information generated on the device; that event information is related in time, by cause and effect, and so on; and the system logs recorded by the device therefore carry the same relations. Based on the associations among the system logs, the attack process of the exploit can be traced to obtain the attack behavior of the exploit, from which a user can learn how the attack unfolded. That is, when taking the attack time, attack mode and attack type as the exploit detection result, the attack process of the exploit can be traced based on the associations among the system logs to obtain the attack behavior of the exploit, and an attack behavior portrait can be generated based on the attack time, attack mode, attack type and attack behavior and taken as the exploit detection result.
The information carried by the attack behavior may be log information related to the exploit, operation information related to the exploit, or the like; its type can be determined according to actual needs. To make it easy for users to check the exploit detection result, the result can be displayed after it is obtained.
In the exploit detection method provided by the embodiment of the present application, when judging whether the operation result is safe, the operation type of the operation result can be compared with preset dangerous operation types: it is judged whether the operation type of the operation result is a dangerous operation type; if it is, the operation result is judged to be unsafe; if it is not, the operation result is judged to be safe. The dangerous operations include remotely downloading a file and/or executing a high-authority command.
The remote file download, high-authority command execution and similar operations listed in the present application are only possible dangerous operation types; the specific dangerous operation types can be determined flexibly according to actual needs and are not specifically limited by the present application.
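Steps S203 to S206 and the safety judgement just described can be written as a small decision routine. The Python block below is an added example for this page, not code from the patent or from Sangfor: the `OperationResult` record, the decision rules that map a result to the two dangerous operation types the text names (remote file download, high-authority command), the privileged-account list and the sample inputs are all constructed assumptions. It shows how the three parts of the detection result are taken from three different sources: the time from the dangerous log, the mode from the operation result, the type from the rule category that was hit.

```python
# Added example (not from the patent): Steps S203-S206, judging whether the
# operation result of an abnormal log is safe and deriving the detection result
# (attack time, attack mode, attack type) for a dangerous log.
from dataclasses import dataclass
from typing import Optional

# Dangerous operation types. The text names remote file download and
# high-authority command execution; the decision rules below are assumptions.
DANGEROUS_OPERATION_TYPES = frozenset({"remote_download", "high_privilege_command"})
HIGH_PRIVILEGE_ACCOUNTS = frozenset({"SYSTEM", "Administrator", "root"})


@dataclass(frozen=True)
class OperationResult:
    """What the device produced after performing the logged operation."""
    kind: str                       # "new_file", "changed_file", "sent_file" or "command"
    actor: str                      # process image that produced the result
    detail: str                     # file path or command line
    user: str = "user"              # account the operation ran under
    source_is_remote: bool = False  # a new file that came from a remote host


@dataclass(frozen=True)
class DetectionResult:
    attack_time: str
    attack_mode: str
    attack_type: str
    dangerous_log: dict


def classify_operation(result: OperationResult) -> str:
    """Map an operation result to an operation type (constructed rules)."""
    if result.kind == "new_file" and result.source_is_remote:
        return "remote_download"
    if result.kind == "command" and result.user in HIGH_PRIVILEGE_ACCOUNTS:
        return "high_privilege_command"
    return "ordinary"


def is_safe(result: OperationResult) -> bool:
    """Step S204: unsafe if and only if the operation type is a dangerous type."""
    return classify_operation(result) not in DANGEROUS_OPERATION_TYPES


def exploit_detection(abnormal_log: dict, result: OperationResult,
                      rule_category: str) -> Optional[DetectionResult]:
    """Steps S205-S206. A safe result yields None; an unsafe one makes the abnormal
    log a dangerous log, and time/mode/type come from log, result and rule."""
    if is_safe(result):
        return None
    return DetectionResult(
        attack_time=abnormal_log["ts"],          # from the dangerous log
        attack_mode=classify_operation(result),  # from the operation result
        attack_type=rule_category,               # from the abnormality rule that was hit
        dangerous_log=abnormal_log,
    )


# Constructed inputs: abnormal logs plus the operation result observed after each.
LOG_SHELL = {"ts": "2020-08-01T09:00:07", "event": "process_create",
             "parent": "winword.exe", "image": "cmd.exe"}
RESULT_SHELL = OperationResult("new_file", "cmd.exe", r"C:\Users\Public\update.exe",
                               source_is_remote=True)
LOG_WRITE = {"ts": "2020-08-01T09:00:12", "event": "file_write",
             "image": "notepad.exe", "dir": r"C:\Users\user\Documents"}
RESULT_WRITE = OperationResult("new_file", "notepad.exe", r"C:\Users\user\Documents\notes.txt")
LOG_CMD = {"ts": "2020-08-01T09:00:20", "event": "process_create",
           "parent": "cmd.exe", "image": "whoami.exe"}
RESULT_CMD = OperationResult("command", "whoami.exe", "whoami /all", user="SYSTEM")

if __name__ == "__main__":
    for log, res, cat in ((LOG_SHELL, RESULT_SHELL, "process_call"),
                          (LOG_WRITE, RESULT_WRITE, "file_operation"),
                          (LOG_CMD, RESULT_CMD, "process_call")):
        print(exploit_detection(log, res, cat) or f"{log['ts']}: safe")
```

The second sample is the case the text stresses in Step S103: a log can satisfy an abnormality rule and still be harmless, and the operation-result check is what separates it from a dangerous log.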
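The two ideas just described, tracing the attack process through the associations among system logs to build an attack behavior portrait, and aggregating portraits from several devices into an attacker portrait, fit together in one routine. The Python block below is an added example for this page, not code from the patent or from Sangfor: the pid/ppid association used as the causal link between process logs, the `Portrait` record, the aggregation (steps common to every chain plus the dominant mode and type) and the two hosts' log records are constructed assumptions.

```python
# Added example (not from the patent): tracing an exploit's attack process through
# the causal (parent/child) associations between process logs to obtain the attack
# behavior, building an attack behavior portrait from it, and aggregating portraits
# from several devices into a portrait of the attacker behind the same exploit.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Portrait:
    device: str
    attack_time: str
    attack_mode: str
    attack_type: str
    attack_behavior: tuple  # chain of (parent, image) steps, earliest first


def trace_attack_process(logs, dangerous_log):
    """Walk process_create records back from the dangerous log via pid -> ppid.
    Logs record events in causal order, so the chain root-first is the attack process."""
    by_pid = {rec["pid"]: rec for rec in logs if rec["event"] == "process_create"}
    chain, seen = [], set()
    cur = dangerous_log
    while cur is not None and cur["pid"] not in seen:  # seen guards against pid reuse loops
        seen.add(cur["pid"])
        chain.append((cur["parent"], cur["image"]))
        cur = by_pid.get(cur["ppid"])  # None once the root of the chain is reached
    chain.reverse()
    return tuple(chain)


def build_portrait(device, logs, dangerous_log, attack_mode, attack_type):
    """Attack time from the dangerous log, behavior from the traced chain."""
    return Portrait(device, dangerous_log["ts"], attack_mode, attack_type,
                    trace_attack_process(logs, dangerous_log))


def aggregate_portraits(portraits):
    """Refine the commonalities of several portraits: steps present in every chain,
    the dominant attack mode/type and the earliest time seen in the network."""
    common = set(portraits[0].attack_behavior)
    for p in portraits[1:]:
        common &= set(p.attack_behavior)
    return {
        "devices": sorted(p.device for p in portraits),
        "common_steps": sorted(common),
        "attack_mode": Counter(p.attack_mode for p in portraits).most_common(1)[0][0],
        "attack_type": Counter(p.attack_type for p in portraits).most_common(1)[0][0],
        "first_seen": min(p.attack_time for p in portraits),
    }


def _proc(ts, pid, ppid, parent, image):
    return {"ts": ts, "event": "process_create", "pid": pid, "ppid": ppid,
            "parent": parent, "image": image}


# Constructed logs for two hosts hit by similar exploits (not real device output).
LOGS_HOST_A = [
    _proc("2020-08-01T09:00:00", 100, 1, "userinit.exe", "explorer.exe"),
    _proc("2020-08-01T09:00:05", 200, 100, "explorer.exe", "winword.exe"),
    _proc("2020-08-01T09:00:07", 300, 200, "winword.exe", "cmd.exe"),
    _proc("2020-08-01T09:00:09", 400, 300, "cmd.exe", "certutil.exe"),
]
LOGS_HOST_B = [
    _proc("2020-08-01T09:10:00", 100, 1, "userinit.exe", "explorer.exe"),
    _proc("2020-08-01T09:10:05", 210, 100, "explorer.exe", "excel.exe"),
    _proc("2020-08-01T09:10:07", 310, 210, "excel.exe", "cmd.exe"),
    _proc("2020-08-01T09:10:09", 410, 310, "cmd.exe", "certutil.exe"),
]

# The last record of each host is the dangerous log found in the earlier steps.
PORTRAITS = [
    build_portrait("host-a", LOGS_HOST_A, LOGS_HOST_A[-1], "remote_download", "process_call"),
    build_portrait("host-b", LOGS_HOST_B, LOGS_HOST_B[-1], "remote_download", "process_call"),
]

if __name__ == "__main__":
    print(aggregate_portraits(PORTRAITS))
```

On the two constructed hosts the document that launched the shell differs, but the final download step and the entry point are shared; those shared steps are the "commonality" the text says can be deduced across devices and attributed to one attacker or one attack event.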
Referring to fig. 3, fig. 3 is a flowchart of an exploit detection method in practical application.
To facilitate understanding of the exploit detection method provided in the present application, the detection of a process-related exploit is described below taking the Windows operating system as an example; the process may comprise the following steps:
Step S301: enable collection of the system security protection log, the system dangerous operation log and the like on the Windows operating system.
Step S302: acquire the system log recorded by the current Windows operating system.
Step S303: analyze the process calling relationships in the system log.
Step S304: judge whether a process calling relationship is a relationship other than the preset calling relationships; if so, execute step S305.
If the process calling relationship is other than the preset calling relationships, this is the process of detecting, in the system log, an abnormal log that satisfies the abnormality rule. For example, if the video playing process calls the video forwarding process and that calling relationship is not one set by the device itself, the system logs relating to the video playing process calling the video forwarding process can be determined to be abnormal logs.
Step S305: determine the system log corresponding to that process calling relationship as an abnormal log.
Step S306: obtain the operation result corresponding to the abnormal log.
Step S307: judge whether the operation type of the operation result is a dangerous operation type; if it is, execute step S308.
Step S308: take the abnormal log corresponding to the unsafe operation result as a dangerous log, and execute step S309.
Step S309: determine the attack mode of the exploit based on the operation result corresponding to the dangerous log; determine the attack type of the exploit based on the abnormality rule satisfied by the dangerous log; trace the attack process of the exploit based on the associations among the system logs to obtain the attack behavior of the exploit; and generate an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, taking the attack behavior portrait as the exploit detection result.
Step S310: perform association aggregation on all exploit detection results in the network to obtain an attacker behavior portrait of the attacker behind the exploit or of a single attack event.
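Steps S303 to S305 hinge on comparing each observed process calling relationship with the calling relationships the device has preset, which is an allow-list check rather than the feature-rule match of Step S102. The Python block below is an added example for this page, not code from the patent or from Sangfor, and not output of any real Windows component: the log line format, the `PRESET_CALLS` allow-list and the `player.exe` / `forwarder.exe` names (standing in for the video playing and video forwarding processes of the text) are constructed assumptions.

```python
# Added example (not from the patent): Steps S303-S305 of the Windows walkthrough.
# Process calling relationships are parsed from constructed process-creation log
# lines and compared with the device's preset calling relationships (an allow-list);
# any relationship outside the preset set marks its log line as abnormal.
import re

# Preset calling relationships of the device: parent image -> child images it is
# expected to start. Constructed for the example; a real device would derive this
# from its own baseline.
PRESET_CALLS = {
    "services.exe": {"svchost.exe"},
    "explorer.exe": {"player.exe", "winword.exe"},
    "player.exe": set(),  # the video player is not expected to start any process
}

# Constructed line layout, not a real Windows event format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Process Create: ParentImage=(?P<parent>.+?) Image=(?P<image>.+)$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_process_create(line: str):
    """Extract timestamp, parent and child image from one log line, or None if the
    line is not a process-creation record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "parent": basename(m["parent"]),
            "image": basename(m["image"]), "raw": line}


def is_preset_call(parent: str, image: str, preset=PRESET_CALLS) -> bool:
    """A parent absent from the preset set has no expected children, so anything it
    starts lies outside the preset relationships."""
    return image in preset.get(parent, set())


def find_abnormal_calls(lines, preset=PRESET_CALLS):
    """Steps S304/S305: log lines whose calling relationship is not a preset one."""
    abnormal = []
    for line in lines:
        rec = parse_process_create(line)
        if rec is not None and not is_preset_call(rec["parent"], rec["image"], preset):
            abnormal.append(rec)
    return abnormal


# Constructed log lines (not real Windows output); the last one is unrelated noise.
SAMPLE_LINES = [
    r"2020-08-01 09:00:01 Process Create: ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\System32\svchost.exe",
    r"2020-08-01 09:00:02 Process Create: ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\VideoPlayer\player.exe",
    r"2020-08-01 09:00:09 Process Create: ParentImage=C:\Program Files\VideoPlayer\player.exe Image=C:\Program Files\VideoPlayer\forwarder.exe",
    r"2020-08-01 09:00:10 Service Control Manager: service svchost started",
]

if __name__ == "__main__":
    for rec in find_abnormal_calls(SAMPLE_LINES):
        print(f"{rec['ts']}  abnormal call {rec['parent']} -> {rec['image']}")
```

Only the player-to-forwarder line is reported. Note the design choice in `is_preset_call`: a parent the allow-list has never seen is treated as having no permitted children, so a newly dropped binary that starts anything is flagged on its first child, at the cost of more findings until the baseline is complete.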
Referring to fig. 4, fig. 4 is a schematic structural diagram of an exploit detection system according to an embodiment of the present application.
The exploit detection system provided by the embodiment of the present application may comprise:
a first acquisition module 101, configured to acquire a system log recorded by a target device, the system log comprising a system security protection log and/or a system dangerous operation log;
a first detection module 102, configured to detect, in the system log, an abnormal log that satisfies an abnormality rule; and
a second detection module 103, configured to perform exploit detection on the abnormal log to obtain an exploit detection result.
In the exploit detection system provided by the embodiment of the present application, the second detection module may comprise:
a first acquisition sub-module, configured to obtain an operation result corresponding to the abnormal log;
a first judging sub-module, configured to judge whether the operation result is safe and, if it is unsafe, to take the abnormal log corresponding to the unsafe operation result as a dangerous log; and
a first detection sub-module, configured to determine the exploit detection result based on the dangerous log, the operation result corresponding to the dangerous log and the abnormality rule satisfied by the dangerous log.
In the exploit detection system provided by the embodiment of the present application, the first detection sub-module may comprise:
a first determining sub-module, configured to determine the attack time of the corresponding exploit based on the dangerous log;
a second determining sub-module, configured to determine the attack mode of the exploit based on the operation result corresponding to the dangerous log;
a third determining sub-module, configured to determine the attack type of the exploit based on the abnormality rule satisfied by the dangerous log; and
a first setting sub-module, configured to take the attack time, the attack mode and the attack type as the exploit detection result.
In the exploit detection system provided by the embodiment of the present application, the first setting sub-module may comprise:
a first tracing unit, configured to trace the attack process of the exploit based on the associations among the system logs to obtain the attack behavior of the exploit; and
a first setting unit, configured to generate an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, and to take the attack behavior portrait as the exploit detection result.
The exploit detection system provided by the embodiment of the present application may further comprise:
a first display module, configured to display the exploit detection result after the first detection module obtains the exploit detection result.
In the exploit detection system provided by the embodiment of the present application, the first judging sub-module may comprise:
a first judging unit, configured to judge whether the operation type of the operation result is a dangerous operation type; if it is, to judge that the operation result is unsafe; and if it is not, to judge that the operation result is safe; wherein the dangerous operations include remotely downloading a file and/or executing a high-authority command.
The system for detecting exploit provided in the embodiment of the present application may further include:
the first aggregation module is used for aggregating all exploit detection results in the network to obtain the attacker behavior portrait of the attackers of the same exploit or of a single attack event.
According to the vulnerability exploitation detection system provided by the embodiment of the application, the exception rules can comprise a process exception calling rule and/or a network exception connection rule and/or a file exception operation rule.
The system for detecting exploit provided in the embodiment of the present application may further include:
and the second display module is used for displaying the attacker behavior portrait of the attackers of the same exploit or of a single attack event after the first aggregation module obtains that attacker behavior portrait.
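The per-device part of the pipeline (steps up to S309 above, and the module description just given) can be made concrete with a small runnable model. The following is an added example, not code from the patent or from Sangfor: the log format, the three rule predicates, the `op_type` field standing in for the "operation result", and the parent-pid tracing are all assumptions made for this illustration. It matches abnormal logs against the three kinds of exception rules, discards those whose operation result is safe, and for each remaining dangerous log produces an attack behavior portrait (attack time, attack mode from the operation result, attack type from the rule, and the attack behavior traced through process ancestry).

```python
# Added example (not the patent's or Sangfor's code): a minimal log-based exploit
# detection pipeline. Log layout, rules and the op_type field are assumptions.
from typing import Any, Callable, Dict, List, Optional, Tuple

Log = Dict[str, Any]
PidIndex = Dict[Tuple[str, int], Log]

# Constructed sample system logs for one target device. "source" says whether the entry
# comes from the security-protection log or the dangerous-operation log; "op_type" stands
# for the operation result obtained after the device executed the recorded operation.
SYSTEM_LOGS: List[Log] = [
    {"id": 1, "ts": "2020-08-06T10:00:01", "host": "web-01", "source": "protection",
     "pid": 4012, "ppid": 1, "proc": "httpd", "event": "net_accept",
     "detail": "203.0.113.7 -> :80", "op_type": "serve_request"},
    {"id": 2, "ts": "2020-08-06T10:00:02", "host": "web-01", "source": "dangerous_op",
     "pid": 5120, "ppid": 4012, "proc": "sh", "event": "proc_exec",
     "detail": "sh -c id", "op_type": "shell_command"},
    {"id": 3, "ts": "2020-08-06T10:00:03", "host": "web-01", "source": "dangerous_op",
     "pid": 5121, "ppid": 5120, "proc": "curl", "event": "net_connect",
     "detail": "198.51.100.9:8080", "op_type": "remote_download"},
    {"id": 4, "ts": "2020-08-06T10:00:04", "host": "web-01", "source": "dangerous_op",
     "pid": 5122, "ppid": 5120, "proc": "sudo", "event": "proc_exec",
     "detail": "sudo cat /etc/shadow", "op_type": "high_privilege_command"},
    {"id": 5, "ts": "2020-08-06T10:00:05", "host": "web-01", "source": "dangerous_op",
     "pid": 5123, "ppid": 5120, "proc": "tee", "event": "file_write",
     "detail": "/tmp/out.txt", "op_type": "write_file"},
    {"id": 6, "ts": "2020-08-06T10:05:00", "host": "web-01", "source": "dangerous_op",
     "pid": 6000, "ppid": 1, "proc": "cron", "event": "file_write",
     "detail": "/var/log/app.log", "op_type": "write_file"},
]

WEB_SERVERS = {"httpd", "nginx", "php-fpm"}
# The two operation types the page calls dangerous: remote download, high-authority command.
DANGEROUS_OP_TYPES = {"remote_download", "high_privilege_command"}


def index_by_pid(logs: List[Log]) -> PidIndex:
    """Map (host, pid) to the first log entry that introduced that process."""
    idx: PidIndex = {}
    for log in logs:
        idx.setdefault((log["host"], log["pid"]), log)
    return idx


def ancestor_chain(log: Log, idx: PidIndex) -> List[int]:
    """Pids from this process up through every parent that appears in the logs."""
    chain, seen = [log["pid"]], {log["pid"]}
    ppid = log["ppid"]
    while (log["host"], ppid) in idx and ppid not in seen:
        chain.append(ppid)
        seen.add(ppid)
        ppid = idx[(log["host"], ppid)]["ppid"]
    return chain


def has_web_ancestor(log: Log, idx: PidIndex) -> bool:
    return any(idx[(log["host"], p)]["proc"] in WEB_SERVERS
               for p in ancestor_chain(log, idx)[1:])


# Exception rules as (name, predicate); the rule name doubles as the attack type.
EXCEPTION_RULES: List[Tuple[str, Callable[[Log, PidIndex], bool]]] = [
    ("process exception call", lambda l, i: l["event"] == "proc_exec" and has_web_ancestor(l, i)),
    ("network exception connection", lambda l, i: l["event"] == "net_connect" and has_web_ancestor(l, i)),
    ("file exception operation", lambda l, i: l["event"] == "file_write" and has_web_ancestor(l, i)),
]


def matched_rule(log: Log, idx: PidIndex) -> Optional[str]:
    for name, pred in EXCEPTION_RULES:
        if pred(log, idx):
            return name
    return None


def detect_abnormal_logs(logs: List[Log]) -> List[Tuple[Log, str]]:
    """First stage: every log that satisfies an exception rule, with the rule it matched."""
    idx = index_by_pid(logs)
    out = []
    for log in logs:
        rule = matched_rule(log, idx)
        if rule is not None:
            out.append((log, rule))
    return out


def operation_is_safe(log: Log) -> bool:
    return log["op_type"] not in DANGEROUS_OP_TYPES


def attack_mode(log: Log) -> str:
    return {"remote_download": "remote file download",
            "high_privilege_command": "high-privilege command execution"}[log["op_type"]]


def trace_attack_behavior(dangerous: Log, logs: List[Log], idx: PidIndex) -> List[Log]:
    """Tracing step: same-host logs whose process ancestry shares a pid with the dangerous log's."""
    chain = set(ancestor_chain(dangerous, idx))
    related = [l for l in logs if l["host"] == dangerous["host"]
               and chain.intersection(ancestor_chain(l, idx))]
    return sorted(related, key=lambda l: l["ts"])


def detect_exploits(logs: List[Log]) -> List[Dict[str, Any]]:
    """Second stage: abnormal logs with an unsafe operation result become dangerous logs,
    each turned into an attack behavior portrait (the exploit detection result)."""
    idx = index_by_pid(logs)
    portraits = []
    for log, rule in detect_abnormal_logs(logs):
        if operation_is_safe(log):
            continue  # abnormal, but the operation result is harmless
        behavior = trace_attack_behavior(log, logs, idx)
        portraits.append({
            "host": log["host"],
            "dangerous_log_id": log["id"],
            "attack_time": log["ts"],
            "attack_mode": attack_mode(log),
            "attack_type": rule,
            "attack_behavior": [f'{l["ts"]} {l["proc"]} {l["event"]} {l["detail"]}' for l in behavior],
            "attack_behavior_log_ids": [l["id"] for l in behavior],
        })
    return portraits


if __name__ == "__main__":
    for portrait in detect_exploits(SYSTEM_LOGS):
        print(portrait)
```

On the constructed logs, four entries match a rule (the shell, the outbound connection, the sudo command and the temp-file write all descend from the web server), but only the two whose operation result is a dangerous type survive the second stage; the benign cron write never matches a rule at all. Both portraits trace back through the shell to the web server's accepted request, which is the association between logs that the tracing step relies on.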
The application also provides an exploit detection device and a computer-readable storage medium, which have the corresponding effects of the exploit detection method provided by the embodiment of the application. Referring to fig. 5, fig. 5 is a schematic structural diagram of an exploit detection apparatus according to an embodiment of the present application.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program:
acquiring a system log recorded by target equipment; the system log comprises a system security protection log and/or a system dangerous operation log;
detecting an abnormal log meeting an abnormal rule in the system log;
and performing exploit detection on the abnormal log to obtain an exploit detection result.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: obtaining an operation result corresponding to the abnormal log; judging whether the operation result is safe or not; if the operation result is unsafe, taking an abnormal log corresponding to the unsafe operation result as a dangerous log; and determining the detection result of the exploit based on the dangerous log, the operation result corresponding to the dangerous log and the abnormal rule satisfied by the dangerous log.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: determining attack time of the corresponding vulnerability exploitation based on the dangerous log; determining an attack mode of the vulnerability exploitation based on an operation result corresponding to the dangerous log; determining the attack type of the vulnerability exploitation based on the abnormal rules satisfied by the dangerous logs; and taking the attack time, the attack mode and the attack type as the detection result of the vulnerability exploitation.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: tracing the attack process of the exploit based on the association among the system logs to obtain the attack behavior of the exploit; and generating an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, and taking the attack behavior portrait as an exploit detection result.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: and performing exploit detection on the abnormal log, and displaying the exploit detection result after obtaining the exploit detection result.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: judging whether the operation type of the operation result is a dangerous operation type or not; if the operation type of the operation result is a dangerous operation type, judging that the operation result is unsafe; if the operation type of the operation result is not the dangerous operation type, judging that the operation result is safe; wherein the dangerous operation includes remotely downloading a file and/or executing a high-authority command.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: and performing exploit detection on the exception log, and after obtaining exploit detection results, aggregating all exploit detection results in the network to obtain attacker behavior portraits of attackers of the same exploit or single attack event.
According to the vulnerability exploitation detection device provided by the embodiment of the application, the exception rules comprise a process exception calling rule and/or a network exception connection rule and/or a file exception operation rule.
The exploit detection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: after obtaining the attacker behavior portraits of the attackers of the same exploit or of a single attack event, displaying those attacker behavior portraits.
Referring to fig. 6, another exploit detection apparatus provided in the embodiment of the present application may further include: an input port 203 connected to the processor 202 for transmitting an externally input command to the processor 202; a display unit 204 connected to the processor 202 for displaying the processing result of the processor 202 to the outside; and a communication module 205 connected to the processor 202 for realizing communication between the exploit detection device and the outside. The display unit 204 may be a display panel, a laser scanning display, or the like; communication means employed by the communication module 205 include, but are not limited to, Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High-Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity (WiFi), Bluetooth communication, Bluetooth Low Energy communication, and IEEE 802.11s based communication.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented:
acquiring a system log recorded by target equipment; the system log comprises a system security protection log and/or a system dangerous operation log;
detecting an abnormal log meeting an abnormal rule in the system log;
and performing exploit detection on the abnormal log to obtain an exploit detection result.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: obtaining an operation result corresponding to the abnormal log; judging whether the operation result is safe or not; if the operation result is unsafe, taking an abnormal log corresponding to the unsafe operation result as a dangerous log; and determining the detection result of the exploit based on the dangerous log, the operation result corresponding to the dangerous log and the abnormal rule satisfied by the dangerous log.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: determining attack time of the corresponding vulnerability exploitation based on the dangerous log; determining an attack mode of the vulnerability exploitation based on an operation result corresponding to the dangerous log; determining the attack type of the vulnerability exploitation based on the abnormal rules satisfied by the dangerous logs; and taking the attack time, the attack mode and the attack type as the detection result of the vulnerability exploitation.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: tracing the attack process of the exploit based on the association among the system logs to obtain the attack behavior of the exploit; and generating an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, and taking the attack behavior portrait as an exploit detection result.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: and performing exploit detection on the abnormal log, and displaying the exploit detection result after obtaining the exploit detection result.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: judging whether the operation type of the operation result is a dangerous operation type or not; if the operation type of the operation result is a dangerous operation type, judging that the operation result is unsafe; if the operation type of the operation result is not the dangerous operation type, judging that the operation result is safe; wherein the dangerous operation includes remotely downloading a file and/or executing a high-authority command.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: and performing exploit detection on the exception log, and after obtaining exploit detection results, aggregating all exploit detection results in the network to obtain attacker behavior portraits of attackers of the same exploit or single attack event.
The embodiment of the application provides a computer readable storage medium, and the exception rules comprise a process exception calling rule and/or a network exception connection rule and/or a file exception operation rule.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented: after obtaining the attacker behavior portraits of the attackers of the same exploit or of a single attack event, displaying those attacker behavior portraits.
The computer readable storage medium referred to in this application includes random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The description of the relevant parts in the exploit detection system, the exploit detection device and the computer readable storage medium provided in the embodiments of the present application refers to the detailed description of the corresponding parts in the exploit detection method provided in the embodiments of the present application, and is not repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A vulnerability exploitation detection method, characterized by comprising the following steps:
acquiring a system log recorded by target equipment; the system log comprises a system security protection log and a system dangerous operation log;
comparing the characteristics of the system log with the characteristics of the abnormal rules in the system log to detect an abnormal log meeting the abnormal rules;
obtaining an operation result corresponding to the abnormal log; the operation result is obtained after the target equipment executes the operation recorded by the abnormal log;
judging whether the operation result is safe or not;
if the operation result is unsafe, taking the abnormal log corresponding to the unsafe operation result as a dangerous log;
determining attack time of the corresponding vulnerability exploitation based on the dangerous log;
determining an attack mode of the vulnerability exploitation based on the operation result corresponding to the dangerous log;
determining the attack type of the vulnerability exploitation based on the abnormal rules satisfied by the dangerous logs;
and taking the attack time, the attack mode and the attack type as the detection result of the vulnerability exploitation.
2. The method of claim 1, wherein the taking the attack time, the attack mode, and the attack type as the exploit detection result comprises:
tracing the attack process of the exploit based on the association among the system logs to obtain the attack behavior of the exploit;
and generating an attack behavior portrait based on the attack time, the attack mode, the attack type and the attack behavior, and taking the attack behavior portrait as the detection result of the exploit.
3. The method according to any one of claims 1 to 2, wherein performing exploit detection on the anomaly log to obtain an exploit detection result, further comprises:
and displaying the detection result of the exploit.
4. The method of claim 1, wherein said determining whether the operation result is safe comprises:
judging whether the operation type of the operation result is a dangerous operation type or not;
if the operation type of the operation result is the dangerous operation type, judging that the operation result is unsafe;
if the operation type of the operation result is not the dangerous operation type, judging that the operation result is safe;
wherein the dangerous operation includes remotely downloading a file and/or executing a high-authority command.
5. The method of claim 1, wherein performing exploit detection on the exception log, after obtaining an exploit detection result, further comprises:
and aggregating all exploit detection results in the network to obtain the attacker behavior portrait of the attackers of the same exploit or of a single attack event.
6. The method of claim 5, wherein the aggregating all exploit detection results in the network to obtain the attacker behavior portrait of the attackers of the same exploit or of a single attack event further comprises:
and displaying the attacker behavior portrait of the attackers of the same exploit or of a single attack event.
7. The method according to claim 1, wherein the exception rules comprise process exception call rules and/or network exception connection rules and/or file exception operation rules.
8. An exploit detection system, comprising:
the first acquisition module is used for acquiring a system log recorded by the target equipment; the system log comprises a system security protection log and a system dangerous operation log;
the first detection module is used for comparing the characteristics of the system log with the characteristics of the abnormal rules in the system log to detect the abnormal log meeting the abnormal rules;
the operation result acquisition module is used for acquiring an operation result corresponding to the abnormal log; the operation result is obtained after the target equipment executes the operation recorded by the abnormal log;
the judging module is used for judging whether the operation result is safe or not;
the dangerous log determining module is used for taking the abnormal log corresponding to the unsafe operation result as a dangerous log if the operation result is unsafe;
the attack time determining module is used for determining the attack time of the corresponding vulnerability exploitation based on the dangerous log;
an attack mode determining module, configured to determine an attack mode of the exploit based on the operation result corresponding to the dangerous log;
the attack type determining module is used for determining the attack type of the vulnerability exploitation based on the abnormal rules satisfied by the dangerous log;
and the vulnerability exploitation detection result determining module is used for taking the attack time, the attack mode and the attack type as vulnerability exploitation detection results.
9. An exploit detection device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the exploit detection method according to any of claims 1 to 7 when executing the computer program.
10. A computer readable storage medium having stored therein a computer program which when executed by a processor performs the steps of the exploit detection method according to any of claims 1 to 7.
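The network-wide aggregation of step S310, the first aggregation module above, and claims 5 and 6 can likewise be shown as a runnable model. This is an added example, not code from the patent or from Sangfor: it assumes each per-device detection result also carries the attacker's source address and a label for the exploited vulnerability (the page does not say how attackers or exploits are identified), and it treats consecutive detections by one attacker that lie within a fixed time window as one attack event; the detection results, window and labels are all constructed for the illustration.

```python
# Added example (not the patent's or Sangfor's code): aggregating per-device exploit
# detection results across a network into attacker behavior portraits, grouped by exploit
# and by attack event. Field names, the "vuln-*" labels and the 30-minute window are
# assumptions made for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed detection results reported by several devices in one network.
DETECTIONS: List[Dict[str, Any]] = [
    {"host": "web-01", "attacker": "203.0.113.7", "exploit": "vuln-A",
     "attack_time": "2020-08-06T10:00:03", "attack_mode": "remote file download",
     "attack_type": "network exception connection"},
    {"host": "web-02", "attacker": "203.0.113.7", "exploit": "vuln-A",
     "attack_time": "2020-08-06T10:12:40", "attack_mode": "high-privilege command execution",
     "attack_type": "process exception call"},
    {"host": "web-02", "attacker": "198.51.100.22", "exploit": "vuln-A",
     "attack_time": "2020-08-06T11:00:00", "attack_mode": "remote file download",
     "attack_type": "network exception connection"},
    {"host": "web-03", "attacker": "203.0.113.7", "exploit": "vuln-B",
     "attack_time": "2020-08-06T15:00:00", "attack_mode": "high-privilege command execution",
     "attack_type": "process exception call"},
]


def _ts(d: Dict[str, Any]) -> datetime:
    return datetime.fromisoformat(d["attack_time"])


def attacker_portrait(dets: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarise a group of detection results attributed to one attacker."""
    dets = sorted(dets, key=_ts)
    return {
        "attacker": dets[0]["attacker"],
        "hosts": sorted({d["host"] for d in dets}),
        "exploits": sorted({d["exploit"] for d in dets}),
        "attack_modes": sorted({d["attack_mode"] for d in dets}),
        "attack_types": sorted({d["attack_type"] for d in dets}),
        "first_seen": dets[0]["attack_time"],
        "last_seen": dets[-1]["attack_time"],
        "detections": len(dets),
    }


def aggregate_by_exploit(detections: List[Dict[str, Any]]) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """exploit label -> attacker address -> portrait of that attacker's use of the exploit."""
    groups: Dict[str, Dict[str, List[Dict[str, Any]]]] = defaultdict(lambda: defaultdict(list))
    for d in detections:
        groups[d["exploit"]][d["attacker"]].append(d)
    return {exploit: {atk: attacker_portrait(ds) for atk, ds in by_attacker.items()}
            for exploit, by_attacker in groups.items()}


def aggregate_attack_events(detections: List[Dict[str, Any]],
                            window: timedelta = timedelta(minutes=30)) -> List[Dict[str, Any]]:
    """Split each attacker's detections into attack events: consecutive detections no more
    than `window` apart belong to the same event. Returns one portrait per event."""
    by_attacker: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for d in sorted(detections, key=_ts):
        by_attacker[d["attacker"]].append(d)
    events = []
    for dets in by_attacker.values():
        current = [dets[0]]
        for d in dets[1:]:
            if _ts(d) - _ts(current[-1]) <= window:
                current.append(d)
            else:
                events.append(attacker_portrait(current))
                current = [d]
        events.append(attacker_portrait(current))
    return sorted(events, key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for exploit, attackers in aggregate_by_exploit(DETECTIONS).items():
        print(exploit, attackers)
    for event in aggregate_attack_events(DETECTIONS):
        print(event)
```

With the constructed results, grouping by exploit shows two attackers using vuln-A (one of them against two hosts) and one attacker using vuln-B; grouping by event splits the first attacker's activity into a morning event spanning web-01 and web-02 and a separate afternoon event on web-03, which is the distinction between "attackers of the same exploit" and "a single attack event" that the text draws.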

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010783766.7A CN111881460B (en) 2020-08-06 2020-08-06 Vulnerability exploitation detection method, system, equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN111881460A CN111881460A (en) 2020-11-03
CN111881460B true CN111881460B (en) 2024-04-09

Family

ID=73210263

Country Status (1)

Country Link
CN (1) CN111881460B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565226A (en) * 2020-11-27 2021-03-26 深信服科技股份有限公司 Request processing method, device, equipment and system and user portrait generation method
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN114003903B (en) * 2021-12-28 2022-03-08 北京微步在线科技有限公司 Network attack tracing method and device
CN116628694B (en) * 2023-07-25 2023-11-21 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109255240A (en) * 2018-07-18 2019-01-22 北京明朝万达科技股份有限公司 A kind of loophole treating method and apparatus
CN110135166A (en) * 2019-05-08 2019-08-16 北京国舜科技股份有限公司 A kind of detection method and system for the attack of service logic loophole
CN110188013A (en) * 2019-05-30 2019-08-30 苏州浪潮智能科技有限公司 A kind of log read-write capability test method, device and electronic equipment and storage medium
US10454963B1 (en) * 2015-07-31 2019-10-22 Tripwire, Inc. Historical exploit and vulnerability detection
CN110472414A (en) * 2019-07-23 2019-11-19 中国平安人寿保险股份有限公司 Detection method, device, terminal device and the medium of system vulnerability
CN110636076A (en) * 2019-10-12 2019-12-31 北京安信天行科技有限公司 Host attack detection method and system
CN110674508A (en) * 2019-09-23 2020-01-10 北京智游网安科技有限公司 Android component detection processing method, detection terminal and storage medium
CN110912945A (en) * 2019-12-31 2020-03-24 深信服科技股份有限公司 Network attack entry point detection method and device, electronic equipment and storage medium
CN111367807A (en) * 2020-03-08 2020-07-03 苏州浪潮智能科技有限公司 Log analysis method, system, device and medium
CN111435393A (en) * 2019-01-14 2020-07-21 北京京东尚科信息技术有限公司 Object vulnerability detection method, device, medium and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9876813B2 (en) * 2015-02-11 2018-01-23 Qualys, Inc. System and method for web-based log analysis

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on exploitation techniques for information security vulnerabilities in Web application systems; Wan Ziqian; Wu Bo; Electronic Product Reliability and Environmental Testing (Issue 06); full text *
Research on a detection and interception system for unknown PHP deserialization vulnerability exploits; Chen Zhenhang; Wang Zhangyi; Peng Guojun; Xia Zhijian; Netinfo Security (Issue 04); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant