CN112784268A - Method, device, equipment and storage medium for analyzing host behavior data - Google Patents


Info

Publication number: CN112784268A
Authority: CN (China)
Application number: CN202110121714.8A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王云峰
Assignee (original and current): Sangfor Technologies Co Ltd
Prior art keywords: event, behavior, host, data, behavior data

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a method, a device, equipment and a storage medium for analyzing host behavior data. In the scheme, behavior data of the host is collected through a preset event monitoring module, which comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module; the behavior data is standardized to generate a host behavior event, the host behavior event is sent to a data analysis system, and the data analysis system analyzes and processes the host behavior event to obtain a corresponding analysis result. In this way, the kernel monitoring acquisition module, the ETW event acquisition module and the user mode hook event acquisition module of the event monitoring module jointly acquire the behavior data of the host, so that the behavior data is acquired effectively.

Description

Method, device, equipment and storage medium for analyzing host behavior data
Technical Field
The present invention relates to the field of data analysis technologies, and in particular, to a method, an apparatus, a device, and a storage medium for analyzing host behavior data.
Background
At present, most traditional host behavior data acquisition relies on open-source projects, and is implemented by acquiring host data mainly through user mode hooks (used for intercepting system messages), by reusing the monitoring log of sysmon (a system monitoring tool), and by simple detection of incremental changes in system information. However, when data is collected in this manner, the number of monitoring points is small while the data volume is often large, the validity of the data is low, and the core operations of an attacker cannot be collected, so analysis based on such data is often ineffective.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a storage medium for analyzing host behavior data, so as to effectively acquire the behavior data of a host and analyze and detect the abnormal condition of the host according to the acquired behavior data.
In order to achieve the above object, the present invention provides a method for analyzing host behavior data, including:
acquiring behavior data of a host through a preset event monitoring module; the event monitoring module comprises: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
carrying out standardization processing on the behavior data to generate a corresponding host behavior event;
and sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
Wherein, acquiring the behavior data of the host through the preset event monitoring module includes:
acquiring first behavior data of a host through the kernel monitoring and acquiring module; the first behavior data includes: process/thread behavior data, file/registry operation behavior data, network connection behavior data;
collecting second behavior data of the host through the ETW event collection module; the second behavior data includes: scheduled task behavior data and DNS behavior data;
acquiring third behavior data of the host through the user mode hook event acquisition module; the third behavior data includes: service behavior data, function call behavior data.
Wherein, before standardizing the behavior data to generate the corresponding host behavior event, the method further includes: filtering the behavior data by using a preset matching rule to generate rule-matched event data;
and standardizing the behavior data to generate the corresponding host behavior event then includes: standardizing the event data to generate the corresponding host behavior event.
Wherein, the analyzing and processing the host behavior event by the data analysis system to obtain a corresponding analysis result includes: and analyzing and processing the host behavior event by utilizing at least one analysis engine in the data analysis system to obtain a corresponding analysis result.
Wherein, the analyzing and processing the host behavior event by using at least one analysis engine in the data analysis system to obtain a corresponding analysis result includes:
detecting attack behaviors in the host behavior event by using an IOC scanning engine to obtain an attack analysis result; and/or detecting the threat behavior in the host behavior event by utilizing a behavior state learning engine to obtain a threat analysis result.
Wherein if the attack analysis result indicates that an attack behavior exists in the host behavior event, or if the threat analysis result indicates that a threat behavior exists in the host behavior event, the analysis method further includes: and determining an attacker corresponding to the attack behavior through an event tracing engine.
Wherein if the attack analysis result indicates that an attack behavior exists in the host behavior event, or if the threat analysis result indicates that a threat behavior exists in the host behavior event, the analysis method further includes:
generating a security policy corresponding to the attack/threat behavior using a security rules engine;
and issuing the security policy to the kernel monitoring acquisition module and/or the user mode hook event acquisition module through a security handling engine, so as to execute the operation corresponding to the security policy through the kernel monitoring acquisition module and/or the user mode hook event acquisition module.
To achieve the above object, the present invention further provides an apparatus for analyzing host behavior data, comprising:
the acquisition module is used for acquiring behavior data of the host through a preset event monitoring module; the event monitoring module comprises: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
the processing module is used for carrying out standardized processing on the behavior data and generating a corresponding host behavior event;
and the analysis module is used for sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
To achieve the above object, the present invention further provides an electronic device comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the above method for analyzing host behavior data when executing the computer program.
To achieve the above object, the present invention further provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, realizes the steps of the above method for analyzing host behavior data.
According to the scheme, the method for analyzing host behavior data provided by the embodiment of the invention includes the following steps: acquiring behavior data of a host through a preset event monitoring module, which comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module; standardizing the behavior data to generate a host behavior event; sending the host behavior event to a data analysis system; and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result. In this way, the kernel monitoring acquisition module, the ETW event acquisition module and the user mode hook event acquisition module of the event monitoring module jointly acquire the behavior data of the host, so that the behavior data is acquired effectively.
The invention also discloses a device, equipment and a storage medium for analyzing host behavior data, which can likewise achieve the above technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic structural diagram of a system for analyzing host behavior data according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart illustrating a method for analyzing host behavior data according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart illustrating another method for analyzing host behavior data according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart illustrating another method for analyzing host behavior data according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of system components disclosed in an embodiment of the present invention;
FIG. 6 is a schematic overall flow chart of the system according to the embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for analyzing host behavior data according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, when behavior data of a host is collected, the traditional approach has problems such as few monitoring points, a large volume of collected data and low data validity, and the core operations of an attacker cannot be collected, so analysis based on such data is often ineffective.
Therefore, in order to acquire the behavior data of the host effectively, the behavior data is acquired jointly by the kernel monitoring acquisition module, the ETW (Event Tracing for Windows) event acquisition module and the user mode hook event acquisition module in the event monitoring module.
For convenience of understanding, a system architecture applicable to the technical solution of the present application is introduced below, and refer to fig. 1, which is a schematic structural diagram of an analysis system for host behavior data disclosed in the embodiment of the present invention; as can be seen from fig. 1, the system comprises: a host 11 and a server 12;
the host 11 is preset with an event monitoring module for collecting behavior data, for example: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module; the three acquisition modules can acquire behavior data of the host 11 from different dimensions. After the host 11 collects the behavior data, the behavior data can be standardized by the host 11 and then analyzed by a data analysis system of the host 11; or after the host 11 collects the behavior data, the host 11 standardizes the behavior data, and then sends the host behavior event generated after the standardization to the server 12, and the behavior data is analyzed by a data analysis system in the server 12; or, after the host 11 collects the behavior data, the behavior data may be directly sent to the server 12, the server 12 performs a standardized process on the behavior data to generate a host behavior event, and the data analysis system in the server 12 analyzes the behavior data.
In this embodiment, the server may be a local server or a cloud server; moreover, after the server analyzes and processes the host behavior event, the server may send the corresponding analysis result to the host 11, and the host 11 may perform different operations according to different analysis results, for example: if the abnormal phenomenon does not exist in the host computer in the analysis result, no operation is executed; if the host is determined to have threat behavior in the analysis result, some operations may be performed on the host to eliminate the threat, such as: the analysis result is as follows: if there is a threat activity and a virus creates a file through the threat activity, the host may delete the file created by the virus to eliminate the threat. Moreover, the host 11 and the server 12 send data through a communication network, which may be determined according to network conditions and application requirements in an actual application process, and may be a wireless communication network, such as a mobile communication network or a WIFI network, or a wired communication network; the network may be a wide area network or a local area network, and is not particularly limited herein.
Fig. 2 is a schematic flow chart of a method for analyzing host behavior data according to an embodiment of the present invention; the method specifically comprises the following steps:
S101, behavior data of a host is collected through a preset event monitoring module; the event monitoring module includes: a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
In the scheme, an event monitoring module is deployed in the host in advance, and the behavior data of the host is collected through it. Specifically, system behavior is monitored and collected mainly through three modules in the event monitoring module: a self-developed lightweight kernel monitoring collection module, a Windows ETW event collection module and a user mode hook event collection module. A behavior in this scheme specifically means that a subject acts on an object; in this embodiment the subject may be a process, and the object may be a process, a file, a registry key, a web server or the like.
The scheme specifically collects first behavior data of the host through the kernel monitoring collection module, the first behavior data including process/thread behavior data, file/registry operation behavior data and network connection behavior data. Specifically, the kernel monitoring collection module is loaded together with the host system as a driver, and can monitor and collect behavior data of processes/threads in the system, such as creation, start and destruction of a process/thread; it can collect all behavior data of file/registry operations, such as creation, modification and deletion of a file/registry key; and it can also collect network connection behavior, such as the host switching the wireless network it is connected to from network 1 to network 2.
The scheme specifically collects second behavior data of the host through the ETW event collection module, the second behavior data including scheduled task behavior data and DNS (Domain Name System) behavior data. Specifically, the ETW event collection module mainly monitors and collects the events that the kernel monitoring collection module cannot collect, such as scheduled tasks and DNS requests, making up for the deficiency of the kernel monitoring collection module. Further, the scheme collects third behavior data of the host through the user mode hook event collection module, the third behavior data including service behavior data and function call behavior data. In particular, the user mode hook event collection module can monitor and collect service-related behavior data and call behavior data of dangerous functions.
S102, carrying out standardization processing on the behavior data to generate a corresponding host behavior event;
Specifically, after the behavior data is acquired, in order to enable the data analysis system to analyze and process it more accurately and more quickly, the behavior data may first be standardized to generate a corresponding host behavior event. The standardization may include, but is not limited to, deduplication of behavior data, merging of behavior data, grouping of behavior data and format standardization of behavior data.
S103, sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
In this embodiment, after the behavior data is converted into the corresponding host behavior event, the host behavior event may be analyzed and processed by the data analysis system to obtain a corresponding analysis result. Specifically, the analysis result obtained depends on the functions of the data analysis system. For example: if the data analysis system has the function of detecting attacks, the generated analysis result is whether an attack behavior exists in the host behavior event; if the data analysis system has the function of detecting threats, the generated analysis result is whether a threat behavior exists in the host behavior event.
In conclusion, in order to effectively acquire the behavior data of the host, the kernel monitoring acquisition module, the ETW event acquisition module and the user mode hook event acquisition module in the event monitoring module are used for acquiring the behavior data of the host together.
Fig. 3 is a schematic flow chart of another method for analyzing host behavior data according to the embodiment of the present invention; it should be noted that, the same points of the analysis method described in this embodiment and the analysis method described in the previous embodiment may be referred to each other, and are not described herein again;
in this embodiment, the method specifically includes:
S201, behavior data of a host is collected through a preset event monitoring module; the event monitoring module includes: a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
S202, filtering the behavior data by using a preset matching rule to generate rule-matched event data;
Specifically, in order to obtain more effective behavior data, in this embodiment a matching rule for screening important behavior data out of the behavior data may be set in advance. The matching rule may focus on screening behavior data in the following aspects: 1) behavior data generated when a process operates on important resources of the system; 2) behavior data generated by operations that attackers frequently use; 3) network behavior data, such as network connections and DNS requests. It should be noted that, in this embodiment, the data screened by the matching rule is described only by taking the screening of these three kinds of behavior data as an example; in actual use, the matching rule may be adjusted according to actual requirements to screen different behavior data.
It should be noted that, if the analysis of the host behavior event is performed by the server, the filtering of the behavior data may be performed either by the host or by the server. If the host performs the filtering, the performance of the host is affected, but the data sent to the server becomes smaller, so that the amount of transmitted data and the transmission time are reduced. A person skilled in the art can therefore select the execution body of data filtering according to actual requirements, for example: to reduce the impact on host performance, the filtering may be performed by the server; to reduce the time required for data transmission, the filtering may be performed by the host.
S203, carrying out standardization processing on the event data to generate a corresponding host behavior event;
In this embodiment, after the event data is obtained by filtering the behavior data through the matching rule, the event data needs to be standardized. The standardization may specifically be: supplementing the event data with additional data according to a preset standard event format to generate a corresponding host behavior event. Specifically: when the event monitoring module collects behavior data, only basic information is collected in order to avoid affecting system performance. For example, if process A creates process B in the host, the collected behavior data only contains the basic information that process A created process B. Therefore, in order to let the data analysis system obtain a more accurate analysis result from a more comprehensive and richer host behavior event, the scheme obtains the additional information corresponding to the event data during standardization, and so generates the corresponding host behavior event. For example: if the event is that process A creates process B, the additional information obtained may be the file MD5 (MD5 Message-Digest Algorithm) information and file signature of process A and process B, and is not specifically limited here.
S204, sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
In summary, in this embodiment, after behavior data of the host is collected, the behavior data needs to be filtered by using a preset matching rule, and by this means, more effective and more important behavior data can be screened out from the behavior data, so that the data analysis system can use the screened behavior data to purposefully detect abnormal situations of the host, and improve data processing efficiency.
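The filtering (S202) and standardization with enrichment (S203) steps above, as an added example written for this page rather than code from the patent; the collector record formats, matching rules, standard event fields and the in-memory stand-in for the file system are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed raw records in the shape the three collectors (kernel / etw / hook) might emit.
RAW_RECORDS = [
    {"source": "kernel", "type": "process_create", "pid": 1200,
     "image": r"C:\Office\word.exe", "child": r"C:\Windows\System32\cmd.exe",
     "child_pid": 1201, "ts": 1000},
    {"source": "kernel", "type": "process_create", "pid": 1200,
     "image": r"C:\Office\word.exe", "child": r"C:\Windows\System32\cmd.exe",
     "child_pid": 1201, "ts": 1000},            # same event delivered twice
    {"source": "kernel", "type": "registry_set", "pid": 1201,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "ts": 1001},
    {"source": "kernel", "type": "file_write", "pid": 1201,
     "path": r"C:\Users\alice\AppData\Local\Temp\log.txt", "ts": 1002},
    {"source": "etw", "provider": "DNS-Client", "pid": 1201,
     "query": "update.example.invalid", "ts": 1003},
    {"source": "hook", "api": "CreateRemoteThread", "pid": 1201,
     "target_pid": 1300, "ts": 1004},
    {"source": "hook", "api": "GetTickCount", "pid": 1201, "ts": 1005},
]

# Constructed stand-in for the file system so enrichment can hash offline; a real agent hashes the file on disk.
FAKE_FILES = {
    r"C:\Office\word.exe": b"MZ...constructed word image",
    r"C:\Windows\System32\cmd.exe": b"MZ...constructed cmd image",
}

# Constructed matching rules for the three aspects the description names: important
# system resources, operations attackers commonly use, and network behaviour (DNS).
IMPORTANT_RESOURCES = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",)
ATTACKER_APIS = {"CreateRemoteThread", "WriteProcessMemory"}


def matches_rule(rec):
    """Step S202: name of the matching rule, or None to drop the record."""
    if rec["source"] == "kernel":
        if rec["type"] == "process_create":
            return "process_create"
        if rec["type"] == "registry_set" and rec["key"].startswith(IMPORTANT_RESOURCES):
            return "important_resource"
        return None                 # e.g. ordinary writes to a user temp dir
    if rec["source"] == "etw" and rec.get("provider") == "DNS-Client":
        return "network_dns"
    if rec["source"] == "hook" and rec["api"] in ATTACKER_APIS:
        return "attacker_api"
    return None


@dataclass
class HostBehaviorEvent:
    """Constructed standard event format: a subject process acts on an object."""
    event_type: str
    subject_pid: int
    obj: str
    ts: int
    rule: str
    extra: dict = field(default_factory=dict)

    def key(self):
        """Identity used to deduplicate repeated deliveries of one event."""
        return (self.event_type, self.subject_pid, self.obj, self.ts)


def md5_of(path):
    """Enrichment helper: MD5 of the (constructed) file contents, or None."""
    data = FAKE_FILES.get(path)
    return hashlib.md5(data).hexdigest() if data is not None else None


def to_standard(rec, rule):
    """Step S203: map a collector-specific record to the standard format and
    supplement it with additional information (here the file MD5 of both sides)."""
    src, ts = rec["source"], rec["ts"]
    if src == "kernel" and rec["type"] == "process_create":
        extra = {"child_pid": rec["child_pid"],
                 "subject_md5": md5_of(rec["image"]),
                 "object_md5": md5_of(rec["child"])}
        return HostBehaviorEvent("process_create", rec["pid"], rec["child"], ts, rule, extra)
    if src == "kernel" and rec["type"] == "registry_set":
        return HostBehaviorEvent("registry_set", rec["pid"], rec["key"], ts, rule)
    if src == "etw":
        return HostBehaviorEvent("dns_query", rec["pid"], rec["query"], ts, rule)
    return HostBehaviorEvent("api_call", rec["pid"], rec["api"], ts, rule,
                             {"target_pid": rec.get("target_pid")})


def build_host_events(records):
    """Filter (S202), standardize (S203) and deduplicate the raw records."""
    seen, events = set(), []
    for rec in records:
        rule = matches_rule(rec)
        if rule is None:
            continue
        ev = to_standard(rec, rule)
        if ev.key() in seen:
            continue
        seen.add(ev.key())
        events.append(ev)
    return events
```

Of the seven constructed records, the duplicate process creation, the temp-file write and the harmless API call are dropped, leaving four standardized events with the process-creation event carrying both file hashes.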
Fig. 4 is a schematic flow chart of another method for analyzing host behavior data according to the embodiment of the present invention; it should be noted that, the same points of the analysis method described in this embodiment and the analysis method described in any previous embodiment may be referred to each other, and are not described herein again;
in this embodiment, the method specifically includes:
S301, behavior data of the host is collected through a preset event monitoring module; the event monitoring module includes: a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
S302, filtering the behavior data by using a preset matching rule to generate rule-matched event data;
S303, standardizing the event data to generate a corresponding host behavior event;
S304, analyzing and processing the host behavior event by using at least one analysis engine in the data analysis system to obtain a corresponding analysis result.
Specifically, the data analysis system may be a system deployed on the host or a system deployed on the server, and in this embodiment, in order to improve the analysis processing speed and reduce the influence on the performance of the host, the data analysis system deployed on the server may perform analysis processing on the host behavior event. And, the server may be a local server or a cloud server.
In this embodiment, the data analysis system has a plurality of analysis engines, so that the host behavior event can be analyzed and processed by different engines. For example, the analysis engines may include an IOC scan engine (an IOC, indicator of compromise, is usually used to describe evidence that a computer or network has been attacked, and may be a network IP (Internet Protocol) address, a file hash or the like), and the data analysis system may use the IOC scan engine to detect attack behavior in the host behavior event and so obtain an attack analysis result. Specifically, the IOC scan engine mainly matches the current events of all terminals against the known IOC intelligence repository to verify whether an attack has occurred.
The analysis engines may further include a behavior state learning engine, and the data analysis system may use it to detect threat behavior in the host behavior event and so obtain a threat analysis result. Specifically, the behavior state learning engine simulates the execution of all detected behaviors of a process from its start; each executed behavior carries a threat level, and the threat level can rise as the executed behaviors accumulate. For example: after these behaviors have been executed in turn, if the similarity between the state value at that moment and a certain known virus is extremely high, the behavior is considered a threat behavior, and the alarm engine is notified to raise an alarm to the administrator or end user.
The analysis engines may also include an event tracing engine. Specifically, if the attack analysis result indicates that an attack behavior exists in the host behavior event, or the threat analysis result indicates that a threat behavior exists, the scheme can also determine the attacker corresponding to the attack behavior through the event tracing engine. Because the scheme acquires the behavior data through the kernel monitoring acquisition module, the ETW event acquisition module and the user mode hook event acquisition module, the acquired behavior data is relatively complete and reliable, so when an attack behavior is judged to exist in the behavior data, the event tracing engine can trace precisely to the real attacker through the event correlation map. For example: a user opens a virus-carrying document A with word software. Conventional tracing can only attribute the malicious operation to the word process, but that is not the real cause; with this scheme it can be seen from the behavior data that, before the malicious operation was executed, word opened a virus-carrying document B, so the source of the malicious behavior is document B. Tracing can then continue from document B to find which process, on which machine and of which user released document B, so that the real "responsible party" is found.
Further, the analysis engines may also include a security rules engine and a security handling engine. Specifically, if the attack analysis result indicates that an attack behavior exists in the host behavior event, or the threat analysis result indicates that a threat behavior exists, the scheme can also use the security rules engine to generate a security policy corresponding to the attack/threat behavior, and issue the security policy to the kernel monitoring acquisition module and/or the user mode hook event acquisition module through the security handling engine, so that the kernel monitoring acquisition module and/or the user mode hook event acquisition module execute the operation corresponding to the security policy. It should be noted that, if the host is detected to be attacked, the security rules engine may generate a corresponding security policy whose purpose is to mitigate the attack, prevent the threat from spreading further, and so on. For example: if the virus creates a registry key and the host is determined to be attacked, the corresponding security policy is generated; if that security policy is issued to other hosts not yet attacked by the virus, those hosts will not run the virus, so the virus is prevented from executing its operations at the source.
In summary, in this embodiment the data analysis system can apply different analysis processing to the host behavior event through different engines. The engines in the data analysis system are extensible and are not limited to those mentioned above; engines can be added, deleted, modified and so on according to actual needs. Because the data analysis system uses extensible multiple engines to analyze and process the data, it can feed back abnormal conditions of the current host to the host and handle them in real time. If the behavior data contain an attack behavior, the scheme can also generate a corresponding security policy in time and send it to the kernel monitoring acquisition module and/or the user mode hook event acquisition module, so that in this scheme the kernel monitoring acquisition module and the user mode hook event acquisition module not only have monitoring and acquisition functions but also have the capability to block the behavior, further improving the security of the host.
Referring to fig. 5, which is a schematic diagram of the system components disclosed in the embodiment of the present invention: in the event collection part, the kernel monitoring collection module, the ETW event collection module and the user mode hook event collection module mainly collect process events, network behaviors and Windows system logs. After the behavior data are collected, they are filtered to generate event data, which are sent to the event storage part. The event storage part mainly comprises various services: an event receiving service receives the event data, an event information standardization service standardizes the event data to generate host behavior events, and a database read-write service stores the generated host behavior events in a database. The event analysis part comprises various data engines, among which the evidence obtaining engine is used to obtain evidence of a virus after the virus has appeared in the wild, so that the other engines can identify the virus from that evidence. The security policy to be issued by the security handling engine may be issued to the kernel monitoring collection module and the user mode hook event collection module for execution, and may also be issued to the security handling service of the event storage part, which then executes the corresponding operations, for example deleting a file after the virus has created it. The other engines of the event analysis part have been described in detail in the previous embodiment and are not described again here.
Referring to fig. 6, which is a schematic view of the overall process of the system disclosed in the embodiment of the present invention: after the kernel monitoring acquisition module, the ETW event acquisition module and the user mode hook event acquisition module in the event monitoring acquisition module acquire behavior data, the behavior data are filtered by a rule matching module to generate event data, and an initial host behavior event is obtained after the event information is encapsulated. Then, after the steps of event receiving, event standardization and database writing are executed, the resulting host behavior event is stored in the database and reported to the cloud, where it is analyzed and processed by the cloud data analysis engine. If an attack behavior or a threat behavior is detected, an alarm is raised through the terminal alarm engine; if the cloud data analysis engine generates a security policy, the security policy is sent to the kernel monitoring acquisition module and the user mode hook event acquisition module. The specific analysis process of the cloud data analysis engine has been described in detail in the previous embodiment and is omitted here.
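The pipeline of figs. 5 and 6 end to end, as an added Python example that is not code from the patent or from Sangfor; it also serves the rule-matching filter, the standardization step, the IOC scanning engine and the policy issuance described for the security rule engine above. Everything in it is constructed: the record shapes of the three collectors, the host name, the IOC values, the "trusted image" matching rule and the deny-rule format of the policy are assumptions, since the patent does not specify them. The point it shows is that the three collectors report differently shaped records, that only after standardization can one engine scan them, and that the policy derived from an attack hit can be enforced by a collector on a host that has not seen the attack yet.

```python
"""Collector records -> rule filter -> normalization -> IOC scan -> policy (added example).
Record shapes, IOC values, host name and the matching rule below are all constructed."""

# Constructed IOC feed (placeholder values, not real indicators).
IOC = {"hashes": {"b" * 64}, "domains": {"bad.example"}, "ips": {"203.0.113.10"}}

# Constructed raw behavior data in the differing shapes of the three collectors.
RAW = [
    {"src": "kernel", "kind": "proc_start", "pid": 700, "image": r"C:\Windows\System32\svchost.exe", "sha256": "a" * 64},
    {"src": "kernel", "kind": "proc_start", "pid": 4100, "image": r"C:\Users\alice\Downloads\invoice.exe", "sha256": "b" * 64},
    {"src": "kernel", "kind": "reg_create", "pid": 4100, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"src": "kernel", "kind": "net_connect", "pid": 4100, "dst": "203.0.113.10:443"},
    {"src": "kernel", "kind": "file_write", "pid": 700, "path": r"C:\Windows\Temp\svc.log"},
    {"src": "etw", "provider": "Microsoft-Windows-DNS-Client", "pid": 4100, "query": "bad.example"},
    {"src": "etw", "provider": "Microsoft-Windows-TaskScheduler", "pid": 4100, "task": r"\Updater"},
    {"src": "hook", "api": "CreateServiceW", "pid": 4100, "service": "updsvc"},
]

# Preset matching rule (constructed): records from trusted system images are dropped as noise.
TRUSTED_IMAGES = {r"c:\windows\system32\svchost.exe"}


def process_table(raw):
    """pid -> (image, sha256), learned from kernel process-start records."""
    return {r["pid"]: (r["image"], r["sha256"]) for r in raw if r.get("kind") == "proc_start"}


def rule_filter(raw, procs):
    """Filtering step: keep only records whose process is not on the trusted list."""
    return [r for r in raw if procs.get(r["pid"], ("", None))[0].lower() not in TRUSTED_IMAGES]


def normalize(raw, procs, host="ws-01"):
    """Standardization step: map the three collector formats onto one host behavior event schema."""
    events = []
    for r in raw:
        image, sha = procs.get(r["pid"], ("<unknown>", None))
        if r["src"] == "kernel":
            action = r["kind"]
            obj = r.get("key") or r.get("dst") or r.get("path") or r.get("image")
        elif r["src"] == "etw":
            action = "dns_query" if "DNS" in r["provider"] else "task_create"
            obj = r.get("query") or r.get("task")
        else:  # user-mode hook records carry the hooked API name
            action, obj = r["api"], r.get("service") or r.get("file")
        events.append({"host": host, "pid": r["pid"], "image": image, "sha256": sha,
                       "action": action, "object": obj})
    return events


def ioc_scan(events):
    """IOC scanning engine: hit if the process hash, destination IP or queried domain is listed."""
    hits = []
    for e in events:
        obj = e["object"] or ""
        if e["sha256"] in IOC["hashes"] or obj.split(":")[0] in IOC["ips"] or obj in IOC["domains"]:
            hits.append(e)
    return hits


def make_policy(hits):
    """Security rule engine: derive deny rules that a collector module can enforce on any host."""
    policy = []
    for e in hits:
        rules = []
        if e["sha256"]:
            rules.append({"deny": "proc_start", "match": {"sha256": e["sha256"]}})
        if e["action"] == "reg_create":
            rules.append({"deny": "reg_create", "match": {"key": e["object"]}})
        if e["action"] == "net_connect":
            rules.append({"deny": "net_connect", "match": {"ip": e["object"].split(":")[0]}})
        for rule in rules:
            if rule not in policy:  # the same indicator may appear in several hits
                policy.append(rule)
    return policy


def enforce(policy, record):
    """What a collector module holding the issued policy does with a new raw kernel record."""
    for p in policy:
        if record.get("kind") != p["deny"]:
            continue
        m = p["match"]
        if p["deny"] == "proc_start" and record.get("sha256") == m["sha256"]:
            return "block"
        if p["deny"] == "reg_create" and record.get("key") == m["key"]:
            return "block"
        if p["deny"] == "net_connect" and record.get("dst", "").split(":")[0] == m["ip"]:
            return "block"
    return "allow"


def run_pipeline(raw):
    """Collection -> filtering -> standardization -> IOC scan -> policy generation."""
    procs = process_table(raw)
    events = normalize(rule_filter(raw, procs), procs)
    hits = ioc_scan(events)
    return {"events": events, "hits": hits, "policy": make_policy(hits)}
```

On the constructed input the filter drops the two svchost.exe records, the remaining six records normalize to six events that all hit the IOC feed, and the rule engine reduces them to three deny rules; `enforce` then shows a second host blocking the same process hash, registry key or destination before any of its own events reach the cloud, which is the "prevent at the source" effect the text describes.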
The following describes an analysis apparatus, a device, and a storage medium according to embodiments of the present invention, and the analysis apparatus, the device, and the storage medium described below and the analysis method described above may be referred to each other.
Referring to fig. 7, a schematic structural diagram of an apparatus for analyzing host behavior data according to an embodiment of the present invention includes:
the acquisition module 21 is used for acquiring behavior data of the host through a preset event monitoring module; the event monitoring module comprises: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
the processing module 22 is configured to perform standardized processing on the behavior data to generate a corresponding host behavior event;
and the analysis module 23 is configured to send the host behavior event to a data analysis system, and analyze and process the host behavior event through the data analysis system to obtain a corresponding analysis result.
Wherein, the collection module includes:
the first acquisition unit is used for acquiring first behavior data of the host through the kernel monitoring acquisition module; the first behavior data includes: process/thread behavior data, file/registry operation behavior data, network connection behavior data;
the second acquisition unit is used for acquiring second behavior data of the host through the ETW event acquisition module; the second behavior data includes: plan task behavior data and DNS behavior data;
the third acquisition unit is used for acquiring third behavior data of the host through the user mode hook event acquisition module; the third behavior data includes: service behavior data, function call behavior data.
Wherein, this scheme still includes:
the filtering module is used for filtering the behavior data by using a preset matching rule to generate event data after rule matching;
the processing module is specifically configured to: and carrying out standardization processing on the event data to generate a corresponding host behavior event.
Wherein the analysis module is specifically configured to: and analyzing and processing the host behavior event by utilizing at least one analysis engine in the data analysis system to obtain a corresponding analysis result.
Wherein the analysis module comprises:
the first detection unit is used for detecting the attack behavior in the host behavior event by using an IOC scanning engine to obtain an attack analysis result; and/or
and the second detection unit is used for detecting the threat behaviors in the host behavior event by using a behavior state learning engine to obtain a threat analysis result.
Wherein the analysis module further comprises: an event tracing unit;
the event tracing unit is used for determining the attacker corresponding to the attack behavior through an event tracing engine when the attack analysis result indicates that an attack behavior exists in the host behavior event or the threat analysis result indicates that a threat behavior exists in the host behavior event.
Wherein the analysis module further comprises:
a policy generating unit, configured to generate a security policy corresponding to the attack behavior/threat behavior by using a security rule engine when an attack analysis result indicates that an attack behavior exists in the host behavior event, or the threat analysis result indicates that a threat behavior exists in the host behavior event;
and the policy issuing unit is used for issuing the security policy to the kernel monitoring acquisition module and/or the user mode hook event acquisition module through a security handling engine so as to execute the operation corresponding to the security policy through the kernel monitoring acquisition module and/or the user mode hook event acquisition module.
Referring to fig. 8, a schematic structural diagram of an electronic device provided in an embodiment of the present invention includes:
a memory 31 for storing a computer program;
a processor 32, configured to implement the steps of the method for analyzing host behavior data according to any of the above-mentioned method embodiments when executing the computer program.
In this embodiment, the device may be a PC (Personal Computer), or may be a terminal device such as a smart phone, a tablet computer, a palmtop computer, or a portable computer.
The device may include a memory 31, a processor 32, and a bus 33.
The memory 31 includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program, and the internal memory provides an environment for running the operating system and the computer-readable instructions in the non-volatile storage medium. The processor 32 may in some embodiments be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip; it provides the computing and control capability of the device, and when it executes the computer program stored in the memory 31, the steps of the analysis method disclosed in any of the foregoing embodiments can be implemented.
The bus 33 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Further, the device may further include a network interface 34, and the network interface 34 may optionally include a wired interface and/or a wireless interface (e.g., WI-FI interface, bluetooth interface, etc.), which are generally used to establish a communication connection between the device and other electronic devices.
Fig. 8 shows only the device with the components 31-34, and it will be understood by those skilled in the art that the structure shown in fig. 8 does not constitute a limitation of the device, and may comprise fewer or more components than those shown, or some components may be combined, or a different arrangement of components.
A computer-readable storage medium is further provided for an embodiment of the present invention, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the steps of the method for analyzing host behavior data according to any of the above-mentioned method embodiments.
Wherein the storage medium may include: various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for analyzing host behavior data, comprising:
acquiring behavior data of a host through a preset event monitoring module; the event monitoring module comprises: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
carrying out standardization processing on the behavior data to generate a corresponding host behavior event;
and sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
2. The analysis method according to claim 1, wherein the collecting behavior data of the host computer by the preset event monitoring module comprises:
acquiring first behavior data of a host through the kernel monitoring and acquiring module; the first behavior data includes: process/thread behavior data, file/registry operation behavior data, network connection behavior data;
collecting second behavior data of the host through the ETW event collection module; the second behavior data includes: plan task behavior data and DNS behavior data;
acquiring third behavior data of the host through the user mode hook event acquisition module; the third behavior data includes: service behavior data, function call behavior data.
3. The analysis method according to claim 1, wherein before normalizing the behavior data to generate the corresponding host behavior event, the method further comprises:
filtering the behavior data by using a preset matching rule to generate event data after rule matching;
then, the normalizing the behavior data to generate a corresponding host behavior event includes: and carrying out standardization processing on the event data to generate a corresponding host behavior event.
4. The analysis method according to any one of claims 1 to 3, wherein the analyzing and processing the host behavior event by the data analysis system to obtain a corresponding analysis result comprises:
and analyzing and processing the host behavior event by utilizing at least one analysis engine in the data analysis system to obtain a corresponding analysis result.
5. The analysis method according to claim 4, wherein the analyzing and processing the host behavior event by using at least one analysis engine in the data analysis system to obtain a corresponding analysis result comprises:
detecting attack behaviors in the host behavior event by using an IOC scanning engine to obtain an attack analysis result; and/or detecting the threat behavior in the host behavior event by utilizing a behavior state learning engine to obtain a threat analysis result.
6. The analysis method according to claim 5, wherein if the attack analysis result indicates that there is an attack behavior in the host behavior event, or if the threat analysis result indicates that there is a threat behavior in the host behavior event, the analysis method further comprises:
and determining an attacker corresponding to the attack behavior through an event tracing engine.
7. The analysis method according to claim 5, wherein if the attack analysis result indicates that there is an attack behavior in the host behavior event, or if the threat analysis result indicates that there is a threat behavior in the host behavior event, the analysis method further comprises:
generating a security policy corresponding to the attack/threat behavior using a security rules engine;
and issuing the security policy to the kernel monitoring acquisition module and/or the user mode hook event acquisition module through a security handling engine, so as to execute the operation corresponding to the security policy through the kernel monitoring acquisition module and/or the user mode hook event acquisition module.
8. An apparatus for analyzing host behavior data, comprising:
the acquisition module is used for acquiring behavior data of the host through a preset event monitoring module; the event monitoring module comprises: the system comprises a kernel monitoring acquisition module, an ETW event acquisition module and a user mode hook event acquisition module;
the processing module is used for carrying out standardized processing on the behavior data and generating a corresponding host behavior event;
and the analysis module is used for sending the host behavior event to a data analysis system, and analyzing and processing the host behavior event through the data analysis system to obtain a corresponding analysis result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method of analyzing host behavior data according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method of analyzing host behavior data according to any one of claims 1 to 7.
CN202110121714.8A 2021-01-28 2021-01-28 Method, device, equipment and storage medium for analyzing host behavior data Pending CN112784268A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110121714.8A CN112784268A (en) 2021-01-28 2021-01-28 Method, device, equipment and storage medium for analyzing host behavior data


Publications (1)

Publication Number Publication Date
CN112784268A true CN112784268A (en) 2021-05-11

Family

ID=75759594


Country Status (1)

Country Link
CN (1) CN112784268A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457958A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Cloud computing network server inner core safe access method
CN109033828A (en) * 2018-07-25 2018-12-18 山东省计算中心(国家超级计算济南中心) A Trojan detection method based on computer memory analysis technology
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘剑; 苏璞睿; 杨珉; 和亮; 张源; 朱雪阳; 林惠民: "Survey of Software and Network Security Research" (软件与网络安全研究综述), 软件学报 (Journal of Software) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113297577B (en) * 2021-06-16 2024-05-28 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113641991A (en) * 2021-07-21 2021-11-12 的卢技术有限公司 Automobile safety audit method and system
CN115460066A (en) * 2022-10-26 2022-12-09 北京安帝科技有限公司 Edge aggregation probe device and method for industrial host behavior data
CN115460066B (en) * 2022-10-26 2023-01-03 北京安帝科技有限公司 Edge aggregation probe device and method for industrial host behavior data


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination