CN101068168A - Main machine invading detecting method and system - Google Patents
Publication number: CN101068168A (application CN 200710098609)
Authority: CN (China)
Prior art keywords: behavior, rule, host, event, control end
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification: Computer And Data Communications (AREA)
Abstract
A host intrusion detection method correlates intrusions with abnormal behaviour on the host and defines the response to each. The deployment model supports multi-level cascading so that it can adapt to complex network environments. The mode of operation defines how the administrator interacts with the intrusion detection system and the characteristics of the system's operation.
Description
Technical field
The present invention relates to the core technologies of a Host Intrusion Detection System (HIDS), one of the staple products of network security, and of its method: rule definition, response handling and self-protection. It belongs to the field of networking technology.
Background technology
A HIDS is installed on the protected host, analyses the behaviour of the host on which it resides, and monitors and responds to security incidents in real time. Current HIDS generally lack a flexible rule base and active handling once intrusion behaviour is found; small rule coverage and incomplete extraction of intrusion features are common.
Summary of the invention
The purpose of the invention is to provide a host intrusion detection method and system: to design a uniform rule definition method that monitors host behaviour more comprehensively, to define the abnormal host behaviour that network intrusions cause, to handle such phenomena appropriately when they are found and produce useful alert messages, and to let the computer respond automatically according to the rules.
The technical solution adopted by the invention is as follows:
A HIDS. The system comprises one or more Windows hosts on which a control end is deployed, one or more Windows hosts on which an engine is deployed, network access devices, and so on. It is characterised in that the control ends form a hierarchical deployment in which only one host carries the master control end; all engines accept control from a control end and feed alert messages back to it; and rule matching takes place on the engine side.
A host intrusion detection method, characterised in that, on the basis of intercepting host behaviour, it looks for the correlation between host behaviour and intrusion behaviour and, according to the rule definitions, produces alerts and other specified actions. The method comprises the following steps:
Step 1: define rules;
Step 2: apply the rules at the control centre, whereupon they are automatically issued to and applied on all host engines;
Step 3: update the rule base by adding, changing and retiring rules as intrusion behaviour evolves.
A host intrusion detection method covering rule definition, deployment and mode of operation. Rule definition associates an intrusion with abnormal behaviour on the host and defines the response. Deployment supports multi-level cascading and can adapt to complex network environments. The mode of operation defines how the administrator interacts with the intrusion detection system and the characteristics of the system's operation.
The beneficial effects of the invention are as follows:
1. Event variables have wide coverage and capture more comprehensively the traces an intrusion leaves on the system.
2. Behaviour flags are tightly associated with event variables and clearly show the behaviour of subjects in the system.
3. The rule base updates flexibly; updates can be completed smoothly at run time with little impact on the host's main business.
4. More flexible response modes are provided, giving some self-defence capability against malicious behaviour.
5. Events are merged and summarised, so redundant alerts do not impair the validity of the results.
6. The system has self-protection capability.
Description of drawings
Fig. 1: block diagram of the entire system.
Embodiment
Embodiment 1: host intrusion detection method. A security professional defines intrusion behaviours to form the event rule base; the HIDS monitors the host on which it resides and, according to the event base, discovers and handles abnormal behaviour. The method comprises the following steps:
(1) Define event rules: abnormal conditions can be defined for the registry, file system, log system, network driver and critical applications of the host system.
(2) Define event response rules: for each anomaly defined in the event rules, one of seven response modes is provided: alert only, log only, block only, alert + log, log + block, alert + block, alert + log + block.
(3) The host engine captures abnormal host behaviour and handles it automatically according to the defined events and response rules, and automatically summarises redundant information.
Host events specifically cover the following:
1. Specific operations on registry keys and values: create, modify, delete, rename.
2. File system create, modify, delete.
3. Dangerous behaviour that produces system log entries, such as the administrator password being changed or a new administrator account being created.
4. SQL Server database behaviour that produces system log entries, such as adding a new database administrator.
5. IIS behaviour that produces system log entries, such as use of an unauthenticated ActiveX control.
6. Network behaviour with clear features, such as a large volume of DNS (domain name resolution) activity on a host that has never been configured for name resolution.
A rule definition has two major parts: the event variable and the behaviour flag.
The event variable must contain five elements: event name, event ID (the unique identifier of the event), event category ID (the unique identifier of the event category), a condition that can be described with logical operators, and a textual description of the event.
The behaviour flag denotes the behaviour that is meaningful for the event object; it varies with the category of the event variable.
For an anomaly detected in the system it is common that one source causes repeated alerts. The system therefore defines the concepts of "event" and "secondary event" to control this: when a rule is defined, a summarising method with "time of occurrence" and "number of repetitions" as its conditions is provided. When the condition is triggered, an "event" generates a "secondary event"; "events" that are similar in any respect are merged and are not repeated.
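The merging of repeated alerts into a secondary event, as an added example that is not the patent's own code: alerts carrying the same event ID from the same source are grouped by time of occurrence, and a group that reaches the repetition count inside the window becomes one secondary event instead of many alerts. The window length, the threshold, the `Alert` fields and the sample alerts are assumptions.

```python
"""Added example (not the patent's own code): merge repeated alerts into a
'secondary event' by time of occurrence and number of repetitions. The
window, threshold, field names and sample alerts are assumptions."""
from dataclasses import dataclass


@dataclass
class Alert:
    """One 'event' raised by the engine when a rule matched."""
    event_id: int
    source: str      # what caused it, e.g. the subject process or host
    ts: float        # time of occurrence, in seconds


@dataclass
class SecondaryEvent:
    """Summary of similar alerts from one source inside one window."""
    event_id: int
    source: str
    first_ts: float
    last_ts: float
    count: int = 1


def group_alerts(alerts, window_s):
    """Collapse alerts with the same (event_id, source) whose occurrences fall
    within window_s seconds of the group's first alert into one group."""
    open_groups = {}
    groups = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.event_id, a.source)
        g = open_groups.get(key)
        if g is not None and a.ts - g.first_ts <= window_s:
            g.count += 1
            g.last_ts = a.ts
        else:   # first alert from this source, or the window expired: new group
            g = SecondaryEvent(a.event_id, a.source, a.ts, a.ts)
            open_groups[key] = g
            groups.append(g)
    return groups


def summarise(alerts, window_s, repetitions):
    """Apply the summarising condition of the rule: a group that reaches the
    repetition count inside the window becomes a secondary event, the rest
    stay plain alerts. Returns (secondary_events, plain_alerts)."""
    secondary, plain = [], []
    for g in group_alerts(alerts, window_s):
        (secondary if g.count >= repetitions else plain).append(g)
    return secondary, plain


# Constructed alerts (not captured data): rule 1001 fires five times from one
# process, four of them within twelve seconds, plus one unrelated alert.
SAMPLE_ALERTS = [
    Alert(1001, "svc.exe", 0.0), Alert(1001, "svc.exe", 5.0),
    Alert(3001, "net.exe", 7.0),
    Alert(1001, "svc.exe", 10.0), Alert(1001, "svc.exe", 12.0),
    Alert(1001, "svc.exe", 300.0),
]

if __name__ == "__main__":
    sec, plain = summarise(SAMPLE_ALERTS, window_s=60, repetitions=3)
    for s in sec:
        print(f"secondary event: rule {s.event_id} from {s.source} x{s.count} "
              f"between t={s.first_ts} and t={s.last_ts}")
    print(f"{len(plain)} alert(s) reported individually")
```

With a 60-second window and a threshold of three repetitions, the four alerts at t=0 to t=12 collapse into one secondary event, while the alert at t=300 falls outside the window and is reported on its own; the window is anchored to the first alert of the group so that a slow, continuous trickle cannot keep one group open indefinitely.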
The system uses kernel monitoring technology to guarantee the safety of its own process and of the monitoring results. When the process is found to have been stopped by a person, this harmful act is reported when the process restarts. When the monitoring results are found to have been tampered with illegitimately, the act is stopped and reported.
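The patent states that tampering with the monitoring results is detected and reported but does not say how. One way to make the engine's alert record tamper-evident, added here as an example and not the patent's own mechanism: an HMAC hash chain over the records, with the latest chain head reported to the control end. The key, the record layout and the sample records are assumptions; the key is assumed to be held somewhere the host's administrator cannot read it (the control end, or a kernel-protected store), since whoever holds it can rebuild the chain.

```python
"""Added example (not the patent's own code): a tamper-evident record of
monitoring results as an HMAC hash chain. Key, record layout and sample
records are assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # link value before the first record


def _mac(key: bytes, prev_mac: str, record: dict) -> str:
    """MAC over the previous link and the canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, record: dict) -> str:
    """Append a monitoring result; returns the new chain head to report upstream."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"record": record, "mac": _mac(key, prev, record)}
    chain.append(entry)
    return entry["mac"]


def verify_chain(chain: list, key: bytes, expected_head: str = None) -> int:
    """Return -1 if every link verifies, otherwise the index of the first bad
    entry. A modified or deleted entry breaks the link after it. Deleting the
    tail leaves a valid shorter chain, which is only caught by comparing the
    head the control end last received; that case returns len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(chain)
    return -1


def demo(key: bytes = b"engine-key-held-by-control-end") -> dict:
    """Build a three-record chain from constructed records and show which
    tampering attempts verify_chain catches."""
    chain = []
    head = None
    for rec in [
        {"ts": 100, "event_id": 1001, "subject": "svc.exe"},
        {"ts": 105, "event_id": 3001, "subject": "net.exe"},
        {"ts": 110, "event_id": 6001, "subject": "w3wp.exe"},
    ]:
        head = append_record(chain, key, rec)

    # An attacker rewrites the second record, drops it, or cuts off the tail.
    modified = [dict(e) for e in chain]
    modified[1] = {"record": dict(chain[1]["record"], subject="explorer.exe"),
                   "mac": chain[1]["mac"]}
    deleted = [chain[0], chain[2]]
    truncated = chain[:2]

    return {
        "intact": verify_chain(chain, key, head),
        "modified": verify_chain(modified, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_without_head": verify_chain(truncated, key),
        "truncated_with_head": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    print(demo())
```

The engine reports the chain head with every alert it sends upstream, so the control end can verify the record it is shown later against a head it received before the tampering happened; without that out-of-band head, truncation of the tail is invisible to the chain itself.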
The rule definition base of the typical HIDS described here is updated according to the life cycle of an intrusion behaviour. A specific intrusion method goes from its first appearance, through propagation, to analysis and the production of a corresponding patch; understanding of its behaviour rules deepens continually until every system that could be attacked by this method has been patched or retired, at which point the event definitions associated with the method lose their meaning and need to be removed from the event base.
As shown in Fig. 1, the steps are as follows:
Step 1: read the host event rules, then go to Step 3;
Step 2: record host behaviour within the monitoring scope, then go to Step 3;
Step 3: match the observed host behaviour against the event rules;
Step 4: decide whether there is a match; if not, return to Step 3; if so, go to Step 5;
Step 5: handle according to the requirements of the event rule; return to Step 3.
Embodiment 2:
A HIDS whose monitored behaviour objects comprise:
1. registry keys and values;
2. files and directories;
3. dangerous system administration behaviour;
4. noteworthy SQL Server (Microsoft's principal relational database) database operations;
5. noteworthy IIS (Microsoft's Internet Information Server) behaviour;
6. irregular network access.
A HIDS that can merge and summarise alert messages according to "time" and "degree of repetition", and that can monitor tampering with its own process and monitoring results.
Claims (8)
1. A host intrusion detection method, characterised in that, on the basis of intercepting host behaviour, it looks for the correlation between host behaviour and intrusion behaviour and, according to the rule definitions, produces alerts and other specified actions;
the method comprising the following steps:
Step 1: define rules;
Step 2: apply the rules at the control centre, whereupon they are automatically issued to and applied on all host engines;
Step 3: update the rule base by adding, changing and retiring rules as intrusion behaviour evolves.
2. The host intrusion detection method according to claim 1, characterised in that defining rules comprises the following steps:
(1) defining event rules: abnormal conditions can be defined for the registry, file system, log system, network driver and critical applications of the host system;
(2) defining event response rules: for each anomaly defined in the event rules, one of seven response modes is provided: alert only, log only, block only, alert + log, log + block, alert + block, alert + log + block.
3. The host intrusion detection method according to claims 1 and 2, characterised in that a rule definition has two major parts, the event variable and the behaviour flag;
the event variable must contain five elements: event name, event ID, event category ID, a condition that can be described with logical operators, and a textual description of the event;
the behaviour flag denotes the behaviour meaningful for the event object and varies with the category of the event variable.
4. The host intrusion detection method according to claim 1, characterised in that alert messages are merged and summarised according to "time" and "degree of repetition".
5. The host intrusion detection method according to claim 1, characterised in that it monitors tampering with its own process and monitoring results.
6. A HIDS for the detection method according to claim 1, the system comprising one or more Windows hosts on which a control end is deployed, one or more Windows hosts on which an engine is deployed, network access devices, and so on, characterised in that the control ends form a hierarchical deployment in which only one host carries the master control end; all engines accept control from a control end and feed alert messages back to it; and rule matching takes place on the engine side.
7. A HIDS for the detection method according to claim 3, the system comprising one or more Windows hosts on which a control end is deployed, one or more Windows hosts on which an engine is deployed, network access devices, and so on, characterised in that the control ends form a hierarchical deployment in which only one host carries the master control end; all engines accept control from a control end and feed alert messages back to it; and rule matching takes place on the engine side.
8. The HIDS according to claim 6, characterised in that the monitored behaviour objects comprise:
1) registry keys and values;
2) files and directories;
3) dangerous system administration behaviour;
4) noteworthy SQL Server database operations;
5) noteworthy IIS behaviour;
6) irregular network access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN 200710098609 (CN101068168A) | 2007-04-23 | 2007-04-23 | Main machine invading detecting method and system
Publications (1)
Publication Number | Publication Date
---|---
CN101068168A | 2007-11-07
Family ID: 38880612
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status
---|---|---|---|---
CN 200710098609 (CN101068168A) | Main machine invading detecting method and system | 2007-04-23 | 2007-04-23 | Pending
Country Status (1)
Country | Link
---|---
CN | CN101068168A
Events
- 2007-04-23: application CN 200710098609 filed in CN (publication CN101068168A); status Pending
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN102025739B | 2010-12-14 | 2013-06-19 | 汉柏科技有限公司 | Multidimensional protocol identification method based on host behavior
CN102025739A | 2010-12-14 | 2011-04-20 | 汉柏科技有限公司 | Multidimensional protocol identification method based on host behavior
CN103605592A | 2013-11-29 | 2014-02-26 | 中国航空工业集团公司第六三一研究所 | Mechanism of detecting malfunctions of distributed computer system
CN103984902B | 2014-05-26 | 2017-06-30 | 中电长城网际系统应用有限公司 | Method and system for identifying newly added data assets
CN105208009A | 2015-08-27 | 2015-12-30 | 腾讯科技(深圳)有限公司 | Safety detection method and apparatus of account number
CN105512561B | 2015-12-02 | 2018-11-23 | 北京安信天行科技有限公司 | Safety detection method and device for network host information
CN105512561A | 2015-12-02 | 2016-04-20 | 北京安信天行科技有限公司 | Network host information safety detection method and device
CN114070611A | 2018-03-23 | 2022-02-18 | Juniper Networks, Inc. | Enforcing threat policy actions based on network addresses of host threats
US11979415B2 | 2018-03-23 | 2024-05-07 | Juniper Networks, Inc. | Enforcing threat policy actions based on network addresses of host threats
CN110457468A | 2019-07-05 | 2019-11-15 | 武楚荷 | Event classification method, device and storage device
CN110457468B | 2019-07-05 | 2022-08-23 | 武楚荷 | Event classification method and device and storage device
CN115102706A | 2022-04-27 | 2022-09-23 | 麦格纳斯太尔汽车技术(上海)有限公司 | HOST-IDS safety detection system and method for vehicle ECU
CN115102706B | 2022-04-27 | 2023-10-20 | 麦格纳斯太尔汽车技术(上海)有限公司 | HOST-IDS safety detection system and method of vehicle ECU
Similar Documents
Publication | Title
---|---
CN101068168A | Main machine invading detecting method and system
CN113515433B | Alarm log processing method, device, equipment and storage medium
CN102160048B | Collecting and analyzing malware data
US10354066B2 | Retention and accessibility of data characterizing events on an endpoint computer
EP3616115B1 | Endpoint detection and response system event characterization data transfer
CA2629279C | Log collection, structuring and processing
CN1841397A | Aggregating the knowledge base of computer systems to proactively protect a computer from malware
CN1885794A | System and method for identifying and preventing malicious intrusions
CN112134877A | Network threat detection method, device, equipment and storage medium
CN102902928A | Method and device for webpage integrity assurance
CN1588889A | Abnormal detection method for user access activity in attached net storage device
CN112115482A | Big data-based data security monitoring system for protecting data
CN1282081C | Invasion detecting method
CN112416872A | Cloud platform log management system based on big data
CN113177205B | Malicious application detection system and method
KR101031786B1 | Malicious code prevention apparatus and method using level classification of suspicious behavior and isolated execution, and computer-readable medium storing program for method thereof
CN101719846A | Security monitoring method, device and system
CN113034028A | Responsibility traceability confirmation system
CN114928462A | Web safety protection method based on user behavior recognition
CN108900505B | Cluster audit management and control method based on block chain technology
CN112600828B | Attack detection and protection method and device for power control system based on data message
CN1707383A | Method for analysing and blocking computer virus through process and system trace
CN101252578B | Host computer intrude detecting method decomposed based on inherent subsequence mode
CN111726355A | Network security situation perception system based on big data
CN115361182B | Botnet behavior analysis method, device, electronic equipment and medium
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C12 | Rejection of a patent application after its publication |
RJ01 | Rejection of invention patent application after publication | Open date: 2007-11-07