CN109040136A - A kind of detection method and electronic equipment of network attack - Google Patents


Info

Publication number: CN109040136A
Authority: CN (China)
Prior art keywords: program, operating system, behavior record, detected, rule
Legal status: Pending
Application number: CN201811152350.4A
Other languages: Chinese (zh)
Inventors: 戚建飞, 鲁俊, 梁宇, 朱梦宇
Current Assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Original Assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Application filed by Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Priority to CN201811152350.4A
Publication of CN109040136A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

An embodiment of the present invention provides a detection method and electronic device for network attacks, in the field of network security. The embodiment can use the behavior records of known malicious programs to detect unknown malicious programs in an operating system. The method comprises: obtaining the behavior record of a program to be detected in the operating system; and determining, according to that behavior record, whether the program to be detected is a suspect program. The invention is applied to detecting network attacks.

Description

A kind of detection method and electronic equipment of network attack
Technical field
The present invention relates to the field of network security, and in particular to a detection method and electronic device for network attacks.
Background technique
With the development of social informatization, the internet has penetrated every aspect of social life. Along with this, problems such as malware and malicious attacks in the network pose a great threat to network security. To guarantee network security, the prior art generally detects virus files by checking the hash value of a file, and then removes them.
With respect to the above prior art, the inventors found that this detection method only decides on an isolated object, namely the virus file itself, so the decision process lacks context and can only detect known attacks. As soon as an attacker slightly modifies certain parameters of the attack, for example by producing a virus variant, the hash value of the attack file changes and the existing detection method fails. A method capable of detecting unknown attacks is therefore urgently needed.
Summary of the invention
The present invention provides a detection method and electronic device for network attacks that can use the behavior records of known malicious programs to detect unknown malicious programs in an operating system.
To achieve the above objective, the embodiments of the present invention adopt the following technical scheme.
In a first aspect, an embodiment of the present invention provides a detection method for network attacks, comprising: obtaining the behavior record of a program to be detected in an operating system; and determining, according to that behavior record, whether the program to be detected is a suspect program.
Optionally, determining whether the program to be detected is a suspect program according to its behavior record in the operating system specifically comprises: comparing the behavior record of the program to be detected in the operating system with the behavior records in a rule base and, if they match, determining that the program to be detected is a suspect program; wherein the rule base contains the behavior record of at least one malicious program in the operating system.
Optionally, before comparing the behavior record of the program to be detected with the behavior records in the rule base, the method further comprises: generating at least one OpenIOC rule according to the behavior record of at least one malicious program in the operating system, and saving the at least one OpenIOC rule into an OpenIOC rule base. Comparing the behavior record of the program to be detected with the behavior records in the rule base, and determining that the program to be detected is a suspect program if they match, then specifically comprises: converting the at least one OpenIOC rule into a Structured Query Language (SQL) query statement; using the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system; and, if it matches, determining that the program to be detected is a suspect program.
Optionally, obtaining the behavior record of the program to be detected in the operating system specifically comprises: obtaining a system snapshot of the operating system, and obtaining the behavior record of the program to be detected from that system snapshot.
In a second aspect, an embodiment of the present invention provides an electronic device comprising: an acquiring unit for obtaining the behavior record of a program to be detected in an operating system; and a determination unit for determining, according to that behavior record, whether the program to be detected is a suspect program.
Optionally, the determination unit is specifically configured to compare the behavior record of the program to be detected in the operating system with the behavior records in a rule base and, if they match, to determine that the program to be detected is a suspect program; wherein the rule base contains the behavior record of at least one malicious program in the operating system.
Optionally, the electronic device further comprises a rule generating unit, configured to generate at least one OpenIOC rule according to the behavior record of at least one malicious program in the operating system and to save the at least one OpenIOC rule into an OpenIOC rule base, before the determination unit compares the behavior record of the program to be detected with the behavior records in the rule base. The determination unit is then specifically configured to convert the at least one OpenIOC rule into an SQL query statement, to use the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system, and to determine that the program to be detected is a suspect program if it matches.
Optionally, the acquiring unit is specifically configured to obtain a system snapshot of the operating system and to obtain the behavior record of the program to be detected in the operating system from that system snapshot.
In a third aspect, an embodiment of the present invention also provides an electronic device characterized by comprising a processor, a memory, a bus and a communication interface. The memory stores computer-executable instructions and the processor is connected to the memory through the bus; when the electronic device runs, the processor executes the computer-executable instructions stored in the memory, so that the electronic device performs the detection method for network attacks provided by the first aspect.
In a fourth aspect, an embodiment of the present invention also provides a computer storage medium characterized by comprising instructions which, when run on an electronic device, cause the electronic device to perform the detection method for network attacks provided by the first aspect.
The embodiments of the present invention rely on the principle that, although contents such as the specific code of a malicious program may change when it mutates, the behavior record of the malicious program, in other words its threat behavior chain, usually does not change. They therefore propose a method that determines whether a program to be detected is a suspect program according to its behavior record in the operating system. In this way, even if a hacker modifies the code so that the hash value of the malicious file changes and the virus signature becomes entirely ineffective, the threat behavior chain will not easily change. With the detection method provided by the present invention, we can therefore capture not only known threats but also unknown, potential threats.
Brief description of the drawings
In order to explain more clearly the embodiments of the present invention or the technical solutions in the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is an example of detecting a malicious program using a hash value;
Fig. 2 is an example of detecting a malicious program using STIX;
Fig. 3 is a flow diagram of the operations performed by a malicious program;
Fig. 4 is a flow diagram of a detection method for network attacks provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of an OpenIOC interpreter;
Fig. 6 is a structural diagram of an OpenIOC interpreter provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of an OpenIOC processing module provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of an electronic device provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of an electronic device provided by an embodiment of the present invention;
Fig. 10 is a structural diagram of an electronic device provided by an embodiment of the present invention.
Specific embodiment
The embodiments of the present invention are described below with reference to the accompanying drawings.
The embodiments of the present invention apply to the scenario of detecting network attacks, and specifically to organizations such as enterprises and governments, where they detect the advanced-threat network attacks to which electronic devices within the organization may be subjected.
First, the technical terms used in the embodiments of the present invention are explained as follows:
Advanced threat: APT (Advanced Persistent Threat). A form of attack that uses advanced attack techniques to conduct a long-lasting network attack against a specific target. The principle of an advanced-threat attack is more advanced than that of other attack forms, and its advanced nature is mainly reflected in the fact that, before launching the attack, the attacker needs to collect precise information about the business processes and target systems of the attack target. During this collection, the attack may actively dig out vulnerabilities in the systems and applications trusted by the target, use those vulnerabilities to set up the network the attacker needs, and attack using 0-day vulnerabilities.
Indicator of compromise: IOC (Indicator of Compromise). Technical indicators, defined by MANDIANT (a well-known American network security company) in its long-term digital forensics practice, that reflect host or network behavior. OpenIOC is a standard for sharing threat intelligence; by following it we can build logical groups of IOCs and exchange threat information, for example an incident response team can use the OpenIOC specification to write multiple IOCs describing the technical commonalities of one threat.
The inventive concept of the present invention is introduced below:
As described in the background art, the prior art generally checks whether the hash value of a file matches the hash value of a known threat's virus file, in order to search an electronic device for known threats that may be present. The prior art also queries an online reputation database and uses the information in that database for scanning and removal, which has the same effect as using hash values: it can only detect and remove known virus files. In addition, some newer vendors currently attempt to use novel artificial intelligence and machine learning techniques for the decision, but this method still decides on an isolated object, so the decision process also lacks context, and none of the above methods can effectively detect unknown threats.
For example, when detecting with hash values, an OpenIOC rule can be used to find the program that links to the known malicious website supnewdmn.com and obtain the sha1 value of that process; the sha1 value then quickly locates the malicious program, as shown in Fig. 1. Although this mechanism provides information about the behavior of the threat, the information it can provide is too simple: as soon as the attacker changes the website name, the OpenIOC rule fails and even the known threat can no longer be detected, let alone locating and confirming unknown threats. Moreover, an existing OpenIOC rule cannot confirm at all whether the parent process that invoked it exists, that is, it cannot locate and confirm unknown threats, which is the critical defect of existing OpenIOC rules.
As another example, as shown in Fig. 2, when detecting threats with STIX (Structured Threat Information eXpression), since STIX works on the same principle as OpenIOC, known threats are found through defined rules; as soon as the attacker slightly modifies the threat, it may be regarded as an unknown threat and can no longer be located and confirmed.
In addition, when facing an advanced persistent threat (APT) network attack, the attack targets a specific object and actively digs out vulnerabilities in the systems and applications trusted by the target. Even if an anti-virus vendor responds to the discovered virus after the APT is found, for example by generating a virus signature from the hash value of the APT's virus file in order to remove the virus, the author of the APT may only need to modify one line of code to invalidate that signature: because the signature depends on the hash value of the virus file, the hash changes as soon as the file is modified, the previous signature can no longer detect the newly generated virus file of the advanced-threat attack, and the hacker can easily re-enter the customer's network and launch a new round of advanced-threat attacks on the customer's computer network. It can therefore be seen that the protective effect of existing network attack detection methods against APT attacks is unsatisfactory.
Based on the above, the inventors found that, to avoid being easily discovered, the programs of many advanced-threat attacks now often use system processes inside the operating system, for example explorer.exe, svchost.exe or iexplorer.exe, to perform malicious operations, while the network attack program itself performs only a few operations. Through study, the inventors found that each network attack usually has a fixed threat behavior chain in its activity, just as a criminal who enters a victim's home to commit a crime may change clothing and appearance, but the procedure of how to enter the home and how to commit the crime generally does not change. For example, every network attack has a starting process, which we call the starting point. The starting point injects malicious code into what is called link target B, which is often an operating system process such as Svchost.exe or system.exe. First we receive the event that starting point A injects into link target B, then the event that link target B releases malicious code C, and after a while the event that link target B connects to a C&C hacker server. These three events share the same object B, and through that shared object B we can associate all three events, which forms a threat behavior chain, as shown in Fig. 3.
The inventors therefore considered that the behavior chain of a program at runtime can be used to judge whether the program is a suspect program, and then to perform operations such as the corresponding cleanup on the program, thereby achieving the detection and removal of unknown attacks.
Embodiment one:
Based on the above inventive concept, an embodiment of the present invention provides a detection method for network attacks. As shown in Fig. 4, the method comprises:
S101: collecting the behavior records of malicious programs in the operating system.
Specifically, the threat intelligence of a large number of malicious programs can be obtained by purchase or other means. Each piece of threat intelligence is then classified, summarized and generalized, and expressed in the active grammar and passive grammar described below, which generates the behavior record of the malicious program in the operating system, also called its threat behavior chain. Alternatively, the behavior of a malicious program can be captured: after obtaining a sample of the threat, the behavior of the malicious program is recorded with a tool such as Process Monitor. After recording, the collected information needs to be filtered and analyzed to extract the behavior records that contain the active and passive grammar.
Specifically, taking OpenIOC rules as an example, a rule generally includes the following grammar:
Indicator type: defines whether the rule is an extended OpenIOC rule, that is, whether it is used to detect potential security threat events. If the value is unknowthreat, the rule is an extended OpenIOC rule for detecting potential security threat events.
Indicator operator: an unknown threat usually includes multiple threat indicators; this part defines whether all of them must be satisfied (an AND relationship) or whether satisfying any one of them is enough (an OR relationship).
Context Search: defines the scope of the search, that is, the locations in the operating system that need to be searched, such as the file system, registry and network parameters. Using context search reduces the search scope, speeds up the search and improves its performance.
Content type: defines the object to be searched for within the search scope defined above.
Action: defines the concrete action of the malicious program in the customer's operating system. Extended IOC rules support the description of actual unknown threat events. Attack behavior can be classified as active or passive, with the following common grammar and rules:
Active grammar generally includes: Inject, Create, Access, Delete, Query, Connect, Drop;
Passive grammar generally includes: InjectedBy, CreatedBy, AccessedBy, DeletedBy.
For example, suppose a malicious program produces three events: (1) malicious program A.exe injects a string of malicious code into the operating system process Svchost.exe; (2) the Svchost.exe process deliberately drops a program that protects the malicious code; (3) Svchost.exe connects to a C&C (command and control) server. We can then record the behavior record of malicious program A.exe using the active and passive grammar defined above. Every malicious program or threat, when executed, has a starting process followed by subsequent processes; for example, the starting malicious program injects malicious code into what is called link target B, which is often an operating system process such as Svchost.exe or system.exe. First we receive the event that starting point A injects into link target B, then the event that link target B releases malicious code C, and after a while the event that link target B connects to the C&C hacker server. These three events share the same object B, and through that shared object B we can associate all three events, which forms a threat behavior chain. We can therefore also regard the behavior record of a malicious program as a threat behavior chain.
It should be noted that the behavior record or threat behavior chain of a malicious program mentioned in the embodiments generally includes the operations performed by the malicious program itself, such as certain active behaviors it executes, and may also include operations performed by other programs that the malicious program uses, such as the passive behaviors of certain system processes that are exploited. What is recorded in the behavior record is therefore not limited to the behavior of the malicious program, but also includes the behavior of other processes and programs controlled by it. The present invention imposes no restriction in this regard.
S102: saving the collected behavior records of malicious programs into a rule base.
Specifically, in one implementation, we can use the OpenIOC mechanism and save the behavior records of malicious programs into the OpenIOC rule base by adding extended OpenIOC rules.
Step S102 can therefore specifically include:
S1021: generating corresponding OpenIOC rules according to the collected behavior record of at least one malicious program in the operating system.
For example, the active and passive grammar defined above can be used to describe the behavior record of a malicious program in a computer-readable xml document. Starting point A injecting into link target B is described with the active grammar Inject; link target B releasing malicious code C is described with the active grammar Drop; link target B connecting to the C&C hacker server is described with the active grammar Connect. An OpenIOC rule is thus generated.
S1022: saving the at least one generated OpenIOC rule into the OpenIOC rule base.
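The recording and chaining of steps S101 to S1021, as an added example that is not the patent's own code: observed events are written in the active/passive grammar, linked into a threat behavior chain through the shared object B, and generalized into rule items for an extended rule. The events are constructed, and the $A/$B variable names for the chain's objects are an assumption of this example.

```python
# Added example (not code from the patent): express recorded events in the
# active/passive grammar, link them into a threat behavior chain through the
# shared object, and turn the chain into rule items for an extended OpenIOC
# rule. All event data is constructed; variable names ($A, $B, ...) are assumed.
from dataclasses import dataclass

# Passive counterpart of each active verb as listed on the page; Query, Connect
# and Drop have no passive form there, so they map to None.
PASSIVE_OF = {"Inject": "InjectedBy", "Create": "CreatedBy",
              "Access": "AccessedBy", "Delete": "DeletedBy",
              "Query": None, "Connect": None, "Drop": None}


@dataclass(frozen=True)
class Event:
    seq: int      # observation order
    actor: str    # process performing the action
    action: str   # active-grammar verb
    target: str   # object acted upon (process, file or remote server)


def to_records(events):
    """One active record per event, plus the passive record seen from the
    target's side where the grammar defines one."""
    records = []
    for e in events:
        records.append((e.actor, e.action, e.target))
        passive = PASSIVE_OF.get(e.action)
        if passive:
            records.append((e.target, passive, e.actor))
    return records


def build_chain(events, start):
    """Follow the chain from the starting point: an event joins the chain when
    its actor is an object the chain has already reached (the shared object)."""
    reached, chain = {start}, []
    for e in sorted(events, key=lambda ev: ev.seq):
        if e.actor in reached:
            chain.append(e)
            reached.add(e.target)
    return chain


def chain_to_rule_items(chain):
    """Generalize a chain into rule items: each distinct object becomes a
    variable ($A, $B, ...) so the rule matches the behavior, not file names."""
    names = {}

    def var(obj):
        if obj not in names:
            names[obj] = "$" + chr(ord("A") + len(names))
        return names[obj]

    return [(e.action, var(e.actor), var(e.target)) for e in chain]


# Constructed events matching Fig. 3, plus unrelated activity that must not join.
SAMPLE_EVENTS = [
    Event(1, "A.exe", "Inject", "Svchost.exe"),
    Event(2, "notepad.exe", "Create", "notes.txt"),
    Event(3, "Svchost.exe", "Drop", "C.exe"),
    Event(4, "Svchost.exe", "Connect", "cc.example"),  # placeholder C&C host
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, "A.exe")
    for rec in to_records(chain):
        print(rec)
    print(chain_to_rule_items(chain))
```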
S103: obtaining the behavior record of the program to be detected in the operating system.
Specifically, a system snapshot of the operating system can be obtained, from which the behavior record of each application in the operating system is retrieved, so that the behavior record of the program to be detected in the operating system is obtained from the system snapshot.
S104: determining, according to the behavior record of the program to be detected in the operating system, whether the program to be detected is a suspect program.
Specifically, the behavior records of malicious programs in the operating system saved in the rule base generated in step S102 can be used to determine whether the program to be detected is a suspect program. Step S104 can then specifically include:
Comparing the behavior record of the program to be detected in the operating system with the behavior records in the rule base. If they match, the program to be detected is determined to be a suspect program; wherein the rule base contains the behavior record of at least one malicious program in the operating system.
Further, when the OpenIOC mechanism is used and the behavior records of malicious programs are saved into the OpenIOC rule base by adding extended OpenIOC rules, step S104 specifically includes:
S1041: converting the at least one OpenIOC rule in the OpenIOC rule base, generated from the behavior record of at least one malicious program in the operating system, into an SQL (Structured Query Language) query statement.
S1042: using the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system, and determining that the program to be detected is a suspect program if it matches.
Specifically, as shown in Fig. 5, a traditional OpenIOC interpreter works as follows: the storage module stores single-factor OpenIOC rules; the OpenIOC conversion module converts the OpenIOC rules into SQL query statements; the query module then uses these query statements to query the previously prepared system snapshot; if a matching record is found, the logging module records it, and the report generation module finally produces a report from the records of the logging module.
To support the OpenIOC rules generated in the embodiments from the behavior records of malicious programs, we optimized and upgraded the original OpenIOC rules. In the OpenIOC interpreter provided by the embodiment, we first add a rule classification function. For the original single-factor rules we keep the previous rule storage scheme; for the correlation rules newly generated from malicious programs we establish a new storage mechanism that records the correlations and interactions between processes. Specifically, as shown in Fig. 6, the rule classification module stores each rule in the single-factor rule storage module or the correlation rule storage module according to its type. The OpenIOC conversion module then calls a different method according to the storage mechanism to convert the OpenIOC rule into the corresponding SQL query statement. The query module uses the SQL query statement to query the previously recorded snapshot of the operating system and find out whether a potential threat exists. If a threat exists, the logging module records it and the report generation module finally generates a report. Through this classified storage mechanism, the OpenIOC conversion module can apply a different conversion method depending on whether an OpenIOC rule is stored in the single-factor rule storage module or the correlation rule storage module, which realizes, through the OpenIOC mechanism, the detection of suspect programs using the behavior records of malicious programs.
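An added example (not the patent's code) of steps S1041 and S1042 together with the rule classification of Fig. 6: a rule in an extended OpenIOC-style XML layout is classified as single-factor or correlation, converted into a different SQL shape for each class, and run against a constructed system snapshot held in SQLite. The action/actor/target attributes and the $-variables on IndicatorItem are an assumed layout of this example, not the OpenIOC schema, and the snapshot rows are constructed.

```python
# Added example (not code from the patent): classify an extended OpenIOC-style
# rule, convert it to SQL and run it over a snapshot of behavior records.
# The XML attribute layout and the snapshot rows are assumptions of this example.
import sqlite3
import xml.etree.ElementTree as ET

# Constructed snapshot: (actor, action, target) behavior records of one host.
SNAPSHOT = [
    ("A.exe", "Inject", "Svchost.exe"),
    ("Svchost.exe", "Drop", "C.exe"),
    ("Svchost.exe", "Connect", "cc.example"),      # placeholder C&C host
    ("M.exe", "Inject", "explorer.exe"),           # lone injection, no chain
    ("notepad.exe", "Create", "notes.txt"),
    ("old.exe", "Connect", "supnewdmn.com"),       # the page's known bad site
]

# Correlation rule: the chain A -Inject-> B, B -Drop-> ?, B -Connect-> ?.
# Content constrains the item's target; $-names are variables shared across items.
CORRELATION_RULE = """<ioc id="chain-inject-drop-connect">
  <Indicator type="unknowthreat" operator="AND">
    <IndicatorItem action="Inject" actor="$A" target="$B">
      <Content type="string">Svchost.exe</Content>
    </IndicatorItem>
    <IndicatorItem action="Drop" actor="$B"/>
    <IndicatorItem action="Connect" actor="$B"/>
  </Indicator>
</ioc>"""

# Single-factor rule in the style of the page's Fig. 1 example.
SINGLE_FACTOR_RULE = """<ioc id="known-c2-site">
  <Indicator operator="OR">
    <IndicatorItem action="Connect" actor="$A">
      <Content type="string">supnewdmn.com</Content>
    </IndicatorItem>
  </Indicator>
</ioc>"""


def parse_rule(xml_text):
    root = ET.fromstring(xml_text)
    ind = root.find("Indicator")
    items = []
    for it in ind.findall("IndicatorItem"):
        content = it.find("Content")
        items.append({"action": it.get("action"), "actor": it.get("actor"),
                      "target": it.get("target"),
                      "content": content.text if content is not None else None})
    return {"id": root.get("id"), "operator": ind.get("operator", "OR"), "items": items}


def classify(rule):
    """Rule classification of Fig. 6: items that share a variable describe a
    correlation between processes; otherwise the rule is single-factor."""
    seen = set()
    for it in rule["items"]:
        for var in (it["actor"], it["target"]):
            if var and var.startswith("$"):
                if var in seen:
                    return "correlation"
                seen.add(var)
    return "single_factor"


def to_sql(rule):
    """Return (sql, params); the result column is the starting-point actor."""
    items = rule["items"]
    if classify(rule) == "single_factor":
        # Each item is one row; AND/OR over items becomes INTERSECT/UNION of actors.
        subqueries, params = [], []
        for it in items:
            q = "SELECT actor FROM behavior WHERE action = ?"
            params.append(it["action"])
            if it["content"]:
                q += " AND target = ?"
                params.append(it["content"])
            subqueries.append(q)
        setop = " INTERSECT " if rule["operator"] == "AND" else " UNION "
        return setop.join(subqueries), params
    # Correlation rule: one table alias per item, joined where variables repeat
    # (all items must hold, i.e. AND semantics, as the chain requires).
    aliases = [f"t{i}" for i in range(len(items))]
    where, params, first_use = [], [], {}
    for alias, it in zip(aliases, items):
        where.append(f"{alias}.action = ?")
        params.append(it["action"])
        if it["content"]:
            where.append(f"{alias}.target = ?")
            params.append(it["content"])
        for col in ("actor", "target"):
            var = it[col]
            if var and var.startswith("$"):
                if var in first_use:
                    where.append(f"{first_use[var]} = {alias}.{col}")
                else:
                    first_use[var] = f"{alias}.{col}"
    from_clause = ", ".join(f"behavior AS {a}" for a in aliases)
    start = first_use.get("$A", f"{aliases[0]}.actor")
    return f"SELECT DISTINCT {start} FROM {from_clause} WHERE " + " AND ".join(where), params


def load_snapshot(rows):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE behavior (actor TEXT, action TEXT, target TEXT)")
    con.executemany("INSERT INTO behavior VALUES (?, ?, ?)", rows)
    return con


def find_suspects(con, rule):
    sql, params = to_sql(rule)
    return sorted(row[0] for row in con.execute(sql, params))


if __name__ == "__main__":
    con = load_snapshot(SNAPSHOT)
    for text in (CORRELATION_RULE, SINGLE_FACTOR_RULE):
        rule = parse_rule(text)
        print(rule["id"], classify(rule), find_suspects(con, rule))
```

M.exe is not reported because its injection has no Drop and Connect follow-up through the same object, which is the correlation the chain rule requires.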
It should be noted that being the behavior record by collecting rogue program in the embodiment of the present invention, and utilize malice journey The behavior record of sequence establishes rule base, then again by the behavior of the behavior record of the rogue program in rule base and program to be detected The mode compared is recorded, to determine whether program to be detected is suspect program.In the specific implementation, those skilled in the art Member it is also contemplated that other utilize program to be detected behavior record, determine program to be detected whether be suspect program method. For example, usually can all use by summarizing rogue program, there is the threat behavioral chain of general character in many rogue programs, To carry out matched mode with the behavior record of program to be detected, to determine whether program to be detected is suspect program.Work as use Other can not be executed when determining whether program to be detected is the method for suspect program using the behavior record of program to be detected The content of above-mentioned steps S101 and S102.In this regard, the present invention can be with no restrictions.
In addition, it is necessary to illustrate, by the way that the behavior record of rogue program is generated extension in the embodiment of the present invention The mode of OpenIOC rule.Do not need to rebuild new testing mechanism to realize, and by existing OpenIOC machine System, can both complete the detection of the rogue program to unknown threat.In the specific implementation, those skilled in the art can also be unfavorable With OpenIOC mechanism, and new mechanism is re-established to complete the behavior record by program to be detected, judge whether it is suspicious It the step of program, can also be with no restrictions to this present invention.
S105, above-mentioned judgement is carried out to each program in system snapshot, forms the system of suspect program according to judging result Report is counted, and executes the operations such as sending alarm.So that these suspect programs are purged etc. with processing.
It should be noted that the suspicious programs referred to in the embodiment of the present invention are application programs whose behavior records have a certain correlation with the behavior records of malicious programs. After these suspicious programs have been filtered out of the system snapshot, they can be cleaned up or killed directly, or the programs in the statistical report can be further screened by other methods so as to avoid false positives.
S106, statistical correlation is performed on the suspicious programs in each electronic device in the network, and the attack graph of the whole system network is determined.
The embodiment of the present invention rests on the following principle: although specific content such as the code of a malicious program may change when it mutates, the behavior record of the malicious program, in other words its threat behavior chain, usually does not change. On this basis, a method is proposed for determining whether a program to be detected is a suspicious program according to its behavior record in the operating system. Thus, even if a hacker modifies the code so that the hash value of the malicious file changes and the virus code becomes entirely ineffective, the threat behavior chain will not change easily. Therefore, with the detection method provided by the present invention, we can capture not only known threats but also unknown, potential threats.
The working process of the OpenIOC processing module that applies the detection method provided by the embodiment of the present invention is introduced below with reference to Fig. 7:
Firstly, the rule management module: it is mainly responsible for classifying and managing newly created and old OpenIOC rules in the OpenIOC processing module. It can set the expiry time of a newly created OpenIOC rule, or extend the expiry time of an old OpenIOC rule. With it, we can manage OpenIOC rules centrally, and it also makes it easier to search for particular OpenIOC rules.
Event execution module: its main responsibility is to receive instructions from the security administrator and comprehensively analyze one or more operating systems within the customer's network to determine whether they have been subjected to a threat attack.
Data storage module: mainly responsible for storing OpenIOC rules in the database.
Statistical classification module: mainly collects information on the security events of one or more machines and classifies them intelligently, so as to count which machines have actually been attacked and which have not.
Source tracing module: associates the series of security events that occurred on a specific machine and draws the whole attack graph.
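The rule-to-SQL matching described above (an OpenIOC rule turned into a SQL query and run against the behavior records taken from a system snapshot), shown as an added example that is not the patent's own code. The simplified OpenIOC element names, the `behavior(program, action, target)` table, the column and condition whitelists and all sample rows are assumptions made for this illustration; each indicator item becomes an EXISTS predicate over one program's rows, so a chain of several actions is matched per program rather than per record.

```python
# Added example (not the patent's code): OpenIOC-style rule -> parameterised SQL
# -> match over a constructed system snapshot. Schema and data are assumptions.
import sqlite3
import xml.etree.ElementTree as ET

# Constructed rule: a threat behaviour chain that must appear, as a whole, in
# one program's records.  AND/OR nest the way OpenIOC indicators do.
RULE_XML = """
<ioc id="example-0001" name="rename-chain-with-beacon">
  <Indicator operator="AND">
    <IndicatorItem condition="is"><Context search="Behavior/Action"/><Content>file_rename</Content></IndicatorItem>
    <IndicatorItem condition="is"><Context search="Behavior/Action"/><Content>network_connect</Content></IndicatorItem>
    <Indicator operator="OR">
      <IndicatorItem condition="contains"><Context search="Behavior/Target"/><Content>.locked</Content></IndicatorItem>
      <IndicatorItem condition="contains"><Context search="Behavior/Target"/><Content>.enc</Content></IndicatorItem>
    </Indicator>
  </Indicator>
</ioc>
"""

# Whitelists: a rule may only name known columns and conditions, and every
# Content value is bound as a parameter, so a malformed or hostile rule file
# cannot change the shape of the generated SQL.
COLUMNS = {"Behavior/Action": "action", "Behavior/Target": "target"}
CONDITIONS = {"is": "= ?", "contains": "LIKE '%' || ? || '%'"}

def indicator_to_sql(node, params):
    """Turn an <Indicator>/<IndicatorItem> subtree into a predicate; each item
    is an EXISTS over the rows of the same program (outer alias p)."""
    if node.tag == "IndicatorItem":
        column = COLUMNS[node.find("Context").get("search")]
        condition = CONDITIONS[node.get("condition")]
        params.append(node.find("Content").text)
        return (f"EXISTS (SELECT 1 FROM behavior b WHERE b.program = p.program "
                f"AND b.{column} {condition})")
    operator = node.get("operator", "").upper()
    if operator not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {operator!r}")
    return "(" + f" {operator} ".join(indicator_to_sql(c, params) for c in node) + ")"

def rule_to_query(rule_xml):
    """Return (sql, params) for one OpenIOC-style rule."""
    root = ET.fromstring(rule_xml.strip())
    params = []
    where = indicator_to_sql(root.find("Indicator"), params)
    return (f"SELECT DISTINCT p.program FROM behavior p WHERE {where} "
            f"ORDER BY p.program", params)

# Constructed snapshot rows: (program, action, target).  Only updater.exe
# shows the full chain; backup.exe renames to .enc but never connects out.
SNAPSHOT = [
    ("updater.exe", "file_rename", r"C:\Users\a\report.docx.locked"),
    ("updater.exe", "file_rename", r"C:\Users\a\budget.xlsx.locked"),
    ("updater.exe", "network_connect", "203.0.113.7:443"),
    ("svchost.exe", "network_connect", "198.51.100.2:443"),
    ("backup.exe", "file_rename", r"D:\backup\2018-09-29.tar.enc"),
    ("notepad.exe", "file_write", r"C:\Users\a\notes.txt"),
]

def load_snapshot(rows):
    """Load behaviour records into an in-memory table (the data storage role)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE behavior (program TEXT, action TEXT, target TEXT)")
    conn.executemany("INSERT INTO behavior VALUES (?, ?, ?)", rows)
    return conn

def find_suspects(conn, rule_xml):
    """Programs in the snapshot whose records match the rule's behaviour chain."""
    sql, params = rule_to_query(rule_xml)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    print(find_suspects(load_snapshot(SNAPSHOT), RULE_XML))  # ['updater.exe']
```

Because the query is evaluated per program, a rule with several actions finds programs that exhibit the whole chain, which is the property the text relies on when it argues that a re-hashed mutation is still caught.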
Embodiment two:
The embodiment of the present invention provides an electronic device for executing the above detection method of a network attack. When implemented, the electronic device provided in the embodiment of the present invention may be a computer; in some examples, the electronic device provided by the embodiment of the present invention may also be an electronic product such as a mobile phone or a laptop computer, and the present invention imposes no restriction on this.
Fig. 8 shows a possible structural schematic diagram of the electronic device. Specifically, the electronic device 20 includes an acquiring unit 201 and a determination unit 202, wherein:
the acquiring unit 201 is configured to obtain the behavior record of the program to be detected in the operating system;
the determination unit 202 is configured to determine, according to the behavior record of the program to be detected in the operating system, whether the program to be detected is a suspicious program.
Optionally, the determination unit 202 is specifically configured to compare the behavior record of the program to be detected in the operating system with the behavior records in the rule base, and, if the behavior record of the program to be detected in the operating system matches a behavior record in the rule base, determine that the program to be detected is a suspicious program; wherein the rule base includes the behavior record of at least one malicious program in the operating system.
Optionally, as shown in the figure, the electronic device 20 further includes a rule generating unit 203;
the rule generating unit 203 is configured to, before the determination unit 202 compares the behavior record of the program to be detected in the operating system with the behavior records in the rule base, generate at least one OpenIOC rule according to the behavior record of at least one malicious program in the operating system, and save the at least one OpenIOC rule into the OpenIOC rule base;
the determination unit 202 is specifically configured to convert the at least one OpenIOC rule into a SQL query statement, use the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system, and determine that the program to be detected is a suspicious program if they match.
Optionally, the acquiring unit 201 is specifically configured to obtain a system snapshot of the operating system, and to obtain the behavior record of the program to be detected in the operating system from the system snapshot of the operating system.
It should be noted that for the other corresponding descriptions of each unit in the electronic device provided in the embodiment of the present invention, reference may be made to Fig. 4 and the corresponding description of Fig. 4 above; details are not repeated here.
When integrated units are used, Fig. 9 shows a possible structural schematic diagram of the electronic device involved in the above embodiment. The electronic device 30 includes a processing module 301 and a communication module 302. The processing module 301 is configured to control and manage the actions of the electronic device 30; for example, the processing module 301 is configured to support the electronic device 30 in executing steps S101 to S105 in Fig. 4. The communication module 302 is configured to support communication between the electronic device 30 and other entity devices. The electronic device 30 may further include a storage module 303 for storing the program code and data of the electronic device 30.
The processing module 301 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 302 may be a transceiver, a transceiver circuit, a communication interface or the like. The storage module 303 may be a memory.
When the processing module 301 is a processor, the communication module 302 is a communication interface, and the storage module 303 is a memory, the electronic device involved in the embodiment of the present invention may be the electronic device shown in Fig. 10.
Referring to Fig. 10, the electronic device includes a processor 401, a communication interface 402, a memory 403 and a bus 404. The communication interface 402, the processor 401 and the memory 403 are connected to each other by the bus 404. The bus 404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 10, but this does not mean that there is only one bus or only one type of bus.
The steps of the method or algorithm described in connection with the disclosure of the present invention may be implemented in hardware, or by a processor executing software instructions. The embodiment of the present invention also provides a storage medium, which may include the memory 403, for storing the computer software instructions used by the electronic device, including the program code designed for the radiotherapy apparatus collimator correction method provided in the above embodiment. Specifically, the software instructions may consist of corresponding software modules, which may be stored in a random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor.
The embodiment of the present invention also provides a computer program, which can be loaded directly into the memory 403 and contains software code; after the computer program is loaded and executed by a computer, the detection method of a network attack provided by the above embodiment can be implemented.
Those skilled in the art will appreciate that in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific embodiments described above further describe in detail the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention; any modification, equivalent substitution, improvement and the like made on the basis of the technical solution of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A detection method of a network attack, characterized by comprising:
obtaining the behavior record of a program to be detected in an operating system;
determining, according to the behavior record of the program to be detected in the operating system, whether the program to be detected is a suspicious program.
2. The detection method of a network attack according to claim 1, characterized in that determining, according to the behavior record of the program to be detected in the operating system, whether the program to be detected is a suspicious program specifically comprises:
comparing the behavior record of the program to be detected in the operating system with the behavior records in a rule base, and if the behavior record of the program to be detected in the operating system matches a behavior record in the rule base, determining that the program to be detected is a suspicious program; wherein the rule base includes the behavior record of at least one malicious program in the operating system.
3. The detection method of a network attack according to claim 2, characterized in that, before comparing the behavior record of the program to be detected in the operating system with the behavior records in the rule base, the method further comprises:
generating at least one OpenIOC rule according to the behavior record of the at least one malicious program in the operating system, and saving the at least one OpenIOC rule into an OpenIOC rule base;
and the comparing of the behavior record of the program to be detected in the operating system with the behavior records in the rule base, and the determining that the program to be detected is a suspicious program if the behavior record of the program to be detected in the operating system matches a behavior record in the rule base, specifically comprises:
converting the at least one OpenIOC rule into a structured query language (SQL) query statement;
using the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system, and determining that the program to be detected is a suspicious program if they match.
4. The detection method of a network attack according to any one of claims 1 to 3, characterized in that obtaining the behavior record of the program to be detected in the operating system specifically comprises:
obtaining a system snapshot of the operating system;
obtaining the behavior record of the program to be detected in the operating system from the system snapshot of the operating system.
5. An electronic device, characterized by comprising:
an acquiring unit, configured to obtain the behavior record of a program to be detected in an operating system;
a determination unit, configured to determine, according to the behavior record of the program to be detected in the operating system, whether the program to be detected is a suspicious program.
6. The electronic device according to claim 6, characterized in that
the determination unit is specifically configured to compare the behavior record of the program to be detected in the operating system with the behavior records in a rule base, and if the behavior record of the program to be detected in the operating system matches a behavior record in the rule base, determine that the program to be detected is a suspicious program; wherein the rule base includes the behavior record of at least one malicious program in the operating system.
7. The electronic device according to claim 6, characterized in that the electronic device further comprises a rule generating unit;
the rule generating unit is configured to, before the determination unit compares the behavior record of the program to be detected in the operating system with the behavior records in the rule base, generate at least one OpenIOC rule according to the behavior record of the at least one malicious program in the operating system, and save the at least one OpenIOC rule into an OpenIOC rule base;
the determination unit is specifically configured to convert the at least one OpenIOC rule into a SQL query statement, use the SQL query statement to judge whether the behavior record of the program to be detected in the operating system matches the behavior record of the at least one malicious program in the operating system, and determine that the program to be detected is a suspicious program if they match.
8. The electronic device according to any one of claims 5 to 7, characterized in that
the acquiring unit is specifically configured to obtain a system snapshot of the operating system, and to obtain the behavior record of the program to be detected in the operating system from the system snapshot of the operating system.
9. a kind of electronic equipment characterized by comprising processor, memory, bus and communication interface;The memory is used In storage computer executed instructions, the processor is connect with the memory by the bus, when the electronic equipment is transported When row, the processor executes the computer executed instructions of the memory storage, so that the electronic equipment executes such as The detection method of network attack described in any one of claim 1-4.
10. a kind of computer storage medium, which is characterized in that including instruction, when it runs on an electronic device, so that described Electronic equipment executes the detection method of the network attack as described in any one of claim 1-4.
CN201811152350.4A 2018-09-29 2018-09-29 A kind of detection method and electronic equipment of network attack Pending CN109040136A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181218