CN110837639A - Active defense method and system for unknown threat - Google Patents


Info

Publication number: CN110837639A
Authority: CN (China)
Prior art keywords: file, identified, traffic, flow, track
Legal status: Pending
Application number: CN201911091953.2A
Other languages: Chinese (zh)
Inventors: 李华生, 吴相东
Current Assignee: Zhejiang Jundun Information Technology Co Ltd
Original Assignee: Zhejiang Jundun Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention provides an active defense method and system for unknown threats, applied to a server, comprising the following steps: acquiring a file to be identified and/or traffic to be identified; performing behavior analysis on the file and/or the traffic to obtain a file track and/or a traffic track; based on the file track and/or the traffic track, performing threat analysis on the file and/or the traffic to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified; and judging, based on that maliciousness, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic. The invention solves the technical problem that unknown threats cannot be identified and handled in the prior art.

Description

Active defense method and system for unknown threat
Technical Field
The invention relates to the technical field of network security, and in particular to an active defense method and system for unknown threats.
Background
With the rapid spread of malicious software such as ransomware and mining Trojans, new and previously unknown network security threats keep emerging. For a network, it is important to discover unknown security threats proactively and to handle them proactively. Known threats include, among others, known malicious files and known malicious traffic; unknown threats include unknown malicious files and unknown malicious traffic.
However, because conventional network security schemes are primarily rule-based, they can only actively discover and handle known threats. For an unknown threat there is no existing rule with which to discover and handle it. The threat processing engine of the prior art therefore lets unknown malicious files and unknown malicious traffic pass through, and they go on to damage the system.
Disclosure of Invention
In view of the above, the present invention provides an active defense method and system for unknown threats, so as to alleviate the technical problem in the prior art that unknown threats cannot be identified and handled.
In a first aspect, an embodiment of the present invention provides an active defense method for unknown threats, applied to a server, which includes: acquiring a file to be identified and/or traffic to be identified; performing behavior analysis on the file and/or the traffic to obtain a file track and/or a traffic track; based on the file track and/or the traffic track, performing threat analysis on the file and/or the traffic to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified; and judging, based on that maliciousness, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic.
Further, the step of performing behavior analysis on the file to be identified to obtain a file track includes: mounting a first hook function on an operation function of the file system, where the operation function comprises at least one of: the file open, create, read, write, close and change-attribute operation functions; and acquiring the file track of the file to be identified by means of the first hook function, the file track including: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
Further, the step of performing behavior analysis on the traffic to be identified to obtain a traffic track includes: mounting a second hook function on the network protocol stack; and acquiring the traffic track of the traffic to be identified by means of the second hook function, the traffic track including: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
Further, performing threat analysis on the file to be identified based on the file track to obtain the maliciousness of the file includes: based on the file track, performing threat analysis on the file to obtain, respectively, a first threat degree for the user to whom the file belongs operating on the file, and a second threat degree for the process spawned when the file runs; and summing the first threat degree and the second threat degree to obtain the maliciousness of the file to be identified.
Further, performing threat analysis on the traffic to be identified based on the traffic track to obtain the maliciousness of the traffic includes: based on the traffic track, performing threat analysis on the traffic to obtain, respectively, a third threat degree for the user to whom the traffic belongs operating on the traffic, and a fourth threat degree for the process to which the traffic belongs; and summing the third threat degree and the fourth threat degree to obtain the maliciousness of the traffic to be identified.
In a second aspect, an embodiment of the present invention further provides an active defense system for unknown threats, applied to a server, which comprises a terminal module, a first analysis module, a second analysis module and an unknown threat processing module. The terminal module is configured to acquire a file to be identified and/or traffic to be identified; the first analysis module is configured to perform behavior analysis on the file and/or the traffic to obtain a file track and/or a traffic track; the second analysis module is configured to perform threat analysis on the file and/or the traffic based on the file track and/or the traffic track to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified; and the unknown threat processing module is configured to determine, based on that maliciousness, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic.
Further, the first analysis module further comprises a file analysis unit configured to: mount a first hook function on an operation function of the file system, where the operation function comprises at least one of: the file open, create, read, write, close and change-attribute operation functions; and acquire the file track of the file to be identified by means of the first hook function, the file track including: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
Further, the first analysis module further comprises a traffic analysis unit configured to: mount a second hook function on the network protocol stack; and acquire the traffic track of the traffic to be identified by means of the second hook function, the traffic track including: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, the present invention further provides a computer-readable medium carrying non-volatile program code executable by a processor, where the program code causes the processor to execute the method of the first aspect.
The invention provides an active defense method and system for unknown threats comprising the following steps: acquiring a file to be identified and/or traffic to be identified; performing behavior analysis on the file and/or the traffic to obtain a file track and/or a traffic track; based on the file track and/or the traffic track, performing threat analysis on the file and/or the traffic to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified; and judging, based on that maliciousness, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic. By building a behavior portrait of the file to be identified and the traffic to be identified and analyzing the resulting portrait, the method and device can judge whether they are malicious files or malicious traffic, which solves the technical problem that unknown threats cannot be identified and handled in the prior art.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an active defense method for unknown threats according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an active defense system for unknown threats provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of another active defense system for unknown threats according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment one:
Since conventional network security schemes are primarily rule-based, they can actively discover and handle known threats. The threat processing engine that discovers and handles known threats in the prior art identifies and processes known malicious files and known malicious traffic mainly by rule matching against known threats. Unknown threats cannot be discovered and handled with the existing rules, and active identification and active defense techniques are required to deal with them.
The invention provides an active defense method for unknown threats which actively discovers and handles unknown threats based on deep behavior analysis of files and traffic.
Fig. 1 is a flowchart of an active defense method for unknown threats provided by an embodiment of the present invention and applied to a server. As shown in Fig. 1, the method includes the following steps:
Step S102: acquire a file to be identified and/or traffic to be identified.
Step S104: perform behavior analysis on the file to be identified and/or the traffic to be identified to obtain a file track and/or a traffic track.
Step S106: based on the file track and/or the traffic track, perform threat analysis on the file to be identified and/or the traffic to be identified to obtain the maliciousness of the file and/or the maliciousness of the traffic.
Step S108: based on the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified, judge whether the file and/or the traffic is a malicious file and/or malicious traffic.
With the active defense method for unknown threats provided by the invention, a behavior portrait of the file to be identified and the traffic to be identified is built and the resulting portrait is analyzed, so that it can be judged whether they are malicious files or malicious traffic; this solves the technical problem that unknown threats cannot be identified and handled in the prior art.
Optionally, step S104 includes performing behavior analysis on the file to be identified and performing behavior analysis on the traffic to be identified, where the behavior analysis on the file to be identified includes:
mounting a first hook function on an operation function of the file system, where the operation function comprises at least one of: the file open, create, read, write, close and change-attribute operation functions;
acquiring the file track of the file to be identified by means of the first hook function, the file track including: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
The following should be noted: (1) the hook must be attached at the virtual file system layer, not on a specific file system; (2) the hook function usually runs in the operating system kernel, and the file behavior data it acquires must be passed to user mode on the terminal, which stores the relevant information; (3) the data to be gathered includes: operation start time, operation end time, operation item, operating process name, operating user name, file permissions and the like.
Optionally, the method provided in the embodiment of the present invention further includes: after the corresponding file track is acquired, sending it to the file track library of the behavior database. The file track library of the behavior database records the file tracks from all terminals.
Optionally, the step of performing behavior analysis on the traffic to be identified in step S104 to obtain a traffic track includes:
mounting a second hook function on the network protocol stack;
acquiring the traffic track of the traffic to be identified by means of the second hook function, the traffic track including: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
The following should be noted: (1) the hook must be attached at the network layer of the protocol stack, not at the application layer; (2) the hook function usually runs in the operating system kernel, and the behavior data it acquires must be passed to user mode on the terminal, which stores the relevant information; (3) the data to be gathered includes: connection creation time, close time, destination IP, destination port, process information, operating user name and the like.
Optionally, the method provided in the embodiment of the present invention further includes: after the corresponding traffic track is acquired, sending it to the traffic track library of the behavior database. The traffic track library of the behavior database records the traffic tracks from the respective terminals.
Optionally, step S106 specifically includes: performing threat analysis on the file to be identified based on the file track to obtain the maliciousness of the file to be identified, which comprises the following steps:
based on the file track, performing threat analysis on the file to be identified to obtain, respectively, a first threat degree for the user to whom the file belongs operating on the file, and a second threat degree for the process spawned when the file runs;
and summing the first threat degree and the second threat degree to obtain the maliciousness of the file to be identified.
For example, the first threat degree for the user to whom the file belongs operating on the file may be obtained by the following scoring method, which reads the data of the behavior database and calculates the user maliciousness:
by default the user is a normal user and is scored 0 points;
if the user has more than 3 password attempts, 5 points are added;
if the user creates a file that requires admin or root authority, 5 points are added;
if the user executes a file that requires admin or root authority, 5 points are added;
if the user creates known malicious files, 50 points are added per file;
if the user initiates communication to a known threat IP through a file the user created, 50 points are added per communication;
the user maliciousness has no upper limit, and its minimum is 0 points.
After these checks, the resulting scores are summed to give the first threat degree; the higher the score, the higher the maliciousness of the file to be identified.
The second threat degree for the process spawned when the file runs may be obtained by the following scoring method, which reads the behavior database and calculates the process maliciousness:
by default the process is a normal process and is scored 0 points;
if the process has more than 3 privilege escalation attempts, 5 points are added;
if the process creates known malicious files, 50 points are added per file;
if the process executes known malicious files, 50 points are added per file;
if the process initiates communication to a known threat IP, 50 points are added per communication;
the process maliciousness has no upper limit, and its minimum is 0 points.
After these checks, the resulting scores are summed to give the second threat degree; the higher the score, the higher the maliciousness of the file to be identified.
Finally, the scores of the first threat degree and the second threat degree are summed to obtain the maliciousness of the file to be identified, and the file is identified and judged based on that maliciousness.
For example:
file maliciousness score = maliciousness value of the user to whom the file to be identified belongs + maliciousness value of the process operating the file to be identified;
if the file maliciousness score is less than or equal to 20 points, the file to be identified is judged a normal file; processing strategy: release;
if the file maliciousness score is greater than 20 points and less than 60 points, the file to be identified is judged a suspicious file; processing strategy: release and enter a new judgment period;
if the file maliciousness score is greater than 100 points, the file to be identified is judged a malicious file; processing strategy: block new creation of the file and block execution of the file.
Optionally, step S106 further includes: performing threat analysis on the traffic to be identified based on the traffic track to obtain the maliciousness of the traffic to be identified, which comprises the following steps:
based on the traffic track, performing threat analysis on the traffic to be identified to obtain, respectively, a third threat degree for the user to whom the traffic belongs operating on the traffic, and a fourth threat degree for the process to which the traffic belongs;
and summing the third threat degree and the fourth threat degree to obtain the maliciousness of the traffic to be identified.
For example, the third threat degree for the user to whom the traffic to be identified belongs may be obtained by the following scoring method, which reads the data of the behavior database and calculates the user maliciousness:
by default the user is a normal user and is scored 0 points;
if the user has more than 3 password attempts, 5 points are added;
if the user creates a file that requires admin or root authority, 5 points are added;
if the user executes a file that requires admin or root authority, 5 points are added;
if the user creates known malicious files, 50 points are added per file;
if the user initiates communication to a known threat IP through a file the user created, 50 points are added per communication;
the user maliciousness has no upper limit, and its minimum is 0 points.
After these checks, the resulting scores are summed to give the third threat degree; the higher the score, the higher the maliciousness of the traffic to be identified.
The fourth threat degree for the process to which the traffic to be identified belongs may be obtained by the following scoring method, which reads the behavior database and calculates the process maliciousness:
by default the process is a normal process and is scored 0 points;
if the process has more than 3 privilege escalation attempts, 5 points are added;
if the process creates known malicious files, 50 points are added per file;
if the process executes known malicious files, 50 points are added per file;
if the process initiates communication to a known threat IP, 50 points are added per communication;
the process maliciousness has no upper limit, and its minimum is 0 points.
After these checks, the resulting scores are summed to give the fourth threat degree; the higher the score, the higher the maliciousness of the traffic to be identified.
Finally, the score of the third threat degree and the score of the fourth threat degree are summed to obtain the maliciousness of the traffic to be identified, and the traffic is identified and judged based on that maliciousness.
For example:
traffic maliciousness score = maliciousness value of the user to whom the traffic belongs + maliciousness value of the process to which the traffic belongs;
if the traffic maliciousness score is less than or equal to 20 points, the traffic to be identified is judged normal traffic; processing strategy: release;
if the traffic maliciousness score is greater than 20 points and less than 60 points, the traffic to be identified is judged suspicious traffic; processing strategy: release and enter a new judgment period;
if the traffic maliciousness score is greater than 100 points, the traffic to be identified is judged malicious traffic; processing strategy: block new communication with the IP and block the traffic.
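The file scoring (first and second threat degree) and the traffic scoring (third and fourth threat degree) above apply the same user and process rules and the same 20/60/100 thresholds; the following is an added worked example, not code from the patent or its assignee, that runs both over constructed file and traffic tracks. The record layouts, the "execute" operation item, the needs_root flag, the password and privilege-escalation counters, and the convention that a file's owner is the user on its create track are assumptions not taken from the page.

```python
# Added example (not the patent's code): the user/process scoring and the threshold
# decision CN110837639A gives for files and traffic, run over constructed records.
# Assumed, not on the page: record layouts, "execute" op, needs_root, attempt counters.
from dataclasses import dataclass, field

@dataclass
class FileTrack:              # file track fields named in the patent
    start: str                # file operation starting time
    end: str                  # file operation ending time
    operation: str            # operation item: open/create/read/write/close/chattr; "execute" is assumed
    process: str              # operation process name
    user: str                 # operation user name
    permission: str           # file permission
    path: str                 # assumed: the file the operation touched
    needs_root: bool = False  # assumed: the file requires admin or root authority

@dataclass
class TrafficTrack:           # traffic track fields named in the patent
    created: str              # connection creation time
    closed: str               # connection closing time
    dst_ip: str               # destination IP
    dst_port: int             # destination port
    process: str              # process information (here: executable path)
    user: str                 # operation user name

@dataclass
class BehaviorDatabase:       # file track library + traffic track library + signature data
    file_tracks: list
    traffic_tracks: list
    known_malicious_files: set = field(default_factory=set)  # from the signature library
    known_threat_ips: set = field(default_factory=set)       # from the signature library
    password_attempts: dict = field(default_factory=dict)    # assumed counter: user -> attempts
    privesc_attempts: dict = field(default_factory=dict)     # assumed counter: process -> attempts

def user_score(db, user):
    # User maliciousness: default 0, no upper limit, never below 0
    score = 5 if db.password_attempts.get(user, 0) > 3 else 0      # more than 3 password attempts
    created = {t.path for t in db.file_tracks if t.user == user and t.operation == "create"}
    for t in (t for t in db.file_tracks if t.user == user):
        if t.operation in ("create", "execute") and t.needs_root:
            score += 5                    # creates or executes a file needing admin/root authority
        if t.operation == "create" and t.path in db.known_malicious_files:
            score += 50                   # creates a known malicious file
    for c in db.traffic_tracks:           # communication to a known threat IP through a file the user created
        if c.user == user and c.process in created and c.dst_ip in db.known_threat_ips:
            score += 50
    return max(score, 0)

def process_score(db, process):
    # Process maliciousness: default 0, no upper limit, never below 0
    score = 5 if db.privesc_attempts.get(process, 0) > 3 else 0    # more than 3 privilege-escalation attempts
    for t in (t for t in db.file_tracks if t.process == process):
        if t.operation in ("create", "execute") and t.path in db.known_malicious_files:
            score += 50                   # creates or executes a known malicious file
    for c in db.traffic_tracks:
        if c.process == process and c.dst_ip in db.known_threat_ips:
            score += 50                   # initiates communication to a known threat IP
    return max(score, 0)

STRATEGIES = {                # processing strategy per verdict, as the patent lists them
    "file": {"normal": "release", "suspicious": "release; enter a new judgment period",
             "malicious": "block creation and execution of the file"},
    "traffic": {"normal": "release", "suspicious": "release; enter a new judgment period",
                "malicious": "block new communication with the IP; block the traffic"},
}

def verdict(score, kind):
    # Thresholds exactly as the patent states them; they leave 60..100 uncovered,
    # so that band is reported as undefined instead of being silently classified.
    if 60 <= score <= 100:
        return score, "undefined", "60..100 is not covered by the stated thresholds"
    label = "normal" if score <= 20 else "suspicious" if score < 60 else "malicious"
    return score, label, STRATEGIES[kind][label]

def judge_file(db, path):
    # File maliciousness = owning user's score + score of the process the file runs as
    # (assumed: owner = user on the file's create track; that process is named by the path)
    owner = next((t.user for t in db.file_tracks if t.path == path and t.operation == "create"), None)
    return verdict(user_score(db, owner) + process_score(db, path), "file")

def judge_traffic(db, conn):
    # Traffic maliciousness = score of the connection's user + score of its process
    return verdict(user_score(db, conn.user) + process_score(db, conn.process), "traffic")

DB = BehaviorDatabase(        # constructed sample tracks, not real telemetry
    file_tracks=[
        FileTrack("t1", "t2", "create", "bash", "alice", "rw-r--r--", "/home/alice/report.txt"),
        FileTrack("t3", "t4", "create", "bash", "bob", "rwxr-xr-x", "/tmp/dropper", needs_root=True),
        FileTrack("t5", "t6", "execute", "bash", "bob", "rwxr-xr-x", "/tmp/dropper", needs_root=True),
        FileTrack("t7", "t8", "create", "/tmp/dropper", "bob", "rwx------", "/tmp/payload.bin"),
    ],
    traffic_tracks=[
        TrafficTrack("t9", "t10", "203.0.113.7", 4444, "/tmp/dropper", "bob"),
        TrafficTrack("t11", "t12", "198.51.100.2", 443, "firefox", "alice"),
    ],
    known_malicious_files={"/tmp/payload.bin"},
    known_threat_ips={"203.0.113.7"},
    password_attempts={"bob": 5},
)
```

Calling `judge_file(DB, "/tmp/dropper")` and `judge_traffic(DB, DB.traffic_tracks[0])` returns the score, the class and the processing strategy; scores from 60 to 100 fall outside the page's stated bands, so `verdict` reports that case as undefined rather than picking a class.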
From the above, the present application provides a method for defending against unknown threats based on a host behavior portrait, including: acquiring a file to be identified and/or traffic to be identified; performing behavior analysis on the file and/or the traffic to obtain a file track and/or a traffic track; based on the file track and/or the traffic track, performing threat analysis on the file and/or the traffic to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified; and judging, based on that maliciousness, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic. By building a behavior portrait of the file to be identified and the traffic to be identified and analyzing the resulting portrait, the method and device can judge whether they are malicious files or malicious traffic, which solves the technical problem that unknown threats cannot be identified and handled in the prior art.
Embodiment two:
Fig. 2 is a schematic diagram of an active defense system for unknown threats, applied to a server, according to an embodiment of the present invention; it includes a terminal module 10, a first analysis module 20, a second analysis module 30 and an unknown threat processing module 40.
Specifically, the terminal module 10 is configured to acquire a file to be identified and/or traffic to be identified.
The first analysis module 20 is configured to perform behavior analysis on the file to be identified and/or the traffic to be identified to obtain a file track and/or a traffic track.
The second analysis module 30 is configured to perform threat analysis on the file to be identified and/or the traffic to be identified based on the file track and/or the traffic track, so as to obtain the maliciousness of the file and/or the maliciousness of the traffic.
The unknown threat processing module 40 is configured to determine, based on the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified, whether the file and/or the traffic is a malicious file and/or malicious traffic.
With this active defense system for unknown threats, a behavior portrait of the files to be identified and the traffic to be identified is built and the resulting portrait is analyzed, so that it can be judged whether they are malicious files or malicious traffic; this solves the technical problem that unknown threats cannot be identified and handled in the prior art.
Optionally, the first analysis module further comprises a file analysis unit configured to:
mount a first hook function on an operation function of the file system, where the operation function comprises at least one of: the file open, create, read, write, close and change-attribute operation functions;
acquire the file track of the file to be identified by means of the first hook function, the file track including: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
Optionally, the first analysis module further comprises a traffic analysis unit configured to:
mount a second hook function on the network protocol stack;
acquire the traffic track of the traffic to be identified by means of the second hook function, the traffic track including: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
Optionally, the second analysis module further comprises a second file analysis unit configured to:
perform threat analysis on the file to be identified based on the file track to obtain, respectively, a first threat degree for the user to whom the file belongs operating on the file, and a second threat degree for the process spawned when the file runs;
and sum the first threat degree and the second threat degree to obtain the maliciousness of the file to be identified.
Optionally, the second analysis module further comprises a second traffic analysis unit configured to:
perform threat analysis on the traffic to be identified based on the traffic track to obtain, respectively, a third threat degree for the user to whom the traffic belongs operating on the traffic, and a fourth threat degree for the process to which the traffic belongs;
and sum the third threat degree and the fourth threat degree to obtain the maliciousness of the traffic to be identified.
Example three:
An embodiment of the present invention further provides another active defense system for unknown threats, shown in fig. 3, comprising: a known threat processing engine 31, a feature library 32, an unknown threat processing engine 33, a behavior database 34 and terminals 35. As fig. 3 shows, there may be a plurality of terminals 35.
Specifically, the known threat processing engine 31 is configured to identify and process known malicious files and known malicious traffic.
The feature library 32 is configured to record fingerprint features of known malicious files (for example, their MD5 values), which are matched against files to find malicious files, and fingerprint features of known malicious traffic (for example, IP addresses or domain names), which are matched against traffic to find malicious traffic.
The feature library 32 supplies the known threat processing engine with the fingerprints used to match known threats.
The unknown threat processing engine 33 is configured to identify and process unknown malicious files and unknown malicious traffic. Optionally, the unknown threat processing engine 33 of this embodiment may be the unknown threat processing module 40 of the second embodiment described above.
The behavior database 34 is configured to store file tracks and traffic tracks, where a file track comprises process data such as file creation, movement, copying and starting, and a traffic track comprises the time, frequency, destination IP, destination port and traffic volume of the communication.
The terminal 35 is configured to collect file tracks and traffic tracks through an agent program running on the terminal and to report them to the behavior database.
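The pipeline of Example three, together with the per-user and per-process threat degrees of the optional analysis units above (the same split that claims 4 and 5 recite), can be followed in code. The block below is an added example and not the patent's own implementation: a known-threat stage that matches MD5 and destination IP or domain fingerprints against a feature library, then an unknown-threat stage that scores constructed file and traffic tracks and sums the user's threat degree and the process's threat degree into a maliciousness value compared against a threshold. The weights, the threshold, the allow-lists, the field layouts of the two track records and all sample tracks are assumptions chosen for illustration; the patent specifies none of them.

```python
"""Two-stage threat triage modelled on the patent's engines (added example).

Stage 1, the known-threat engine, matches MD5 and destination IP/domain
fingerprints against a feature library.  Stage 2, the unknown-threat engine,
scores the behavior track and sums the user's and the process's threat
degrees into a maliciousness value.  Weights, threshold, allow-lists and
sample tracks are assumptions for illustration only.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Sequence

@dataclass(frozen=True)
class FileTrack:
    """One hooked file-system operation (the fields named in claim 2)."""
    start: int        # operation start time, epoch seconds
    end: int          # operation end time
    operation: str    # open / create / read / write / close / chattr
    process: str      # operating process name
    user: str         # operating user name
    permissions: int  # file mode bits after the operation

@dataclass(frozen=True)
class TrafficTrack:
    """One hooked connection (the fields named in claim 3)."""
    opened: int       # connection creation time, epoch seconds
    closed: int       # connection close time
    dst_ip: str
    dst_port: int
    process: str
    user: str

# Assumed feature library: the "known bad" file is a constructed blob hashed
# here; the IP is taken from the TEST-NET-3 documentation range.
KNOWN_BAD_SAMPLE = b"constructed blob standing in for a known dropper"
FEATURE_LIBRARY = {
    "md5": {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest()},
    "ip": {"203.0.113.10"},
    "domain": {"c2.example.invalid"},
}
TRUSTED_USERS = {"root", "svc-backup"}             # assumed allow-lists
TRUSTED_PROCESSES = {"sshd", "nginx", "rsync"}
COMMON_PORTS = {22, 53, 80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 6                                      # assumed verdict threshold

def is_internal(ip: str) -> bool:
    # RFC 1918 only: ipaddress.is_private would also flag the TEST-NET ranges used below
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def user_file_threat(tracks: Sequence[FileTrack]) -> int:
    """First threat degree: the operating user's actions on the file."""
    score = 2 * len({t.user for t in tracks} - TRUSTED_USERS)
    # an attribute change that leaves the file executable is a drop-and-run step
    score += 3 * sum(1 for t in tracks if t.operation == "chattr" and t.permissions & 0o111)
    return score

def process_file_threat(tracks: Sequence[FileTrack]) -> int:
    """Second threat degree: behavior of the process once the file runs."""
    score = 2 * len({t.process for t in tracks} - TRUSTED_PROCESSES)
    writes = sorted(t.start for t in tracks if t.operation == "write")
    # five or more writes within ten seconds: a ransomware-like burst
    if any(writes[i + 4] - writes[i] <= 10 for i in range(len(writes) - 4)):
        score += 4
    return score

def file_maliciousness(tracks: Sequence[FileTrack]) -> int:
    return user_file_threat(tracks) + process_file_threat(tracks)

def user_traffic_threat(tracks: Sequence[TrafficTrack]) -> int:
    """Third threat degree: untrusted users owning outbound connections."""
    return 2 * len({t.user for t in tracks} - TRUSTED_USERS)

def process_traffic_threat(tracks: Sequence[TrafficTrack]) -> int:
    """Fourth threat degree: odd external destinations and beacon-like timing."""
    score = 2 * len({t.process for t in tracks} - TRUSTED_PROCESSES)
    score += sum(1 for t in tracks if not is_internal(t.dst_ip) and t.dst_port not in COMMON_PORTS)
    by_endpoint: dict = {}
    for t in tracks:
        by_endpoint.setdefault((t.dst_ip, t.dst_port), []).append(t.opened)
    for opens in by_endpoint.values():
        opens.sort()
        # four or more connections to one endpoint at a constant interval
        if len(opens) >= 4 and len({b - a for a, b in zip(opens, opens[1:])}) == 1:
            score += 4
    return score

def traffic_maliciousness(tracks: Sequence[TrafficTrack]) -> int:
    return user_traffic_threat(tracks) + process_traffic_threat(tracks)

def triage_file(content: bytes, tracks: Sequence[FileTrack]) -> str:
    """Known-threat engine first; the unknown-threat engine decides the rest."""
    if hashlib.md5(content).hexdigest() in FEATURE_LIBRARY["md5"]:
        return "known-malicious"
    return "malicious" if file_maliciousness(tracks) >= THRESHOLD else "benign"

def triage_traffic(tracks: Sequence[TrafficTrack], domain: str = "") -> str:
    if domain in FEATURE_LIBRARY["domain"] or any(t.dst_ip in FEATURE_LIBRARY["ip"] for t in tracks):
        return "known-malicious"
    return "malicious" if traffic_maliciousness(tracks) >= THRESHOLD else "benign"

# Constructed sample tracks: a dropped-and-run file, a backup job, a beaconing
# process and an admin SSH session.
DROPPER_FILE_TRACKS = [
    FileTrack(1000, 1000, "create", "curl", "www-data", 0o644),
    FileTrack(1001, 1001, "write", "curl", "www-data", 0o644),
    FileTrack(1002, 1002, "chattr", "sh", "www-data", 0o755),
] + [FileTrack(1010 + i, 1010 + i, "write", "enc", "www-data", 0o644) for i in range(6)]
BACKUP_FILE_TRACKS = [
    FileTrack(2000, 2001, "open", "rsync", "svc-backup", 0o640),
    FileTrack(2001, 2003, "read", "rsync", "svc-backup", 0o640),
    FileTrack(2003, 2003, "close", "rsync", "svc-backup", 0o640),
]
BEACON_TRAFFIC_TRACKS = [
    TrafficTrack(3000 + 60 * i, 3001 + 60 * i, "198.51.100.7", 8443, "updater", "www-data") for i in range(4)
]
ADMIN_TRAFFIC_TRACKS = [TrafficTrack(4000, 4300, "10.0.0.5", 22, "sshd", "root")]

if __name__ == "__main__":
    print(triage_file(KNOWN_BAD_SAMPLE, []), triage_file(b"unseen", DROPPER_FILE_TRACKS),
          triage_file(b"unseen", BACKUP_FILE_TRACKS))
    print(triage_traffic(BEACON_TRAFFIC_TRACKS), triage_traffic(ADMIN_TRAFFIC_TRACKS))
```

Running the module prints the verdicts for the constructed samples. Two design points matter in practice: a hash fingerprint such as the MD5 the patent names only catches byte-identical files, so a one-byte change sends the sample straight to the behavior stage, which is exactly the gap the unknown-threat engine exists to cover; and internal addresses are tested against the RFC 1918 ranges rather than with ipaddress.is_private, because the latter also reports the TEST-NET documentation ranges used for the samples as private.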
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method in the first embodiment when executing the computer program.
The embodiment of the present invention further provides a computer readable medium having a non-volatile program code executable by a processor, where the program code causes the processor to execute the method in the first embodiment.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An active defense method for unknown threats, applied to a server, comprising the following steps:
acquiring a file to be identified and/or traffic to be identified;
performing behavior analysis on the file to be identified and/or the traffic to be identified to obtain a file track and/or a traffic track;
performing threat analysis on the file to be identified and/or the traffic to be identified based on the file track and/or the traffic track to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified;
and judging, based on the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic.
2. The method according to claim 1, wherein the step of performing behavior analysis on the file to be identified to obtain a file track comprises:
hooking a first hook function into an operation function of a file system, wherein the operation function comprises at least one of: a file open operation function, a create operation function, a read operation function, a write operation function, a file close operation function and a file attribute change operation function;
acquiring the file track of the file to be identified by means of the first hook function, the file track comprising: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
3. The method according to claim 1, wherein the step of performing behavior analysis on the traffic to be identified to obtain a traffic track comprises:
hooking a second hook function into the network protocol stack;
acquiring the traffic track of the traffic to be identified by means of the second hook function, the traffic track comprising: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
4. The method according to claim 1, wherein the step of performing threat analysis on the file to be identified based on the file track to obtain the maliciousness of the file to be identified comprises:
performing threat analysis on the file to be identified based on the file track, obtaining respectively a first threat degree of the operations performed on the file to be identified by the user to which it belongs and a second threat degree of the process running after the file to be identified is executed;
and summing the first threat degree and the second threat degree to obtain the maliciousness of the file to be identified.
5. The method according to claim 1, wherein the step of performing threat analysis on the traffic to be identified based on the traffic track to obtain the maliciousness of the traffic to be identified comprises:
performing threat analysis on the traffic to be identified based on the traffic track, obtaining respectively a third threat degree of the operations performed on the traffic to be identified by the user to which it belongs and a fourth threat degree of the process to which the traffic to be identified belongs;
and summing the third threat degree and the fourth threat degree to obtain the maliciousness of the traffic to be identified.
6. An active defense system for unknown threats, applied to a server, comprising: a terminal module, a first analysis module, a second analysis module and an unknown threat processing module, wherein
the terminal module is configured to acquire a file to be identified and/or traffic to be identified;
the first analysis module is configured to perform behavior analysis on the file to be identified and/or the traffic to be identified to obtain a file track and/or a traffic track;
the second analysis module is configured to perform threat analysis on the file to be identified and/or the traffic to be identified based on the file track and/or the traffic track to obtain the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified;
the unknown threat processing module is configured to determine, based on the maliciousness of the file to be identified and/or the maliciousness of the traffic to be identified, whether the file to be identified and/or the traffic to be identified is a malicious file and/or malicious traffic.
7. The system of claim 6, wherein the first analysis module further comprises a file analysis unit configured to:
hook a first hook function into an operation function of a file system, wherein the operation function comprises at least one of: a file open operation function, a create operation function, a read operation function, a write operation function, a file close operation function and a file attribute change operation function;
acquire the file track of the file to be identified by means of the first hook function, the file track comprising: file operation start time, file operation end time, operation item, operating process name, operating user name and file permissions.
8. The system of claim 6, wherein the first analysis module further comprises a traffic analysis unit configured to:
hook a second hook function into the network protocol stack;
acquire the traffic track of the traffic to be identified by means of the second hook function, the traffic track comprising: connection creation time, connection close time, destination IP of the traffic to be identified, destination port of the traffic to be identified, process information and operating user name.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the steps of the method of any one of claims 1 to 5 are implemented when the processor executes the computer program.
10. A computer-readable medium storing non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911091953.2A CN110837639A (en) 2019-11-08 2019-11-08 Active defense method and system for unknown threat

Publications (1)

Publication Number Publication Date
CN110837639A true CN110837639A (en) 2020-02-25

Family

ID=69575022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911091953.2A Pending CN110837639A (en) 2019-11-08 2019-11-08 Active defense method and system for unknown threat

Country Status (1)

Country Link
CN (1) CN110837639A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593249A (en) * 2008-05-30 2009-12-02 成都市华为赛门铁克科技有限公司 (Chengdu Huawei Symantec Technologies Co., Ltd.) Suspicious file analysis method and system
CN104200161A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 (Hangzhou Anheng Information Technology Co., Ltd.) Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on the method
CN107426196A (en) * 2017-06-30 2017-12-01 全球能源互联网研究院 (Global Energy Interconnection Research Institute) Method and system for identifying web intrusions
CN110399720A (en) * 2018-12-14 2019-11-01 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.) File detection method and related apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曹明静 (Cao Mingjing): "Research on malware detection technology for smart terminals based on anomalous network behavior" (基于网络异常行为的智能终端恶意软件检测技术研究), China Master's Theses Full-text Database, Information Science and Technology series *

Similar Documents

Publication Publication Date Title
US11044264B2 (en) Graph-based detection of lateral movement
CN1773417B (en) System and method of aggregating the knowledge base of antivirus software applications
US8214905B1 (en) System and method for dynamically allocating computing resources for processing security information
Arora et al. Minimizing network traffic features for android mobile malware detection
CN112073411B (en) Network security deduction method, device, equipment and storage medium
US10574630B2 (en) Methods and apparatus for malware threat research
US8209758B1 (en) System and method for classifying users of antivirus software based on their level of expertise in the field of computer security
US8214904B1 (en) System and method for detecting computer security threats based on verdicts of computer users
KR100910761B1 (en) Anomaly Malicious Code Detection Method using Process Behavior Prediction Technique
US11159542B2 (en) Cloud view detection of virtual machine brute force attacks
CN110958257B (en) Intranet permeation process reduction method and system
CN108337219B (en) Method for preventing Internet of things from being invaded and storage medium
CN101894225A (en) The system and method for assembling the knowledge base of antivirus software applications
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
RU2634181C1 (en) System and method for detecting harmful computer systems
CN109684833B (en) System and method for adapting program dangerous behavior patterns to user computer system
KR102222377B1 (en) Method for Automatically Responding to Threat
EP3623983A1 (en) Method and device for identifying security threats, storage medium, processor and terminal
CN109800571B (en) Event processing method and device, storage medium and electronic device
CN109800569A (en) Program identification method and device
RU2481633C2 (en) System and method for automatic investigation of safety incidents
EP2584488B1 (en) System and method for detecting computer security threats based on verdicts of computer users
CN115086081B (en) Escape prevention method and system for honeypots
CN110837639A (en) Active defense method and system for unknown threat
EP3252645B1 (en) System and method of detecting malicious computer systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200225