CN110866246A - Malicious code attack detection method and device and electronic equipment - Google Patents

Malicious code attack detection method and device and electronic equipment Download PDF

Info

Publication number
CN110866246A
Authority
CN
China
Prior art keywords
login
event
host
current host
frequency
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811631543.8A
Other languages
Chinese (zh)
Other versions
CN110866246B (en)
Inventor
孙洪伟
徐翰隆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ahtech Network Safe Technology Ltd
Original Assignee
Beijing Ahtech Network Safe Technology Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Ahtech Network Safe Technology Ltd
Priority to CN201811631543.8A
Publication of CN110866246A
Application granted
Publication of CN110866246B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the invention disclose a method and a device for detecting malicious code attacks, and an electronic device, in the technical field of network security; they can detect and identify network attack means based on malicious code. The method comprises the following steps: monitoring security audit events of the operating system of the current host, the security audit events including events of logging in to the current host; acquiring first log information about audit failure events among the login events of the current host within a predetermined period, the first log information including the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred; acquiring, from the first log information, a first occurrence frequency of those audit failure events whose entered login account is the same; judging whether the first occurrence frequency exceeds a first predetermined threshold; and if so, determining that the login event on the current host is a malicious attack. The invention can be applied to network security detection, interception and defense scenarios.

Description

Malicious code attack detection method and device and electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting malicious code attacks and electronic equipment.
Background
Malicious code refers to computer code that is deliberately programmed or configured to pose a threat or potential threat to a network or system.
In the process of implementing the invention, the inventor found that in current network attack means, once malicious code has penetrated an enterprise local area network, the infected host searches for other hosts in the local area network and carries out irregular lateral-spread attacks with evolving methods, and then performs secondary lateral penetration, theft, sabotage and other actions against servers or hosts in the attacked local area network.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for detecting malicious code attacks, and an electronic device, which can detect and identify network attack means based on malicious code, so as to reduce as far as possible the loss such attacks cause to hosts in a local area network.
In a first aspect, an embodiment of the present invention provides a method for detecting a malicious code attack, the method comprising:
monitoring security audit events of the operating system of the current host, the security audit events including events of logging in to the current host;
acquiring first log information about audit failure events among the login events of the current host within a predetermined period, the first log information including the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred;
acquiring, from the first log information, a first occurrence frequency of those audit failure events whose entered login account is the same;
judging whether the first occurrence frequency exceeds a first predetermined threshold;
and if so, determining that the login event on the current host is a malicious attack.
With reference to the first aspect, in a first implementation of the first aspect, the first log information further includes identification information of the login host;
and after the first log information about audit failure events among the login events of the current host within the predetermined period has been acquired, the method further includes:
judging, from the identification information of the login host, whether the audit failure events of logging in to the current host all came from the same login host;
if so, determining that the login event on the current host is a malicious attack;
if not, re-acquiring, for each corresponding login host, a second occurrence frequency of its audit failure events on the current host within the predetermined period;
judging which threshold range the second occurrence frequency falls in;
and determining, according to that threshold range, whether the login event on the current host is a malicious attack.
With reference to the first aspect and its first implementation, in a second implementation of the first aspect, the first log information further includes the occurrence time of each audit failure event;
and if the first occurrence frequency is judged to exceed the predetermined threshold, the method further includes: determining, from the occurrence times, the time intervals between successive audit failure events within the predetermined period whose entered login account is the same;
judging whether those time intervals are consistent;
and if they are consistent, determining that the login event on the current host is a malicious attack.
With reference to the first aspect and its first and second implementations, in a third implementation of the first aspect, after monitoring the security audit events of the operating system of the current host, the method further includes:
acquiring second log information about audit success events among the login events of the current host within the predetermined period, the second log information including the login account, the login password, the login process name, the login host address and the remote login communication protocol used when the current host was successfully logged in to;
tracking and analyzing, from the second log information, the historical login information of that login host within a predetermined time period before the current login event, the historical login information including the occurrence time of each historical login event and the login account and login password entered in it;
judging whether the login account entered by the login host in the historical login events is the same as the login account entered in the successful login to the current host;
if so, judging whether the login password entered by the login host in the historical login events is the same as the login password entered in the successful login to the current host;
if not, determining the occurrence frequency of the historical login events from their occurrence times;
and determining whether the login event on the current host is a malicious attack according to whether the occurrence frequency of the historical login events exceeds the first predetermined threshold.
With reference to the first aspect and its first, second and third implementations, in a fourth implementation of the first aspect, the second log information further includes the time of the successful login to the current host;
and if the login password entered in the historical login events is judged to differ from the login password entered in the successful login to the current host, the method further includes:
acquiring the occurrence time of the first login event among the historical login events;
determining, from the occurrence time of that first login event and the time of the successful login to the current host, a first duration from the first login event to the successful login;
judging whether the first duration exceeds a predetermined required-time threshold;
and if so, determining that the current login event is a malicious attack.
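The third and fourth implementations, as an added worked example in Python (editor-supplied illustration code, not code from the patent or from Beijing Ahtech): a successful login is checked against the same login host's earlier attempts on the same account with differing credentials, first by the occurrence frequency of those attempts and then by the time elapsed from the first attempt to the success. The `LoginRecord` shape, the 300 s look-back window, the 1 attempt-per-minute frequency threshold, the 60 s required-time threshold and the sample timelines are all constructed here and are not the page's values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed record shape: the page's "second log information" plus the
# historical events of the same login host. `credential` stands in for the
# login password field the page compares (see the note below the block).
@dataclass(frozen=True)
class LoginRecord:
    ts: float          # seconds on a constructed timeline
    success: bool
    account: str
    credential: str
    login_host: str


def history_before(records: List[LoginRecord], current: LoginRecord,
                   lookback: float) -> List[LoginRecord]:
    """Historical login events from the same login host within `lookback`
    seconds before the current (successful) login event."""
    return [r for r in records
            if r.login_host == current.login_host
            and current.ts - lookback <= r.ts < current.ts]


def assess_successful_login(records: List[LoginRecord], current: LoginRecord,
                            lookback: float = 300.0,
                            max_attempts_per_minute: float = 1.0,
                            required_time: float = 60.0) -> Dict:
    """Third and fourth implementations: a success preceded by a run of attempts
    on the same account with differing credentials. Threshold values and the
    per-minute frequency definition are assumptions, not the page's numbers."""
    same_account = [r for r in history_before(records, current, lookback)
                    if r.account == current.account]
    differing = [r for r in same_account if r.credential != current.credential]
    if not differing:
        # No earlier attempt on this account, or the same credential as before:
        # an ordinary repeat login rather than guessing.
        return {"malicious": False, "reasons": [], "attempts": 0, "first_time": 0.0}
    reasons = []
    # Occurrence frequency of the historical events over the look-back window.
    attempts_per_minute = len(differing) / (lookback / 60.0)
    if attempts_per_minute > max_attempts_per_minute:
        reasons.append("historical attempt frequency exceeds first threshold")
    # First duration: from the earliest differing attempt to the successful login.
    first_time = current.ts - min(r.ts for r in differing)
    if first_time > required_time:
        reasons.append("time from first attempt to success exceeds required-time threshold")
    return {"malicious": bool(reasons), "reasons": reasons,
            "attempts": len(differing), "first_time": first_time}


# Constructed timeline: six guesses on Administrator from one login host,
# one unrelated failure from another host, then a success with a seventh credential.
HISTORY = (
    [LoginRecord(20.0 * i, False, "Administrator", f"guess{i}", "10.0.0.5") for i in range(6)]
    + [LoginRecord(50.0, False, "Administrator", "other", "10.0.0.7")]
)
GUESSED_SUCCESS = LoginRecord(130.0, True, "Administrator", "guess6", "10.0.0.5")

# A single mistyped credential five seconds before a correct one from another host.
TYPO_HISTORY = [LoginRecord(95.0, False, "alice", "passwrd", "10.0.0.9")]
TYPO_SUCCESS = LoginRecord(100.0, True, "alice", "password", "10.0.0.9")

if __name__ == "__main__":
    print(assess_successful_login(HISTORY, GUESSED_SUCCESS))
    print(assess_successful_login(TYPO_HISTORY, TYPO_SUCCESS))
```

Operating-system audit logs do not record the submitted password, so a deployment would have to obtain a credential fingerprint from the authentication component itself; the `credential` field here only reproduces the comparison the page describes. Keeping the frequency relative to the whole look-back window (rather than to the span of the attempts) is what lets a single typo five seconds before a correct login stay benign.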
With reference to the first aspect and its first to fourth implementations, in a fifth implementation of the first aspect, the method further includes, after the login event on the current host has been determined to be a malicious attack:
determining the level of the malicious attack according to the first occurrence frequency;
and determining a defense policy according to that level, the defense policies including temporarily shutting down and/or permanently shutting down the remote login service of the current host.
With reference to the first aspect and its first to fifth implementations, in a sixth implementation of the first aspect, the level of the malicious attack includes a low-frequency blasting-level (brute-force) attack and/or a high-frequency blasting-level attack;
determining the level of the malicious attack according to the occurrence frequency comprises:
judging whether the occurrence frequency is within a first frequency threshold range, the first frequency threshold range being 10 to 20 seconds per attempt;
if so, determining the level of the malicious attack to be the low-frequency blasting level;
otherwise, judging whether the occurrence frequency is within a second frequency threshold range, the second frequency threshold range being 2 to 3 seconds per attempt;
and if so, determining the level of the malicious attack to be the high-frequency blasting level;
and determining the defense policy according to the level comprises:
after the level is determined to be the low-frequency blasting level, temporarily closing the remote login service of the current host for a predetermined time;
and after the level is determined to be the high-frequency blasting level, permanently closing the remote login service of the current host.
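The interval-consistency check of the second implementation and the grading and defense policy of the fifth and sixth implementations, as an added example in Python (editor-supplied, not the patent's code): the 10 to 20 s and 2 to 3 s per-attempt ranges are the page's; the 0.5 s consistency tolerance, grading by the mean interval, the `assess` helper and the 600 s temporary shutdown are assumptions made here, and the timestamp lists are constructed.

```python
from statistics import mean
from typing import List, Optional, Tuple

LOW_FREQ_RANGE = (10.0, 20.0)   # seconds per attempt: low-frequency blasting level
HIGH_FREQ_RANGE = (2.0, 3.0)    # seconds per attempt: high-frequency blasting level
TEMP_SHUTDOWN_SECONDS = 600     # assumed "predetermined time" for the temporary shutdown


def attempt_intervals(failure_times: List[float]) -> List[float]:
    """Gaps between successive audit failure events for one login account."""
    times = sorted(failure_times)
    return [b - a for a, b in zip(times, times[1:])]


def intervals_consistent(intervals: List[float], tolerance: float = 0.5) -> bool:
    """Second implementation. 'Consistent' is taken (assumption) to mean all gaps
    lie within `tolerance` seconds of each other, the signature of a scripted source."""
    return len(intervals) >= 2 and max(intervals) - min(intervals) <= tolerance


def attack_level(intervals: List[float]) -> Optional[str]:
    """Sixth implementation: grade by the mean seconds per attempt."""
    if not intervals:
        return None
    per_attempt = mean(intervals)
    if LOW_FREQ_RANGE[0] <= per_attempt <= LOW_FREQ_RANGE[1]:
        return "low-frequency blasting"
    if HIGH_FREQ_RANGE[0] <= per_attempt <= HIGH_FREQ_RANGE[1]:
        return "high-frequency blasting"
    return None


def defense_policy(level: Optional[str]) -> Tuple[str, Optional[int]]:
    """Map the level to the page's two policies for the remote login service."""
    if level == "low-frequency blasting":
        return ("temporarily close remote login service", TEMP_SHUTDOWN_SECONDS)
    if level == "high-frequency blasting":
        return ("permanently close remote login service", None)
    return ("no action", None)


def assess(failure_times: List[float]) -> dict:
    """Run the interval check first; grade and choose a policy only when it passes."""
    gaps = attempt_intervals(failure_times)
    if not intervals_consistent(gaps):
        return {"malicious": False, "level": None, "policy": ("no action", None)}
    level = attack_level(gaps)
    return {"malicious": True, "level": level, "policy": defense_policy(level)}


# Constructed failure timestamps (seconds) for one account within one period.
SCRIPTED_FAST = [0.0, 2.5, 5.0, 7.5, 10.0, 12.5]   # every 2.5 s
SCRIPTED_SLOW = [0.0, 15.0, 30.0, 45.0, 60.0]       # every 15 s
HUMAN_LIKE = [0.0, 4.0, 31.0, 32.5, 90.0]           # irregular gaps

if __name__ == "__main__":
    for name, times in (("fast", SCRIPTED_FAST), ("slow", SCRIPTED_SLOW), ("human", HUMAN_LIKE)):
        print(name, assess(times))
```

A consistent interval that falls in neither range (for example 5 s per attempt) is still reported as malicious, as the second implementation requires, but with no level and therefore no shutdown policy; a deployment would need to decide what to do in that gap between the page's two bands.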
With reference to the first aspect and any one of its first to sixth implementations, in a seventh implementation of the first aspect, at the same time as or after determining that the login event on the current host is a malicious attack, the method further includes:
sending the first log information and the detection result to a server, so that, based on the first log information and the detection result, the server cuts off communication between the current host and the login host and sends a message instructing the hosts in the local area network to close their remote login services; the first log information further includes identification information of the login host and the protocol the login host used to communicate with the current host.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting a malicious code attack, the apparatus comprising: a monitoring module for monitoring security audit events of the operating system of the current host, the security audit events including events of logging in to the current host;
a first acquisition module for acquiring first log information about audit failure events among the login events of the current host within a predetermined period, the first log information including the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred;
a second acquisition module for acquiring, from the first log information, a first occurrence frequency of those audit failure events whose entered login account is the same;
and a first judgment-and-determination module for judging whether the first occurrence frequency exceeds a first predetermined threshold,
and, if it does, determining that the login event on the current host is a malicious attack.
With reference to the second aspect, in a first implementation of the second aspect, the first log information further includes identification information of the login host;
and the apparatus further comprises: a first judging module for judging, from the identification information of the login host, whether the audit failure events of logging in to the current host all came from the same login host;
a first determining module for determining that the login event on the current host is a malicious attack if, after the first log information about audit failure events within the predetermined period has been acquired, those events are judged to have come from the same login host;
a second determining module for re-acquiring, for each corresponding login host, a second occurrence frequency of its audit failure events on the current host within the predetermined period if the events are judged not to have come from the same login host;
a first judgment module for judging which threshold range the second occurrence frequency falls in;
and a third determining module for determining, according to that threshold range, whether the login event on the current host is a malicious attack.
With reference to the second aspect and its first implementation, in a second implementation of the second aspect, the first log information further includes the occurrence time of each audit failure event;
and the apparatus further comprises:
a fourth determining module for determining, from the occurrence times and after the first occurrence frequency has been judged to exceed the predetermined threshold, the time intervals between successive audit failure events within the predetermined period whose entered login account is the same;
a second judging module for judging whether those time intervals are consistent;
and a fifth determining module for determining that the login event on the current host is a malicious attack if the time intervals are judged to be consistent.
With reference to the second aspect and its first or second implementation, in a third implementation of the second aspect, the apparatus further comprises:
a third acquisition module for acquiring, after the security audit events of the operating system of the current host have been monitored, second log information about audit success events among the login events of the current host within the predetermined period, the second log information including the login account, the login password, the login process name, the login host address and the remote login communication protocol used when the current host was successfully logged in to;
a tracking-and-analysis module for tracking and analyzing, from the second log information, the historical login information of that login host within a predetermined time period before the current login event, the historical login information including the occurrence time of each historical login event and the login account and login password entered in it;
a third judging module for judging whether the login account entered by the login host in the historical login events is the same as the login account entered in the successful login to the current host;
a fourth judging module for judging, if the third judging module finds them the same, whether the login password entered by the login host in the historical login events is the same as the login password entered in the successful login to the current host;
a second judgment-and-determination module for determining the occurrence frequency of the historical login events from their occurrence times if the login password entered in the historical login events is judged to differ from the one entered in the successful login;
and a sixth determining module for determining whether the login event on the current host is a malicious attack according to the occurrence frequency of the historical login events.
With reference to the second aspect, in a fourth implementation of the second aspect, the second log information further includes the time of the successful login to the current host;
and the apparatus further comprises: a fourth acquisition module for acquiring the occurrence time of the first login event among the historical login events after the login password entered in the historical login events has been judged to differ from the one entered in the successful login to the current host;
a seventh determining module for determining, from the occurrence time of that first login event and the time of the successful login to the current host, a first duration from the first login event to the successful login;
and a third judgment-and-determination module for judging whether the first duration exceeds a predetermined required-time threshold,
and, if so, determining that the current login event is a malicious attack.
With reference to the second aspect, in a fifth implementation of the second aspect, the apparatus further comprises:
an attack level determining module for determining the level of the malicious attack according to the first occurrence frequency after the login event on the current host has been determined to be a malicious attack;
and a defense policy determining module for determining a defense policy according to that level, the defense policies including temporarily shutting down and/or permanently shutting down the remote login service of the current host.
With reference to the second aspect and any one of its first to fifth implementations, in a sixth implementation of the second aspect, the level of the malicious attack includes a low-frequency blasting-level attack and/or a high-frequency blasting-level attack;
the attack level determining module comprises:
a first judging unit for judging whether the occurrence frequency is within a first frequency threshold range, the first frequency threshold range being 10 to 20 seconds per attempt;
a first determining unit for determining the level of the malicious attack to be the low-frequency blasting level if the occurrence frequency is judged to be within the first frequency threshold range,
and, if the occurrence frequency is not within the first frequency threshold range, continuing to judge whether it is within a second frequency threshold range, the second frequency threshold range being 2 to 3 seconds per attempt;
and a second determining unit for determining the level of the malicious attack to be the high-frequency blasting level if the occurrence frequency is judged to be within the second frequency threshold range;
and the defense policy determining module comprises:
a first defense unit for temporarily closing the remote login service of the current host for a predetermined time after the level has been determined to be the low-frequency blasting level;
and a second defense unit for permanently closing the remote login service of the current host after the level has been determined to be the high-frequency blasting level.
With reference to the second aspect and any one of its first to sixth implementations, in a seventh implementation of the second aspect, the apparatus further comprises: a sending module for sending the first log information and the detection result to a server at the same time as or after the login event on the current host is determined to be a malicious attack, so that, based on the first log information and the detection result, the server cuts off communication between the current host and the login host and sends a message instructing the hosts in the local area network to close their remote login services; the first log information further includes identification information of the login host and the protocol the login host used to communicate with the current host.
In a third aspect, an embodiment of the present invention provides an electronic device comprising: one or more processors;
and a memory;
the memory storing one or more executable programs, and the one or more processors reading the executable program code stored in the memory and executing the programs corresponding to that code, so as to carry out the method of any one of the implementations of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the method of any one of the implementations of the first aspect.
With the detection method, detection apparatus and electronic device for malicious code attacks provided by the embodiments of the invention, security audit events of the operating system of the current host are monitored, the security audit events including events of logging in to the current host; first log information about audit failure events among the login events of the current host within a predetermined period is acquired, the first log information including the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred; a first occurrence frequency of those audit failure events whose entered login account is the same is acquired from the first log information; whether the first occurrence frequency exceeds a first predetermined threshold is judged; and if so, the login event on the current host is determined to be a malicious attack. Because the first log information includes both the occurrence frequency of audit failures among the login events within the predetermined period and the login account entered in each failed login, the first occurrence frequency of the failed login events sharing the same entered login account can be calculated from it once it has been acquired; whether the login event on the current host is a malicious attack is then determined by whether that first occurrence frequency exceeds the threshold. In this way a network attack means based on malicious code can be detected and identified, and the loss such attacks cause to hosts in the local area network is reduced as far as possible.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person skilled in the art could obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a malicious code attack detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another embodiment of the malicious code attack detection method according to the present invention;
FIG. 3 is a flowchart of a further embodiment of the malicious code attack detection method according to the present invention;
FIG. 4 is a flowchart of a further embodiment of the malicious code attack detection method according to the present invention;
FIG. 5 is a block diagram of an embodiment of a malicious code attack detection apparatus according to the present invention;
FIG. 6 is a block diagram of another embodiment of the malicious code attack detection apparatus according to the present invention;
FIG. 7 is a block diagram of a further embodiment of the malicious code attack detection apparatus according to the present invention;
FIG. 8 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of an embodiment of the method for detecting malicious code attacks according to the present invention. As shown in Fig. 1, the method of this embodiment may be applied to network security detection, interception and defense scenarios, and is particularly suitable for detecting, identifying and actively defending against remote network attack means based on malicious code or programs; in a concrete application it may be integrated in an electronic device with networking capability in a local area network. Malicious code refers to computer code that is deliberately programmed or configured to pose a threat or potential threat to a network or system. The method may include:
Step 101: monitor security audit events of the operating system of the current host, the security audit events including events of logging in to the current host.
In this embodiment, the current host is the electronic device currently being monitored, or the main body of that device; it has networking capability and may be, for example, a personal computer, a tablet computer, a smart phone or the like. In the embodiment of the present invention, security audit events in the operating system may be monitored through the standard data interface provided by the operating system: the operating system audits, with a success or failure outcome, an event occurring in an event generator, whether an authentication or an authorization, and logs the event together with that outcome, thereby forming a security audit log list. For example, when someone logs in to a computer, the event generator confirms whether the login event succeeded and records the information related to that login audit event in the security audit log list.
There are many kinds of security audit events. Since malicious code usually logs in to a host from a remote server in order to carry out a network attack, and the scheme of this embodiment is mainly a means of detecting and defending against that kind of network attack, this embodiment is chiefly concerned with events of logging in to the host, and the events discussed below are mainly login events. A login event is an interactive login or a network connection to the local computer; for login events, the security audit policy of the operating system audits both the success and the failure of the login.
Step 102: acquire first log information about audit failure events among the login events of the current host within a predetermined period, the first log information including the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred.
In this embodiment, when malicious code logs in to the current host from a remote server, it may attempt the login with any login account, and it usually tries the Administrator account. Because the login generally cannot be blasted (brute-forced) successfully on the first attempt, the records in the security audit event log are generally identified as audit failure events.
In this embodiment, a trigger may be set to obtain the security audit events at regular times; it may be set to obtain only audit failure events or, as required, to obtain audit success events as well. The operating system's auditing of security audit events may run in real time, or the settings may be changed manually to alter the audit period. The predetermined period is a preset length of time; it may be set to 3 min, 5 min, 10 min or the like as required, and acquisition may also be set to run at intervals.
In addition, within the predetermined period the audit log information records all events, audit success events as well as audit failure events, and occurrence frequency information about audit failure events among the login events can be calculated from the number of audit failure events occurring in the predetermined period. The first log information includes the occurrence frequency of the audit failure events and the login account entered each time an audit failure event occurred; specifically, the log record of a failed login may further carry occurrence frequency information for the audit failure event (in effect, the frequency of failed logins).
Step 103: from the first log information, obtain a first occurrence frequency of the events, among the audit-failure events that occurred, in which the same login account was entered.
In this embodiment, the first occurrence frequency may be the proportion of the login-related audit-failure events with a matching login account among all events in the predetermined period, or the proportion of those events among all login-related audit-failure events in the period. Specifically, the first occurrence frequency may be obtained by: screening out, from the audit-failure events that occurred, the first events in which the login account matches; counting the number of first events; and dividing the number of first events in the predetermined period either by the number of audit-failure events in the period or by the total number of events in the period. Dividing by the number of audit-failure events is preferred. For example, if twenty login-failure events occur in the predetermined period and fifteen of them were entered with the same login account, the occurrence frequency of audit-failure events with a matching login account is 75%, which provides a reasonably accurate basis for deciding whether the activity is a malicious attack.
Consistency here means that events occurring several times over a period of time are the same; in this embodiment it specifically means whether the login account entered in each remote login attempt is the same across the audit-failure login events on the current host within the predetermined period. Because many login events occur within a predetermined period, if the same login account is attempted repeatedly within the period, or its occurrence frequency exceeds a first predetermined threshold, the activity can be determined to be a malicious attack.
Step 104: judge whether the first occurrence frequency exceeds a first predetermined threshold; if so, execute step 105 and determine that the login event on the current host is a malicious attack.
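Steps 102 to 105 as working Python, added here as an illustration and not part of the patent's text. The record layout (seconds since the start of the period, login account, login-host address, audit result), the sample events and the 0.5 threshold are assumptions; the worked case is the twenty failures with fifteen on one account from the paragraph above. The function also offers the alternative denominator (all login events in the period) that the text mentions but does not prefer.

```python
from collections import Counter, namedtuple

# One login event from the security audit log (constructed record layout, not the
# patent's own format): time in seconds since the start of the predetermined
# period, the login account entered, the login host's address, audit result.
LoginEvent = namedtuple("LoginEvent", "t account src success")


def audit_failures(events):
    """The audit-failure subset of the login events in the period (step 102)."""
    return [e for e in events if not e.success]


def first_occurrence_frequency(events, denominator="failures"):
    """Step 103: frequency of the audit-failure events entered with the same
    login account.  The numerator is the count of the most frequently tried
    account; the denominator is either the number of audit-failure events
    (preferred in the text) or the number of all login events in the period.
    Returns (account, frequency)."""
    failures = audit_failures(events)
    if not failures:
        return None, 0.0
    account, count = Counter(e.account for e in failures).most_common(1)[0]
    total = len(failures) if denominator == "failures" else len(events)
    return account, count / total


def is_malicious_attack(events, threshold=0.5):
    """Steps 104/105: malicious when the first occurrence frequency exceeds the
    first predetermined threshold (threshold value assumed for illustration)."""
    account, freq = first_occurrence_frequency(events)
    return freq > threshold, account, freq


# Constructed sample period (5 min): 20 audit failures, 15 of them against
# Administrator from one host, 5 mistyped accounts from another, plus 4
# successful logins by a normal user.
SAMPLE = (
    [LoginEvent(10 + 15 * i, "Administrator", "10.0.0.7", False) for i in range(15)]
    + [LoginEvent(12 + 40 * i, f"user{i}", "10.0.0.8", False) for i in range(5)]
    + [LoginEvent(30 + 60 * i, "alice", "10.0.0.9", True) for i in range(4)]
)

if __name__ == "__main__":
    verdict, account, freq = is_malicious_attack(SAMPLE)
    print(f"account={account} first_occurrence_frequency={freq:.2f} malicious={verdict}")
```

With the failure-count denominator the sample gives 15/20 = 0.75 for Administrator; with all 24 login events as the denominator it gives 0.625, which shows why the text prefers the former: successful logins by other users dilute the signal.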
In this embodiment, in practice a first relationship model between the occurrence frequency of audit-failure events with a matching login account and malicious attack behaviour may be built from recorded historical login behaviour of malicious-code-based remote network attacks, in which a password is tried at each login. The relationship model is stored as a malicious code attack detection model. The next time malicious code attacks by remotely logging in to the current host, the first occurrence frequency of security-audit-failure events with a matching entered account is obtained and matched or compared against the relationship data between occurrence frequency and malicious attack behaviour stored in the detection model, to determine whether the behaviour is a malicious attack. Further, malicious attack behaviour may be divided into several levels, with the occurrence frequency of login audit-failure events corresponding to each level established separately, so that the level of a malicious attack can be determined as the basis for choosing a defence policy.
The malicious code attack detection method provided by the embodiment of the invention monitors the security audit events of the operating system of the current host, the security audit events including login events on the current host; acquires first log information about the audit-failure events among the login events on the current host within a predetermined period, the first log information including the number of occurrences of the audit-failure events and the login account entered each time an audit-failure event occurred; obtains from the first log information a first occurrence frequency of the audit-failure events in which the same login account was entered; judges whether the first occurrence frequency exceeds a first predetermined threshold; and, if so, determines that the login event on the current host is a malicious attack. Because the first log information contains both the number of audit failures among the login events in the predetermined period and the login account entered at each failed login, the first occurrence frequency of the audit-failure events with a matching login account can be calculated from it, and whether the login event is a malicious attack is then decided by whether that frequency exceeds the threshold. Network attacks based on malicious code can thus be detected and identified, so that the damage they cause to hosts in the local area network is reduced as far as possible.
In this embodiment, as an optional embodiment, the first log information further includes identification information of the login host.
Each time malicious code remotely logs in to a host, it needs to make multiple password attempts against an account of that host, that is, it keeps attempting to log in to the account until the brute-force login succeeds. The entered login password may match the login password corresponding to the security ID (account) of the current host; when it matches, the remote login attempt by the malicious code succeeds, and before that success there are many wrong entries. The operating system may lock the current host as soon as it detects an abnormal login, or temporarily disconnect the remote login server, so as to block any suspected malicious code network attack.
Specifically, the login account (and the login password tried with it) entered in each detected malicious code attack may be stored in a blacklist; when a login account matching an entry in the blacklist is observed next time, it is determined to be a malicious attack, so that a repeated attempt on the same login account can be identified quickly. Accounts mistyped during normal logins can be stored in a whitelist to avoid misjudgement; normal login here is in contrast to malicious attack login. Note that a match on the account alone would also flag legitimate users of a shared account such as Administrator, so in practice the account match is combined with the identification of the login host described below.
Referring to fig. 2, after acquiring the first log information about the audit-failure events among the login events on the current host within the predetermined period, the method further includes:
Step 110: judge, from the identification information of the login host, whether the audit-failure login events on the current host all originate from the same login host.
In this embodiment, the login host is the remote host that remotely logs in to the current host; it may be an attack source host, and it is called an attack source host when the login is a malicious attack. Before the attack source host is determined, all login events that fail the operating system's security audit can be treated as possible network attack behaviour, so that no malicious code attack is missed and the current host can be defended comprehensively. The identification information of the login host includes its Internet Protocol (IP) address and its Media Access Control (MAC) address, also called the physical address. (The MAC address identifies the login host only when it is on the same layer-2 segment as the current host; for a login arriving through a router, the current host sees the MAC address of the router interface instead.)
If, from the identification information of the login host, the audit-failure login events on the current host are judged to come from the same login host, step 105 is executed and the login event on the current host is determined to be a malicious attack.
When every failed login attempt on the current host is detected to come from a host with the same IP address or MAC address, the login events can be determined to be network attack behaviour.
In addition, only some of the login events within the predetermined period may come from the same login host; whether the activity is a malicious attack can therefore be determined comprehensively from the occurrence frequency together with the identification information of the login host. If the audit-failure login events that occurred several times are determined, from the identification information, to come from the same login host, and the first occurrence frequency of that login host's logins to the current host exceeds the first predetermined threshold, the login event on the current host is determined to be a malicious attack.
If not, step 111 is executed: re-acquire, for each corresponding login host, a second occurrence frequency of its audit-failure login events on the current host within the predetermined period.
Step 112: judge the threshold range in which the second occurrence frequency falls. Step 113: determine whether the login event on the current host is a malicious attack according to that threshold range.
In this embodiment, when several attack source hosts attempt to remotely log in to the current host in order to carry out secondary lateral movement, data theft, ransomware and other attacks against servers or hosts in the local area network, and the login hosts are determined from their identification information not to be the same host, whether the current login event is a malicious code attack must be judged for each host separately. The occurrence frequency of audit-failure login events on the current host within the predetermined period is obtained again for each corresponding login host, and whether it is a malicious attack is determined from the threshold range of that occurrence frequency. Attacks from multiple attack source hosts are thereby detected. The threshold here is an occurrence-frequency threshold.
In this embodiment, as an optional embodiment, the first log information further includes the occurrence time of each audit-failure event. If the first occurrence frequency is judged to exceed the predetermined threshold, the method further includes: determining, from the occurrence times, the intervals between successive audit-failure events in the predetermined period in which the same login account was entered; judging whether the intervals are consistent; and, if they are, determining that the login event on the current host is a malicious attack. In existing malicious code network attacks, the attacker tries login passwords with a tool program in order to crack the password of an account on the target host; the passwords are entered automatically by the program, so the interval between successive attempts is usually fixed. Deciding whether the activity is a malicious attack from the occurrence frequency together with the consistency of the intervals improves detection accuracy.
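Steps 110 to 113 together with the interval-consistency check, as an added Python example that is not part of the patent. The audit-failure events are grouped by login-host identification (the IP address here; a MAC address would be handled the same way), each host gets its own second occurrence frequency, and the evenly spaced timing of a tool-driven brute force is tested against the per-host events. The record layout, sample events, the one-second timing tolerance and the count and share thresholds are assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed record layout: seconds since the start of the period, login
# account, login-host address, audit result.
LoginEvent = namedtuple("LoginEvent", "t account src success")


def group_by_login_host(events):
    """Step 110: bucket the audit-failure login events by login-host
    identification (the IP address here; the MAC address could be used too)."""
    by_host = defaultdict(list)
    for e in events:
        if not e.success:
            by_host[e.src].append(e)
    return dict(by_host)


def attempt_intervals(events):
    """Seconds between successive attempts, from the events' occurrence times."""
    times = sorted(e.t for e in events)
    return [b - a for a, b in zip(times, times[1:])]


def intervals_consistent(events, tolerance_s=1.0):
    """True when successive attempts are evenly spaced (within tolerance_s),
    the signature of a tool feeding passwords on a fixed timer."""
    gaps = attempt_intervals(events)
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s


def assess_login_hosts(events, period_s, min_failures=10, share_threshold=0.5):
    """Steps 111-113: per login host, the second occurrence frequency of its
    audit-failure logins in the period plus the account-consistency and
    interval-consistency checks.  Thresholds are assumed for illustration."""
    report = {}
    for src, fails in group_by_login_host(events).items():
        account, n = Counter(e.account for e in fails).most_common(1)[0]
        same_account = [e for e in fails if e.account == account]
        share = n / len(fails)
        report[src] = {
            "failures": len(fails),
            "failures_per_min": 60.0 * len(fails) / period_s,
            "top_account": account,
            "account_share": share,
            "even_intervals": intervals_consistent(same_account),
            "malicious": len(fails) >= min_failures and share > share_threshold,
        }
    return report


# Constructed sample: two sources in one 5-minute period.  10.0.0.7 is a
# tool-driven brute force on Administrator every 15 s; 10.0.0.8 is a user who
# mistyped twice at irregular intervals and then logged in.
PERIOD_S = 300
SAMPLE = (
    [LoginEvent(5 + 15 * i, "Administrator", "10.0.0.7", False) for i in range(12)]
    + [LoginEvent(40, "alice", "10.0.0.8", False),
       LoginEvent(47, "alice", "10.0.0.8", False),
       LoginEvent(75, "alice", "10.0.0.8", True)]
)

if __name__ == "__main__":
    for src, info in assess_login_hosts(SAMPLE, PERIOD_S).items():
        print(src, info)
```

Grouping by source first matters because a single shared threshold over the whole period would either miss a slow attacker hidden among normal users or flag the normal users together with the attacker; the per-host bucket is what gives each source its own second occurrence frequency.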
When malicious code carries out a network attack by remotely logging in to a host, the host's own security mechanisms, antivirus or other security software may fail to respond in time after the brute-force attempts fail, and the malicious code's brute-force login may eventually succeed. The operating system's security audit then records that login event as an audit success. If only the first log information about audit failures were obtained and analysed, a threat that has already brute-forced its way into a host in the local area network could be let through.
To implement comprehensive detection and defence, referring to fig. 3, as an optional embodiment, after step 101 of monitoring the security audit events of the operating system of the current host, the method further includes:
Step 120: acquire second log information about the audit-success events among the login events on the current host within the predetermined period; the second log information includes the login account and login password entered at the successful login to the current host, the name of the login process, the address of the login host and the remote login communication protocol.
Step 121: according to the second log information, trace and analyse the historical login information of the login host within a predetermined time period before the current login event. The historical login information includes the occurrence times of the historical login events and the login account and login password entered in each. The historical login events are the set of earlier logins to the current host made by the login host whose current login succeeded; they are not a single event but a number of logins, and whether each was an audit success or failure is determined from the security audit event log records. The predetermined time period may be 1 hour or 30 minutes.
The occurrence times of the historical login events may be used to determine the interval and frequency of the login events. The security audit event log is checked for audit-failure records of the login account entered in the historical login events; if there are any, the failed login attempts are traversed and counted, and if the count exceeds a predetermined threshold the login event is determined to be a suspected or actual malicious attack.
Step 122: judge whether the login account entered by the login host in the historical login events is the same as the login account entered at the successful login to the current host. In this embodiment, the first login account entered at each login can be obtained by traversing the failure records of the security audit log, and whether it matches the login account entered at the successful login is detected by a matching method. After that detection, the method further includes: if the entered login accounts match, counting the number of events with the matching login account, and determining from that count the occurrence frequency of events in which the login audit failed and the login account matched.
If so, step 123 is executed: judge whether the login password entered by the login host in the historical login events is the same as the login password entered at the successful login to the current host.
If the login password entered in the historical login events is judged to differ from the login password entered at the successful login, step 124 is executed: determine the occurrence frequency of the historical login events from their occurrence times; and step 125: determine whether the login event on the current host is a malicious attack according to that occurrence frequency. In this embodiment, a differing login password indicates that the historical login event in question is a login audit-failure event. Determining the occurrence frequency of the historical login events from their occurrence times (the frequency is found by counting events per unit of time) thus indirectly gives the occurrence frequency of the audit-failure events with a matching login account among the historical login events; the frequency may also be determined in other ways, for example directly from the previously counted number of occurrences.
In this embodiment, after determining that the login account entered in the historical login events of the login host differs from the login account entered at the successful login to the current host, the method further includes: determining that the login event on the current host is a suspected malicious attack.
In this embodiment, the historical login events may contain only audit-success events or only audit-failure events, or may contain both;
tracing and analysing the historical login information of the login host within the predetermined time period before the current login event according to the second log information includes: determining the audit result of the historical login events from the security audit event log.
If there are only failures, judge whether their occurrence frequency exceeds a predetermined threshold; if so, determine that the login event on the current host is a malicious attack.
Determine, from the security audit event log, whether the audit results of the historical login events include both audit-failure and audit-success events.
Acquire the first occurrence time of the current login event whose audit succeeded; judge whether a first login event whose audit failed exists in the predetermined time period before that occurrence time, the first login event being the set of the several audit-failure login events; if so, determine the occurrence frequency of the first login event; and if that occurrence frequency is greater than the first predetermined threshold, determine that the login event on the current host is a malicious attack.
In this embodiment, specifically, if the historical login events contain both audit-success and audit-failure events, whether the activity is a malicious attack is determined from the continuity in time of the audit failures that precede the audit-success event.
Or, as another optional embodiment, after determining from the security audit event log whether the audit results of the historical login events include both audit-failure and audit-success events, the method further includes: counting separately a first number of audit-success events and a second number of audit-failure events among the historical login events; comparing the first number with the second; if the first number is greater than the second, determining that the login event on the current host is not a malicious attack; and if the first number is less than the second, determining that it is a malicious attack.
By tracing and analysing the audit-success event, a threat that has already brute-forced its way into a host in the local area network can be detected and handled in time, achieving comprehensive detection of and defence against malicious-code-based network attacks.
In this embodiment, as another optional embodiment, the second log information further includes the time of the successful login to the current host;
if the login password entered in the historical login events is judged to differ from the login password entered at the successful login to the current host, the method further includes: acquiring the occurrence time of the first login event among the historical login events; determining, from that occurrence time and the time of the successful login, the first time taken from the occurrence of the first login event to the successful login to the current host; judging whether the first time exceeds a predetermined required-time threshold; and, if so, determining that the current login event is a malicious attack.
Because cracking the password of an account on the current host is generally not achieved in one go but only after continuous attempts, determining the first time taken from the first login event to the successful login and checking whether it exceeds the predetermined required-time threshold allows an attack that has already lurked in the local area network to be detected more accurately.
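The backward trace from an audit-success event (steps 120 to 125 and the optional embodiments above), as an added Python example that is not part of the patent. Given one successful login, it looks back a window at the same login host, separates the earlier failures and successes, flags a suspected attack when an earlier failure used a different account, applies the failures-only threshold rule and the mixed-history count comparison, and adds the elapsed-time rule from the first failed attempt on the account to the success. The record layout, the sample history, the one-hour window, the five-failure threshold and the 60-second required-time threshold are assumptions; real audit logs do not contain the entered password, so the password comparison of step 123 is represented by the audit result of each earlier event.

```python
from collections import namedtuple

# Constructed record layout: seconds on a common clock, login account,
# login-host address, audit result.
LoginEvent = namedtuple("LoginEvent", "t account src success")


def trace_successful_login(history, success, window_s=3600,
                           fail_threshold=5, elapsed_threshold_s=60):
    """Steps 120-125 plus the optional embodiments that follow them.

    history : all audited login events on the current host
    success : the audit-success event being examined
    Looks back window_s seconds at the same login host and decides whether the
    success is the end of a brute force.  Thresholds are assumed for illustration.
    """
    prior = [e for e in history
             if e.src == success.src and success.t - window_s <= e.t < success.t]
    fails = [e for e in prior if not e.success]
    oks = [e for e in prior if e.success]
    same_account = [e for e in fails if e.account == success.account]
    # an earlier failure on a different account -> suspected malicious attack
    suspected = any(e.account != success.account for e in fails)
    # time from the first failed attempt on this account to the success
    elapsed = (success.t - min(e.t for e in same_account)) if same_account else None

    if fails and oks:
        # mixed history: failures outnumbering successes marks an attack
        malicious = len(fails) > len(oks)
    elif fails:
        # failures only: the number of same-account failures decides
        malicious = len(same_account) > fail_threshold
    else:
        malicious = False
    if elapsed is not None and elapsed > elapsed_threshold_s:
        malicious = True
    return {
        "prior_failures": len(fails),
        "prior_successes": len(oks),
        "same_account_failures": len(same_account),
        "elapsed_s": elapsed,
        "suspected": suspected,
        "malicious": malicious,
    }


# Constructed history on the current host: a brute force on Administrator from
# 10.0.0.7 (8 failures 15 s apart, then success) and a user on 10.0.0.9 who
# mistyped the account name once before logging in.
HISTORY = (
    [LoginEvent(15 * i, "Administrator", "10.0.0.7", False) for i in range(8)]
    + [LoginEvent(120, "Administrator", "10.0.0.7", True),
       LoginEvent(495, "alcie", "10.0.0.9", False),
       LoginEvent(500, "alice", "10.0.0.9", True)]
)
BRUTE_FORCE_SUCCESS = HISTORY[8]
NORMAL_SUCCESS = HISTORY[-1]

if __name__ == "__main__":
    print(trace_successful_login(HISTORY, BRUTE_FORCE_SUCCESS))
    print(trace_successful_login(HISTORY, NORMAL_SUCCESS))
```

The brute-force case is caught twice over (eight same-account failures and 120 seconds from first attempt to success), while the mistyped account is only marked suspected, which is the distinction the text draws between a suspected and a confirmed malicious attack.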
In this embodiment, as another optional embodiment, after determining whether the login event on the current host is a malicious attack from the occurrence frequency of audit failures among the login events in the predetermined period and the consistency of the login account entered at each failed login, the method includes: if the login event on the current host is determined to be a malicious attack, determining a defence policy according to the first log information; the first log information further includes the identification information of the login host and the protocol used by the login host to communicate with the current host.
In this embodiment, the level of the attack is determined from the occurrence frequency of the login events contained in the first log information, the location of the attack source host is determined from the identification information of the login host, and a specific defence policy is determined from the protocol the login host uses to communicate with the current host. For example, an IPSec security policy that blocks ping may be used; ping is a command that uses ICMP, part of the TCP/IP protocol suite, and IPSec security policies are a built-in component of Windows systems. A corresponding defence policy is used for the ARP protocol. The examples here should not be construed as excluding other implementations.
In this embodiment, the method may further include: after judging from the audit-success login event whether it is a malicious attack, if the login event on the current host is determined to be a malicious attack, determining a defence policy according to the second log information; the second log information includes the identification information of the login host, the protocol used by the login host to communicate with the current host, the process started after the successful login, and the historical login failure or success information.
After real malicious code has penetrated the intranet, it searches for intranet hosts from the compromised host. It generally launches the brute-force attack at the time when the administrator is least attentive, first making a trial (test) password attempt, then brute-forcing the administrator account of the current host at intervals after the remote link is established; if nothing intercepts it, it switches to a higher-rate brute force. Once it passes the account permission audit of the Windows platform through remote access, that is, once the current login event is audited as successful, the target host has been compromised, and secondary lateral movement, data theft, ransomware and other attacks are then carried out against servers or hosts in the local area network.
To defend against the detected malicious attack in a targeted manner, referring to fig. 4, as an optional embodiment, after the login event on the current host is determined to be a malicious attack in step 104, determining a defence policy according to the first log information specifically includes: step 105, determining the level of the malicious attack from the first occurrence frequency; and step 106, determining the defence policy from the level; the defence policy includes temporarily and/or permanently shutting down the remote login service of the current host.
The level of the malicious attack includes a low-frequency brute-force level and/or a high-frequency brute-force level; the relationship between the frequency of the attack events and the attack level can be determined from a large number of engineering cases. For example, if the audit-failure login events on the current host occur about once every 15 seconds, the level is determined to be low-frequency brute force; if they occur once every 2 to 3 seconds, the level is determined to be high-frequency brute force.
Specifically, determining the level of the malicious attack from the occurrence frequency includes: judging whether the occurrence frequency is within a first frequency threshold range, the first range being one attempt every 10 to 20 seconds; if so, determining the level to be low-frequency brute force; otherwise, judging whether the occurrence frequency is within a second frequency threshold range, the second range being one attempt every 2 to 3 seconds; and if so, determining the level to be high-frequency brute force.
In addition, to exclude audit failures of normal login events, for example a failed login because the user forgot the password, the inventors determined statistically from a large amount of historical data that after a normal login fails, the interval between the first and second login attempts is between 4 and 6 seconds.
Therefore, as an optional embodiment, determining whether the login event on the current host is a malicious attack from the occurrence frequency of audit failures in the predetermined period and the consistency of the login account entered at each failed login further includes:
if the occurrence frequency is detected to be one attempt every 4 to 6 seconds, determining that the login event on the current host is not a malicious attack. However, to prevent someone from exploiting this interval for a malicious attack, as an optional embodiment, when login events at this interval have occurred a certain number of times the login account is temporarily locked to avert a possible malicious attack.
In this embodiment, as another optional embodiment, determining the defence policy from the level includes: after the level is determined to be low-frequency brute force, temporarily shutting down the remote login service of the current host for a predetermined time; and after the level is determined to be high-frequency brute force, permanently shutting down the remote login service of the current host.
For example, after the level is determined to be low-frequency brute force, the remote login service of the current host is shut down for 10 minutes and the first log information and the detection result are reported to the management server. When the malicious code switches to the high-frequency attack level, the remote login service of the current host is shut down permanently, and the first log information and the detection result are reported to the management server. Because an attacker can trigger this shutdown deliberately and so deny remote administration of the host, the service is started again from the management server once the event has been handled, as described below.
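The level classification and defence policy of steps 105 and 106, as an added Python example that is not part of the patent. It maps the mean interval between failed attempts onto the three ranges given in the text (10 to 20 s low-frequency, 2 to 3 s high-frequency, 4 to 6 s normal retry), chooses between the 10-minute and the permanent shutdown of the remote login service, locks the account after a run of normal-rate retries, and models the later re-enabling from the management server. The count of ten normal-rate retries before locking, the interval lists and the service model are assumptions.

```python
from collections import namedtuple
import math

# Inter-attempt interval ranges from the text (seconds per attempt).
LOW_FREQUENCY_RANGE = (10.0, 20.0)   # low-frequency brute force
HIGH_FREQUENCY_RANGE = (2.0, 3.0)    # high-frequency brute force
NORMAL_RETRY_RANGE = (4.0, 6.0)      # a person retrying after a failed login

TEMP_SHUTDOWN_S = 600                 # 10 minutes, from the example in the text
NORMAL_RETRY_LOCK_AFTER = 10          # assumed: normal-rate retries before the account is locked


def mean_interval(timestamps):
    """Average seconds between successive audit-failure attempts."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    return (ts[-1] - ts[0]) / (len(ts) - 1)


def attack_level(timestamps):
    """Step 105: map the attempt interval onto an attack level."""
    m = mean_interval(timestamps)
    if m is None:
        return "insufficient-data"
    if LOW_FREQUENCY_RANGE[0] <= m <= LOW_FREQUENCY_RANGE[1]:
        return "low-frequency"
    if HIGH_FREQUENCY_RANGE[0] <= m <= HIGH_FREQUENCY_RANGE[1]:
        return "high-frequency"
    if NORMAL_RETRY_RANGE[0] <= m <= NORMAL_RETRY_RANGE[1]:
        return "normal-retry"
    return "unclassified"


Policy = namedtuple("Policy", "action duration_s report")


def defense_policy(level, attempts):
    """Step 106: temporary or permanent shutdown of the remote login service, or
    an account lock when normal-rate retries go on for too long."""
    if level == "low-frequency":
        return Policy("shutdown_remote_login", TEMP_SHUTDOWN_S, True)
    if level == "high-frequency":
        return Policy("shutdown_remote_login", math.inf, True)
    if level == "normal-retry" and attempts >= NORMAL_RETRY_LOCK_AFTER:
        return Policy("lock_account", TEMP_SHUTDOWN_S, False)
    return Policy("none", 0, False)


class RemoteLoginService:
    """State of the current host's remote login service under the policy."""

    def __init__(self):
        self.disabled_until = None   # None = enabled; math.inf = permanent shutdown

    def apply(self, policy, now):
        if policy.action == "shutdown_remote_login":
            self.disabled_until = now + policy.duration_s

    def enabled(self, now):
        return self.disabled_until is None or now >= self.disabled_until

    def restore(self):
        """Management-server message to start the service again after handling."""
        self.disabled_until = None


def respond(timestamps, now):
    """Classify one malicious attack and return (level, policy, service state)."""
    level = attack_level(timestamps)
    policy = defense_policy(level, len(timestamps))
    svc = RemoteLoginService()
    svc.apply(policy, now)
    return level, policy, svc


if __name__ == "__main__":
    low = [100 + 15 * i for i in range(12)]     # constructed: one attempt per 15 s
    high = [100 + 2.5 * i for i in range(40)]   # constructed: one attempt per 2.5 s
    for name, ts in (("low", low), ("high", high)):
        level, policy, svc = respond(ts, now=ts[-1])
        print(name, level, policy, "enabled after 10 min:", svc.enabled(ts[-1] + 600))
```

The gaps between the ranges (for example 3 to 4 s or 6 to 10 s) fall through as unclassified, so a deployment must decide whether such intervals default to the low-frequency response rather than to no response; an attacker who paces attempts into the 4 to 6 s band is caught only by the retry counter, which is why that lock is not optional in practice.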
Because the first log information comprises the occurrence frequency of event auditing failure of the current log-in host in a preset period, the identification information of the log-in host, the communication protocol used by the log-in host for remotely logging in the current host, the log-in account input by the log-in current host, the security ID and the identification information (comprising an IP address and an MAC address) of the current host, and the process information of the log-in request message received by the current host, the server can quickly know the attack details according to the first log information after receiving the reported first log information and the detection result, for example, the position and name of the attack source host, the communication protocol adopted by the attack source host to log in the current host, the level of attack of the attack source host, the corresponding process can be quickly positioned to check the corresponding message request, and the corresponding defense strategy can be quickly determined according to the information.
As another optional embodiment, at the same time or after determining that the login current host event is a malicious attack, the method further includes: and sending the first log information and the detection result to a server so that the server cuts off the communication between the current host and the login host and sends a message for closing the remote login service to the host in the local area network based on the first log information and the detection result. Specifically, the details of the current threat event can be sent to the administrator at the server end in the form of an email or a short message, so that the server end can timely acquire the detailed information of the current event while or after the defense strategy is determined, and further defense measures can be determined according to the detailed information. For example, the communication between the current host and the login host is cut off; and informing all hosts starting the remote service of the intranet to temporarily close the remote login service.
As another alternative embodiment, after the malicious code is processed, a message for starting the telnet service is sent to the host in the lan, so that the normal use of the host in the lan is not affected.
After the first log information of audit-failure events among login events to the current host in a predetermined period is acquired, and because it comprises the number of such events in that period and the login account entered for each one, the first occurrence frequency of events sharing the same entered login account is obtained from the first log information; whether this first occurrence frequency exceeds a first predetermined threshold is judged; if so, the login current host event is determined to be a malicious attack. Network attacks based on malicious code can thus be detected and identified, so that the loss they cause to hosts in the local area network is reduced as far as possible. Furthermore, when malicious code attack behaviour is detected it can be discovered and handled in time, and the other hosts in the local area network are brought in for defence in depth, so that network attacks launched with malicious code can be effectively resisted.
Embodiment Two
Fig. 5 is a schematic structural diagram of an embodiment of the malicious code attack detection apparatus according to the present invention. As shown in fig. 5, the detection apparatus of this embodiment is applied to an electronic device with a networking function, such as a computer, a smart phone or a tablet computer, and is used to detect and defend against brute-force ("blasting") attacks in which malicious code remotely logs in to the current electronic device, such as a host; or to detect and defend against malicious-code-based network attacks that a cluster of electronic devices may encounter, in which case the apparatus may sit on a network link connected to the cluster. The apparatus comprises: a monitoring module 21, configured to monitor security audit events of the operating system of the current host, the security audit events comprising login current host events; a first obtaining module 22, configured to obtain first log information of audit-failure events among login events to the current host within a predetermined period, the first log information comprising the number of audit-failure events and the login account entered each time one occurs; a second obtaining module 23, configured to obtain, from the first log information, a first occurrence frequency of audit-failure events sharing the same entered login account; and a first judgment determination module 24, configured to judge whether the first occurrence frequency exceeds a first predetermined threshold and, if it does, to determine that the login current host event is a malicious attack.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect of the apparatus of this embodiment are similar, and are not described herein again and may be referred to each other.
Referring to fig. 6, this embodiment provides, as an alternative, an apparatus similar to the one just described, except that the first log information further includes the identification information of the login host, and the apparatus further comprises: a first judging module 25, configured to judge, after the first log information of audit-failure events among login events to the current host in the predetermined period is acquired, whether each audit-failure login event came from the same login host, according to the identification information of the login host; a first determining module 26, configured to determine that the login current host event is a malicious attack if every audit-failure login event came from the same login host; a second determining module 27, configured to, if the audit-failure login events do not all come from the same login host, re-acquire a second occurrence frequency of audit-failure login events for each corresponding login host within the predetermined period; a first judgment module 28, configured to judge the threshold range in which the second occurrence frequency lies; and a third determining module 29, configured to determine whether the login current host event is a malicious attack according to the threshold range in which the second occurrence frequency lies.
In this embodiment, as another optional embodiment, the first log information further includes: the time of occurrence of the audit failure event.
The apparatus further comprises: a fourth determining module, configured to determine, after the first occurrence frequency is found to exceed the predetermined threshold, from the occurrence times the intervals at which the audit-failure events with the same entered login account successively occurred in the predetermined period; a second judging module, configured to judge whether these time intervals are consistent; and a fifth determining module, configured to determine that the login current host event is a malicious attack if the time intervals are judged to be consistent.
As a further alternative, the apparatus further comprises: a third obtaining module, configured to obtain, after the security audit events of the operating system of the current host are monitored, second log information of audit-success events among login events to the current host in the predetermined period; the second log information comprises the login account, login password, login process name, login host address and remote login communication protocol used when the current host was successfully logged in to; a tracking analysis module, configured to track and analyse, according to the second log information, the historical login information of the login host in a preset time period before the current login event; the historical login information comprises the occurrence time of each historical login event and the login account and login password entered in it; a third judging module, configured to judge whether the login account entered by the login host in the historical login events is consistent with the login account entered in the successful login to the current host; a fourth judging module, configured to judge, if the third judging module finds them consistent, whether the login password entered by the login host in the historical login events is consistent with the login password entered in the successful login to the current host; a second judgment determination module, configured to determine the occurrence frequency of the historical login events from their occurrence times if the login password entered in the historical login events is judged to be inconsistent with the login password entered in the successful login to the current host; and a sixth determining module, configured to determine whether the login current host event is a malicious attack according to the occurrence frequency of the historical login events.
As another optional embodiment, the second log information further includes the time of the successful login to the current host, and the apparatus further comprises: a fourth obtaining module, configured to obtain the occurrence time of the first login event among the historical login events after the login password entered in the historical login events is judged to be inconsistent with the login password entered in the successful login to the current host; a seventh determining module, configured to determine, from the occurrence time of the first login event and the time of the successful login to the current host, the first time taken from the occurrence of the first login event to the successful login; and a third judgment determination module, configured to judge whether the first time exceeds a predetermined required-time threshold and, if so, to determine that the current login event is a malicious attack.
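The post-success check described in the two paragraphs above (look back at the login host's earlier attempts, keep those with the same account but a different password, then judge their count and the time from the first attempt to the success) is shown below as an added example; it is not code from the patent or its applicant. The event fields, the window and threshold values, and the `analyse_all` entry point are assumptions, and the password field is assumed to carry a non-reversible fingerprint of the entered password rather than the plaintext.

```python
"""Detect a brute-force run that eventually guessed the password (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LoginEvent:
    ts: float            # occurrence time, seconds since epoch
    src: str             # login host address
    account: str         # login account entered
    pw_fingerprint: str  # hash of the entered password (assumed field; never the plaintext)
    proto: str           # remote login protocol, e.g. "SSH" or "RDP"
    process: str         # login process name
    success: bool        # audit success (True) or audit failure (False)


LOOKBACK = 900.0        # preset time period before the current login event (assumed value)
FIRST_THRESHOLD = 5     # first predetermined threshold on the number of attempts (assumed value)
REQUIRED_TIME = 60.0    # predetermined required-time threshold in seconds (assumed value)


def history_for(success_event: LoginEvent, events: List[LoginEvent], lookback: float = LOOKBACK):
    """Historical login information: this login host's earlier events inside the window."""
    lo = success_event.ts - lookback
    return sorted((e for e in events
                   if e.src == success_event.src and lo <= e.ts < success_event.ts),
                  key=lambda e: e.ts)


def guessing_attempts(success_event: LoginEvent, history: List[LoginEvent]):
    """Keep attempts with the same account but a different password: a guessing run."""
    return [e for e in history
            if e.account == success_event.account
            and e.pw_fingerprint != success_event.pw_fingerprint]


def analyse_success(success_event: LoginEvent, events: List[LoginEvent]) -> Dict:
    """Apply the count and time-to-success checks to one successful login."""
    attempts = guessing_attempts(success_event, history_for(success_event, events))
    result = {"src": success_event.src, "account": success_event.account,
              "attempts": len(attempts), "time_to_success": None,
              "malicious": False, "reasons": []}
    if not attempts:
        return result
    # Occurrence frequency of the historical events within the window vs. the first threshold.
    if len(attempts) > FIRST_THRESHOLD:
        result["malicious"] = True
        result["reasons"].append("attempt count exceeds first threshold")
    # First time: from the first (earliest) guessing attempt to the successful login.
    elapsed = success_event.ts - attempts[0].ts
    result["time_to_success"] = elapsed
    if elapsed > REQUIRED_TIME:
        result["malicious"] = True
        result["reasons"].append("time to success exceeds required-time threshold")
    return result


def analyse_all(events: List[LoginEvent]) -> Dict[str, Dict]:
    """Run the check for every successful login; keyed by "<src>/<account>"."""
    return {f"{e.src}/{e.account}": analyse_success(e, events) for e in events if e.success}


# Constructed sample feed: seven guesses against svc_backup every 40 s, then a success;
# and a user who mistyped once and logged in 10 s later.
BASE = 1_700_000_000.0
SAMPLE_EVENTS = [
    LoginEvent(BASE + 30 + 40 * i, "10.0.0.7", "svc_backup", f"fp{i}", "SSH", "sshd", False)
    for i in range(7)
] + [
    LoginEvent(BASE + 280, "10.0.0.8", "alice", "fpA", "RDP", "svchost.exe", False),
    LoginEvent(BASE + 290, "10.0.0.8", "alice", "fpB", "RDP", "svchost.exe", True),
    LoginEvent(BASE + 300, "10.0.0.7", "svc_backup", "fp_ok", "SSH", "sshd", True),
]

if __name__ == "__main__":
    for key, finding in analyse_all(SAMPLE_EVENTS).items():
        print(key, finding)
```

Both checks are kept independent so that a slow run of only a few guesses is still caught by the elapsed-time rule, and a fast run that stays under the time threshold is still caught by the count rule.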
Referring to fig. 7, as another alternative embodiment the apparatus further includes: an attack level determining module 30, configured to determine the level of the malicious attack from the first occurrence frequency after the login current host event is determined to be a malicious attack; and a defense strategy determining module 31, configured to determine a defense strategy according to that level; the defense strategies include temporarily closing and/or permanently closing the remote login service of the current host.
It can be understood that, after the sixth determining module or the third judgment determination module has decided whether the successful login event is a malicious attack, and if it is, the defense strategy determining module 31 may determine the defense strategy from the second log information, which comprises the identification information of the login host, the protocol the login host used to communicate with the current host, the process started after the successful login, and the history of failed or successful logins.
In this embodiment, as a further optional embodiment, the level of the malicious attack includes a low-frequency blasting level and/or a high-frequency blasting level.
The attack level determining module comprises: a first judging unit, configured to judge whether the occurrence frequency lies within a first frequency threshold range, the first frequency threshold range being one attempt every 10 to 20 seconds; a first determining unit, configured to set the level of the malicious attack to the low-frequency blasting level if the occurrence frequency lies within the first frequency threshold range, and otherwise to continue by judging whether the occurrence frequency lies within a second frequency threshold range, the second frequency threshold range being one attempt every 2 to 3 seconds; and a second determining unit, configured to set the level of the malicious attack to the high-frequency blasting level if the occurrence frequency lies within the second frequency threshold range. The defense strategy determining module comprises: a first defense unit, configured to temporarily close the remote login service of the current host for a preset time once the attack level is determined to be the low-frequency blasting level; and a second defense unit, configured to permanently close the remote login service of the current host once the attack level is determined to be the high-frequency blasting level.
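The audit-failure branch of the method (per-account failure count against the first threshold, the same-login-host check, the interval-consistency check, and the attack-level ranges just given with their matching defense strategy) is shown below as an added example over constructed audit events; it is not code from the patent or its applicant. The event fields, the period and first-threshold values, the jitter tolerance used to call intervals "consistent", and the `detect` entry point are assumptions; only the 10 to 20 second and 2 to 3 second ranges come from the description.

```python
"""Brute-force ("blasting") detector over login audit-failure events (added example)."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    ts: float       # occurrence time, seconds since epoch
    src: str        # identification information of the login host (IP or MAC), assumed field
    account: str    # login account entered for the attempt
    proto: str      # remote login protocol, e.g. "RDP" or "SSH"
    success: bool   # audit success (True) or audit failure (False)


PERIOD = 600.0                  # predetermined period in seconds (assumed value)
FIRST_THRESHOLD = 5             # first predetermined threshold (assumed value)
LOW_FREQ_RANGE = (10.0, 20.0)   # one attempt every 10-20 s  -> low-frequency blasting (from the text)
HIGH_FREQ_RANGE = (2.0, 3.0)    # one attempt every 2-3 s    -> high-frequency blasting (from the text)
JITTER_TOLERANCE = 0.25         # intervals within +-25% of their mean are "consistent" (assumed)


def failures_in_period(events: List[AuditEvent], now: float, period: float = PERIOD):
    """First log information: audit-failure events inside [now - period, now]."""
    return [e for e in events if not e.success and now - period <= e.ts <= now]


def account_frequency(failures: List[AuditEvent]) -> Counter:
    """First occurrence frequency: failures grouped by the login account entered."""
    return Counter(e.account for e in failures)


def _gaps(timestamps: List[float]) -> List[float]:
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def mean_interval(timestamps: List[float]) -> Optional[float]:
    gaps = _gaps(timestamps)
    return mean(gaps) if gaps else None


def intervals_consistent(timestamps: List[float], tolerance: float = JITTER_TOLERANCE) -> bool:
    """Successive intervals agree: tooling retries on a fixed cadence, people do not."""
    gaps = _gaps(timestamps)
    if len(gaps) < 2:
        return False
    m = mean(gaps)
    return all(abs(g - m) <= tolerance * m for g in gaps)


def classify_level(interval: Optional[float]) -> Optional[str]:
    """Map the mean attempt interval onto the two blasting levels of the description."""
    if interval is None:
        return None
    if LOW_FREQ_RANGE[0] <= interval <= LOW_FREQ_RANGE[1]:
        return "low-frequency"
    if HIGH_FREQ_RANGE[0] <= interval <= HIGH_FREQ_RANGE[1]:
        return "high-frequency"
    return "unclassified"


def defense_for(level: Optional[str]) -> str:
    return {"low-frequency": "temporarily close remote login service",
            "high-frequency": "permanently close remote login service"}.get(level, "no action")


def detect(events: List[AuditEvent], now: float, threshold: int = FIRST_THRESHOLD) -> List[Dict]:
    """One finding per account whose failure count in the period exceeds the threshold."""
    failures = failures_in_period(events, now)
    findings = []
    for account, count in account_frequency(failures).items():
        if count <= threshold:
            continue
        acct = [e for e in failures if e.account == account]
        ts = [e.ts for e in acct]
        sources = sorted({e.src for e in acct})
        level = classify_level(mean_interval(ts))
        findings.append({"account": account, "count": count,
                         "single_source": len(sources) == 1, "sources": sources,
                         "consistent_interval": intervals_consistent(ts),
                         "level": level, "defense": defense_for(level)})
    return findings


# Constructed sample feed: eight failures against "administrator" from one host every 15 s,
# plus one user who failed once and then logged in.
BASE = 1_700_000_000.0
SAMPLE_EVENTS = (
    [AuditEvent(BASE + 15 * i, "10.0.0.5", "administrator", "RDP", False) for i in range(8)]
    + [AuditEvent(BASE + 40, "10.0.0.9", "alice", "SSH", False),
       AuditEvent(BASE + 95, "10.0.0.9", "alice", "SSH", True)]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, now=BASE + 120):
        print(finding)
```

The same-source flag and the interval check are reported alongside the count rather than folded into it, so an operator can see whether a finding is one host on a fixed cadence (a single tool) or many hosts, which is what decides between the per-host second-frequency path and the level-based shutdown.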
In this embodiment, as a further optional embodiment, the apparatus further includes a sending module, configured to send the first log information and the detection result to the server when or after the login current host event is determined to be a malicious attack, so that the server, based on them, cuts off communication between the current host and the login host and sends a message instructing the hosts in the local area network to close their remote login service; the first log information here also comprises the identification information of the login host and the protocol the login host used to communicate with the current host.
Since the embodiments of the malicious code attack detection apparatus provided by the invention are essentially similar to the method embodiments, they are described only briefly; for the relevant points, refer to the corresponding parts of the method embodiment description.
A further embodiment of the present invention provides an electronic device, including one or more processors; a memory; the memory stores one or more executable programs, and the one or more processors read the executable program codes stored in the memory to run programs corresponding to the executable program codes so as to execute the method of any one of the embodiments.
Fig. 8 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which may implement the method according to any one of the embodiments of the present invention, as shown in fig. 8, as an alternative embodiment, the electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to each circuit or device of the electronic apparatus; the memory 43 is used for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the detection method of malicious code attack described in any one of the embodiments.
For the specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code, reference may be made to the description of the first embodiment of the malicious code attack detection method of the present invention, which is not described herein again.
The electronic device exists in a variety of forms, including but not limited to: (1) a mobile communication device: such devices are characterized by mobile communication capability and are primarily intended to provide voice and data communication. Such terminals include smart phones (e.g. the iPhone), multimedia phones, feature phones and low-end phones. (2) An ultra-mobile personal computer device: such equipment belongs to the category of personal computers, has computing and processing functions and generally supports mobile Internet access. Such terminals include PDA, MID and UMPC devices, e.g. the iPad. (3) A portable entertainment device: such devices can display and play multimedia content. This type includes audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices. (4) A server: a device providing computing services, comprising a processor, hard disk, memory, system bus and so on; a server is similar to a general-purpose computer architecture but, because it must provide highly reliable services, has higher requirements for processing capacity, stability, reliability, security, scalability and manageability. (5) Other electronic equipment with a data interaction function.
A further embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method for detecting a malicious code attack according to any one of the foregoing embodiments.
It is noted that, herein, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may also be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

1. A method for detecting malicious code attacks, the method comprising:
monitoring a security audit event of an operating system of a current host; the security audit event comprises a login current host event;
acquiring first log information of an audit failure event in a current host event logged in a preset period; the first log information comprises the occurrence frequency of the audit failure event and a login account input when the audit failure event occurs each time;
acquiring a first occurrence frequency of events which are consistent with the input login account in the auditing failure events which occur each time according to the first log information;
judging whether the first occurrence frequency exceeds a first predetermined threshold;
if yes, determining that the current host event is a malicious attack.
2. The method of claim 1, wherein the first log information further comprises: logging in the identification information of the host;
the method also comprises the following steps after first log information of audit failure events in the current host events logged in a preset period is acquired:
judging whether the events which occur each time and are checked by the current host are the same login host or not according to the identification information of the login host;
if yes, determining that the event logging in the current host is a malicious attack;
if not, re-acquiring, for each corresponding login host, a second occurrence frequency of audit-failure events of logging in to the current host within the predetermined period;
judging the threshold range in which the second occurrence frequency lies;
and determining whether the current host event is a malicious attack according to the threshold range of the second occurrence frequency.
3. The method of claim 1, wherein the first log information further comprises: the occurrence time of the audit failure event;
if the first occurrence frequency is judged to exceed the predetermined threshold, the method further comprises: determining, according to the occurrence times, the time intervals at which the audit-failure events with the same entered login account successively occurred within the predetermined period;
judging whether the time intervals are consistent;
and if the time intervals are consistent, determining that the login current host event is a malicious attack.
4. The method of claim 1, further comprising, after the listening for a security audit event of an operating system of a current host:
acquiring second log information of a successful event of the current host event logging in a preset period; the second log information comprises a login account, a login password, a login process name, a login host address and a remote login communication protocol which are input when the current host is successfully logged in;
according to the second log information, tracking and analyzing historical login information of the login host in a preset time period before the current login event; the historical login information comprises: the time of the occurrence of the historical login event, the login account and the login password input by the historical login event;
judging whether the login account input by the login host in the historical login event is consistent with the login account input by the current host in the successful login;
if yes, judging whether the login password input by the login host in the historical login event is consistent with the login password input by the current host in successful login;
if not, determining the occurrence frequency of the historical login events according to the occurrence time of the historical login events;
and determining whether the current host event is a malicious attack according to whether the occurrence frequency of the historical login event exceeds a first preset threshold.
5. The method of claim 4, wherein the second log information further includes a time of successful login to the current host;
if the login password input in the historical login event is judged to be inconsistent with the login password input by the current host computer which is successfully logged in, the method further comprises the following steps:
acquiring the occurrence time of a first login event in the historical login events;
determining the first time spent from the occurrence of the first login event to the successful login of the current host according to the occurrence time of the first login event and the time spent in the successful login of the current host;
judging whether the first time exceeds a preset required time threshold value;
and if so, determining that the current login event is a malicious attack.
6. The method of claim 1, further comprising: after determining that the event of logging in the current host is a malicious attack;
determining the level of the malicious attack according to the first occurrence frequency;
determining a defense strategy according to the level; the defense strategies include temporarily closing and/or permanently closing the remote login service of the current host.
7. The method of claim 6, wherein the level of the malicious attack comprises a low-frequency blasting level attack and/or a high-frequency blasting level attack;
the determining the level of the malicious attack according to the occurrence frequency comprises:
judging whether the occurrence frequency is within a first frequency threshold range; the first frequency threshold range is one attempt every 10 to 20 seconds;
if so, determining the level of the malicious attack as a low-frequency blasting level;
otherwise, judging whether the occurrence frequency is within a second frequency threshold range; the second frequency threshold range is one attempt every 2 to 3 seconds;
if so, determining the level of the malicious attack as a high-frequency blasting level;
the determining a defense policy according to the level comprises:
after the malicious attack level is determined to be a low-frequency blasting level, temporarily closing the remote login service of the current host for a preset time;
and after the malicious attack level is determined to be a high-frequency blasting level, permanently closing the remote login service of the current host.
8. The method of claim 6 or 7, further comprising, at the same time or after determining that the login current host event is a malicious attack:
sending the first log information and the detection result to a server so that the server cuts off the communication between the current host and the login host and sends a message for closing the remote login service to the host in the local area network based on the first log information and the detection result; the first log information also comprises identification information of the login host and a protocol used by the login host in communication with the current host.
9. An apparatus for detecting malicious code attacks, the apparatus comprising:
the monitoring module is used for monitoring the security audit event of the operating system of the current host; the security audit event comprises a login current host event;
the first acquisition module is used for acquiring first log information of an audit failure event in a current host event logged in within a preset period; the first log information comprises the occurrence frequency of the audit failure event and a login account input when the audit failure event occurs each time;
the second acquisition module is used for acquiring a first occurrence frequency of events which are consistent with the input login account in the auditing failure events which occur each time according to the first log information;
a first judgment determination module, configured to determine whether the first occurrence frequency exceeds a first predetermined threshold;
and if the first occurrence frequency exceeds a first preset threshold value, determining that the event logging in the current host is a malicious attack.
10. The apparatus of claim 9, wherein the first log information further comprises: logging in the identification information of the host;
the device further comprises: the first judging module is used for judging whether the events which are logged in the current host and failed in the auditing are the same logging host or not according to the identification information of the logging host after first log information of the auditing failure events in the events which are logged in the current host in a preset period is acquired;
the first determining module is used for determining that the event of logging in the current host is a malicious attack if the event of logging in the current host which fails to be checked is judged to be the same logging host every time;
the second determining module is used for re-acquiring, for each corresponding login host, a second occurrence frequency of audit-failure events of logging in to the current host within the predetermined period, if the audit-failure login events are judged not to all come from the same login host;
the first judgment module is used for judging the threshold range in which the second occurrence frequency lies;
and the third determining module is used for determining whether the current host login event is a malicious attack according to the threshold range of the second occurrence frequency.
11. The apparatus of claim 9, wherein the first log information further comprises: the occurrence time of the audit failure event;
the device further comprises:
a fourth determining module, configured to determine, according to the occurrence time after it is determined that the first occurrence frequency exceeds a predetermined threshold, a time interval in which audit failure events consistent with the login account input in the predetermined period successively occur;
the second judging module is used for judging whether the time intervals are consistent or not;
and the fifth determining module is used for determining that the current host login event is a malicious attack if the time intervals are judged to be consistent.
12. The apparatus of claim 9, further comprising:
a third obtaining module, configured to obtain, after the security audit event of the operating system of the current host is monitored, second log information of an audit success event among events logged in the current host in a predetermined period; the second log information comprises a login account, a login password, a login process name, a login host address and a remote login communication protocol which are input when the current host is successfully logged in;
the tracking analysis module is used for tracking and analyzing the historical login information of the login host in a preset time period before the current login event according to the second log information; the historical login information comprises: the time of the occurrence of the historical login event, the login account and the login password input by the historical login event;
the third judging module is used for judging whether the login account input by the login host in the historical login event is consistent with the login account input by the current host in successful login;
the fourth judgment module is used for judging whether the login password input by the login host in the historical login event is consistent with the login password input by the current host when the login host successfully logs in if the judgment result of the third judgment module is consistent;
the second judgment and determination module is used for determining the occurrence frequency of the historical login event according to the occurrence time of the historical login event if the login password input by the login host in the historical login event is judged to be inconsistent with the login password input by the current host in successful login;
and the sixth determining module is used for determining whether the current host login event is a malicious attack according to the occurrence frequency of the historical login event.
13. The apparatus of claim 12, wherein the second log information further comprises a time of successful login to the current host;
the device further comprises: the fourth acquisition module is used for acquiring the occurrence time of the first login event in the historical login event after judging that the login password input in the historical login event is inconsistent with the login password input by successfully logging in the current host;
a seventh determining module, configured to determine, according to the occurrence time of the first login event and the time of successfully logging in to the current host, a first time taken from the occurrence of the first login event to the successful login to the current host;
a third judgment determining module, configured to judge whether the first time exceeds a predetermined required time threshold;
and if so, determining that the current login event is a malicious attack.
14. The apparatus of claim 9, further comprising:
the attack level determining module is used for determining the level of the malicious attack according to the first occurrence frequency after the login current host event is determined to be a malicious attack;
the defense strategy determining module is used for determining a defense strategy according to the level; the defense strategies include temporarily closing and/or permanently closing the remote login service of the current host.
15. The apparatus of claim 14, wherein the level of the malicious attack comprises a low-frequency blasting level attack and/or a high-frequency blasting level attack;
the attack level determination module comprises:
the first judgment unit is used for judging whether the occurrence frequency is within a first frequency threshold range; the first frequency threshold range is one attempt every 10 to 20 seconds;
the first determining unit is used for determining the level of the malicious attack as a low-frequency blasting level if the occurrence frequency is judged to be within a first frequency threshold range;
if the occurrence frequency is not within the first frequency threshold range, continuing to judge whether the occurrence frequency is within a second frequency threshold range; the second frequency threshold value ranges from 2 seconds to 3 seconds per time;
the second determining unit is used for determining the level of the malicious attack as a high-frequency blasting level if the occurrence frequency is judged to be within a second frequency threshold range;
the defense strategy determination module comprises:
a first defense unit, configured to temporarily close the remote login service of the current host for a preset time after the malicious attack level is determined to be the low-frequency blasting level;
and a second defense unit, configured to permanently close the remote login service of the current host after the malicious attack level is determined to be the high-frequency blasting level.
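The decision logic of claims 13 to 15 (time from the first failed attempt to the successful login, attempt frequency, level classification and the matching defense strategy) as an added, runnable illustration; this is not code from the patent or its assignee. The 10-20 s and 2-3 s per-attempt ranges are the ones stated in claim 15; the required-time threshold (60 s) and the preset temporary-shutdown duration (600 s) are assumed values, since the claims name those parameters without giving numbers, and the login sequences are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class LoginEvent:
    t: float           # event time in seconds (constructed sample clock starting at 0)
    login_host: str    # identifier of the host attempting the login
    password: str      # plaintext only for illustration; a real agent would compare digests
    success: bool


# Threshold ranges from claim 15, expressed as seconds per login attempt.
LOW_FREQ_RANGE = (10.0, 20.0)
HIGH_FREQ_RANGE = (2.0, 3.0)
# Assumed values: the claims name these parameters but state no number for them.
REQUIRED_TIME_THRESHOLD = 60.0   # claim 13: max seconds from first attempt to success
TEMP_CLOSE_SECONDS = 600         # claim 15: preset duration of the temporary shutdown


def mean_interval(events):
    """Occurrence frequency of the attempts, as mean seconds between consecutive events."""
    ts = sorted(e.t for e in events)
    return mean(b - a for a, b in zip(ts, ts[1:])) if len(ts) > 1 else None


def classify_level(interval):
    """Map the attempt interval to the attack level of claim 15 (None = outside both ranges)."""
    if interval is None:
        return None
    if LOW_FREQ_RANGE[0] <= interval <= LOW_FREQ_RANGE[1]:
        return "low"
    if HIGH_FREQ_RANGE[0] <= interval <= HIGH_FREQ_RANGE[1]:
        return "high"
    return None


def defense_strategy(level):
    """Claim 15: temporary shutdown for low-frequency, permanent shutdown for high-frequency."""
    if level == "low":
        return ("temporary_close", TEMP_CLOSE_SECONDS)
    if level == "high":
        return ("permanent_close", None)
    return None


def analyze(events, required_time_threshold=REQUIRED_TIME_THRESHOLD):
    """Apply claims 13-15 to the chronological login events of one current host."""
    events = sorted(events, key=lambda e: e.t)
    success = next((e for e in events if e.success), None)
    if success is None:
        return {"malicious": False, "reason": "no successful login yet"}
    history = [e for e in events if not e.success and e.t < success.t]
    if not history:
        return {"malicious": False, "reason": "no failed attempts before success"}
    # Claim 13 precondition: the historical attempts used passwords other than the successful one.
    if all(e.password == success.password for e in history):
        return {"malicious": False, "reason": "historical passwords match the successful one"}
    first_time = success.t - history[0].t            # first login event -> successful login
    interval = mean_interval(history + [success])     # occurrence frequency of the attempts
    level = classify_level(interval)
    malicious = first_time > required_time_threshold  # claim 13 decision
    return {
        "malicious": malicious,
        "first_time": first_time,
        "interval": interval,
        "level": level if malicious else None,
        "strategy": defense_strategy(level) if malicious else None,
        "login_host": success.login_host,
    }


def _sequence(n_failed, step, final_password="Right-Pass-7", login_host="10.0.0.5"):
    """Constructed sample: n_failed wrong guesses `step` seconds apart, then one success."""
    evs = [LoginEvent(i * step, login_host, f"guess{i}", False) for i in range(n_failed)]
    evs.append(LoginEvent(n_failed * step, login_host, final_password, True))
    return evs


HIGH_FREQ_SAMPLE = _sequence(30, 2.5)   # 30 guesses 2.5 s apart: 75 s to success
LOW_FREQ_SAMPLE = _sequence(5, 15.0)    # 5 guesses 15 s apart: 75 s to success
TYPO_SAMPLE = _sequence(2, 5.0)         # two typos, 10 s to success: benign
UNRANKED_SAMPLE = _sequence(120, 1.0)   # 1 s apart: malicious by time, but in neither range

if __name__ == "__main__":
    for name, sample in [("high", HIGH_FREQ_SAMPLE), ("low", LOW_FREQ_SAMPLE),
                         ("typo", TYPO_SAMPLE), ("unranked", UNRANKED_SAMPLE)]:
        print(name, analyze(sample))
```

The `UNRANKED_SAMPLE` case shows a gap a practitioner should notice: attempts arriving faster than one every 2 seconds exceed the time threshold and are flagged, but fall outside both frequency ranges of claim 15, so neither defense unit fires; a deployment would need a rule for that case.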
16. The apparatus of any one of claims 14 to 15, further comprising: the sending module is used for sending the first log information and the detection result to the server when or after the current host login event is determined to be a malicious attack, so that the server cuts off the communication between the current host and the login host based on the first log information and the detection result and sends a message for closing the remote login service to the host in the local area network; the first log information also comprises identification information of the login host and a protocol used by the login host in communication with the current host.
17. An electronic device, comprising:
one or more processors;
a memory;
the memory stores one or more executable programs, and the one or more processors read the executable program code stored in the memory and execute the corresponding programs so as to perform the method of any one of claims 1 to 7.
18. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any of the preceding claims 1 to 7.
CN201811631543.8A 2018-12-28 2018-12-28 Malicious code attack detection method and device and electronic equipment Active CN110866246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811631543.8A CN110866246B (en) 2018-12-28 2018-12-28 Malicious code attack detection method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811631543.8A CN110866246B (en) 2018-12-28 2018-12-28 Malicious code attack detection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN110866246A true CN110866246A (en) 2020-03-06
CN110866246B CN110866246B (en) 2022-05-03

Family

ID=69651650

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811631543.8A Active CN110866246B (en) 2018-12-28 2018-12-28 Malicious code attack detection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN110866246B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111813752A (en) * 2020-07-01 2020-10-23 四川长虹电器股份有限公司 Method and system for acquiring rdp blasting attack source
CN111835782A (en) * 2020-07-21 2020-10-27 山石网科通信技术股份有限公司 Login protection method and device for network equipment, storage medium and processor
CN113315791A (en) * 2021-07-30 2021-08-27 杭州安恒信息技术股份有限公司 Host protection method based on proxy module and electronic device
CN113364744A (en) * 2021-05-19 2021-09-07 北京中睿天下信息技术有限公司 Method and system for detecting domain user login authentication abnormity based on windows log
CN113467314A (en) * 2021-07-15 2021-10-01 广州赛度检测服务有限公司 Information security risk assessment system and method based on big data and edge calculation
CN113938312A (en) * 2021-11-12 2022-01-14 北京天融信网络安全技术有限公司 Detection method and device for brute force cracking flow
CN114584363A (en) * 2022-03-01 2022-06-03 北信源系统集成有限公司 Network attack detection method, device, equipment and computer readable storage medium
CN115208601A (en) * 2021-09-18 2022-10-18 上海漫道科技有限公司 Method and system for actively defending malicious scanning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060208063A1 (en) * 2005-03-16 2006-09-21 Cisco Technology, Inc., A Corporation Of California Multiple device and/or user association
US20120204244A1 (en) * 2008-08-29 2012-08-09 International Business Machines Corporation Automated password authentication
CN103166920A (en) * 2011-12-13 2013-06-19 腾讯科技(深圳)有限公司 Method and system for limiting transmission of malicious information
CN103825738A (en) * 2013-12-31 2014-05-28 北京华虹集成电路设计有限责任公司 Registration information authentication method and device
CN106656640A (en) * 2017-03-14 2017-05-10 北京深思数盾科技股份有限公司 Early warning method and device of network attack

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111813752A (en) * 2020-07-01 2020-10-23 四川长虹电器股份有限公司 Method and system for acquiring rdp blasting attack source
CN111835782A (en) * 2020-07-21 2020-10-27 山石网科通信技术股份有限公司 Login protection method and device for network equipment, storage medium and processor
CN113364744A (en) * 2021-05-19 2021-09-07 北京中睿天下信息技术有限公司 Method and system for detecting domain user login authentication abnormity based on windows log
CN113467314A (en) * 2021-07-15 2021-10-01 广州赛度检测服务有限公司 Information security risk assessment system and method based on big data and edge calculation
CN113467314B (en) * 2021-07-15 2022-04-26 广州赛度检测服务有限公司 Information security risk assessment system and method based on big data and edge calculation
CN113315791A (en) * 2021-07-30 2021-08-27 杭州安恒信息技术股份有限公司 Host protection method based on proxy module and electronic device
CN115208601A (en) * 2021-09-18 2022-10-18 上海漫道科技有限公司 Method and system for actively defending malicious scanning
CN115208601B (en) * 2021-09-18 2024-02-06 上海漫道科技有限公司 Method and system for actively defending malicious scanning
CN113938312A (en) * 2021-11-12 2022-01-14 北京天融信网络安全技术有限公司 Detection method and device for brute force cracking flow
CN113938312B (en) * 2021-11-12 2024-01-26 北京天融信网络安全技术有限公司 Method and device for detecting violent cracking flow
CN114584363A (en) * 2022-03-01 2022-06-03 北信源系统集成有限公司 Network attack detection method, device, equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN110866246B (en) 2022-05-03

Similar Documents

Publication Publication Date Title
CN110866246B (en) Malicious code attack detection method and device and electronic equipment
JP2016046654A (en) Security system, security method, security device, and program
CN107977568B (en) MCU safety protection identity authentication device and method
US10015153B1 (en) Security using velocity metrics identifying authentication performance for a set of devices
US20170171188A1 (en) Non-transitory computer-readable recording medium, access monitoring method, and access monitoring apparatus
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN112749097B (en) Performance evaluation method and device for fuzzy test tool
CN110866248B (en) Lesovirus identification method and device, electronic equipment and storage medium
CN113055407A (en) Asset risk information determination method, device, equipment and storage medium
CN115550049A (en) Vulnerability detection method and system for Internet of things equipment
CN111800432A (en) Anti-brute force cracking method and device based on log analysis
KR20170091989A (en) System and method for managing and evaluating security in industry control network
CN112422527B (en) Threat assessment system, method and device for substation power monitoring system
CN110890960B (en) Data replay attack identification and protection method based on multiple verification mechanisms
CN113553599A (en) Industrial control host software reinforcement method and system
CN111104655B (en) BMC login method and related device
KR101576993B1 (en) Method and System for preventing Login ID theft using captcha
KR101900494B1 (en) Method and apparatus for detecting the steeling of identifier
CN114285608B (en) Network attack trapping method and device, electronic equipment and storage medium
CN112090087B (en) Game plug-in detection method and device, storage medium and computer equipment
CN115883170A (en) Network flow data monitoring and analyzing method and device, electronic equipment and storage medium
CN112329021A (en) Method and device for checking application bugs, electronic device and storage medium
CN107124390B (en) Security defense and implementation method, device and system of computing equipment
KR102614309B1 (en) Apparatus and method of endpoint attack detection
CN113301019B (en) Verification code vulnerability detection method and device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant