CN111901326B - Multi-device intrusion detection method, device, system and storage medium - Google Patents


Info

Publication number
CN111901326B
Authority
CN
China
Prior art keywords
data
detected
strategy
protective
analyzing
Legal status
Active
Application number
CN202010697621.5A
Other languages
Chinese (zh)
Other versions
CN111901326A (en)
Inventor
陆嘉杰
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application relates to a multi-device intrusion detection method, a multi-device intrusion detection device, a multi-device intrusion detection system and a computer readable storage medium, wherein the multi-device intrusion detection method comprises the following steps: the method comprises the steps of obtaining protection information from a plurality of protection devices, wherein each protection device in the plurality of protection devices is isolated from each other; converting the protection information with the same attribute in the protection information into to-be-detected data with the same format; and analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by analysis. By the method and the device, the problem that the intrusion detection capability of the protective equipment on a single layer is weak in the related technology is solved, and the intrusion detection capability of the protective equipment is enhanced.

Description

Method, device and system for detecting multi-device intrusion and storage medium
Technical Field
The present application relates to the field of computer networks and information security technologies, and in particular, to a method and an apparatus for detecting multiple device intrusion, a system for detecting multiple device intrusion, and a computer-readable storage medium.
Background
With the increasing complexity of the network environment, information leakage and asset destruction caused by network attacks bring great losses to countries, enterprises and individuals, and network intrusion detection methods have emerged in response. A network intrusion detection method is a method capable of discovering network intrusion behavior. At present, the network intrusion detection schemes on the market are generally based on detection by a single-layer protection device, and advanced persistent threat behaviors are difficult to discover, so an attacker can use evasion techniques to damage the intruded party to a certain extent.
On the one hand, current single-layer protection equipment has difficulty coping with the increasingly complex network environment: relying only on the analysis result of a host protection device or of a network protection device, threat information is easily missed, so the intrusion detection capability is not strong enough and advanced network attacks can easily evade detection.
At present, no effective solution is provided for the problem of weak intrusion detection capability of single-layer protection equipment in the related technology.
Disclosure of Invention
The embodiment of the application provides a multi-device intrusion detection method, a multi-device intrusion detection device, a multi-device intrusion detection system and a computer readable storage medium, so as to at least solve the problem that the intrusion detection capability of a single-layer protection device is weak in the related art.
In a first aspect, an embodiment of the present application provides a method for detecting intrusion of multiple devices, including:
the method comprises the steps of obtaining protection information from a plurality of protection devices, wherein each protection device in the plurality of protection devices is isolated from each other;
converting the protection information with the same attribute in the protection information into to-be-detected data with the same format;
and analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by analysis.
In some embodiments, analyzing the data to be detected by using at least one policy to obtain a decision result corresponding to each policy includes:
acquiring process parameters, process service identifiers and process loading module names in the data to be detected;
judging whether any one of the process parameters, the process service identifiers and the process loading module names hits a first strategy, wherein the first strategy is used for identifying dynamic behavior information carried by the data to be detected;
and determining that a decision result corresponding to the first strategy is in an abnormal state under the condition that any one of the process parameters, the process service identifier and the process loading module name hits the first strategy.
In some embodiments, analyzing the data to be detected by using at least one policy to obtain a decision result corresponding to each policy includes:
acquiring the time of logging in the protective equipment by an operating system user in the data to be detected, the shutdown time of the protective equipment, the startup time of the protective equipment, and upload flow and download flow;
judging whether any one of time when the operating system user logs in the protective device, time when the protective device is turned off, time when the protective device is turned on, and uploading flow and downloading flow hits a second strategy, wherein the second strategy is used for identifying abnormal behavior information carried by the data to be detected;
and determining that a decision result corresponding to the second policy is in an abnormal state under the condition that any one of the time for obtaining the login of the operating system user on the protective device, the shutdown time of the protective device, the startup time of the protective device, the upload flow and the download flow is hit in the second policy.
In some embodiments, analyzing the data to be detected by using at least one policy to obtain a decision result corresponding to each policy includes:
creating a machine learning model comprising at least one of: a hidden DNS tunnel communication model, a WebShell backdoor model and a mining behavior model;
analyzing the data to be detected according to the machine learning model to obtain a corresponding machine learning result;
judging whether the machine learning result hits a third strategy, wherein the third strategy is used for identifying information which is carried by the data to be detected and accords with the characteristics of the machine learning model;
and determining that a decision result corresponding to the third strategy is in an abnormal state under the condition that the machine learning result is judged to hit the third strategy.
In some embodiments, analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by the analysis includes:
analyzing the data to be detected by adopting at least one strategy to obtain a decision result corresponding to each strategy;
and determining that dangerous behaviors exist in the plurality of protective devices under the condition that a plurality of decision results in the decision results are in abnormal states.
In some embodiments, after analyzing the data to be detected and determining the intrusion condition of the plurality of protection devices according to the result of the analysis, the method further includes:
according to the decision result showing the abnormal state, intrusion threat index data are obtained from the corresponding data to be detected, wherein the intrusion threat index data comprise at least one of the following data: IP, domain name, HASH value;
and sending the intrusion threat indicator data to the plurality of protective devices.
In some embodiments, converting the protection information with the same attribute in the protection information into the data to be detected with the same format includes:
deleting the repeated items when the protection information has repeated items; and/or
filling in the missing items when the data to be detected has missing items.
In a second aspect, an embodiment of the present application provides an apparatus for detecting multiple device intrusion, including:
an acquisition module, configured to acquire protection information from a plurality of protection devices, wherein each protection device in the plurality of protection devices is isolated from the others;
the conversion module is used for converting the protection information with the same attribute in the protection information into to-be-detected data with the same format;
and the determining module is used for analyzing the data to be detected and determining the intrusion condition of the plurality of protective devices according to the analysis result.
In a third aspect, an embodiment of the present application provides a system for detecting intrusion by multiple devices, including: the system comprises a plurality of protective devices and a cooperative analysis device, wherein each protective device in the plurality of protective devices is isolated from each other, and each protective device in the plurality of protective devices is coupled with the cooperative analysis device respectively; the protection devices are configured to generate protection information, and the cooperative analysis device is configured to obtain the protection information from the protection devices, and execute the method for detecting intrusion of multiple devices according to the protection information.
In a fourth aspect, an embodiment of the present application provides a storage medium, where a computer program is stored in the storage medium, where the computer program is configured to execute the method for detecting a multi-device intrusion according to the first aspect when running.
Compared with the related art, the multi-device intrusion detection method, the multi-device intrusion detection device, the multi-device intrusion detection system and the computer-readable storage medium provided by the embodiment of the application acquire the protection information from the plurality of protection devices, wherein each protection device in the plurality of protection devices is isolated from each other; converting the protection information with the same attribute in the protection information into to-be-detected data with the same format; the data to be detected are analyzed, the intrusion condition of a plurality of protective devices is determined according to the result obtained by analysis, the problem that the intrusion detection capability of the protective devices with a single layer is weak in the related technology is solved, and the intrusion detection capability of the protective devices is enhanced.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a method for detecting multiple device intrusion according to an embodiment of the present application;
FIG. 2 is a block diagram of a multi-device intrusion detection system according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating the operation of a multi-device intrusion detection system according to a preferred embodiment of the present application;
fig. 4 is a block diagram of a hardware configuration of a cooperative analysis apparatus according to a preferred embodiment of the present application;
fig. 5 is a block diagram of a multi-device intrusion detection apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any creative effort belong to the protection scope of the present application. Moreover, it should be appreciated that such a development effort might be complex and tedious, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, without departing from the scope of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (including a single reference) are to be construed in a non-limiting sense as indicating either the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The embodiment provides a method for detecting multi-device intrusion. Fig. 1 is a flowchart of a method for detecting intrusion into multiple devices according to an embodiment of the present application, where the flowchart includes the following steps, as shown in fig. 1:
step S101, protective information is acquired from a plurality of protective devices, wherein each protective device in the plurality of protective devices is isolated from each other.
This embodiment obtains protection information from a plurality of protection devices, where the plurality of protection devices includes protection devices of several different types, for example a host protection device and a network protection device. Protection devices of different types generate protection information of different kinds, which enriches the variety of protection information and helps extend the dimensions of intrusion detection.
In view of safety, these protection devices are usually set in an isolated state from each other. The isolation comprises physical isolation and message isolation between the protective devices, wherein the physical isolation is adopted to avoid influencing other protective devices related to a certain protective device under the condition that the protective device is invaded; message isolation means that different types of guard devices are usually in a message isolation state, and there are differences in message formats between the different types of guard devices.
And step S102, converting the protection information with the same attribute in the protection information into the data to be detected with the same format.
Generally, the protection devices are set in an isolated state, so that the protection information between the protection devices of different types is difficult to intercommunicate, and therefore, the joint analysis cannot be directly performed in the process of analyzing the protection information between the protection devices of different types. In order to solve the problem, the embodiment formats the protection information acquired from the plurality of pieces of protection equipment, converts the formats of the protection information with the same attribute in the different pieces of protection equipment into the same format, and obtains the data to be detected with the standard information format, thereby achieving the effect of intercommunicating the protection information between the different pieces of protection equipment.
And step S103, analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by analysis.
Compared with the intrusion detection method based on the protection equipment of a single layer in the related art, the data to be detected of the embodiment combines the protection information of the protection equipment of different types, the analysis dimension is increased, the cooperative analysis mechanism is realized, and the intrusion detection result is more perfect.
Through the steps, the problem that the intrusion detection capability of the protective equipment with a single layer is weak in the related technology is solved, and the intrusion detection capability of the protective equipment is enhanced.
In step S102, the protection information with the same attribute in the protection information may be converted into the data to be detected with the same format by using a method including at least one of the following:
under the condition that the protection information has repeated items, the repeated items are deleted firstly to obtain the deleted protection information, and then the protection information with the same attribute in the protection information is converted into the data to be detected with the same format, so that the data analysis efficiency is improved.
When the data to be detected has a missing item, the missing item is filled in to obtain completed protection information, and then the protection information with the same attribute in the protection information is converted into the data to be detected in the same format, so that the data to be detected is more complete. For example, for a process loading module, the loading module of a process can be inferred from the list of preceding and following processes, so as to complete the item.
Taking the host protection device and the network protection device as examples, the protection information obtained from the host protection device includes at least one of the following: process information, file information, system logs and user behavior information; the protection information acquired from the network protection device includes at least one of the following: network traffic information and user behavior information. The corresponding data to be detected obtained from them includes at least one of the following: process parameters, process service identifier, process loading module name, time at which an operating system user logs in to the protective equipment, shutdown time of the protective equipment, startup time of the protective equipment, upload flow and download flow, Domain Name System (DNS) access information, Internet Protocol (IP) address, domain name and HASH value.
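The following is an added example of step S102, not code from the patent or from DBAPPSecurity. It takes raw records from an isolated host protection device and an isolated network protection device, maps them onto one common "to-be-detected" schema whose keys are the attributes listed above, deletes repeated items, and fills in a missing process loading module name. The raw field names (`cmdline`, `service`, `module`, `query`, `tx`, `rx`, ...), the sample values and the inference rule for the missing module (borrow it from the nearest preceding or following record with the same process parameters) are all assumptions made for the example.

```python
"""Step S102: normalise per-device protection information into one schema."""

# Common to-be-detected schema: the attribute names the patent lists, as dict keys.
FIELDS = ("device", "process_params", "process_service_id", "process_module",
          "login_time", "shutdown_time", "startup_time", "upload_flow",
          "download_flow", "dns_access", "ip", "domain", "hash_value")

# Constructed raw records. The field names are assumptions; each product has its own.
HOST_RECORDS = [
    {"pid": 4120, "cmdline": "svchost.exe -k netsvcs", "service": "netsvcs",
     "module": "wininet.dll", "sha256": "ab" * 32, "login": "2020-07-20T02:13:00"},
    {"pid": 4121, "cmdline": "svchost.exe -k netsvcs", "service": "netsvcs",
     "module": None, "sha256": "ab" * 32, "login": "2020-07-20T02:13:05"},
    # exact repeat of the first record, as a device that resends its log would produce
    {"pid": 4120, "cmdline": "svchost.exe -k netsvcs", "service": "netsvcs",
     "module": "wininet.dll", "sha256": "ab" * 32, "login": "2020-07-20T02:13:00"},
]
NET_RECORDS = [
    {"client": "10.0.0.5", "query": "a3f9c1.updates.example", "tx": 120, "rx": 3800},
    {"client": "10.0.0.5", "query": "a3f9c1.updates.example", "tx": 120, "rx": 3800},
]


def empty_record(device: str) -> dict:
    rec = {key: None for key in FIELDS}
    rec["device"] = device
    return rec


def from_host(raw: dict) -> dict:
    """Map a host-protection record onto the common schema."""
    rec = empty_record("host")
    rec["process_params"] = raw.get("cmdline")
    rec["process_service_id"] = raw.get("service")
    rec["process_module"] = raw.get("module")
    rec["hash_value"] = raw.get("sha256")
    rec["login_time"] = raw.get("login")
    return rec


def from_network(raw: dict) -> dict:
    """Map a network-protection record onto the common schema."""
    rec = empty_record("network")
    rec["ip"] = raw.get("client")
    rec["dns_access"] = raw.get("query")
    rec["domain"] = raw.get("query")
    rec["upload_flow"] = raw.get("tx")
    rec["download_flow"] = raw.get("rx")
    return rec


def deduplicate(records: list) -> list:
    """Delete repeated items: two records are repeats when every field is equal."""
    seen, out = set(), []
    for rec in records:
        key = tuple(rec[k] for k in FIELDS)
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def fill_missing_modules(records: list) -> list:
    """Assumed inference for a missing loading-module name: copy it from the
    nearest preceding or following record that has the same process parameters."""
    for i, rec in enumerate(records):
        if rec["process_params"] is None or rec["process_module"] is not None:
            continue
        for j in list(range(i - 1, -1, -1)) + list(range(i + 1, len(records))):
            other = records[j]
            if other["process_params"] == rec["process_params"] and other["process_module"]:
                rec["process_module"] = other["process_module"]
                break
    return records


def convert(host_raw: list, net_raw: list) -> list:
    """Protection information from both devices -> de-duplicated, completed
    to-be-detected data in one format."""
    records = [from_host(r) for r in host_raw] + [from_network(r) for r in net_raw]
    return fill_missing_modules(deduplicate(records))


if __name__ == "__main__":
    for row in convert(HOST_RECORDS, NET_RECORDS):
        print(row)
```

Deduplication runs before completion on purpose: a filled-in module name could otherwise make two copies of the same event look different. In the sample input the five raw records collapse to three, and the second host record receives `wininet.dll` from its neighbour.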
In step S103, the data to be detected may be analyzed by using at least one policy to obtain a decision result corresponding to each policy, and an analysis method based on different policies is given below.
(1) Analyzing the data to be detected by adopting the first strategy to obtain a decision result corresponding to each strategy comprises the following steps:
acquiring process parameters, process service identifiers and process loading module names in data to be detected; judging whether any one of the process parameters, the process service identifier and the process loading module name hits a first strategy, wherein the first strategy is used for identifying dynamic behavior information carried by to-be-detected data; and under the condition that any one of the process parameter, the process service identifier and the process loading module name hits the first strategy, determining that a decision result corresponding to the first strategy is in an abnormal state.
The first strategy comprises at least one rule, and the first strategy is hit under the condition that any one of the process parameters, the process service identifier and the process loading module name hits the corresponding rule. An embodiment of analyzing the data to be detected by using the first policy will be described below with reference to a dynamic behavior analysis technique.
Rule A1: acquiring a process list with parameters from the data to be detected, judging whether the process parameters carry an IP or a domain name, setting a preset identifier flag1 to 1 when the process parameters carry an IP or a domain name, and otherwise setting flag1 to 0. Here IP refers to an address such as 192.168.0.1 and a domain name refers to a website name such as www.baidu.com. If a process parameter carries an IP or a domain name, network communication behavior exists in the process.
Rule A2: acquiring the corresponding process service identifier from the data to be detected, judging whether the process is a high-imitation system service and/or a third-party service, setting flag1 to 1 when the process is judged to be a high-imitation system service and/or a third-party service, and otherwise setting flag1 to 0. If the process is a high-imitation system service and/or a third-party service, the process is an abnormal process and has malicious behavior.
Rule A3: acquiring the corresponding process loading module name from the data to be detected, judging whether the process loading module is a high-imitation system file module and/or a third-party signed module, setting flag1 to 1 when the process loading module is judged to be a high-imitation system file module and/or a third-party signed module, and otherwise setting flag1 to 0. If the process loads a high-imitation system file module and/or a third-party signed module, the process is an abnormal process and has malicious behavior.
In the above rules, if flag1 corresponding to a certain rule is set to 1, it is determined that the first policy is hit, and this indicates that an abnormal dynamic behavior exists in the protection device.
(2) Analyzing the data to be detected by adopting a second strategy to obtain a decision result corresponding to each strategy comprises the following steps:
acquiring the time of an operating system user logging in the protective equipment, the shutdown time of the protective equipment, the startup time of the protective equipment, the uploading flow and the downloading flow in the data to be detected; judging whether any one of time of logging in the protective equipment, shutdown time of the protective equipment, startup time of the protective equipment, uploading flow and downloading flow of an operating system user hits a second strategy, wherein the second strategy is used for identifying abnormal behavior information carried by the data to be detected; and under the condition that any one of the time when the operating system user logs in the protective device, the shutdown time of the protective device, the startup time of the protective device, the upload flow and the download flow hits the second strategy, determining that a decision result corresponding to the second strategy is in an abnormal state.
The second strategy comprises at least one rule, and the second strategy is hit under the condition that any one of time when the operating system user logs in the protective device, shutdown time of the protective device, startup time of the protective device, uploading flow and downloading flow hits the corresponding rule. An embodiment of analyzing the data to be detected by using the second strategy will be described below with reference to an abnormal behavior analysis technique.
Rule B1: acquiring the time of logging in the protective equipment by the operating system user from the data to be detected, judging whether the time of logging in the protective equipment by the operating system user is abnormal, setting a preset identifier flag2 to be 1 under the condition that the time of logging in the protective equipment by the operating system user is judged to be abnormal, and otherwise setting the flag2 to be 0.
Rule B2: the method comprises the steps of obtaining the shutdown time of the protective equipment and the startup time of the protective equipment from data to be detected, judging whether the shutdown time of the protective equipment and the startup time of the protective equipment are abnormal or not, setting a flag2 to be 1 under the condition that the shutdown time of the protective equipment and the startup time of the protective equipment are judged to be abnormal, and otherwise, setting the flag2 to be 0.
Rule B3: acquiring upload flow and download flow from data to be detected, judging whether the upload flow and the download flow exceed a preset threshold, setting flag2 to be 1 under the condition that the upload flow and the download flow exceed the preset threshold, and otherwise setting flag2 to be 0.
In the above rules, if flag2 corresponding to a certain rule is set to 1, it is determined that the second policy is hit, and this indicates that there is an abnormal behavior in the protection device.
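Rules A1 to A3 (first strategy) and B1 to B3 (second strategy) as an added example, not the patent's or DBAPPSecurity's code. Each rule is a function over one normalised record that returns its flag, and a policy is hit as soon as any of its rules sets the flag to 1, exactly as the text above describes. What the patent leaves open is filled with labelled assumptions: the "high-imitation" check replaces digit look-alikes (`0`, `1`, `5`) and compares against a small constructed list of system service and module names; "abnormal" login, shutdown and startup times are those outside an assumed 08:00 to 20:00 window; the traffic threshold is an assumed 10 MB per record; the sample records are made up.

```python
"""First and second strategy of step S103 as rule functions over normalised records."""
import re
from datetime import datetime

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|cn)\b", re.I)
# Constructed reference lists; a deployment would use the OS's real inventory.
SYSTEM_SERVICES = {"svchost", "spooler", "lsass", "wininit"}
SYSTEM_MODULES = {"kernel32.dll", "ntdll.dll", "wininet.dll"}
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s"})
WORK_HOURS = (8, 20)          # assumed normal login / power window (hours of day)
FLOW_THRESHOLD = 10_000_000   # assumed per-record byte threshold for rule B3


def looks_like_system_name(name, reference) -> bool:
    """'High-imitation' check: not a known system name, but becomes one once digit
    look-alikes are replaced (svch0st -> svchost). Exact system names are not flagged."""
    if not name:
        return False
    low = name.lower()
    return low not in reference and low.translate(LOOKALIKES) in reference


def out_of_hours(ts) -> bool:
    """Assumed notion of an abnormal time: outside the WORK_HOURS window."""
    if ts is None:
        return False
    hour = datetime.fromisoformat(ts).hour
    return not (WORK_HOURS[0] <= hour < WORK_HOURS[1])


# First strategy: dynamic behaviour carried by the process data (rules A1-A3).
def rule_a1(rec) -> bool:
    params = rec.get("process_params") or ""
    return bool(IP_RE.search(params) or DOMAIN_RE.search(params))


def rule_a2(rec) -> bool:
    return looks_like_system_name(rec.get("process_service_id"), SYSTEM_SERVICES)


def rule_a3(rec) -> bool:
    return looks_like_system_name(rec.get("process_module"), SYSTEM_MODULES)


# Second strategy: abnormal login, power and traffic behaviour (rules B1-B3).
def rule_b1(rec) -> bool:
    return out_of_hours(rec.get("login_time"))


def rule_b2(rec) -> bool:
    return out_of_hours(rec.get("shutdown_time")) or out_of_hours(rec.get("startup_time"))


def rule_b3(rec) -> bool:
    return ((rec.get("upload_flow") or 0) > FLOW_THRESHOLD
            or (rec.get("download_flow") or 0) > FLOW_THRESHOLD)


FIRST_POLICY = {"A1": rule_a1, "A2": rule_a2, "A3": rule_a3}
SECOND_POLICY = {"B1": rule_b1, "B2": rule_b2, "B3": rule_b3}


def evaluate(policy: dict, rec: dict) -> dict:
    """Return {rule name: flag}; the flag is 1 when the rule is hit, else 0."""
    return {name: int(rule(rec)) for name, rule in policy.items()}


def decide(rec: dict) -> dict:
    """Decision result per policy: abnormal as soon as any rule sets its flag to 1."""
    flag1 = evaluate(FIRST_POLICY, rec)
    flag2 = evaluate(SECOND_POLICY, rec)
    return {"first": "abnormal" if any(flag1.values()) else "normal",
            "second": "abnormal" if any(flag2.values()) else "normal",
            "flag1": flag1, "flag2": flag2}


# Constructed normalised records; every value is made up for the example.
SAMPLE = [
    {"process_params": "update.exe http://203.0.113.7/payload", "process_service_id": "svch0st",
     "process_module": "kerne132.dll", "login_time": "2020-07-20T02:13:00",
     "shutdown_time": None, "startup_time": None,
     "upload_flow": 50_000_000, "download_flow": 1_000},
    {"process_params": "notepad.exe notes.txt", "process_service_id": "Spooler",
     "process_module": "ntdll.dll", "login_time": "2020-07-20T09:30:00",
     "shutdown_time": "2020-07-19T18:01:00", "startup_time": "2020-07-20T08:58:00",
     "upload_flow": 2_000, "download_flow": 40_000},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(decide(rec))
```

The first sample record hits A1 (an IP in the parameters), A2 (`svch0st`), A3 (`kerne132.dll`), B1 (a 02:13 login) and B3 (50 MB uploaded), so both policies return an abnormal decision; the second record hits nothing. Keeping the per-rule flags in the decision result is what later lets the IoC extraction step pick out the specific record and field that caused the hit.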
(3) Analyzing the data to be detected by adopting a third strategy to obtain a decision result corresponding to each strategy comprises the following steps:
creating a machine learning model comprising at least one of: a hidden DNS tunnel communication model, a WebShell (code execution environment) backdoor model and a mining behavior model; analyzing the data to be detected according to the machine learning model to obtain a corresponding machine learning result; judging whether the machine learning result hits a third strategy, wherein the third strategy is used for identifying information which is carried by the data to be detected and accords with the characteristics of the machine learning model; and under the condition that the machine learning result is judged to hit the third strategy, determining that the decision result corresponding to the third strategy is in an abnormal state.
The third strategy comprises at least one rule, the machine learning result comprises characteristic information corresponding to any one of a hidden DNS tunnel communication model, a WebShell back door model and a mining behavior model, and the third strategy is hit when any one of the characteristic information hits the corresponding rule. In the following, an embodiment of analyzing the data to be detected by using the third strategy will be described in conjunction with the machine learning analysis technique.
Rule C1: analyzing the data to be detected by adopting a hidden DNS tunnel communication model, judging whether hidden DNS tunnel communication behavior exists, setting a preset identifier flag3 to 1 when hidden DNS tunnel communication behavior is judged to exist, and otherwise setting flag3 to 0.
Rule C2: analyzing the data to be detected by adopting a WebShell backdoor model, judging whether WebShell backdoor behavior exists, setting flag3 to 1 when WebShell backdoor behavior exists, and otherwise setting flag3 to 0.
Rule C3: analyzing the data to be detected by adopting a mining behavior model, judging whether mining behavior exists, setting flag3 to 1 when mining behavior is judged to exist, and otherwise setting flag3 to 0.
In the above rules, if flag3 corresponding to a certain rule is set to 1, it is determined that the third policy is hit, and this indicates that there is an abnormal behavior in the protection device.
In some embodiments, policies may be configured according to circumstances, including but not limited to: analyzing the data to be detected by adopting at least one strategy; each strategy uses at least one rule to analyze the data to be detected.
In step S103, the data to be detected may be analyzed by using at least one policy to obtain a decision result corresponding to each policy; and determining that dangerous behaviors exist in the plurality of protective devices under the condition that a plurality of decision results in the decision results are in abnormal states.
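As an added example (not code from the patent or its applicant), the following Python sketch shows how the flag-per-strategy logic and the cooperative decision of step S103 fit together: each strategy is a set of rules, a strategy's flag becomes 1 as soon as any one of its rules hits, and dangerous behavior is declared only when at least two strategies' decision results are abnormal. The record field names (`process_params`, `login_hour`, `upload_bytes`, `ml_scores`, ...), the thresholds, and the representation of the three machine learning models as scores already attached to the record by an upstream component are all assumptions; rules A2, A3 and B2 need reference lists the text does not give and are left out.

```python
"""Policy/rule decision engine in the style of the first, second and third strategies.

Added example, not the patent's own code. Assumptions: the field names of the
standard-format records (process_params, login_hour, upload_bytes, ...), the
thresholds, and that the three machine learning models are represented by
scores in [0, 1] that an upstream component has already attached to a record.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, object]

# Rule A1: does the process parameter carry an IPv4 address or a domain name?
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|cn|xyz|top)\b", re.I)


def rule_a1(rec: Record) -> bool:
    params = str(rec.get("process_params", ""))
    return bool(_IPV4.search(params) or _DOMAIN.search(params))


def rule_b1(rec: Record) -> bool:
    """Rule B1: login outside an assumed normal window of 07:00-20:00 (hour 0-23)."""
    hour = rec.get("login_hour")
    return hour is not None and not 7 <= int(hour) <= 20


def rule_b3(rec: Record, limit_bytes: int = 500_000_000) -> bool:
    """Rule B3: upload or download volume above a preset threshold (assumed 500 MB)."""
    return (int(rec.get("upload_bytes", 0)) > limit_bytes
            or int(rec.get("download_bytes", 0)) > limit_bytes)


def model_rule(model: str, threshold: float = 0.8) -> Callable[[Record], bool]:
    """Rules C1-C3: the named model's score for the behaviour reaches the threshold."""
    def _rule(rec: Record) -> bool:
        scores = rec.get("ml_scores") or {}
        return float(scores.get(model, 0.0)) >= threshold
    _rule.__name__ = f"rule_{model}"
    return _rule


@dataclass
class Policy:
    name: str
    rules: List[Callable[[Record], bool]] = field(default_factory=list)

    def evaluate(self, rec: Record) -> int:
        """The policy's flag: 1 (abnormal) when any of its rules hits, else 0."""
        return 1 if any(rule(rec) for rule in self.rules) else 0


POLICIES = [
    Policy("first", [rule_a1]),
    Policy("second", [rule_b1, rule_b3]),
    Policy("third", [model_rule("dns_tunnel"), model_rule("webshell"), model_rule("mining")]),
]


def cooperative_decision(rec: Record, policies: List[Policy] = POLICIES,
                         min_abnormal: int = 2) -> Dict[str, object]:
    """Evaluate every policy; dangerous behaviour needs at least min_abnormal abnormal flags."""
    flags = {p.name: p.evaluate(rec) for p in policies}
    return {"flags": flags, "dangerous": sum(flags.values()) >= min_abnormal}


# Constructed sample records in the assumed standard format.
SAMPLES = {
    "benign": {"process_params": "notepad.exe readme.txt", "login_hour": 10,
               "upload_bytes": 2_048, "download_bytes": 65_536,
               "ml_scores": {"dns_tunnel": 0.05, "webshell": 0.02, "mining": 0.01}},
    "single_hit": {"process_params": "python3 worker.py", "login_hour": 14,
                   "upload_bytes": 1_000, "download_bytes": 1_000,
                   "ml_scores": {"dns_tunnel": 0.10, "webshell": 0.05, "mining": 0.95}},
    "multi_hit": {"process_params": "svchost.exe -connect 203.0.113.7:4444", "login_hour": 3,
                  "upload_bytes": 900_000_000, "download_bytes": 10_000,
                  "ml_scores": {"dns_tunnel": 0.91, "webshell": 0.20, "mining": 0.30}},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, cooperative_decision(rec))
```

The `single_hit` record shows why the "several decision results abnormal" condition matters: a lone high mining score sets the third strategy's flag but does not by itself declare dangerous behavior, whereas `multi_hit` trips all three strategies. The threshold `min_abnormal` is the tunable that trades false positives against missed detections.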
In some embodiments, after analyzing the data to be detected and determining the intrusion condition of the plurality of protective devices according to the result obtained by the analysis, the method further includes: obtaining IOC data (indicators of compromise, referred to here as intrusion threat indicator data) from the corresponding data to be detected according to the decision result showing an abnormal state, where the intrusion threat indicator data includes at least one of the following: an IP address, a domain name, and a HASH value; and sending the IOC data to the plurality of protective devices. With this arrangement, real-time linkage and communication among different types of protective devices can be achieved, so that the intrusion detection capability of the protective devices is further improved.
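The IOC step described above, as an added example that is not part of the patent: records whose decision result carries at least one abnormal flag are the only source of indicators, each candidate value is validated by type before it is accepted, and the merged set is packaged once per protective device. The record schema (`dst_ip`, `domain`, `file_hash`), the decision dict shape, and the device names are assumptions; only the destination side of a connection is treated as an IOC source, since a device's own source address is rarely useful to share.

```python
"""Extracting IOC data from records whose decision result is abnormal, and
preparing it for distribution to every protection device.

Added example, not the patent's own code. Assumptions: records carry the
fields dst_ip, domain and file_hash; the decision result is the dict
{"flags": {...}, "dangerous": bool} produced upstream; devices are addressed
by name and the 'send' step is modelled as building one message per device.
"""
import re
from typing import Dict, List, Tuple

_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# Which record fields feed which IOC type (assumed schema).
FIELD_TYPES = {"dst_ip": "ip", "domain": "domain", "file_hash": "hash"}
VALIDATORS = {"ip": _IPV4, "domain": _DOMAIN, "hash": _HASH}

# Addresses that never make sense as shareable IOCs (loopback, unspecified).
IGNORED_IPS = {"127.0.0.1", "0.0.0.0"}


def extract_iocs(record: Dict[str, object]) -> Dict[str, List[str]]:
    """Pull validated IOCs (ip, domain, hash) out of one to-be-detected record."""
    found: Dict[str, List[str]] = {"ip": [], "domain": [], "hash": []}
    for fld, ioc_type in FIELD_TYPES.items():
        value = str(record.get(fld) or "").strip()
        if not value or not VALIDATORS[ioc_type].match(value):
            continue
        if ioc_type == "ip" and value in IGNORED_IPS:
            continue
        if ioc_type == "hash":
            value = value.lower()  # canonical form so the same hash is not shared twice
        if value not in found[ioc_type]:
            found[ioc_type].append(value)
    return found


def collect_iocs(decided: List[Tuple[Dict[str, object], Dict[str, object]]]) -> Dict[str, List[str]]:
    """Merge IOCs from every (record, decision) pair whose decision is abnormal.

    A pair counts as abnormal when any policy flag is 1, i.e. when at least one
    decision result is in the abnormal state.
    """
    merged: Dict[str, List[str]] = {"ip": [], "domain": [], "hash": []}
    for record, decision in decided:
        if not any(decision.get("flags", {}).values()):
            continue
        for ioc_type, values in extract_iocs(record).items():
            for v in values:
                if v not in merged[ioc_type]:
                    merged[ioc_type].append(v)
    return merged


def build_dispatch(iocs: Dict[str, List[str]], devices: List[str]) -> List[Dict[str, object]]:
    """One message per protection device carrying the same IOC set."""
    return [{"target": d, "iocs": iocs} for d in devices]


# Constructed sample input: (record, decision) pairs.
DECIDED = [
    ({"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "domain": "update.example.net",
      "file_hash": "D41D8CD98F00B204E9800998ECF8427E"},
     {"flags": {"first": 1, "second": 0, "third": 1}, "dangerous": True}),
    ({"src_ip": "10.0.0.9", "dst_ip": "198.51.100.2", "domain": "", "file_hash": "not-a-hash"},
     {"flags": {"first": 0, "second": 1, "third": 0}, "dangerous": False}),
    ({"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "domain": "benign.example.org", "file_hash": ""},
     {"flags": {"first": 0, "second": 0, "third": 0}, "dangerous": False}),
]
DEVICES = ["host-edr-01", "network-fw-01"]

if __name__ == "__main__":
    for msg in build_dispatch(collect_iocs(DECIDED), DEVICES):
        print(msg)
```

Validation before sharing is the part worth keeping: an unvalidated field such as `"not-a-hash"` would otherwise be pushed to every device as a blocking indicator, and a malformed IP in a block list can cause more disruption than the intrusion it was meant to stop.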
The embodiment of the application provides a multi-device intrusion detection system. Fig. 2 is a block diagram of a multi-device intrusion detection system according to an embodiment of the present application, where as shown in fig. 2, the multi-device intrusion detection system includes: the system comprises a plurality of protective devices 21 and a cooperative analysis device 22, wherein each protective device 21 in the plurality of protective devices 21 is isolated from each other, and each protective device 21 in the plurality of protective devices 21 is respectively coupled with the cooperative analysis device 22; the multiple protection devices 21 are configured to generate protection information, and the cooperative analysis device 22 is configured to obtain the protection information from the multiple protection devices and, according to the protection information, perform the method for detecting intrusion by multiple devices as described in the foregoing embodiment.
In some embodiments, the cooperative analysis device is provided with a device for judging threat intelligence information.
In some embodiments, a database for storing threat intelligence information is provided in the collaborative analysis apparatus.
The method for detecting a multi-device intrusion will be described below with reference to preferred embodiments. Fig. 3 is a schematic diagram illustrating an operation principle of a multi-device intrusion detection system according to a preferred embodiment of the present application, and as shown in fig. 3, the operation principle of the multi-device intrusion detection system includes the following steps:
Step (1): the threat studying and judging center collects process information, network flow information, file information, system logs and user behavior information from the host protection equipment and the network protection equipment. The threat studying and judging center is the device for judging threat intelligence information.
Step (2): the acquired protection information is input to the threat studying and judging center, which cleans the input format of the protection information and outputs the data to be detected in a standard information format.
Step (3): the threat studying and judging center adopts a dynamic behavior analysis technology, an abnormal behavior analysis technology and a machine learning technology to carry out a cooperative decision on the data to be detected and obtain a cooperative decision result, where the cooperative decision result includes the intrusion condition of the protective equipment and threat intelligence.
Step (4): the threat studying and judging center sends the cooperative decision result to the knowledge base. The knowledge base is the database used for storing threat intelligence information.
Step (5): the knowledge base sends the cooperative decision result to the host protection equipment and the network protection equipment.
It should be noted that the above steps may be performed in a computer system such as a set of computer executable instructions.
The multi-device intrusion detection system of the embodiment realizes a cooperative analysis mechanism and improves the intrusion detection capability of the protection device; threat information in the knowledge base is linked with the host protection equipment and the network protection equipment in real time, communication combination is achieved through the network, and the intrusion detection capability of the protection equipment is further improved.
The cooperative analysis device provided in this embodiment may perform any one of the methods for detecting an intrusion by multiple devices in the foregoing embodiments, where the cooperative analysis device includes, but is not limited to, a terminal, a computer, or a similar operation device. Fig. 4 is a block diagram of a hardware structure of a cooperative analysis device according to a preferred embodiment of the present application, and as shown in fig. 4, the cooperative analysis device may include one or more processors 402 (only one is shown in fig. 4) (the processor 402 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.) and a memory 404 for storing data, and optionally, the terminal may further include a transmission device 406 for communication function and an input/output device 408. It will be understood by those skilled in the art that the structure shown in fig. 4 is only an illustration and is not intended to limit the structure of the terminal. For example, the collaborative analysis device may also include more or fewer components than shown in FIG. 4, or have a different configuration than shown in FIG. 4.
The memory 404 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the multi-device intrusion detection method in the embodiment of the present invention, and the processor 402 executes various functional applications and data processing by running the computer programs stored in the memory 404, so as to implement the method described above. The memory 404 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 404 can further include memory located remotely from the processor 402, which can be connected to the cooperative analysis device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 406 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the cooperative analysis device. In one example, the transmission device 406 includes a Network Interface Card (NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 406 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment further provides a device for detecting intrusion of multiple devices, where the device is used to implement the foregoing embodiments and preferred embodiments, and details are not repeated for what has been described. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a multi-device intrusion detection apparatus according to an embodiment of the present application, and as shown in fig. 5, the apparatus includes: an acquisition module 51, a conversion module 52 and a determination module 53; the obtaining module 51 is configured to obtain protection information from a plurality of pieces of protection equipment, where each piece of protection equipment is isolated from each other; the conversion module 52 is coupled to the obtaining module 51, and is configured to convert the protection information with the same attribute in the protection information into to-be-detected data with the same format; and the determining module 53 is coupled to the converting module 52, and is configured to analyze the data to be detected and determine the intrusion condition of the plurality of protective devices according to the result obtained by the analysis.
In some of these embodiments, the determining module 53 includes: the first acquisition unit is used for acquiring process parameters, process service identifiers and process loading module names in the data to be detected; the first judging unit is used for judging whether any one of the process parameters, the process service identifiers and the process loading module names hits a first strategy, wherein the first strategy is used for identifying dynamic behavior information carried by the data to be detected; and the first determining module is used for determining that a decision result corresponding to the first strategy is in an abnormal state under the condition that any one of the process parameters, the process service identifier and the process loading module name hits the first strategy.
In some of these embodiments, the determining module 53 includes: the second acquisition unit is used for acquiring the time of logging in the protective equipment by an operating system user in the data to be detected, the shutdown time of the protective equipment, the startup time of the protective equipment, the upload flow and the download flow; the second judgment unit is used for judging whether any one of time of logging in the protective equipment, shutdown time of the protective equipment, startup time of the protective equipment, uploading flow and downloading flow of an operating system user hits a second strategy, and the second strategy is used for identifying abnormal behavior information carried by the data to be detected; and the second determining module is used for determining that a decision result corresponding to the second strategy is in an abnormal state under the condition that any one of the time of logging in the protective equipment by the operating system user, the shutdown time of the protective equipment, the startup time of the protective equipment, the uploading flow and the downloading flow hits the second strategy.
In some of these embodiments, the determining module 53 includes: a creating unit for creating a machine learning model comprising at least one of: a hidden DNS tunnel communication model, a WebShell back door model and an ore excavation behavior model; the first analysis unit is used for analyzing the data to be detected according to the machine learning model to obtain a corresponding machine learning result; the third judging unit is used for judging whether the machine learning result hits a third strategy, wherein the third strategy is used for identifying information which is carried by the data to be detected and accords with the characteristics of the machine learning model; and the third determining module is used for determining that the decision result corresponding to the third strategy is in an abnormal state under the condition that the machine learning result is judged to hit the third strategy.
In some of these embodiments, the determining module 53 includes: the second analysis unit is used for analyzing the data to be detected by adopting at least one strategy to obtain a decision result corresponding to each strategy; and the determining submodule determines that dangerous behaviors exist in the plurality of protective devices under the condition that a plurality of decision results in the decision results are in abnormal states.
In some of these embodiments, the apparatus further comprises: a third obtaining unit, configured to obtain intrusion threat index data from corresponding data to be detected according to a decision result that shows an abnormal state, where the intrusion threat index data includes at least one of the following: IP, domain name, HASH value; and the sending unit is used for sending the intrusion threat index data to the plurality of protective devices.
In some of these embodiments, the conversion module 52 includes: a deleting unit configured to delete a duplicate entry in the case where the duplicate entry exists in the protection information; and/or a compensation unit configured to fill in a missing item in the case where the missing item exists in the data to be detected.
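The conversion step, serving both step (2) of the preferred embodiment (cleaning the input format into a standard information format) and the deleting and compensation units above, as an added example that is not the patent's own code: protection information from a host device and a network device arrives with different attribute names and timestamp conventions, is renamed to one standard field set, has duplicates removed and missing items filled with defaults. The raw field names, the standard field set, the timestamp format and the default values are all invented for illustration.

```python
"""Step (2) / conversion module: turn protection information from different
kinds of protection device into to-be-detected data with one standard format,
dropping duplicate entries and filling in missing items.

Added example, not the patent's own code. Assumptions: the raw field names of
the host and network devices, the standard field set, and the defaults used
for missing items are all invented for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List

STANDARD_FIELDS = ("device", "device_type", "timestamp", "process_name",
                   "process_params", "src_ip", "dst_ip", "domain",
                   "upload_bytes", "download_bytes")

# Per-device-type mapping from the raw attribute name to the standard one.
FIELD_MAPS = {
    "host": {"host_id": "device", "ts": "timestamp", "proc": "process_name",
             "cmdline": "process_params"},
    "network": {"sensor": "device", "time": "timestamp", "sip": "src_ip",
                "dip": "dst_ip", "fqdn": "domain", "tx": "upload_bytes",
                "rx": "download_bytes"},
}

# Values substituted for missing items (the "compensation" step).
DEFAULTS = {"process_name": "", "process_params": "", "src_ip": "", "dst_ip": "",
            "domain": "", "upload_bytes": 0, "download_bytes": 0}


def _iso_utc(value) -> str:
    """Normalise a timestamp given as epoch seconds or an ISO-8601 string to ISO-8601 UTC."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        dt = dt.astimezone(timezone.utc)
    return dt.replace(microsecond=0).isoformat()


def to_standard(raw: Dict[str, object], device_type: str) -> Dict[str, object]:
    """Rename raw attributes to the standard names and fill in missing items."""
    mapping = FIELD_MAPS[device_type]
    rec: Dict[str, object] = {"device_type": device_type}
    for raw_name, value in raw.items():
        std_name = mapping.get(raw_name, raw_name)
        if std_name in STANDARD_FIELDS:  # attributes outside the standard set are dropped
            rec[std_name] = value
    rec["timestamp"] = _iso_utc(rec.get("timestamp", 0))
    for name in STANDARD_FIELDS:
        if rec.get(name) is None:
            rec[name] = DEFAULTS.get(name, "")
    return rec


def dedupe(records: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Delete duplicate entries, keeping the first occurrence and the input order."""
    seen = set()
    out = []
    for rec in records:
        key = tuple(str(rec.get(f, "")) for f in STANDARD_FIELDS)
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def normalise(host_raw: List[Dict[str, object]], net_raw: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Whole conversion step: rename, fill missing items, then delete duplicates."""
    converted = [to_standard(r, "host") for r in host_raw] + [to_standard(r, "network") for r in net_raw]
    return dedupe(converted)


# Constructed sample protection information from two device types.
HOST_RAW = [
    {"host_id": "srv-01", "ts": 1595203200, "proc": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host_id": "srv-01", "ts": 1595203200, "proc": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},  # duplicate
]
NET_RAW = [
    {"sensor": "fw-01", "time": "2020-07-20T00:00:05Z", "sip": "10.0.0.5", "dip": "203.0.113.7",
     "fqdn": "update.example.net", "tx": 4096},  # 'rx' missing, will be filled with 0
]

if __name__ == "__main__":
    for rec in normalise(HOST_RAW, NET_RAW):
        print(rec)
```

Filling missing items after renaming is deliberate: the rules of the later strategies read fields such as `upload_bytes` unconditionally, and a consistent default is safer than a `KeyError` or a silently skipped record inside the decision step. Deduplication is keyed on the full standard record so that two genuinely different events from the same host at the same second are both kept.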
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
In addition, in combination with the method for detecting intrusion of multiple devices in the foregoing embodiments, the embodiments of the present application may provide a storage medium to implement. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements any one of the above-described embodiments of the method for detecting a multi-device intrusion.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (7)

1. A method for detecting a multi-device intrusion, comprising:
the method comprises the steps of obtaining protection information from a plurality of protection devices, wherein each protection device in the plurality of protection devices is isolated from each other;
converting the protection information with the same attribute in the protection information into to-be-detected data with the same format;
analyzing the data to be detected, and determining the invasion condition of the plurality of protective devices according to the result obtained by analysis;
analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by the analysis comprises the following steps: analyzing the data to be detected by adopting at least two strategies to obtain a decision result corresponding to each strategy, and determining that the plurality of protective devices have dangerous behaviors under the condition that a plurality of decision results show abnormal states, wherein,
analyzing the data to be detected by adopting a first strategy comprises the following steps:
acquiring process parameters, process service identifiers and process loading module names in the data to be detected;
judging whether any one of the process parameters, the process service identification and the process loading module name hits a first strategy, wherein the first strategy is used for identifying dynamic behavior information carried by the data to be detected;
determining that a decision result corresponding to the first strategy is in an abnormal state under the condition that any one of the process parameter, the process service identifier and the process loading module name hits the first strategy;
the first strategy comprises three rules, wherein the rule A1 is used for judging whether the process parameter carries an IP (Internet protocol) or a domain name, the rule A2 is used for judging whether the corresponding process is a high-imitation system service and/or a third-party service according to the process service identifier, the rule A3 is used for judging whether the process loading module is a high-imitation system file module and/or a third-party signature module, and if any one of the rules is judged to be yes, the first strategy is hit;
analyzing the data to be detected by adopting a second strategy comprises the following steps:
acquiring the time of logging in the protective equipment by an operating system user in the data to be detected, the shutdown time of the protective equipment, the startup time of the protective equipment, the uploading flow and the downloading flow;
judging whether any one of time when the operating system user logs in the protective device, time when the protective device is turned off, time when the protective device is turned on, and uploading flow and downloading flow hits a second strategy, wherein the second strategy is used for identifying abnormal behavior information carried by the data to be detected;
determining that a decision result corresponding to the second policy is in an abnormal state under the condition that any one of time when the operating system user logs in the protective device, shutdown time of the protective device, startup time of the protective device, the upload flow and the download flow is judged to hit the second policy;
the second policy comprises three rules, a rule B1 is used for judging whether the time of logging in the protective equipment by the operating system user is abnormal, a rule B2 is used for judging whether the power-off time and the power-on time of the protective equipment are abnormal, a rule B3 is used for judging whether the upload flow and the download flow exceed preset thresholds, and if any one of the rules is judged to be yes, the second policy is hit;
analyzing the data to be detected by adopting a third strategy comprises the following steps:
creating a machine learning model comprising at least one of: a hidden DNS tunnel communication model, a WebShell back door model and a mining behavior model;
analyzing the data to be detected according to the machine learning model to obtain a corresponding machine learning result;
judging whether the machine learning result hits a third strategy, wherein the third strategy is used for identifying information which is carried by the data to be detected and accords with the characteristics of the machine learning model;
determining that a decision result corresponding to the third strategy is in an abnormal state under the condition that the machine learning result is judged to hit the third strategy;
the third strategy comprises three rules, wherein the rule C1 is used for analyzing the data to be detected by adopting a hidden DNS tunnel communication model and judging whether a hidden DNS tunnel communication behavior exists, the rule C2 is used for analyzing the data to be detected by adopting a WebShell back door model and judging whether the WebShell back door behavior exists, the rule C3 is used for analyzing the data to be detected by adopting a mining behavior model and judging whether the mining behavior exists, and if any one of the rules is judged to be yes, the third strategy is hit.
2. The method for detecting the intrusion of the multiple devices according to claim 1, wherein analyzing the data to be detected and determining the intrusion condition of the multiple protection devices according to the result obtained by the analysis comprises:
analyzing the data to be detected by adopting at least one strategy to obtain a decision result corresponding to each strategy;
and under the condition that a plurality of decision results in the decision results are represented as abnormal states, determining that the plurality of protective devices have dangerous behaviors.
3. The method for detecting multiple device intrusions according to claim 1, wherein after analyzing the data to be detected and determining the intrusion situations of the multiple protection devices according to the analysis result, the method further comprises:
according to the decision result showing the abnormal state, intrusion threat index data are obtained from the corresponding data to be detected, wherein the intrusion threat index data comprise at least one of the following data: IP, domain name, HASH value;
and sending the intrusion threat indicator data to the plurality of protective devices.
4. The method for detecting the intrusion of multiple devices according to claim 1, wherein converting the protection information with the same attribute in the protection information into the data to be detected with the same format comprises:
deleting the repeated item when the protection information has the repeated item; and/or
filling in the missing items under the condition that the data to be detected has missing items.
5. A multi-device intrusion detection apparatus, comprising:
the device comprises an acquisition module, a processing module and a display module, wherein the acquisition module is used for acquiring protection information from a plurality of protection devices, and each protection device in the plurality of protection devices is isolated from each other;
the conversion module is used for converting the protection information with the same attribute in the protection information into to-be-detected data with the same format;
the determining module is used for analyzing the data to be detected and determining the invasion condition of the plurality of protective devices according to the result obtained by analysis;
analyzing the data to be detected, and determining the intrusion condition of the plurality of protective devices according to the result obtained by the analysis comprises the following steps: analyzing the data to be detected by adopting at least two strategies to obtain a decision result corresponding to each strategy, and determining that the plurality of protective devices have dangerous behaviors under the condition that a plurality of decision results show abnormal states, wherein,
analyzing the data to be detected by adopting a first strategy comprises the following steps:
acquiring process parameters, process service identifiers and process loading module names in the data to be detected;
judging whether any one of the process parameters, the process service identifiers and the process loading module names hits a first strategy, wherein the first strategy is used for identifying dynamic behavior information carried by the data to be detected;
determining that a decision result corresponding to the first strategy is in an abnormal state under the condition that any one of the process parameters, the process service identifier and the process loading module name hits the first strategy;
the first strategy comprises three rules, wherein the rule A1 is used for judging whether the process parameter carries an IP (Internet protocol) or a domain name, the rule A2 is used for judging whether the corresponding process is a high-imitation system service and/or a third-party service according to the process service identifier, the rule A3 is used for judging whether the process loading module is a high-imitation system file module and/or a third-party signature module, and if any one of the rules is judged to be yes, the first strategy is hit;
analyzing the data to be detected by adopting a second strategy comprises the following steps:
acquiring the time of logging in the protective equipment by an operating system user in the data to be detected, the shutdown time of the protective equipment, the startup time of the protective equipment, and upload flow and download flow;
judging whether any one of time when the operating system user logs in the protective device, time when the protective device is turned off, time when the protective device is turned on, and uploading flow and downloading flow hits a second strategy, wherein the second strategy is used for identifying abnormal behavior information carried by the data to be detected;
determining that a decision result corresponding to the second policy is in an abnormal state under the condition that any one of time when the operating system user logs in the protective device, shutdown time of the protective device, startup time of the protective device, the upload flow and the download flow is judged to hit the second policy;
the second policy comprises three rules, a rule B1 is used for judging whether the time of logging in the protective equipment by the operating system user is abnormal, a rule B2 is used for judging whether the power-off time and the power-on time of the protective equipment are abnormal, a rule B3 is used for judging whether the upload flow and the download flow exceed preset thresholds, and if any one of the rules is judged to be yes, the second policy is hit;
analyzing the data to be detected by adopting a third strategy comprises the following steps:
creating a machine learning model comprising at least one of: a hidden DNS tunnel communication model, a WebShell back door model and a mining behavior model;
analyzing the data to be detected according to the machine learning model to obtain a corresponding machine learning result;
judging whether the machine learning result hits a third strategy, wherein the third strategy is used for identifying information which is carried by the data to be detected and accords with the characteristics of the machine learning model;
determining that a decision result corresponding to the third strategy is in an abnormal state under the condition that the machine learning result is judged to hit the third strategy;
the third strategy comprises three rules, wherein the rule C1 is used for analyzing the data to be detected by adopting a hidden DNS tunnel communication model and judging whether a hidden DNS tunnel communication behavior exists, the rule C2 is used for analyzing the data to be detected by adopting a WebShell back door model and judging whether the WebShell back door behavior exists, the rule C3 is used for analyzing the data to be detected by adopting a mining behavior model and judging whether the mining behavior exists, and if any one of the rules is judged to be yes, the third strategy is hit.
6. A multi-device intrusion detection system, comprising: the system comprises a plurality of protective devices and a cooperative analysis device, wherein each protective device in the plurality of protective devices is isolated from each other, and each protective device in the plurality of protective devices is coupled with the cooperative analysis device respectively; the multiple protection devices are used for generating protection information, and the cooperative analysis device is used for acquiring the protection information from the multiple protection devices and executing the multiple-device intrusion detection method according to any one of claims 1 to 4 according to the protection information.
7. A storage medium having stored thereon a computer program, wherein the computer program is arranged to execute the method of detecting a multi-device intrusion according to any one of claims 1 to 4 when the computer program is run.
Application CN202010697621.5A, priority date 2020-07-20, filing date 2020-07-20: Multi-device intrusion detection method, device, system and storage medium (status: Active).

Publications (2)

Publication Number Publication Date
CN111901326A (application publication) 2020-11-06
CN111901326B (granted patent) 2022-11-15

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant