CN111935180A - Active defense method, device and system for security equipment - Google Patents


Info

Publication number
CN111935180A
Authority
CN
China
Prior art keywords
equipment
security
running state
characteristic value
management platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011012735.8A
Other languages
Chinese (zh)
Inventor
王滨
张峰
王星
陈加栋
陈达
陈逸凯
徐文渊
冀晓宇
李俊
王冲华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202011012735.8A
Publication of CN111935180A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The application provides an active defense method, device and system for security equipment. The method comprises the following steps: the security front-end equipment obtains first equipment running state information in a preset unit time; the security front-end equipment determines a first statistical characteristic value of the first equipment running state information by using a determined variable point detection algorithm based on the first equipment running state information; the security front-end equipment determines whether the current equipment running state is abnormal or not based on the first statistical characteristic value and a determined second statistical characteristic value; and when the security front-end equipment is currently in an abnormal operation state, it alarms the equipment management platform. The method can reduce the computing resources and the storage resources required by the security front-end equipment for realizing active defense.

Description

Active defense method, device and system for security equipment
Technical Field
The application relates to the field of network security, in particular to an active defense method, device and system for security equipment.
Background
With the wide-range deployment of the security front-end equipment, how to efficiently carry out active defense on the security front-end equipment becomes a problem to be solved urgently.
At present, the active defense scheme of security front-end equipment mainly presets black and white lists (such as MD5 values of various known viruses and trojans) in the security front-end equipment to prevent the equipment from being attacked by hackers. The biggest problem with this method is that it depends heavily on the accuracy and timeliness of the black and white lists, the maintenance cost of the lists is high, and when the lists are large they place a heavy storage burden on the security front-end equipment.
Disclosure of Invention
In view of this, the present application provides an active defense method and apparatus for a security device, and an electronic device.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the embodiments of the present application, an active defense method for a security device is provided, which is applied to an active defense system for a security device, where the active defense system for a security device includes a security front-end device and a device management platform, and the method includes:
The method comprises the steps that security and protection front-end equipment obtains first equipment running state information in preset unit time;
the security front-end equipment determines a first statistical characteristic value of the running state information of the first equipment by using a determined variable point detection algorithm based on the running state information of the first equipment;
the security front-end equipment determines whether the current running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second equipment running state information determined by the variable point detection algorithm based on second equipment running state information in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and when the security front-end equipment is in an abnormal operation state at present, the security front-end equipment gives an alarm to the equipment management platform.
According to a second aspect of the embodiments of the present application, an active defense apparatus for security equipment is provided, which is applied to security front-end equipment, the apparatus includes:
the device comprises an acquisition unit, a processing unit and a control unit, wherein the acquisition unit is used for acquiring the running state information of first equipment in preset unit time;
a first determining unit, configured to determine, based on the first device operating state information, a first statistical feature value of the first device operating state information by using a determined change point detection algorithm;
the second determining unit is used for determining whether the current equipment running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second equipment running state information determined by the variable point detection algorithm based on second equipment running state information in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and the defense unit is used for giving an alarm to the equipment management platform when the equipment is in an abnormal operation state.
According to a third aspect of the embodiments of the present application, there is provided an active defense system for security devices, including: security front-end equipment and an equipment management platform; wherein:
the security front-end equipment is used for acquiring the running state information of the first equipment in a preset unit time;
the security front-end equipment is further used for determining a first statistical characteristic value of the running state information of the first equipment by using a determined variable point detection algorithm based on the running state information of the first equipment;
the security front-end equipment is further used for determining whether the current running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is the statistical characteristic value of the running state information of the second equipment determined by the variable point detection algorithm based on the running state information of the second equipment in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and the security front-end equipment is further used for giving an alarm to the equipment management platform when the current equipment is in an abnormal operation state.
The active defense method for security equipment of the embodiment of the application obtains the first equipment running state information in the preset unit time, determines a first statistical characteristic value of the first equipment running state information based on that information by using the determined change point detection algorithm, and determines whether the current equipment running state is abnormal based on the first statistical characteristic value and the determined second statistical characteristic value of the second equipment running state information of the security front-end equipment in the normal running state; furthermore, when the equipment is in an abnormal operation state, the equipment management platform is alarmed. The dependence of the security front-end equipment's active defense on black and white lists is thus avoided: the security front-end equipment does not need to store or update the black and white lists, so the computing resources and the storage resources required for realizing active defense are reduced.
Drawings
Fig. 1 is a schematic flowchart illustrating an active defense method for a security device according to an exemplary embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of an active defense system of a security device according to an exemplary embodiment of the present application;
Fig. 3 is a schematic flowchart illustrating an active defense method for a security device according to an exemplary embodiment of the present application;
Fig. 4 is a schematic structural diagram of an active defense device of security equipment according to an exemplary embodiment of the present application;
Fig. 5 is a schematic diagram illustrating a hardware structure of an electronic device according to an exemplary embodiment of the present application;
Fig. 6 is a schematic structural diagram of an active defense system of a security device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a schematic flow diagram of an active defense method for a security device according to an embodiment of the present application is provided, where the active defense method for a security device may be applied to an active defense system for a security device, and the active defense system for a security device may include a security front-end device and a device management platform, as shown in fig. 1, the active defense method for a security device may include the following steps:
Step S100, the security front-end equipment acquires the running state information of the first equipment in a preset unit time.
For example, the preset unit time may include 1 second, 1 millisecond, or the like.
Illustratively, the device operating state information may include, but is not limited to, one or more of CPU (central processing Unit) occupancy, memory occupancy, and network bandwidth.
In the embodiment of the application, the security front-end device may obtain the device running state information (referred to as first device running state information herein) of the device every preset unit time.
For example, taking the preset unit time as 1 second as an example, the security front-end device may obtain the device running state information of the device once per second, that is, the security front-end device may obtain the device running state information of the device in 1 second as the unit time.
Step S110, the security front-end device determines a first statistical characteristic value of the running state information of the first device by using a determined variable point detection algorithm based on the running state information of the first device.
Step S120, the security front-end equipment determines whether the current running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is the statistical characteristic value of the running state information of the second equipment determined by the variable point detection algorithm based on the running state information of the second equipment in the first time period when the security front-end equipment is in the normal running state, and the first time period comprises a plurality of preset unit times.
In the embodiment of the application, it is considered that the traditional active defense scheme of the security front-end device relies on a black-and-white list: storing the list occupies considerable storage space, which places a large storage burden on the security front-end device, and the list also has a high timeliness requirement.
In addition, it is considered that when the security front-end device is in a normal operation state, the device operation state information of the security front-end device is usually maintained in a relatively stable state, and the device operation state information generally does not appear to suddenly increase or decrease.
Correspondingly, when the device running state information of the security front-end device suddenly increases or suddenly decreases, the security front-end device usually has an abnormal running state, such as being attacked by a virus or a trojan horse.
Therefore, by using the fact that the running state information of the security front-end equipment is stable in the normal running state, the running state information can be analyzed to detect whether it suddenly increases or decreases, so as to determine whether the running state of the equipment is abnormal.
Based on the above consideration, in the embodiment of the application, a statistical characteristic value of data distribution for representing the operation state information of the security front-end device may be determined through a variable point detection algorithm, and whether the operation state of the security front-end device is abnormal or not may be detected based on the statistical characteristic value.
Accordingly, the security front-end device may select the device operation state information (referred to as second device operation state information herein) in a time period when the device is in the normal operation state (the end time of this time period is before step S110, and it is referred to as the first time period herein), and determine a statistical characteristic value (referred to as the second statistical characteristic value herein) of the second device operation state information by using a variable point detection algorithm, where the second statistical characteristic value represents the data distribution of the device operation state information in the normal operation state of the security front-end device.
Illustratively, the statistical characteristic value may include, but is not limited to, a variance or a standard deviation, etc.
For example, the normal operation state refers to a state in which the security front-end device is normally powered on and operated, and no additional task is executed.
The additional task refers to other tasks except the default task (such as camera inspection, running log reporting and the like) of the security front-end device, and is usually a manually triggered task.
For example, the security front-end device may use the device running state of the first 5-10 minutes after the device is turned on and enters normal operation as the second device running state information.
It should be noted that, in the embodiment of the present application, the calculation of the second statistical characteristic value may be performed either by the device management platform or by the security front-end device. Since the computing performance of the device management platform is usually strong, when the second statistical characteristic value is calculated by the device management platform, the duration of the first time period may be set longer, so as to improve the accuracy of determining the operating state of the device. Since the computing performance of the security front-end device is relatively weak, when the second statistical characteristic value is calculated by the security front-end device, the duration of the first time period may be set shorter, so as to reduce the performance consumption of the security front-end device.
In addition, because different variable point detection algorithms have different dependencies on the computing resources, when the computing operation of the second statistical characteristic value is executed by the device management platform, the variable point detection algorithm used can be the variable point detection algorithm with higher dependency on the computing resources, so as to improve the accuracy of the device operation state judgment. When the calculation operation of the second statistical characteristic value is performed by the security front-end device, the used variable point detection algorithm may be a variable point detection algorithm with low dependence on calculation resources, so as to reduce performance consumption of the security front-end device.
In one example, the calculation operation of the second statistical characteristic value is executed by the device management platform, and when the second statistical characteristic value is obtained, the second statistical characteristic value is issued to the security front-end device, so that the accuracy of the device running state judgment is improved, and the consumption of the calculation resource of the security front-end device by the calculation of the second statistical characteristic value is avoided.
In this embodiment of the application, when the security front-end device acquires the first device running state information, it may input the acquired information into the determined variable point detection algorithm (the variable point detection algorithm used when calculating the second statistical characteristic value) and calculate a statistical characteristic value (referred to as the first statistical characteristic value herein) of the first device running state information. The first statistical characteristic value represents the data distribution of the real-time running state information of the security front-end device, and it is compared with the second statistical characteristic value to determine whether the running state of the current device is abnormal.
For example, when the security front-end device is always in the normal operation state, the device operation state information of the security front-end device is always in the steady state, that is, the first statistical characteristic value and the second statistical characteristic value determined in the above manner are usually relatively close; when the operation state of the security front-end device is abnormal, such as when the security front-end device is attacked by a virus or a trojan horse, the operation state information of the security front-end device may suddenly increase or decrease, at this time, the first statistical characteristic value may be generally different from the second statistical characteristic value by a relatively large amount, and therefore, whether the operation state of the security front-end device is abnormal or not may be determined based on a difference between the first statistical characteristic value and the second statistical characteristic value.
For example, a difference between the second statistical characteristic value and the first statistical characteristic value may be determined based on the first statistical characteristic value and the second statistical characteristic value, and it is determined whether an absolute value of the difference exceeds a preset threshold, and if so, it is determined that the current device is in an abnormal operation state; otherwise, determining that the current equipment is not in an abnormal operation state.
Therefore, by determining and storing the second statistical characteristic value of the equipment running state information of the security front-end equipment in the normal running state, the active defense of the security front-end equipment can be realized under the condition that the black and white list storage is not needed (compared with the black and white list, the data quantity of the second statistical characteristic value is much smaller), and the storage resource of the security front-end equipment is saved; in addition, the security front-end equipment does not need to frequently update the stored second statistical characteristic value according to the update of the virus or the Trojan horse, and the computing resource of the security front-end equipment is saved.
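The front-end side of steps S100 to S130, as an added example that is not code from the patent: a baseline second statistical characteristic value is computed over the normal-state first time period, each unit-time sample is fed into a streaming detector, the absolute difference between the first and second values is compared against the preset threshold, and an abnormal information log of the top-N records is built on an alarm. Assumptions: the first statistical characteristic value is taken over a sliding window of the most recent unit-time samples, the characteristic value is the standard deviation, and the CPU samples and process table are constructed sample data.

```python
import statistics
from collections import deque

# Page: the statistical characteristic value may be a variance or a standard
# deviation. Assumption here: population standard deviation over the samples.
def characteristic_value(samples):
    """Statistical characteristic value of a run of unit-time samples."""
    return statistics.pstdev(list(samples))


def is_abnormal(first_value, second_value, threshold):
    """Step S120: abnormal when |second - first| exceeds the preset threshold."""
    return abs(second_value - first_value) > threshold


class FrontEndDetector:
    """Streaming detector run on the security front-end device."""

    def __init__(self, second_value, threshold, window=10):
        self.second_value = second_value      # issued by the platform or computed locally
        self.threshold = threshold
        # Assumption: the first value is computed over the last `window` unit times.
        self.samples = deque(maxlen=window)

    def feed(self, sample):
        """Steps S100/S110: ingest one unit-time sample, return the verdict for it."""
        self.samples.append(sample)
        if len(self.samples) < 2:
            return None                       # a spread statistic needs >= 2 samples
        first_value = characteristic_value(self.samples)
        return is_abnormal(first_value, self.second_value, self.threshold)


# Step S130: the abnormal information log lists the top-N records of the resource
# whose state information was abnormal (processes for CPU/memory, connections
# for bandwidth). Field names are assumptions.
RANK_KEY = {"cpu": "cpu_pct", "memory": "mem_pct", "bandwidth": "bandwidth_kbps"}


def build_abnormal_log(metric, records, n=5):
    """Return the top-N records ranked by the abnormal metric (page: N is e.g. 5)."""
    key = RANK_KEY[metric]
    top = sorted(records, key=lambda r: r[key], reverse=True)[:n]
    return {"metric": metric, "top": top}


# Constructed sample data for a stand-alone run (not measurements from any device).
BASELINE_CPU = [20, 22, 19, 21, 20, 22, 19, 21, 20, 22]   # normal-state first time period
NORMAL_CPU = [20, 21, 20, 21, 20, 21, 20, 21, 20, 21]     # quiet operation
SPIKE_CPU = [95, 97, 99, 96, 98]                          # sudden increase
PROCESSES = [
    {"name": "rtsp_server", "cmdline": "/usr/bin/rtsp_server", "cpu_pct": 12.0,
     "mem_pct": 4.1, "user": "root", "threads": 6},
    {"name": "suspicious_proc", "cmdline": "/tmp/.hidden/proc", "cpu_pct": 93.5,
     "mem_pct": 2.3, "user": "root", "threads": 8},
    {"name": "logd", "cmdline": "/sbin/logd", "cpu_pct": 1.2,
     "mem_pct": 0.9, "user": "system", "threads": 2},
]


def run_demo(threshold=5.0):
    """Replay baseline, normal and spike samples; return verdicts and the log."""
    second_value = characteristic_value(BASELINE_CPU)
    det = FrontEndDetector(second_value, threshold)
    normal_verdicts = [det.feed(v) for v in NORMAL_CPU]
    spike_verdicts = [det.feed(v) for v in SPIKE_CPU]
    log = build_abnormal_log("cpu", PROCESSES, n=2) if spike_verdicts[-1] else None
    return second_value, normal_verdicts, spike_verdicts, log


if __name__ == "__main__":
    second, normal, spike, log = run_demo()
    print("second statistical characteristic value:", round(second, 3))
    print("normal-period verdicts:", normal)
    print("spike-period verdicts:", spike)
    print("abnormal information log:", log)
```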
Step S130, when the security front-end device is currently in an abnormal operation state, it alarms the device management platform.
In the embodiment of the application, when the security front-end device determines that the current device is in an abnormal operation state, the device management platform can be alarmed.
For example, the security front-end device may report an abnormal information log to the device management platform, where the abnormal information log may record related information of the running state information of the device in which the abnormality occurs.
For example, if the abnormal device running state information is the CPU utilization, the abnormal information log may include one or more of the process names of the top N processes ranked by CPU utilization, the command lines corresponding to the processes, the process CPU utilization, the memory occupancy, the users to which the processes belong, the thread count of the processes, and the like;
if the abnormal device running state information is the memory utilization rate, the abnormal information log may include one or more of the process names of the top N processes ranked by memory utilization rate, the command lines corresponding to the processes, the process CPU utilization rate, the memory occupancy rate, the users to which the processes belong, the thread count of the processes, and the like;
if the abnormal device operation state information is the network bandwidth, the abnormal information log may include one or more of the source IP addresses, source ports, destination IP addresses, destination ports, bandwidth occupation, and the like of the top N network connections ranked by network bandwidth occupancy.
Here N is a positive integer that may be set according to the actual scenario; for example, N is 5.
It can be seen that, in the flow of the method shown in fig. 1, the statistical characteristic value of the device operation state information is determined based on the variable point detection algorithm, and whether the device operation state is abnormal is determined by comparing the real-time statistical characteristic value of the device operation state information of the security front-end device with the statistical characteristic value of the device operation state information in the normal operation state, and configuration, storage and update of a black-and-white list are not required, so that dependence of active defense on the black-and-white list by the security front-end device is avoided, and calculation resources and storage resources required by the security front-end device for active defense are reduced.
As a possible embodiment, in step S130, after the security front-end device gives an alarm to the device management platform, the method may further include:
the security front-end equipment receives a blocking task issued by the equipment management platform;
and the security front-end equipment performs process or/and network blocking based on the blocking task.
For example, when the device management platform receives the alarm information of the security front-end device, it may be determined whether the security front-end device is in an abnormal state, and a specific implementation thereof may be described below, which is not described herein again.
When the device management platform determines that the security front-end device is abnormal, that is, the security front-end device is attacked by malicious programs such as viruses or trojans, the device management platform may issue a blocking task to the security front-end device.
When the security front-end device receives the blocking task issued by the device management platform, process or/and network blocking can be performed based on the blocking task.
In one example, the security front-end device may block the process or network connection (referred to herein as the target process or network connection) that occupies the most of the resource (referred to herein as the target resource) corresponding to the abnormal device operation state information.
For example, if the abnormal running state information is the CPU utilization, the security front-end device may block the process with the highest CPU utilization.
If the abnormal running state information is the memory occupancy rate, the security front-end device can block the process with the highest memory occupancy rate.
If the abnormal operation state information is the network bandwidth, the security front-end device can block the network connection with the highest network bandwidth occupancy rate.
It should be noted that, in the embodiment of the present application, blocking the target process or network connection when a blocking task is received is only one specific implementation of attack blocking and does not limit the protection scope of the present application. Attack blocking may also be implemented in other manners. For example, the malicious attack programs (viruses, trojans and the like) whose occurrence frequencies rank highest may be counted, and a blocking command carrying identification information of the malicious attack program may be issued, so that the security front-end device blocks the process or network connection associated with that identification information.
As a possible embodiment, in step S130, the alarming, by the security front-end device, the device management platform may include:
the security front-end equipment reports an abnormal information log to an equipment management platform;
Correspondingly, after the security front-end device alarms the device management platform, the method may further include:
the equipment management platform determines whether an additional task is issued to the security front-end equipment within a second time period; the second time period is a preset time period which takes the time when the equipment management platform receives the abnormal information log as the end time;
when the equipment management platform issues an additional task to the security front-end equipment in a second time period, generating an alarm log to be verified to determine whether the abnormal information log is false alarm, and generating a false alarm log when the abnormal information log is determined to be false alarm.
Illustratively, the additional tasks may include, but are not limited to, manually issued zooming, steering, rotating, logging, software updating, or device information backing up, etc.
For example, when the device management platform issues an additional task to the security front-end device, the device operating state of the security front-end device may also change suddenly. In this case, the first statistical characteristic value determined by the change point detection algorithm from the first device operating state information acquired in the preset unit time may differ greatly from the second statistical characteristic value, so the security front-end device may detect that the device operating state is abnormal and a false alarm may occur.
In order to improve the accuracy of alarming and reduce the probability of false alarming, when the equipment management platform receives the abnormal information log reported by the security front-end equipment, whether an accessory task is issued to the security front-end equipment or not can be determined in the second time period.
When the equipment management platform issues an additional task to the security front-end equipment in the second time period, the equipment management platform can generate an alarm log to be verified so as to represent whether the abnormal information log reported by the security front-end equipment at this time needs to be verified to be abnormal or not.
For example, when the device management platform generates an alarm log to be verified, a user (e.g., an administrator) may be prompted to manually verify whether the security front-end device is abnormal, if the verification result indicates that no abnormality occurs, the abnormal information log reported this time is determined to be a false alarm, and at this time, the device management platform may generate a false alarm log.
When the device management platform determines that the abnormal information log is not an error report, the blocking task may be issued in the manner described in the above embodiment.
In an example, before the security front-end device obtains the first device running state information in the preset unit time, the method may further include:
the security front-end device receives the change point detection algorithm and the second statistical characteristic value issued by the device management platform;
the above method may further include:
when the device management platform periodically generates alarm logs to be verified and false alarm logs, and the number of alarm logs to be verified and the number of false alarm logs reach a first number, updating the second statistical characteristic value, or updating both the change point detection algorithm and the second statistical characteristic value.
For example, the security detection method on the security front-end device may be configured by the device management platform, and the second statistical characteristic value may be determined by the device management platform and then issued to the device.
For example, an additional task of the security front-end device is usually executed periodically. When the device management platform issues such a task, the security front-end device may report abnormal information logs periodically, and the device management platform may in turn generate alarm logs to be verified and false alarm logs periodically. In order to determine more accurately whether the device is in an abnormal operating state, the second statistical characteristic value, or the change point detection algorithm together with the second statistical characteristic value, then needs to be updated.
Correspondingly, when the device management platform periodically generates alarm logs to be verified and false alarm logs, and the number of each reaches the first number, the device management platform may determine that the abnormal information logs reported by the security front-end device are caused by the periodic execution of the additional task. At this time, the device management platform may update the second statistical characteristic value of the security front-end device, or update both the change point detection algorithm and the second statistical characteristic value used by the security front-end device.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
Referring to fig. 2, a schematic view of an architecture of an active defense system for security devices provided in an embodiment of the present application is shown in fig. 2, where the active defense system for security devices may include a device management platform and a security front-end device (security device for short).
Referring to fig. 3, a schematic flow chart of an active defense method for a security device provided in an embodiment of the present application is shown, and as shown in fig. 3, the active defense method for the security device may include the following steps:
it should be noted that the executing subject in steps S300 and S330 to S340 is an equipment management platform, and the executing subject in steps S310 to S320 is a security front-end equipment (for example, any one of the security equipments 1 to N in fig. 2).
Step S300, initializing a variable point detection model;
for example, a variety of change point detection algorithms may be included in the change point detection model. Initialization of the change point detection model may include selection and initialization of a change point detection algorithm.
Step S310, judging whether the current equipment running state is abnormal according to the variable point detection model, if so, entering the next step, otherwise, continuing to judge whether the equipment is in the running state;
step S320, constructing an abnormal information log and reporting to an equipment management platform;
s330, linking the abnormal information log and the equipment task information, and processing the abnormal log;
and step S340, judging whether the model needs to be updated according to the data of the equipment management platform, if so, re-performing the step S300, otherwise, ending.
Illustratively, step S300 may include:
1-1, setting the security device to the normal working mode, in which no additional task is executed, and collecting device running state information (namely the second device running state information) over a period of time;
Specifically, the device management platform may set the security device to the normal operating state and extract device operating state information (denoted Info_A) within a period of time (which may be referred to as Time_timeout, i.e., the first time period).
It should be noted that the normal operating state means that the device has started and is operating normally and can execute its periodic tasks (such as camera inspection, running log reporting, and the like), but no additional tasks are issued to it;
secondly, Time_timeout is not specifically limited and should be set according to the specific conditions: for example, when the device has a periodic task, it can be set to three task periods, and when there is no periodic task it can be set to 1 hour;
furthermore, the device operating state information may include, but is not limited to, one or more of CPU utilization, memory utilization, network bandwidth, and the like, and change point detection data may be calculated for each type of device operating state information separately.
For example, a sudden increase in CPU utilization indicates that the device may contain a mining virus, a sudden increase in memory occupancy indicates that the device may contain a worm, and a sudden increase in network bandwidth indicates that the device may contain a bot or be under attack by a bot; a sudden drop in the corresponding indicator indicates that the device may not be performing its tasks properly.
1-2, inputting the device running state information into the change point detection algorithm (the one selected and initialized when the change point detection model was initialized), calculating with it the running state statistics of the device in the normal running state (normal working mode), namely the second statistical characteristic value, and storing the calculated second statistical characteristic value together with the change point detection algorithm;
Specifically, the device management platform may input the collected running state information of the security device in the normal running state into the change point detection algorithm for calculation, and store the calculated second statistical characteristic data and the change point detection algorithm used.
It should be noted that the change point detection algorithm may include, but is not limited to, Bayesian change point detection, the Pettitt test, the Buishand U test, or the like.
In one example, the change point detection algorithm is the EXpoSE change point detection algorithm.
In addition, the change point detection algorithm calculates mathematical statistical indicators such as distribution type and distribution parameters for the input sequence data; the main difference between change point detection algorithms lies in which mathematical indicators they calculate.
1-3, initializing the security device to be protected with the information stored in step 1-2.
Illustratively, step S310 may include:
2-1, collecting device running state information of the same type as in 1-1;
Specifically, the security device may obtain its own device running state information (denoted Info_B, that is, the above-mentioned first device running state information).
For example, the security device to be protected may extract device running state information of the same type as Info_A once every preset unit time, where the time interval is the same as in 1-1: for example, if the device running state information in 1-1 was extracted with 1 s as the unit time, then 1 s is also used as the unit time for extracting state information in 2-1.
Illustratively, the unit time is a preset minimum time granularity, that is, the device operating state information is extracted at intervals of the minimum time granularity, so that after extraction no time slot cutting is required and the continuity of the data is ensured.
2-2, judging whether the current device running state is abnormal using the change point detection algorithm and the second statistical characteristic value initialized in step 1-3; if so, entering the next step, otherwise continuing to extract device running state information and continuing to judge whether the device is in an abnormal running state.
For example, the security device to be protected may determine whether the current device operating state is abnormal based on the change point detection algorithm and the second statistical characteristic value initially determined in step S300.
For example, the security device to be protected may determine a statistical characteristic value of Info_B (i.e., the first statistical characteristic value) by applying the above-mentioned change point detection algorithm to the extracted device operating state information (i.e., Info_B), and determine whether the current device operating state is abnormal by comparing the first statistical characteristic value with the second statistical characteristic value.
Illustratively, the determination may be made each time the device operation state information Info_B is extracted. Whether to proceed to the next step is decided according to the change point detection result: if the result is abnormal (namely the current device running state is abnormal), step S320 is entered; otherwise the device continues to extract device running state information and to judge whether it is in an abnormal running state.
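The baseline-versus-window comparison of steps 1-2 and 2-2, as an added Python example that is not part of the patent's own disclosure: a simple mean-shift detector stands in for the Bayesian, Pettitt or Buishand algorithms the text names; the per-metric mean and standard deviation of Info_A serve as the second statistical characteristic value, and the statistics of the current Info_B window as the first. The sample readings, the metric names and the threshold k are constructed for the example.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StatFeature:
    """Statistical characteristic value of one metric (mean and standard deviation)."""
    mean: float
    stdev: float


def compute_feature(samples: List[float]) -> StatFeature:
    """Change point detection stand-in (assumption: mean/stdev instead of
    Pettitt/Bayesian statistics). Applied to Info_A it yields the second
    statistical characteristic value (step 1-2); applied to the current
    Info_B window it yields the first statistical characteristic value (step 2-2)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples per window")
    return StatFeature(statistics.fmean(samples), statistics.pstdev(samples))


def detect_change(first: StatFeature, second: StatFeature, k: float = 3.0) -> Optional[str]:
    """Compare the current window (first) against the normal-mode baseline (second).
    Returns "up" for a sudden rise, "down" for a sudden drop, None when normal.
    The baseline spread is floored at 1% of the baseline mean so that a very flat
    baseline does not turn every tiny wiggle into a change point."""
    sigma = max(second.stdev, 0.01 * abs(second.mean), 1e-9)
    shift = (first.mean - second.mean) / sigma
    if shift > k:
        return "up"
    if shift < -k:
        return "down"
    return None


def fit_baselines(info_a: Dict[str, List[float]]) -> Dict[str, StatFeature]:
    """Step 1-2: one second statistical characteristic value per metric type."""
    return {metric: compute_feature(samples) for metric, samples in info_a.items()}


def check_device(baselines: Dict[str, StatFeature],
                 info_b: Dict[str, List[float]], k: float = 3.0) -> Dict[str, str]:
    """Step 2-2: return only the metrics whose current window is abnormal,
    mapped to the direction of the change."""
    abnormal: Dict[str, str] = {}
    for metric, samples in info_b.items():
        if metric not in baselines:
            continue  # no baseline of this type was initialized, nothing to compare
        direction = detect_change(compute_feature(samples), baselines[metric], k)
        if direction is not None:
            abnormal[metric] = direction
    return abnormal


# Constructed sample data: 1 s samples collected in the normal working mode (Info_A)...
INFO_A = {
    "cpu_percent":    [18, 22, 20, 19, 21, 20, 23, 17, 20, 21],
    "memory_percent": [40, 41, 39, 40, 42, 40, 41, 39, 40, 41],
    "bandwidth_mbps": [1.2, 1.0, 1.1, 1.3, 1.0, 1.2, 1.1, 1.0, 1.2, 1.1],
}
# ...and a later 5 s window extracted by the device to be protected (Info_B).
INFO_B = {
    "cpu_percent":    [84, 88, 86, 90, 85],       # sudden rise
    "memory_percent": [40, 42, 41, 39, 40],       # unchanged
    "bandwidth_mbps": [0.0, 0.0, 0.1, 0.0, 0.0],  # sudden drop: the device stopped streaming
}

if __name__ == "__main__":
    print(check_device(fit_baselines(INFO_A), INFO_B))
```

With the constructed data the CPU window is flagged as a rise and the bandwidth window as a drop, while memory stays within the baseline; both directions matter, because the description treats a sudden drop as a sign that the device is no longer performing its task.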
Illustratively, step S320 may include:
3-1, constructing an abnormal information log by the security equipment based on the collected equipment running state information;
specifically, when the security device determines that the device operating state of the device is abnormal, an abnormal information log may be constructed based on the device operating state information extracted in step S310.
Illustratively, the contents of the abnormal information log may include:
if the abnormal device running state information is CPU utilization, the abnormal information log may include one or more of: the process names of the top N processes ranked by CPU utilization, the command lines corresponding to those processes, the CPU utilization of each process, its memory occupancy, the user to which it belongs, its number of threads, and the like;
if the abnormal device running state information is memory utilization, the abnormal information log may include one or more of: the process names of the top N processes ranked by memory utilization, the command lines corresponding to those processes, the CPU utilization of each process, its memory occupancy, the user to which it belongs, its number of threads, and the like;
if the abnormal device operation state information is network bandwidth, the abnormal information log may include one or more of: the source IP addresses, source ports, destination IP addresses, destination ports, bandwidth occupation, and the like of the top N network connections ranked by bandwidth occupancy.
Exemplarily, N = 5.
3-2, the security device sends the constructed abnormal information log to the device management platform, which manages the logs centrally.
Specifically, the security device may send the constructed abnormal information log to the management platform. The transmission method is not limited.
For example, in this embodiment, syslog is used: the constructed abnormal information log is serialized into a JSON (JavaScript Object Notation) string, and the JSON string is then sent to the management platform over syslog.
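Steps 3-1 and 3-2 as an added Python example, not code from the patent: it ranks a constructed process table (or connection table) by the abnormal resource, keeps the top N = 5 entries with the fields the description lists, serializes the log as JSON and wraps it in an RFC 5424 syslog line, with a matching parser for the platform side. The device id, hostname, field names and the PRI value (facility local0, severity warning) are assumptions.

```python
import json
from typing import Dict, List

TOP_N = 5  # N = 5, as in the description

# Constructed process table, as a /proc walk on the device might return it.
PROCESSES = [
    {"pid": 1234, "name": "streamd", "cmdline": "/usr/bin/streamd -c /etc/streamd.conf",
     "cpu_percent": 61.0, "mem_percent": 12.5, "user": "root", "threads": 8},
    {"pid": 2201, "name": "run", "cmdline": "/tmp/.x/run",
     "cpu_percent": 25.0, "mem_percent": 3.1, "user": "root", "threads": 16},
    {"pid": 411, "name": "sshd", "cmdline": "/usr/sbin/sshd -D",
     "cpu_percent": 0.5, "mem_percent": 0.8, "user": "root", "threads": 1},
    {"pid": 902, "name": "logd", "cmdline": "/usr/bin/logd",
     "cpu_percent": 1.2, "mem_percent": 1.0, "user": "log", "threads": 2},
    {"pid": 77, "name": "watchdog", "cmdline": "/sbin/watchdog",
     "cpu_percent": 0.1, "mem_percent": 0.2, "user": "root", "threads": 1},
    {"pid": 1500, "name": "httpd", "cmdline": "/usr/sbin/httpd",
     "cpu_percent": 3.0, "mem_percent": 4.0, "user": "www", "threads": 4},
]
# Constructed connection table (bandwidth in Mbit/s, documentation-range addresses).
CONNECTIONS = [
    {"src_ip": "192.0.2.10", "src_port": 554, "dst_ip": "198.51.100.7", "dst_port": 40001, "bandwidth_mbps": 2.1},
    {"src_ip": "192.0.2.10", "src_port": 52310, "dst_ip": "203.0.113.99", "dst_port": 443, "bandwidth_mbps": 9.7},
    {"src_ip": "192.0.2.10", "src_port": 22, "dst_ip": "198.51.100.2", "dst_port": 61002, "bandwidth_mbps": 0.01},
]

# Which table and ranking key each abnormal metric maps to (assumed metric names).
_METRIC_SOURCE = {
    "cpu_percent": ("processes", "cpu_percent"),
    "memory_percent": ("processes", "mem_percent"),
    "bandwidth_mbps": ("connections", "bandwidth_mbps"),
}


def build_abnormal_log(device_id: str, metric: str, observed_at: str,
                       processes: List[Dict], connections: List[Dict],
                       n: int = TOP_N) -> Dict:
    """Step 3-1: build the abnormal information log for one abnormal metric.
    The top-N entries are what the platform later uses to pick the target
    process or connection of a blocking task."""
    if metric not in _METRIC_SOURCE:
        raise ValueError(f"unsupported metric: {metric}")
    table_name, key = _METRIC_SOURCE[metric]
    table = processes if table_name == "processes" else connections
    top = sorted(table, key=lambda row: row[key], reverse=True)[:n]
    return {"device_id": device_id, "metric": metric, "time": observed_at, "top": top}


def to_syslog_line(log: Dict, hostname: str, app_name: str = "active-defense") -> str:
    """Step 3-2: one RFC 5424 syslog line whose MSG part is the JSON log.
    PRI 132 = facility local0 (16) * 8 + severity warning (4); an assumption."""
    msg = json.dumps(log, separators=(",", ":"), sort_keys=True)
    return f"<132>1 {log['time']} {hostname} {app_name} - - - {msg}"


def parse_syslog_line(line: str) -> Dict:
    """Platform side: recover the JSON log (seven header fields, then MSG)."""
    parts = line.split(" ", 7)
    if len(parts) != 8 or not parts[0].startswith("<"):
        raise ValueError("not an RFC 5424 line")
    return json.loads(parts[7])


if __name__ == "__main__":
    print(to_syslog_line(build_abnormal_log("cam-01", "cpu_percent", "2024-01-01T00:00:00Z",
                                            PROCESSES, CONNECTIONS), "cam-01"))
```

The log carries the command line and owning user of each top process, so the administrator verifying an alarm log in step 4-2 can tell a legitimate streaming daemon from an unexpected binary without querying the device again.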
Illustratively, step S330 may include:
4-1, checking whether a new task was issued to the device; if so, constructing a log to be verified (also called an alarm log to be verified) and entering 4-2, otherwise entering 4-3;
Specifically, when the device management platform receives an abnormal information log reported by the security device, it determines whether the device management platform issued an additional task (a task outside the normal working mode, generally a manually triggered task) to the security device within a time period of length M whose end time is the time at which the abnormal information log was received.
Illustratively, M is 1 minute.
When the device management platform issues an additional task to the security device, the device running state information of the security device may suddenly increase or decrease (for instance if a certain task is closed), so that the security device determines that the device running state is abnormal based on the change point detection algorithm and reports an abnormal information log, which is a false alarm. Therefore, when the device management platform determines that an additional task was issued to the security device within the M time period, it constructs a log to be verified and proceeds to step 4-2; otherwise it proceeds to step 4-3.
4-2: the administrator manually verifies the log to be verified; if it is a false alarm, a false alarm log is constructed, and if it is not a false alarm, step 4-3 is entered;
Specifically, the administrator manually verifies the log to be verified, judges whether it is a false alarm, and constructs a false alarm log if it is.
For example, the log to be verified is usually generated when the device management platform has just issued a new additional task to the security device; at this time the management platform is usually being operated manually, so whether the constructed log to be verified is a false alarm can be determined by manual verification.
For example, the additional tasks issued by the device management platform to the security device generally need to be executed periodically, and therefore logs to be verified are generally also generated periodically.
4-3: issuing a blocking task to the security device that reported the abnormal information log, and constructing a blocking log.
Specifically, when the device management platform determines that the abnormal information log reported by the security device is not a false alarm, the device management platform may issue a blocking task to the security device, which then blocks the first process or network connection (i.e., the target process or network connection) that occupies the most of the resource corresponding to the abnormal device running state information.
Illustratively, step S340 may include:
when the logs to be verified and the false alarm logs appear periodically, and the number of logs to be verified and the number of false alarm logs reach a preset number threshold, determining that the change point detection model needs to be updated.
For example, when the two types of logs appear periodically, this indicates that the operating state pattern of the security device has changed; the likely cause is that the device now executes a task periodically, so that its operating state information also changes periodically.
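The platform side of steps 4-1 to 4-3 and of step S340, as an added Python example rather than the patent's own code: it records the additional tasks issued per device, looks M = 1 minute back from the moment an abnormal information log arrives, routes the log either to manual verification (modelled as a callback) or to a blocking task whose target is the top entry of the log, and decides that a model update is needed once the false alarm logs of a device recur at a regular spacing and both log counts reach the first number. The first number (3), the period tolerance, the device id and the sample log are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

M_WINDOW = timedelta(minutes=1)          # step 4-1: M = 1 minute
FIRST_NUMBER = 3                         # "first number" of step S340 (assumed value)
PERIOD_TOLERANCE = timedelta(minutes=5)  # assumed: jitter still counted as periodic


@dataclass
class AdditionalTask:
    device_id: str
    kind: str            # e.g. "zoom", "software_update" (task types named in the description)
    issued_at: datetime


@dataclass
class DeviceManagementPlatform:
    window: timedelta = M_WINDOW
    first_number: int = FIRST_NUMBER
    tasks: List[AdditionalTask] = field(default_factory=list)
    to_verify: Dict[str, List[Dict]] = field(default_factory=dict)     # alarm logs to be verified
    false_alarms: Dict[str, List[Dict]] = field(default_factory=dict)  # false alarm logs
    blocking_tasks: List[Dict] = field(default_factory=list)           # blocking logs

    def issue_additional_task(self, device_id: str, kind: str, at: datetime) -> None:
        self.tasks.append(AdditionalTask(device_id, kind, at))

    def _task_issued_within(self, device_id: str, end: datetime) -> bool:
        """Second time period: [end - M, end], where end is the log's arrival time."""
        start = end - self.window
        return any(t.device_id == device_id and start <= t.issued_at <= end
                   for t in self.tasks)

    def handle_abnormal_log(self, log: Dict, received_at: datetime,
                            verify: Callable[[Dict], bool]) -> str:
        """Step S330. `verify(log)` stands in for the administrator's manual
        check and returns True when the log is a false alarm."""
        dev = log["device_id"]
        entry = {"log": log, "received_at": received_at}
        if self._task_issued_within(dev, received_at):             # step 4-1
            self.to_verify.setdefault(dev, []).append(entry)
            if verify(log):                                         # step 4-2
                self.false_alarms.setdefault(dev, []).append(entry)
                return "false_alarm"
        # step 4-3: the target is the highest occupant of the abnormal resource
        target = log["top"][0]
        self.blocking_tasks.append({"device_id": dev, "metric": log["metric"],
                                    "target": target, "issued_at": received_at})
        return "blocking"

    def model_update_needed(self, device_id: str) -> bool:
        """Step S340: both log kinds reached the first number and the false
        alarms recur at (nearly) constant spacing, i.e. a periodic task is the cause."""
        fa = self.false_alarms.get(device_id, [])
        tv = self.to_verify.get(device_id, [])
        if len(fa) < self.first_number or len(tv) < self.first_number:
            return False
        times = sorted(e["received_at"] for e in fa)
        gaps = [b - a for a, b in zip(times, times[1:])]
        return max(gaps) - min(gaps) <= PERIOD_TOLERANCE


# Constructed abnormal information log, as the device reports it in step 3-1.
SAMPLE_LOG = {"device_id": "cam-01", "metric": "cpu_percent",
              "top": [{"pid": 1234, "name": "streamd", "cpu_percent": 61.0}]}


def run_scenario() -> Dict:
    """Three hourly software updates each trigger a false alarm; a task issued two
    minutes before a log falls outside M; a log with no task at all is blocked."""
    platform = DeviceManagementPlatform()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results = []
    for i in range(3):
        platform.issue_additional_task("cam-01", "software_update", t0 + timedelta(hours=i))
        results.append(platform.handle_abnormal_log(
            SAMPLE_LOG, t0 + timedelta(hours=i, seconds=30), verify=lambda log: True))
    update = platform.model_update_needed("cam-01")
    platform.issue_additional_task("cam-01", "zoom", t0 + timedelta(hours=5))
    results.append(platform.handle_abnormal_log(
        SAMPLE_LOG, t0 + timedelta(hours=5, minutes=2), verify=lambda log: True))
    results.append(platform.handle_abnormal_log(
        SAMPLE_LOG, t0 + timedelta(hours=10), verify=lambda log: True))
    return {"results": results, "update_needed": update,
            "to_verify_count": len(platform.to_verify["cam-01"]),
            "blocked_pid": platform.blocking_tasks[-1]["target"]["pid"]}


if __name__ == "__main__":
    print(run_scenario())
```

Outside the M window the verifier is never consulted, which is the point of step 4-1: manual verification is only requested for alarms that coincide with an operator action, and every other alarm goes straight to blocking.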
The methods provided herein are described above. The following describes the apparatus provided in the present application:
referring to fig. 4, a schematic structural diagram of an active defense apparatus for security equipment provided in an embodiment of the present application is shown, where the active defense apparatus for security equipment may be applied to security front-end equipment in the foregoing method embodiment, and as shown in fig. 4, the active defense apparatus may include:
the device comprises an acquisition unit, a processing unit and a control unit, wherein the acquisition unit is used for acquiring the running state information of first equipment in preset unit time;
a first determining unit, configured to determine, based on the first device operating state information, a first statistical feature value of the first device operating state information by using a determined change point detection algorithm;
the second determining unit is used for determining whether the current equipment running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second equipment running state information determined by the variable point detection algorithm based on second equipment running state information in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and the defense unit is used for giving an alarm to the equipment management platform when the equipment is in an abnormal operation state.
In one embodiment, after the defense unit alarms the device management platform, the defense unit is further configured to:
receive a blocking task issued by the device management platform;
and perform process or/and network blocking based on the blocking task.
Correspondingly, the application also provides a hardware structure of the device shown in fig. 4. Referring to fig. 5, the hardware structure may include: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored, and when the computer instructions are executed by a processor, the method disclosed in the above example of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (random Access Memory), a volatile Memory, a non-volatile Memory, a flash Memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a dvd, etc.), or similar storage medium, or a combination thereof.
Referring to fig. 6, a schematic structural diagram of an active defense system of a security device provided in an embodiment of the present application is shown in fig. 6, where the active defense system of the security device may include: security front-end equipment and an equipment management platform; wherein:
the security front-end equipment is used for acquiring the running state information of the first equipment in a preset unit time;
the security front-end equipment is further used for determining a first statistical characteristic value of the running state information of the first equipment by using a determined variable point detection algorithm based on the running state information of the first equipment;
the security front-end equipment is further used for determining whether the current running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is the statistical characteristic value of the running state information of the second equipment determined by the variable point detection algorithm based on the running state information of the second equipment in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
the security front-end equipment is further used for giving an alarm to the equipment management platform when the current equipment is in an abnormal operation state.
In an embodiment, the security front-end device is specifically configured to report an abnormal information log to the device management platform;
the equipment management platform is further used for determining whether an additional task is issued to the security front-end equipment within a second time period; the second time period is a preset time period which takes the time when the equipment management platform receives the abnormal information log as the end time; and when an additional task is issued to the security front-end equipment in a second time period, generating an alarm log to be verified to determine whether the abnormal information log is false alarm, and generating a false alarm log when the abnormal information log is determined to be false alarm.
In one embodiment, the security front-end device is further configured to receive the change point detection algorithm and the second statistical characteristic value sent by the device management platform;
the device management platform is further configured to update the second statistical characteristic value, or update the change point detection algorithm and the second statistical characteristic value, when the to-be-verified alarm logs and the false alarm logs are periodically generated and the number of to-be-verified alarm logs and the number of false alarm logs reach a first number.
In one embodiment, after the security front-end device gives an alarm to the device management platform, the method further includes:
the security front-end device receives a blocking task issued by the device management platform;
and the security front-end device performs process or/and network blocking based on the blocking task.
In one embodiment, the performing, by the security front-end device, of process or/and network blocking based on the blocking task includes:
the security front-end device blocks a target process or network connection based on the blocking task; the target process or network connection is the process or network connection that occupies the most of the target resource, and the target resource is the resource corresponding to the abnormal device running state information.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. An active defense method for security equipment is characterized by being applied to an active defense system for the security equipment, wherein the active defense system for the security equipment comprises security front-end equipment and an equipment management platform, and the method comprises the following steps:
the method comprises the steps that security and protection front-end equipment obtains first equipment running state information in preset unit time;
the security front-end equipment determines a first statistical characteristic value of the running state information of the first equipment by using a determined variable point detection algorithm based on the running state information of the first equipment;
the security front-end equipment determines whether the current running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second equipment running state information determined by the variable point detection algorithm based on second equipment running state information in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and when the security front-end equipment is in an abnormal operation state at present, the security front-end equipment gives an alarm to the equipment management platform.
2. The method of claim 1, wherein the security front-end device alerts the device management platform, comprising:
the security front-end equipment reports an abnormal information log to the equipment management platform;
after the security front-end device alarms the device management platform, the method further comprises:
the equipment management platform determines whether an additional task is issued to the security front-end equipment within a second time period; the second time period is a preset time period which takes the time when the equipment management platform receives the abnormal information log as the end time;
when the equipment management platform issues an additional task to the security front-end equipment in a second time period, generating an alarm log to be verified to determine whether the abnormal information log is false alarm, and generating a false alarm log when the abnormal information log is determined to be false alarm.
3. The method according to claim 2, wherein before the security front-end device obtains the running state information of the first device in the preset unit time, the method further comprises:
the security front-end equipment receives the variable point detection algorithm and a second statistical characteristic value sent by the equipment management platform;
the method further comprises the following steps:
and when the equipment management platform periodically generates to-be-verified alarm logs and false alarm logs and the number of the verified alarm logs and the number of the false alarm logs reaches a first number, updating the second statistical characteristic value, or updating the variable point detection algorithm and the second statistical characteristic value.
4. The method according to any one of claims 1 to 3, wherein after the security front-end device alarms the device management platform, the method further comprises:
the security protection front-end management equipment receives a blocking task issued by the equipment management platform;
and the security front-end management equipment performs process or/and network blocking based on the blocking task.
5. The method of claim 4, wherein the security front-end management device performs process or network blocking based on the blocking task, and the process or network blocking comprises:
the security front-end management equipment blocks a target process or network connection based on the blocking task; the target process or the network connection is the process or the network connection which occupies the highest target resource, and the target resource is the resource corresponding to the abnormal equipment running state information.
6. The active defense device for the security equipment is characterized by being applied to security front-end equipment, and comprises:
the device comprises an acquisition unit, a processing unit and a control unit, wherein the acquisition unit is used for acquiring the running state information of first equipment in preset unit time;
a first determining unit, configured to determine, based on the first device operating state information, a first statistical feature value of the first device operating state information by using a determined change point detection algorithm;
the second determining unit is used for determining whether the current equipment running state is abnormal or not based on the first statistical characteristic value and the determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second equipment running state information determined by the variable point detection algorithm based on second equipment running state information in a first time period when the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
and the defense unit is used for giving an alarm to the equipment management platform when the equipment is in an abnormal operation state.
7. The apparatus of claim 6, wherein after the defense unit alerts the device management platform, the apparatus further comprises:
receiving a blocking task issued by the equipment management platform;
and performing process or/and network blocking based on the blocking task.
8. An active defense system for security equipment, comprising: security front-end equipment and an equipment management platform; wherein:
the security front-end equipment is configured to acquire first device running state information within a preset unit time;
the security front-end equipment is further configured to determine a first statistical characteristic value of the first device running state information by using a determined change point detection algorithm based on the first device running state information;
the security front-end equipment is further configured to determine whether the current running state is abnormal based on the first statistical characteristic value and a determined second statistical characteristic value; the second statistical characteristic value is a statistical characteristic value of second device running state information, determined by the change point detection algorithm from second device running state information collected in a first time period during which the security front-end equipment is in a normal running state, wherein the first time period comprises a plurality of preset unit times;
the security front-end equipment is further configured to give an alarm to the device management platform when the current device running state is abnormal.
9. The system of claim 8,
the security front-end device is specifically configured to report an abnormal information log to the device management platform;
the equipment management platform is further used for determining whether an additional task is issued to the security front-end equipment within a second time period; the second time period is a preset time period which takes the time when the equipment management platform receives the abnormal information log as the end time; and when an additional task is issued to the security front-end equipment in a second time period, generating an alarm log to be verified to determine whether the abnormal information log is false alarm, and generating a false alarm log when the abnormal information log is determined to be false alarm.
10. The system of claim 9,
the security front-end device is also used for receiving the variable point detection algorithm and the second statistical characteristic value sent by the device management platform;
the device management platform is further configured to update the second statistical characteristic value, or to update both the change point detection algorithm and the second statistical characteristic value, when to-be-verified alarm logs and false-positive logs are generated periodically and the number of to-be-verified alarm logs and false-positive logs reaches a first number.
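Claims 6 to 10 describe one loop: the front-end device scores each preset unit time against a baseline learned during normal operation, raises an alarm, and the management platform checks its own task ledger for the window before the alarm so that load it caused itself is logged as a false positive rather than blocked; once enough such logs accumulate, the baseline is refreshed and pushed back to the device. The block below is an added example of that loop and is not code from the patent or from the applicant. Everything concrete in it is an assumption the claims do not make: the running-state metric is new outbound connections per minute, the change point algorithm is a one-sided CUSUM with a threshold of five baseline standard deviations, the lookback is ten minutes, and a platform task is taken to explain an alarm when it declared that same metric as its expected side effect. All sample data are constructed.

```python
"""Claimed detection-and-triage loop (added example; not the patent's own code).

Assumed, not from the patent: metric = new outbound connections per minute,
change point algorithm = one-sided CUSUM, and a platform task "explains" an
alarm when it declared that same metric as its side effect.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

LOOKBACK = 10      # platform's "second time period": minutes before the alarm
RETRAIN_AFTER = 2  # "first number" of to-verify plus false-positive logs
METRIC = "outbound_conn"


@dataclass(frozen=True)
class Baseline:
    """Second statistical characteristic value, fit over the first time period."""
    mu: float
    sigma: float


def learn_baseline(normal_samples):
    """Fit on per-minute samples gathered while the device was known healthy."""
    return Baseline(mean(normal_samples), max(pstdev(normal_samples), 1e-9))


def cusum_score(unit_samples, base):
    """First statistical characteristic value: one-sided CUSUM over one unit time.

    S_t = max(0, S_{t-1} + (x_t - mu - k)), allowed drift k = sigma / 2.
    """
    k = base.sigma / 2
    s = 0.0
    for x in unit_samples:
        s = max(0.0, s + (x - base.mu - k))
    return s


def is_abnormal(score, base, h=5.0):
    """Decision rule: score exceeds h baseline standard deviations."""
    return score > h * base.sigma


def check_unit(device_id, minute, unit_samples, base):
    """Device side: return an abnormal-information log, or None when normal."""
    score = cusum_score(unit_samples, base)
    if not is_abnormal(score, base):
        return None
    return {"device": device_id, "minute": minute, "metric": METRIC,
            "score": score, "samples": list(unit_samples)}


@dataclass
class Platform:
    normal_samples: list
    tasks: list = field(default_factory=list)   # (minute, device_id, metric)
    to_verify: list = field(default_factory=list)
    false_positives: list = field(default_factory=list)
    retrains: int = 0

    def __post_init__(self):
        self.baseline = learn_baseline(self.normal_samples)

    def issue_task(self, minute, device_id, metric):
        self.tasks.append((minute, device_id, metric))

    def handle_alarm(self, alarm):
        """Claims 9 and 10: was a task issued to this device in the window?"""
        lo, hi = alarm["minute"] - LOOKBACK, alarm["minute"]
        recent = [t for t in self.tasks
                  if t[1] == alarm["device"] and lo <= t[0] <= hi]
        if not recent:
            return "alarm"                      # nothing explains it: genuine
        if any(t[2] == alarm["metric"] for t in recent):
            self.false_positives.append(alarm)  # task declared this metric
            verdict = "false_positive"
        else:
            self.to_verify.append(alarm)        # task issued, needs review
            verdict = "to_verify"
        if len(self.to_verify) + len(self.false_positives) >= RETRAIN_AFTER:
            self._refresh_baseline()
        return verdict

    def _refresh_baseline(self):
        """Fold false-positive unit times into normal data and refit (claim 10)."""
        for fp in self.false_positives:
            self.normal_samples.extend(fp["samples"])
        self.baseline = learn_baseline(self.normal_samples)
        self.to_verify.clear()
        self.false_positives.clear()
        self.retrains += 1


def simulate():
    """Constructed scenario: quiet unit, task-induced burst, unexplained burst."""
    normal = [4, 5, 6, 5, 4, 5, 6, 5, 4, 5] * 3      # 30 healthy minutes
    platform = Platform(list(normal))
    base = platform.baseline                         # pushed to the device
    out = [check_unit("cam-01", 40, [5, 4, 6, 5, 5], base) is None]
    platform.issue_task(50, "cam-01", METRIC)        # e.g. a log export task
    out.append(platform.handle_alarm(check_unit("cam-01", 55, [5, 20, 25, 22, 6], base)))
    out.append(platform.handle_alarm(check_unit("cam-01", 90, [5, 40, 60, 55, 50], base)))
    return out
```

`simulate()` returns `[True, 'false_positive', 'alarm']`: the quiet unit time scores 0.25 against a 3.5 threshold, the burst five minutes after a platform task is logged as a false positive, and the later burst with no task in the lookback window stays a genuine alarm. The design point worth noting is that the platform, not the device, holds the task ledger; the device cannot be talked out of an alarm by anything it observes locally, which is what keeps the blocking task of claim 7 from being suppressed by the very activity it should stop.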
CN202011012735.8A 2020-09-24 2020-09-24 Active defense method, device and system for security equipment Pending CN111935180A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011012735.8A CN111935180A (en) 2020-09-24 2020-09-24 Active defense method, device and system for security equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011012735.8A CN111935180A (en) 2020-09-24 2020-09-24 Active defense method, device and system for security equipment

Publications (1)

Publication Number Publication Date
CN111935180A true CN111935180A (en) 2020-11-13

Family

ID=73335136

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011012735.8A Pending CN111935180A (en) 2020-09-24 2020-09-24 Active defense method, device and system for security equipment

Country Status (1)

Country Link
CN (1) CN111935180A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448693A (en) * 2022-01-24 2022-05-06 来也科技(北京)有限公司 Safety control method, device, electronic equipment and medium combining RPA and AI

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104075749A (en) * 2014-06-30 2014-10-01 通号通信信息集团有限公司 Abnormal state detecting method and system for equipment in internet of things
CN107040742A (en) * 2017-03-10 2017-08-11 浙江宇视科技有限公司 A kind of method for detecting abnormality and network hard disk video recorder NVR
CN109257564A (en) * 2018-09-25 2019-01-22 武汉华天世纪科技发展有限公司 A kind of electric equipment operation condition monitoring system
US10375169B1 (en) * 2017-05-24 2019-08-06 United States Of America As Represented By The Secretary Of The Navy System and method for automatically triggering the live migration of cloud services and automatically performing the triggered migration
CN111738467A (en) * 2020-08-25 2020-10-02 杭州海康威视数字技术股份有限公司 Running state abnormity detection method, device and equipment


Similar Documents

Publication Publication Date Title
US9736173B2 (en) Differential dependency tracking for attack forensics
US10296739B2 (en) Event correlation based on confidence factor
US11770387B1 (en) Graph-based detection of lateral movement in computer networks
US10476752B2 (en) Blue print graphs for fusing of heterogeneous alerts
CN110602135B (en) Network attack processing method and device and electronic equipment
CA2996966A1 (en) Process launch, monitoring and execution control
US11647029B2 (en) Probing and responding to computer network security breaches
US20180004958A1 (en) Computer attack model management
US20230087309A1 (en) Cyberattack identification in a network environment
CN113987492A (en) Method and device for determining alarm event
CN112671767A (en) Security event early warning method and device based on alarm data analysis
RU2630415C2 (en) Method for detecting anomalous work of network server (options)
US20210288982A1 (en) Activity detection based on time difference metrics
CN111935180A (en) Active defense method, device and system for security equipment
KR102311997B1 (en) Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis
Du et al. ATOM: Automated tracking, orchestration and monitoring of resource usage in infrastructure as a service systems
WO2017176676A1 (en) Graph-based fusing of heterogeneous alerts
CN115146263A (en) User account collapse detection method and device, electronic equipment and storage medium
KR102348357B1 (en) Apparatus and methods for endpoint detection and reponse using dynamic analysis plans
US11392435B2 (en) Evaluation of a performance parameter of a monitoring service
CN113709153A (en) Log merging method and device and electronic equipment
EP4091084A1 (en) Endpoint security using an action prediction model
CN112511568A (en) Correlation analysis method, device and storage medium for network security event
KR102348359B1 (en) Apparatus and methods for endpoint detection and reponse based on action of interest
GB2575098A (en) Method for threat control in a computer network security system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Wang Bin; Wang Chonghua; Zhang Feng; Wang Xing; Chen Jiadong; Chen Da; Chen Yikai; Xu Wenyuan; Ji Xiaoyu; Li Jun
Inventor before: Wang Bin; Wang Chonghua; Zhang Feng; Wang Xing; Chen Jiadong; Chen Da; Chen Yikai; Xu Wenyuan; Ji Xiaoyu; Li Jun
RJ01 Rejection of invention patent application after publication
Application publication date: 20201113