CN112153062B - Multi-dimension-based suspicious terminal equipment detection method and system - Google Patents


Publication number
CN112153062B
Authority
CN
China
Prior art keywords
data
equipment
associated data
terminal equipment
suspicious
Legal status
Active
Application number
CN202011034350.1A
Other languages
Chinese (zh)
Other versions
CN112153062A (en)
Inventor
余伟
吴小景
杨军
张峥嵘
邓智
马圣
张雷
禹荣虎
Current Assignee
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Virology (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a multi-dimensional suspicious terminal equipment detection method and system. The method comprises: acquiring a security event log from traffic data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the device IP address information and source port information to obtain associated data; and judging the associated data through a preset process white list rule, and, if the associated data is judged to be a suspicious process, matching the associated data against the virus logs in the virus data according to the device IP address information and the source port information, and, if the match succeeds, judging that the terminal equipment to be detected is high-risk equipment. By combining big data technology with several kinds of security data in the analysis, the embodiment reduces the likelihood of misjudged security events, improves the efficiency of security event handling, speeds up the investigation of suspicious terminals and thereby reduces network risk.

Description

Multi-dimension-based suspicious terminal equipment detection method and system
Technical Field
The invention relates to the technical field of big data security, in particular to a multi-dimensional suspicious terminal equipment detection method and system.
Background
With the arrival of the big data era, data volumes in every industry are growing at the TB level, and enterprises that hold high-value data sources occupy a core position in the big data industry chain. Once data has been concentrated at scale, ensuring that the integrity, availability and confidentiality of network data are not compromised by security threats such as information leakage and illegal tampering becomes a core problem for the healthy development of informatization.
As technology develops, the network environment is becoming more and more complex, and many kinds of security devices are widely deployed. However, because the detection rules that vendors set for their own security devices are not very reasonable, the devices generate a large volume of security events, a large number of which are misjudged. This seriously affects users' judgment of the security of the terminal devices they manage: terminal devices that may be at risk go undiscovered, and the security risk of the whole network increases.
Therefore, a method and a system for detecting suspicious terminal devices based on multiple dimensions are needed to solve the above problems.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a multi-dimensional suspicious terminal device detection method and system.
In a first aspect, an embodiment of the present invention provides a method for detecting a suspicious terminal device based on multiple dimensions, including:
acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data;
and judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in the virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
Further, the determining the associated data by a preset process white list rule includes:
acquiring a process name of the terminal equipment corresponding to the associated data according to the IP address information of the equipment and the source port information;
matching the terminal device process names according to historical terminal device process names in the preset process white list rule, wherein the historical terminal device process names comprise conventional process names and suspicious process names;
if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
Further, the preset process white list rule further includes a historical process MD5 value, so as to match the terminal device process name and the MD5 value corresponding to the associated data according to the historical terminal device process name and the historical process MD5 value, and obtain a matching result.
Further, the matching the associated data with the virus log in the virus data according to the device IP address information and the source port information, and if the matching is successful, determining that the terminal device to be detected is a high-risk device, including:
and matching the process name, the equipment IP address information and the MD5 value of the terminal equipment of the associated data in the virus data, and judging that the terminal equipment to be detected corresponding to the associated data is high-risk equipment if a corresponding virus log in the virus data is matched.
Further, the matching the process name, the device IP address information, and the MD5 value of the terminal device of the associated data in the virus data further includes:
if the association data and the virus data are not successfully matched, marking the association data for equipment abnormity judgment, and if the terminal equipment to be detected is abnormal, generating corresponding equipment abnormity information and updating a process white list and a corresponding virus library.
Further, the method further comprises:
and acquiring a risk value of the terminal equipment according to source IP address information and source port information of the historical threat flow data, and detecting the terminal equipment according to the sequence of the risk value from high to low.
In a second aspect, an embodiment of the present invention provides a multi-dimensional suspicious terminal device detection system, which is characterized in that the system includes:
the correlation module is used for acquiring a security event log through the flow data, and correlating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the equipment IP address information and the source port information to obtain correlation data;
and the judging module is used for judging the associated data through a preset process white list rule; if the associated data is judged to be a suspicious process, matching the associated data with the virus logs in the virus data according to the equipment IP address information and the source port information; and, if the associated data is successfully matched with a virus log in the virus data, judging that the terminal equipment to be detected is high-risk equipment.
Further, the judging module comprises:
the first processing unit is used for acquiring a process name of the terminal equipment corresponding to the associated data according to the equipment IP address information and the source port information;
the second processing unit is used for matching the terminal equipment process name according to the historical terminal equipment process name in the preset process white list rule, wherein the historical terminal equipment process name comprises a conventional process name and a suspicious process name; if the matching result of the process name of the terminal equipment is the name of the suspicious process, judging that the associated data is the suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method as provided in the first aspect are implemented.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the multi-dimensional suspicious terminal equipment detection method and system provided by the embodiment of the invention, through a big data technology and by combining with multiple security data for analysis, the possibility of misjudgment of a security event is reduced, the efficiency of security event processing is improved, the investigation of a suspicious terminal is accelerated, and the risk of a network is further reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a multi-dimensional suspicious terminal device detection method according to an embodiment of the present invention;
Fig. 2 is an overall flowchart of suspicious terminal device detection according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a multi-dimensional suspicious terminal device detection system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for detecting a suspicious terminal device based on multiple dimensions according to an embodiment of the present invention, and as shown in fig. 1, an embodiment of the present invention provides a method for detecting a suspicious terminal device based on multiple dimensions, including:
Step 101: obtaining a security event log from traffic data, and associating terminal process data of a terminal device to be detected with the corresponding security event log according to device IP address information and source port information to obtain associated data.
In the embodiment of the invention, because most of the risk in a network currently comes from terminal equipment, the terminal equipment is examined to judge whether it is high-risk equipment that initiates network attacks. To do so, the relationship between the data sources must be established. When a terminal device (i.e., the terminal device to be detected) attacks other devices it generates traffic, and the attack also produces a corresponding process. Based on these characteristics, the embodiment captures the traffic data with a network probe and generates the corresponding security event log. At the same time, the terminal process data of the terminal equipment to be detected is obtained, and the security event log entries and terminal process data that share the same device IP address information and source port information are associated, yielding the associated data of the two kinds of information. It should be noted that association here can be understood as a matching process between the security event log and the terminal process data. Since the terminal device corresponding to a security event in the security event log is only a potential high-risk device, the terminal device to be detected is first associated with the security event log according to the device IP address information and source port information of the terminal process data, so that further detection can be performed subsequently.
Step 102: judging the associated data through a preset process white list rule; if the associated data is judged to be a suspicious process, matching the associated data with a virus log in the virus data according to the device IP address information and the source port information; and, if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
According to the multi-dimensional suspicious terminal equipment detection method provided by the embodiment of the invention, through a big data technology and by combining with various security data for analysis, the possibility of misjudgment of a security event is reduced, the efficiency of security event processing is improved, the investigation of a suspicious terminal is accelerated, and the risk of a network is further reduced.
On the basis of the above embodiment, the determining the associated data by presetting a process white list rule includes:
acquiring a process name of the terminal equipment corresponding to the associated data according to the IP address information of the equipment and the source port information;
matching the terminal device process names according to historical terminal device process names in the preset process white list rule, wherein the historical terminal device process names comprise conventional process names and suspicious process names;
if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
In the embodiment of the invention, the preset process white list rule is constructed from the source IP address information and source port information of historically collected threat traffic data. The corresponding terminal device process name is then obtained according to the device IP address information and source port information in the terminal process data and is matched against the historical terminal device process names in the preset process white list rule to judge whether it is a suspicious process. If it is not, the security event is judged to be a false alarm; if it is, the terminal device is judged to be a suspicious device, and whether the security event is a false alarm must be judged further. By setting the preset process white list rule, IPs that have been determined to correspond to misjudged events can be filtered out during security event judgment and left out of the statistics; in addition, white list filtering is applied to the process data of the terminal equipment, so that conventional processes are filtered out and not collected. The criterion for a suspicious process is: every process that is not in the process white list is a suspicious process.
On the basis of the above embodiment, the preset process white list rule further includes a historical process MD5 value, so as to match the terminal device process name and the MD5 value corresponding to the associated data according to the historical terminal device process name and the historical process MD5 value, and obtain a matching result.
In the embodiment of the invention, the historically collected source IP address information and source port information are matched one by one against the IP address information and source port information in the terminal process data, so as to obtain the device IP address information of the suspicious process and the MD5 value of that process. If the corresponding process name and MD5 value exist in the preset white list, the security event is judged to be a misjudged event.
On the basis of the above embodiment, matching the associated data with the virus log in the virus data according to the device IP address information and the source port information, and if matching is successful, determining that the terminal device to be detected is a high-risk device, including:
and matching the process name, the equipment IP address information and the MD5 value of the terminal equipment of the associated data in the virus data, and judging that the terminal equipment to be detected corresponding to the associated data is high-risk equipment if a corresponding virus log in the virus data is matched.
On the basis of the above embodiment, the matching, in the virus data, the process name of the terminal device, the device IP address information, and the MD5 value of the associated data further includes:
if the associated data and the virus data are not successfully matched, marking the associated data for equipment abnormity judgment, and if the terminal equipment to be detected is abnormal, generating corresponding equipment abnormity information and updating a process white list and a corresponding virus library.
In the embodiment of the invention, terminal virus data comes mainly from the terminal equipment, and the spread of a virus also creates a process on the local device, so data on the virus process can be collected by the terminal process data acquisition module of the terminal equipment. Fig. 2 is an overall flowchart of suspicious terminal device detection according to an embodiment of the present invention. Referring to fig. 2, after the preset white list has been used, according to the source IP address information and source port information, to determine that a suspicious process exists on the terminal device to be detected, the virus data is queried for a virus log belonging to that terminal device. Specifically, the virus data is analysed according to the name and IP address information of the suspicious process. If a related virus log exists in the virus data (that is, the process name and IP address information of a virus log in the virus data are consistent with the process name and IP address information of the terminal device to be detected), the security event is judged to be a real security event, the terminal device is judged to be a high-risk device, and corresponding security handling is performed on the terminal device that has the suspicious process. If not, the corresponding terminal device must be checked manually for abnormal conditions, such as the machine freezing or the system operating abnormally.
On the basis of the above embodiment, the method further includes:
and acquiring a risk value of the terminal equipment according to source IP address information and source port information of the historical threat flow data, and detecting the terminal equipment according to the sequence of the risk value from high to low.
In the embodiment of the invention, the relationships among the various data and a set threshold are used to rank the risk values of the devices corresponding to security events, providing a basis for subsequent network risk investigation. For example, the number of attacks is obtained according to the source IP address information and source port information of the device generating the attacks, and an event whose number of attacks meets the preset threshold is determined to be a security event.
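The procedure of steps 101 and 102, with the MD5 refinement and the risk ranking, as an added example that is not code from the patent. The record types, field names, verdict labels, the `uncorrelated` bucket for events with no process record, case-insensitive comparison, and the use of event count as the risk value are assumptions; all sample records and digests are constructed.

```python
from collections import Counter
from typing import NamedTuple


class SecurityEvent(NamedTuple):  # produced by the network probe from traffic data
    src_ip: str
    src_port: int
    rule: str


class ProcessRecord(NamedTuple):  # terminal process data: which process owns ip:port
    ip: str
    port: int
    name: str
    md5: str


class VirusLog(NamedTuple):  # one virus log entry in the virus data
    ip: str
    name: str
    md5: str


SEVERITY = {"uncorrelated": 0, "false_alarm": 1, "manual_review": 2, "high_risk": 3}


def correlate(events, processes):
    """Step 101: join security events to process records on (IP, source port)."""
    owner = {(p.ip, p.port): p for p in processes}
    pairs = [(e, owner[(e.src_ip, e.src_port)]) for e in events
             if (e.src_ip, e.src_port) in owner]
    unmatched = [e for e in events if (e.src_ip, e.src_port) not in owner]
    return pairs, unmatched


def judge(proc, whitelist, virus_logs):
    """Step 102 for one associated record.

    whitelist: set of (name, md5); virus_logs: set of VirusLog; both lower-cased.
    """
    # Assumption: process names and hex digests compare case-insensitively.
    key = (proc.name.lower(), proc.md5.lower())
    if key in whitelist:  # name AND MD5 must both match the white list
        return "false_alarm"
    if VirusLog(proc.ip, *key) in virus_logs:  # name, IP and MD5 all match
        return "high_risk"
    return "manual_review"  # suspicious process, no virus log: analyst checks device


def rank_devices(events, threshold=1):
    """Risk value = events per source IP (assumption), sorted high to low."""
    counts = Counter(e.src_ip for e in events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= threshold]


def triage(events, processes, whitelist, virus_logs, threshold=1):
    """Return (ip, event_count, worst_verdict) per device, in risk order."""
    pairs, _ = correlate(events, processes)
    verdict = {}
    for ev, proc in pairs:
        v = judge(proc, whitelist, virus_logs)
        if SEVERITY[v] > SEVERITY[verdict.get(ev.src_ip, "uncorrelated")]:
            verdict[ev.src_ip] = v
    return [(ip, n, verdict.get(ip, "uncorrelated"))
            for ip, n in rank_devices(events, threshold)]


# Constructed sample data (placeholder digests, documentation-range addresses).
MD5_A, MD5_B, MD5_C = "a" * 32, "b" * 32, "c" * 32
WHITELIST = {("backup_agent.exe", MD5_A)}
VIRUS_LOGS = {VirusLog("192.0.2.20", "svch0st.exe", MD5_B)}
PROCESSES = [
    ProcessRecord("192.0.2.10", 50001, "backup_agent.exe", MD5_A),
    ProcessRecord("192.0.2.20", 40001, "SVCH0ST.EXE", MD5_B.upper()),
    ProcessRecord("192.0.2.20", 40002, "backup_agent.exe", MD5_A),
    # White-listed name with a different hash: the name alone would clear it.
    ProcessRecord("192.0.2.30", 41000, "backup_agent.exe", MD5_C),
]
EVENTS = [
    SecurityEvent("192.0.2.10", 50001, "port-scan"),
    SecurityEvent("192.0.2.20", 40001, "smb-bruteforce"),
    SecurityEvent("192.0.2.20", 40001, "smb-bruteforce"),
    SecurityEvent("192.0.2.20", 40002, "port-scan"),
    SecurityEvent("192.0.2.30", 41000, "port-scan"),
    SecurityEvent("192.0.2.30", 41000, "port-scan"),
    SecurityEvent("192.0.2.40", 42000, "port-scan"),  # no process record exists
]

if __name__ == "__main__":
    for row in triage(EVENTS, PROCESSES, WHITELIST, VIRUS_LOGS):
        print(row)
```

The join in this example carries no timestamp, so it assumes each (IP, source port) pair is owned by a single process over the analysed window.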
Fig. 3 is a schematic structural diagram of a multi-dimensional suspicious terminal device detection system according to an embodiment of the present invention. As shown in fig. 3, an embodiment of the present invention provides a multi-dimensional suspicious terminal device detection system, which includes an association module 301 and a determination module 302. The association module 301 is configured to obtain a security event log from traffic data, and to associate terminal process data of a terminal device to be detected with the corresponding security event log according to device IP address information and source port information to obtain associated data. The determination module 302 is configured to judge the associated data according to a preset process white list rule, to match the associated data with the virus logs in the virus data according to the device IP address information and the source port information if the associated data is judged to be a suspicious process, and to determine that the terminal device to be detected is a high-risk device if the matching is successful.
The multi-dimensional suspicious terminal equipment detection system provided by the embodiment of the invention performs analysis by combining various security data through a big data technology, reduces the misjudgment possibility of security events, improves the efficiency of security event processing, accelerates the investigation of suspicious terminals and further reduces the risk of a network.
On the basis of the foregoing embodiment, the determining module includes a first processing unit and a second processing unit, where the first processing unit is configured to obtain, according to the device IP address information and the source port information, a process name of the terminal device corresponding to the associated data; the second processing unit is used for matching the terminal equipment process name according to the historical terminal equipment process name in the preset process white list rule, wherein the historical terminal equipment process name comprises a conventional process name and a suspicious process name; if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
The system provided by the embodiment of the present invention is used to execute the above method embodiments; for the detailed flow, refer to the above embodiments, which are not repeated here.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and referring to fig. 4, the electronic device may include: a processor (processor) 401, a communication Interface (Communications Interface) 402, a memory (memory) 403 and a communication bus 404, wherein the processor 401, the communication Interface 402 and the memory 403 communicate with each other through the communication bus 404. Processor 401 may call logic instructions in memory 403 to perform the following method: acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data; and judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in the virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
In addition, the logic instructions in the memory 403 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method for detecting a suspicious terminal device based on multiple dimensions, which includes: acquiring a security event log from the traffic data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the device IP address information and the source port information to obtain associated data; and judging the associated data through a preset process white list rule, and, if the associated data is judged to be a suspicious process, matching the associated data with the virus logs in the virus data according to the device IP address information and the source port information, and, if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A multi-dimensional based suspicious terminal device detection method is characterized by comprising the following steps:
acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data;
judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment;
the determining the associated data according to the preset process white list rule includes:
acquiring a process name of the terminal equipment corresponding to the associated data according to the IP address information of the equipment and the source port information;
matching the terminal device process names according to historical terminal device process names in the preset process white list rule, wherein the historical terminal device process names comprise conventional process names and suspicious process names;
if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
2. The multi-dimensional suspicious terminal device detecting method according to claim 1, wherein the preset process white list rule further includes a historical process MD5 value, so as to match the terminal device process name and the MD5 value corresponding to the associated data according to the historical terminal device process name and the historical process MD5 value, and obtain a matching result.
3. The method according to claim 2, wherein the matching between the associated data and a virus log in virus data is performed according to the device IP address information and the source port information, and if matching is successful, it is determined that the terminal device to be detected is a high-risk device, including:
and matching the process name, the equipment IP address information and the MD5 value of the terminal equipment of the associated data in the virus data, and judging that the terminal equipment to be detected corresponding to the associated data is high-risk equipment if a corresponding virus log in the virus data is matched.
4. The method according to claim 3, wherein the matching of the terminal device process name, device IP address information, and MD5 value of the associated data in the virus data further comprises:
if the associated data and the virus data are not successfully matched, marking the associated data for equipment abnormity judgment, and if the terminal equipment to be detected is abnormal, generating corresponding equipment abnormity information and updating a process white list and a corresponding virus library.
5. The method according to claim 1, further comprising:
and acquiring a risk value of the terminal equipment according to source IP address information and source port information of the historical threat flow data, and detecting the terminal equipment according to the sequence of the risk value from high to low.
6. A suspicious terminal device detection system based on multiple dimensions is characterized by comprising:
the correlation module is used for acquiring a security event log through the flow data, and correlating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the equipment IP address information and the source port information to obtain correlation data;
the judging module is used for judging the associated data through a preset process white list rule, matching the associated data with virus logs in the virus data according to the IP address information of the equipment and the source port information if the associated data is judged to be a suspicious process, and judging that the terminal equipment to be detected is high-risk equipment if the associated data is successfully matched with the virus logs in the virus data;
the judging module comprises:
the first processing unit is used for acquiring a process name of the terminal equipment corresponding to the associated data according to the equipment IP address information and the source port information;
the second processing unit is used for matching the terminal equipment process name according to the historical terminal equipment process name in the preset process white list rule, wherein the historical terminal equipment process name comprises a conventional process name and a suspicious process name; if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the multi-dimensional based suspicious terminal device detecting method according to any one of claims 1 to 5.
8. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, performs the steps of the multi-dimensional based suspicious terminal device detecting method according to one of the claims 1 to 5.
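The detection flow of claims 1 to 4, sketched in Python as an added illustration that is not part of the patent text or the applicant's implementation. All field names, verdict labels, sample records and the handling of a process absent from the white list rule are assumptions made for the example.

```python
# Constructed sample data; field names and values are illustrative assumptions.
MD5_A, MD5_B, MD5_C = "a" * 32, "b" * 32, "c" * 32

SECURITY_EVENTS = [  # security event log derived from flow (traffic) data
    {"src_ip": "10.0.0.5", "src_port": 49152, "event": "outbound-scan"},
    {"src_ip": "10.0.0.6", "src_port": 50001, "event": "outbound-scan"},
    {"src_ip": "10.0.0.7", "src_port": 50777, "event": "outbound-scan"},
]
PROCESS_DATA = [  # terminal process data reported by each endpoint
    {"ip": "10.0.0.5", "port": 49152, "name": "updater.exe", "md5": MD5_A},
    {"ip": "10.0.0.6", "port": 50001, "name": "browser.exe", "md5": MD5_B},
    {"ip": "10.0.0.7", "port": 50777, "name": "updater.exe", "md5": MD5_C},
]
# Process white list rule: historical (name, MD5) pairs, each labelled
# as a conventional or a suspicious process (claims 1 and 2).
WHITELIST_RULE = {
    ("browser.exe", MD5_B): "conventional",
    ("updater.exe", MD5_A): "suspicious",
    ("updater.exe", MD5_C): "suspicious",
}
VIRUS_LOGS = [{"ip": "10.0.0.5", "name": "updater.exe", "md5": MD5_A}]


def correlate(events, processes):
    """Join security events to endpoint processes on (device IP, source port)."""
    by_socket = {(p["ip"], p["port"]): p for p in processes}
    associated = []
    for e in events:
        proc = by_socket.get((e["src_ip"], e["src_port"]))
        if proc is not None:
            associated.append({**e, **proc})
    return associated


def judge(record, rule, virus_logs):
    """Return the verdict for one associated record."""
    label = rule.get((record["name"], record["md5"]))
    if label == "conventional":
        return "false_alarm"       # the security event is a false alarm
    if label != "suspicious":
        return "unclassified"      # assumption: the claims do not define this case
    key = (record["ip"], record["name"], record["md5"])
    if any((v["ip"], v["name"], v["md5"]) == key for v in virus_logs):
        return "high_risk"         # claim 3: name, IP and MD5 found in virus data
    return "anomaly_review"        # claim 4: mark for equipment abnormality judgment


def detect(events, processes, rule, virus_logs):
    """Verdict per device IP (the sample has one associated record per device)."""
    return {r["ip"]: judge(r, rule, virus_logs) for r in correlate(events, processes)}
```

Keying the rule on the name and MD5 pair from claim 2, rather than on the process name alone as in claim 1, keeps a renamed binary from matching a conventional entry.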
CN202011034350.1A 2020-09-27 2020-09-27 Multi-dimension-based suspicious terminal equipment detection method and system Active CN112153062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011034350.1A CN112153062B (en) 2020-09-27 2020-09-27 Multi-dimension-based suspicious terminal equipment detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011034350.1A CN112153062B (en) 2020-09-27 2020-09-27 Multi-dimension-based suspicious terminal equipment detection method and system

Publications (2)

Publication Number Publication Date
CN112153062A CN112153062A (en) 2020-12-29
CN112153062B true CN112153062B (en) 2023-02-21

Family

ID=73895463

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011034350.1A Active CN112153062B (en) 2020-09-27 2020-09-27 Multi-dimension-based suspicious terminal equipment detection method and system

Country Status (1)

Country Link
CN (1) CN112153062B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113835954A (en) * 2021-09-15 2021-12-24 广东电力信息科技有限公司 Dynamic network security monitoring method, device and equipment
CN115051833B (en) * 2022-05-12 2023-12-15 中国电子科技集团公司电子科学研究院 Intercommunication network anomaly detection method based on terminal process
CN116455642B (en) * 2023-04-21 2023-11-21 杭州虎符网络有限公司 Access risk real-time auditing method and system based on log analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016143278A (en) * 2015-02-03 2016-08-08 三菱電機株式会社 Electronic mail distribution device and electronic mail distribution program
CN106446685A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Methods and devices for detecting malicious documents
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 One kind is fallen Host Detection method
CN108959927A (en) * 2018-06-27 2018-12-07 杭州安恒信息技术股份有限公司 A kind of device and method of the safe across comparison analysis of Internet of Things
CN110247934A (en) * 2019-07-15 2019-09-17 杭州安恒信息技术股份有限公司 The method and system of internet-of-things terminal abnormality detection and response
CN110929259A (en) * 2019-11-14 2020-03-27 腾讯科技(深圳)有限公司 Process security verification white list generation method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5557623B2 (en) * 2010-06-30 2014-07-23 三菱電機株式会社 Infection inspection system, infection inspection method, recording medium, and program
CN111027061A (en) * 2019-02-26 2020-04-17 北京安天网络安全技术有限公司 Terminal virus detection method and device based on data packet and storage device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
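Malicious code forensics and analysis of suspicious terminals based on a 4-level trust mechanism; Miao Deyu, Kang Xuebin, Xiao Xinguang; Telecommunications Science (《电信科学》); 20110131; 105-109 *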

Also Published As

Publication number Publication date
CN112153062A (en) 2020-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant