CN112580022B - Host system security early warning method, device, equipment and storage medium - Google Patents

Host system security early warning method, device, equipment and storage medium

Info

Publication number: CN112580022B
Authority: CN (China)
Prior art keywords: attribute data, item, safety analysis, data, host system
Legal status: Active
Application number: CN202011440751.7A
Other languages: Chinese (zh)
Other versions: CN112580022A (en)
Inventors: 魏桂臣, 赵晴, 许放, 张宏亮, 周俊杰, 杨寒冰
Current assignee: Beijing Zhongdian Feihua Communication Co Ltd
Original assignee: Beijing Zhongdian Feihua Communication Co Ltd
Application filed by Beijing Zhongdian Feihua Communication Co Ltd; priority claimed to CN202011440751.7A; published as CN112580022A, then granted and published as CN112580022B. Legal status: Active.

Classifications

    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06N20/00 Machine learning
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods


Abstract

One or more embodiments of the present disclosure provide a method, an apparatus, a device and a storage medium for security early warning of a host system. The method includes: collecting attribute data of a plurality of items of the host system; for any item, comparing the attribute data of the item with the original attribute data of that item in a pre-constructed original database to obtain a change value of the attribute data of the item; in response to the change value of the attribute data of the item exceeding the preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data; and performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates that the host is unsafe. Because the attribute data of an item is subjected to a second, separate security analysis after it has been identified as abnormal, the accuracy and targeting of the host security early warning are improved.

Description

Host system security early warning method, device, equipment and storage medium
Technical Field
One or more embodiments of the present disclosure relate to the field of host security technologies, and in particular, to a host system security early warning method, device, apparatus, and storage medium.
Background
With the rapid development of 5G, artificial intelligence, the industrial Internet and the Internet of Things, the information security boundary keeps expanding, the contest between attackers from the cybercrime (black-market) industry and defenders intensifies, and enterprise digital assets that use data as their carrier face a very high level of threat. The host is ultimately the most important gate to those digital assets, so its security cannot be ignored.
At present, host security technology mainly consists of automatically checking the configuration compliance of the information assets of various information systems: the relevant configuration of the information assets within the monitored range is collected in real time, and the real-time security configuration of the equipment and systems is compared with the security baselines in a security baseline library in order to find and locate security defects and risks of the system or equipment.
However, because the information assets of most information systems are very numerous and the security baselines are varied, the security defects and risks found by the existing method are also very numerous, varied and untargeted; a large amount of resources is consumed, and an early warning issued over such a large volume of information carries little meaning.
Disclosure of Invention
In view of the foregoing, one or more embodiments of the present disclosure are directed to a host system security early warning method, apparatus, device and storage medium, so as to solve the problem that existing host security early warning is inaccurate and untargeted.
In view of the above objects, one or more embodiments of the present disclosure provide a host system security early warning method, including:
collecting attribute data of a plurality of items of a host system;
for the attribute data of each of the plurality of items, performing the following operations:
comparing the attribute data of the item with the original attribute data of the item in a pre-constructed original database to obtain a change value of the attribute data of the item;
in response to the change value of the attribute data of the item exceeding a preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data;
and performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates that the host is unsafe.
Optionally, the method further comprises:
when the host system is first installed and deployed, collecting attribute data of a plurality of items of the host system and constructing the original database; and inputting the original database into a pre-constructed threshold rule model to obtain the attribute data change threshold of each item in the original database.
Optionally, collecting the attribute data of the plurality of items of the host system includes at least one of the following:
acquiring the attribute data of the plurality of items from the system registry;
and acquiring the attribute data of the plurality of items from a system configuration file.
Optionally, the method further comprises:
constructing a first sample set comprising a number of first samples, where each first sample comprises first sample data and first label data; the first sample data includes a training original database, and the first label data includes the attribute data change threshold of each item in that training original database.
And constructing and training the threshold rule model from the first sample set through a preset machine learning algorithm.
Optionally, the method further comprises:
constructing a second sample set comprising a number of second samples, where each second sample comprises second sample data and second label data; the second sample data includes training abnormal attribute data, and the second label data includes the security analysis result corresponding to that abnormal attribute data.
And constructing and training the security analysis model from the second sample set through a preset machine learning algorithm.
Optionally, the method further comprises:
after the attribute data of an item has been taken as abnormal attribute data, collecting the attribute data of that item at least once more, judging again whether it is abnormal attribute data, and performing security analysis on the abnormal attribute data through the pre-constructed security analysis model to obtain the security analysis result.
Optionally, the method further comprises:
and when the security analysis result indicates that the host is unsafe, restoring the abnormal attribute data to the attribute data of the corresponding item in the original database.
Based on the same inventive concept, one or more embodiments of the present disclosure provide a host system security early warning apparatus, including:
a data collection module, configured to collect attribute data of a plurality of items of the host system;
a change comparison module, configured to compare the attribute data of an item with the original attribute data of the item in a pre-constructed original database to obtain a change value of the attribute data of the item;
an anomaly determination module, configured to, in response to the change value of the attribute data of the item exceeding the preset attribute data change threshold of the item, take the attribute data of the item as abnormal attribute data;
and a security analysis module, configured to perform security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and to issue an early warning when the security analysis result indicates that the host is unsafe.
Based on the same inventive concept, one or more embodiments of the present description provide an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method as described above when executing the program.
Based on the same inventive concept, one or more embodiments of the present specification provide a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the above-described method.
As can be seen from the foregoing, the host system security early warning method, apparatus, device and storage medium provided in one or more embodiments of the present disclosure include: collecting attribute data of a plurality of items of a host system; for any item, comparing the attribute data of the item with the original attribute data of that item in a pre-constructed original database to obtain a change value of the attribute data of the item; in response to the change value of the attribute data of the item exceeding the preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data; and performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates that the host is unsafe. Because the attribute data of an item is subjected to a second, separate security analysis after it has been identified as abnormal, the accuracy and targeting of the host security early warning are improved.
Drawings
To describe the technical solutions of one or more embodiments of the present description, or of the prior art, more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. The drawings described below illustrate only one or more embodiments of the present description; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a first flow chart of a host system security pre-warning method according to one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram illustrating a second flow of a host system security pre-warning method according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram illustrating a structure of a security early warning device of a host system according to one or more embodiments of the present disclosure;
Fig. 4 is a schematic diagram of a hardware structure of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It is noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should be taken in the general sense understood by one of ordinary skill in the art to which the present disclosure pertains. The use of the terms "first", "second" and the like in one or more embodiments of the present description does not denote any order, quantity or importance; these terms are used only to distinguish one element from another. The words "comprising" or "comprises" and the like mean that the elements or items preceding the word include the elements or items listed after the word and their equivalents, but do not exclude other elements or items. The terms "connected" or "coupled" and the like are not limited to physical or mechanical connections but may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right" and the like are used merely to indicate relative positional relationships, which may change when the absolute position of the object being described changes.
With the rapid development of 5G, artificial intelligence, the industrial Internet and the Internet of Things, the information security boundary keeps expanding, the contest between attackers from the cybercrime (black-market) industry and defenders intensifies, and enterprise digital assets that use data as their carrier face a very high level of threat. The host is ultimately the most important gate to those digital assets, so its security cannot be ignored.
At present, host security technology mainly consists of automatically checking the configuration compliance of the information assets of various information systems: the relevant configuration of the information assets within the monitored range is collected in real time, and the real-time security configuration of the equipment and systems is compared with the security baselines in a security baseline library in order to find and locate security defects and risks of the system or equipment.
However, because the information assets of most information systems are very numerous and the security baselines are varied, the security defects and risks found by the existing method are also very numerous, varied and untargeted; a large amount of resources is consumed, and an early warning issued over such a large volume of information carries little meaning.
In order to solve the above problems, one or more embodiments of the present disclosure provide a host system security early warning method. Fig. 1 is a flow chart of the host system security early warning method provided in one or more embodiments of the present disclosure; the method includes:
S110, collecting attribute data of a plurality of items of the host system.
As an alternative embodiment, the host system may run Windows, macOS, Linux, iOS, Android, etc., for example Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2003, Microsoft Windows Server 2008, RedHat, Ubuntu, CentOS, AIX and HP-UNIX.
As an alternative embodiment, the items include files, processes, user groups, services, registry entries, etc. The attribute data includes: for files, the creation time, modification time, access time, last save time, file permissions, and encrypted value or certificate information; for the registry, its items, keys and values; for user groups, the privileged users and groups, administrators, self-created accounts, guests, etc.; for processes, the PID, status, owning user name, and changes in CPU and memory usage, etc. For any of the above items, one or more of these attribute data may be collected, and the specific correspondence between items and attributes may be established in advance.
As an alternative embodiment, collecting the attribute data of the plurality of items of the host system includes at least one of: acquiring the attribute data of the items from the system registry, and acquiring the attribute data of the items from a system configuration file. The registry is the core database of the Windows operating system; it stores various parameters and directly controls the start-up of Windows, the loading of hardware drivers and the running of some Windows applications. The registry is also used to control hardware and software, for example by adjusting BIOS (Basic Input Output System) and cache settings and modifying parameters through the registry. A system configuration file holds the parameters and initial settings of some computer programs.
For the attribute data of each of the plurality of items, the following operations are performed:
S120, comparing the attribute data of the item with the original attribute data of the item in a pre-constructed original database to obtain a change value of the attribute data of the item.
In one or more embodiments of the present disclosure, when the host system is first installed and deployed, the attribute data of a plurality of items of the host system is collected and the original database is constructed. Optionally, during subsequent use of the host system, when middleware, a database or other application software is installed according to actual service requirements, the attribute data of the corresponding items is collected and stored in the already-built original database. Optionally, the method of collecting the attribute data of the plurality of items of the host system is the same as in S110.
In the process of constructing the original database, the collected results can be stored in different ways according to actual needs. Optionally, in an online mode, the collected results are classified by item type (files, processes, user groups, services, registry entries, etc.) and stored in the database as separate data tables, with the attributes of each item stored in the fields of its table; for example, for a file attribute record, C:\Users\test.txt is the first field of the data table, the file type is the second field, the opening method is the third field and the location is the fourth field, so that every piece of information is stored in its own field. Optionally, in an offline mode, the various items of system configuration information are combined with the collected results and stored as an XML file, for example:
"<?xml version="1.0" encoding="UTF-8" standalone="no"?><exam><student URL="C:\Users\test.txt"><type>text files (.txt)</type><open>notepad</open><site>C:\Users</site> … </student>"
so that offline scanning and comparison are facilitated.
The original database is then input into a pre-constructed threshold rule model to obtain the attribute data change threshold of each item in the original database. Constructing the threshold rule model comprises:
constructing a first sample set comprising a number of first samples, where each first sample comprises first sample data and first label data; the first sample data includes a training original database, and the first label data includes the attribute data change threshold of each item in that training original database.
And constructing and training the threshold rule model from the first sample set through a preset machine learning algorithm.
The preset machine learning algorithm may be one or more of a naive Bayes algorithm, a decision tree algorithm, a support vector machine algorithm, a kNN algorithm, a neural network algorithm, a deep learning algorithm and a logistic regression algorithm.
The input layer of the threshold rule model performs feature extraction on the original database to obtain feature vectors reflecting the features of the original database.
The number of hidden layers may be one or more and is set as required. Each hidden layer comprises a plurality of neurons; the input of each neuron is a weighted sum of the outputs of the neurons of the previous layer, which is passed through an activation function to produce the neuron's output. The activation function may be sigmoid, tanh, ReLU, etc.; in this example it is sigmoid.
The activation function of the output layer may be Softmax. For example, the output layer produces a vector (0.4, 0.6), where 0.4 is the probability that the item takes the first attribute data change threshold and 0.6 the probability that it takes the second; because the probability of the second threshold is higher, the second attribute data change threshold is output as the attribute data change threshold of the item.
The type of threshold depends on the type of the collected attribute data of the item; thresholds include, but are not limited to, a time, a percentage, a value, an MD5 hash and the range values of certificates.
S130, in response to the change value of the attribute data of the item exceeding the preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data.
The change value of the attribute data of each item is compared, item by item, with the preset attribute data change threshold of that item to judge whether the change value exceeds the threshold. If the change value of the attribute data of an item exceeds the preset attribute data change threshold of the item, the attribute data of the item is taken as abnormal attribute data.
S140, performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates that the host is unsafe.
Constructing the security analysis model comprises:
constructing a second sample set comprising a number of second samples, where each second sample comprises second sample data and second label data; the second sample data includes training abnormal attribute data, and the second label data includes the security analysis result corresponding to that abnormal attribute data.
And constructing and training the security analysis model from the second sample set through a preset machine learning algorithm.
The preset machine learning algorithm may be one or more of a naive Bayes algorithm, a decision tree algorithm, a support vector machine algorithm, a kNN algorithm, a neural network algorithm, a deep learning algorithm and a logistic regression algorithm.
The input layer of the security analysis model performs feature extraction on the abnormal attribute data to obtain feature vectors reflecting the abnormal attribute data.
The number of hidden layers may be one or more and is set as required. Each hidden layer comprises a plurality of neurons; the input of each neuron is a weighted sum of the outputs of the neurons of the previous layer, which is passed through an activation function to produce the neuron's output. The activation function may be sigmoid, tanh, ReLU, etc.; in this example it is sigmoid.
The activation function of the output layer may be Softmax. For example, the output layer produces a vector (0.4, 0.6), where 0.4 is the probability that the abnormal attribute data is in a safe state and 0.6 the probability that it is in a dangerous state; because the probability of the dangerous state is higher, the security analysis result for the abnormal attribute data is output as dangerous.
Optionally, the method further comprises: when the security analysis result indicates that the host is unsafe, restoring the abnormal attribute data to the attribute data of the corresponding item in the original database.
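As an added example that is not part of the patent, the following Python implements the S110 to S140 flow described above over an offline XML snapshot in the shape sketched for the original database, including the re-collection step of Fig. 2 and the restore step. The threshold table and the weighted softmax classifier are constructed stand-ins for the trained threshold rule model and security analysis model, and all item names, paths and hashes are constructed.

```python
import copy
import math
import xml.etree.ElementTree as ET

# Constructed offline snapshot of the original database, in the shape the patent
# sketches (<exam>/<student URL=...> with one child element per attribute).
ORIGINAL_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<exam>
  <student URL="C:\\Users\\test.txt" kind="file">
    <mtime>1700000000</mtime><md5>d41d8cd98f00b204e9800998ecf8427e</md5><perms>644</perms>
  </student>
  <student URL="HKLM\\Software\\ExampleApp\\Run" kind="registry">
    <value>C:\\ExampleApp\\agent.exe</value>
  </student>
  <student URL="pid:4242" kind="process"><cpu>5.0</cpu><user>svc</user></student>
</exam>"""

# Per-attribute change thresholds by type (time in seconds, percentage, exact
# value, MD5); a constructed table standing in for the threshold rule model.
THRESHOLDS = {
    "mtime": ("time", 3600),     # edits within an hour of the baseline are tolerated
    "md5": ("md5", 0),           # any content-hash change counts
    "perms": ("value", 0),       # any permission change counts
    "value": ("value", 0),       # registry value must match exactly
    "cpu": ("percentage", 50),   # more than 50 % relative change in CPU usage
    "user": ("value", 0),        # process owner must match exactly
}

# Constructed per-attribute contributions to the "unsafe" logit; stands in for
# the trained security analysis model of S140.
UNSAFE_WEIGHT = {"md5": 2.0, "perms": 1.5, "value": 2.5, "user": 2.0, "mtime": 0.3, "cpu": 0.5}

def load_original(xml_text):
    """Parse the offline snapshot into {item_url: {attribute: value}}."""
    root = ET.fromstring(xml_text)
    return {s.get("URL"): {c.tag: c.text for c in s} for s in root.findall("student")}

def change_value(kind, old, new):
    """S120: change value of one attribute relative to its original value."""
    if kind == "time":
        return abs(float(new) - float(old))
    if kind == "percentage":
        return abs(float(new) - float(old)) / max(abs(float(old)), 1e-9) * 100.0
    return 0.0 if old == new else 1.0   # value / MD5 thresholds: changed or not

def find_abnormal(original, collected):
    """S120 + S130: (url, attribute, old, new, change) for every attribute whose
    change value exceeds the threshold set for it."""
    abnormal = []
    for url, attrs in collected.items():
        for name, new in attrs.items():
            old = original.get(url, {}).get(name)
            if old is None or name not in THRESHOLDS:
                continue   # not in the original database: nothing to compare against
            kind, limit = THRESHOLDS[name]
            delta = change_value(kind, old, new)
            if delta > limit:
                abnormal.append((url, name, old, new, delta))
    return abnormal

def security_analysis(abnormal):
    """S140 stand-in: softmax over (safe, unsafe) logits, giving a (p_safe,
    p_unsafe) vector like the (0.4, 0.6) example in the description."""
    logits = [1.0, sum(UNSAFE_WEIGHT[name] for _, name, *_ in abnormal)]
    top = max(logits)
    weights = [math.exp(v - top) for v in logits]
    return weights[0] / sum(weights), weights[1] / sum(weights)

def run_pipeline(original, host, rechecks=1):
    """Full flow over a mutable `host` state dict (stands in for live collection):
    collect, flag abnormal, re-collect at least once to confirm (Fig. 2),
    analyse, then early-warn and restore the abnormal attributes when unsafe."""
    collect = lambda: copy.deepcopy(host)
    abnormal = find_abnormal(original, collect())
    for _ in range(rechecks):
        still = {(u, n) for u, n, *_ in find_abnormal(original, collect())}
        abnormal = [a for a in abnormal if (a[0], a[1]) in still]
    if not abnormal:
        return {"warning": False, "abnormal": [], "restored": [], "p_unsafe": 0.0}
    p_safe, p_unsafe = security_analysis(abnormal)
    restored = []
    if p_unsafe > p_safe:
        for url, name, old, _new, _delta in abnormal:
            host[url][name] = old          # restore to the original attribute data
            restored.append((url, name))
    return {"warning": p_unsafe > p_safe, "abnormal": abnormal,
            "restored": restored, "p_unsafe": p_unsafe}

def demo_host(original, tampered=True):
    """Constructed live state: benign drift plus, when tampered, a hash and a
    registry change that the analysis should rate unsafe."""
    host = copy.deepcopy(original)
    host["C:\\Users\\test.txt"]["mtime"] = "1700000120"   # 2 min later: tolerated
    host["pid:4242"]["cpu"] = "6.0"                        # +20 %: tolerated
    if tampered:
        host["C:\\Users\\test.txt"]["md5"] = "0" * 32      # constructed hash
        host["HKLM\\Software\\ExampleApp\\Run"]["value"] = "C:\\Temp\\x.exe"
    return host
```

Running run_pipeline(load_original(ORIGINAL_XML), demo_host(...)) shows the two-stage design: a file whose only change is a modification time outside the threshold is flagged abnormal but rated safe and left alone, while a hash plus registry change triggers the warning and the restore.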
As can be seen from the foregoing, one or more embodiments of the present disclosure provide a host system security early warning method, including: collecting attribute data of a plurality of items of a host system; for any item, comparing the attribute data of the item with the original attribute data of that item in a pre-constructed original database to obtain a change value of the attribute data of the item; in response to the change value of the attribute data of the item exceeding the preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data; and performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates that the host is unsafe. Because the attribute data of an item is subjected to a second, separate security analysis after it has been identified as abnormal, the accuracy and targeting of the host security early warning are improved.
Referring to fig. 2, as an alternative embodiment, after the attribute data of an item has been taken as abnormal attribute data, the attribute data of that item is collected at least once more and it is judged again whether it is abnormal attribute data; security analysis is then performed on the abnormal attribute data through the pre-constructed security analysis model to obtain the security analysis result.
Specifically, detection analysis and/or monitoring analysis are performed on the abnormal attribute data: the attribute data is collected and compared repeatedly at a preset time interval, or continuously, and the abnormal attribute data is analysed. The analysis models include detection models, monitoring models and intelligent models.
The detection models include a webshell detection model, a backdoor detection model and a hidden-link detection model. A webshell is a means by which an anonymous user (an intruder) obtains some degree of control over a web server through its web service port. The backdoor detection model is used to guard against malicious backdoors. A hidden link (dark link) is a link to a website that is planted on other, legitimate websites in a form invisible to visitors but indexable by search engines, so as to capture a large amount of network traffic. The hidden-link detection model uses techniques such as website URL comparison and sensitive-keyword detection (gambling, pornography and the like) to detect whether a website has hidden links planted on it.
The monitoring models include a privilege monitoring model, a change monitoring model, a link monitoring model and a process monitoring model.
The intelligent models include an association analysis model, which traces one piece of information to all of its associated data and analyses them together.
The analysis models run different detection, monitoring and intelligent models according to the threshold that was exceeded: if a time change is found in a file's attributes, the detection model and the monitoring model are started; for a newly created file, the monitoring model is started; for a change in file content, the detection model is started; and for a change in a specific log file, different analysis models are invoked according to the log contents. For example, if the log shows someone brute-forcing a user's password, the user privilege monitoring model and the association analysis model are started; once the log shows a successful login by that user, an early warning is issued and monitoring continues; and if the password is then changed, the evidence collection (forensic) process is started.
The invention therefore provides a method that actively detects and monitors the changes that occur in the original state of a host and during its operation, and analyses those changes, so that attack behaviour or threats are warned of proactively and the host's capability for active detection is improved.
It should be noted that the methods of one or more embodiments of the present description may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied in a distributed scenario, in which a plurality of devices cooperate to complete it. In such a distributed scenario, one of the devices may perform only one or more steps of the methods of one or more embodiments of the present description, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes specific embodiments of the present invention. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, one or more embodiments of the present disclosure further provide a host system security pre-warning device corresponding to the method of any embodiment.
Referring to fig. 3, the host system security pre-warning device includes:
a data collection module 210, configured to collect attribute data of a plurality of items of the host system;
a change comparison module 220, configured to compare the attribute data of each item with the native attribute data of that item in a pre-built native database, so as to obtain a change value of the attribute data of the item;
an anomaly determination module 230, configured to, in response to determining that the change value of the attribute data of the item exceeds a preset attribute data change threshold of the item, take the attribute data of the item as abnormal attribute data;
and a security analysis module 240, configured to perform security analysis on the abnormal attribute data through a pre-constructed security analysis model, obtain a security analysis result, and issue an early warning when the security analysis result indicates unsafe.
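The four modules above, and the method of claims 1 to 5, chained together as an added example (not the patent's code). The item names, the threshold rule and the allowlist used for security analysis are assumptions standing in for the patent's machine-learned threshold rule model and security analysis model; the host snapshots are constructed. The pass builds the native database from the first snapshot, derives a per-item change threshold, compares a later snapshot, re-collects an item once before treating it as abnormal (claim 5), analyses the anomaly, and on an unsafe result issues the warning and restores the native value.

```python
"""Native database -> per-item change threshold -> anomaly -> security
analysis -> early warning and restore.  Added example; sources, items,
threshold rule and analysis rules are assumptions, not the patent's models."""
from dataclasses import dataclass, field


# 1. Collection (claim 2: registry and configuration-file sources).  A snapshot is
#    {source: {key: value}}; items are keyed by (source, key).
def collect(snapshot):
    return {(src, key): val for src, items in snapshot.items() for key, val in items.items()}


# 2. Native database, built once when the host is first installed and deployed.
def build_native_database(first_snapshot):
    return collect(first_snapshot)


def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


# 3. Threshold rule model.  The patent trains this with machine learning; the assumed
#    rule here tolerates 10% drift on numeric items and no change at all on others.
def threshold_rule_model(native_db):
    return {item: (abs(v) * 0.10 if _is_number(v) else 0.0) for item, v in native_db.items()}


# 4. Change value: numeric delta for numbers, 0/1 for equal/different otherwise.
def change_value(native, current):
    if _is_number(native) and _is_number(current):
        return abs(current - native)
    return 0.0 if native == current else 1.0


# 5. Security analysis model.  Assumed allowlist of acceptable values per item in
#    place of the trained model; unknown items that changed are treated as unsafe.
SAFE_VALUES = {
    ("config", "ssh.PermitRootLogin"): {"no"},
    ("config", "ssh.PasswordAuthentication"): {"no", "yes"},
    ("registry", "Run\\Updater"): {"C:\\Program Files\\Updater\\updater.exe"},
}


def security_analysis_model(item, value):
    allowed = SAFE_VALUES.get(item)
    return "safe" if allowed is not None and value in allowed else "unsafe"


@dataclass
class Outcome:
    anomalies: dict = field(default_factory=dict)   # item -> (change value, threshold)
    warnings: list = field(default_factory=list)
    restored: dict = field(default_factory=dict)    # item -> native value written back


def security_prewarn(native_db, thresholds, collector):
    """One pass of the method.  `collector()` returns the current flattened item data."""
    out = Outcome()
    current = collector()
    for item, native in native_db.items():
        if item not in current or change_value(native, current[item]) <= thresholds[item]:
            continue
        # Claim 5: collect the item at least once more and re-judge before analysing,
        # so a transient read does not count as an anomaly.
        value = collector()[item]
        change = change_value(native, value)
        if change <= thresholds[item]:
            continue
        out.anomalies[item] = (change, thresholds[item])
        if security_analysis_model(item, value) == "unsafe":
            out.warnings.append(f"{item[0]}:{item[1]} changed to {value!r} (native {native!r})")
            out.restored[item] = native          # restore the native attribute data
    return out


# Constructed snapshots: state at first deployment and a later state.
NATIVE_STATE = {
    "config":   {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes", "fs.file-max": 100000},
    "registry": {"Run\\Updater": "C:\\Program Files\\Updater\\updater.exe"},
}
CURRENT_STATE = {
    "config":   {"ssh.PermitRootLogin": "yes",          # unsafe change: warn and restore
                 "ssh.PasswordAuthentication": "no",     # changed, but an allowed value: no warning
                 "fs.file-max": 105000},                 # 5% drift, within the threshold
    "registry": {"Run\\Updater": "C:\\Users\\Public\\svc.exe"},   # unsafe change
}


def run_demo():
    native_db = build_native_database(NATIVE_STATE)
    thresholds = threshold_rule_model(native_db)
    return security_prewarn(native_db, thresholds, lambda: collect(CURRENT_STATE))


if __name__ == "__main__":
    result = run_demo()
    print("anomalies:", result.anomalies)
    print("warnings:", *result.warnings, sep="\n  ")
    print("restored:", result.restored)
```

Note that an anomaly and an unsafe result are kept distinct: the PasswordAuthentication change exceeds its threshold and is recorded as abnormal, but the analysis model accepts the new value, so no warning is issued and nothing is restored for it.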
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in one or more pieces of software and/or hardware when implementing one or more embodiments of the present description.
The device of the foregoing embodiment is used for implementing the corresponding host system security pre-warning method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not repeated here.
Based on the same inventive concept, corresponding to the method of any embodiment, one or more embodiments of the present disclosure further provide an electronic device, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the host system security pre-warning method of any embodiment when executing the program.
Fig. 4 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc., for executing related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage, dynamic storage, etc. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding host system security pre-warning method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not repeated here.
Based on the same inventive concept, corresponding to any of the above embodiments, one or more embodiments of the present disclosure further provide a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the host system security pre-warning method according to any of the above embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The storage medium of the foregoing embodiment stores computer instructions for causing the computer to execute the host system security pre-warning method according to any one of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; combinations of features of the above embodiments or in different embodiments are also possible within the spirit of the present disclosure, steps may be implemented in any order, and there are many other variations of the different aspects of one or more embodiments described above which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure one or more embodiments of the present description. Furthermore, the apparatus may be shown in block diagram form in order to avoid obscuring the one or more embodiments of the present description, and also in view of the fact that specifics with respect to implementation of such block diagram apparatus are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present disclosure is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the one or more embodiments of the disclosure, are therefore intended to be included within the scope of the disclosure.

Claims (8)

1. A host system security pre-warning method, comprising:
collecting attribute data of a plurality of items of a host system;
for the attribute data of each of the plurality of items, performing the following operations:
comparing the attribute data of the item with the native attribute data of the item in a pre-constructed native database to obtain a change value of the attribute data of the item; wherein, when the host system is installed and deployed for the first time, attribute data of a plurality of items of the host system are collected and the native database is constructed from them;
in response to determining that the change value of the attribute data of the item exceeds a preset attribute data change threshold of the item, taking the attribute data of the item as abnormal attribute data; wherein the native database is input into a pre-constructed threshold rule model to obtain the attribute data change threshold of each item in the native database;
performing security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, and issuing an early warning when the security analysis result indicates unsafe;
and, when the security analysis result indicates unsafe, restoring the abnormal attribute data to the attribute data of the corresponding item in the native database.
2. The method of claim 1, wherein collecting the attribute data of the plurality of items of the host system comprises at least one of:
acquiring the attribute data of the plurality of items from a system registry; and
acquiring the attribute data of the plurality of items from a system configuration file.
3. The method of claim 1, further comprising:
constructing a first sample set comprising a plurality of first samples, wherein each first sample comprises first sample data and first tag data; the first sample data comprises a training native database; and the first tag data comprises the attribute data change threshold of each item corresponding to the training native database;
and constructing and training the threshold rule model from the first sample set by a preset machine learning algorithm.
4. The method of claim 1, further comprising:
constructing a second sample set comprising a plurality of second samples, wherein each second sample comprises second sample data and second tag data; the second sample data comprises training abnormal attribute data; and the second tag data comprises the security analysis result corresponding to the training abnormal attribute data;
and constructing and training the security analysis model from the second sample set by a preset machine learning algorithm.
5. The method of claim 1, further comprising:
after the attribute data of the item is taken as abnormal attribute data, collecting the attribute data of the item at least once more, judging whether the collected attribute data is abnormal attribute data, and performing security analysis on the abnormal attribute data through the pre-constructed security analysis model to obtain the security analysis result.
6. A host system security early warning device, comprising:
a data acquisition module, configured to collect attribute data of a plurality of items of a host system;
a change comparison module, configured to compare the attribute data of the item with the native attribute data of the item in a pre-constructed native database so as to obtain a change value of the attribute data of the item, and further configured to collect attribute data of a plurality of items of the host system and construct the native database when the host system is installed and deployed for the first time;
an anomaly determination module, configured to, in response to determining that the change value of the attribute data of the item exceeds a preset attribute data change threshold of the item, take the attribute data of the item as abnormal attribute data, and further configured to input the native database into a pre-constructed threshold rule model to obtain the attribute data change threshold of each item in the native database;
and a security analysis module, configured to perform security analysis on the abnormal attribute data through a pre-constructed security analysis model to obtain a security analysis result, to issue an early warning when the security analysis result indicates unsafe, and to restore the abnormal attribute data to the attribute data of the corresponding item in the native database when the security analysis result indicates unsafe.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when the program is executed by the processor.
8. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 5.
CN202011440751.7A 2020-12-07 2020-12-07 Host system security early warning method, device, equipment and storage medium Active CN112580022B (en)

Publications (2)

Publication Number Publication Date
CN112580022A CN112580022A (en) 2021-03-30
CN112580022B true CN112580022B (en) 2024-06-25

Family

ID=75132029

Country Status (1)

Country Link
CN (1) CN112580022B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211105

Address after: 100089 south building, block a, Dongxu International Center, Fanyang Road, Fengtai District, Beijing

Applicant after: Beijing Zhongdian Feihua Communication Co.,Ltd.

Address before: 100070 south building, block a, Dongxu International Center, Fanyang Road, Fengtai District, Beijing

Applicant before: Beijing Zhongdian Feihua Communication Co.,Ltd.

Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.

GR01 Patent grant