CN113312615A - Terminal detection and response system - Google Patents


Info

Publication number
CN113312615A
Authority
CN
China
Prior art keywords
file
event
attribute
filtering
strategy
Legal status
Granted
Application number
CN202110697932.6A
Other languages
Chinese (zh)
Other versions
CN113312615B (en)
Inventor
周国华
毕向阳
李海峰
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202110697932.6A
Published as CN113312615A; application granted and published as CN113312615B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The present disclosure relates to a terminal detection and response system comprising at least one detection point, a security object database and a filtering engine. The detection point captures an event, constructs an event context for the event and sends the event context to the filtering engine. The security object database stores the information of key objects. The filtering engine maintains the policy set, filters the event context transmitted from the detection point according to the policy set and returns a filtering result; while making its filtering decision on the event context, the filtering engine queries the security object database to obtain the information of the objects related to the event. The detection point then executes the corresponding operation according to the filtering result. Detection and response are therefore carried out in real time on the terminal itself, improving detection efficiency and effectiveness.

Description

Terminal detection and response system
Technical Field
The disclosure relates to the technical field of information security, in particular to a terminal detection and response system.
Background
At present, malicious code remains the most significant threat to information systems, from the earliest viruses, worms and trojan horses to APTs (Advanced Persistent Threats).
In the related art, the means of defending against malicious code is usually antivirus software or active defense software. Antivirus software works by detecting signatures (feature codes) contained in the malicious code, so its effectiveness is tied to its virus library, which is updated as new malicious code is found. Newly created malicious code therefore cannot be stopped during the update window of the virus library; for deeply hidden malicious code in particular, by the time a large-scale outbreak occurs the library upgrade comes too late, an APT cannot be responded to, the various obfuscation and evasion techniques used by an attacker can bypass the defense, and the ever-growing virus library itself degrades detection efficiency. Active defense software targets the techniques malicious code may use: it monitors access to specific resources while code runs and, when a risky operation is captured, either prompts the user to decide whether to block it or blocks it directly. However, when a risky operation occurs it is not actually determined whether the behavior is malicious. If the decision is left to the user, it depends on the user's expertise; if the operation is blocked directly, misjudgment is easy, and the common evasion techniques of an APT cannot be handled, for example completing a malicious operation by means of whitelisted system tools so that detection is bypassed.
Disclosure of Invention
To solve the above technical problem or to at least partially solve the above technical problem, the present disclosure provides a terminal detection and response system.
The present disclosure provides a terminal detection and response system, which is characterized by comprising:
at least one detection point, a security object database and a filtering engine, wherein the detection point is used for capturing an event and constructing an event context of the event to be sent to the filtering engine;
the security object database is used for storing the information of key objects;
the filtering engine is used for maintaining a policy set, filtering the event context transmitted from the detection point according to the policy set and returning a filtering result; when the filtering engine makes its filtering decision on the event context, it queries the security object database to obtain the information of the objects related to the event;
and the detection point is further used for executing the corresponding operation according to the filtering result.
In an optional embodiment of the present disclosure, the filtering engine centrally manages all policy sets required by the terminal detection and response system;
the filtering engine provides a single event filtering entry for all detection points.
In an optional embodiment of the present disclosure, the event context includes, but is not limited to, one or more of an event identifier, event parameters, a subject, an object, a transformed object, and a digest of the event.
In an optional embodiment of the present disclosure, the format definition of each policy in the policy set contains, in addition to a policy identifier and a policy priority:
an event type set, used for judging whether the event context matches the policy;
a trigger decision expression, used for judging whether the event matches the policy;
N rules, where N is a natural number, each rule consisting of a rule decision expression and a rule handling expression and configured so that the processing described by the rule handling expression is executed when the event satisfies the rule decision expression; during its evaluation a decision expression may use every related object and object attribute in the event context;
and optionally a default handling expression, used for the processing performed when no rule is hit.
In an optional embodiment of the present disclosure, a handling expression may contain multiple handling methods, including but not limited to: a handling identifier that returns a filtering result code (or another code specified by a parameter), a handling identifier that calls a global procedure, and a handling identifier that calls an object-related method.
In an optional embodiment of the present disclosure, the filtering engine filters the event context incoming from the detection point in the following steps:
according to the event type in the event context and the priority of each policy, select from the policy set the policies that match the event context;
traverse the matching policies in order; for each policy, first evaluate the policy's trigger expression with the event context as parameter, and when the result is true, match the policy's access control rules in order;
traverse the access control rules in the policy; for each access control rule, evaluate the rule's decision expression with the event context as parameter; if the result is false, continue with the next rule; if the result is true, run the handling method specified by the rule handling expression and return a filtering result;
if no access control rule is hit, execute the handling method specified by the policy's default handling expression and return a filtering result;
and when the filtering result returned by a policy is not the continuation mark, finish policy matching and return that filtering result to the detection point.
In an optional embodiment of the disclosure, the attributes of a key object stored in the security object database include:
a unique object identifier for each object, used for retrieving the object from the database;
a source attribute for each object, specifying the creator of the object;
and a behavior matrix attribute associated with each object, used for storing the behavior information of all objects with the same source.
In an optional embodiment of the present disclosure, the detection point is a file system filter that captures every file system call; when the event is an operation that creates a file in the file system and writes to it, the source recording step includes:
the file system filter constructs a file context when a new file is created and associates the file context with the file object allocated by the file system;
when the new file is closed, the file system filter obtains the file context from the file object of the file system and determines the source file of the new file, reads the extended attributes of the source file and extracts its object identifier and/or behavior matrix attribute, stores the source file in the security object database if it is not already there, sets the returned object identifier as the source attribute of the file context, sets the behavior matrix attribute of the file context, and finally writes the source attribute and the behavior matrix attribute of the file context into the extended attributes of the file object in the file system.
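The source recording step above, as an added example that is not code from the patent: a simulation of what the file system filter does when a newly created file is closed. Extended attributes are modelled as a dict on each file object rather than real filesystem xattrs, and the attribute names, the object identifier scheme and the sample paths are assumptions made for this illustration.

```python
# Added example, not the patent's code. Models the source-record step on file close:
# the new file inherits the source object id and the behavior matrix of the file
# that created it, and both are persisted in the new file's extended attributes.
import hashlib
from dataclasses import dataclass, field

XATTR_ID = "user.edr.object_id"           # assumed extended attribute names
XATTR_SOURCE = "user.edr.source"
XATTR_MATRIX = "user.edr.behavior_matrix"


@dataclass
class FileObject:
    """The file object handed out by the file system, with its extended attributes."""
    path: str
    xattr: dict = field(default_factory=dict)


class SecurityObjectDB:
    """Minimal SODB: file records keyed by path, each with source and behavior matrix."""

    def __init__(self):
        self.by_path = {}

    def get(self, path):
        return self.by_path.get(path)

    def insert_file(self, path, source=None, matrix=None):
        oid = "obj-" + hashlib.sha256(path.encode("utf-8")).hexdigest()[:8]
        if matrix is None:
            matrix = "bm-" + oid[4:]     # a root object gets a fresh behavior matrix
        rec = {"id": oid, "path": path, "source": source, "matrix": matrix}
        self.by_path[path] = rec
        return rec


def on_new_file_closed(sodb, new_file, source_file):
    """new_file was created and written by a process whose subject file is
    source_file. Returns the file context written for new_file."""
    # 1. Read the source file's extended attributes (absent for a root file).
    matrix = source_file.xattr.get(XATTR_MATRIX)
    # 2. Make sure the source file itself is in the SODB, keeping the source and
    #    matrix its own extended attributes recorded.
    rec = sodb.get(source_file.path)
    if rec is None:
        rec = sodb.insert_file(source_file.path,
                               source=source_file.xattr.get(XATTR_SOURCE),
                               matrix=matrix)
        source_file.xattr[XATTR_ID] = rec["id"]
        source_file.xattr[XATTR_MATRIX] = rec["matrix"]
    # 3. Fill the file context: source = the source file's id, matrix shared with it.
    ctx = {"source": rec["id"], "matrix": rec["matrix"]}
    new_rec = sodb.insert_file(new_file.path, source=ctx["source"], matrix=ctx["matrix"])
    # 4. Persist the context in the new file's extended attributes so the lineage
    #    survives the in-memory file object being freed.
    new_file.xattr[XATTR_ID] = new_rec["id"]
    new_file.xattr[XATTR_SOURCE] = ctx["source"]
    new_file.xattr[XATTR_MATRIX] = ctx["matrix"]
    return ctx


def lineage(sodb, path):
    """Walk the source chain of a file back to its root, returning the paths."""
    by_id = {rec["id"]: rec for rec in sodb.by_path.values()}
    chain, rec = [], sodb.get(path)
    while rec is not None and rec["source"] is not None:
        rec = by_id.get(rec["source"])
        if rec is not None:
            chain.append(rec["path"])
    return chain


def demo():
    """Constructed scenario: a downloader drops a second stage, which drops a DLL."""
    sodb = SecurityObjectDB()
    downloader = FileObject(r"C:\Users\a\Downloads\downloader.exe")
    dropper = FileObject(r"C:\Users\a\AppData\Local\Temp\dropper.exe")
    payload = FileObject(r"C:\ProgramData\svc\payload.dll")
    explorer = FileObject(r"C:\Windows\explorer.exe")
    notes = FileObject(r"C:\Users\a\Documents\notes.txt")
    on_new_file_closed(sodb, dropper, downloader)   # downloader.exe writes dropper.exe
    on_new_file_closed(sodb, payload, dropper)      # dropper.exe writes payload.dll
    on_new_file_closed(sodb, notes, explorer)       # unrelated: explorer.exe saves a file
    return sodb, payload, notes
```

The point to notice is that the behavior matrix propagates through the whole drop chain: payload.dll ends up sharing the matrix created for downloader.exe, so behaviors of any stage accumulate on one risk record, while the file saved by explorer.exe gets its own. On a real system these attributes are only trustworthy if the kernel filter is the sole writer and rejects user-mode attempts to clear or forge them, and a copy to a filesystem without extended attribute support loses the lineage; both are caveats of the approach rather than statements from the patent.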
In an optional embodiment of the disclosure, the at least one detection point comprises a process manager;
the process manager maintains all live process objects in the system together with their parent process objects, and builds a structure for each process object which, in addition to the process identifier, process name, command line and session, contains a process mark, the executable file object associated with the process, the user account object associated with the process, the subject file object associated with the process, and the process module list;
the process manager also performs subject identification: while a process executes it sets the process mark and the subject file according to the situation, and during event filtering, when the subject of the event is a process, it supplies the process mark and the subject file for evaluation of the decision expressions;
and the process manager acts as a detection point: when a process creation or dynamic library loading operation occurs it constructs the event context, calls the filtering engine, and carries out the corresponding processing according to the filtering result.
In an optional embodiment of the present disclosure, the process manager maintains the process objects;
when a process is started, the process manager looks up the corresponding executable file object in the security object database by the executable file path of the process and, if it does not exist, inserts a new executable file object into the security object database;
while establishing the new executable file object, the process manager assigns the inherent attributes and the conventional attributes of the acquired object to the corresponding attributes of the new executable file object;
and while establishing the new executable file object, the process manager also calls a classifier to obtain the code signature and the classification identifier of the executable file and assigns them to the corresponding attributes of the new executable file object.
In an optional embodiment of the present disclosure, the process manager maintains the process objects;
when a process loads a dynamic link library, the process manager looks up the corresponding executable file object in the security object database by the file path of the dynamic library and, if it does not exist, inserts a new executable file object into the security object database; while establishing the new executable file object it assigns the inherent attributes and the conventional attributes of the acquired object to the corresponding attributes of the new object, and calls the classifier to obtain the code signature and the classification identifier of the executable file and assigns them to the corresponding attributes of the new object;
the process manager also determines, according to the classification mark of the executable file object of the dynamic link library, whether the process that loaded it is still credible and updates the process mark; it constructs a module list item comprising the executable file, the base address and the size, and inserts it into the module list of the process.
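The process manager behaviour of the two embodiments above, as an added example that is not code from the patent: a simulated process manager that builds the process structure, classifies executables on process start and on DLL load, and re-evaluates the process mark when a module is loaded. The classifier, its labels, the trusted-signer list, the rule for switching the subject file and the sample processes are assumptions made for this illustration.

```python
# Added example, not the patent's code. Simulates the process manager as a
# detection point that tracks live processes and downgrades a process mark
# when it loads an executable object the classifier does not trust.
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_SIGNERS = {"Microsoft Windows", "Example Vendor Inc."}   # assumed


def classify(signer: Optional[str]):
    """Stand-in for the classifier: returns (code signature, classification id)."""
    if signer in TRUSTED_SIGNERS:
        return signer, "trusted"
    if signer:
        return signer, "signed-unknown"
    return None, "unsigned"


@dataclass
class ExecutableObject:
    path: str
    code_signature: Optional[str]
    classification: str


@dataclass
class ModuleItem:
    executable: ExecutableObject
    base: int
    size: int


@dataclass
class ProcessObject:
    pid: int
    name: str
    cmdline: str
    session: int
    executable: ExecutableObject
    user: str
    parent: Optional["ProcessObject"]
    mark: str                       # "trusted" or "untrusted"
    subject_file: str               # file whose behavior matrix this process feeds
    modules: list = field(default_factory=list)


class ProcessManager:
    def __init__(self):
        self.sodb = {}        # executable path -> ExecutableObject (the SODB slice needed here)
        self.processes = {}   # pid -> live ProcessObject

    def _executable(self, path, signer):
        """Look up the executable object, inserting and classifying it on first sight."""
        obj = self.sodb.get(path)
        if obj is None:
            sig, cls = classify(signer)
            obj = ExecutableObject(path, sig, cls)
            self.sodb[path] = obj
        return obj

    def on_process_create(self, pid, path, cmdline, user, session, signer, ppid=None):
        exe = self._executable(path, signer)
        proc = ProcessObject(pid, path.rsplit("\\", 1)[-1], cmdline, session, exe, user,
                             self.processes.get(ppid),
                             "trusted" if exe.classification == "trusted" else "untrusted",
                             path)
        self.processes[pid] = proc
        return proc

    def on_image_load(self, pid, dll_path, base, size, signer):
        """DLL load: classify the module, extend the module list, and decide whether
        the process is still credible."""
        proc = self.processes[pid]
        module = self._executable(dll_path, signer)
        proc.modules.append(ModuleItem(module, base, size))
        if module.classification != "trusted" and proc.mark == "trusted":
            # Assumed rule: a trusted host that loads untrusted code is no longer
            # credible, and the untrusted module becomes the subject file so that
            # later behaviors are charged to it rather than to the whitelisted host.
            proc.mark = "untrusted"
            proc.subject_file = dll_path
        return proc

    def on_process_exit(self, pid):
        self.processes.pop(pid, None)


def demo():
    """Constructed scenario: rundll32.exe (signed) is used to run an unsigned DLL."""
    pm = ProcessManager()
    pm.on_process_create(4, r"C:\Windows\System32\services.exe", "services.exe",
                         "SYSTEM", 0, "Microsoft Windows")
    host = pm.on_process_create(1337, r"C:\Windows\System32\rundll32.exe",
                                r"rundll32.exe C:\Users\a\AppData\Roaming\upd.dll,Run",
                                "a", 1, "Microsoft Windows", ppid=4)
    pm.on_image_load(1337, r"C:\Windows\System32\kernel32.dll", 0x7FF800000000, 0xC0000,
                     "Microsoft Windows")
    pm.on_image_load(1337, r"C:\Users\a\AppData\Roaming\upd.dll", 0x10000000, 0x30000, None)
    return pm, host
```

This is the case the Background raises: a whitelisted system tool is only trusted until it loads something the classifier cannot vouch for, at which point the mark and the subject file change and every later event from that process is judged as coming from the untrusted module.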
In an optional embodiment of the present disclosure, the policy is a behavior detection policy and the handling method updates the behavior matrix associated with the subject of the event;
when updating the behavior matrix associated with the subject according to the behavior detection policy, the filtering engine calls the process manager to extract the subject file associated with the subject process, obtains a pointer to the behavior matrix structure associated with that subject file in the security object database, and updates the hit set of the matrix with the behavior identifier specified by the handling method's parameter;
if the hit set already contains the incoming behavior identifier, return; otherwise add the incoming behavior identifier to the hit set of the behavior matrix, calculate the risk value of the behavior matrix and evaluate its risk level.
In an optional embodiment of the present disclosure, the detection point is a user layer detection point, and further:
the user layer detection point captures the operations of the user layer on security objects, encapsulates each event into binary data, and dispatches the binary data to the filtering engine through the input/output interface for filtering.
In an optional embodiment of the present disclosure, the objects referenced in the event context, in the policy decision expressions and in the handling expressions, and the objects stored in the security object database, are all described by a unified schema, which specifically includes:
a class schema that defines the composition of every object class, including but not limited to the identifier of the class, the name of the class, the storage modes of objects of the class and the attribute set specific to the class;
an attribute schema that defines every attribute referenced by the class schemas, including but not limited to the identifier of the attribute, the name of the attribute, the data type of the attribute and the storage mode of the attribute;
a method schema that defines every available handling method, including but not limited to the name of the method, the conditions under which it applies, the number of its parameters, and the name and data type of each parameter;
and an event schema that defines every filterable event, including but not limited to the identifier of the event, the type of the event, the number of its parameters, and the name and data type of each parameter.
Compared with the prior art, the technical solution provided by the embodiments of the disclosure has the following advantages:
the detection point captures an event, constructs its event context and sends it to the filtering engine; the security object database stores the information of key objects; the filtering engine maintains the policy set, filters the event context transmitted from the detection point according to the policy set and returns a filtering result, querying the security object database for the information of the objects related to the event while making its filtering decision; and the detection point executes the corresponding operation according to the filtering result. Detection and response are therefore carried out in real time on the terminal itself, improving detection efficiency and effectiveness.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic structural diagram of a terminal detection and response system according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of another terminal detection and response system according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Currently, known malicious behaviors are classified according to the stage or purpose of an attack, and Endpoint Detection and Response (EDR) products have appeared accordingly. EDR no longer uses a single behavior as the basis for blocking; it continuously detects various security events while the endpoint runs, confirms through analysis that an attack is taking place, and then performs the related response (handling). A major goal of EDR is to shorten the time it takes to discover an APT.
EDR therefore focuses on behavior analysis, and an EDR implementation is generally split into a front end and a back end: events are collected on the front end (the terminal) and sent to the back end (a server or the cloud), which analyzes the terminal's events by means of big data processing, machine learning and the like and, once a conclusion is reached, sends a response back to the terminal. Detection and response are thus delayed, and the granularity of event collection is hard to control: if the granularity is too fine (detailed information), network and computing overhead is high; if it is too coarse (brief messages), the original data is distorted; and the centralized, compute-intensive analysis is itself costly.
In view of the above problems, the present application provides a terminal detection and response system, including: a detection point used for capturing an event and constructing an event context of the event to be sent to the filtering engine; and a filtering engine used for determining a policy linked list according to the type of the event, filtering the event context according to each policy in the policy linked list, generating a filtering result and sending it to the detection point; the detection point is further used for executing the corresponding operation according to the filtering result.
Malicious code is thus stopped without depending on feature codes (signatures), an APT can be discovered as early as possible, a timely response (blocking the attack behavior and recovering the system) becomes possible, and the terminal can detect and respond in real time, improving detection efficiency and effectiveness.
In the embodiments of the present disclosure, the objects described are mainly the security-related objects defined by the system. The objects are classified, and the system mainly uses the following object classes: processes, directories, files, executables, user accounts, services, tasks, registry keys and values (on Windows systems), devices, sockets, network packets, and so on.
Each object contains a number of inherent attributes and a number of class-specific attributes defined by the class schema; each attribute is characterized by the attribute schema.
To support tracing of objects, the system additionally defines the following fixed attributes of an object. Source: the source file of the object, which should be a file object stored in the security object database (SODB). Behavior matrix: points to a behavior matrix stored in the SODB; objects from the same source share one behavior matrix.
In different scenarios objects can be stored in different forms; the storage types are divided into the following three. Stored object: the object is stored in the SODB and may be passed by object identifier or pointer; the class schema of the system is consistent with that of the SODB. Live object: the structure of the data beyond the header is determined by the constructor (usually a kernel layer detection point module), and the object can be passed by a data pointer; its header structure contains the type declaration of the object and the interface functions that maintain the object lifetime and access the object attributes. Packed object: the storage type used for exchanging objects between the user layer and the kernel layer; all the information of the object is packed into a buffer of binary data according to the class schema.
The data header of objects of all three storage types has a fixed position that identifies the class of the object and its storage type. With this arrangement the system provides object attribute access functions that work through an object pointer without distinguishing the storage type, which simplifies object access and storage type conversion.
Fig. 1 is a schematic structural diagram of a terminal detection and response system according to an embodiment of the present disclosure.
As shown in Fig. 1, the system includes: detection point 100, security object database 200, and filtering engine 300.
At least one detection point 100 is used for capturing an event and constructing an event context of the event to send to the filtering engine 300.
The security object database 200 is used for storing the information of key objects.
The filtering engine 300 is configured to maintain a policy set, filter the event context transmitted from the detection point 100 according to the policy set, and return a filtering result; when making its filtering decision on the event context, the filtering engine queries the security object database to obtain the information of the objects related to the event.
The detection point 100 is further configured to execute the corresponding operation according to the filtering result.
In the disclosed embodiment, the detection point 100 may be one or more, and may include, but is not limited to, one or more of a user-level detection point 101, a file system filter 102, a process manager 103, and a kernel-level detection point 104 as shown in fig. 1.
In the disclosed embodiment, the event context includes, but is not limited to, one or more of an event identifier, event parameters, a subject, an object, a transformed object, and a digest of the event.
Specifically, the event context is allocated and constructed by the detection point 100 with the following structure members. Event identifier: defined by the event schema. Event parameters: an event may have multiple parameters, described by the event schema. Subject: the object that initiates the action; the most common subject type is the process. Object: the object affected by the action. Transformed object (optional): a second object describing the new object produced after the object is changed by the action, or a second object affected by the action at the same time as the object. Event digest (optional): for actions that may occur repeatedly, the detection point module may extract some features of the above elements of the event and calculate a digest value, so that the filtering engine 300 can apply a caching mechanism and directly return the previous filtering result, improving efficiency.
Specifically, in a kernel layer detection point, the subject, object and transformed object in the event context are pointers.
In an embodiment of the present disclosure, when the detection point 100 is the user layer detection point 101, it is used for capturing the operations of the user layer on security objects, encapsulating each event into binary data, and dispatching the binary data to the filtering engine 300 through the input/output interface for filtering.
Specifically, modules running in user mode are responsible for capturing the operations of the user layer on security objects, encapsulating the events into binary data, and dispatching the binary data to the filtering engine 300 through the input/output interface for filtering. The user layer detection point can be implemented in various ways, for example: RPC service hooks, process hooks, or plug-ins to applications.
In the user layer detection point, the subject, object and transformed object must be packed; the specific packing rules include: when a process is the subject, the object is indicated by its process identifier; for objects already present in the security object database, the object is indicated by its object identifier.
It should be noted that the binary data encapsulates the object information (i.e. it is a packed object), and the model of the event is consistent with the definition of the access control model (subject, action, object).
In the embodiment of the present disclosure, the filtering engine 300, which centrally manages all required policy sets of the terminal detection and response system, provides a unique event filtering entry for all detection points.
In the embodiment of the present disclosure, for the format definition of each policy in the policy set, except for including a policy identifier and a policy priority, each policy includes an event type set, which is used to determine whether an event context matches each policy; each strategy comprises a trigger judgment expression used for judging whether the event is matched with each strategy or not; each policy may include a plurality of rules, each rule including a rule decision expression and a rule handling expression, for executing processing described by the rule handling expression when an event satisfies the rule decision expression; each policy may contain a default handling expression for performing processing without a hit rule; predicate expressions all objects and object attributes associated in an event context are used in the operation process.
In embodiments of the present disclosure, one handling expression may contain multiple handling methods including, but not limited to, a handling identification of return filter result code or other code specified by a parameter, a call handling identification of a global procedure, an object-related method call identification. Among them, the handling of the returned filtering result code is identified such as "continue", "block", "release", or other code specified by the parameter, the call handling of the global procedure, the parameter (e.g. setting the behavior matrix associated with the subject file) object-related method call can be transmitted, and the parameter can be transmitted.
In an embodiment of the present disclosure, the filtering engine performs filtering processing on the event context transmitted by the detection point, including the following steps: according to the event type in the event context and the priority of the strategy, screening out a strategy set matched with the event context from the strategy set; sequentially traversing the strategy set matched with the event context, for each strategy, firstly taking the event context as a parameter, calculating a trigger expression of the strategy, and when the result is true, sequentially matching the access control rules of the strategy; traversing the access control rules in the strategy, calculating a judgment expression of the rules by taking the event context as a parameter for each access control rule, if the result is false, continuously traversing the next rule, if the result is true, operating a handling method specified by the rule handling expression, and returning a filtering result; if the access control rule is not hit, executing a processing method specified in the strategy default processing expression, and returning a filtering result; and when the filtering result returned by one strategy is not the continuation mark, finishing strategy matching and returning the filtering result to the detection point.
Specifically, the filtering engine 300 is the core component of the terminal detection and response system. It integrates policy management and event filtering, so that a unified filtering entry can process the events incoming from every detection point 100. A filtering policy adopts a formal description, and the rules in a policy are organized mainly in a "decision-handling" form: the decision is an expression in which all elements related to the event can participate, including the attributes of the subject and the object, the action parameters, and the global variable objects at the time the event occurs; the handling is also an expression, describing one or more handling actions to be performed when the decision result is true, and besides simple blocking or releasing, a handling may execute a method.
The filtering strategies are divided into two types by application. Behavior detection strategy: its purpose is that, when the specified event occurs and the judgment expression is hit, the behavior matrix of the subject object is immediately updated and, at the same time, a risk evaluation is performed on the subject object. Access control strategy: its purpose is to determine the handling of an action according to the risk assessment status of the subject when an important resource access event occurs (e.g., writing to a file, connecting to a network).
In the filtering engine 300, a plurality of policy linked lists are maintained according to the classification of events (or, equivalently, of subjects: process, file, service, etc.), and in each policy linked list the policies are sorted by priority, with higher-priority policies matched first. Each policy has a read-write lock to ensure policy data consistency when policy updates and event handling run concurrently. Each policy item in a policy linked list has the following structural members: the identifier of the policy; a persistence flag, which determines whether the policy remains in effect after the computer is restarted; the priority of the policy, which determines its position in the policy linked list; an event type set, indicating the event types to be filtered by the policy; a trigger judgment expression, for judging whether the event hits the policy; and a number of access control rules, each consisting of two parts: a judgment expression, for judging whether the event hits the rule, and a handling expression.
The handling expression indicates the handling to be executed after the event hits the rule. A default handling expression specifies the handling to be performed when no access control rule is hit.
Specifically, an event is captured by the detection point 100, which constructs an event context including the subject, the action parameters, the object and the transformation object; the detection point 100 passes the event context to the filtering engine 300; the filtering engine 300 selects a policy linked list according to the type of the event; the filtering engine 300 traverses each policy in the policy linked list, applying the policies one by one to filter the event until an explicit interrupt-processing indication (blocking or passing) is obtained. For each policy the flow is as follows: a) judging whether the type of the event matches the policy, and if not, ignoring the policy and continuing to traverse; b) calculating the trigger expression of the policy with the event context as the parameter, and if the result is false, ignoring the policy and continuing to traverse; c) traversing the access control rules of the policy, calculating for each rule its judgment expression with the event context as the parameter; if the result is false, continuing to the next rule; if the result is true (the rule is hit), running the handling method specified by the rule, and if the method returns an explicit interrupt-processing instruction, exiting the policy matching process; d) if no access control rule is hit, executing the policy's default handling method, and if the method returns an explicit interrupt-processing instruction, exiting the policy matching process.
Further, the filtering engine 300 returns the filtering result; the detection point 100 decides, according to the filtering result, whether to block or release the operation or perform other processing, and then releases the event context, including the objects allocated in the process.
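The policy traversal described above, modelled in Python as an added example (not code from the patent): trigger, judgment and handling expressions are callables, per-event-type lists sorted by priority stand in for the policy linked lists, and the behavior matrix of the subject file is simplified to a set of hit behavior identifiers. The event types, attribute names, behavior identifier and startup folder path are constructed for the illustration.

```python
"""Model of the policy traversal described above (added example, not the patent's
code). Trigger, judgment and handling expressions are Python callables; a list per
event type, sorted by priority, stands in for each policy linked list."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

CONTINUE, BLOCK, RELEASE = "continue", "block", "release"   # filtering result codes

@dataclass
class EventContext:
    event_type: str                 # e.g. "file_write", "net_connect"
    subject: dict                   # subject process (with its subject file)
    obj: dict                       # object of the action (file path, address)
    params: dict = field(default_factory=dict)   # action parameters

@dataclass
class Rule:
    decision: Callable[[EventContext], bool]    # judgment expression
    handling: Callable[[EventContext], str]     # handling expression

@dataclass
class Policy:
    name: str
    priority: int                   # higher priority is matched first
    event_types: Set[str]           # event type set filtered by this policy
    trigger: Callable[[EventContext], bool]     # trigger judgment expression
    rules: List[Rule]
    default_handling: Callable[[EventContext], str] = lambda ctx: CONTINUE

class FilteringEngine:
    def __init__(self) -> None:
        self._lists: Dict[str, List[Policy]] = {}

    def add_policy(self, policy: Policy) -> None:
        for event_type in policy.event_types:
            policy_list = self._lists.setdefault(event_type, [])
            policy_list.append(policy)
            policy_list.sort(key=lambda p: -p.priority)

    def filter(self, ctx: EventContext) -> str:
        """Apply matching policies in priority order until one returns a result
        other than the continuation mark."""
        for policy in self._lists.get(ctx.event_type, []):
            if not policy.trigger(ctx):
                continue                      # not triggered: ignore this policy
            result = self._apply(policy, ctx)
            if result != CONTINUE:
                return result                 # explicit interrupt (block/release)
        return CONTINUE

    @staticmethod
    def _apply(policy: Policy, ctx: EventContext) -> str:
        for rule in policy.rules:
            if rule.decision(ctx):
                return rule.handling(ctx)     # assumed: a hit rule ends this policy
        return policy.default_handling(ctx)   # no rule hit: default handling

def build_engine() -> FilteringEngine:
    engine = FilteringEngine()

    def record_startup_write(ctx: EventContext) -> str:
        # Behavior detection handling: record the behavior on the subject file's
        # behavior matrix (simplified here to a set of hit ids) and continue.
        ctx.subject["subject_file"]["hit_set"].add("startup_folder_write")
        return CONTINUE

    engine.add_policy(Policy(
        name="detect-startup-folder-write", priority=10, event_types={"file_write"},
        trigger=lambda c: not c.subject["trusted"],
        rules=[Rule(lambda c: "\\startup\\" in c.obj["path"].lower(),
                    record_startup_write)]))
    engine.add_policy(Policy(
        name="restrict-network-of-risky-subjects", priority=5,
        event_types={"net_connect"},
        trigger=lambda c: not c.subject["trusted"],
        rules=[Rule(lambda c: "startup_folder_write" in c.subject["subject_file"]["hit_set"],
                    lambda c: BLOCK)],
        default_handling=lambda c: RELEASE))
    return engine

def run_scenario() -> List[str]:
    """Constructed events: two processes share one subject file, so a behavior
    recorded for one process changes the access control decision for the other."""
    engine = build_engine()
    shared_file = {"path": "C:\\Users\\u\\Downloads\\setup.exe", "hit_set": set()}
    proc_a = {"name": "setup.exe", "trusted": False, "subject_file": shared_file}
    proc_b = {"name": "helper.exe", "trusted": False, "subject_file": shared_file}
    startup = ("C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
               "\\Programs\\Startup\\run.lnk")
    events = [
        EventContext("net_connect", proc_a, {"address": "203.0.113.5:443"}),
        EventContext("file_write", proc_a, {"path": startup}),
        EventContext("net_connect", proc_a, {"address": "203.0.113.5:443"}),
        EventContext("net_connect", proc_b, {"address": "203.0.113.5:443"}),
    ]
    return [engine.filter(ctx) for ctx in events]   # → release, continue, block, block
```

The first connection is released by the default handling; after the startup folder write is recorded on the shared subject file, both processes are blocked, which is the "same source shares one behavior matrix" property the text relies on.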
In an embodiment of the present disclosure, storing the attributes of key objects in the security object database includes: each object has a unique object identifier, used to retrieve the object from the database; each object contains a source attribute, used to specify the creator of the object; and each object is associated with a behavior matrix attribute, used to store the behavior information of all objects from the same source.
Specifically, a secure object database 200 (SODB) is responsible for storing information on security-related objects in the operating system. The secure object database 200 is an object-oriented kernel-layer database in which all data is in memory at runtime, and in the present system its main functions are: a) storing objects that have undergone complex analysis, so that object properties can be accessed quickly during filtering. For example, the classification attributes of an executable file are derived by the classifier module through complex calculations; an executable file may be loaded frequently, and its classification cannot be recalculated on every load, so its information is stored in the secure object database 200 and can be accessed quickly when needed. b) Storing the source information of objects, which is an important basis for behavior analysis and, for key objects, for removing the influence of malicious code, restoring the system and tracing the objects' sources. In the architectural definition of the secure object database 200, the source is a fixed attribute that every object class has. c) Recording behavior matrices: for a subject file (executable, script, package), its associated behavior matrix is maintained in the secure object database 200. Based on the mechanism of tracing the source of the subject file, all files from the same source share one behavior matrix stored in the secure object database 200. Therefore, even when an attacker spreads the attack actions over time and across several files, the attacker's behavior can still be evaluated as a whole.
In the embodiment of the present disclosure, the detecting point 100 is a file system filter 102, which captures any file system call, and when the event is an operation event of creating a file and writing a file in the file system, the source record processing step includes: the file system filter 102 is configured to construct a file context when a new file is created, associate the file context with a file object allocated by the file system, obtain the file context from the file object of the file system when the new file is closed to determine a source of the file, read an extended attribute of the source file, extract an object identifier and/or a behavior matrix attribute, store the incoming file in the secure object database 200 if the source file is not in the secure object database 200, set the returned object identifier to the source attribute of the file context, set the behavior matrix attribute in the file context, and write the source attribute and the behavior matrix attribute of the file context into the extended attribute of the file object of the file system.
Specifically, a file context is constructed when a new file is created and associated with the file object allocated by the file system; when the new file is closed, the file context is retrieved from the file system's file object and the source of the file is determined: if the file results from a copy operation by the user, the copied file is taken as the source file; otherwise, the subject file associated with the process is taken as the source file. The extended attributes of the source file are read, and the object identifier and behavior matrix attribute, if present, are extracted; if the source object is not in the Secure Object Database (SODB), it is registered in the SODB, and the returned object identifier is set as the source attribute of the file context; if the source file has a behavior matrix attribute, it is set in the new file context; and the source attribute and behavior matrix attribute of the file context are written into the extended attributes of the file system's file object.
Among them, the kernel-mode file system filter 102 driver is mainly responsible for capturing file creation and file write operations of the file system and, when these operations complete: a) determining the source of the file (tracing); b) classifying the file. The file system filter 102 acts as a detection point for the file system and interacts with the filtering engine 300.
Files are important security objects, and file source tracing is related to the accuracy of behavior analysis. The file system filter needs to process file operations frequently, and in most cases the file object is an active object maintained by the file filter. The structure of the file object includes the following members: complete path: the full path of the file (directory and file name); name: inherent property in the object architecture, part of the complete path; container: inherent property in the object architecture, part of the complete path; standard file system attributes, each an attribute of the file class definition: size, creation time, and modification time.
Among them, the members accessible through the file's Extended Attribute (EA) mainly include: file format: an attribute of the file class definition, consisting of two parts, classification and format; file identifier: if the file has a corresponding record in the SODB, its object identifier in the SODB; creator: inherent attribute in the object architecture, an object identifier in the SODB; source: inherent attribute in the object architecture, an object identifier in the SODB; behavior matrix: inherent attribute in the object architecture, an object identifier in the SODB; and several members for traceability analysis.
In one embodiment of the present disclosure, as shown in fig. 1, the terminal detection and response system further includes a process manager 103 as one of the at least one detection point 100.
In the embodiment of the present disclosure, the process manager 103 is configured to maintain all the alive process objects and their parent process objects in the system, and create a structure for each process object, where the structure includes, in addition to a process identifier, a process name, a command line, and a session, a flag of a process, an executable file object associated with the process, a user account object associated with the process, a main file object associated with the process, and a module list of the process; the process manager 103 is further configured to perform subject authentication, set a process flag and a subject file according to a situation during execution of the process, and acquire the process flag and the subject file to perform operation of a determination expression when a subject of the event is the process during event filtering processing; the process manager 103 is used as a detection point, and when the process creation and loading operation of the dynamic library occurs, an event context is constructed, a filtering engine is called, and corresponding processing is performed according to a filtering result.
The process manager 103 is further configured to, when the process is started, search for a corresponding executable file object in the secure object database 200 according to an executable file path of the process, if the corresponding executable file object does not exist, insert a new file object into the secure object database 200, insert a new executable file object into the secure object database 200, assign an inherent attribute and a conventional attribute of an acquired object to a corresponding attribute of the new executable file object by the process manager 103 in an establishment process of the new executable file object, and further invoke a classifier to acquire a code signature and a classification identifier of the executable file and assign the obtained code signature and classification identifier to the corresponding attribute of the new executable file object by the process manager 103 in the establishment process of the new executable file object.
Specifically, first, the file object is searched for in the security object database 200 according to the file path; if it does not exist, a new file object is inserted into the security object database 200, and then: a) the creator, source and behavior matrix of the file are read from the Extended Attribute (EA) of the file object, and if the query succeeds they are assigned respectively to the corresponding inherent attributes of the new file object; b) the file format is read from the EA of the file object, and if it does not exist, the classifier is called to analyze the file format, which is then set on the file format attribute of the file object. Next, a new executable file object is inserted into the security object database 200, and the following inherent attributes of the file object obtained in the previous step are assigned to the corresponding attributes of the executable file object: a) name; b) container; c) creator; d) source; e) behavior matrix. The base relationship between the file object and the executable file object is established: a) the object ID of the executable file is assigned to the descendant object attribute of the file object; b) the base class object of the executable file is set to the object ID of the file object. The following strings are extracted from the resource information of the executable file and set on the corresponding attributes of the executable file object: a) version; b) company; c) original file name. The classifier is called to obtain the code signer and classification identifier of the executable file, which are assigned to the corresponding attributes of the executable file object. On completion, an object pointer to the executable file is returned.
Among them, the functions of the process manager 103 include: a) maintaining the set of currently alive process objects; b) providing an interface to each detection point module for obtaining the process subject object of an event; c) capturing process-related events and sending them to the filtering engine for processing.
In the embodiment of the present disclosure, the process manager 103 is further configured to create a structure of a process, fill header information, construct basic information of the process, search an executable object in the secure object database through a complete path of the executable file, and insert a new executable object into the secure object database if the executable object is not found; the process manager 103 is further configured to perform subject authentication, set a process flag and a subject file, construct an event context, use a parent process as a subject and a new process as an object, invoke the filtering engine 300, release a process structure when a filtering result is blocking, block a process creation operation, and insert a process into a process linked list.
Specifically, a process structure is created, its header information is filled in, and the basic information of the process is constructed, including the parent process, the complete path of the executable file, the account, the session ID, and so on; the executable file object is searched for in the SODB by the complete path of the executable file, and if not found, it is inserted into the SODB; subject authentication is performed, and the process flags and subject file are set; the module list is initialized; an event context is constructed, and the filtering engine 300 is called with the parent process as the subject and the new process as the object; if the filtering result is blocking, the process structure is released, the process creation operation is blocked, and the procedure returns; otherwise the process is inserted into the process linked list.
The process is an important security object, and most events have a process as their subject. The process object in the system is an active object created and maintained by the process manager, and its structure mainly comprises the following members: complete path: the full path of the process's executable file; name: inherent property in the object architecture, part of the complete path; executable file object: a process class attribute, a pointer to an executable file object in the SODB; subject file: a process class attribute pointing to a file object in the SODB, used to record a subject file that is more accurate than the executable file of the process; behavior matrix: inherent attribute in the object architecture, pointing to the behavior matrix attribute of the process's subject file; classification identifier: a process class attribute pointing to the classification identifier of the executable file object; process flags: process class attributes marking properties of the process, including but not limited to whether it is trusted, whether it is a service process, and whether it has administrator authority; PID: a process class attribute, the process identifier assigned by the system; module list: information on the loaded images.
The executable file is an important security object, and the process is started and run depending on the executable file. The system refers to executable files related to an operating system in particular and does not comprise scripts.
In the object system of the present system, the executable file inherits from the file object and exists only in the SODB; every executable file is looked up in the SODB when it is loaded, and if not found it must be created before it can be used. Besides the inherent properties, the executable file object mainly comprises the following attributes: classification identifier: the set of classification labels obtained after classification by the classifier, a 64-bit integer in which each bit represents a classification identifier. Code signer: the publisher of the file, which can be identified by the classifier's classification. Version: extracted from the file's resources. Company name: extracted from the file's resources. Product name: extracted from the file's resources. Original file name: extracted from the file's resources.
In an embodiment of the present disclosure, the process manager 103 is further configured to, when the process loads the dynamic link library, search for a corresponding executable file object in the secure object database according to an executable file path of the dynamic library, and if the executable file object does not exist, insert a new executable file object into the secure object database 200; the process manager 103 assigns the inherent attribute and the conventional attribute of the acquired object to the corresponding attribute of the new executable file object in the establishing process of the new executable file object, the process manager 103 also calls a classifier to acquire a code signature and a classification identifier of the executable file in the establishing process of the new executable file object and assigns the code signature and the classification identifier to the corresponding attribute of the new executable file object, and the process manager 103 is further configured to determine whether the process loaded with the dynamic link library is trusted or not according to the classification label of the executable file object of the dynamic link library and update the process label; and constructing a module list item which comprises an executable file, a base address and a size, and inserting the module list item into a module list of the process.
Specifically, the current process object is obtained; if the path of the dynamic link library is incomplete, it is completed into a full path; the executable file object is searched for in the SODB by the complete path of the dynamic link library, and if not found, a new executable file object is created in the SODB; according to the classification identifier of the executable file object, it is determined whether the process is still trusted after loading the library, and the process flags are updated; a module list entry containing the executable file, base address and size is constructed and inserted into the module list of the process.
In one embodiment of the present disclosure, detection point 100 is a kernel-layer detection point 104; the kernel layer detection points 104 include registry detection points and network filter detection points.
Specifically, the registry detection point as the kernel layer detection point 104 is a module working in the kernel layer, and filters registry keys and value operations of the Windows system by taking a process as a main body and registry keys and registry values as objects.
Specifically, the network filtering detection point as the kernel layer detection point 104 is a kernel mode driver, and is mainly responsible for capturing network events at multiple hierarchical positions and sending the network events to the filtering engine for filtering, and mainly includes the following hierarchies: an application layer: the network event taking the process as a subject and the SOCKET information as an object comprises connection and data receiving and transmitting. A transmission layer: the network event with the network card device as a subject and the transport layer packet as an object includes actions such as sending and receiving, and information such as an IP address and a port is transmitted as action parameters. Network layer: the network event with the network card device as a subject and the IP data packet as an object comprises actions such as sending and receiving, and information such as IP address and protocol is transmitted as action parameters.
In one embodiment of the present disclosure, the filtering engine 300 is further configured to determine a policy as a behavior detection policy, and the handling method is to update a behavior matrix associated with an event subject; and the filtering engine 300 is used for calling the process manager 103 to extract the main body file associated with the main body process when the behavior matrix associated with the main body is updated according to the behavior detection strategy, then acquiring a pointer of the behavior matrix structure associated with the main body file in the security object database 200, updating a hit set of the matrix according to the behavior identifier specified by the disposal method parameter, returning if the hit set already contains the incoming behavior identifier, otherwise, adding the incoming behavior identifier to the hit set of the behavior matrix, and calculating a risk value of the behavior matrix and evaluating a risk level of the behavior matrix.
Specifically, after a rule of a behavior detection policy is hit, the handling executed is to update the behavior matrix associated with the subject file, and the incoming handling parameter is the behavior identifier. If the subject class of the event is not a process, return. Extract the subject file from the subject process object. Obtain the behavior matrix attribute of the subject file object, and return if it is not specified. Obtain a pointer to the behavior matrix structure from the SODB. If the hit set already contains the incoming behavior identifier, the behavior has been processed before, so return. Append the incoming behavior identifier to the hit set of the behavior matrix. Calculate the risk value of the behavior matrix: a) obtain the risk value of the behavior from the behavior matrix architecture, together with the tactics corresponding to the behavior; b) obtain, through the behavior matrix architecture, the maximum weight among the tactics corresponding to the behavior; c) multiply the risk value of the behavior by that tactic weight and accumulate the product into the risk value of the behavior matrix; d) merge the tactic mask of the behavior into the hit tactics of the behavior matrix ("or" operation). Assess the risk level of the behavior matrix: a) count the number of tactics contained in the hit tactics of the behavior matrix; b) add the tactic count to the risk value of the behavior matrix to obtain the evaluation value; c) compare the evaluation value one by one with each element of the risk assessment threshold array in the behavior matrix architecture, find the last array index whose threshold is exceeded, and set that array index as the risk level of the behavior matrix.
The behavior matrix architecture defines the parameters for behaviors and for evaluation, and comprises: an array of structures describing behaviors, each structure comprising the following members: behavior identifier: a 16-bit integer identifier used to refer to a behavior; tactic mask associated with the behavior: a 16-bit integer in which each bit represents a tactic, a behavior possibly being associated with multiple tactics; risk value of the behavior: an integer. An array of structures describing tactics, the index of the array being the tactic number, each structure comprising the following members: name of the tactic; weight of the tactic: an integer. And an integer array of risk assessment thresholds, specifying the values that the risk evaluation of the behavior matrix must exceed for the matrix to be judged at each risk level.
The behavior matrix is a data structure defined by the system and comprises: hit set: an array of identifiers of the hit behaviors (terminated by 0). Hit tactics: the tactics covered by all hit behaviors (the result of an "or" operation over each behavior's tactic mask). Risk value: the weighted sum of the risk value of each behavior and the weight of its corresponding tactic. Risk level: computed from the automatically calculated risk value together with the degree of tactic coverage, and graded by a number of thresholds defined by the architecture; for example, the grades can be: alert: risky operation, but not considered malicious, should continue to be observed; suspicious: the risk is greater and some of the subject's capabilities should be limited (e.g., disallowing network communication); confirmed malicious: confirmed to be malicious code, and all operations of the associated subject should be blocked. Manually set flags: flags specifiable by a user, including: trusted: a component of the present system; whitelisted: the file itself does not contain malicious code; blacklisted: confirmed to be malicious code.
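The behavior matrix update and risk evaluation of the three preceding paragraphs, worked through in Python as an added example (not code from the patent). The behavior definitions, tactic weights, thresholds and level names are constructed; a threshold of 0 for the "none" level makes the "last exceeded array index" rule from the text give a level for every non-empty matrix.

```python
"""Behavior matrix update and risk evaluation as described above (added example,
not the patent's code). The architecture values below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class BehaviorDef:
    behavior_id: int      # 16-bit behavior identifier
    tactic_mask: int      # 16-bit mask, one bit per tactic number
    risk: int             # risk value of the behavior

@dataclass(frozen=True)
class TacticDef:
    name: str
    weight: int

@dataclass(frozen=True)
class BehaviorMatrixArch:
    behaviors: Dict[int, BehaviorDef]
    tactics: Tuple[TacticDef, ...]     # index = tactic number
    thresholds: Tuple[int, ...]        # risk assessment thresholds, ascending
    level_names: Tuple[str, ...]       # one name per threshold index (constructed)

@dataclass
class BehaviorMatrix:
    hit_set: List[int] = field(default_factory=list)   # ids of hit behaviors
    hit_tactics: int = 0     # "or" of the tactic masks of all hit behaviors
    risk_value: int = 0
    risk_level: int = 0      # index into arch.thresholds / level_names

def max_tactic_weight(arch: BehaviorMatrixArch, mask: int) -> int:
    """Largest weight among the tactics set in a behavior's tactic mask."""
    return max(t.weight for i, t in enumerate(arch.tactics) if mask >> i & 1)

def evaluate_risk_level(arch: BehaviorMatrixArch, matrix: BehaviorMatrix) -> int:
    """Add tactic coverage to the risk value and take the last exceeded threshold."""
    tactic_count = bin(matrix.hit_tactics).count("1")
    evaluation = matrix.risk_value + tactic_count
    level = 0
    for index, threshold in enumerate(arch.thresholds):
        if evaluation > threshold:
            level = index
    return level

def update_behavior_matrix(arch: BehaviorMatrixArch, matrix: BehaviorMatrix,
                           behavior_id: int) -> bool:
    """Handling for a hit behavior detection rule. Returns False when the behavior
    was already recorded, so repeating the same behavior does not inflate risk."""
    if behavior_id in matrix.hit_set:
        return False
    behavior = arch.behaviors[behavior_id]
    matrix.hit_set.append(behavior_id)
    matrix.risk_value += behavior.risk * max_tactic_weight(arch, behavior.tactic_mask)
    matrix.hit_tactics |= behavior.tactic_mask
    matrix.risk_level = evaluate_risk_level(arch, matrix)
    return True

# Constructed architecture: tactic numbers 0..3, three behaviors, four levels.
SAMPLE_ARCH = BehaviorMatrixArch(
    behaviors={
        1: BehaviorDef(1, 0b0010, 3),   # startup/autorun write: persistence
        2: BehaviorDef(2, 0b0101, 4),   # writes into another process: execution + evasion
        3: BehaviorDef(3, 0b1000, 2),   # outbound connection from a script host: C2
    },
    tactics=(TacticDef("execution", 1), TacticDef("persistence", 2),
             TacticDef("defense-evasion", 2), TacticDef("command-and-control", 3)),
    thresholds=(0, 5, 12, 20),
    level_names=("none", "alert", "suspicious", "malicious"),
)

def run_scenario() -> List[Tuple[int, str]]:
    """Feed behaviors one by one (id 2 twice) and record risk after each update."""
    matrix = BehaviorMatrix()      # shared by all files from the same source
    trace = []
    for behavior_id in (1, 2, 2, 3):
        if update_behavior_matrix(SAMPLE_ARCH, matrix, behavior_id):
            trace.append((matrix.risk_value, SAMPLE_ARCH.level_names[matrix.risk_level]))
    return trace   # → [(6, 'alert'), (14, 'suspicious'), (20, 'malicious')]
```

The second occurrence of behavior 2 is ignored, while behavior 3 raises the level to "malicious" both through its weighted risk and through the extra tactic it adds to the coverage count.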
As an example of a scenario, as shown in fig. 2, the object-oriented, real-time detection and real-time response terminal detection and response system includes a kernel-layer detection point, a file system filter, a process manager, a user-layer detection point, a filtering engine, a security object database SODB, a classifier, and a main service.
Specifically, the core architecture composed of the filtering engine, the security object database and the detection points provides a single event filtering entry in the filtering engine at the kernel layer; the filtering engine uniformly processes the filtering policies, and each policy is organized in the form of judgment expression and handling expression: the judgment expression lets all event elements participate in the judgment, and the handling expression executes methods defined by the method architecture.
Specifically, as shown in fig. 2, the filtering engine is called by a plurality of detection points, so that the capture of an event is separated from its processing; objects, attributes and event methods are described by architectures, giving the system extensibility; an in-memory database implemented in the kernel lets the filtering engine and the detection points access object information instantly; file source tracing associates multiple files from the same source with one behavior matrix; behavior analysis and risk assessment are performed instantly during event filtering; and a classifier classifies executable files.
In the embodiment of the present disclosure, the objects referenced in the event context, in the policy decision expressions and in the handling expressions, as well as the objects stored in the secure object database, are all described by a unified architecture, which specifically includes: the class architecture, which defines the composition of all object classes, including but not limited to the identifier of the class, the name of the class, the storage mode of the class's objects, and the attribute set specific to the class; the attribute architecture, which defines the attributes referenced in all class architectures, including but not limited to the identifier of the attribute, the name of the attribute, the data type of the attribute, and the storage mode of the attribute; the method architecture, which defines all available handling methods, including but not limited to the name of the method, the applicable conditions of the method, the number of parameters of the method, and the name and data type of each parameter; and the event architecture, which defines all filterable events, including but not limited to the identifier of the event, the type of the event, the number of parameters of the event, and the name and data type of each parameter.
The architecture data is a series of structure arrays describing the system's object system, comprising: a) class architecture: defines the attributes owned by each class of object; b) attribute architecture: defines the name and data type of each attribute; c) event architecture: defines the events that may occur on each class of object; d) method architecture: defines the methods executable for each class of object and the global methods.
A kernel-layer classifier classifies files or other data by applying preset classification rules. Its interfaces are: a) file format classification interface: the input is either the complete path of the file or a data buffer of the file; the output is a string of 8 bytes, the first byte being the classification of the format and the remaining 7 bytes a format string. b) executable file classification interface: the input is either the complete path of the file or a data buffer of the file; the output is the file's code signer (a string) and a classification identifier represented by a 64-bit integer, in which each binary bit represents a file class.
The main service runs in the user layer and is mainly responsible for: at the first run of the system, scanning the critical security objects (services, accounts, disk volumes, loaded executables, etc.) and recording them in the security object database; pushing the filtering policies, behavior architecture and classification rules issued by the user interface or the management end down to the kernel layer; forwarding query requests from the user interface or the management end to the SODB; and passing alarm information generated by the kernel layer up to the user interface or the management end.
Therefore, compared with antivirus products, the system is based on real-time behavior analysis of malicious code and so does not depend on signatures (virus libraries). Compared with an active defense product, the system does not protect against single risky behaviors in isolation; it evaluates the overall behavior of the malicious code with the behavior matrix as the unit, requires no user intervention, and can effectively reduce false positives and false negatives. Compared with an EDR product built on event collection and event analysis, the system provides a real-time detection and response mechanism.
In summary, the terminal detection and response system of the present disclosure comprises at least one detection point, a filtering engine and a monitoring system, wherein the detection point captures an event, constructs the event context of the event and sends it to the filtering engine; the security object database stores the information of the key objects; the filtering engine maintains the policy set, filters the event context sent from the detection point according to the policy set and returns a filtering result, querying the security object database for the information of the objects related to the event while making its filtering decision; and the detection point further executes the corresponding operation according to the filtering result. Real-time detection and response can thus be realized at the terminal, improving detection efficiency and effectiveness.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

1. A terminal detection and response system, comprising:
the system comprises at least one detection point, a filtering engine and a monitoring system, wherein the detection point is used for capturing an event and constructing an event context of the event to be sent to the filtering engine;
the safety object database is used for storing the information of the key objects;
the filtering engine is used for maintaining a strategy set, filtering the event context transmitted from the detection point according to the strategy set and returning a filtering result; when the filtering engine carries out filtering judgment on the event context, inquiring the security object database to obtain the information of the event related object;
and the detection point is also used for executing corresponding operation according to the filtering result.
2. The terminal detection and response system of claim 1,
the filtering engine is used for intensively managing all strategy sets required by the terminal detection and response system;
the filtering engine provides a unique event filtering inlet for all the detection points.
3. The terminal detection and response system of claim 1, wherein the event context includes, but is not limited to, one or more of an event identification, an event parameter, a subject object, an object, a transformed object, and a summary of an event.
4. The terminal detection and response system of claim 1, wherein the format of each policy in the policy set, besides a policy identification and a policy priority, defines the following:
each policy comprises an event type set used for judging whether the event context is matched with each policy or not;
each strategy comprises a trigger judgment expression used for judging whether the event is matched with each strategy or not;
each policy may include N rules, each rule including a rule decision expression and a rule handling expression, and configured to execute processing described by the rule handling expression when an event satisfies the rule decision expression; wherein N is a natural number; the judgment expression uses all the related objects and object attributes in the event context in the operation process;
each policy may include a default handling expression for performing processing without a hit rule.
5. The terminal detection and response system of claim 4, wherein:
one handling expression may contain multiple handling methods, including but not limited to: a handling identifier that returns a filtering result code or another code specified by its parameters; a handling identifier that calls a global procedure; and an identifier that calls an object-related method.
6. The terminal detection and response system of claim 1, wherein the filtering engine filters the event context sent in by a detection point through the following steps:
screening out, from the policy set, the policies matching the event context according to the event type in the event context and the priority of each policy;
traversing the matched policies in order; for each policy, first evaluating the trigger expression of the policy with the event context as parameter and, when the result is true, matching the access control rules of the policy in order;
traversing the access control rules in the policy; for each access control rule, evaluating the decision expression of the rule with the event context as parameter; if the result is false, continuing to the next rule; if the result is true, running the handling method specified by the rule handling expression and returning the filtering result;
if no access control rule is hit, executing the handling method specified in the default handling expression of the policy and returning the filtering result;
and when the filtering result returned by a policy is not the continuation mark, ending policy matching and returning the filtering result to the detection point.
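The matching steps of claim 6, as an added example that is not the patent's own code: policies are screened by event type and ordered by priority, each triggered policy evaluates its rules in order, a policy with no hit falls back to its default handling expression, and the first result that is not the continuation mark is returned to the detection point. The result code names, the priority ordering (lower value first), the sample policies and the event context layout are assumptions made for the example.

```python
"""Added example (not the patent's code): a minimal filtering engine that walks
the policy-matching steps of claim 6 over a constructed event context."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Tuple

EventContext = Dict[str, Any]
Expr = Callable[[EventContext], bool]
Handler = Callable[[EventContext], str]

# filtering result codes returned to the detection point (names assumed)
CONTINUE, ALLOW, DENY = "CONTINUE", "ALLOW", "DENY"

@dataclass
class Rule:
    decision: Expr       # rule decision expression over the event context
    handle: Handler      # rule handling expression; returns a result code

@dataclass
class Policy:
    policy_id: str
    priority: int                   # lower value is matched first (assumption)
    event_types: FrozenSet[str]     # event type set used for the first screening
    trigger: Expr                   # trigger decision expression
    rules: List[Rule] = field(default_factory=list)
    default_handle: Handler = lambda ctx: CONTINUE   # used when no rule hits

class FilteringEngine:
    """Single event-filtering entry shared by all detection points (claim 2)."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def filter(self, ctx: EventContext) -> Tuple[str, Optional[str]]:
        """Return (filtering result, id of the policy that produced it)."""
        # 1. screen by event type, then order by policy priority
        matched = sorted(
            (p for p in self.policies if ctx["event_type"] in p.event_types),
            key=lambda p: p.priority)
        # 2. traverse matched policies; the trigger expression gates each one
        for policy in matched:
            if not policy.trigger(ctx):
                continue
            # 3. traverse the access control rules; the first hit decides
            result = None
            for rule in policy.rules:
                if rule.decision(ctx):
                    result = rule.handle(ctx)
                    break
            # 4. no rule hit: run the policy's default handling expression
            if result is None:
                result = policy.default_handle(ctx)
            # 5. anything other than the continuation mark ends matching
            if result != CONTINUE:
                return result, policy.policy_id
        return CONTINUE, None

# ---- constructed sample policies ----
PROTECTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")

def _subject_untrusted(ctx: EventContext) -> bool:
    return not ctx["subject"]["trusted"]

def _object_protected(ctx: EventContext) -> bool:
    return ctx["object"]["path"].startswith(PROTECTED_PREFIXES)

SAMPLE_POLICIES = [
    Policy("allow-system-signed", priority=0,
           event_types=frozenset({"file_write", "file_create"}),
           trigger=lambda ctx: ctx["subject"]["signer"] == "Microsoft Windows",
           rules=[Rule(lambda ctx: True, lambda ctx: ALLOW)]),
    Policy("protect-system-dirs", priority=10,
           event_types=frozenset({"file_write", "file_create", "file_delete"}),
           trigger=_object_protected,
           rules=[Rule(_subject_untrusted, lambda ctx: DENY)]),
]

def make_context(event_type: str, path: str, trusted: bool, signer: str = "") -> EventContext:
    """Build a constructed event context: event identification, object and subject."""
    return {"event_type": event_type,
            "object": {"path": path},
            "subject": {"trusted": trusted, "signer": signer}}

if __name__ == "__main__":
    engine = FilteringEngine(SAMPLE_POLICIES)
    print(engine.filter(make_context("file_write", "C:\\Windows\\x.dll", trusted=False)))
```

A trusted process writing under a protected directory triggers the protection policy but hits no rule, so the policy's default expression returns the continuation mark and matching proceeds to the end; the engine then reports CONTINUE with no deciding policy, which is the case the detection point must treat as "no verdict" rather than "allowed".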
7. The terminal detection and response system of claim 1, wherein storing attributes of the key objects in the secure object database comprises:
each object has a unique object identifier, and the object identifier is used for acquiring an object from a database;
each object contains a source attribute specifying the creator of the object;
each object is associated with a behavior matrix attribute, and the behavior matrix attribute is used for storing behavior information of the same source object.
8. The terminal detection and response system of claim 1, wherein the detection point is a file system filter that captures all file system calls, and when the event is a new-file or write-file operation on the file system, the source recording process comprises:
the file system filter constructs a file context when a new file is created and associates the file context with the file object allocated by the file system;
when the new file is closed, the file system filter obtains the file context from the file object of the file system and determines the source file of the file, reads the extended attributes of the source file and extracts its object identifier and/or behavior matrix attribute; if the source file is not in the security object database, stores the source file in the security object database; sets the returned object identifier as the source attribute of the file context and sets the behavior matrix attribute in the file context; and writes the source attribute and the behavior matrix attribute of the file context to the extended attributes of the file object of the file system.
9. A terminal detection and response system according to claim 1, wherein the at least one detection point includes a process manager,
the process manager maintains all live process objects and their parent process objects in the system and establishes a structure for each process object, the structure comprising, besides a process identifier, a process name, a command line and a session, a process mark, the executable file object associated with the process, the user account object associated with the process, the subject file object associated with the process and a process module list;
the process manager also performs subject identification, setting the process mark and the subject file according to the situation while the process executes, and, during event filtering, when the subject of the event is a process, obtains the process mark and the subject file for evaluation of the decision expressions;
and the process manager, acting as a detection point, constructs an event context when a process creation or dynamic library loading operation occurs, calls the filtering engine, and performs the corresponding processing according to the filtering result.
10. The terminal detection and response system of claim 9, wherein the process manager maintains process objects;
the process manager is also used for searching a corresponding executable file object in the safe object database according to the executable file path of the process when the process is started, and if the executable file object does not exist, inserting a new executable file object into the safe object database;
the process manager assigns the inherent attribute and the conventional attribute of the acquired object to the corresponding attribute of the new executable file object in the process of establishing the new executable file object;
and in the process of establishing a new executable file object, the process manager also calls a classifier to acquire a code signature and a classification identifier of the executable file and assigns the code signature and the classification identifier to a corresponding attribute of the new executable file object.
11. The terminal detection and response system of claim 9, wherein the process manager maintains process objects;
the process manager is also used for searching a corresponding executable file object in the security object database according to the executable file path of the dynamic library when the dynamic link library is loaded in the process, and inserting a new executable file object into the security object database if the corresponding executable file object does not exist; the process manager assigns the inherent attribute and the conventional attribute of the acquired object to the corresponding attribute of the new executable file object in the establishing process of the new executable file object, and calls the classifier to acquire the code signature and the classification identifier of the executable file and assigns the code signature and the classification identifier to the corresponding attribute of the new executable file object in the establishing process of the new executable file object;
the process manager is also used for determining whether the process loaded with the dynamic link library is credible or not according to the classification mark of the executable file object of the dynamic link library and updating the process mark; and constructing a module list item which comprises an executable file, a base address and a size, and inserting the module list item into a module list of a process.
12. The terminal detection and response system of claim 1, wherein the policy is a behavior detection policy and the handling method updates the behavior matrix associated with the subject of the event;
when updating the behavior matrix associated with the subject according to the behavior detection policy, the filtering engine calls the process manager to extract the subject file associated with the subject process, then obtains a pointer to the behavior matrix structure associated with the subject file in the security object database, and updates the hit set of the matrix according to the behavior identifier specified by the handling method parameter;
if the hit set already contains the incoming behavior identifier, returning; otherwise adding the incoming behavior identifier to the hit set of the behavior matrix, calculating the risk value of the behavior matrix and evaluating the risk level of the behavior matrix.
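The secure object database attributes of claim 7 (unique object identifier, source attribute, behavior matrix shared by objects of the same source) together with the hit-set update of claim 12, as an added example that is not the patent's own code. A new object inserted with a known source shares its source's behavior matrix, so a file dropped by a process accumulates into the same matrix as its creator; a repeated behavior identifier is ignored, and a new one recomputes the risk value and level. The behavior weights, the additive risk formula and the level thresholds are constructed assumptions; the patent gives no formula.

```python
"""Added example (not the patent's code): toy secure object database with the
object identifier, source attribute and shared behavior matrix of claim 7, and
the behavior-matrix hit-set update of claim 12."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# constructed: behavior identifier -> risk weight (assumption)
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "drop_executable": 30,
    "modify_autorun": 40,
    "inject_process": 50,
    "encrypt_user_files": 60,
}
# constructed: (minimum risk value, level), checked from the highest down
RISK_LEVELS = [(80, "high"), (40, "medium"), (1, "low"), (0, "none")]

@dataclass
class BehaviorMatrix:
    hit_set: Set[str] = field(default_factory=set)
    risk_value: int = 0
    risk_level: str = "none"

    def add_hit(self, behavior_id: str) -> bool:
        """Claim 12: return False if already in the hit set, else add the
        identifier, recompute the risk value and re-evaluate the level."""
        if behavior_id in self.hit_set:
            return False
        self.hit_set.add(behavior_id)
        self.risk_value = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in self.hit_set)
        self.risk_level = next(lvl for floor, lvl in RISK_LEVELS
                               if self.risk_value >= floor)
        return True

@dataclass
class SecureObject:
    object_id: int                    # unique identifier used to fetch the object
    path: str
    source_id: Optional[int]          # creator of the object (source attribute)
    behavior_matrix: BehaviorMatrix   # shared with objects of the same source

class SecureObjectDatabase:
    def __init__(self) -> None:
        self._next_id = itertools.count(1)
        self._by_id: Dict[int, SecureObject] = {}
        self._by_path: Dict[str, int] = {}

    def get(self, object_id: int) -> SecureObject:
        return self._by_id[object_id]

    def lookup_or_insert(self, path: str, source_id: Optional[int] = None) -> int:
        """Find an object by path, inserting it if absent (as claims 10 and 11
        do for executables); a new object with a known source shares that
        source's behavior matrix rather than starting an empty one."""
        if path in self._by_path:
            return self._by_path[path]
        if source_id in self._by_id:
            matrix = self._by_id[source_id].behavior_matrix
        else:
            matrix = BehaviorMatrix()
        obj = SecureObject(next(self._next_id), path, source_id, matrix)
        self._by_id[obj.object_id] = obj
        self._by_path[path] = obj.object_id
        return obj.object_id

    def update_behavior(self, subject_id: int, behavior_id: str) -> bool:
        """Handling method of a behavior detection policy: the subject's
        matrix pointer is fetched from the database and its hit set updated."""
        return self._by_id[subject_id].behavior_matrix.add_hit(behavior_id)

if __name__ == "__main__":
    db = SecureObjectDatabase()
    dropper = db.lookup_or_insert("C:\\Users\\a\\AppData\\dropper.exe")
    payload = db.lookup_or_insert("C:\\Users\\a\\AppData\\payload.dll", source_id=dropper)
    db.update_behavior(dropper, "drop_executable")
    db.update_behavior(payload, "modify_autorun")
    print(db.get(payload).behavior_matrix)
```

Because the matrix is shared by reference, behaviors performed by the dropped payload raise the risk of the whole lineage, which is what lets the system judge the overall behavior of a malicious code rather than one process's single action.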
13. The terminal detection and response system of claim 1, wherein the detection points are user-level detection points, further comprising:
and the user layer detection point is used for capturing the operation of the user layer on the security object, packaging the event into binary data and then dispatching the binary data to the filtering engine through the input and output interface for filtering.
14. The system according to claim 1, wherein the objects associated in the event context, the objects related in the policy decision expression and the handling expression, and the objects stored in the secure object database are all described by a unified architecture, and specifically comprises:
the class architecture defines the composition of all object classes, and the definition comprises but is not limited to the identification of the classes, the names of the classes, the storage modes of the class objects and the attribute sets specific to the classes;
the attribute architecture defines the attributes which are referred in all the class architectures, and the definition comprises but is not limited to the identification of the attributes, the names of the attributes, the data types of the attributes and the storage modes of the attributes;
a method framework defining all available disposal methods, including but not limited to the name of the method, the applicable conditions of the method, the number of parameters of the method, and the name and data type of each parameter;
and the event architecture defines all filterable events, including but not limited to the identification of the event, the type of the event, the number of parameters of the event, and the name and data type of each parameter.
CN202110697932.6A 2021-06-23 2021-06-23 Terminal detection and response system Active CN113312615B (en)
Publications (2)

Publication Number Publication Date
CN113312615A true CN113312615A (en) 2021-08-27
CN113312615B CN113312615B (en) 2022-04-01

Family

ID=77380208
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant