CN113434747A - Abnormal behavior tracking device and method based on sequence mode - Google Patents

Publication number: CN113434747A
Application number: CN202110642902.5A
Authority: CN (China)
Prior art keywords: sequence, calling, module, api, parameter
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 谭喆, 顾雄飞, 殷星
Assignee (original and current): Jiayuan Technology Co Ltd

Classifications

    • G06F16/951 Indexing; Web crawling techniques
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G06F16/2474 Sequence data queries, e.g. querying versioned data
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Abstract

The invention discloses an abnormal behavior tracking device and method based on sequence patterns. The device comprises a hook module, a sequence pattern capturing module, a sequence pattern generating module and a user operation statistics module: the hook module hooks the API; the sequence pattern capturing module serializes the API call information into sequence data; the sequence pattern generating module mines the sequence data and generates a call statistics table; the user operation statistics module sets the parameters each module needs. The invention records the user's API-calling behavior, orders it with a sequence pattern mining model, analyzes the most common and the least common behaviors, and can improve the accuracy of intrusion detection to a certain extent.

Description

Abnormal behavior tracking device and method based on sequence mode
Technical Field
The invention relates to an abnormal behavior tracking device and method based on a sequence mode, and belongs to the technical field of network security detection.
Background
With the development of the internet, software security and intrusion detection receive ever more attention. An intruding virus causes significant harm to the operating system: it may not only crash the system and the processes in it, but also monitor and steal the user's private information.
HOOK is a relatively mature technology; the term literally means "hook". It can be used to hook keyboard and mouse actions, and also to hook an API (application program interface), recording the API's call process and monitoring the incoming parameters. The import address table (IAT) of a process, the system service descriptor table (SSDT) and the interrupt descriptor table (IDT) of the system, and the like, are typical objects for hooking. After hooking, a detour branch is added to the original flow, and after the detour execution switches back to the processing steps of the original flow. Fig. 1 compares the execution flow of software with and without the HOOK procedure.
The conventional intrusion and abnormal behavior detection method basically hooks important APIs or system calls, records the call process and associates it with the next call process, then compares the result against the rule base of the detection software (such as a virus base or an illegal-action base); if the description in the rule base is matched, the program is judged to be a virus or an intruder.
Disclosure of Invention
The invention provides an abnormal behavior tracking device and method based on a sequence mode, which improve an abnormal behavior detection mechanism by utilizing a sequence mode model and a HOOK technology so as to improve the accuracy of intrusion detection.
The technical scheme adopted by the invention is as follows:
the invention provides an abnormal behavior tracking device based on sequence patterns, comprising a hook module, a sequence pattern capturing module, a sequence pattern generating module and a user operation statistics module, wherein:
the hook module is used for hooking an API;
the sequence mode capturing module is used for subscribing API calling information and carrying out serialization processing on the API calling information to generate sequence data;
the sequence pattern generation module is used for mining sequence data transmitted by the sequence pattern capture module to generate a sequence pattern, counting based on calling frequency and generating a statistical table;
the user operation statistical module is used for setting parameters, including setting an API (application program interface) to be hooked by the hooking module, setting information to be grabbed by the sequence mode grabbing module, setting upper and lower thresholds of grabbing parameters of the sequence mode generating module, setting upper and lower limits of calling frequency thresholds and checking statistical information.
Further, the hooking module hooks the API by replacing the import address table of the process.
Further, the sequence mode grabbing module comprises two sub-modules;
the first submodule subscribes to API call information, including call parameter values, parameter count and call time, from the hook module and denoises the parameter values;
the second submodule serializes the received API call information into a sequence and passes the sequence to the sequence pattern generating module;
one item of sequence data is represented as < APIName, APIAddress, Param1, Param2 ... ParamN, Timestamp >, where APIName is the API name, APIAddress the API address, Parami the value of the ith call parameter, N the number of call parameters, and Timestamp the call time.
Further, the sequence pattern generating module excavates the sequence pattern by using Apriori algorithm.
Further, the sequence pattern generating module counts the number of calls based on the API name, the API address or the call parameters, accumulates the count after each call, and generates a new statistical sequence, expressed as < APIName, APIAddress, parameter value 1, parameter value 2 ... parameter value N, call time, call times >.
Further, the sequence pattern generating module is further configured to generate a statistical table for the API based on the statistical sequence when there is a sequence of the same API name or API address.
Further, the sequence pattern generation module is also used for analyzing abnormal behaviors based on the statistical table and giving an early warning to the user operation statistical module;
the abnormal behavior comprises:
a call whose frequency within a time period is lower than the set lower call-frequency threshold; a call whose parameter value lies outside the upper and lower threshold range of that parameter; and a call whose frequency within a time period is higher than the set upper call-frequency threshold.
Further, the user operation statistics module is also used for correcting the upper and lower thresholds of the parameters according to the maximum and minimum values of the parameters in the statistical table.
The invention also provides an abnormal behavior tracking method based on the sequence mode, which comprises the following steps:
setting an API to be hooked, a parameter set to be captured, calling time and setting upper and lower thresholds of the captured parameter;
capturing API (application program interface) calling information according to the set calling time of the capturing parameters, and performing serialization processing to generate sequence data;
mining the generated sequence data to generate a sequence mode;
counting the calling times of the sequence mode according to the API name or the API address or the parameter to generate a statistical table;
and analyzing abnormal behaviors to alarm based on the statistical table.
Further, the abnormal behavior includes:
a call whose frequency within a time period is lower than the set lower call-frequency threshold; a call whose parameter value lies outside the upper and lower threshold range of that parameter; and a call whose frequency within a time period is higher than the set upper call-frequency threshold.
The invention has the beneficial effects that:
the invention records the user's API-calling instruction behavior; by sequence pattern mining it can count the usage frequency, parameter information, call time, calling user and the like of the APIs of interest, and can cascade (Adaboost) this with other API call information to discover stronger and more accurate behavior rules. By ordering and counting the sequence patterns the invention analyzes the most common and least common behaviors, which improves the accuracy of intrusion detection to a certain extent; it can also statistically analyze the calling rules the user is interested in and authorize calling behaviors.
Drawings
FIG. 1 is a comparison of the software execution flow after the hooking process is added and not added;
FIG. 2 is a block diagram of an abnormal behavior tracking apparatus based on sequence patterns according to the present invention;
FIG. 3 is a schematic diagram of the operation of the hook module of the present invention;
FIG. 4 is a schematic representation of candidate sequences and sequence pruning;
FIG. 5 is a timing diagram illustrating the cooperation of the user operation statistics module with other modules in the present invention;
FIG. 6 is a collaboration diagram of a sequence pattern capture module, a sequence pattern construction module, and a user operation statistics module in accordance with the present invention.
Detailed Description
The invention is further described below. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
One embodiment of the invention provides an abnormal behavior tracking device based on a sequence mode, which comprises a hook module, a sequence mode capturing module, a sequence mode generating module and a user operation counting module, wherein the overall structure is shown in fig. 2.
The hook module is used to hook the API.
And the sequence mode capturing module is used for subscribing API calling information and carrying out serialization processing on the API calling information to generate sequence data.
And the sequence pattern generation module is used for mining the sequence data transmitted by the sequence pattern capture module and generating a sequence pattern statistical table about the API.
The user operation statistical module is used for setting parameters, and comprises an API (application program interface) for setting a hook module to hook, information of interest to be captured by the sequence mode capturing module is set, an upper threshold and a lower threshold corresponding to the capturing parameters of the sequence mode generating module are set, an upper limit and a lower limit of a calling frequency threshold are set, and meanwhile statistical information can be viewed.
In the embodiment of the invention, the hook module hooks the API by replacing the Import Address Table (IAT) of the process. Specifically, the entry address of the target function in the IAT is replaced, while the parameters remain unchanged. The replacement address is the entry address of a new API, which represents an instruction module. The instruction module has two parts: a processing logic module, mainly responsible for recording the API call, acquiring the parameters, recording the timestamp and so on, and sending this data to the sequence pattern capturing module; and a jump module (JMP), which jumps back to the entry address of the replaced API so that the original calling process is not affected. The processing logic is shown in fig. 3.
In the embodiment of the invention, the sequence pattern capturing module comprises two sub-modules: the first interfaces with the hook module and the second with the sequence pattern generating module. The first submodule subscribes to API call information, including call parameter values, parameter count, call time and the like, from the hook module, and denoises it after receipt (a parameter value that differs too much from most of the parameter values is treated as noise). The information of every call of the API is captured and processed by this module. For example, when the API(int A, char B) is called with the concrete parameter values (ParamA, ParamB), the information sent by the hook module and received by the first submodule includes APIName, APIAddress, ParamA, ParamB, Timestamp and any other information of interest set by the user. The second submodule receives this information, serializes it into the sequence < APIName/APIAddress-ParamA-ParamB-Timestamp-others >, and passes the sequence to the sequence pattern generating module. In general the sequence contains the terms < APIName, APIAddress, Param1, Param2 ... ParamN, Timestamp >, where APIName is the API name, APIAddress the API address, Parami the value of the ith call parameter, N the number of call parameters and Timestamp the call time.
In the embodiment of the invention, the sequence pattern generating module mines the sequence data passed by the sequence pattern capturing module and analyzes the structured sequence data by usage-frequency statistics to form sequence patterns. That is, given a sequence data set D and a user-specified minimum support minsup, all sequences with support greater than or equal to minsup are found.
The support of a sequence s is the proportion of all data sequences (each an ordered list of events associated with a single data object) that contain s; if the support of s is greater than or equal to minsup, s is called a sequence pattern (a frequent sequence).
Sequence patterns are typically constructed with the Apriori algorithm, which generates candidate k-sequences by merging pairs of frequent (k-1)-sequences. To avoid generating duplicates, the merging rule is as follows:
sequence s1 may be merged with sequence s2 only if the subsequence obtained by removing the first event from s1 is identical to the subsequence obtained by removing the last event from s2; the result, s1 concatenated with the last event of s2, is called a candidate sequence. There are two ways of connecting:
1) if the last two events of s2 belong to the same element, the last event of s2 becomes part of the last element of s1 in the merged sequence;
2) if the last two events of s2 belong to different elements, the last event of s2 becomes a separate element appended to the tail of s1 in the merged sequence.
A candidate sequence is pruned if at least one of its subsequences is infrequent (Apriori pruning), as shown in fig. 4.
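An added example, not code from the patent, implementing the join and prune steps described above in Python over constructed API-name sequences (one event per element, so the two connection cases collapse into appending the last event of s2 to s1):

```python
from typing import Dict, List, Set, Tuple

Sequence = Tuple[str, ...]

# Constructed sample data (not from the patent): each data sequence is the
# ordered list of API names the hook module captured for one process run.
SAMPLE_DATA: List[Sequence] = [
    ("CreateFileW", "ReadFile", "CloseHandle"),
    ("CreateFileW", "ReadFile", "WriteFile", "CloseHandle"),
    ("CreateFileW", "WriteFile", "CloseHandle"),
    ("RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"),
    ("CreateFileW", "ReadFile", "CloseHandle", "RegOpenKeyExW"),
]


def is_subsequence(s: Sequence, data: Sequence) -> bool:
    """True if s occurs in data in order (gaps between events allowed)."""
    i = 0
    for event in data:
        if i < len(s) and event == s[i]:
            i += 1
    return i == len(s)


def support(s: Sequence, dataset: List[Sequence]) -> float:
    """Proportion of data sequences that contain s."""
    return sum(is_subsequence(s, d) for d in dataset) / len(dataset)


def merge_candidates(frequent: Set[Sequence]) -> Set[Sequence]:
    """Join step: s1 and s2 merge only when s1 minus its first event equals
    s2 minus its last event; the candidate is s1 followed by s2's last event."""
    candidates: Set[Sequence] = set()
    for s1 in frequent:
        for s2 in frequent:
            if s1[1:] == s2[:-1]:
                candidates.add(s1 + (s2[-1],))
    return candidates


def prune(candidates: Set[Sequence], frequent_prev: Set[Sequence]) -> Set[Sequence]:
    """Prune step: a k-candidate survives only if every (k-1)-subsequence
    obtained by deleting one event is itself frequent."""
    kept: Set[Sequence] = set()
    for c in candidates:
        if all(c[:i] + c[i + 1:] in frequent_prev for i in range(len(c))):
            kept.add(c)
    return kept


def mine_sequence_patterns(dataset: List[Sequence], minsup: float) -> Dict[Sequence, float]:
    """Return every sequence whose support is >= minsup, mapped to its support."""
    singles = {(event,) for d in dataset for event in d}
    scored = {s: support(s, dataset) for s in singles}
    frequent = {s: sup for s, sup in scored.items() if sup >= minsup}
    patterns: Dict[Sequence, float] = dict(frequent)
    while frequent:
        # Grow length by one per round: join, prune, then count support.
        candidates = prune(merge_candidates(set(frequent)), set(frequent))
        scored = {c: support(c, dataset) for c in candidates}
        frequent = {c: sup for c, sup in scored.items() if sup >= minsup}
        patterns.update(frequent)
    return patterns


if __name__ == "__main__":
    found = mine_sequence_patterns(SAMPLE_DATA, 0.4)
    for pattern, sup in sorted(found.items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{sup:.1f}  {' -> '.join(pattern)}")
```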
The raw data counted by the sequence pattern generating module may be API names or addresses, API parameter sets, and so on. After each call is counted, the number of calls is updated and a new statistical sequence is generated, of the form < APIName, APIAddress, parameter value a1, parameter value b1 ... parameter value N1, call time, number of calls, ... >. Since the number of parameters of each API is fixed, the parameter count N is known. For example: < XXAPI1, A1, B1, time1, 8 >, < XXAPI2, A2, B2, time2, 9 >. When sequences with the same API name or address enter the statistics module, a statistics table for that API is generated, as shown in Table 1.
Table 1  API call statistics sequence table
API Name   API Address   Param1   Param2   ...   ParamN   TimeStamp   Call Rate
XXAPI1     0x00033EC0    A1       B1       ...   N1       time1       5
XXAPI2     0x000334F0    A2       B2       ...   N2       time2       7
...
XXAPIN     0x00056560    An       Bn       ...   Nn       timen       10
Each record in the table is one API call, that is, an original sequence pattern. From the statistical table, the maximum and minimum of each parameter column can be analyzed, and the call frequency of the API with different parameter sets can be counted, giving two statistical dimensions, horizontal and vertical: the upper and lower thresholds of each parameter, and the call frequency of the first type of call parameter set (first record), of the second type (second record), and so on. With these, it can be determined which sequences are frequent, which are infrequent and which are rare. The thresholds that qualify a sequence as frequent, infrequent or rare may be set through the user operation statistics module.
Based on the statistical table, suspected abnormal behaviors with low usage frequency are counted; the user may set a frequency threshold, an alarm is raised once it is crossed, and execution continues after the user confirms.
In the embodiment of the invention, the user operation statistics module may correct the upper and lower thresholds of the parameters according to the maximum and minimum values of each parameter in the statistical table, by a semi-supervised learning method.
When an abnormal sequence call occurs, the user may be notified that, for example, the value of a certain API parameter X lies outside the threshold range for that parameter. If the number of calls of a certain sequence within a time period increases abnormally, an alarm is sent to the user. The cooperation of the user operation statistics module with the other modules is shown in fig. 4.
In addition, sequences and cascades of sequences can be used to generate stronger sequences, for example < API1, A1, B1, API2, A2, B2, C2 >. This allows rules between calling processes to be discovered, yielding stronger rules.
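An added example, not the patent's code, that builds the statistics table, applies the three abnormal-behavior checks (rare call, out-of-range parameter, burst of calls) and the semi-supervised threshold correction described above to constructed call records; the API names XXAPI1/XXAPI2, the addresses and all parameter values are assumed:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Params = Tuple[int, ...]
Bounds = List[Tuple[int, int]]


@dataclass(frozen=True)
class CallRecord:
    """One serialized call: < APIName, APIAddress, Param1..ParamN, Timestamp >."""
    api_name: str
    api_address: int
    params: Params
    timestamp: float


# Constructed sample records (not from the patent); integer parameter values,
# hypothetical API names and addresses following the page's Table 1.
RECORDS: List[CallRecord] = [
    CallRecord("XXAPI1", 0x00033EC0, (4096, 1), 1.0),
    CallRecord("XXAPI1", 0x00033EC0, (4096, 1), 2.0),
    CallRecord("XXAPI1", 0x00033EC0, (8192, 1), 3.0),
    CallRecord("XXAPI1", 0x00033EC0, (4096, 1), 4.0),
    CallRecord("XXAPI1", 0x00033EC0, (65536, 3), 5.0),  # unusual parameter set
    CallRecord("XXAPI2", 0x000334F0, (1, 0), 1.5),
    CallRecord("XXAPI2", 0x000334F0, (1, 0), 2.5),
]


def build_stat_table(records: List[CallRecord]) -> Dict[Tuple[str, int], Dict[Params, Tuple[float, int]]]:
    """Group records by (API name, address) and count calls per distinct
    parameter set, keeping the first timestamp: the rows of Table 1."""
    table: Dict[Tuple[str, int], Dict[Params, Tuple[float, int]]] = defaultdict(dict)
    for r in records:
        key = (r.api_name, r.api_address)
        first_ts, count = table[key].get(r.params, (r.timestamp, 0))
        table[key][r.params] = (first_ts, count + 1)
    return table


def param_bounds(table, api_key: Tuple[str, int]) -> Bounds:
    """Min and max of each parameter column for one API (the vertical dimension)."""
    rows = list(table[api_key])
    return [(min(r[i] for r in rows), max(r[i] for r in rows)) for i in range(len(rows[0]))]


def check_params(record: CallRecord, thresholds: Bounds) -> List[int]:
    """Anomaly type 2: indices of parameters outside their [lower, upper] threshold."""
    return [i for i, (v, (lo, hi)) in enumerate(zip(record.params, thresholds))
            if not lo <= v <= hi]


def check_frequency(records: List[CallRecord], api_name: str, window: float,
                    t_end: float, lo_rate: int, hi_rate: int) -> Tuple[str, int]:
    """Anomaly types 1 and 3: calls of api_name in (t_end - window, t_end]
    fewer than lo_rate ('rare') or more than hi_rate ('burst')."""
    n = sum(1 for r in records
            if r.api_name == api_name and t_end - window < r.timestamp <= t_end)
    if n < lo_rate:
        return ("rare", n)
    if n > hi_rate:
        return ("burst", n)
    return ("normal", n)


def correct_thresholds(thresholds: Bounds, confirmed_benign: List[CallRecord]) -> Bounds:
    """Semi-supervised correction: widen each threshold so that the parameter
    values of records the user confirmed as benign after an alarm fit inside."""
    out = list(thresholds)
    for r in confirmed_benign:
        for i, v in enumerate(r.params):
            lo, hi = out[i]
            out[i] = (min(lo, v), max(hi, v))
    return out


if __name__ == "__main__":
    table = build_stat_table(RECORDS)
    user_thresholds: Bounds = [(1024, 16384), (0, 2)]  # set via the user operation module
    for r in RECORDS:
        bad = check_params(r, user_thresholds)
        if bad:
            print(f"{r.api_name}: parameter(s) {bad} outside threshold in {r.params}")
    print(check_frequency(RECORDS, "XXAPI1", 5.0, 5.0, 3, 4))
    print(correct_thresholds(user_thresholds, [RECORDS[4]]))
```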
Another embodiment of the present invention provides a method for tracking abnormal behavior based on sequence patterns; referring to fig. 5, the steps are as follows:
Step 1: the user operation statistics module sets, in the hook module, the function (API) to be hooked;
Step 2: the user operation statistics module sets, in the sequence pattern capturing module, the set of information to be captured; here it is assumed that all parameters are captured and the call time is recorded, expressed as < API, Param1, Param2 ... ParamN, TimeStamp >, where Parami is the ith captured parameter, N the number of captured parameters and TimeStamp the call time;
Step 3: the user operation statistics module sets, in the sequence pattern generating module, the upper and lower thresholds of the captured parameters, expressed as < Max1, Max2 ... MaxN >, where Maxi is the upper and lower threshold range of the ith captured parameter;
Step 4: the sequence pattern construction process starts; the sequence capturing module captures API call information and serializes it to generate sequence data;
Step 5: the sequence pattern generating module mines the sequence data passed by the sequence pattern capturing module;
Step 6: steps 4 and 5 are repeated to generate a certain number of sample sequences based on semi-supervised learning (the number and degree generated are determined by a system default or set by the user); the sequence patterns are counted by usage frequency and a call statistics table is generated.
After each call is counted, the number of calls is updated and a new statistical sequence is generated, of the form < APIName, APIAddress, parameter a1, parameter b1 ... parameter N1, call time, call times, ... >. The counted data may be API names or addresses, API parameter sets, and so on.
Step 7: based on the call statistics table, an alarm is raised to the user operation statistics module when abnormal behavior exists.
In this embodiment, the abnormal behavior includes: a call whose frequency is below the frequency threshold, a call whose parameter value is outside the threshold range of the parameter, and a sequence whose call frequency increases abnormally within a time period.
In this embodiment, the user normally uses various system calls; the hooked targets are not limited to APIs and may also be system calls and the like.
It is to be noted that the apparatus embodiment corresponds to the method embodiment, and the implementation manners of the method embodiment are all applicable to the apparatus embodiment and can achieve the same or similar technical effects, so that the details are not described herein.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. An abnormal behavior tracking device based on a sequence mode is characterized by comprising a hook module, a sequence mode capturing module, a sequence mode generating module and a user operation counting module;
the hook module is used for hooking an API;
the sequence mode capturing module is used for subscribing API calling information and carrying out serialization processing on the API calling information to generate sequence data;
the sequence pattern generation module is used for mining sequence data transmitted by the sequence pattern capture module to generate a sequence pattern, counting based on calling frequency and generating a statistical table;
the user operation statistical module is used for setting parameters, including setting an API (application program interface) to be hooked by the hooking module, setting information to be grabbed by the sequence mode grabbing module, setting upper and lower thresholds of grabbing parameters of the sequence mode generating module, setting upper and lower limits of calling frequency thresholds and checking statistical information.
2. The device according to claim 1, wherein the hooking module hooks the API by replacing an import address table of the process.
3. The abnormal behavior tracking device based on the sequence pattern as claimed in claim 1, wherein the sequence pattern capture module comprises two sub-modules;
the first submodule is used for subscribing API calling information including calling parameter values, parameter quantity and calling time to the hook module and carrying out denoising processing on the parameter values;
the second submodule is used for carrying out serialization processing on the received API call information, generating a sequence and transmitting the sequence to the sequence mode generating module;
one item of sequence data is represented as < APIName, APIAddress, Param1, Param2 ... ParamN, Timestamp >, where APIName is the API name, APIAddress the API address, Parami the value of the ith call parameter, N the number of call parameters, and Timestamp the call time.
4. The apparatus according to claim 1, wherein the sequence pattern generating module mines the sequence pattern by using Apriori algorithm.
5. The abnormal behavior tracking device based on sequence patterns as claimed in claim 4, wherein the sequence pattern generating module counts the number of calls based on the API name, the API address or the call parameters, accumulates the count after each call, and generates a new statistical sequence represented as < APIName, APIAddress, parameter value 1, parameter value 2 ... parameter value N, call time, call times >.
6. The apparatus according to claim 5, wherein the sequence pattern generation module is further configured to generate a statistical table for the API based on the statistical sequence when there is a sequence of the same API names or API addresses.
7. The device according to claim 6, wherein the sequence pattern generation module is further configured to analyze abnormal behavior based on the statistical table and to give an early warning to the user operation statistics module;
the abnormal behavior comprises:
a call whose frequency within a time period is lower than the set lower call-frequency threshold; a call whose parameter value lies outside the upper and lower threshold range of that parameter; and a call whose frequency within a time period is higher than the set upper call-frequency threshold.
8. The device for tracking abnormal behavior based on sequence patterns according to claim 1, wherein the user operation statistics module is further configured to correct the upper and lower thresholds of the parameters according to the maximum and minimum values of the parameters in the statistical table.
9. An abnormal behavior tracking method based on sequence mode, characterized by comprising the following steps:
setting the API to be hooked, the parameter set to be captured and the capture timing, and setting upper and lower thresholds for the captured parameters;
capturing API (application program interface) call information at the set capture timing and serializing it to generate sequence data;
mining the generated sequence data to generate a sequence pattern;
counting the calls of the sequence pattern by API name, API address or parameter to generate a statistical table;
and analyzing abnormal behavior based on the statistical table and raising an alarm.
10. The abnormal behavior tracking method based on sequence patterns as claimed in claim 9, wherein the abnormal behavior comprises:
the number of calls within a time period being lower than a set lower call-count threshold; a call parameter value exceeding the upper or lower threshold range of the parameter; and the number of calls within a time period being higher than a set upper call-count threshold.
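The statistical table of claims 5 and 6, the three abnormal-behavior checks of claims 7 and 10, and the threshold correction of claim 8, worked through on constructed call records. This is an added example, not code from the patent or its assignee; the API names, the 60-second time period, the per-API thresholds and the reading of "correct" as "reset to the observed min/max" are all assumptions.

```python
from collections import defaultdict

# Constructed sample of hooked API call records: (API name, parameter value, call time in seconds).
# send_file is called five times inside the first minute and once with an oversized parameter.
CALLS = [
    ("open_file", 12, 1), ("open_file", 40, 8), ("open_file", 33, 15),
    ("send_file", 100, 2), ("send_file", 5000, 3), ("send_file", 120, 4),
    ("send_file", 90, 5), ("send_file", 110, 6),
    ("open_file", 20, 65),
]

# Assumed per-API thresholds: (lower call count, upper call count, parameter lower, parameter upper).
THRESHOLDS = {"open_file": (2, 10, 0, 100), "send_file": (1, 3, 0, 1000)}
WINDOW_SECONDS = 60  # the "time period" over which call counts are judged (assumed)

def build_statistical_table(calls, window_seconds=WINDOW_SECONDS):
    """Per-API statistical table: call count per time window plus the
    observed minimum and maximum parameter value."""
    table = {}
    for api, value, t in calls:
        entry = table.setdefault(api, {"counts": defaultdict(int), "min": value, "max": value})
        entry["counts"][t // window_seconds] += 1  # accumulate the count after each call
        entry["min"] = min(entry["min"], value)
        entry["max"] = max(entry["max"], value)
    return table

def analyze_abnormal_behavior(calls, table, thresholds=THRESHOLDS):
    """Flag the three abnormal behaviours: call count below the lower threshold,
    call count above the upper threshold, parameter value outside its range."""
    alerts = []
    for api, entry in table.items():
        lo_cnt, hi_cnt, _, _ = thresholds[api]
        for window, count in sorted(entry["counts"].items()):
            if count < lo_cnt:
                alerts.append((api, "low_call_frequency", window, count))
            elif count > hi_cnt:
                alerts.append((api, "high_call_frequency", window, count))
    for api, value, t in calls:
        p_lo, p_hi = thresholds[api][2:]
        if not p_lo <= value <= p_hi:
            alerts.append((api, "parameter_out_of_range", t, value))
    return alerts

def correct_thresholds(table, thresholds=THRESHOLDS):
    """Reset each API's parameter thresholds to the min/max in the table.
    Only do this from a window that raised no alerts, or an outlier becomes the new normal."""
    return {api: (lo, hi, table[api]["min"], table[api]["max"])
            for api, (lo, hi, _, _) in thresholds.items()}
```

On the sample data the table yields one low-frequency alert for open_file, one high-frequency alert for send_file and one out-of-range parameter for send_file; correcting thresholds from this same table would raise send_file's upper parameter bound to 5000, which is why the correction should be fed only from alert-free windows.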
CN202110642902.5A 2021-06-09 2021-06-09 Abnormal behavior tracking device and method based on sequence mode Pending CN113434747A (en)


Publications (1)

Publication Number Publication Date
CN113434747A true CN113434747A (en) 2021-09-24

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101976313A (en) * 2010-09-19 2011-02-16 Sichuan University Frequent subgraph mining based abnormal intrusion detection method
CN102547832A (en) * 2012-02-09 2012-07-04 ZTE Corporation Method and device for detecting abnormity of user equipment in long term evolution system
US20150205692A1 (en) * 2014-01-23 2015-07-23 Concurix Corporation Behavior clustering analysis and alerting system for computer applications
CN110704773A (en) * 2018-06-25 2020-01-17 SF Technology Co., Ltd. Abnormal behavior detection method and system based on frequent behavior sequence mode
CN110611531A (en) * 2019-09-02 2019-12-24 Ruijie Networks Co., Ltd. Optical module fault diagnosis and early warning method, device and system
CN111698247A (en) * 2020-06-11 2020-09-22 Tencent Technology (Shenzhen) Co., Ltd. Abnormal account detection method, device, equipment and storage medium
CN112035839A (en) * 2020-08-12 2020-12-04 NSFOCUS Technologies Group Co., Ltd. Detection method and device for race condition vulnerability exploitation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dai Chunxing: "Research on malware detection technology based on abnormal behavior in a KVM environment", Journal of Information Security Research, no. 6, pages 1-9 *
Chen Wangbin: "Research on intrusion detection technology based on sequential pattern mining", Journal of Chinese Computer Systems, vol. 25, no. 5, pages 1-4 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070656A (en) * 2022-01-18 2022-02-18 Jiangsu Suning Bank Co., Ltd. Method and device for monitoring abnormity of open API (application program interface) of commercial bank
CN114070656B (en) * 2022-01-18 2022-03-25 Jiangsu Suning Bank Co., Ltd. Method and device for monitoring abnormity of open API (application program interface) of commercial bank

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination