CN114024775A - Host computer defect detection method and system based on EDR and NDR - Google Patents


Info

Publication number
CN114024775A
Authority
CN
China
Prior art keywords
ndr
module
edr
host computer
information
Legal status
Pending
Application number
CN202210002637.9A
Other languages
Chinese (zh)
Inventor
王蕴澎
熊天翼
陈杰
童兆丰
薛锋
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The embodiments of the application provide a host compromise detection method and system based on EDR and NDR, in the technical field of data security. The EDR- and NDR-based host compromise detection method comprises the following steps: acquiring traffic log information; analyzing the traffic log information through an NDR module to generate NDR detection information; sending the NDR detection information to an EDR module; analyzing the NDR detection information through the EDR module to generate host compromise information; calling process chain information of the EDR module through the NDR module to generate host log information; and generating host compromise tracing data according to the host compromise information, the traffic log information and the host log information. The EDR- and NDR-based host compromise detection method can achieve the technical effect of improving the detection capability and the source-tracing capability for host compromise.

Description

Host computer defect detection method and system based on EDR and NDR
Technical Field
The application relates to the technical field of data security, and in particular to a host compromise detection method and system based on EDR and NDR, an electronic device and a computer-readable storage medium.
Background
At present, as technology develops, the skill of attackers keeps improving, and it is unrealistic to secure an entire enterprise security architecture with a single device. Therefore, the current approach to enterprise security defense is to deploy corresponding security products on both the network side and the server host side to protect enterprise assets.
In the prior art, host compromise can be said to be the most damaging attack against enterprise security protection: the purpose of all network security protection is to prevent the loss of enterprise data, most enterprise data resides on server hosts, and if a host is compromised and the compromise is not detected and traced immediately, the enterprise suffers great data loss. Moreover, a compromised host means that an attacker has broken through or bypassed the preceding layers of detection and protection and finally landed on the host, which exposes problems of product detection, source tracing and protection in the enterprise's security construction.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, a system, an electronic device and a computer-readable storage medium for detecting host compromise based on EDR and NDR, which can achieve the technical effect of improving the detection capability and the source-tracing capability for host compromise.
In a first aspect, an embodiment of the present application provides a host compromise detection method based on EDR and NDR, including:
acquiring traffic log information;
analyzing the traffic log information through an NDR (Network Detection and Response) module to generate NDR detection information;
sending the NDR detection information to an EDR (Endpoint Detection and Response) module;
analyzing the NDR detection information through the EDR module to generate host compromise information;
calling process chain information of the EDR module through the NDR module to generate host log information;
and generating host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
In this implementation, the NDR module and the EDR module are effectively linked: the NDR module can provide the EDR module with NDR detection information from multiple traffic layers, the EDR module can use that traffic-layer information to generate host compromise information and judge the compromise more accurately, and finally the EDR module and the NDR module are combined to complete the tracing of the host compromise. Therefore, the EDR- and NDR-based host compromise detection method can achieve the technical effect of improving the detection capability and the source-tracing capability for host compromise.
Further, before the step of generating the host log information by calling the process chain information of the EDR module through the NDR module, the method further includes:
and issuing a file acquisition instruction to the EDR module through the NDR module.
In this implementation, the NDR module can also send a file acquisition instruction to the EDR module to obtain a related file; correspondingly, the EDR module can also send a file acquisition instruction to the NDR module to obtain related files, completing effective linkage between the NDR module and the EDR module.
Further, after the step of generating the host log information by calling the process chain information of the EDR module through the NDR module, the method further includes:
and issuing a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of blocking a process, blocking a network connection, blocking an IP address and blocking a domain name.
In this implementation, the NDR module or the EDR module can issue a host handling command, such as blocking a process, a network connection, an IP address or a domain name, so either module can handle the compromised host, which improves the efficiency of handling the host after tracing on the NDR side.
Further, before the step of acquiring traffic log information, the method further comprises:
deploying the NDR module on a core switch and deploying the EDR module on a target host;
and carrying out linkage configuration on the NDR module and the EDR module.
In this implementation, a multi-host system comprises a core switch and a plurality of hosts; the NDR module is deployed at the core switch and can inspect the network traffic of the whole multi-host system. The EDR module can detect host compromise accurately, but an Agent must be installed on the host, so target hosts that need priority protection are selected from the multi-host system for EDR deployment. The NDR module and the EDR module are linked and can call each other's files, so the requirements of host compromise detection and source tracing are met and security protection of the whole multi-host system is completed.
In a second aspect, an embodiment of the present application provides an EDR- and NDR-based host compromise detection system, including:
an acquisition unit, configured to acquire traffic log information;
an NDR detection unit, configured to analyze the traffic log information through an NDR module and generate NDR detection information;
a sending unit, configured to send the NDR detection information to an EDR module;
a host compromise unit, configured to analyze the NDR detection information through the EDR module to generate host compromise information;
a host log unit, configured to call the process chain information of the EDR module through the NDR module to generate host log information;
and a source tracing unit, configured to generate host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
Further, the EDR- and NDR-based host compromise detection system further comprises:
a file acquisition instruction unit, configured to issue a file acquisition instruction to the EDR module through the NDR module.
Further, the EDR- and NDR-based host compromise detection system further comprises:
a handling instruction unit, configured to issue a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of process blocking, network connection blocking, IP blocking and domain name blocking.
Further, the EDR- and NDR-based host compromise detection system further comprises:
a deployment unit, configured to deploy the NDR module on a core switch and the EDR module on a target host;
and a linkage configuration unit, configured to carry out linkage configuration on the NDR module and the EDR module.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a host compromise detection method based on EDR and NDR according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of another host compromise detection method based on EDR and NDR according to an embodiment of the present application;
Fig. 3 is a block diagram of a host compromise detection system based on EDR and NDR according to an embodiment of the present application;
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The embodiments of the application provide a host compromise detection method, a host compromise detection system, an electronic device and a computer-readable storage medium based on EDR and NDR, which can be applied to the process of detecting and tracing host compromise. In this method the EDR module and the NDR module supplement each other's information: the EDR module cannot be deployed on every host and therefore cannot effectively detect hosts without an Agent, whereas the NDR module can detect those hosts; in addition, the EDR module is strong at the host layer but weak at the network traffic layer, and in the scenario of a compromised host making a reverse connection, the network traffic layer can be inspected through the NDR module to improve detection and supplement source-tracing information. In this way the NDR module and the EDR module are effectively linked: the NDR module can provide the EDR module with NDR detection information from multiple traffic layers, the EDR module can generate host compromise information after receiving it and judge the compromise more accurately, and finally the two modules are combined to trace the host compromise. Therefore, the EDR- and NDR-based host compromise detection method can achieve the technical effect of improving the detection capability and the source-tracing capability for host compromise.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of a host compromise detection method based on EDR and NDR according to an embodiment of the present application; the method includes the following steps:
S100: acquiring traffic log information.
S200: analyzing the traffic log information through the NDR module to generate NDR detection information.
Illustratively, the NDR module generates NDR detection information from the traffic log information so as to detect host compromise from network-layer traffic; however, when detection relies only on network-layer traffic information, the accuracy of host compromise detection is relatively low.
Illustratively, the NDR module takes the network as its monitoring dimension to guarantee the networking security of the host: by monitoring network traffic and network behavior it discovers abnormal networking behavior of the host and controls that behavior.
S300: sending the NDR detection information to the EDR module.
S400: analyzing the NDR detection information through the EDR module to generate host compromise information.
Exemplarily, the EDR module is an active endpoint security solution whose Agent needs to be installed on the corresponding host. The EDR module operates by recording terminal (host) events (e.g., user, file, process, registry and memory events) and storing this information locally on the endpoint or in a centralized database. It continuously searches this data and applies machine learning techniques together with known attack indicators and behavioral analysis databases, monitors for possible security threats and responds to them quickly. It also helps to investigate the scope of an attack quickly and provides response capability.
Illustratively, detection by the EDR module is relatively strong at the host layer but relatively weak at the network traffic layer, and in the scenario of a compromised host making a reverse connection, network traffic layer information is needed to improve detection and supplement source-tracing information. Therefore, by receiving the NDR detection information sent by the NDR module, the EDR module obtains log information and data from multiple traffic layers, and with that traffic-layer information it can judge the compromise more accurately; finally it generates host compromise information describing the compromise, which effectively improves the detection accuracy for host compromise.
S500: calling the process chain information of the EDR module through the NDR module to generate host log information.
In some embodiments, the process chain of the host, an entity relationship diagram, a host lateral-movement diagram and the like can be viewed on the product interface of the NDR module, which further improves the convenience of tracing host compromise on the NDR module. The process chain (process tree) is an effective tool for compromise tracing, as the whole course of a threat event against the host can be seen very intuitively.
S600: generating host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
For example, the NDR module may obtain process chain information (host-level information, i.e., host log information) from the EDR module, and the EDR module may obtain network-level information (i.e., traffic log information) from the NDR module; deep tracing of the compromise of one or several hosts is then performed by combining the host compromise information, the traffic log information and the host log information, and host compromise tracing data is generated.
Referring to Fig. 2, Fig. 2 is a schematic flowchart of another host compromise detection method based on EDR and NDR according to an embodiment of the present application.
Exemplarily, before step S500 of calling the process chain information of the EDR module through the NDR module and generating the host log information, the method further includes:
S501: issuing a file acquisition instruction to the EDR module through the NDR module.
For example, the NDR module may also send a file acquisition instruction to the EDR module to obtain a related file; correspondingly, the EDR module may also send a file acquisition instruction to the NDR module to obtain related files, completing effective linkage between the NDR module and the EDR module.
Exemplarily, after step S500 of calling the process chain information of the EDR module through the NDR module and generating the host log information, the method further includes:
S510: issuing a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of blocking a process, blocking a network connection, blocking an IP address and blocking a domain name.
Illustratively, the NDR module or the EDR module may issue a host handling command, such as blocking a process, a network connection, an IP address or a domain name, so either module can handle a compromised host, which improves the efficiency of tracing and handling on the NDR side. Generally, tracing and handling of a compromised host are done together.
Exemplarily, before step S100 of acquiring the traffic log information, the method further includes:
S101: deploying the NDR module on a core switch and deploying the EDR module on a target host;
S102: carrying out linkage configuration on the NDR module and the EDR module.
Illustratively, a multi-host system comprises a core switch and a plurality of hosts; the NDR module is deployed at the core switch, so the network traffic of the whole multi-host system can be inspected. The EDR module can detect host compromise accurately, but an Agent must be installed on the host, so target hosts that need priority protection are selected from the multi-host system for EDR deployment. The NDR module and the EDR module are linked and can call each other's files, so the requirements of host compromise detection and source tracing are met and security protection of the whole multi-host system is completed.
In some implementation scenarios, the EDR- and NDR-based host compromise detection method can be applied to the security protection of enterprise hosts. For the scenario of a compromised host connecting outward, the environment is built and the detection and tracing of enterprise host compromise prepared as follows:
1) The NDR module is deployed at the enterprise core switch and inspects mirrored traffic, so that all host traffic entering and leaving the core switch is monitored by the NDR module and can be detected (NDR detection information); the NDR module therefore obtains traffic information for most hosts and can also detect signs of host compromise. In detecting host compromise this mainly provides a wide detection range.
2) The Agent of the EDR module is deployed on the target hosts to be protected, and those target hosts are protected.
3) The NDR module and the EDR module are linked, so that they can connect to and call each other and part of the linkage functions are realized, meeting the requirements of detection and tracing.
According to the traditional technical scheme, the scenario of a compromised host connecting outward is generally detected with a common host compromise detection method, or host compromise detection is performed by a single product such as EDR, NDR or a SIEM (Security Information and Event Management) platform, and comprehensiveness cannot be well guaranteed. Currently a compromised host is detected by EDR or NDR as a single product, which can tentatively judge that the host is compromised or that it is making a reverse connection; enterprises with better network security construction may use a SIEM platform for unified detection and tracing. A SIEM platform commonly integrates logs and performs unified log analysis, detection and tracing: the logs and alarm data of security products such as EDR and NDR are collected on the SIEM platform, which analyzes and processes the logs of multiple products (devices) and makes a unified, comprehensive judgment of threat alarms, detection and tracing.
Illustratively, if detection of the host relies only on NDR, that is, only on network-layer traffic information, the detection accuracy is relatively low; moreover, if the way the host was compromised does not pass through the network or through the enterprise core switch, no network-layer traffic or logs are generated and the NDR module cannot detect it, for example offline cryptomining, ransomware, viruses, worms and Trojans. EDR can detect host compromise accurately, but a corresponding Agent must be installed on the host; most enterprises cannot install the Agent on all hosts, some hosts cannot have it installed for various business reasons, and without an Agent the EDR module cannot detect host compromise at all. Meanwhile, with only a single device, little information can be obtained for the scenario of a compromised host connecting outward, and detection and tracing are very difficult; detection and tracing depend on the amount of information, and with little information it is hard to reach a detection or tracing result. The SIEM approach has a long construction period and high investment cost, various data sources still need to be integrated after the platform is completed, and huge manpower must be invested in security operations, so for many companies, especially small and medium-sized ones, a SIEM platform is not worth the investment. Moreover, the SIEM integrates log and alarm data, its own detection capability is very limited, and in the end it is actually the EDR or NDR products that do the detection and tracing.
Exemplarily, compared with single-product host compromise detection in the conventional technical scheme, the technical scheme provided by the embodiments of the application links EDR and NDR with each other so that the two products detect together, detecting host compromise more comprehensively and accurately, and targets the scenario of a compromised host making a reverse connection. The advantages of the application in solving these problems are as follows: first, detection and tracing no longer rely on a single product but make reasonable use of both EDR and NDR, realizing comprehensive endpoint + network detection and tracing that is more accurate and comprehensive than that of a single product; second, the construction cost is lower, since only the two products EDR and NDR are needed to achieve very comprehensive and accurate detection, and most host intrusion threats can be detected and traced. The cost-performance ratio of the scheme is high.
For example, in the EDR- and NDR-based host compromise detection method provided in the embodiments of the present application, both the NDR module and the EDR module detect the threats they are able to detect, and they can supplement each other's information. EDR detection requires the host to have the corresponding Agent installed; if a host does not or cannot install the Agent for some reason, the EDR module detects very little on that host. In this case the NDR module can be used as a supplement that enlarges the detection surface, and hosts without an Agent can be detected through the NDR module. Similarly, the EDR module is stronger at the host layer but weaker at the network traffic layer, and in the reverse-connection scenario it can use network traffic layer information to improve detection and supplement source-tracing information.
Illustratively, in the process by which the NDR module and the EDR module complement each other's information, the NDR module collects network traffic level information and the EDR module collects host log level information. After the NDR module and the EDR module are linked, the NDR module can provide the EDR module with log information and data from many traffic levels, and after receiving the traffic-level information the EDR module can use it to judge the host compromise more accurately. Generally, the more information is available, the higher the accuracy of the judgment; in many cases it is difficult to judge at the host level whether a threat is present, or the rules on the host are difficult to grasp, whereas at the traffic and network level the picture is clearer, and the information provided by the network can greatly improve accuracy.
In some implementation scenarios, for enterprise host compromise detection involving a Trojan file, the specific flow of the EDR- and NDR-based host compromise detection method provided in the embodiments of the present application is as follows:
1) The NDR module is built and deployed at the enterprise core switch, the EDR module is deployed in the enterprise, and the Agent of the EDR module is deployed on the enterprise's target hosts. The NDR module and the EDR module are configured and linked, completing the construction of the detection and tracing environment.
2) An attacker exploits a vulnerability on the web server and, through the file-upload function of a web page, uploads a Trojan file A (a small file) to the web directory; the host is now compromised.
3) Because Trojan file A is small, it shows no malicious behavior at this point and has only a download function; following the common 'small Trojan pulls in the big Trojan' pattern, it makes an outward connection from the compromised host to a normal-looking network address and downloads a large Trojan file B, which can carry out a series of operations such as data theft and lateral movement within the intranet.
4) During this process, the NDR module detects traffic-layer information: the NDR detection information can catch Trojan file A, but the NDR module does not know where on the host the file landed and cannot determine by itself that it is a malicious file. After the EDR module receives the NDR detection information, it combines it with the reverse connection of the host and the series of operations of Trojan file B, judges the host to be compromised, and generates host compromise information.
5) In the tracing process, the NDR module can directly call the process chain information of the EDR module and view host-layer information on the NDR module's product interface; at the same time, the traffic log information provided by the NDR module and the host log information provided by the EDR module are combined with the host compromise information to reconstruct the whole attack process and present the full course of the threat event.
6) The NDR module or the EDR module can issue commands to block the process and the reverse-connection address, and execute the deletion operation.
In this hacking scenario, by linking, the NDR module and the EDR module can each provide the other with a large amount of information, which helps further tracing. The EDR module can obtain more traffic-level log information, which is of great help in judging a compromise that involves a reverse connection, and from the traffic-level information the EDR module can understand the full context of the attack process more clearly. This mainly helps security operators trace back to the attack entry point on the host, that is, how the hacker got in: hackers generally attack from the network layer first and then intrude into the host, and if traces are found in the network information, the tracing work is greatly advanced. Likewise, the NDR module can obtain more host-level log information, such as the location of a Webshell file on the host, which helps security personnel complete handling and tracing of the host from the NDR module.
Therefore, the EDR and NDR based host compromise detection method provided in the embodiment of the present application does not rely on a single product for detection and tracing, but makes reasonable use of the two products, the EDR module and the NDR module, so that comprehensive endpoint-plus-network detection and tracing is achieved. Detection and tracing are more accurate and comprehensive than with a single product, and the detection and tracing capability for host compromise is greatly improved. The construction cost is also lower: only the two products, the EDR module and the NDR module, are needed to achieve very comprehensive and accurate detection, most host intrusion threats can be detected and traced, and the scheme is highly cost-effective.
Referring to fig. 3, fig. 3 is a block diagram illustrating the structure of an EDR and NDR based host compromise detection system according to an embodiment of the present application, where the EDR and NDR based host compromise detection system includes:
an acquisition unit 100, configured to acquire traffic log information;
an NDR detection unit 200, configured to analyze the traffic log information through the NDR module and generate NDR detection information;
a sending unit 300, configured to send the NDR detection information to the EDR module;
a host compromise unit 400, configured to analyze the NDR detection information through the EDR module and generate host compromise information;
a host log unit 500, configured to call the process chain information of the EDR module through the NDR module and generate host log information;
and a tracing unit 600, configured to generate host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
Illustratively, the EDR and NDR based host compromise detection system further comprises:
a file acquisition instruction unit, configured to issue a file acquisition instruction to the EDR module through the NDR module.
Illustratively, the EDR and NDR based host compromise detection system further comprises:
a handling instruction unit, configured to issue a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of process blocking, network connection blocking, IP blocking and domain name blocking.
Illustratively, the EDR and NDR based host compromise detection system further comprises:
a deployment unit, configured to deploy the NDR module on the core switch and the EDR module on the target host;
and a linkage configuration unit, configured to carry out linkage configuration on the NDR module and the EDR module.
It should be noted that the EDR and NDR based host compromise detection system shown in fig. 3 corresponds to the method embodiments shown in fig. 1 and fig. 2 and, to avoid repetition, is not described again here.
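The flow of steps 1) to 6) above and the units 100 to 600 of fig. 3, simulated end to end as an added example; this is not code from the patent or its assignee. All traffic records, process records, addresses, file names and paths are constructed sample data, and the list of upload types the NDR side flags (WEB_SCRIPT_EXT) is an assumption.

```python
import posixpath

WEB_SCRIPT_EXT = (".jsp", ".php", ".aspx")  # assumption: upload types NDR flags

# Constructed traffic log as seen by the NDR module at the core switch (unit 100).
TRAFFIC_LOG = [
    {"ts": 100, "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80, "kind": "upload", "file": "a.jsp"},
    {"ts": 130, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "kind": "download", "file": "b.bin"},
    {"ts": 131, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 4444, "kind": "connect", "file": None},
]

# Constructed process chain recorded by the EDR agent on host 192.0.2.10.
PROCESS_CHAIN = [
    {"ts": 90, "pid": 1200, "ppid": 1, "image": "java", "file": None, "remote": None},
    {"ts": 128, "pid": 1350, "ppid": 1200, "image": "sh", "file": "/var/www/html/uploads/a.jsp", "remote": None},
    {"ts": 130, "pid": 1351, "ppid": 1350, "image": "curl", "file": "/tmp/b.bin", "remote": "198.51.100.5:443"},
    {"ts": 131, "pid": 1360, "ppid": 1350, "image": "b.bin", "file": "/tmp/b.bin", "remote": "198.51.100.5:4444"},
]

def ndr_detect(traffic):
    """Unit 200 / step 4: flag a small web-script upload after which the receiving
    host fetches a file from, then reconnects to, the same external address.
    NDR sees the file name but neither its path on the host nor a verdict."""
    for up in traffic:
        if up["kind"] != "upload" or not (up["file"] or "").endswith(WEB_SCRIPT_EXT):
            continue
        victim = up["dst"]
        later = [r for r in traffic if r["src"] == victim and r["ts"] > up["ts"]]
        dl = next((r for r in later if r["kind"] == "download"), None)
        rc = next((r for r in later if dl and r["kind"] == "connect"
                   and r["dst"] == dl["dst"] and r["ts"] >= dl["ts"]), None)
        if dl and rc:
            return {"host": victim, "suspect_file": up["file"],
                    "download": f'{dl["dst"]}:{dl["dport"]}',
                    "reverse_conn": f'{rc["dst"]}:{rc["dport"]}',
                    "verdict": "suspicious"}  # NDR alone does not confirm
    return None

def edr_judge(ndr_info, chain):
    """Unit 400 / step 4: confirm compromise only when the suspect file is backed
    by a host process whose child process makes the reverse connection NDR saw."""
    if ndr_info is None:
        return None
    for p in chain:
        if p["file"] and posixpath.basename(p["file"]) == ndr_info["suspect_file"]:
            rev = [c for c in chain if c["ppid"] == p["pid"]
                   and c["remote"] == ndr_info["reverse_conn"]]
            if rev:
                return {"host": ndr_info["host"], "webshell_path": p["file"],
                        "root_pid": p["pid"], "reverse_pid": rev[0]["pid"],
                        "reverse_conn": ndr_info["reverse_conn"],
                        "payload": rev[0]["file"], "verdict": "compromised"}
    return None  # network suspicion without host-side evidence: not compromised

def process_chain_info(chain, root_pid):
    """Unit 500 / step 5: NDR pulls from EDR the process chain rooted at root_pid."""
    by_pid = {p["pid"]: p for p in chain}
    out, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        out.append(by_pid[pid])
        queue.extend(p["pid"] for p in chain if p["ppid"] == pid)
    return sorted(out, key=lambda p: p["ts"])

def build_trace(compromise, traffic, host_log):
    """Unit 600 / step 5: merge traffic and host events into one ordered timeline."""
    events = [(r["ts"], "net", f'{r["src"]} -> {r["dst"]}:{r["dport"]} {r["kind"]} {r["file"] or ""}'.strip())
              for r in traffic if compromise["host"] in (r["src"], r["dst"])]
    events += [(p["ts"], "host", f'pid {p["pid"]} {p["image"]} {p["file"] or ""}'.strip())
               for p in host_log]
    return sorted(events)

if __name__ == "__main__":
    ndr = ndr_detect(TRAFFIC_LOG)                          # step 4, NDR side
    comp = edr_judge(ndr, PROCESS_CHAIN)                   # step 4, EDR side
    host_log = process_chain_info(PROCESS_CHAIN, comp["root_pid"])
    for event in build_trace(comp, TRAFFIC_LOG, host_log):  # step 5, tracing
        print(event)
```

The step 6 handling commands (block the reverse-connection process and address, delete the file) would be issued from the `webshell_path`, `reverse_pid` and `reverse_conn` fields of the compromise record.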
Fig. 4 shows a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540, where the communication bus 540 is used to realize direct connection communication between these components. In this embodiment, the communication interface 520 of the electronic device is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip with signal processing capability.
The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or execute the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), and the like. The memory 530 stores computer-readable instructions which, when executed by the processor 510, enable the electronic device to perform the steps involved in the method embodiments of fig. 1 and 2 described above.
Optionally, the electronic device may further include a memory controller and an input/output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface and the input/output unit are electrically connected to each other directly or indirectly to implement data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let a user create a task and start it, either within a selectable time period or at a preset execution time, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 4, or may have a different configuration from that shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
The embodiment of the present application further provides a storage medium storing instructions; when the instructions are run on a computer, that is, when the computer program is executed by a processor, the method in the method embodiments is implemented, and to avoid repetition the details are not repeated here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A host compromise detection method based on EDR and NDR, characterized by comprising the following steps:
acquiring traffic log information;
analyzing the traffic log information through an NDR module to generate NDR detection information;
sending the NDR detection information to an EDR module;
analyzing the NDR detection information through the EDR module to generate host compromise information;
calling process chain information of the EDR module through the NDR module to generate host log information;
and generating host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
2. The EDR and NDR based host compromise detection method of claim 1, wherein, before the step of calling process chain information of the EDR module through the NDR module to generate host log information, the method further comprises:
issuing a file acquisition instruction to the EDR module through the NDR module.
3. The EDR and NDR based host compromise detection method of claim 1 or 2, wherein, after the step of calling process chain information of the EDR module through the NDR module to generate host log information, the method further comprises:
issuing a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of process blocking, network connection blocking, IP blocking and domain name blocking.
4. The EDR and NDR based host compromise detection method of claim 1, wherein, before the step of acquiring traffic log information, the method further comprises:
deploying the NDR module on a core switch and deploying the EDR module on a target host;
and carrying out linkage configuration on the NDR module and the EDR module.
5. A host compromise detection system based on EDR and NDR, characterized by comprising:
an acquisition unit, configured to acquire traffic log information;
an NDR detection unit, configured to analyze the traffic log information through an NDR module and generate NDR detection information;
a sending unit, configured to send the NDR detection information to an EDR module;
a host compromise unit, configured to analyze the NDR detection information through the EDR module and generate host compromise information;
a host log unit, configured to call the process chain information of the EDR module through the NDR module and generate host log information;
and a tracing unit, configured to generate host compromise tracing data according to the host compromise information, the traffic log information and the host log information.
6. The EDR and NDR based host compromise detection system of claim 5, further comprising:
a file acquisition instruction unit, configured to issue a file acquisition instruction to the EDR module through the NDR module.
7. The EDR and NDR based host compromise detection system of claim 5 or 6, further comprising:
a handling instruction unit, configured to issue a host handling instruction to the compromised host through the NDR module or the EDR module, wherein the host handling instruction comprises one or more of process blocking, network connection blocking, IP blocking and domain name blocking.
8. The EDR and NDR based host compromise detection system of claim 5, further comprising:
a deployment unit, configured to deploy the NDR module on a core switch and the EDR module on a target host;
and a linkage configuration unit, configured to carry out linkage configuration on the NDR module and the EDR module.
9. An electronic device, comprising: a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the EDR and NDR based host compromise detection method as claimed in any one of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium having stored thereon instructions which, when executed on a computer, cause the computer to perform the EDR and NDR based host compromise detection method of any one of claims 1 to 4.
CN202210002637.9A 2022-01-05 2022-01-05 Host computer defect detection method and system based on EDR and NDR Pending CN114024775A (en)

Publications (1)

Publication Number Publication Date
CN114024775A true CN114024775A (en) 2022-02-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220208