CN114629696A - Security detection method and device, electronic equipment and storage medium

Info

Publication number: CN114629696A
Authority: CN (China)
Prior art keywords: terminal, operation behavior, abnormal, target, behavior
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202210188255.XA
Other languages: Chinese (zh)
Inventors: 刘紫千, 常力元, 孙福兴, 李金伟, 余启明, 顾庆崴, 陈林, 刘长波
Current assignee: Tianyi Safety Technology Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: Tianyi Safety Technology Co Ltd
Events: application filed by Tianyi Safety Technology Co Ltd; priority to CN202210188255.XA; publication of CN114629696A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

An embodiment of the application provides a security detection method and apparatus, an electronic device and a storage medium. The target terminal to be detected is monitored in real time, which achieves lightweight data acquisition for that terminal, and anomaly analysis is performed on each terminal operation behavior recorded in the acquired terminal operation data according to preset detection rules. This substantially reduces the operating load that security detection analysis would otherwise place on the target terminal and lowers its system resource consumption. At the same time, the administrator can determine, from the acquired terminal operation data, the complete operation path that a terminal threat (such as an unknown program) took on the target terminal, which further ensures the accuracy of security detection for that terminal.

Description

Security detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a security detection method and apparatus, an electronic device, and a storage medium.
Background
With the development of the information age, network attacks of all kinds emerge endlessly and pose a serious security threat to the information assets of the target object. To maintain the information security of the target object, besides a sound defense system (such as a network firewall), an Intrusion Detection System (IDS) often has to be built for the network environment to which the target terminal belongs, so that the various abnormal operation behaviors triggered on the target terminal in that environment can be responded to in time.
Specifically, in the related art, a detection agent module is usually deployed on a specified target terminal. The agent takes the terminal operation data stored on the target terminal (such as system logs and application logs) as its data source, analyzes and judges each terminal operation behavior recorded in that data, and promptly responds to and raises alarms for the abnormal operation behaviors it finds. The target terminal then sends the corresponding alarm information to a designated management platform, where the administrator decides on a security detection scheme based on the received alarm information, thereby helping the target object achieve security detection for the target terminal.
However, the above approach has the following disadvantages:
1. The terminal load is large.
In the related art, because the volume of terminal operation data is usually large, analyzing every terminal operation behavior recorded in it on the detection agent module places a heavy operating load on the target terminal, which adversely affects the normal operation of other services on that terminal.
2. The detection accuracy is low.
In the related art, the intrusion detection system usually reports alarm information to the administrator according to the alarm type of each detected abnormal operation behavior. That alarm format does not reflect the normal operation behaviors associated with the abnormal ones, so in practice the administrator finds it hard to determine the complete operation path of the corresponding terminal threat (such as an unknown program) on the target terminal from the alarm information alone. In other words, the alarm information for the target terminal in the related art is one-dimensional; the administrator's security detection analysis of the target terminal is therefore not comprehensive enough, and the accuracy of security detection suffers.
Disclosure of Invention
An embodiment of the application provides a security detection method and apparatus, an electronic device and a storage medium, which reduce the heavy operating load placed on a target terminal during security detection and improve the accuracy of security detection.
In a first aspect, an embodiment of the present application provides a security detection method, including:
obtaining terminal operation data of a target terminal to be detected, where at least one terminal operation behavior triggered on the target terminal is recorded in the terminal operation data;
performing anomaly analysis on the obtained terminal operation behaviors based on a preset detection rule, and determining, from the analysis result, at least one abnormal operation behavior to be detected;
determining, based on the operation type of each abnormal operation behavior, the cumulative number of operations of that operation type on the target terminal, and generating target alarm information from the cumulative counts obtained;
sending the target alarm information and the terminal operation data to a specified management server for security detection analysis of the target terminal.
In a second aspect, an embodiment of the present application provides a security detection apparatus, including:
an acquisition module, configured to obtain terminal operation data of a target terminal to be detected, where at least one terminal operation behavior triggered on the target terminal is recorded in the terminal operation data;
a detection module, configured to perform anomaly analysis on the obtained terminal operation behaviors based on a preset detection rule and to determine, from the analysis result, at least one abnormal operation behavior to be detected;
an alarm module, configured to determine, based on the operation type of each abnormal operation behavior, the cumulative number of operations of that operation type on the target terminal, and to generate target alarm information from the cumulative counts obtained;
a transmission module, configured to send the target alarm information and the terminal operation data to a specified management server for security detection analysis of the target terminal.
In an optional embodiment, when obtaining the terminal operation data of the target terminal to be detected, the acquisition module is specifically configured to:
monitor the target terminal to be detected in real time and obtain its terminal log data, in which at least one terminal operation behavior triggered on the target terminal is recorded; and
parse the terminal log data according to a preset analysis rule, and determine the terminal operation data to be detected from the log data based on the parsing result.
In an optional embodiment, when performing anomaly analysis on the obtained terminal operation behaviors based on a preset detection rule and determining at least one abnormal operation behavior from the analysis result, the detection module is specifically configured to:
aggregate those terminal operation behaviors whose operation times satisfy a preset detection time condition, and determine at least one operation behavior combination to be detected from the aggregation result; and
perform anomaly analysis on each operation behavior combination against a preset abnormal behavior sequence, determining at least one abnormal operation behavior from the analysis result.
In an optional embodiment, when performing anomaly analysis on each obtained operation behavior combination against a preset abnormal behavior sequence, the detection module is specifically configured to perform the following for each operation behavior combination:
determine the similarity between the operation behavior combination and the abnormal behavior sequence;
if the similarity is below a preset similarity threshold, classify each terminal operation behavior in the combination as a normal operation behavior;
if the similarity is not below the preset similarity threshold, classify each terminal operation behavior in the combination as an abnormal operation behavior.
In an optional embodiment, before determining, based on the operation type of each abnormal operation behavior, the cumulative number of operations of that type on the target terminal, the alarm module is further configured to:
generate abnormal alarm information for each abnormal operation behavior, the abnormal alarm information including at least the operation time and operation type of that behavior; and
send each piece of abnormal alarm information to the specified management server to raise an abnormality alarm for the target terminal.
In an optional embodiment, when generating target alarm information from the cumulative operation counts, the alarm module is specifically configured to:
generate cumulative alarm information for each operation type from its cumulative operation count; and
aggregate all the cumulative alarm information according to a preset statistical rule to produce the target alarm information.
In a third aspect, an embodiment of the present application further provides an electronic device, including a memory and a processor, where the memory stores a computer program that is executable on the processor, and when the computer program is executed by the processor, the processor is caused to implement any one of the security detection methods in the first aspect.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the security detection method of the first aspect is implemented.
In a fifth aspect, the present application further provides a computer program product, which when called by a computer, causes the computer to execute the method according to the first aspect.
An embodiment of the application provides a security detection method and apparatus, an electronic device and a storage medium. The target terminal to be detected is monitored in real time, which achieves lightweight data acquisition for that terminal, and anomaly analysis is performed on each terminal operation behavior recorded in the acquired terminal operation data according to preset detection rules. This substantially reduces the operating load that security detection analysis would otherwise place on the target terminal and lowers its system resource consumption. In addition, the collected terminal operation data is sent to the specified management server, so that the administrator can use the abnormality information attached to each detected abnormal operation behavior (such as its operation type or operation time) to look up the associated normal operation behaviors in the terminal operation data, and from those reconstruct the complete operation path of the corresponding terminal threat (such as an unknown program) on the target terminal, which further ensures the accuracy of security detection for the target terminal.
Drawings
Fig. 1 is a schematic diagram of a possible application scenario provided in an embodiment of the present application;
Fig. 2 is a block diagram of a security detection system according to an embodiment of the present application;
Fig. 3 is a flowchart of a security detection method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a method for acquiring terminal operation data according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an alarm display interface according to an embodiment of the present application;
Fig. 6 is a schematic view of a security detection visualization platform provided in an embodiment of the present application;
Fig. 7 is a logic diagram of a security detection method according to an embodiment of the present application;
Fig. 8 is a schematic view of a security detection apparatus according to an embodiment of the present application;
Fig. 9 is a schematic view of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein.
The design idea of the application is as follows:
In the related art, because the volume of terminal operation data is usually large, a heavy operating load is placed on the target terminal while the detection agent module analyzes each terminal operation behavior recorded in that data. Furthermore, the intrusion detection system of the related art reports alarm information to the administrator according to the alarm type of each detected abnormal operation behavior; that alarm format does not reflect the normal operation behaviors associated with the abnormal ones, so in practice the administrator finds it hard to determine the complete operation path of the corresponding terminal threat (such as an unknown program) on the target terminal from the alarm information alone. In other words, the alarm information for the target terminal in the related art is too one-dimensional.
To reduce the heavy operating load placed on a target terminal during security detection and to improve detection accuracy, embodiments of the application provide a security detection method and apparatus, an electronic device and a storage medium. The target terminal to be detected is monitored in real time, achieving lightweight data acquisition, and the terminal operation behaviors recorded in the acquired terminal operation data are analyzed for anomalies against a preset detection rule, which substantially reduces the operating load that security detection analysis places on the target terminal and lowers its system resource consumption.
Further, in the embodiment of the application, the cumulative number of operations of each operation type on the target terminal is computed by aggregating over the operation types of the detected abnormal operation behaviors, and target alarm information for the target terminal is generated from those statistics. This aggregated view lets the administrator see the behavior pattern of the abnormal operations on the target terminal more clearly and accurately, and so supports fast security detection analysis. In addition, the collected terminal operation data is sent to the designated management server, so that the administrator can use the abnormality information attached to each detected abnormal operation behavior (such as its operation type or operation time) to look up the associated normal operation behaviors in the terminal operation data, and from those reconstruct the complete operation path of the corresponding terminal threat (such as an unknown program) on the target terminal, which further ensures the accuracy of security detection for the target terminal.
The security detection method provided by the embodiment of the present application is explained further below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a possible application scenario provided in the embodiment of the present application; the scenario includes a management server 10 and a target terminal 11.
A client for security detection is installed on the target terminal 11. The client may be software (for example a browser), a web page, an applet or the like, and it may also be deployed on a physical machine, a virtual machine or a cloud environment corresponding to the target terminal. There may be one or more target terminals 11; for convenience of description, the embodiment assumes a single one. The target terminal 11 may be, but is not limited to, a mobile phone, a tablet computer, a notebook computer, a desktop computer, an e-book reader, an intelligent voice interaction device, a smart household appliance, a vehicle-mounted terminal, or a virtual machine with a complete hardware system function.
The management server 10 is the background server for the software, web page, applet or the like, or a server dedicated to security detection; the application does not limit this. The management server 10 may be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, web services, cloud communication, middleware services, domain name services, security services, a CDN (Content Delivery Network), and big data and artificial intelligence platforms.
In an optional embodiment, the target terminal 11 monitors its own processes, network connections and other behaviors through the deployed security detection client, collects the corresponding terminal operation data, and sends it to the specified management server 10, which then performs security detection analysis of the target terminal 11 based on the collected data.
Referring to Fig. 2, the embodiment of the present application further provides a security detection system 20, which includes a detection client 201, an analysis engine 202 and a detection platform 203.
The detection client 201 monitors a specified target terminal in real time to collect its terminal operation data. Optionally, the detection client 201 may be deployed on the target terminal itself (for example a physical or virtual machine) or in the cloud environment corresponding to the target terminal. The detection client 201 may also send the collected terminal operation data to the analysis engine 202 over a created data transmission channel, so that the analysis engine 202 detects abnormal operation behaviors and raises alarms according to a preset alarm rule.
The analysis engine 202 performs anomaly analysis on the received terminal operation data, screens out the abnormal operation behaviors triggered on the target terminal, and raises alarms of the corresponding types. Optionally, at least one alarm rule determined for a specified alarm type, or a preset machine learning algorithm, is used to perform the anomaly analysis and raise the corresponding alarms for the terminal operation behaviors recorded in the terminal operation data.
The detection platform 203 receives the alarm information sent by the analysis engine 202, performs aggregate statistics on it, and presents it in a unified display, so that the administrator can carry out faster and more accurate security detection analysis from the displayed information. The functions of the detection platform 203 may be implemented by a single server, a cloud server, a blockchain server or a server cluster, which is not described further here.
Based on the above system architecture, and referring to Fig. 3, an embodiment of the present application provides a security detection method that includes the following steps.
S301: obtain terminal operation data of a target terminal to be detected.
Specifically, the terminal operation data of the target terminal is obtained by monitoring the target terminal in real time; at least one terminal operation behavior triggered on the target terminal is recorded in that data. Optionally, the terminal log data of the target terminal is captured in real time and parsed according to a preset analysis rule, so that the terminal operation behaviors satisfying the analysis rule are screened out of the captured log and used as the terminal operation data of the target terminal.
For example, in an optional embodiment, the detection client 201 may monitor the operation log of the target terminal in real time, where the operation log may include:
a process operation log;
a file operation log;
a network operation log;
a registry operation log.
The captured operation log is then parsed according to a preset analysis rule. In an optional embodiment the analysis rule includes at least one target operation type determined for the target terminal, and during parsing the terminal operation behaviors corresponding to those target operation types are screened out of the operation log collected from the terminal. Optionally, a preset analysis operation sequence may also be used to filter the operation log, which reduces the volume of terminal operation data to be analyzed and the computation required for security detection analysis.
For example, referring to Fig. 4, in an alternative embodiment the detection client 201 monitors the target terminal to be detected in real time and captures its operation log as it is produced; each captured operation log may be forwarded using techniques such as API hooking, and the terminal operation behaviors in the log that satisfy the preset analysis rule are screened out and used as the terminal operation data.
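The acquisition and screening step of S301, as an added example that is not the patent's own code: it parses a constructed operation log covering the four log types named above (process, file, network, registry) and keeps only the records whose operation type is in an assumed analysis rule, so that the data handed to the later anomaly analysis is smaller than the raw log. The one-record-per-line format, the `ANALYSIS_RULE` set, the sample records (including the example registry path and the 203.0.113.5 documentation address) and all function names are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Set

# Assumed line format: "<ts> <category> <source> <op> <target>", one record per
# line; category is one of the four operation-log types named on the page.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<category>process|file|network|registry) "
    r"(?P<source>\S+) (?P<op>\S+) (?P<target>\S+)$"
)

# Constructed sample operation log (not captured from a real terminal). The
# registry path and the 203.0.113.5 address are placeholders.
SAMPLE_LOG = """\
1001 file unknown.exe create_file C:\\Temp\\svc.dll
1002 file unknown.exe write_file C:\\Temp\\svc.dll
1003 process unknown.exe create_process C:\\Temp\\svc.dll
1004 network browser.exe connect 203.0.113.5:443
1005 registry unknown.exe modify_registry HKLM\\SOFTWARE\\ExampleVendor\\TrustList
1006 file editor.exe read_file D:\\notes.txt
garbage line that does not parse
"""

# Assumed analysis rule: the target operation types worth forwarding for
# detection. Everything else stays on the terminal and is never analysed.
ANALYSIS_RULE: Set[str] = {
    "create_file", "open_file", "write_file", "create_process",
    "modify_registry", "close_firewall",
}


def parse_log(text: str) -> List[Dict]:
    """Turn raw log text into terminal operation behaviour records.
    Malformed lines are skipped rather than allowed to abort acquisition."""
    records = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        records.append(rec)
    return records


def screen(records: List[Dict], rule: Set[str] = ANALYSIS_RULE) -> List[Dict]:
    """Keep only behaviours whose operation type is a target operation type."""
    return [r for r in records if r["op"] in rule]


def acquire(text: str, rule: Set[str] = ANALYSIS_RULE) -> List[Dict]:
    """S301 end to end: parse the captured log and screen it by the rule."""
    return screen(parse_log(text), rule)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    kept = screen(parsed)
    print(f"parsed {len(parsed)} records, forwarding {len(kept)}")
    for r in kept:
        print(r["ts"], r["category"], r["source"], r["op"], r["target"])
```

The screening happens on the terminal before anything is analysed, which is where the load reduction the page describes comes from; the unparsed line shows the acquisition step tolerating a corrupt record instead of failing.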
S302: perform anomaly analysis on the obtained terminal operation behaviors based on a preset detection rule, and determine, from the analysis result, at least one abnormal operation behavior to be detected.
A preset detection rule is applied to analyze the terminal operation behaviors contained in the terminal operation data for anomalies. Optionally, those terminal operation behaviors whose operation times satisfy a preset detection time condition are aggregated, at least one operation behavior combination to be detected is determined from the aggregation result, and each combination is then analyzed against a preset abnormal behavior sequence.
Specifically, an abnormal behavior sequence is the operation sequence formed by one or more abnormal operation behaviors; when an operation behavior combination hits the abnormal behavior sequence, every terminal operation behavior in that combination may be regarded as abnormal.
Further, in an actual situation, corresponding abnormal behavior sequences are often required to be determined for different abnormal operation types. For example, in the embodiment of the present application, the following abnormal behavior sequences 1 to 5 may be adopted to perform abnormal analysis on the operation behaviors of each terminal. The method comprises the following steps:
1. an exception call sequence.
Specifically, in the embodiment of the application, a preset abnormal calling sequence is adopted to perform abnormal analysis on each terminal operation behavior of a calling operation type; specifically, in an actual situation, when the terminal threat to be detected is characterized as a malicious program call, an abnormal call sequence for the abnormal operation type may be determined based on corresponding call operation types (e.g., creating a file, opening a file, etc.).
For example, in an alternative embodiment, to prevent a malicious program from automatically releasing a virus file and self-starting, the abnormal call sequence may be expressed as: creating a file, opening the file, writing the file, creating a process and starting, wherein the abnormal operation behaviors come from the same operation source; when it is determined that a certain operation behavior combination from the same operation source hits the abnormal call sequence, the terminal operation behaviors included in the operation behavior combination may be considered as corresponding abnormal operation behaviors.
2. An abnormal release sequence.
Specifically, in the embodiment of the application, a preset abnormal release sequence is adopted to perform abnormal analysis on each terminal operation behavior of the release operation type; in an actual situation, when the terminal threat to be detected is characterized by a malicious program releasing an executable file, an abnormal release sequence for that operation type may be determined based on the corresponding release operation types (e.g., creating a file, opening a file, etc.).
For example, in an alternative embodiment, to prevent a malicious program from automatically releasing a virus file (e.g., an executable file such as a DLL, EXE, or SYS file), the abnormal release sequence may be expressed as: creating a file, opening the file, writing the file, wherein the abnormal operation behaviors come from the same operation source and act on the same file; when it is determined that a certain operation behavior combination from the same operation source and for the same file hits the abnormal release sequence, each terminal operation behavior included in the operation behavior combination may be considered a corresponding abnormal operation behavior.
3. An abnormal addition sequence.
Specifically, in the embodiment of the application, a preset abnormal addition sequence is adopted to perform abnormal analysis on each terminal operation behavior of the addition operation type; in an actual situation, when the terminal threat to be detected is characterized by a malicious program adding itself to the firewall trust list, an abnormal addition sequence for that operation type may be determined based on the corresponding addition operation types (e.g., modifying a registry chain, etc.).
For example, in an alternative embodiment, to prevent a malicious program from adding itself to the firewall trust list, the abnormal addition sequence may be expressed as: modifying the registry chain; when it is determined that a certain operation behavior combination hits the abnormal addition sequence, each terminal operation behavior included in the operation behavior combination may be considered a corresponding abnormal operation behavior.
4. An abnormal open sequence.
Specifically, in the embodiment of the application, a preset abnormal open sequence is adopted to perform abnormal analysis on each terminal operation behavior of the open operation type; in an actual situation, when the terminal threat to be detected is characterized by a malicious program reducing the system's security protection, an abnormal open sequence for that operation type may be determined based on the corresponding open operation types (e.g., closing the system firewall, closing antivirus software, etc.).
For example, in an alternative embodiment, to prevent malicious programs from degrading system security, the abnormal open sequence may be expressed as: closing the system firewall; optionally, the abnormal open sequence may further include: closing antivirus software, opening an unusual port, uninstalling patches, adding sharing authority, and the like; when it is determined that a certain operation behavior combination hits the abnormal open sequence, the terminal operation behaviors included in the operation behavior combination may be considered corresponding abnormal operation behaviors.
5. An abnormal process sequence.
Specifically, in the embodiment of the application, a preset abnormal process sequence is adopted to perform abnormal analysis on each terminal operation behavior of the process operation type; in an actual situation, when the terminal threat to be detected is characterized by a malicious program intruding into other processes, an abnormal process sequence for that operation type may be determined based on the corresponding process operation types (e.g., the target process differing from the operation subject process, etc.).
For example, in an alternative embodiment, to prevent a malicious program from registering a malicious dynamic library in the address space of other processes, the abnormal process sequence may be expressed as: the target process is different from the operation subject process; when it is determined that a certain operation behavior combination hits the abnormal process sequence, the terminal operation behaviors included in the operation behavior combination may be considered corresponding abnormal operation behaviors.
It should be noted that the above abnormal behavior sequences are only examples; in an actual situation, more abnormal behavior sequences may be designed and refined based on the management object's study of the intrusion operation features observed on the server.
Optionally, the abnormal analysis of each terminal operation behavior may instead be performed based on a preset machine learning algorithm: the system call API set of the abnormal program is obtained and compared with the specified alarm behavior API call sequence, and the preset model is iteratively trained according to the comparison result so as to analyze and detect each abnormal operation behavior of the specified type, which is not described again here.
S303: and determining the respective accumulated operation times of the corresponding operation types in the target terminal based on the respective operation types of the at least one abnormal operation behavior, and generating corresponding target alarm information based on the obtained respective accumulated operation times.
Further, alarming each detected abnormal operation behavior; optionally, based on the respective operation type of each abnormal operation behavior, corresponding alarm information is generated, and the respective accumulated operation times of the corresponding operation type is counted to generate corresponding target alarm information.
For example, in an actual situation, based on the above abnormal behavior sequences, the operation type of the abnormal operation behavior detected each time may be determined, and corresponding alarm information may be generated, where the alarm information may be sent to a corresponding management server in real time, or may be stored in a specified target database, and the management server captures the corresponding alarm information at a specified time, which is not limited in this application. In addition, the alarm information can be aggregated, and the counted accumulated operation times of the corresponding operation types are graphically represented, so that the management object can clearly manage the target alarm information.
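As an added example (not the applicant's code), the following Python sketch implements the abnormal-behavior-sequence matching described above, the similarity-threshold decision the detection module applies (a combination is abnormal when its similarity to a preset sequence is not less than the threshold), and the per-operation-type accumulation of S303. The event fields, operation-type tokens, rule contents, 10-second detection window and threshold value are all constructed assumptions for illustration.

```python
# Added example, not the applicant's code: event layout, tokens, rules,
# window and threshold are all constructed assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    time: int       # constructed monotonic clock, seconds
    source: str     # operation subject process (the "operation source")
    op: str         # operation type token (constructed names)
    target: str     # file path, registry key or target process


# Preset abnormal behaviour sequences, one per category on the page.
# Token names are constructed; the step order follows the page's description.
ABNORMAL_SEQUENCES: Dict[str, List[str]] = {
    "call":    ["create_file", "open_file", "write_file", "create_process"],
    "release": ["create_file", "open_file", "write_file"],
    "add":     ["modify_registry"],
    "open":    ["close_firewall"],
    "process": ["register_dll"],
}
SAME_TARGET = {"release"}    # every step must act on the same file
CROSS_PROCESS = {"process"}  # the target process must differ from the subject


def build_combinations(events: List[Event], window: int) -> List[List[Event]]:
    """Aggregate each source's events into combinations whose operation times
    lie within `window` seconds of the first event (the detection time condition)."""
    by_source: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        by_source[e.source].append(e)
    combos: List[List[Event]] = []
    for seq in by_source.values():
        current = [seq[0]]
        for e in seq[1:]:
            if e.time - current[0].time <= window:
                current.append(e)
            else:
                combos.append(current)
                current = [e]
        combos.append(current)
    return combos


def similarity(combo: List[Event], rule: str) -> float:
    """Share of the rule's steps matched, in order, by the combination: a
    greedy ordered-subsequence match plus the rule's extra constraints."""
    steps = ABNORMAL_SEQUENCES[rule]
    idx, bound_target = 0, None
    for e in combo:
        if idx == len(steps) or e.op != steps[idx]:
            continue
        if rule in CROSS_PROCESS and e.target == e.source:
            continue                      # acting on its own process: no hit
        if rule in SAME_TARGET:
            if bound_target is None:
                bound_target = e.target   # the first step fixes the file
            elif e.target != bound_target:
                continue
        idx += 1
    return idx / len(steps)


def detect(events: List[Event], window: int = 10, threshold: float = 1.0) -> Dict:
    """Flag combinations whose similarity to any rule is >= threshold, then
    accumulate operation counts per type into the target alarm information."""
    abnormal: List[Dict] = []
    rule_hits: Counter = Counter()
    for combo in build_combinations(events, window):
        hits = [r for r in ABNORMAL_SEQUENCES if similarity(combo, r) >= threshold]
        if not hits:
            continue
        rule_hits.update(hits)
        # As on the page, every behaviour in a hit combination is abnormal; each
        # entry carries the operation time and type the per-event alarm needs.
        for e in combo:
            abnormal.append({"time": e.time, "source": e.source,
                             "op": e.op, "rules": hits})
    return {
        "abnormal": abnormal,
        "target_alarm": {
            "terminal_id": "TERMINAL-ID-PLACEHOLDER",  # constructed
            "accumulated_operation_times": dict(Counter(a["op"] for a in abnormal)),
            "rule_hits": dict(rule_hits),
        },
    }


# Constructed terminal operation data (not real telemetry).
SAMPLE_EVENTS = [
    Event(0,  "dropper.exe", "create_file",    "payload.exe"),   # call + release
    Event(1,  "dropper.exe", "open_file",      "payload.exe"),
    Event(2,  "dropper.exe", "write_file",     "payload.exe"),
    Event(3,  "dropper.exe", "create_process", "payload.exe"),
    Event(63, "dropper.exe", "close_firewall", "system"),        # new window: open
    Event(5,  "editor.exe",  "create_file",    "notes.txt"),     # benign editing: no
    Event(6,  "editor.exe",  "open_file",      "notes.tmp"),     # launch, and the file
    Event(7,  "editor.exe",  "write_file",     "notes.txt"),     # changes between steps
    Event(8,  "svc.exe",     "register_dll",   "svc.exe"),       # own process: no hit
    Event(9,  "inj.exe",     "register_dll",   "explorer.exe"),  # cross-process hit
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS)["target_alarm"])
```

Lowering the threshold (for instance to 0.75) makes the editor's three-step combination hit the four-step call sequence as well, which shows why the page pairs the threshold with the per-type accumulated counts rather than alarming on single events.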
S304: and sending the target alarm information and the terminal operation data to a specified management server to perform safety detection analysis aiming at the target terminal.
Further, the target alarm information and the terminal operation data are sent to a designated management server to perform security detection analysis for the target terminal, and optionally, the target alarm information and the terminal operation data may also be stored in a designated database, and a management object performs corresponding retrieval from the designated database according to the determined terminal identifier of the target terminal, which is not described herein again.
Specifically, the management server may present a corresponding alarm display interface based on the received target alarm information, so that the management object may clearly and accurately determine a behavior rule for an abnormal operation behavior of the target terminal based on various statistical views included in the alarm display interface, and assist the management object in performing rapid security detection and analysis. Furthermore, the management object can also query each corresponding and associated normal operation behavior from the terminal operation data through the determined abnormal information (such as corresponding operation type or operation time) associated with each abnormal operation behavior, so that the management object can determine a complete operation path of a corresponding terminal threat (such as an unknown program) in the target terminal based on each obtained normal operation behavior, thereby further ensuring the accuracy of security detection for the target terminal.
For example, referring to fig. 5, a schematic diagram of an alarm display interface provided in the embodiment of the present application is shown, where each alarm statistical view for a target terminal is further presented in the alarm display interface, where each alarm statistical view is obtained by aggregating respective accumulated operation times of corresponding operation types in target alarm information; optionally, the alarm statistical view may be a histogram, a sector graph, or other various types of statistical views; optionally, an alarm display bar for real-time alarm may be designed in the alarm display interface to perform real-time alarm on each detected abnormal operation behavior; based on the graphical mode, the management object can more clearly and accurately determine the behavior rule aiming at the abnormal operation behavior of the target terminal, so that the management object is assisted to carry out rapid and accurate safety detection and analysis.
Further, referring to fig. 6, an embodiment of the present application further provides a security detection visualization platform 60, where the security detection visualization platform 60 may be the detection platform 203 mentioned in the foregoing embodiment, or may be another visualization platform deployed in a management server, and the security detection visualization platform 60 is designed based on the security detection method provided in the foregoing embodiment, specifically, the security detection visualization platform 60 may include: alarm monitoring module 601, terminal management module 602 and central management module 603, wherein:
The alarm monitoring module 601: configured to present a corresponding alarm display interface to the management object based on the received target alarm information; in the embodiment of the application, the alarm display interface comprises at least one alarm statistical view determined for the target terminal.
The terminal management module 602: configured to manage the target alarm information and the terminal operation data of the detected target terminal. For example, in an alternative embodiment, the log viewing function provided by the terminal management module 602 may be used to search and browse the associated terminal operation behaviors in the terminal operation data based on screening items such as the operation type, the operation time, the process name, and the process ID, so as to assist the management object in determining the complete operation path of the corresponding terminal threat in the target terminal based on those terminal operation behaviors. Optionally, the terminal management module 602 may further manage the target alarm information and terminal operation data of the corresponding terminal devices based on the terminal identifiers of different terminals, so as to implement unified management of multiple terminal devices.
The central management module 603: the method is used for setting the access authority of the related management object and further managing the target alarm information and the terminal operation data.
Fig. 7 is a logic diagram of the security detection method according to the embodiment of the present disclosure; monitoring the target terminal in real time, acquiring terminal operation data of the target terminal, and detecting and alarming in real time aiming at each abnormal operation behavior contained in the terminal operation data through a detection rule preset in an analysis engine; furthermore, the related data are sent to the management server, so that the related management object can more clearly and efficiently determine the complete operation path of the corresponding terminal threat (such as an unknown program) in the target terminal based on the target alarm information determined by analysis and the related terminal operation data, thereby further ensuring the accuracy of the security detection for the target terminal.
Referring to fig. 8, an embodiment of the present application provides a security detection apparatus, including an obtaining module 801, a detecting module 802, an alarming module 803, and a transmitting module 804, where:
an obtaining module 801, configured to obtain terminal operation data of a target terminal to be detected, where at least one terminal operation behavior triggered for the target terminal is recorded in the terminal operation data.
The detecting module 802 is configured to perform anomaly analysis on the obtained at least one terminal operation behavior based on a preset detection rule, and determine at least one anomaly operation behavior to be detected from the at least one terminal operation behavior based on an analysis result.
The alarm module 803 is configured to determine, based on the operation type of each of the at least one abnormal operation behavior, an accumulated operation frequency of each of the corresponding operation types in the target terminal, and generate corresponding target alarm information based on the obtained accumulated operation frequencies.
And the transmission module 804 is configured to send the target alarm information and the terminal operation data to a specified management server, and perform security detection analysis for the target terminal.
In an alternative embodiment, when acquiring the terminal operation data of the target terminal to be detected, the acquiring module 801 is specifically configured to:
the method comprises the steps of monitoring a target terminal to be detected in real time, and obtaining terminal log data of the target terminal, wherein at least one terminal operation behavior triggered aiming at the target terminal is recorded in the terminal log data.
And analyzing the terminal log data based on a preset analysis rule, and determining the terminal operation data to be detected from the terminal log data based on an analysis result.
In an optional embodiment, when performing an abnormal analysis on the obtained at least one terminal operation behavior based on a preset detection rule, and determining at least one abnormal operation behavior to be detected from the at least one terminal operation behavior based on an analysis result, the detection module 802 is specifically configured to:
aggregating all terminal operation behaviors in the at least one terminal operation behavior whose corresponding operation time meets a preset detection time condition, and determining at least one operation behavior combination to be detected from the at least one terminal operation behavior based on an aggregation result;
respectively performing anomaly analysis on the obtained at least one operation behavior combination based on a preset anomaly behavior sequence, and determining at least one anomaly operation behavior to be detected from the at least one terminal operation behavior based on an analysis result.
In an alternative embodiment, when performing an anomaly analysis on at least one obtained operation behavior combination based on a preset anomaly behavior sequence, the detection module 802 is specifically configured to:
for at least one operation behavior combination, the following operations are respectively executed:
determining a similarity between one operation behavior combination and the abnormal behavior sequence;
if the similarity is smaller than a preset similarity threshold, determining each terminal operation behavior contained in the operation behavior combination as a corresponding normal operation behavior;
if the similarity is not less than the preset similarity threshold, determining each terminal operation behavior contained in the operation behavior combination as a corresponding abnormal operation behavior.
In an optional embodiment, before determining, based on the operation type of each of the at least one abnormal operation behavior, the cumulative operation times of each of the corresponding operation types in the target terminal, the alarm module 803 is further configured to:
respectively generating corresponding abnormal alarm information aiming at least one abnormal operation behavior, wherein the abnormal alarm information at least comprises: the operation time and the operation type of the corresponding abnormal operation behavior.
sending each obtained piece of abnormal alarm information to a specified management server to carry out an abnormal alarm for the target terminal.
In an alternative embodiment, when generating corresponding target alarm information based on the obtained accumulated operation times, the alarm module 803 is specifically configured to:
respectively generating accumulated alarm information for the corresponding operation types based on the obtained accumulated operation times;
aggregating all the obtained accumulated alarm information based on a preset statistical rule to generate the corresponding target alarm information.
Based on the same inventive concept as the above application embodiments, the embodiment of the present application further provides an electronic device, which can be used for security detection. In one embodiment, the electronic device may be a server, a terminal device, or other electronic devices. In this embodiment, the electronic device may be configured as shown in fig. 9, and include a memory 901, a communication interface 903, and one or more processors 902.
A memory 901 for storing computer programs executed by the processor 902. The memory 901 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, a program required for running an instant messaging function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.
Memory 901 may be a volatile memory, such as a random-access memory (RAM); the memory 901 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or the memory 901 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 901 may be a combination of the above memories.
The processor 902 may include one or more central processing units (CPUs), a digital processing unit, or the like. The processor 902 is configured to implement the above-described security detection method when calling the computer program stored in the memory 901.
The communication interface 903 is used for communication with terminal devices and other servers.
The embodiment of the present application does not limit the specific connection medium among the memory 901, the communication interface 903, and the processor 902. In the embodiment of the present application, the memory 901 and the processor 902 are connected through the bus 904 in fig. 9, the bus 904 is represented by a thick line in fig. 9, and the connection manner between other components is merely illustrative and is not limited. The bus 904 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform any one of the security detection methods in the above embodiments. The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
According to an aspect of the present application, there is also provided a computer program product which, when invoked by a computer, causes the computer to perform the method of the first aspect.
The embodiment of the application provides a safety detection method, a safety detection device, electronic equipment and a storage medium, the target terminal to be detected is monitored in real time, lightweight data acquisition for the target terminal is achieved, and abnormal analysis is performed on at least one recorded terminal operation behavior in acquired terminal operation data respectively based on preset detection rules, so that a large amount of operation loads brought to the target terminal in a safety detection analysis process are effectively reduced, and system operation consumption of the target terminal is reduced. On the other hand, in the embodiment of the application, the collected terminal operation data is sent to the specified management server, so that the management object can query the corresponding and associated normal operation behaviors from the terminal operation data through the respective associated abnormal information (such as the corresponding operation type or the operation time) of each determined abnormal operation behavior, and thus the management object can determine the complete operation path of the corresponding terminal threat (such as an unknown program) in the target terminal based on the obtained normal operation behaviors, and the accuracy of the security detection for the target terminal is further ensured.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A security detection method, comprising:
acquiring terminal operation data of a target terminal to be detected, wherein at least one terminal operation behavior triggered aiming at the target terminal is recorded in the terminal operation data;
performing anomaly analysis on the obtained at least one terminal operation behavior based on a preset detection rule, and determining at least one anomaly operation behavior to be detected from the at least one terminal operation behavior based on an analysis result;
determining respective accumulated operation times of corresponding operation types in the target terminal based on respective operation types of the at least one abnormal operation behavior, and generating corresponding target alarm information based on the obtained respective accumulated operation times;
and sending the target alarm information and the terminal operation data to a specified management server to perform safety detection analysis aiming at the target terminal.
2. The method of claim 1, wherein the obtaining of the terminal operation data of the target terminal to be detected comprises:
monitoring a target terminal to be detected in real time, and acquiring terminal log data of the target terminal, wherein at least one terminal operation behavior triggered aiming at the target terminal is recorded in the terminal log data;
and analyzing the terminal log data based on a preset analysis rule, and determining the terminal operation data to be detected from the terminal log data based on an analysis result.
3. The method according to claim 1 or 2, wherein the performing an abnormal analysis on the obtained at least one terminal operation behavior based on a preset detection rule, and determining at least one abnormal operation behavior to be detected from the at least one terminal operation behavior based on an analysis result comprises:
aggregating each terminal operation behavior of which the corresponding operation time meets a preset detection time condition in the at least one terminal operation behavior, and determining at least one operation behavior combination to be detected from the at least one terminal operation behavior based on an aggregation result;
and respectively performing anomaly analysis on the obtained at least one operation behavior combination based on a preset anomaly behavior sequence, and determining at least one anomaly operation behavior to be detected from the at least one terminal operation behavior based on an analysis result.
4. The method according to claim 3, wherein the performing the abnormal analysis on the obtained at least one operation behavior combination based on the preset abnormal behavior sequence comprises:
for the at least one operation behavior combination, respectively performing the following operations:
determining a similarity between a combination of operational behaviors and the sequence of abnormal behaviors;
if the similarity is smaller than a preset similarity threshold, determining each terminal operation behavior contained in the operation behavior combination as a corresponding normal operation behavior;
and if the similarity is not less than a preset similarity threshold, determining each terminal operation behavior contained in the operation behavior combination as a corresponding abnormal operation behavior.
5. The method according to claim 3, wherein before determining the respective accumulated operation times of the corresponding operation types in the target terminal based on the respective operation types of the at least one abnormal operation behavior, the method further comprises:
respectively generating corresponding abnormal alarm information aiming at the at least one abnormal operation behavior, wherein the abnormal alarm information at least comprises: the operation time and the operation type of the corresponding abnormal operation behavior;
and sending each obtained abnormal alarm information to a specified management server to carry out abnormal alarm aiming at the target terminal.
6. The method according to claim 1 or 2, wherein the generating of the corresponding target alarm information based on the obtained respective accumulated operation times comprises:
respectively generating accumulated alarm information aiming at the corresponding operation types based on the obtained accumulated operation times;
and aggregating all the obtained accumulated alarm information based on a preset statistical rule to generate corresponding target alarm information.
7. A security detection device, comprising:
the terminal operation data acquisition module is used for acquiring terminal operation data of a target terminal to be detected, wherein at least one terminal operation behavior triggered aiming at the target terminal is recorded in the terminal operation data;
the detection module is used for carrying out abnormity analysis on the obtained at least one terminal operation behavior based on a preset detection rule and determining at least one abnormal operation behavior to be detected from the at least one terminal operation behavior based on an analysis result;
the alarm module is used for determining the respective accumulated operation times of the corresponding operation types in the target terminal based on the respective operation types of the at least one abnormal operation behavior and generating corresponding target alarm information based on the obtained respective accumulated operation times;
and the transmission module is used for sending the target alarm information and the terminal operation data to a specified management server to perform safety detection analysis aiming at the target terminal.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the security detection method according to any of claims 1-6 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
10. A computer program product, which, when called by a computer, causes the computer to perform the method of any one of claims 1-6.
CN202210188255.XA 2022-02-28 2022-02-28 Security detection method and device, electronic equipment and storage medium Pending CN114629696A (en)


Publications (1)

Publication Number Publication Date
CN114629696A true CN114629696A (en) 2022-06-14

Family

ID=81900323

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210188255.XA Pending CN114629696A (en) 2022-02-28 2022-02-28 Security detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114629696A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708033A (en) * 2023-08-04 2023-09-05 腾讯科技(深圳)有限公司 Terminal security detection method and device, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101057432B1 (en) * 2010-02-23 2011-08-22 주식회사 이세정보 System, method, program and recording medium for detection and blocking the harmful program in a real-time throught behavior analysis of the process
CN104239197A (en) * 2014-10-10 2014-12-24 浪潮电子信息产业股份有限公司 Administrative user abnormal behavior detection method based on big data log analysis
CN107465652A (en) * 2016-06-06 2017-12-12 腾讯科技(深圳)有限公司 A kind of operation behavior detection method, server and system
CN108268354A (en) * 2016-12-30 2018-07-10 腾讯科技(深圳)有限公司 Data safety monitoring method, background server, terminal and system
CN108280346A (en) * 2017-01-05 2018-07-13 腾讯科技(深圳)有限公司 A kind of application protecting, monitoring method, apparatus and system
CN109257196A (en) * 2017-07-12 2019-01-22 阿里巴巴集团控股有限公司 A kind of abnormality eliminating method and equipment
WO2019091028A1 (en) * 2017-11-10 2019-05-16 华为技术有限公司 Method and terminal for application software malicious behavior dynamic alarm
CN111651767A (en) * 2020-06-05 2020-09-11 腾讯科技(深圳)有限公司 Abnormal behavior detection method, device, equipment and storage medium
CN112631862A (en) * 2020-12-22 2021-04-09 车主邦(北京)科技有限公司 Abnormity monitoring method, device and system
CN113765881A (en) * 2021-07-20 2021-12-07 奇安信科技集团股份有限公司 Method and device for detecting abnormal network security behavior, electronic equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708033A (en) * 2023-08-04 2023-09-05 腾讯科技(深圳)有限公司 Terminal security detection method and device, electronic equipment and storage medium
CN116708033B (en) * 2023-08-04 2023-11-03 腾讯科技(深圳)有限公司 Terminal security detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
KR102612500B1 (en) Sensitive data exposure detection through logging
CN111092852B (en) Network security monitoring method, device, equipment and storage medium based on big data
US10936717B1 (en) Monitoring containers running on container host devices for detection of anomalies in current container behavior
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
CN111274583A (en) Big data computer network safety protection device and control method thereof
US20120311562A1 (en) Extendable event processing
CN111931166B (en) Application program anti-attack method and system based on code injection and behavior analysis
CN110602135B (en) Network attack processing method and device and electronic equipment
CN110912884A (en) Detection method, detection equipment and computer storage medium
CN108234426B (en) APT attack warning method and APT attack warning device
US20240070267A1 (en) Detecting malicious behavior in a network using security analytics by analyzing process interaction ratios
CN114629696A (en) Security detection method and device, electronic equipment and storage medium
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
Daghmehchi Firoozjaei et al. Memory forensics tools: a comparative analysis
CN114826639A (en) Application attack detection method and device based on function call chain tracking
CN113987492A (en) Method and device for determining alarm event
US20230087309A1 (en) Cyberattack identification in a network environment
CN115086081B (en) Escape prevention method and system for honeypots
CN111316268A (en) Advanced cyber-security threat mitigation for interbank financial transactions
US11763004B1 (en) System and method for bootkit detection
CN112699369A (en) Method and device for detecting abnormal login through stack backtracking
CN113127856A (en) Network security operation and maintenance management method and device, computing equipment and storage medium
Barbhuiya et al. LS-ADT: Lightweight and Scalable Anomaly Detection for Cloud Datacentres
CN110166421B (en) Intrusion control method and device based on log monitoring and terminal equipment
CN113672910B (en) Security event processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination