CN115643082A - Method and device for determining lost host and computer equipment - Google Patents


Info

Publication number: CN115643082A
Authority: CN (China)
Prior art keywords: data, host, risk, target, domain name
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211287900.XA
Other languages: Chinese (zh)
Inventors: 崔菊, 赵欢, 高峰, 张志超, 王秀娟
Current Assignee: Beijing Ultrapower Information Safety Technology Co ltd; Ultrapower Software Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Ultrapower Information Safety Technology Co ltd; Ultrapower Software Co ltd
Application filed by Beijing Ultrapower Information Safety Technology Co ltd, Ultrapower Software Co ltd
Priority to CN202211287900.XA
Publication of CN115643082A

Abstract

The embodiments of the present application provide a method and a device for determining a lost host, and computer equipment. In the method, after malicious domain name detection, the lost host is further determined from the suspected hosts on the basis of the initial security data of the suspected hosts, which solves the problem of poor accuracy when the lost host is determined by malicious domain name detection alone.

Description

Method and device for determining lost host and computer equipment
Technical Field
The present application relates to the field of communications technologies, and in particular to a method, an apparatus, and computer equipment for determining a lost host.
Background
A lost host (a compromised host) is a host over which an attacker has gained control in some way via the network. After obtaining control, the attacker may use the host as a springboard to continue attacking other hosts in the intranet, and may also have it actively communicate with an IP address or domain name specified by the intruder and transmit the security data stored on it. In addition, a lost host is often irregular and highly concealed: many intrusion actions are difficult to identify, or it cannot be confirmed whether the attack succeeded. Hosts therefore need to be checked for compromise so that a lost host can be repaired in time and the security of the enterprise network is ensured.
In the related art, the method for determining a lost host includes acquiring a domain name to be detected and determining whether it is a malicious domain name; if so, the host to be detected on which the domain name to be detected is stored is directly determined to be a lost host.
However, this method of determining a lost host has low accuracy.
Disclosure of Invention
The embodiments of the present application provide a method and a device for determining a lost host, and computer equipment, which can screen suspected hosts from the hosts to be detected after malicious domain name detection is performed on them, and then determine which of the suspected hosts are lost hosts from the initial security data of the suspected hosts, thereby solving the problem of low accuracy caused by determining whether a host is lost through malicious domain name detection alone.
A first aspect of the embodiments of the present application provides a method for determining a lost host, the method including:
acquiring initial security data of each host to be detected, the initial security data being data generated while the host to be detected is running;
fusing the initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening suspected hosts from the hosts to be detected based on the detection result, where the domain names to be detected of a suspected host include a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and determining a lost host from the suspected hosts based on the initial security data of the suspected hosts.
A second aspect of the embodiments of the present application provides an apparatus for determining a lost host, the apparatus including:
an acquisition module for acquiring initial security data of each host to be detected, the initial security data being data generated while the host to be detected is running;
a fusion module for fusing the initial security data based on a heterogeneous data fusion method to obtain target security data;
a detection and screening module for inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection and screening suspected hosts from the hosts to be detected based on the detection result, where the domain names to be detected of a suspected host include a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and a determining module for determining a lost host from the suspected hosts based on the initial security data of the suspected hosts.
A third aspect of the embodiments of the present application provides computer equipment including a processor and a memory, where the memory stores executable instructions of the processor, and the processor reads the executable instructions from the memory and executes them to implement the method for determining a lost host provided in the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium on which a computer program is stored, the computer program being executed by a processor to implement the method for determining a lost host provided in the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product including a computer program which, when executed by a processor, implements the method for determining a lost host provided in the first aspect of the embodiments of the present application.
The technical solution provided by the embodiments of the present application can achieve at least the following beneficial effects:
according to the method for determining a lost host provided by the embodiments of the present application, malicious domain name detection is performed on each host to be detected based on different types of initial security data of the host, suspected hosts are screened from the hosts to be detected, and the lost host is further determined from the suspected hosts according to the initial security data of the suspected hosts. Because the lost host is determined from the suspected hosts on the basis of their initial security data rather than by malicious domain name detection alone, the poor accuracy of determining a lost host only through the malicious domain name detection method is overcome.
Drawings
Fig. 1 is a diagram illustrating an application scenario of a method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 2 is a flowchart illustrating a method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 3 is a flowchart illustrating a method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 4 is a flowchart illustrating a method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 5 is a flowchart illustrating a further method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 6 is a flowchart illustrating another method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 7 is a flowchart illustrating a method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 8 is a flowchart illustrating a further method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 9 is a flowchart illustrating another method for determining a lost host according to an exemplary embodiment of the present application;
Fig. 10 is a block diagram illustrating the structure of a device for determining a lost host according to an exemplary embodiment of the present application;
Fig. 11 is an internal structural diagram of computer equipment according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if," as used herein, may be interpreted as "when," "at the time of," or "in response to a determination," depending on the context.
The disclosed embodiments may be applied to electronic devices such as terminal devices, computer systems, servers, etc., which are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with electronic devices, such as terminal devices, computer systems, servers, and the like, include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network pcs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
First, technical terms appearing in the present application are introduced:
Host: refers to the various devices used in a computer network or communication network, including but not limited to computers, switches, routers, security devices, and the like.
Lost host: refers to a host over which a network intruder has gained control in some way. After obtaining control, the attacker may use the lost host as a springboard to continue attacking other hosts in the intranet. In addition, a lost host is often irregular and highly concealed; many intrusion actions are difficult to identify, or it cannot be confirmed whether the attack succeeded, but compromise can be judged from the various actions that follow the attack. When an office device or server is controlled by an illegal organization after being attacked, it actively communicates with an IP address or domain name assigned by the illegal organization's server and transmits the security data stored on it (such as personnel, asset, event, log, configuration, policy and traffic data). Hosts therefore need to be checked for compromise so that a lost host can be repaired in time, ensuring the security of the enterprise network.
Domain Name System (DNS): one of the important basic core services of the internet, responsible for providing a unified domain name address space mapping service; it mainly resolves domain names that are easy for humans to remember into IP addresses that are easy for machines to recognize.
Malicious domain name: a domain name generated by a Domain Generation Algorithm (DGA), which attackers often use as the domain name of a malicious program for communication between trojan software and its control server.
Once a host becomes a lost host, the security data on it is at risk of leakage, and the host also threatens other hosts that have access relationships with it, bringing immeasurable loss to the enterprise. Each enterprise therefore needs to determine in real time, during network operation, whether any of its hosts is a lost host. At present, a common method of determining whether a host is a lost host is to perform malicious domain name detection on all hosts and, if a host is found to include a malicious domain name, determine that the host is a lost host.
This way of determining whether a host is a lost host relies on malicious domain name detection alone, and its accuracy is low.
In view of this, the embodiments of the present application provide a method for determining a lost host which, on the basis of malicious domain name detection, goes on to determine the lost host from the suspected hosts based on the security data in the suspected hosts, thereby improving on the poor accuracy of determining a lost host by the malicious domain name detection method alone.
The method for determining a lost host provided by the embodiments of the present application can be applied in the application environment shown in Fig. 1, in which a plurality of hosts to be detected 102 communicate with a target host 104 over a network. The data storage system may be integrated on the target host 104, or placed on the cloud or another network host. The target host 104 obtains the initial security data of the hosts to be detected 102, processes it to obtain target security data, performs malicious domain name detection on the hosts to be detected 102 based on the target security data, screens suspected hosts from the hosts to be detected 102 according to the detection results, continues to obtain security data for the suspected hosts once they are screened out, and accordingly determines the lost host from the suspected hosts according to their security data. The hosts to be detected 102 and the target host 104 may be implemented by independent servers or by a server cluster composed of a plurality of servers.
Specific technical solutions of the embodiments of the present application are exemplarily described below with reference to the accompanying drawings.
Fig. 2 is a flowchart illustrating a method for determining a lost host according to an exemplary embodiment of the present application. Referring to Fig. 2, the method specifically includes the following steps:
Step S100, acquiring initial security data of each host to be detected, the initial security data being data generated while the host to be detected is running;
the host to be detected may be a target enterprise server device, and the number of the host to be detected is at least one, or may be multiple, which is not limited herein. The initial safety data is data generated in the running process of the host to be detected and is used for supporting the subsequent determination of the trapped host. The initial security data may be obtained from the memory of the host to be detected, may be obtained from other monitoring devices, and may also be obtained from the memory of the host to be detected and other monitoring devices, which is not limited herein. It should be noted that the other monitoring devices are devices for monitoring the operation data of the host to be detected, and include, for example, a flow monitoring device, a threat intelligence information monitoring device, and the like. Illustratively, the initial security data is, for example, basic information (e.g., a memory of the host to be detected, a kernel version of the host to be detected, etc.) of the host to be detected, asset data (e.g., a system account, an open port, a database, etc.), asset operation data (e.g., process behavior data, file access data, system operation data, network traffic data, etc.), threat intelligence information, behavior log data (e.g., a DNS server request response log, an http hypertext transfer protocol, a server access log, a login log, a process behavior log, a file log, a network log, etc.), network traffic data (a network protocol, a basic field of a corresponding protocol, traffic data), etc. which are accessed in real time.
In the embodiments of the present application, the target host may send an acquisition instruction to the host to be detected and/or the other monitoring devices, and on receiving the acquisition instruction the host to be detected and/or the other monitoring devices package the initial security data stored in their memory and send it to the target host. When sending the data packet, the host to be detected and/or the other monitoring devices carry the identifier corresponding to each host to be detected, so that the target host can determine, based on the identifier, which host to be detected the data in the packet belongs to and store it by category. Of course, the target host may also store the data packets sent by multiple hosts to be detected and/or other monitoring devices at the same memory address, which is not limited in this application.
Different types of initial security data have the following advantages over a single type of initial security data:
A single type of initial security data is subject to sensing errors caused by factors such as external interference, whereas when a single type of data fails or deviates seriously, the redundancy among different types of initial security data still provides an accurate basis for determining the lost host.
A single type of initial security data can only provide feature information about one aspect and cannot describe the whole, whereas different types of initial security data can be superposed complementarily to supplement the actual information, finally giving a clearer and more accurate description.
The time and speed at which a single type of initial security data is obtained and sent are fixed, whereas different types of initial security data can make up for this disadvantage, obtain real-time data, and improve the efficiency of determining the lost host.
Illustratively, the target host sends an initial security data acquisition command to host A, host B and host C respectively. After receiving the command, host A packages and sends the enterprise asset data it stores to the target host, host B packages and sends the enterprise log data it stores to the target host, and host C sends the enterprise user data it stores to the target host.
Step S200, fusing the initial security data based on a heterogeneous data fusion method to obtain target security data;
The heterogeneous data fusion method is a means of processing data from different sources: the initial security data from different hosts to be detected and/or other monitoring devices is filtered, screened, completed, converted, aggregated, merged, analyzed, extracted and so on to obtain the target security data. Techniques and algorithms employed in heterogeneous data fusion include, for example, least squares, weighted averaging, Kalman filtering, Bayesian estimation, minimum description length, genetic algorithms, evidence functions, and the like.
Fusing the initial security data by a heterogeneous data fusion method produces target security data that reduces the uncertainty in determining the lost host and improves the quality of the determination. More importantly, the heterogeneous data fusion method makes effective use of the redundancy and complementarity among data from different sources, so that the lost host can be determined more accurately from a global perspective; it also reduces the data volume, can generate intermediate table information such as an IP summary table and an IP session log for subsequent services, comprehensively builds a basic security data center, resolves the problems of conflict, scattered attributes, and incomplete and one-sided single-source data among different types of initial security data, and supports the subsequent analysis of the lost host. The target security data obtained by heterogeneous fusion is not only denoised to a certain extent, which improves on the inaccurate host determination caused by data silos, but also supports the subsequent risk research, judgment and analysis of the lost host.
In one embodiment, as shown in Fig. 3, which is an alternative embodiment of a method for fusing initial security data according to an exemplary embodiment of the present application, the method includes the following steps:
Step S201, fusing the initial security data based on a heterogeneous data fusion method to obtain intermediate security data;
For example, the embodiments of the present application may perform the following operations on each item of initial security data:
extracting the key information of each item of initial security data by means of a configured data parsing algorithm; performing association completion on the key information of each item of initial security data; labeling each item of completed initial security data; and finally obtaining the intermediate security data.
Specifically, key information may be extracted from the IP address in each item of initial security data, the current host IP address, the domain name, the URL, the protocol type, the event content, and so on, as shown in the following table:
[Table of extracted key-information fields (source images BDA0003900637450000061 and BDA0003900637450000071); the table content is not available on the page.]
The association completion is, for example, enriching the content of log data with fixed-asset information (including the identifier of the user to whom the device belongs, the identifier of the user's organization, the user's location information and the user's contact information).
In the embodiments of the present application, the initial security data may be labeled with ATT&CK technique and tactic IDs so as to classify and label each item of initial security data, so that massive initial security data can be classified quickly and the efficiency and accuracy of analyzing the data are further improved. By way of illustration, an image might carry tags such as adult, female, Asian and long-haired, and a word might carry tags such as subject, predicate, object, noun or verb.
Specifically, when labeling the initial security data, feature extraction is performed to obtain the features of the initial security data, and the data is labeled according to those features. For example, if a link to a known malicious site is found in the host application log and the user has accessed the link, the host is tagged with "phishing risk".
According to the technical solution provided by the embodiments of the present application, the initial security data is preprocessed, and the multiple items of key information extracted from the processed initial security data are then combined with the subsequent determination method, so that the lost host is determined more accurately and the error rate of determining the lost host from a single item of key information alone is reduced.
Step S202, standardizing the intermediate security data to obtain target security data, where the standardization constrains the data format of the security data and the representation of the data content.
Because the hosts to be detected and the other monitoring devices store the initial security data under different storage rules, the data formats and the representations of the data content may not be uniform. In order to determine the lost host quickly from the initial security data later on, each item of intermediate data needs to be standardized so that all intermediate data has a uniform data format and representation of data content, which improves the efficiency of determining the lost host.
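As an added illustration of steps S201 and S202 (not code from the patent or its applicants), the following Python script runs the fusion chain described above over a few constructed records: key-information extraction from two differently formatted sources (a DNS request/response log and an HTTP server access log), association completion against a constructed fixed-asset table, labeling, and standardization into one record format with a uniform timestamp. All log lines, IP addresses, asset entries and the known-malicious-site list are constructed for the example; the domain kyyjpvbi.tk is taken from the page's own list of DGA samples.

```python
"""Heterogeneous security-data fusion and standardization (added example).

Illustrates steps S201/S202: key-information extraction from records of
different sources, association completion against an asset table, labeling,
and standardization into one record format. Every record below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed DNS request/response log lines (first source and format).
DNS_LOG = [
    "2023-01-05T10:12:31Z 10.0.0.7 query A kyyjpvbi.tk -> 203.0.113.9",
    "2023-01-05T10:12:40Z 10.0.0.8 query A www.wikipedia.org -> 198.51.100.2",
]

# Constructed HTTP server access log lines (second source, Apache-style format).
HTTP_LOG = [
    '10.0.0.7 - - [05/Jan/2023:10:13:02 +0000] "GET http://kyyjpvbi.tk/update.bin HTTP/1.1" 200 5120',
]

# Constructed fixed-asset table used for association completion.
ASSETS = {
    "10.0.0.7": {"host_id": "H-007", "user_id": "u.zhang", "org_id": "finance", "location": "Beijing"},
    "10.0.0.8": {"host_id": "H-008", "user_id": "u.li", "org_id": "hr", "location": "Shanghai"},
}

# Constructed threat-intelligence list of known malicious sites.
KNOWN_MALICIOUS_SITES = {"kyyjpvbi.tk"}

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) -> (\S+)$")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)$')

# Uniform record layout produced by the standardization step (S202).
SCHEMA = ("event_time", "host_ip", "host_id", "user_id", "org_id", "location",
          "protocol", "domain", "url", "event_content", "tags")


def extract_dns(line):
    """Key-information extraction for a DNS log line."""
    m = DNS_RE.match(line)
    if not m:
        return None
    ts, src_ip, qtype, qname, answer = m.groups()
    return {"event_time": ts, "host_ip": src_ip, "domain": qname.lower().rstrip("."),
            "url": None, "protocol": "dns", "event_content": f"{qtype} {qname} -> {answer}"}


def extract_http(line):
    """Key-information extraction for an HTTP access log line."""
    m = HTTP_RE.match(line)
    if not m:
        return None
    src_ip, ts, method, url, status, size = m.groups()
    # Standardize the Apache-style timestamp into ISO 8601 UTC like the DNS source.
    iso = (datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
           .astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return {"event_time": iso, "host_ip": src_ip, "domain": host, "url": url,
            "protocol": "http", "event_content": f"{method} {url} {status} {size}"}


def complete(record, assets):
    """Association completion: enrich with fixed-asset info; unknown hosts get None fields."""
    info = assets.get(record["host_ip"], {})
    for key in ("host_id", "user_id", "org_id", "location"):
        record[key] = info.get(key)
    return record


def tag(record):
    """Labeling: a record pointing at a known malicious site gets the page's 'phishing risk' tag."""
    record["tags"] = ["phishing risk"] if record["domain"] in KNOWN_MALICIOUS_SITES else []
    return record


def standardize(record):
    """Force every record into the same field set and order."""
    return {key: record.get(key) for key in SCHEMA}


def fuse(dns_lines, http_lines, assets):
    """Full S201/S202 chain, returning one chronological stream of standardized records."""
    parsed = [extract_dns(l) for l in dns_lines] + [extract_http(l) for l in http_lines]
    records = [standardize(tag(complete(r, assets))) for r in parsed if r]
    return sorted(records, key=lambda r: r["event_time"])


if __name__ == "__main__":
    for rec in fuse(DNS_LOG, HTTP_LOG, ASSETS):
        print(rec)
```

Both sources end up with the same field set and timestamp convention, so a later step such as malicious domain name detection can read the `domain` field without caring which log the record came from.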
Step S300, inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening suspected hosts from the hosts to be detected based on the detection result, where the domain names to be detected of a suspected host include a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
The domain names to be detected come from the target security data and may be obtained, for example, from the DNS log data in the target security data. Detecting the domain name to be detected reveals whether the host to be detected has a communication relationship with an attacker: if an attacker uses the domain name to be detected to communicate with the host to be detected, the domain name can be determined to be malicious, and suspected hosts can then be determined from the hosts to be detected based on the malicious domain name. In the embodiments of the present application the malicious domain name detection is performed on the domain names to be detected by the detection model, so that the detection result can be obtained more quickly.
After the malicious domain names are obtained by the above method, the hosts to be detected that contain a malicious domain name can be screened out as suspected hosts; there may be one or more suspected hosts, which is not limited herein.
In addition, in the embodiments of the present application, after the suspected hosts are screened from the hosts to be detected, an alarm mechanism may be triggered; for example, the alarm level of the suspected hosts may be raised to medium.
In another embodiment, as shown in Fig. 4, which is an alternative embodiment of a method for obtaining the detection model according to an exemplary embodiment of the present application, the method includes the following steps:
Step S301, acquiring a plurality of normal domain names and a plurality of malicious domain names;
For example, the first 1000000 entries of the Alexa (http://www.secret.com) and Cisco datasets can be selected as normal domain name samples. Normal domain names selected include, for example, google.com, facebook.com, youtube.com, baidu.com, yahoo.com, amazon.com, wikipedia.org, qq.com, twitter.com, and so on.
Malicious domain name datasets can be obtained from open-source websites such as http://data.netlab.360.com/dga/; the malicious domain name datasets selected include, for example, abcbot, cclean, dmsniff, bubble, madmax, necro, proslikefan, rovnix, tempedree and vido, and the first 1000000 entries are selected from them as malicious domain name samples. Examples of the malicious domain names selected are kyyjpvbi.com, byypvjy.pages.dev, kyyjpvbi.tk, vyvppybij.com, kyyjpvbi.pages.dev, yivjbpypk.com, ykjbpvvviy.pages.dev, ykjbpvyvpb.com, kvyjyvpb.pages.dev, pikbyjyvvv.pages.dev, kyjpvb.pages.dev, and the like.
After the normal and malicious domain name samples are obtained, the embodiments of the present application may also perform cleaning, main domain name extraction and similar operations on the samples.
Step S302, extracting the feature information of each normal domain name and of each malicious domain name, where the feature information comprises at least one of the character randomness of the domain name, the character length, the proportion of vowels in the characters, the proportion of unique characters in the characters, and the top-level domain name;
Each of these features separates normal domain names from malicious domain names as follows.
Character randomness: the character randomness of a malicious domain name is greater than that of a normal domain name.
Character length: the character length of normal domain names is within 19 and concentrated between 8 and 12, and only a few normal domain names have a character length of more than 19; the length of malicious domain names ranges from 8 to 32 and shows two peaks, at 12 and 30, with the larger number of malicious domain names at a length of 30 characters.
Proportion of vowels in the characters: to make a domain name easy to remember and readable, the spelling of a normal domain name usually uses words or names, and vowels are often inserted into the words or names so that the domain name reads more easily. Because a malicious domain name is randomly generated, readability is not considered, so the proportion of vowels in normal domain names is higher than in malicious domain names.
Proportion of unique characters in the characters: the unique characters are the distinct characters in the domain name; for example, the unique characters of the domain name baidu are [b.a.i.d.u], 5 in number, and a second .com example is given as [u.r.l.z.t] with a count of 4. Because a malicious domain name is highly random and has more unique characters, the proportion of unique characters in normal domain names is lower than in malicious domain names.
Top-level domain name: normal domain names generally use common top-level domain names, whereas the top-level domain names of malicious domain names are relatively random, and an attacker may choose top-level domain names with lax registration review, such as .biz and .ru. For example, among the normal domain names there are 1933 common top-level domain names and 67 other top-level domain names, while among the malicious domain names there may be 1342 common top-level domain names and 658 other top-level domain names, and it can be seen that as much as approximately 2/3 of the top-level domain names in the malicious domain names are uncommon. The feature is therefore that the proportion of common top-level domain names is higher in normal domain names than in malicious domain names.
In machine learning the input items of a model generally need to be numerical variables, and categorical variables have no numerical attributes, so categorical variables usually need to be processed separately. Therefore, after the feature information of the normal and malicious domain names has been extracted, character-level label encoding is also performed on the normal and malicious domain names, using label encoding, the variable conversion method commonly used in tree models, to convert the categorical variable into a numerical type. For example, [g, o, o, g, l, e, ., c, o, m] is converted into [1, 2, 2, 1, 3, 4, 5, 6, 2, 7], each distinct character receiving the next integer in order of first appearance, which completes the numerical conversion of the normal and malicious domain names. Machine learning on the normal and malicious domain names is thereby made convenient, and a detection model with better robustness is obtained.
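The feature extraction of step S302 and the character-level label encoding above, written out as an added Python example; this is not code from the patent. Shannon entropy is used as the assumed measure of "character randomness", the label immediately left of the TLD stands in for main domain name extraction, and the COMMON_TLDS set is an assumption, since the page defines none of these concretely. The sample domain names are taken from the page's own lists.

```python
import math
from collections import Counter

# Assumed set of "common" top-level domains; the page only says normal domains
# tend to use common TLDs and names .biz and .ru as uncommon examples.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "cn", "io"}
VOWELS = set("aeiou")


def split_domain(domain):
    """Return (main label, TLD). The main label is the label left of the TLD;
    this stands in for the page's 'main domain name extraction' step
    (assumption: no public-suffix list is consulted)."""
    parts = domain.lower().strip().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def char_randomness(text):
    """Shannon entropy in bits per character, used here as the measure of
    'character randomness' (assumption: the page does not define the metric)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(domain):
    """The five features of step S302 for one domain name."""
    main, tld = split_domain(domain)
    n = len(main)
    return {
        "randomness": round(char_randomness(main), 4),
        "length": n,
        "vowel_ratio": round(sum(ch in VOWELS for ch in main) / n, 4) if n else 0.0,
        "unique_ratio": round(len(set(main)) / n, 4) if n else 0.0,
        "common_tld": int(tld in COMMON_TLDS),
    }


def label_encode(domain):
    """Character-level label encoding: each distinct character receives the next
    integer in order of first appearance, so google.com -> [1,2,2,1,3,4,5,6,2,7]."""
    codes = {}
    out = []
    for ch in domain:
        if ch not in codes:
            codes[ch] = len(codes) + 1
        out.append(codes[ch])
    return out


def feature_vector(domain):
    """Fixed-order numeric vector suitable as model input."""
    f = extract_features(domain)
    return [f["randomness"], f["length"], f["vowel_ratio"], f["unique_ratio"], f["common_tld"]]


if __name__ == "__main__":
    for d in ["baidu.com", "google.com", "kyyjpvbi.tk", "byypvjy.pages.dev"]:
        print(d, extract_features(d), label_encode(d))
```

Running it on baidu.com and kyyjpvbi.tk shows the direction the page claims for each feature: the DGA-style name has higher entropy, a lower vowel ratio, a higher unique-character ratio and an uncommon TLD.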
Step S303, training a long short-term memory neural network based on the feature information of each normal domain name and of each malicious domain name to obtain the detection model.
For example, the embodiment of the application can divide the feature information of the normal and malicious domain names into training data and test data; first, based on classification algorithms such as K-nearest neighbours, logistic regression, SVM and iterative algorithms, the long short-term memory neural network is trained on the training data to obtain an initial detection model; then the test data are predicted by the initial detection model, and the algorithm with the best effect is selected by cross-validation according to the accuracy, false alarm rate and recall rate of DGA domain name detection in the prediction results, thereby obtaining a detection model with better accuracy.
After the detection model has been obtained through this training and prediction, normal and malicious domain name samples can be reselected to verify the detection model a second time, and further adjustments made according to the verification result from the aspects of the ratio of normal to malicious domain names, algorithm selection, parameter tuning and the like, so that a more optimized detection model is finally obtained.
Step S400, determining the lost host from the suspected hosts based on the initial security data of the suspected hosts.
After suspected hosts have been screened out of all hosts to be detected by the above method, the initial security data of the suspected hosts can be further obtained, IOC threat intelligence matching is performed on the security data of the suspected hosts, and whether a suspected host is a lost host is determined from the matching result. This solves the problem of poor accuracy when lost hosts are determined only by malicious domain name detection.
In one embodiment, as shown in fig. 5, fig. 5 is an alternative embodiment of the method for determining a lost host according to an exemplary embodiment of the present application. The method includes the following steps:
Step S401, performing risk data identification on the initial security data of the suspected host by a risk data identification model to obtain an identification result, where the risk data identification model is obtained by training a neural network model on different types of risk data and different types of normal data.
The risk data identification model is obtained by training a neural network model on different types of risk data and different types of normal data. The normal data can be security data obtained from hosts that are not lost, and the risk data can be target asset data, vulnerability data, target user data, threat intelligence data and the like obtained from lost hosts; the normal data and the risk data may also be data collected during past determinations of lost hosts, which this application does not limit. The trained risk data identification model may be stored in the target host.
After the suspected hosts have been screened out of the hosts to be detected by the above method, the different types of initial security data of a suspected host can be obtained and input into the trained risk data identification model, and its output result obtained. The output result can be empty (that is, no risk data were identified in the initial security data) or can be the corresponding risk data, and the risk data can comprise only one type of risk data or several different types. The risk data can also carry a risk type label, so that the risk type of the suspected host can subsequently be obtained directly from the identification result of the model, which improves the efficiency of determining the lost host.
Step S402, if the identification result is that risk data are identified in the initial security data of the suspected host, determining the suspected host to be a lost host; the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data being asset data with a security level greater than a predetermined level and the target user data being user data with a predetermined operation authority.
The lost host can thus be quickly determined from the suspected hosts based on the output result of the risk data identification model. Specifically, if the identification result is that no risk data exist in the initial security data of the suspected host, the suspected host is not a lost host; otherwise, if the identification result is that at least one of target asset data, vulnerability data, target user data and threat intelligence data exists in the initial security data of the suspected host, the suspected host is determined to be a lost host.
Further, after the asset data, vulnerability data, user data and threat intelligence data of the suspected host have been obtained, the target host may continue by searching whether asset data with a security level greater than the predetermined level exist in the asset data of the suspected host, whether vulnerability data exist in the initial security data, whether user data with the predetermined operation authority exist in the user data, and whether threat intelligence data exist in the initial security data, and determine from the search result whether the suspected host is a lost host. If the target host finds at least one of asset data with a security level greater than the predetermined level (that is, target asset data), vulnerability data, user data with the predetermined operation authority (that is, target user data) and threat intelligence data, the suspected host is determined to be a lost host. The predetermined level and the predetermined operation authority are set by the enterprise according to its own business.
Meanwhile, in the embodiment of the present application, after it has been determined that risk data exist in the suspected host, the alarm mechanism may be triggered again; for example, the alarm level of the suspected host may be adjusted to high.
Determining the lost host from the suspected hosts by whether risk data exist in their security data uses data that are easy to obtain, so suspected hosts can be rapidly confirmed as lost hosts and the efficiency of determining lost hosts is improved.
After the lost host has been determined from the multiple hosts to be detected in the above manner, the lost host needs to be repaired so that greater loss to the enterprise is avoided and the enterprise's safe use of the network is guaranteed. Specifically, as shown in fig. 6, fig. 6 is an alternative embodiment of the method for repairing a lost host according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S600, acquiring the risk data of the lost host;
Whether a suspected host is a lost host is determined by whether risk data exist in its security data, so a lost host necessarily contains risk data. The target host may send an acquisition instruction to the lost host and obtain the risk data returned by the lost host, which may be at least one of target asset data, vulnerability data, target user data and threat intelligence data.
Step S700, determining the risk type of the lost host based on the risk data of the lost host;
The risk type of the lost host is determined from the obtained risk data of the lost host; the risk types include asset risk, vulnerability risk, user risk and threat intelligence risk:
if the risk data of the lost host are target asset data, the risk type of the lost host is determined to be asset risk;
if the risk data of the lost host are vulnerability data, the risk type of the lost host is determined to be vulnerability risk;
if the risk data of the lost host are target user data, the risk type of the lost host is determined to be user risk;
and if the risk data of the lost host are threat intelligence data, the risk type of the lost host is determined to be threat intelligence risk.
Moreover, in the embodiment of the present application, after it has been determined that any one of asset risk, vulnerability risk, user risk and threat intelligence risk exists in the suspected host, an alarm mechanism may be triggered; for example, the alarm level of the suspected host may be adjusted to high;
after it has been determined that any two of asset risk, vulnerability risk, user risk and threat intelligence risk exist in the suspected host, an alarm mechanism may be triggered; for example, the alarm level of the suspected host may be adjusted to the initial level;
after it has been determined that any three of asset risk, vulnerability risk, user risk and threat intelligence risk exist in the suspected host, an alarm mechanism may be triggered; for example, the alarm level of the suspected host may be adjusted to medium-high;
after it has been determined that all four of asset risk, vulnerability risk, user risk and threat intelligence risk exist in the suspected host, an alarm mechanism may be triggered; for example, the alarm level of the suspected host may be adjusted to very high.
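Steps S402, S600 and S700 and the alarm levels just listed, as an added Python example that is not part of the patent. A rule-based check stands in for the trained risk data identification model; the predetermined security level, the predetermined operation authorities and the sample security data of the two hosts are constructed assumptions, while the mapping from number of risk types to alarm level is copied from the text as stated.

```python
from typing import List, Tuple

# Thresholds the page says the enterprise sets itself; these values are assumed.
PREDETERMINED_LEVEL = 3
PREDETERMINED_AUTHORITIES = {"admin", "root"}

# Alarm level per number of distinct risk types, exactly as the text states it.
ALARM_LEVEL_BY_RISK_COUNT = {1: "high", 2: "initial", 3: "medium-high", 4: "very high"}


def identify_risk_data(security_data: dict) -> List[Tuple[str, dict]]:
    """Rule-based stand-in for the risk data identification model: returns
    (risk type label, record) pairs found in a suspected host's security data."""
    risk = []
    for asset in security_data.get("assets", []):
        if asset.get("security_level", 0) > PREDETERMINED_LEVEL:
            risk.append(("asset_risk", asset))            # target asset data
    for vuln in security_data.get("vulnerabilities", []):
        risk.append(("vulnerability_risk", vuln))        # any vulnerability data
    for user in security_data.get("users", []):
        if user.get("authority") in PREDETERMINED_AUTHORITIES:
            risk.append(("user_risk", user))             # target user data
    for ioc in security_data.get("threat_intel", []):
        risk.append(("threat_intelligence_risk", ioc))   # any threat intelligence hit
    return risk


def risk_types(risk_data) -> List[str]:
    """Step S700: the distinct risk types carried by the identified risk data."""
    return sorted({label for label, _ in risk_data})


def is_lost_host(security_data: dict) -> bool:
    """Step S402: any identified risk data makes the suspected host a lost host."""
    return bool(identify_risk_data(security_data))


def alarm_level(security_data: dict):
    """Alarm level from the number of distinct risk types; None when no risk data."""
    return ALARM_LEVEL_BY_RISK_COUNT.get(len(risk_types(identify_risk_data(security_data))))


# Constructed sample security data for two suspected hosts.
SUSPECTED_HOST = {
    "assets": [{"name": "hr-db", "security_level": 5}, {"name": "wiki", "security_level": 2}],
    "vulnerabilities": [{"id": "VULN-ID-PLACEHOLDER", "service": "smb"}],
    "users": [{"name": "svc_backup", "authority": "admin"}, {"name": "guest", "authority": "guest"}],
    "threat_intel": [],
}
CLEAN_HOST = {
    "assets": [{"name": "kiosk", "security_level": 1}],
    "vulnerabilities": [],
    "users": [{"name": "guest", "authority": "guest"}],
    "threat_intel": [],
}

if __name__ == "__main__":
    for name, data in [("suspected", SUSPECTED_HOST), ("clean", CLEAN_HOST)]:
        print(name, is_lost_host(data), risk_types(identify_risk_data(data)), alarm_level(data))
```

The first host carries three risk types (asset, vulnerability, user) and so receives the "medium-high" level from the table; the second carries none, is not a lost host, and receives no alarm level.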
Step S800, acquiring at least one classified repair strategy corresponding to the risk type from a security knowledge base based on the risk type, where the security knowledge base comprises a plurality of risk types and the classified repair strategies corresponding to the risk types;
The security knowledge base is an ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) knowledge base stored in the target host. ATT&CK is a model and knowledge base provided by MITRE that reflects attack behaviour across each stage of the attack life cycle; it constructs a finer-grained, more easily shared knowledge model and framework for observable attacker behaviour, and through continuous accumulation has formed a knowledge base of network attacker behaviour maintained jointly by governments, public service enterprises, private enterprises and academic institutions, used to guide users in targeted detection, defence and response work.
The security knowledge base comprises techniques, common knowledge, a plurality of risk types and the classified repair strategies corresponding to the risk types. Therefore, once the risk type of the lost host has been determined, the classified repair strategy corresponding to that risk type can be searched for in the security knowledge base. A classified repair strategy is the set of operations that need to be executed to repair a repair object and may include multiple execution steps; different execution steps may be steps for the same operation object or for different operation objects, without limitation. The repair object may be, for example, a processor, a memory, an output module, an input module, a display module, an audio module and the like; when repairing the repair object, corresponding operations may be performed on operation objects such as devices, drivers, programs and code in the repair object, and on other external devices that interact with it, so as to carry out the repair of the repair object.
Illustratively, the classified repair strategies include: WiFi blocking, firewall linkage, agent linkage, mail notification, SMS notification, automatic execution of a response blocking process, blocking of network connections, IP blocking, domain name blocking and the like.
In an embodiment, as shown in fig. 7, fig. 7 is an alternative embodiment of the method for obtaining the classified repair strategy corresponding to a risk type according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S801, acquiring the risk type label of at least one risk type;
The risk data identified by the risk data identification model may be one item of risk data or several; several items may be of the same type or of different types. When the identified risk data are all of the same type the lost host has only one risk; likewise, if the identified risk data are of different types, the lost host may have several different risks. Because the risk data identified by the risk data identification model carry the risk type label, the risk type label can be obtained directly from the output result of the model, which improves the efficiency of determining the lost host. The risk type label may be represented by letters, numbers, symbols and the like, without limitation in this application.
Step S802, acquiring at least one classified repair strategy corresponding to the risk type label from the security knowledge base according to the risk type label of the risk type, where the security knowledge base comprises a plurality of risk type labels and the classified repair strategies corresponding to the risk type labels.
Since the security knowledge base contains the risk type labels corresponding to the risk types and the classified repair strategies corresponding to the labels, once the risk type label of the lost host has been obtained as above, the classified repair strategy corresponding to that label can be found in the security knowledge base. A classified repair strategy can therefore be determined more quickly, which further improves the repair efficiency for the lost host, avoids more serious loss to the enterprise and guarantees the enterprise's safe use of the network.
Step S900, combining the classified repair strategies corresponding to the risk types according to a predetermined logical relationship to obtain a target repair strategy, where the predetermined logical relationship represents the relevance between the classified repair strategies;
The predetermined logical relationship may be determined from the relevance between the operation steps on the repair object targeted by each classified repair strategy, or from the relevance between the steps of the classified repair strategies themselves, which this application does not limit.
In one embodiment, as shown in fig. 8, fig. 8 is an alternative embodiment of the method for obtaining the target repair strategy according to an exemplary embodiment of the present application, which includes the following steps:
Step S9011, determining a plurality of operation objects and a plurality of target execution steps associated with the operation objects from the classified repair strategies;
A classified repair strategy includes a plurality of execution steps, and each execution step may be an operation step for one operation object or for several operation objects. The operation objects and the target execution steps associated with each operation object can therefore be readily determined from the classified repair strategies.
Step S9012, sorting the target execution steps associated with the operation objects according to a target order to obtain a plurality of combined repair strategies, where the target order is an order that satisfies continuous operation.
The embodiment of the application sorts the target execution steps of each operation object according to whether they satisfy continuous operation, and so obtains the combined repair strategies.
For example, if the classified repair strategies include several steps, where the first step in the first classified repair strategy, the second step in the second classified repair strategy and the third step in the third classified repair strategy are all execution steps for the router and are related as consecutive operations, then these three steps may be regarded as one combined repair strategy.
Step S9013, taking each combined repair strategy as a target repair strategy.
If three combined repair strategies are obtained by the above determination process, the three combined repair strategies may be determined to be the target repair strategy.
The target repair strategy determined in this way is highly operable and improves repair efficiency, so that more serious loss to the enterprise is avoided and the enterprise's safe use of the network is guaranteed.
It should be further noted that the flow of the target repair strategy can be edited, and risk emergency response handling is assisted by automated means, so that practical application scenarios beyond the automatic repair of the lost host can also be handled. Once configured, the flow of the target repair strategy executes automatically without personnel intervention, which improves the response speed to risks: the host can be repaired rapidly and automatically as soon as it is determined to be a lost host, and the whole process is logged so that administrators can trace the source after the event.
The target repair strategy obtained in this way can repair all objects involved in the repair process at the same time, which improves repair efficiency, avoids more serious loss to the enterprise and guarantees the enterprise's safe use of the network.
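Steps S9011 to S9013 as an added Python example, not code from the patent: it gathers the execution steps of several classified repair strategies per operation object, sorts them by sequence number and cuts wherever continuity breaks, so each run becomes one combined (target) repair strategy. The rule "consecutive sequence numbers mean continuous operation" and the three sample strategies are constructed assumptions shaped after the page's router example.

```python
from typing import Dict, List

# A classified repair strategy is a list of execution steps; each step names the
# operation object it acts on and its position in that object's operation
# sequence (assumption: consecutive sequence numbers mean "continuous operation").
Step = Dict[str, object]


def collect_steps(strategies: Dict[str, List[Step]]) -> Dict[str, List[Step]]:
    """Step S9011: gather the target execution steps per operation object
    across all classified repair strategies, remembering their origin."""
    by_object: Dict[str, List[Step]] = {}
    for strategy_name, steps in strategies.items():
        for step in steps:
            record = dict(step, strategy=strategy_name)
            by_object.setdefault(str(step["object"]), []).append(record)
    return by_object


def combine_strategies(strategies: Dict[str, List[Step]]) -> List[List[Step]]:
    """Steps S9012/S9013: sort each object's steps by sequence number and cut the
    sorted list wherever continuity breaks; every run is one combined repair
    strategy, and each combined strategy becomes a target repair strategy."""
    combined: List[List[Step]] = []
    for steps in collect_steps(strategies).values():
        steps.sort(key=lambda s: s["seq"])
        run: List[Step] = []
        for step in steps:
            if run and step["seq"] != run[-1]["seq"] + 1:
                combined.append(run)   # gap in the sequence: previous run is complete
                run = []
            run.append(step)
        if run:
            combined.append(run)
    return combined


def describe(combined: List[List[Step]]) -> List[str]:
    """Human-readable form of each combined repair strategy."""
    return ["{}: {}".format(run[0]["object"], " -> ".join(str(s["action"]) for s in run))
            for run in combined]


# Constructed example: one step from each of three classified strategies acts on
# the router in consecutive order (as in the page's example); the firewall gets
# two consecutive steps, and the mail steps have a gap (seq 1 and 3).
CLASSIFIED = {
    "asset_risk_policy": [
        {"object": "router", "seq": 1, "action": "block malicious domain"},
        {"object": "firewall", "seq": 1, "action": "block IP"},
        {"object": "mail", "seq": 1, "action": "notify asset owner"},
    ],
    "vulnerability_risk_policy": [
        {"object": "router", "seq": 2, "action": "block network connection"},
        {"object": "firewall", "seq": 2, "action": "isolate segment"},
    ],
    "user_risk_policy": [
        {"object": "router", "seq": 3, "action": "disable wifi access"},
        {"object": "mail", "seq": 3, "action": "notify security team"},
    ],
}

if __name__ == "__main__":
    for line in describe(combine_strategies(CLASSIFIED)):
        print(line)
```

The three router steps from three different classified strategies become a single combined strategy, the two firewall steps another, and the two mail steps, whose sequence numbers are not consecutive, are split into two, giving four target repair strategies in total.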
Step S1000, repairing the lost host based on the target repair strategy.
The lost host may be repaired automatically by the target host according to the generated target repair strategy.
Furthermore, after an attacker has obtained control of the lost host, the attacker not only steals data and the like stored on the lost host, but also uses the lost host as a springboard to continue attacking other hosts that have an access relationship with it, so that those hosts are also endangered.
In one embodiment, as shown in fig. 9, fig. 9 is an alternative embodiment of the method for determining the other hosts (target objects) according to an exemplary embodiment of the present application, which includes the following steps:
Step S1001, acquiring the network security event of the lost host, where the network security event refers to an event in which a network, an information system or data is damaged because of the lost host;
A network security event is an event that damages a network, an information system or the data in it and has a negative social effect, caused by human factors, defects or faults in a host's software and hardware, natural disasters and the like; such events can be classified into harmful program events, network attack events, information destruction events, information content security events, equipment and facility faults, catastrophic events and other events. In the present application, a network security event of the lost host is an event that may be caused by a defect or fault in the software and hardware of the lost host and that may damage a network, an information system or data. The network security events of the lost host come from the initial security data, and further log data can be generated from the initial security data.
Step S1002, determining the attack path of the lost host based on the network security event;
Based on the network security events obtained from the initial security data of the lost host, the interaction process between the lost host and other hosts may be reconstructed in time order, so as to obtain the attack path of the lost host.
Step S1003, determining a target object having an access relationship with the lost host from the attack path.
The attack path includes the interactions between the lost host and other hosts or objects, so a target object (that is, another host) having an access relationship with the lost host can be determined from the reconstructed attack path; the access relationship includes the lost host actively accessing the target object and/or the target object accessing the lost host.
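Steps S1001 to S1003 as an added Python example, not code from the patent: the lost host's network security events are reduced to the interactions it took part in, ordered in time to form the attack path, and the hosts on that path are reported as target objects, split by access direction as the page defines it. The event records and addresses are constructed sample data.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed network security events derived from one lost host's security data.
LOST_HOST = "10.0.0.5"
EVENTS = [
    {"time": "2023-01-10T09:05:00", "src": "10.0.0.9", "dst": "10.0.0.5", "event": "smb login"},
    {"time": "2023-01-10T09:00:00", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "beacon reply"},
    {"time": "2023-01-10T09:12:00", "src": "10.0.0.5", "dst": "10.0.0.21", "event": "rdp connection"},
    {"time": "2023-01-10T09:30:00", "src": "10.0.0.5", "dst": "10.0.0.40", "event": "file share write"},
    # Not adjacent to the lost host, so it must not yield a target object here.
    {"time": "2023-01-10T09:31:00", "src": "10.0.0.40", "dst": "10.0.0.41", "event": "file share read"},
]


def attack_path(events: List[Dict], lost_host: str) -> List[Dict]:
    """Step S1002: keep only events the lost host took part in, in time order."""
    involved = [e for e in events if lost_host in (e["src"], e["dst"])]
    return sorted(involved, key=lambda e: datetime.fromisoformat(e["time"]))


def target_objects(path: List[Dict], lost_host: str) -> Dict[str, Set[str]]:
    """Step S1003: hosts with an access relationship to the lost host, split by
    direction (lost host accessed them / they accessed the lost host)."""
    out = {"accessed_by_lost_host": set(), "accessed_lost_host": set()}
    for e in path:
        if e["src"] == lost_host:
            out["accessed_by_lost_host"].add(e["dst"])
        else:
            out["accessed_lost_host"].add(e["src"])
    return out


def all_targets(events: List[Dict], lost_host: str) -> Set[str]:
    """Every target object, regardless of direction."""
    t = target_objects(attack_path(events, lost_host), lost_host)
    return t["accessed_by_lost_host"] | t["accessed_lost_host"]


if __name__ == "__main__":
    path = attack_path(EVENTS, LOST_HOST)
    for e in path:
        print(e["time"], e["src"], "->", e["dst"], e["event"])
    print(target_objects(path, LOST_HOST))
```

The host 10.0.0.41 is reached only through 10.0.0.40, not directly from the lost host, so it is not a target object at this step; a second pass treating 10.0.0.40 as the lost host would be needed to follow the chain further.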
After the target object has been determined by the above method, the lost host and the target object may be repaired simultaneously as follows:
the target repair strategy is sent to the lost host and the target object so that the lost host and the target object execute the corresponding repair operations based on the target repair strategy.
Finally, based on the target repair strategy obtained above and the determined target object, the embodiment of the present application may send the part of the target repair strategy relating to the lost host to the lost host, and the part relating to the target object to the target object, instructing the lost host and the target object to perform the corresponding repair operations according to the steps of the repair strategy. The lost host and the target object are thereby repaired quickly, more serious loss to the enterprise is avoided, and the enterprise's safe use of the network is guaranteed.
According to the embodiment of the application, the backtracking analysis result, target asset information and the like of the lost host are combined, a target repair strategy for the lost host is flexibly formulated based on SOAR technology, the corresponding risk emergency response operations for the lost host are executed, and risk identification is deeply integrated with the security protection equipment. This achieves confirmation of the lost host and its automatic repair, and guarantees the accuracy and precision of handling while maintaining high efficiency.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not limited to the exact order illustrated and may be performed in other orders. Moreover, at least some of the steps in those flowcharts may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order of performing those sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, the embodiment of the present application further provides a device for determining a lost host, which implements the method for determining a lost host described above. The solution provided by the device is similar to that described for the method, so for the specific limitations in the following embodiments of the device for determining a lost host, reference may be made to the limitations on the method for determining a lost host, which are not repeated here.
In one embodiment, as shown in fig. 10, a device 2000 for determining a lost host is provided, the device including an acquisition processing module 2001, a fusion module 2002, a detection screening module 2003 and a determination module 2004:
the acquisition processing module 2001 is configured to obtain the initial security data of each host to be detected, where the initial security data are data generated by the host to be detected during operation;
the fusion module 2002 is configured to fuse the initial security data by a heterogeneous data fusion method to obtain target security data;
the detection screening module 2003 is configured to input each domain name to be detected in the target security data into the detection model for malicious domain name detection and to screen suspected hosts out of the hosts to be detected based on the detection result, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is obtained by training on normal domain names and malicious domain names;
the determination module 2004 is configured to determine the lost host from the suspected hosts based on the initial security data of the suspected hosts.
In an embodiment, the determination module 2005 is specifically configured to determine that the suspected host is a lost host if risk data exist in the initial security data of the suspected host, where the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data being asset data with a security level greater than a predetermined level and the target user data being user data with a predetermined operation authority.
In one embodiment, the device further comprises a repair module (not shown).
The repair module is configured to obtain the risk data of the lost host; to determine the risk type of the lost host based on the risk data of the lost host; to obtain, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base, where the security knowledge base comprises a plurality of risk types and the classified repair strategies corresponding to the risk types; to combine the classified repair strategies corresponding to the risk types according to a predetermined logical relationship to obtain a target repair strategy, where the predetermined logical relationship represents the relevance between the classified repair strategies; and to repair the lost host based on the target repair strategy.
In one embodiment, the repair module is specifically configured to obtain the label of the risk type, where the label marks different risk types, and to obtain at least one classified repair strategy corresponding to the label of the risk type from the security knowledge base, where the security knowledge base comprises the label corresponding to each risk type and the classified repair strategies corresponding to each label.
In an embodiment, the repair module is further specifically configured to determine, from the classified repair strategies, a plurality of operation objects and a plurality of target execution steps associated with the operation objects; to combine the target execution steps associated with each operation object to obtain a plurality of combined repair strategies; and to take each combined repair strategy as a target repair strategy.
In an embodiment, the repair module is further configured to sort the target execution steps associated with the operation objects according to a target order to obtain the combined repair strategies, where the target order is an order that satisfies continuous operation.
In an embodiment, the fusion module 2002 is further configured to fuse the initial security data based on a heterogeneous data fusion method to obtain intermediate security data; and to standardize the intermediate security data to obtain target security data, wherein the standardization constrains the data format of the security data and the representation form of the data content.
In an embodiment, the determining module 2005 is further configured to obtain a network security event of the lost host, where the network security event is an event in which a network, an information system or data is damaged because of the lost host; determine an attack path of the lost host based on the network security event; and determine, from the attack path, a target object having an access relation with the lost host.
In an embodiment, the repair module is further specifically configured to send the target repair policy to the lost host and the target object, so that the lost host and the target object execute corresponding repair operations based on the target repair policy.
In one embodiment, the apparatus further comprises a training module (not shown).
The training module is configured to acquire a plurality of normal domain names and a plurality of malicious domain names; extract feature information of each normal domain name and feature information of each malicious domain name, wherein the feature information comprises at least one of the character randomness of the domain name, the length of the characters, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain; and train a long short-term memory (LSTM) neural network based on the feature information of each normal domain name and the feature information of each malicious domain name to obtain a detection model.
The various modules in the above described means for determining a lost host may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, and the internal structure of the computer device may be as shown in fig. 11. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing the security data of each host to be detected and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a method of determining a lost host.
Those skilled in the art will appreciate that the architecture shown in fig. 11 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or fewer components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring initial security data of each host to be detected, wherein the initial security data are data generated in the running process of the host to be detected;
fusing each initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening suspected hosts from the hosts to be detected based on the detection result, wherein the domain names to be detected of a suspected host comprise a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and determining the lost host from the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
if risk data exist in the initial security data of the suspected host, the suspected host is determined to be a lost host, wherein the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data are asset data with a security level greater than a preset level, and the target user data are user data with a preset operation authority.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring risk data of the lost host; determining the risk type of the lost host based on the risk data of the lost host; obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base, wherein the security knowledge base comprises a plurality of risk types and a plurality of classified repair strategies corresponding to the risk types; combining all the classified repair strategies corresponding to the risk type according to a preset logical relation to obtain a target repair strategy, wherein the preset logical relation represents the relevance among the classified repair strategies; and repairing the lost host based on the target repair strategy.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
obtaining a label of the risk type, wherein the label is used for marking different risk types; and acquiring at least one classified repair strategy corresponding to the label of the risk type from a security knowledge base, wherein the security knowledge base comprises the label corresponding to each risk type and a plurality of classified repair strategies corresponding to each label.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
determining, from the classified repair strategies, a plurality of operation objects and a plurality of target execution steps associated with the operation objects; combining the target execution steps associated with each operation object to obtain a plurality of combined repair strategies; and taking each combined repair strategy as a target repair strategy.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
sorting the target execution steps associated with each operation object according to a target order to obtain the combined repair strategies, wherein the target order is an order in which the steps can be executed continuously.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
fusing each initial security data based on a heterogeneous data fusion method to obtain intermediate security data; and standardizing the intermediate security data to obtain target security data, wherein the standardization constrains the data format of the security data and the representation form of the data content.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a network security event of the lost host, wherein the network security event is an event in which a network, an information system or data is damaged because of the lost host; determining an attack path of the lost host based on the network security event; and determining, from the attack path, a target object having an access relation with the lost host.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and sending the target repair strategy to the lost host and the target object so that the lost host and the target object execute corresponding repair operation based on the target repair strategy.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a plurality of normal domain names and a plurality of malicious domain names; extracting feature information of each normal domain name and feature information of each malicious domain name, wherein the feature information comprises at least one of the character randomness of the domain name, the length of the characters, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain; and training a long short-term memory (LSTM) neural network based on the feature information of each normal domain name and the feature information of each malicious domain name to obtain a detection model.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring initial security data of each host to be detected, wherein the initial security data are data generated in the running process of the host to be detected;
fusing each initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening suspected hosts from the hosts to be detected based on the detection result, wherein the domain names to be detected of a suspected host comprise a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and determining the lost host from the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the computer program when executed by the processor further performs the steps of:
if risk data exist in the initial security data of the suspected host, the suspected host is determined to be a lost host, wherein the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data are asset data with a security level greater than a preset level, and the target user data are user data with a preset operation authority.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring risk data of the lost host; determining a risk type of the lost host based on the risk data of the lost host; obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base, wherein the security knowledge base comprises a plurality of risk types and a plurality of classified repair strategies corresponding to the risk types; combining all the classified repair strategies corresponding to the risk type according to a preset logical relation to obtain a target repair strategy, wherein the preset logical relation represents the relevance among the classified repair strategies; and repairing the lost host based on the target repair strategy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a label of the risk type, wherein the label is used for marking different risk types; and acquiring at least one classified repair strategy corresponding to the label of the risk type from a security knowledge base, wherein the security knowledge base comprises the label corresponding to each risk type and a plurality of classified repair strategies corresponding to each label.
In one embodiment, the computer program when executed by the processor further performs the steps of:
determining, from the classified repair strategies, a plurality of operation objects and a plurality of target execution steps associated with the operation objects; combining the target execution steps associated with each operation object to obtain a plurality of combined repair strategies; and taking each combined repair strategy as a target repair strategy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
sorting the target execution steps associated with each operation object according to a target order to obtain the combined repair strategies, wherein the target order is an order in which the steps can be executed continuously.
In one embodiment, the computer program when executed by the processor further performs the steps of:
fusing each initial security data based on a heterogeneous data fusion method to obtain intermediate security data; and standardizing the intermediate security data to obtain target security data, wherein the standardization constrains the data format of the security data and the representation form of the data content.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a network security event of the lost host, wherein the network security event is an event in which a network, an information system or data is damaged because of the lost host; determining an attack path of the lost host based on the network security event; and determining, from the attack path, a target object having an access relation with the lost host.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and sending the target repair strategy to the lost host and the target object so as to enable the lost host and the target object to execute corresponding repair operation based on the target repair strategy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a plurality of normal domain names and a plurality of malicious domain names; extracting feature information of each normal domain name and feature information of each malicious domain name, wherein the feature information comprises at least one of the character randomness of the domain name, the length of the characters, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain; and training a long short-term memory (LSTM) neural network based on the feature information of each normal domain name and the feature information of each malicious domain name to obtain a detection model.
In one embodiment, a computer program product is provided, comprising a computer program which when executed by a processor performs the steps of:
acquiring initial security data of each host to be detected, wherein the initial security data are data generated in the running process of the host to be detected;
fusing each initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening suspected hosts from the hosts to be detected based on the detection result, wherein the domain names to be detected of a suspected host comprise a malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and determining the lost host from the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the computer program when executed by the processor further performs the steps of:
if risk data exist in the initial security data of the suspected host, the suspected host is determined to be a lost host, wherein the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data are asset data with a security level greater than a preset level, and the target user data are user data with a preset operation authority.
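The screening and determination steps above (suspected host by malicious-domain detection result, then lost host by the presence of risk data; the same logic is claimed in claim 2) as an added worked example. This is not the patent's code: the field names, the preset security level and the preset operation authorities are assumptions of this example, and the detection-model output is supplied as a constructed lookup table.

```python
"""Determining lost hosts from suspected hosts via risk-data identification.

Added example, not code from the patent. A suspected host (one whose
detected domain names include a malicious domain) is determined to be a
lost host when its initial security data contains at least one kind of
risk data: target asset data (security level above a preset level),
vulnerability data, target user data (user with a preset operation
authority) or threat intelligence data. Field names, the preset level
and the preset authorities are assumptions of this example.
"""
from dataclasses import dataclass, field

PRESET_SECURITY_LEVEL = 2                # assumed threshold; levels above it mark target assets
PRESET_AUTHORITIES = {"admin", "root"}   # assumed privileged operation authorities


@dataclass
class HostSecurityData:
    """Initial security data of one host to be detected (assumed layout)."""
    host: str
    domains: list = field(default_factory=list)          # domain names to be detected
    assets: list = field(default_factory=list)           # [{"name": ..., "security_level": int}]
    vulnerabilities: list = field(default_factory=list)  # [{"id": ..., "severity": ...}]
    users: list = field(default_factory=list)            # [{"name": ..., "authority": ...}]
    threat_intel: list = field(default_factory=list)     # intelligence hits against this host


def screen_suspected_hosts(hosts, detection_result):
    """A suspected host has at least one domain flagged malicious by the detection model."""
    return [h for h in hosts if any(detection_result.get(d, False) for d in h.domains)]


def identify_risk_types(data: HostSecurityData):
    """Return the risk-type labels present in the host's initial security data."""
    found = []
    if any(a.get("security_level", 0) > PRESET_SECURITY_LEVEL for a in data.assets):
        found.append("target_asset")
    if data.vulnerabilities:
        found.append("vulnerability")
    if any(u.get("authority") in PRESET_AUTHORITIES for u in data.users):
        found.append("target_user")
    if data.threat_intel:
        found.append("threat_intel")
    return found


def determine_lost_hosts(suspected):
    """Map host name -> risk-type labels for every suspected host judged to be lost."""
    lost = {}
    for data in suspected:
        types = identify_risk_types(data)
        if types:  # risk data exists, so the suspected host is a lost host
            lost[data.host] = types
    return lost


# Constructed sample data (not real hosts, domains or intelligence)
HOSTS = [
    HostSecurityData("host-a", domains=["example.com", "x7q2kd9fjw3pz.xyz"],
                     assets=[{"name": "hr-db", "security_level": 3}],
                     users=[{"name": "svc", "authority": "admin"}]),
    HostSecurityData("host-b", domains=["qwkjv8zt.top"],
                     assets=[{"name": "kiosk", "security_level": 1}]),
    HostSecurityData("host-c", domains=["example.org"],
                     vulnerabilities=[{"id": "VULN-ID-PLACEHOLDER", "severity": "high"}]),
]
# Constructed output of the detection model per domain (True = malicious)
DETECTION_RESULT = {"x7q2kd9fjw3pz.xyz": True, "qwkjv8zt.top": True,
                    "example.com": False, "example.org": False}

if __name__ == "__main__":
    suspected = screen_suspected_hosts(HOSTS, DETECTION_RESULT)
    print("suspected:", [h.host for h in suspected])
    print("lost:", determine_lost_hosts(suspected))
```

Note that host-c carries vulnerability data but is never examined, because the patent only looks for risk data in hosts that already passed the malicious-domain screen.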
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring risk data of the lost host; determining the risk type of the lost host based on the risk data of the lost host; obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base, wherein the security knowledge base comprises a plurality of risk types and a plurality of classified repair strategies corresponding to the risk types; combining all the classified repair strategies corresponding to the risk type according to a preset logical relation to obtain a target repair strategy, wherein the preset logical relation represents the relevance among the classified repair strategies; and repairing the lost host based on the target repair strategy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a label of the risk type, wherein the label is used for marking different risk types; and acquiring a classified repair strategy corresponding to the label of the risk type from a security knowledge base, wherein the security knowledge base comprises the label corresponding to each risk type and the classified repair strategy corresponding to each label.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a label of the risk type, wherein the label is used for marking different risk types; and acquiring at least one classified repair strategy corresponding to the label of the risk type from a security knowledge base, wherein the security knowledge base comprises the label corresponding to each risk type and a plurality of classified repair strategies corresponding to each label.
In one embodiment, the computer program when executed by the processor further performs the steps of:
sorting the target execution steps associated with each operation object according to a target order to obtain the combined repair strategies, wherein the target order is an order in which the steps can be executed continuously.
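The repair-strategy steps above (label lookup in the security knowledge base, grouping target execution steps by operation object, sorting them into a continuous order, and sending the result to the lost host and its target objects; claims 3 to 5 and 7 describe the same flow) as an added worked example. This is not the patent's code: the knowledge-base contents, the step fields, and the reading of the target order as a per-step sequence number are assumptions of this example.

```python
"""Building a target repair strategy from classified repair strategies.

Added example, not code from the patent. The security knowledge base maps
risk-type labels to classified repair strategies; each strategy is a list
of execution steps, each bound to an operation object and carrying a
sequence number. Steps are grouped by operation object and sorted so that
each object's steps run in a continuous order; the per-object combined
strategies together form the target repair strategy. Knowledge-base
contents, step fields and the sequence-number reading of the target
order are assumptions of this example.
"""
from collections import defaultdict

# Constructed security knowledge base: risk-type label -> classified repair strategies
KNOWLEDGE_BASE = {
    "target_user": [
        [{"object": "account", "seq": 10, "action": "disable privileged account"},
         {"object": "account", "seq": 20, "action": "reset credentials"},
         {"object": "host", "seq": 10, "action": "isolate host from network"}],
    ],
    "target_asset": [
        [{"object": "host", "seq": 10, "action": "isolate host from network"},
         {"object": "asset", "seq": 10, "action": "snapshot sensitive data store"},
         {"object": "asset", "seq": 20, "action": "rotate data store secrets"}],
    ],
    "vulnerability": [
        [{"object": "host", "seq": 20, "action": "apply vendor patch"},
         {"object": "host", "seq": 30, "action": "rescan for vulnerability"}],
    ],
}


def get_classified_strategies(labels):
    """Look up the classified repair strategies for each risk-type label."""
    strategies = []
    for label in labels:
        if label not in KNOWLEDGE_BASE:
            raise KeyError(f"no classified repair strategy for label {label!r}")
        strategies.extend(KNOWLEDGE_BASE[label])
    return strategies


def combine_strategies(strategies):
    """Group target execution steps by operation object and sort each group by sequence."""
    by_object = defaultdict(dict)
    for strategy in strategies:
        for step in strategy:
            # The same step contributed by several strategies is kept once.
            by_object[step["object"]][(step["seq"], step["action"])] = step["action"]
    combined = {}
    for obj, steps in by_object.items():
        combined[obj] = [action for (_seq, action) in sorted(steps)]
    return combined


def build_target_strategy(labels):
    """Target repair strategy: all combined per-object strategies for the given labels."""
    return combine_strategies(get_classified_strategies(labels))


def dispatch(target_strategy, lost_host, target_objects):
    """Address the target repair strategy to the lost host and the objects on its attack path."""
    return {recipient: target_strategy for recipient in [lost_host, *target_objects]}


if __name__ == "__main__":
    strategy = build_target_strategy(["target_user", "target_asset", "vulnerability"])
    for obj, actions in strategy.items():
        print(obj, "->", actions)
```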
In one embodiment, the computer program when executed by the processor further performs the steps of:
fusing each initial security data based on a heterogeneous data fusion method to obtain intermediate security data; and standardizing the intermediate security data to obtain target security data, wherein the standardization constrains the data format of the security data and the representation form of the data content.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a network security event of the lost host, wherein the network security event is an event in which a network, an information system or data is damaged because of the lost host; determining an attack path of the lost host based on the network security event; and determining, from the attack path, a target object having an access relation with the lost host.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and sending the target repair strategy to the lost host and the target object so that the lost host and the target object execute corresponding repair operation based on the target repair strategy.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a plurality of normal domain names and a plurality of malicious domain names; extracting feature information of each normal domain name and feature information of each malicious domain name, wherein the feature information comprises at least one of the character randomness of the domain name, the length of the characters, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain; and training a long short-term memory (LSTM) neural network based on the feature information of each normal domain name and the feature information of each malicious domain name to obtain a detection model.
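The feature-extraction step of the detection-model training above (the same five feature kinds are listed in claim 8) as an added worked example. This is not the patent's code: it measures character randomness as the Shannon entropy of the characters below the top-level domain and encodes the top-level domain as an index into a small constructed vocabulary, both of which are assumptions; the LSTM training itself is not included.

```python
"""Domain-name feature extraction for the malicious-domain detection model.

Added example, not code from the patent. It computes the five feature
kinds the description lists (character randomness, character length,
vowel proportion, unique-character proportion, top-level domain) and
builds a labelled training set from constructed sample domains.
Assumptions: character randomness is the Shannon entropy of the
characters in the labels below the TLD, and the TLD is encoded as an
index into a constructed vocabulary (index 0 = unknown TLD).
"""
import math
from collections import Counter

VOWELS = set("aeiou")
# Constructed TLD vocabulary; a real deployment would derive it from the training set.
TLD_VOCAB = {"com": 1, "net": 2, "org": 3, "cn": 4, "xyz": 5, "top": 6}


def split_domain(domain: str):
    """Return (labels below the TLD, tld) for a domain name, lower-cased."""
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return ".".join(parts[:-1]), parts[-1]


def char_entropy(text: str) -> float:
    """Shannon entropy in bits of the character distribution (0 for empty text)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(domain: str) -> list:
    """Feature vector: [entropy, length, vowel ratio, unique-char ratio, tld id]."""
    body, tld = split_domain(domain)
    chars = body.replace(".", "")  # characters of all labels below the TLD
    length = len(chars)
    if length == 0:
        return [0.0, 0, 0.0, 0.0, TLD_VOCAB.get(tld, 0)]
    vowel_ratio = sum(1 for ch in chars if ch in VOWELS) / length
    unique_ratio = len(set(chars)) / length
    return [round(char_entropy(chars), 4), length, round(vowel_ratio, 4),
            round(unique_ratio, 4), TLD_VOCAB.get(tld, 0)]


def build_training_set(normal, malicious):
    """Labelled (X, y) pairs for model training: 0 = normal domain, 1 = malicious domain."""
    X = [extract_features(d) for d in normal] + [extract_features(d) for d in malicious]
    y = [0] * len(normal) + [1] * len(malicious)
    return X, y


# Constructed sample domains (not real indicators)
NORMAL_SAMPLES = ["example.com", "mail.example.org", "news.example.cn"]
MALICIOUS_SAMPLES = ["x7q2kd9fjw3pz.xyz", "qwkjv8zt.top"]

if __name__ == "__main__":
    X, y = build_training_set(NORMAL_SAMPLES, MALICIOUS_SAMPLES)
    for features, label in zip(X, y):
        print(label, features)
```

The sample output already shows why these features separate the classes: the constructed malicious names have near-maximal entropy, no vowels and a unique-character ratio of 1.0, while the normal names sit far lower on all three.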
It is easily understood that, on the basis of the several embodiments provided in the present application, a person skilled in the art may combine, split, recombine, etc. the embodiments of the present application to obtain other embodiments, which do not depart from the scope of the present application.
The above embodiments are only intended to be specific embodiments of the present application, and are not intended to limit the scope of the embodiments of the present application, and any modifications, equivalent substitutions, improvements, and the like made on the basis of the technical solutions of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims (10)

1. A method for determining a lost host, the method comprising:
acquiring initial security data of each host to be detected, wherein the initial security data is data generated in the running process of the host to be detected;
fusing each initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening out suspected hosts from the hosts to be detected based on the detection result, wherein the domain names to be detected of a suspected host comprise the malicious domain name, and the detection model is obtained by training on normal domain names and malicious domain names;
and determining a lost host from the suspected hosts based on the initial security data of the suspected hosts.
2. The method of claim 1, wherein the determining a lost host from the suspected hosts based on the initial security data of the suspected hosts comprises:
performing risk data identification on the initial security data of the suspected host through a risk data identification model to obtain an identification result, wherein the risk data identification model is obtained by training a neural network model on different types of risk data;
if the identification result is that risk data are identified from the initial security data of the suspected host, determining the suspected host to be a lost host; the risk data comprise at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data are asset data with a security level greater than a preset level, and the target user data are user data with a preset operation authority.
3. The method of determining according to claim 2, further comprising:
acquiring risk data of the lost host;
determining a risk type of the lost host based on the risk data of the lost host;
based on the risk types, at least one classification repair strategy corresponding to the risk types is obtained from a security knowledge base, wherein the security knowledge base comprises a plurality of risk types and a plurality of classification repair strategies corresponding to the risk types;
combining the classified repair strategies corresponding to the risk types according to a preset logical relationship to obtain a target repair strategy, wherein the preset logical relationship is used for representing the relevance between the classified repair strategies;
and repairing the lost host based on the target repairing strategy.
4. The determination method according to claim 3, wherein the risk data of the lost host carries a risk type tag, and the obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base comprises:
obtaining a risk type label of at least one risk type;
and acquiring at least one classified repair strategy corresponding to the risk type label from the security knowledge base according to the risk type label of the risk type, wherein the security knowledge base comprises a plurality of risk type labels and a plurality of classified repair strategies corresponding to the risk type labels.
5. The method according to claim 4, wherein the classification repair strategy includes a plurality of execution steps, and the step of combining the classification repair strategies corresponding to the risk types according to a predetermined logical relationship to obtain a target repair strategy includes:
determining a plurality of operation objects and a plurality of target execution steps associated with the operation objects from the classification repair strategies;
sorting the target execution steps associated with each operation object according to a target order to obtain a plurality of combined repair strategies, wherein the target order is an order in which the steps can be executed continuously;
and taking each combined repair strategy as the target repair strategy.
6. The method for determining according to any one of claims 1-5, wherein the fusing each initial security data based on a heterogeneous data fusion method to obtain target security data comprises:
fusing each initial security data based on a heterogeneous data fusion method to obtain intermediate security data;
and standardizing the intermediate security data to obtain the target security data, wherein the standardization constrains the data format of the security data and the representation form of the data content.
7. The determination method according to any one of claims 1 to 5, characterized in that the method further comprises:
acquiring a network security event of the lost host, wherein the network security event is an event in which a network, an information system or data is damaged because of the lost host;
determining an attack path of the lost host based on the network security event;
determining a target object having an access relation with the lost host from the attack path;
the repairing the lost host based on the target repair policy comprises:
and sending the target repair strategy to the lost host and the target object so as to enable the lost host and the target object to execute corresponding repair operation based on the target repair strategy.
8. The determination method according to any one of claims 1 to 6, wherein the generation process of the detection model includes:
acquiring a plurality of normal domain names and a plurality of malicious domain names;
extracting feature information of each normal domain name and feature information of each malicious domain name, wherein the feature information comprises at least one of character randomness of the domain names, lengths of characters, proportions of vowels in the characters, proportions of unique characters in the characters and top-level domain names;
and training a long short-term memory (LSTM) neural network based on the feature information of each normal domain name and the feature information of each malicious domain name to obtain the detection model.
9. An apparatus for determining a lost host, the apparatus comprising:
an acquisition module, configured to acquire initial security data of each host to be detected, wherein the initial security data are data generated in the running process of the host to be detected;
the fusion module is used for fusing the initial security data based on a heterogeneous data fusion method to obtain target security data;
the detection screening module is used for inputting each domain name to be detected in the target safety data into a detection model for malicious domain name detection, screening suspected hosts from each host to be detected based on a detection result, wherein each domain name to be detected of each suspected host comprises the malicious domain name, and the detection model is obtained by training a normal domain name and the malicious domain name;
and a determining module, configured to determine the lost host from the suspected hosts based on the initial security data of the suspected hosts.
10. A computer device, comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instructions from the memory and executing the instructions to realize the determination method of the lost host according to any one of claims 1 to 8.
CN202211287900.XA 2022-10-20 2022-10-20 Method and device for determining lost host and computer equipment Pending CN115643082A (en)

Publications (1)

Publication Number Publication Date
CN115643082A (en) 2023-01-24

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116415237A (en) * 2023-03-03 2023-07-11 港珠澳大桥管理局 Risk device identification method, apparatus, computer device and storage medium
CN116415237B (en) * 2023-03-03 2024-03-19 港珠澳大桥管理局 Risk device identification method, apparatus, computer device and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination