CN115664821A - Behavior portrait construction method and device, electronic equipment and storage medium - Google Patents
Authority: CN (China)
Prior art keywords: behavior, terminal, cluster, behavior data, learning
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The application discloses a behavior portrait construction method and device, an electronic device and a storage medium. The method comprises the following steps: a server receives behavior data reported by each of at least two terminals in a cluster; for each process, the server performs correlation analysis on the behavior data of that process at each terminal and adjusts the behavior data used for learning the behavior baseline of the process; the server learns the behavior baseline of each process from the adjusted behavior data; and the server packages the learned behavior baselines of all processes to obtain a terminal behavior portrait model suitable for the cluster.
Description
Technical Field
The application relates to the technical field of network security, and in particular to a behavior portrait construction method and device, an electronic device and a storage medium.
Background
In a virtualized network scenario, multiple physical servers typically operate as a cluster. In the related art, an electronic device filters its behavior log through a behavior portrait obtained by learning and identifies suspicious behavior from the filtering result, so the detection cost of behavior identification is high.
Disclosure of Invention
In view of the above, embodiments of the present application provide a behavior portrait construction method, apparatus, electronic device and storage medium, so as to at least solve the problem in the related art of high detection cost in behavior recognition.
The technical solution of the embodiments of the application is realized as follows:
an embodiment of the application provides a behavior portrait construction method, applied to a server, which comprises the following steps:
receiving behavior data reported by each of at least two terminals in a cluster;
for each process, performing correlation analysis on the behavior data of the process at each terminal, and adjusting the behavior data used for learning the behavior baseline of the process;
learning the behavior baseline of each process from the adjusted behavior data;
and encapsulating the learned behavior baseline of each process to obtain a terminal behavior portrait model suitable for the cluster.
In the above scheme, the encapsulating the behavior baseline of each process obtained by learning to obtain the terminal behavior portrait model applicable to the cluster includes:
determining the process type;
storing the corresponding behavior baseline into a terminal behavior portrait model of the corresponding process type according to different process types; wherein,
the process type includes one of:
a system process;
a key business process;
other business processes;
the terminal behavior portrait model includes one of:
a system process behavior portrait model;
a key business process behavior portrait model;
an other business process behavior portrait model.
In the above scheme, the method further comprises:
distributing the terminal behavior portrait model to each terminal in the cluster, so that each terminal performs behavior anomaly detection based on the terminal behavior portrait model distributed to it.
In the above scheme, the method further comprises:
when a set condition is met, continuing to update the current terminal behavior portrait model; wherein
the set condition is that the missed-report rate of abnormal behavior corresponding to the current terminal behavior portrait model is greater than a first set threshold, and/or the false-report rate of normal behavior corresponding to the current terminal behavior portrait model is greater than a second set threshold.
An embodiment of the application further provides a behavior portrait construction method, applied to a terminal in a cluster, which comprises the following steps:
reporting local behavior data to a server, so as to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model suitable for the cluster;
and performing anomaly detection on the terminal's local abnormal behavior based on the terminal behavior portrait model.
In the above scheme, the detecting the local abnormal behavior of the terminal based on the terminal behavior portrait model includes:
receiving a terminal behavior portrait model issued by the server;
and carrying out anomaly detection on local abnormal behaviors based on the received terminal behavior portrait model.
An embodiment of the present application further provides a behavior portrait construction device, comprising:
a receiving unit, configured to receive behavior data reported by each of at least two terminals in a cluster;
an adjusting unit, configured to perform, for each process, correlation analysis on the behavior data of the process at each terminal and adjust the behavior data used for learning the process behavior baseline;
a learning unit, configured to learn the behavior baseline of each process from the adjusted behavior data;
and a packaging unit, configured to package the learned behavior baseline of each process to obtain a terminal behavior portrait model suitable for the cluster.
An embodiment of the present application further provides a behavior portrait construction device, comprising:
a reporting unit, configured to report local behavior data to a server, so as to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process baseline learning, and finally obtain a terminal behavior portrait model suitable for the cluster;
and a detection unit, configured to perform anomaly detection on the terminal's local abnormal behavior based on the terminal behavior portrait model.
An embodiment of the present application further provides an electronic device, comprising a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute the steps of the behavior portrait construction method when running the computer program.
An embodiment of the application also provides a storage medium on which a computer program is stored, the computer program being executed by a processor to implement the steps of the behavior portrait construction method.
According to the scheme provided by the embodiments of the application, the server receives behavior data reported by each of at least two terminals in the cluster; for each process, it performs correlation analysis on the behavior data of the process at each terminal and adjusts the behavior data used for learning the behavior baseline of the process; it learns the behavior baseline of each process from the adjusted behavior data; and it packages the learned behavior baselines of all processes to obtain a terminal behavior portrait model suitable for the cluster. On the terminal side, a terminal in the cluster reports local behavior data to the server, so as to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process baseline learning, and finally obtain a terminal behavior portrait model suitable for the cluster; the terminal then performs anomaly detection on its local abnormal behavior based on that model. Under this scheme, the server adjusts the behavior data reported by each terminal for learning each process behavior baseline and obtains a terminal behavior portrait model suitable for the cluster, and the terminal detects its local abnormal behavior with that model, so a terminal in the cluster does not need to learn the terminal behavior portrait model itself, and the detection cost of behavior recognition is reduced.
Drawings
FIG. 1 is a schematic flow chart of an implementation of a behavior portrait construction method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an implementation of a behavior portrait construction method according to another embodiment of the present application;
FIG. 3 is a schematic diagram of a detection framework provided in an embodiment of the present application;
FIG. 4 is a schematic flow chart of an implementation of a cloud behavior portrait construction method according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a behavior portrait construction apparatus according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a behavior portrait construction apparatus according to another embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In a virtualized network scenario, multiple physical servers typically operate as a cluster. In the related art, an electronic device filters its behavior log through a behavior portrait obtained by learning and identifies suspicious behavior from the filtering result, so the detection cost of behavior identification is high.
Based on this, in various embodiments of the present application, a server receives behavior data reported by each of at least two terminals in a cluster; for each process, the server performs correlation analysis on the behavior data of the process at each terminal and adjusts the behavior data used for learning the behavior baseline of the process; it learns the behavior baseline of each process from the adjusted behavior data; and it packages the learned behavior baselines of all processes to obtain a terminal behavior portrait model suitable for the cluster. A terminal in the cluster reports its local behavior data to the server, so as to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model suitable for the cluster; the terminal then performs anomaly detection on its local abnormal behavior based on that model. Under this scheme, the server adjusts the behavior data reported by each terminal for learning each process behavior baseline to obtain a terminal behavior portrait model suitable for the cluster, and the terminal detects its local abnormal behavior with that model.
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
FIG. 1 is a schematic flow chart of an implementation of a behavior portrait construction method provided in an embodiment of the present application. The method is applied to a server and comprises the following steps:
Step 101: receiving behavior data reported by each of at least two terminals in the cluster.
In a virtualized network scenario, a cluster typically includes two or more terminals, including but not limited to servers, mobile terminals and other electronic devices. The server may be a server inside the cluster or a server outside the cluster; this is not limited here.
In the embodiments of the application, a terminal runs processes, the processes generate behavior data, and the terminal reports the behavior data corresponding to each process to the server. The behavior data of a process may be data in the form of executable file paths or behavior logs.
Step 102: for each process, performing correlation analysis on the behavior data of the process at each terminal, and adjusting the behavior data used for learning the process behavior baseline.
Taking a single process as an example: each terminal in the cluster that runs the process reports the behavior data of that process on that terminal to the server. Some of the reported behavior data may itself be abnormal and cannot be used directly to learn the behavior baseline of the process, so the behavior data is analyzed in order to screen out the behavior data required for learning the process behavior baseline.
Specifically, from the received behavior data of the process at each terminal, the server extracts a feature that can determine whether the behavior data of the process is normal, and sets a feature baseline corresponding to that feature. Based on the feature corresponding to the process and its feature baseline, the server screens the behavior data required for learning the process behavior baseline out of the behavior data of the process received from each terminal.
The feature types include, but are not limited to: process activity, file owner, signer of the file signature, threat intelligence information about the file, and behavior information of the process. The feature baseline can be set from the empirical values of developers, roughly chosen from the received behavior data, or calculated from the received behavior data by a given formula, among other ways. The feature baseline can be understood as a threshold. Specifically, it can be a single value x, in which case the value condition is satisfied when the feature value is greater than x (or, alternatively, less than x); or it can be two values x and y (x < y), in which case the value condition is satisfied when the feature value lies between x and y, or, alternatively, when it is less than x or greater than y.
In practical applications, the activity of a process may be obtained from the number of times certain operations occur in the behavior data of the process. Suppose software A is installed on a terminal: clicking software A once runs it and yields one executable file path for software A; clicking it 10 times yields 10 executable file paths for software A, so the activity of the software A process extracted from its behavior data is 10.
One way of screening behavior data by the feature baseline is: remove the maximum and the minimum among the received feature values, then judge each retained feature value; all behavior data whose feature values satisfy the value condition is the behavior data required for learning the process behavior baseline.
In practical application, after the behavior data is received, it may be converted into a data format that the server can recognize and process.
Step 103: learning the behavior baseline of each process from the adjusted behavior data.
Here, the behavior baseline of each process is learned from the behavior data screened out for learning that process's behavior baseline.
Step 104: packaging the learned behavior baselines of all processes to obtain a terminal behavior portrait model suitable for the cluster.
Under the scheme provided by the embodiments of the application, the server adjusts the behavior data reported by each terminal for learning the behavior baseline of each process, learns the behavior baseline of each process, and finally encapsulates the baselines to obtain a terminal behavior portrait model suitable for the cluster.
In an embodiment, encapsulating the learned behavior baselines of the processes to obtain the terminal behavior portrait model applicable to the cluster includes:
determining the process type;
storing the corresponding behavior baseline into the terminal behavior portrait model of the corresponding process type, according to process type; wherein
the process type includes one of:
a system process;
a key business process;
other business processes;
the terminal behavior portrait model includes one of:
a system process behavior portrait model;
a key business process behavior portrait model;
an other business process behavior portrait model.
The behavior baseline corresponding to a system process is stored in the system process behavior portrait model. By analyzing the behavior data of the system processes that correspond to this model, the server can identify the service type of the terminal. The model can also be issued to the terminal as a behavior white list for the system's default software; the terminal then judges behavior data that falls within the issued white list as white behavior, which shortens the time spent filtering behavior data and lowers the false-alarm rate for normal behavior. In practical application, when the behavior portrait of some system process has not converged under the terminal's default system, the server issues the behavior portrait of that system process, which reduces the learning burden on the terminal.
The behavior baseline corresponding to a key business process is stored in the key business process behavior portrait model. For this model, the server determines the security behavior boundary of the business by analyzing the key business processes of the terminal (usually a server, such as a web server). The model can be used to filter and detect unknown behavior, and can also be issued to terminals as a public white list, so that a terminal which cannot learn business behavior itself still obtains a behavior portrait and filters abnormal behavior data with the portrait distributed by the server; this improves the situation where normal behavior is misreported as abnormal and lowers the false-alarm rate. Some features of an abnormal behavior event take values different from those of a normal behavior event; corresponding alarm rules are set on these features, so that an alarm log is generated once an abnormal behavior event triggers an alarm.
The behavior baselines corresponding to other business processes are stored in the other business process behavior portrait model, where other business processes can be understood as application processes. By analyzing the behavior data corresponding to the white behaviors of an application process, the server can identify the normal behaviors generated while the application runs; it builds and issues an application-granularity white list, and the terminal judges the behavior data generated by applications in that white list as white behavior according to the issued list, which shortens the time spent filtering behavior data and lowers the false-alarm rate for normal behavior. In this embodiment, the behavior baselines of the processes are classified by process type, and the baselines of processes of the same type are stored in the same terminal behavior portrait model, so that the model can subsequently be issued to the terminals in the cluster in a targeted manner.
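The following added example (not code from the patent) works steps 102 to 104 and the process-type packaging just described on constructed data: it screens cluster-wide reports per process by removing the maximum and minimum feature value and applying the value condition, learns a baseline from what survives, and stores it in the model of the process's type. The report records, the activity values, the chosen feature baseline and the baseline representation (allowed executable paths plus an activity range) are all assumptions; the patent does not fix them.

```python
"""Server-side screening, baseline learning and packaging by process type."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample reports: each terminal reports, per process, the executable
# path it observed and the process activity (launch count, as in the
# "software A clicked 10 times" example). Process types are assumed known.
REPORTS = [
    {"terminal": "t1", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 12},
    {"terminal": "t2", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 15},
    {"terminal": "t3", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 11},
    {"terminal": "t4", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 90},
    {"terminal": "t5", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 2},
    {"terminal": "t6", "process": "sshd",  "type": "system", "path": "/usr/sbin/sshd", "activity": 3},
    {"terminal": "t1", "process": "nginx", "type": "key_business", "path": "/usr/sbin/nginx", "activity": 100},
    {"terminal": "t2", "process": "nginx", "type": "key_business", "path": "/usr/sbin/nginx", "activity": 120},
    {"terminal": "t3", "process": "nginx", "type": "key_business", "path": "/tmp/nginx",      "activity": 1},
    {"terminal": "t4", "process": "nginx", "type": "key_business", "path": "/usr/sbin/nginx", "activity": 110},
    {"terminal": "t1", "process": "curl",  "type": "other", "path": "/usr/bin/curl", "activity": 5},
    {"terminal": "t2", "process": "curl",  "type": "other", "path": "/usr/bin/curl", "activity": 6},
    {"terminal": "t3", "process": "curl",  "type": "other", "path": "/usr/bin/curl", "activity": 7},
]


@dataclass(frozen=True)
class FeatureBaseline:
    """The threshold forms described in the text: a single value x (keep v > x or
    v < x), or two values x < y (keep x < v < y, or keep v < x or v > y)."""
    x: float
    y: Optional[float] = None
    keep_above: bool = True   # single-value form: True keeps v > x, False keeps v < x
    keep_inside: bool = True  # two-value form: True keeps x < v < y, False keeps the outside

    def accepts(self, v: float) -> bool:
        if self.y is None:
            return v > self.x if self.keep_above else v < self.x
        inside = self.x < v < self.y
        return inside if self.keep_inside else not inside


def screen(records: list, feature: str, baseline: FeatureBaseline) -> list:
    """Drop the records carrying the maximum and the minimum feature value, then
    keep those whose retained feature value satisfies the value condition."""
    ordered = sorted(records, key=lambda r: r[feature])
    # Assumption: with fewer than three reports there is nothing left after trimming.
    retained = ordered[1:-1] if len(ordered) >= 3 else ordered
    return [r for r in retained if baseline.accepts(r[feature])]


def learn_baseline(records: list) -> dict:
    """Assumed baseline representation: the executable paths seen on the screened
    terminals plus the activity range they span."""
    activities = [r["activity"] for r in records]
    return {
        "paths": sorted({r["path"] for r in records}),
        "activity_range": (min(activities), max(activities)),
        "samples": len(records),
    }


def build_portrait_models(reports: list, feature_baselines: dict) -> dict:
    """Steps 102 to 104: per process, screen the cluster-wide reports, learn the
    baseline, and store it in the portrait model of the process's type."""
    by_process = defaultdict(list)
    for r in reports:
        by_process[(r["process"], r["type"])].append(r)
    models = {"system": {}, "key_business": {}, "other": {}}
    for (process, ptype), records in by_process.items():
        kept = records
        for feature, baseline in feature_baselines.items():
            kept = screen(kept, feature, baseline)
        if kept:  # a process with no usable data gets no baseline this round
            models[ptype][process] = learn_baseline(kept)
    return models


# Assumed operator-chosen feature baseline: an activity outside 5..500 launches is not
# treated as normal behavior data for baseline learning.
FEATURE_BASELINES = {"activity": FeatureBaseline(x=5, y=500)}

if __name__ == "__main__":
    for ptype, model in build_portrait_models(REPORTS, FEATURE_BASELINES).items():
        print(ptype, model)
```

For sshd the trim removes the reports with activity 2 and 90 and the value condition then rejects activity 3, so the baseline is learned from three terminals; for nginx the report from /tmp/nginx is dropped as the minimum.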
In an embodiment, the method further comprises:
distributing the terminal behavior portrait model to each terminal in the cluster, so that each terminal performs behavior anomaly detection based on the terminal behavior portrait model distributed to it.
Here, the server may distribute the terminal behavior portrait model through a software interface, a hardware interface or similar means. Generating and distributing the model may be two separate actions: the server may broadcast the model to the terminals in the cluster as soon as it is obtained, or store the model and issue it to a terminal when a trigger condition is met (for example, a request from the terminal is received, or the terminal joins the cluster); this is not limited here. The terminal that receives the behavior portrait model may or may not be a terminal that reported behavior data.
The server can determine which processes a terminal runs from the behavior data reported by that terminal, and send the terminal the behavior portrait model corresponding to those processes.
Alternatively, the server can obtain, through the management plane of the cluster, the processes supported by the terminal's running environment and/or the processes newly installed on the terminal, and send the terminal the behavior portrait model corresponding to those processes.
Alternatively, the server may send the corresponding terminal behavior portrait model in response to a request sent by the terminal (for example, a request to obtain the system process behavior portrait model).
In the embodiments of the application, the server performs correlation analysis on the behavior data reported by the terminals in the cluster to obtain a terminal behavior portrait model suitable for the cluster, so the terminals in the cluster do not need to learn the model themselves: the model issued by the server can be used directly to perform behavior anomaly detection on the terminal's local behavior data and filter abnormal behavior data out of it, which reduces the detection cost of behavior identification.
In an embodiment, the method further comprises:
when a set condition is met, continuing to update the current terminal behavior portrait model; wherein
the set condition is that the missed-report rate of abnormal behavior corresponding to the current terminal behavior portrait model is greater than a first set threshold, and/or the false-report rate of normal behavior corresponding to the current terminal behavior portrait model is greater than a second set threshold.
After obtaining the terminal behavior portrait model, the server judges whether the current model meets the set condition. If it does, the server determines that the current model needs updating and updates it based on the result of screening the behavior data from which the current model was obtained. The screening of the behavior data may be carried out by operations and maintenance staff, or by the server or another electronic device.
It may then be judged whether the updated model still meets the set condition; if so, the model is updated again, until the updated terminal behavior portrait model no longer meets the set condition.
In this scheme, the server updates the terminal behavior portrait model with the screened behavior data, which can exclude the behavior data of some or all abnormal behavior events, improves the situation where abnormal behavior has been learned into the model, and lowers the missed-report rate of abnormal behavior for the model. In addition, by excluding behavior data that may cause false alarms on normal behavior, the false-report rate of normal behavior for the model can be lowered.
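The update loop just described, as an added example that is not the patent's code: the current model is evaluated against behavior events that have been judged normal or abnormal, the missed-report and false-report rates are compared with the two thresholds, and the model is re-learned from the screened data (events judged abnormal excluded) until the set condition no longer holds. The labelled events, the model shape (allowed paths plus an activity range), the thresholds and the round limit are assumptions.

```python
"""Checking the set condition and re-learning the portrait model from screened data."""

# Constructed labelled evaluation events for one process. The label stands for the
# judgement of operations staff or the server on whether the event was abnormal.
EVAL_EVENTS = [
    {"path": "/usr/sbin/nginx", "activity": 105,  "abnormal": False},
    {"path": "/usr/sbin/nginx", "activity": 130,  "abnormal": False},  # outside the old range
    {"path": "/usr/sbin/nginx", "activity": 98,   "abnormal": False},  # outside the old range
    {"path": "/tmp/nginx",      "activity": 104,  "abnormal": True},   # path that was learned in by mistake
    {"path": "/usr/sbin/nginx", "activity": 2000, "abnormal": True},
    {"path": "/tmp/nginx",      "activity": 1,    "abnormal": True},
]

# A current model into which an abnormal path has been learned (constructed).
CURRENT_MODEL = {"paths": {"/usr/sbin/nginx", "/tmp/nginx"}, "activity_range": (100, 110)}

MISS_RATE_THRESHOLD = 0.20   # first set threshold (assumed value)
FALSE_RATE_THRESHOLD = 0.10  # second set threshold (assumed value)


def is_abnormal(model: dict, event: dict) -> bool:
    """Assumed detection rule: a path not in the baseline, or activity outside its range."""
    lo, hi = model["activity_range"]
    return event["path"] not in model["paths"] or not (lo <= event["activity"] <= hi)


def error_rates(model: dict, events: list) -> tuple:
    """Missed-report rate of abnormal behavior and false-report rate of normal behavior."""
    abnormal = [e for e in events if e["abnormal"]]
    normal = [e for e in events if not e["abnormal"]]
    missed = sum(1 for e in abnormal if not is_abnormal(model, e))
    false = sum(1 for e in normal if is_abnormal(model, e))
    miss_rate = missed / len(abnormal) if abnormal else 0.0
    false_rate = false / len(normal) if normal else 0.0
    return miss_rate, false_rate


def meets_set_condition(model: dict, events: list) -> bool:
    """The set condition: missed-report rate above the first threshold and/or
    false-report rate above the second threshold."""
    miss_rate, false_rate = error_rates(model, events)
    return miss_rate > MISS_RATE_THRESHOLD or false_rate > FALSE_RATE_THRESHOLD


def relearn(events: list) -> dict:
    """Re-learn from the screened data: events judged abnormal are excluded, so their
    paths drop out and the activity range follows the normal events only."""
    normal = [e for e in events if not e["abnormal"]]
    activities = [e["activity"] for e in normal]
    return {"paths": {e["path"] for e in normal},
            "activity_range": (min(activities), max(activities))}


def update_until_stable(model: dict, events: list, max_rounds: int = 5) -> tuple:
    """Update while the set condition holds; returns the final model and the number of
    update rounds performed. max_rounds is an assumed safety limit."""
    rounds = 0
    while rounds < max_rounds and meets_set_condition(model, events):
        model = relearn(events)
        rounds += 1
    return model, rounds


if __name__ == "__main__":
    print("before:", error_rates(CURRENT_MODEL, EVAL_EVENTS))
    final, n = update_until_stable(CURRENT_MODEL, EVAL_EVENTS)
    print("after", n, "round(s):", error_rates(final, EVAL_EVENTS), final)
```

On the constructed data the current model misses one of three abnormal events and falsely reports two of three normal events, so one re-learning round is triggered, after which both rates are zero and the loop stops.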
FIG. 2 is a schematic flow chart of an implementation of a behavior portrait construction method provided in an embodiment of the present application. The method is applied to a terminal in a cluster, where the terminals include, but are not limited to, servers, mobile terminals and other electronic devices. The method comprises the following steps:
Step 201: reporting local behavior data to a server.
The report instructs the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model suitable for the cluster.
Step 202: performing anomaly detection on the terminal's local abnormal behavior based on the terminal behavior portrait model.
In an embodiment, performing anomaly detection on the terminal's local abnormal behavior based on the terminal behavior portrait model includes:
receiving the terminal behavior portrait model issued by the server;
and performing anomaly detection on local abnormal behavior based on the received terminal behavior portrait model.
In a virtualized network scenario, a cluster typically includes two or more terminals, and the terminals run processes that generate behavior data. The server may be a server inside the cluster or a server outside the cluster; this is not limited here.
The server performs correlation analysis on the behavior data reported by the terminals in the cluster to obtain a terminal behavior portrait model suitable for the cluster and distributes it to the terminals in the cluster; a terminal receives the model issued by the server and uses it to perform behavior anomaly detection on its local behavior data and to filter abnormal behavior data out of that data.
The terminal that receives the terminal behavior portrait model may or may not be a terminal that reported behavior data. The behavior data may be data in the form of executable file paths, behavior logs, or the like. The terminal behavior portrait model can be used by one or more terminals in the cluster, and a terminal can receive the model transmitted by the server through a software interface, a hardware interface or similar means.
In the embodiments of the application, a terminal in the cluster does not need to learn a terminal behavior portrait model, which reduces the detection cost of behavior recognition; in addition, the model learned by the server is more comprehensive and accurate, so the false-report rate of normal behavior and the missed-report rate of abnormal behavior are both reduced.
Abnormal behavior data has features that differ from normal behavior data. In one embodiment, corresponding alarm rules are set on these features, and when the terminal detects abnormal behavior data in its local behavior data, an alarm is triggered and an alarm log is generated, so that an operator can discover the terminal's local abnormal behavior in time.
The terminal can output the alarm log through an external device such as a display. Before the alarm logs are output, similar alarm logs can be merged by aggregation and reduction methods such as character aggregation, semantic aggregation and/or statistical reduction, which reduces the number of alarm logs. When the alarm logs are output, the alarm events corresponding to them can be ordered by the risk level of the alarm, with the higher-risk alarm events first, so that operators can analyze the logs conveniently. The alarm logs and the corresponding behavior events can also be analyzed according to the association relationships of the original data (for example, the behavior logs), the association relationships among alarm logs, and the association relationships across hosts, and the analysis result can be output.
In an embodiment, a set reputation library is provided in the terminal, in which behavior data corresponding to abnormal behavior and/or behavior data corresponding to normal behavior is recorded; when the terminal filters its local behavior data, it can filter based on the set reputation library so that the abnormal behavior data is filtered out. The set reputation library may be issued by the server to the terminal, or generated by the terminal during operation from the behavior data and the corresponding judgement results. This improves the false-alarm situation in which normal behavior data is recognized as abnormal, and reduces the number of false alarm logs.
The present application will be described in further detail with reference to the following application examples.
At present, behaviors on a server are filtered by defining expert rules. An expert uses professional experience in a specific field to design rules that a computer can recognize and use for detection; such rules are expert rules. Expert rules are of two types: white rules and black rules.
A black rule is obtained by analyzing known attack behaviors, determining which features of the attack process differ from normal behaviors, and combining those features into a rule. In the detection stage all behaviors are filtered by the rules, and a behavior that hits a rule is regarded as an attack behavior. Generating such rules depends on the experience of experts; if a rule is poorly designed, it can match normal behaviors and produce false alarms. A false alarm refers to the situation in which a normal log is identified as a suspicious log.
A white rule is a rule in which an expert determines, according to the service run by the server, which behaviors may be executed; the executable behaviors are abstracted into corresponding rules, and behaviors outside the scope of the rules are not allowed to execute. If the normal behavior rules are designed too strictly, many normal files cannot be executed; if they are designed too loosely, many malicious behaviors bypass the expert rules.
The effect therefore depends on the quality of the rules extracted by security experts; actual customer-side tests show a problem of high false alarm rates, and the detection effect against 0day attacks is limited. A 0day attack refers to an attacker attacking a customer's server using vulnerabilities or tools that have not been disclosed. Here, a server may be understood as a computer that provides various high-performance services to users, such as a supercomputer for scientific computing tasks.
On this basis, the embodiment of the present application provides a distributed anomaly detection method and system that, based on a set detection framework, can filter the behavior logs generated by a host, identify suspicious behaviors, and discover unknown attacks in time. Specifically, by combining terminal behavior portraits, alarm reduction and cloud portraits, suspicious behaviors can be detected automatically while keeping false alarms under control. At the same time, the whole anomaly detection process is fully automated, and known and unknown attacks can be detected without the intervention of security experts.
As shown in fig. 3, the set detection framework is mainly divided into three modules:
The terminal behavior portrait module is used to learn the behaviors of the host; the learned behavior portrait is used to filter the behavior logs, which resolves the problems of dependence on expert rules and unstable effect.
The cloud portrait correction module is used to optimize the behavior portrait models reported by users. The host portrait of the terminal is continuously optimized and adjusted through the cluster portrait, host portrait, application portrait, system background portrait and/or service portrait, so that the terminal behavior portrait stays in its best detection state. The scheme of the embodiment of the application reduces the number of false alarm logs and detects host behaviors automatically while keeping the false alarm rate and the detection rate within bounds.
The alarm reduction module is used to compress the alarm logs generated by the terminal behavior portrait, so that the number of false alarm logs is reduced and false alarms are kept under control. After alarm reduction, the number of false alarm logs can be reduced by more than 90%, which greatly improves the efficiency of security operations.
The detection framework shown in fig. 3 is explained as follows:
Terminal behavior logs: logs generated and collected on the host.
The terminal behavior portrait module comprises the sub-modules application white list, behavior baseline and model pollution analysis.
Application white list: for common applications that are not exploited by attackers, filtering can be performed quickly through an application white list.
Behavior baseline: the collection of relevant behaviors learned from the host, also referred to as a behavior model.
Model pollution analysis: model pollution analysis can be performed through rule detection, pollution analysis and similar means; it mainly addresses the problem that abnormal behaviors go unreported because attack behaviors were learned into the model.
The alarm reduction module comprises the sub-modules alarm aggregation, alarm correlation analysis and scoring algorithm.
Alarm aggregation: mainly merges similar alarm logs so that the number of alarms is reduced.
Alarm correlation analysis: through alarm correlation analysis, security operations personnel can study and judge the alarm logs more conveniently.
Scoring algorithm: the scoring algorithm sorts alarms by risk level so that urgent alarm events are moved forward and operators can focus their main effort on the key alarm logs.
The cloud portrait correction module comprises the sub-modules portrait library and behavior reputation library.
Portrait library: a cloud portrait library is established from different perspectives, and a general basic behavior library can be established as the input of the behavior reputation library.
Behavior reputation library: the behavior reputation library can be issued to the terminals to filter some common normal behaviors or abnormal behaviors.
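The terminal-side part of the framework (baseline comparison, reputation-library filtering, alarm aggregation and risk scoring, as described in the alarm handling paragraphs above and in the alarm reduction module) as an added example; this is not the patent's code, and the record format, the "kind:target" behavior strings, the scoring weights and the digit-collapsing form of character aggregation are assumptions.

```python
"""Terminal-side alarm pipeline: baseline check, reputation filtering,
alarm aggregation and risk scoring.  Added example, not the patent's code."""
import re
from dataclasses import dataclass

# Constructed behavior baseline for two processes, as a terminal would
# receive it from the server: "kind:target" strings learned as normal.
BASELINE = {
    "nginx": {"exec:/usr/sbin/nginx", "open:/etc/nginx/nginx.conf",
              "open:/var/log/nginx/access.log"},
    "sshd": {"exec:/usr/sbin/sshd", "open:/etc/ssh/sshd_config"},
}
# Constructed reputation library issued by the server (assumed shape).
REPUTATION = {
    "normal": {"exec:/usr/sbin/logrotate"},   # known good: no alarm
    "abnormal": {"exec:/tmp/payload.sh"},     # known bad: always alarm
}
# Assumed risk weight by behavior kind (the prefix before the colon).
KIND_WEIGHT = {"exec": 60, "open": 30, "connect": 50}


@dataclass
class Alarm:
    process: str
    behavior: str      # normalized behavior string
    hosts: set
    count: int
    known_bad: bool


def normalize(behavior: str) -> str:
    """Character aggregation (assumed form): collapse digit runs so that
    variants such as /tmp/cache17.bin and /tmp/cache22.bin merge."""
    return re.sub(r"\d+", "#", behavior)


def check(process: str, behavior: str):
    """Return (should_alarm, known_bad) for one local behavior record.
    The reputation library is consulted before the learned baseline."""
    if behavior in REPUTATION["normal"]:
        return False, False
    if behavior in REPUTATION["abnormal"]:
        return True, True
    return behavior not in BASELINE.get(process, set()), False


def aggregate(records):
    """Merge similar alarms (same process, same normalized behavior) over a
    batch of (host, process, behavior) records; statistical reduction keeps
    only the count and the set of hosts instead of one log per event."""
    merged = {}
    for host, process, behavior in records:
        alarm, known_bad = check(process, behavior)
        if not alarm:
            continue
        key = (process, normalize(behavior))
        if key not in merged:
            merged[key] = Alarm(process, key[1], set(), 0, known_bad)
        entry = merged[key]
        entry.hosts.add(host)
        entry.count += 1
        entry.known_bad = entry.known_bad or known_bad
    return list(merged.values())


def risk_score(alarm: Alarm) -> int:
    """Assumed scoring: reputation hits dominate; otherwise weight by kind,
    raised when the same behavior appears on several hosts."""
    if alarm.known_bad:
        return 100
    kind = alarm.behavior.split(":", 1)[0]
    return KIND_WEIGHT.get(kind, 20) + 10 * (len(alarm.hosts) - 1)


def ranked_alarms(records):
    """Aggregated alarms ordered highest risk first, as shown to operators."""
    return sorted(aggregate(records), key=risk_score, reverse=True)


# Constructed batch of local behavior records from two hosts.
SAMPLE = [
    ("h1", "nginx", "exec:/usr/sbin/nginx"),            # in baseline
    ("h1", "nginx", "exec:/usr/sbin/logrotate"),        # reputation: normal
    ("h1", "nginx", "open:/var/log/nginx/access.log"),  # in baseline
    ("h1", "nginx", "open:/tmp/cache17.bin"),           # unknown open
    ("h2", "nginx", "open:/tmp/cache22.bin"),           # merges with above
    ("h2", "sshd", "exec:/tmp/payload.sh"),             # reputation: abnormal
    ("h1", "sshd", "exec:/bin/bash"),                   # unknown exec
    ("h2", "sshd", "exec:/bin/bash"),                   # same, second host
]

if __name__ == "__main__":
    for a in ranked_alarms(SAMPLE):
        print(risk_score(a), a.process, a.behavior, sorted(a.hosts), a.count)
```

Eight records collapse to three ranked alarms; the logrotate execution is suppressed by the reputation library even though it is absent from the nginx baseline.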
Compared with a centralized detection framework, in which all logs are transmitted to a server for processing, the scheme of the embodiment of the application makes reasonable use of the computing and storage resources on each terminal to filter the behavior logs it generates, so that the volume of uploaded logs is reduced and the detection cost is greatly reduced. With false alarms kept under control, the method can help customers discover unknown attack behaviors in time and avoid losses. At the same time, the alarm logs produced after screening the behavior logs are compressed, so that the number of false alarm logs is reduced and false alarms remain controllable.
Fig. 4 is a schematic diagram of the implementation flow of a cloud behavior portrait construction method provided in an application embodiment of the present application; the implementation flow includes at least the following:
Terminal behavior data reporting: the terminal reports the behavior data generated by the processes running on it to the cloud.
Information parsing: the reported behavior data is parsed into the features required by the feature extraction module.
Feature extraction module: mainly extracts features usable for whitelisting, such as process liveness, the owner of the file, the issuer of the file signature, threat intelligence information about the file, and the behavior information of the process. Here, a file executed in the operating system may be referred to as a process.
Process white behavior identification and filtering module: judges and filters the process behaviors according to the features; only the white behaviors related to a process enter the process type identification module.
Process type identification module: according to the type of the process, the white behaviors of the process are classified into a system background portrait, a service portrait or an application portrait, so that data can subsequently be issued in a targeted manner.
Manual identification and operation module: security experts can optimize the terminal cluster behavior portrait library at the cloud end, resolving the problem of attacks mixed in during the learning period as well as the problem of high false alarms.
Update and issuing module: the terminal cluster behavior portrait library at the cloud end issues the corresponding behavior portraits in a targeted manner according to the problems and requirements of the terminals.
Any method similar to the method or architecture of the present invention, but using other detection modules similar to the terminal behavior image to detect and process the behavior, is within the scope of the present application.
In order to implement the method of the embodiment of the present application, an embodiment of the present application further provides a behavior sketch constructing apparatus, as shown in fig. 5, the apparatus includes:
a receiving unit 501, configured to receive behavior data reported by each terminal of at least two terminals in a cluster;
an adjusting unit 502, configured to, for each process, perform correlation analysis on behavior data of the process at each terminal, and adjust each behavior data used for learning a behavior baseline of the process;
a learning unit 503, configured to learn to obtain a behavior baseline of each process based on the adjusted behavior data;
and an encapsulating unit 504, configured to encapsulate the learned behavior baselines of the processes to obtain a terminal behavior portrait model applicable to the cluster.
Wherein, in one embodiment, the encapsulating unit 504 is configured to:
determining the process type;
storing the corresponding behavior base line into the terminal behavior portrait model of the corresponding process type according to different process types; wherein,
the process type includes one of:
a system process;
a key business process;
other business processes;
the terminal behavior portrait model comprises one of the following:
a system process behavior portrait model;
a key business process behavior portrait model;
other business process behavioral representation models.
In one embodiment, the apparatus further comprises:
and the distribution unit is used for distributing the terminal behavior representation model to each terminal in the cluster so that each terminal can perform behavior abnormity detection based on the locally distributed terminal behavior representation model.
In one embodiment, the apparatus further comprises:
the updating unit is used for continuously updating the current terminal behavior portrait model under the condition that the set condition is met; wherein,
the set condition represents that the abnormal behavior missing report rate corresponding to the current terminal behavior portrait model is larger than a first set threshold value, and/or the normal behavior false report rate corresponding to the current terminal behavior portrait model is larger than a second set threshold value.
In practical applications, the receiving unit 501 may be implemented by a communication interface in a behavior-based representation constructing apparatus, the adjusting unit 502, the learning unit 503, the encapsulating unit 504, and the updating unit may be implemented by a processor in the behavior-based representation constructing apparatus, and the distributing unit may be implemented by a processor in the behavior-based representation constructing apparatus in combination with the communication interface.
It should be noted that: in the above embodiment, when the behavior image constructing apparatus is used to construct a behavior image, the above-mentioned division of each program module is merely used as an example, and in practical applications, the above-mentioned processing may be distributed to different program modules according to needs, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the above-mentioned processing. In addition, the behavior sketch constructing device and the behavior sketch constructing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
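The server-side units described above (receiving 501, adjusting 502, learning 503, encapsulating 504, plus the updating unit and its set condition) as an added example that is not the patent's code. The specific correlation rule (keep a behavior for baseline learning only when at least two terminals reported it, so a behavior seen on a single terminal during the learning period is excluded), the process-type table, the rate thresholds and all sample data are assumptions.

```python
"""Server-side behavior portrait construction: correlation analysis across
terminals, baseline learning, packaging by process type and the update
condition.  Added example, not the patent's code."""
from collections import defaultdict

# Assumed process-type table used by the packaging step; processes not
# listed are treated as "other business processes".
PROCESS_TYPE = {"systemd": "system", "sshd": "system",
                "nginx": "key_business", "mysqld": "key_business"}


def receive(reports):
    """Receiving unit: group (terminal, process, behavior) reports from the
    cluster's terminals as process -> terminal -> set of behaviors."""
    per_process = defaultdict(lambda: defaultdict(set))
    for terminal, process, behavior in reports:
        per_process[process][terminal].add(behavior)
    return per_process


def adjust(per_terminal, min_terminals=2):
    """Adjusting unit, assumed correlation rule for one process: a behavior
    enters baseline learning only if at least `min_terminals` terminals
    exhibited it (or all of them, when fewer terminals reported)."""
    seen_on = defaultdict(set)
    for terminal, behaviors in per_terminal.items():
        for behavior in behaviors:
            seen_on[behavior].add(terminal)
    needed = min(min_terminals, len(per_terminal))
    return {b for b, terminals in seen_on.items() if len(terminals) >= needed}


def learn_baselines(reports, min_terminals=2):
    """Learning unit: the adjusted behavior set is the process baseline."""
    return {p: adjust(t, min_terminals) for p, t in receive(reports).items()}


def package(baselines):
    """Encapsulating unit: store each baseline under the portrait model of
    its process type (system / key business / other business)."""
    model = {"system": {}, "key_business": {}, "other_business": {}}
    for process, baseline in baselines.items():
        model[PROCESS_TYPE.get(process, "other_business")][process] = sorted(baseline)
    return model


def evaluate(model, labelled):
    """Measure the packaged model on labelled (process, behavior, is_abnormal)
    records; returns (missed-report rate, false-alarm rate)."""
    allowed = {p: set(b) for sub in model.values() for p, b in sub.items()}
    missed = false = abnormal = normal = 0
    for process, behavior, is_abnormal in labelled:
        flagged = behavior not in allowed.get(process, set())
        if is_abnormal:
            abnormal += 1
            missed += not flagged
        else:
            normal += 1
            false += flagged
    return (missed / abnormal if abnormal else 0.0,
            false / normal if normal else 0.0)


def needs_update(miss_rate, false_alarm_rate, t_miss=0.05, t_false=0.10):
    """Updating unit's set condition: missed-report rate above the first
    threshold and/or false-alarm rate above the second (values assumed)."""
    return miss_rate > t_miss or false_alarm_rate > t_false


# Constructed reports from three terminals during the learning period.
SAMPLE_REPORTS = [
    ("t1", "nginx", "exec:/usr/sbin/nginx"),
    ("t2", "nginx", "exec:/usr/sbin/nginx"),
    ("t3", "nginx", "exec:/usr/sbin/nginx"),
    ("t1", "nginx", "open:/etc/nginx/nginx.conf"),
    ("t2", "nginx", "open:/etc/nginx/nginx.conf"),
    ("t3", "nginx", "exec:/bin/sh"),            # only t3: excluded
    ("t1", "sshd", "exec:/usr/sbin/sshd"),
    ("t2", "sshd", "exec:/usr/sbin/sshd"),
    ("t1", "backup.sh", "open:/data/db.dump"),
    ("t2", "backup.sh", "open:/data/db.dump"),
]
# Constructed labelled records used to decide whether the model needs updating.
LABELLED = [
    ("nginx", "exec:/usr/sbin/nginx", False),
    ("nginx", "exec:/bin/sh", True),
    ("nginx", "open:/etc/nginx/nginx.conf", False),
    ("sshd", "exec:/usr/sbin/sshd", False),
    ("sshd", "exec:/tmp/unknown.bin", True),
    ("nginx", "open:/var/log/nginx/error.log", False),  # a false alarm
]

if __name__ == "__main__":
    model = package(learn_baselines(SAMPLE_REPORTS))
    miss, fa = evaluate(model, LABELLED)
    print(model, miss, fa, needs_update(miss, fa))
```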
In order to implement the method of the embodiment of the present application, an embodiment of the present application further provides a behavior sketch constructing apparatus, as shown in fig. 6, the apparatus includes:
a reporting unit 601, configured to report local behavior data to a server, the local behavior data being used to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model applicable to the cluster;
a detecting unit 602, configured to perform anomaly detection on local abnormal behavior of the terminal based on the terminal behavior portrait model.
Wherein, in one embodiment, the detection unit 602 is configured to:
receiving a terminal behavior portrait model issued by the server;
and carrying out anomaly detection on local abnormal behaviors based on the received terminal behavior portrait model.
In practical applications, the reporting unit 601 may be implemented by a communication interface in the behavior-based sketch constructing apparatus, and the detecting unit 602 may be implemented by a processor in the behavior-based sketch constructing apparatus.
It should be noted that: in the above embodiment, when the behavior image constructing apparatus is used to construct a behavior image, the above-mentioned division of each program module is merely used as an example, and in practical applications, the above-mentioned processing may be distributed to different program modules according to needs, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the above-mentioned processing. In addition, the behavior sketch constructing device and the behavior sketch constructing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Based on the hardware implementation of the program module, in order to implement the behavior sketch construction method in the embodiment of the present application, an embodiment of the present application further provides an electronic device. Fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 7, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
and the processor 2 is connected with the communication interface 1 to realize information interaction with other equipment, and is used for executing the method provided by one or more technical schemes when running a computer program. And the computer program is stored on the memory 3.
In practice, of course, the various components of the electronic device are coupled together through the bus system 4. It will be appreciated that the bus system 4 is used to realize the connections and communication between these components. In addition to a data bus, the bus system 4 includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are labeled as bus system 4 in fig. 7.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present application may be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware integrated logic circuits or software in the processor 2. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present application are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer readable storage medium, for example, including a memory 3 storing a computer program, which can be executed by a processor 2 to implement the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps of implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer-readable storage medium, and when executed, executes the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
It is understood that in the embodiments of the present application, user information is referred to, and when the embodiments of the present application are applied to specific products or technologies, user permission or consent needs to be obtained, and the collection, use and processing of relevant data need to comply with relevant laws and regulations and standards in relevant countries and regions.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict. Unless otherwise specified and limited, the term "coupled" is to be construed broadly, e.g., as meaning electrical connections, or as meaning communications between two elements, either directly or indirectly through intervening media, as well as the specific meanings of such terms as understood by those skilled in the art.
In addition, in the examples of the present application, "first", "second", and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that objects distinguished as "first/second/third" may be interchanged under appropriate circumstances, so that the embodiments of the application described herein may be implemented in an order other than that illustrated or described herein.
The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of a plurality; for example, "at least one of A, B and C" may mean any one or more elements selected from the set consisting of A, B and C.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Various combinations of the specific features in the embodiments described in the detailed description may be made without contradiction, for example, different embodiments may be formed by different combinations of the specific features, and in order to avoid unnecessary repetition, various possible combinations of the specific features in the present application will not be described separately.
Claims (10)
1. A behavior portrait construction method is applied to a server, and the method comprises the following steps:
receiving behavior data reported by each terminal of at least two terminals in a cluster;
for each process, performing correlation analysis on behavior data of the process at each terminal, and adjusting each behavior data for learning a behavior baseline of the process;
learning to obtain a behavior baseline of each process based on the adjusted behavior data;
and packaging the behavior baselines of all the processes obtained by learning to obtain the terminal behavior portrait model suitable for the cluster.
2. The method of claim 1, wherein encapsulating the learned behavior baselines of the processes to obtain a terminal behavior representation model applicable to the cluster comprises:
determining the process type;
storing the corresponding behavior base line into the terminal behavior portrait model of the corresponding process type according to different process types; wherein,
the process type includes one of:
a system process;
a key business process;
other business processes;
the terminal behavior portrait model comprises one of the following:
a system process behavior portrait model;
a key business process behavior portrait model;
other business process behavioral representation models.
3. The method of claim 1, further comprising:
and distributing the terminal behavior representation model to each terminal in the cluster, so that each terminal performs behavior abnormity detection based on the locally distributed terminal behavior representation model.
4. The method of claim 1, further comprising:
under the condition of meeting the set conditions, continuously updating the current terminal behavior portrait model; wherein,
the set condition represents that the abnormal behavior missing report rate corresponding to the current terminal behavior portrait model is larger than a first set threshold value, and/or the normal behavior false report rate corresponding to the current terminal behavior portrait model is larger than a second set threshold value.
5. A behavior portrait construction method is applied to terminals in a cluster, and comprises the following steps:
reporting local behavior data to a server, the local behavior data being used to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model applicable to the cluster;
and carrying out anomaly detection on the local abnormal behaviors of the terminal based on the terminal behavior portrait model.
6. The method of claim 5, wherein the performing anomaly detection on the abnormal behavior local to the terminal based on the terminal behavior representation model comprises:
receiving a terminal behavior portrait model issued by the server;
and carrying out anomaly detection on local abnormal behaviors based on the received terminal behavior portrait model.
7. A behavior sketch constructing apparatus, comprising:
the receiving unit is used for receiving the behavior data reported by each terminal of at least two terminals in the cluster;
the adjusting unit is used for analyzing the behavior data of the process at each terminal in a correlation manner for each process and adjusting each behavior data for learning the process behavior baseline;
the learning unit is used for learning to obtain a behavior baseline of each process based on the adjusted behavior data;
and the packaging unit is used for packaging the behavior base line of each process obtained by learning to obtain the terminal behavior portrait model suitable for the cluster.
8. A behavior sketch constructing apparatus, comprising:
the reporting unit is used to report local behavior data to the server, the local behavior data being used to instruct the server to perform correlation analysis on the behavior data received from each terminal, obtain the process behavior data required for process behavior baseline learning, and finally obtain a terminal behavior portrait model applicable to the cluster;
and the detection unit is used for carrying out abnormity detection on the local abnormal behaviors of the terminal based on the terminal behavior portrait model.
9. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is adapted to perform the steps of the method of any one of claims 1 to 4, or to perform the steps of the method of claim 5 or 6, when running the computer program.
10. A storage medium having stored thereon a computer program for implementing the steps of the method of any one of claims 1 to 4, or the steps of the method of claim 5 or 6, when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211326383.2A CN115664821A (en) | 2022-10-27 | 2022-10-27 | Behavior portrait construction method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115664821A true CN115664821A (en) | 2023-01-31 |
Family
ID=84993551
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114584405B (en) | | Electric power terminal safety protection method and system |
US10534906B1 (en) | | Detection efficacy of virtual machine-based analysis with application specific events |
Hu et al. | | A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection |
US10601848B1 (en) | | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
CN112671807B (en) | | Threat processing method, threat processing device, electronic equipment and computer readable storage medium |
CN112953971B (en) | | Network security flow intrusion detection method and system |
KR101132197B1 (en) | | Apparatus and Method for Automatically Discriminating Malicious Code |
CN113364750B (en) | | Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method |
US20150358292A1 (en) | | Network security management |
CN117879970A (en) | | Network security protection method and system |
JP2024536226A (en) | | System and method for detecting malicious hands-on keyboard activity via machine learning |
CN110365673B (en) | | Method, server and system for isolating network attack plane |
CN118101250A (en) | | Network security detection method and system |
CN115664822A (en) | | Behavior portrait construction method and device, electronic equipment and storage medium |
CN118018231A (en) | | Security policy management method, device, equipment and storage medium for isolation area |
CN115296849B (en) | | Associated alarm method and system, storage medium and electronic equipment |
CN115086081B (en) | | Escape prevention method and system for honeypots |
US20230315848A1 (en) | | Forensic analysis on consistent system footprints |
CN116346442A (en) | | Threat detection method and device based on threat information |
CN115664821A (en) | | Behavior portrait construction method and device, electronic equipment and storage medium |
CN114362980B (en) | | Protocol hanging login account identification method, device, computer equipment and storage medium |
CN114584391A (en) | | Method, device, equipment and storage medium for generating abnormal flow processing strategy |
CN115967542B (en) | | Intrusion detection method, device, equipment and medium based on human factor |
CN114154160B (en) | | Container cluster monitoring method and device, electronic equipment and storage medium |
CN112968916B (en) | | Network attack state identification method, device, equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |