CN115859279A - Host behavior detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115859279A
Application number: CN202310182102.9A
Authority: CN (China)
Prior art keywords: behavior, host, information, host behavior, process chain
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 周超, 陈杰, 任政, 童兆丰, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202310182102.9A
Publication of CN115859279A

Landscape: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of the application provide a method and a device for detecting host behavior, an electronic device and a storage medium. The method comprises the following steps: acquiring host behavior information; extracting the host behavior attribute from the host behavior information; generating a host behavior label according to the host behavior attribute; constructing a behavior process chain according to the host behavior attribute; constructing a behavior label process chain according to the host behavior label and the behavior process chain; and performing correlation detection on the host behavior based on the behavior label process chain to obtain a detection result. By implementing the embodiments, the detection efficiency of host behavior can be improved, specific host behaviors can be captured quickly and accurately by means of correlation detection, resource occupation is reduced, and missed reports and false reports are less likely to occur.

Description

Host behavior detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting host behavior, an electronic device, and a computer storage medium.
Background
Intrusion detection in host security products is mainly single-point detection. Single-point detection is simple and convenient, but its accuracy is hard to control, because it depends on the granularity of the detection rule: a fine-grained rule gives a low false-report rate but a high missed-report rate, while a coarse rule gives a high false-report rate and a low missed-report rate.
Existing host security products are a terminal-side detection engine, a console detection engine, or a combination of the two, and perform only single-point detection aimed at one single behavior of the host. The range of single-point detection is small, its detection capability is limited, and its accuracy is hard to guarantee. Moreover, most intrusion threats generate many host behaviors, and in the face of complex intrusion behavior a single-point detection mode identifies them inefficiently and inaccurately, so many missed reports and false reports are easily generated.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting host behavior, an electronic device, and a storage medium, which can improve the detection efficiency of host behavior, quickly and accurately capture a specific host behavior by using a correlation detection method, reduce resource occupation, and make missed reports and false reports less likely.
In a first aspect, an embodiment of the present application provides a method for detecting a host behavior, where the method includes:
acquiring host behavior information;
extracting host behavior attributes in the host behavior information;
generating a host behavior label according to the host behavior attribute;
constructing a behavior process chain according to the host behavior attribute;
constructing a behavior label process chain according to the host behavior label and the behavior process chain;
and performing correlation detection on the host behavior based on the behavior tag process chain to obtain a detection result.
In the implementation process, a behavior process chain is constructed according to the host behavior attribute, a behavior label process chain is constructed according to the host behavior label, and correlation detection is carried out on the host behavior based on the behavior label process chain to obtain a detection result, so that the detection efficiency of the host behavior can be improved, the specific host behavior is quickly and accurately captured by using a correlation detection mode, the occupation of resources is reduced, and missed reports and false reports are not easy to generate.
Further, the step of obtaining the host behavior information includes:
monitoring a behavior event of a host to obtain initial host behavior information;
and filling the initial host behavior information to obtain the host behavior information.
In the implementation process, the initial host behavior information is filled, so that the obtained host behavior information is more accurate, the host behavior information can be ensured to accurately express the host behavior, and the reliability of the host behavior can be improved.
Further, the step of generating a host behavior tag according to the host behavior attribute includes:
judging whether the host behavior attribute accords with a detection rule or not;
if so, extracting a behavior tag corresponding to the detection rule;
and pushing the behavior label to a graph engine for storage to obtain the host behavior label.
In the implementation process, corresponding behavior label extraction is carried out according to whether the host behavior attribute accords with the detection rule, each host behavior attribute can be accurately marked to obtain the host behavior label, and the subsequent detection of the host behavior is facilitated.
Further, the step of constructing a behavior process chain according to the host behavior attribute includes:
constructing node information according to the host behavior attribute;
constructing first edge relation information according to the host behavior attribute;
and constructing the behavior process chain according to the node information and the first edge relation information.
In the implementation process, the behavior process chain is constructed according to the node information and the first edge relation information, and the node information and the first edge relation information can be accurately expressed through the behavior process chain, so that the obtained behavior process chain is more accurate, and the host behavior attribute can be accurately expressed.
Further, the step of constructing a behavior tag process chain according to the host behavior tag and the behavior process chain includes:
taking the host behavior label as second edge relation information;
and constructing the behavior label process chain according to the second edge relation information and the behavior process chain.
In the implementation process, the host behavior tag is used as the second edge relation information, so that the behavior tag process chain can accurately reflect the host behavior tag, and the host behavior can be detected conveniently according to the host behavior tag.
Further, the step of constructing the behavior tag process chain according to the second edge relationship information and the behavior process chain includes:
and associating the second edge relationship information with the node information in the behavior process chain to generate the behavior label process chain.
In the implementation process, the second edge relation information is associated with the node information, so that the behavior process chain is complete, clear and reasonable, and the generated behavior label process chain can improve the subsequent detection efficiency and is convenient to search.
Further, the step of performing association detection on the host behavior based on the behavior tag process chain to obtain a detection result includes:
extracting the associated behavior information of the behavior tag process chain;
extracting specific behavior tags from the host behavior tags;
and performing correlation detection on the host behavior according to the correlation behavior information and the specific behavior tag to obtain the detection result.
In the implementation process, the host behavior is subjected to correlation detection according to the correlation behavior information and the specific behavior tag, so that the detection efficiency and the detection accuracy can be improved, and the specific host behavior can be accurately detected according to the specific behavior tag.
Further, the step of performing association detection on the host behavior according to the association behavior information and the specific behavior tag to obtain the detection result includes:
carrying out threat judgment on the host behavior according to the associated behavior information and the specific behavior tag to obtain the host behavior with the threat;
and marking the host behavior with the threat to obtain the detection result.
In the implementation process, the host behavior is judged to be threatened, the host behavior with the threat is accurately obtained and marked, and the condition of missing report or false report can be effectively avoided.
In a second aspect, an embodiment of the present application further provides an apparatus for detecting a host behavior, where the apparatus includes:
the acquisition module is used for acquiring host behavior information;
the extraction module is used for extracting the host behavior attribute in the host behavior information;
the generating module is used for generating a host behavior label according to the host behavior attribute;
the building module is used for building a behavior process chain according to the host behavior attribute; the behavior tag process chain is constructed according to the host behavior tag and the behavior process chain;
and the detection module is used for carrying out correlation detection on the host behavior based on the behavior tag process chain to obtain a detection result.
In the implementation process, a behavior process chain is constructed according to the host behavior attribute, a behavior label process chain is constructed according to the host behavior label, and correlation detection is carried out on the host behavior based on the behavior label process chain to obtain a detection result, so that the detection efficiency of the host behavior can be improved, the specific host behavior is quickly and accurately captured by using a correlation detection mode, the occupation of resources is reduced, and missed reports and false reports are not easy to generate.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part may be learned by the practice of the above-described techniques of the disclosure.
The present invention can be implemented in accordance with the content of the specification, and the following detailed description of the preferred embodiments of the present application is made with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting its scope, and it is obvious to those skilled in the art that other related drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic flowchart of a method for detecting host behavior according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a device for detecting host behavior according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not construed as indicating or implying relative importance.
The following detailed description of the present application will be made with reference to the accompanying drawings and examples. The following examples are intended to illustrate the present application but are not intended to limit the scope of the present application.
Example one
Fig. 1 is a schematic flowchart of a method for detecting host behavior according to an embodiment of the present application, and as shown in fig. 1, the method includes:
S1, acquiring host behavior information;
S2, extracting the host behavior attribute from the host behavior information;
S3, generating a host behavior label according to the host behavior attribute;
S4, constructing a behavior process chain according to the host behavior attribute;
S5, constructing a behavior tag process chain according to the host behavior tag and the behavior process chain;
S6, performing correlation detection on the host behavior based on the behavior tag process chain to obtain a detection result.
In the implementation process, a behavior process chain is constructed according to the host behavior attribute, a behavior label process chain is constructed according to the host behavior label, and correlation detection is carried out on the host behavior based on the behavior label process chain to obtain a detection result, so that the detection efficiency of the host behavior can be improved, the specific host behavior is quickly and accurately captured by using a correlation detection mode, the occupation of resources is reduced, and missed reports and false reports are not easy to generate.
According to the method and the device, for each of the many behaviors on a host, the inherent attributes of the behavior (process, process file, behavior, target file, target domain name and target IP) and the threat labels that a single-point detection engine generates for that single host behavior are extracted, and a behavior process chain and a behavior label process chain are constructed with graph database technology. The behavior tag process chain connects multiple threatening behaviors on a host (a single host or several hosts) in series and judges comprehensively, from a global view, which behaviors carry a threat. This overcomes the inability of a conventional single-point detection engine to accurately recognize complex intrusions, so the detection accuracy is improved and the false-report and missed-report rates are reduced.
Further, S1 includes:
monitoring a behavior event of a host to obtain initial host behavior information;
and filling the initial host behavior information to obtain the host behavior information.
In the implementation process, the initial host behavior information is filled, so that the obtained host behavior information is more accurate, the host behavior information can be ensured to accurately express the host behavior, and the reliability of the host behavior can be improved.
The terminal monitors and collects host behavior information. The monitored behavior events comprise process behavior events, network behavior events and file behavior events; for each event, the related information is collected and filled in according to the behavior type and a set of rules, and assembled into one piece of initial host behavior information. Batches are reported to the console once every 10 seconds. The console receives the host behavior information, which the data management center fills in and processes a second time to form a piece of host behavior information that meets expectations.
In S2, the graph engine receives the host behavior message and extracts the key attributes of the host behavior, including:
host information: host ID, host IP;
process behavior: process information, process file information, parent process information, process behavior, target file information;
process information: process ID, process name, process command line;
process file information: process file name, process file path, process file sha256, process file md5;
parent process information: parent process ID, parent process name, parent process command line;
process behavior: create process, establish external connection, download file, read file, etc.;
target file information: target file name, target file path, target file sha256, target file md5;
file behavior: file information, file behavior;
file information: file name, file path, file sha256, file md5;
file behavior: write file, read file, etc.;
network behavior: network information;
network information: domain name, IP address, port.
Further, S3 includes:
judging whether the behavior attribute of the host meets the detection rule or not;
if yes, extracting a behavior label corresponding to the detection rule;
and pushing the behavior label to a graph engine for storage to obtain a host behavior label.
In the implementation process, corresponding behavior tag extraction is carried out according to whether the host behavior attribute accords with the detection rule, each host behavior attribute can be accurately marked to obtain the host behavior tag, and the host behavior can be conveniently detected in the follow-up process.
The label engine receives the host behavior message and makes a preliminary judgment on the single host behavior attribute together with information such as file content, file sha256 and file md5. According to the result, it extracts the behavior label corresponding to each detection rule that is satisfied and pushes the label to the graph engine. For example, the host downloads a file through a website and saves it locally. Over the course of this process the behaviors are labelled "establish external connection" and "write file". The label engine also checks the website and the file: if the website is malicious, the label "visit malicious website" is added, and if the file is a threat, the label "threat file" is added to the file.
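A minimal label engine for step S3, added here as an illustration and not part of the patent or ThreatBook's product: each detection rule is a predicate over one behavior's extracted attributes, a matching rule emits its label, and the labels are pushed to a dictionary standing in for the graph engine's store. The attribute key names, the indicator sets and the sample events (the download example from the text, plus a benign write) are constructed assumptions.

```python
# Added example (not the patent's own code): a minimal label engine for step S3.
# Each detection rule is a predicate over one host behavior's attributes; when it
# matches, the rule's behavior label is emitted and pushed to a store standing in
# for the graph engine. Attribute keys and indicator sets are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed threat-intelligence lookups (placeholders, not real indicators).
MALICIOUS_DOMAINS = {"malicious.example"}
THREAT_FILE_SHA256 = {"deadbeef" * 8}


@dataclass(frozen=True)
class DetectionRule:
    label: str
    match: Callable[[dict], bool]


# Rules keyed on the attributes step S2 extracts. The two behavior rules are
# coarse and fire on benign activity too, which is why they only produce labels
# for later correlation; the two intelligence rules are the fine-grained ones.
RULES: List[DetectionRule] = [
    DetectionRule("establish external connection",
                  lambda b: b.get("process_behavior") == "establish external connection"),
    DetectionRule("write file", lambda b: b.get("file_behavior") == "write file"),
    DetectionRule("visit malicious website", lambda b: b.get("domain") in MALICIOUS_DOMAINS),
    DetectionRule("threat file", lambda b: b.get("file_sha256") in THREAT_FILE_SHA256),
]


def generate_labels(behavior: dict, rules: List[DetectionRule] = RULES) -> List[str]:
    """Step S3: return the label of every detection rule the attributes satisfy."""
    return [rule.label for rule in rules if rule.match(behavior)]


def label_engine(behaviors: List[dict],
                 store: Optional[Dict[str, List[str]]] = None) -> Dict[str, List[str]]:
    """Label each behavior and push the result to the (stand-in) graph engine store."""
    store = {} if store is None else store
    for b in behaviors:
        labels = generate_labels(b)
        if labels:  # only behaviors that satisfy at least one rule are pushed
            store[b["id"]] = labels
    return store


# Constructed events for the worked example in the text: a browser fetches a
# file from a website and saves it locally; a third, benign write is included
# to show that "write file" alone is just a label, not a verdict.
SAMPLE_BEHAVIORS = [
    {"id": "n1", "host_id": "host-01", "process_name": "browser.exe",
     "process_behavior": "establish external connection",
     "domain": "malicious.example", "ip": "203.0.113.7", "port": 443},
    {"id": "f1", "host_id": "host-01", "process_name": "browser.exe",
     "file_behavior": "write file", "file_path": "C:\\Users\\u\\Downloads\\inv.exe",
     "file_sha256": "deadbeef" * 8},
    {"id": "f2", "host_id": "host-01", "process_name": "notepad.exe",
     "file_behavior": "write file", "file_path": "C:\\Users\\u\\notes.txt",
     "file_sha256": "0" * 64},
]

if __name__ == "__main__":
    for bid, labels in label_engine(SAMPLE_BEHAVIORS).items():
        print(bid, labels)
```

The engine deliberately keeps labelling and alerting apart: "write file" fires on the benign notepad write as well, and it is the correlation step over the process chain, not this engine, that decides whether a combination of labels is a threat.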
Further, S4 includes:
constructing node information according to the host behavior attribute;
constructing first edge relation information according to the host behavior attribute;
and constructing a behavior process chain according to the node information and the first edge relation information.
In the implementation process, the behavior process chain is constructed according to the node information and the first edge relation information, and the node information and the first edge relation information can be accurately expressed through the behavior process chain, so that the obtained behavior process chain is more accurate, and the host behavior attribute can be accurately expressed.
The graph engine receives the host behavior attributes, constructs the host behavior attributes into nodes and edges of a graph database by means of the graph database, and forms a relational graph called a behavior process chain.
Constructing node information of a graph database, comprising: host node, process node, file node, IP node, domain name node.
Constructing edge relationship information (i.e., first edge relationship information) for a graph database, comprising: host process edge relationships, host file edge relationships, process IP edge relationships, process domain name edge relationships, and IP domain name edge relationships.
Constructing the behavior process chain: the constructed node information and first edge relation information are persisted in the graph database, and the behavior process chain is built by exploiting the advantages of the graph database.
Further, S5 includes:
taking the host behavior label as second edge relation information;
and constructing a behavior label process chain according to the second edge relation information and the behavior process chain.
In the implementation process, the host behavior tag is used as the second edge relation information, so that the behavior tag process chain can accurately reflect the host behavior tag, and the host behavior can be detected conveniently according to the host behavior tag.
Further, the step of constructing the behavior tag process chain according to the second edge relationship information and the behavior process chain includes:
and associating the second edge relationship information with the node information in the behavior process chain to generate a behavior label process chain.
In the implementation process, the second edge relation information is associated with the node information, so that the behavior process chain is complete, clear and reasonable, and the generated behavior label process chain can improve the subsequent detection efficiency and is convenient to search.
Constructing the behavior label process chain: according to the received host behavior label, the graph engine uses the host behavior label as second edge relation information in the graph database and associates it with the host node, process node, file node, IP node and domain name node, forming a behavior process chain that carries the host behavior labels, called the behavior label process chain.
Further, S6 includes:
extracting associated behavior information of a behavior tag process chain;
extracting a specific behavior tag in the host behavior tags;
and performing correlation detection on the host behavior according to the correlation behavior information and the specific behavior tag to obtain the detection result.
In the implementation process, the host behavior information is subjected to correlation detection according to the correlation behavior information and the specific behavior tag, so that the detection efficiency and the detection accuracy can be improved, and the specific host behavior can be accurately detected according to the specific behavior tag.
Further, the step of performing association detection on the host behavior according to the association behavior information and the specific behavior tag to obtain a detection result includes:
carrying out threat judgment on the host behavior according to the associated behavior information and the specific behavior tag to obtain the host behavior with the threat;
and marking the host behavior with the threat to obtain a detection result.
In the implementation process, the host behavior is subjected to threat judgment, the threatening host behavior is accurately obtained and marked, and missed reports or false reports can be effectively avoided.
Based on the behavior label process chain constructed by the graph engine, the behaviors of multiple hosts are judged comprehensively from a global view and multiple dimensions, together with the host behavior information, to obtain the final detection result.
Extracting associated behaviors: on receiving a single host behavior, the behavior process chain constructed by the graph engine is used, together with context information, to extract the series of host behavior information that can be associated with it.
Extracting the specific behavior label: based on the behavior label process chain constructed by the graph engine, the behavior labels that meet the requirements are matched and extracted from the host behavior information to obtain the specific behavior label.
The corresponding combinations of behavior labels are compared against the detection rules of the various threat scenarios; if a combination hits, it is judged whether the current host behavior carries a threat. For example, if the labels "establish external connection", "write file" and "threat file" hit at the same time, the host has downloaded a malicious file and a process has then accessed that file to perform a series of operations, so the current behavior can be judged to carry a threat.
Marking: combining the threatening host behavior information with the behavior process chain constructed by the graph engine, all host behavior information related to the current host behavior is marked as threatening host behavior information.
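An in-memory stand-in for the graph engine of steps S4 to S6, added here as an illustration and not part of the patent or ThreatBook's product. Node kinds (host, process, file, IP, domain) and first edge relations (host-process, host-file, process-IP, process-domain, IP-domain) follow the lists above; labels attached to each behavior play the role of the second edge information; correlation walks from one behavior through shared non-host nodes to collect the associated chain, unions the chain's labels, and matches them against the threat-scenario rule from the worked example. The behavior records, host IDs, process IDs, hashes, domain names, the decision to skip the host node in the walk, and the scenario name are constructed assumptions.

```python
# Added example (not the patent's own code): an in-memory stand-in for the graph
# engine of steps S4 to S6. Node kinds and first-edge relations follow the lists
# in the description; the records, IDs, hashes, domains and the threat-scenario
# rule are constructed for illustration.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]          # (kind, key)
Edge = Tuple[Node, Node, str]   # (src, dst, relation)

THREAT_HASH = "deadbeef" * 8    # placeholder sha256, not a real indicator

# Constructed records, as the graph engine would receive them once the label
# engine (step S3) has attached labels. b1..b3 form one chain on host-01 (browser
# connects out, saves a file, the saved file then runs and reads itself);
# b4 is an unrelated benign connection on host-02.
BEHAVIORS = [
    {"id": "b1", "host_id": "host-01", "process_id": 4120, "process_name": "browser.exe",
     "domain": "malicious.example", "ip": "203.0.113.7",
     "labels": ["establish external connection", "visit malicious website"]},
    {"id": "b2", "host_id": "host-01", "process_id": 4120, "process_name": "browser.exe",
     "file_sha256": THREAT_HASH, "labels": ["write file", "threat file"]},
    {"id": "b3", "host_id": "host-01", "process_id": 5200, "process_name": "inv.exe",
     "file_sha256": THREAT_HASH, "labels": ["read file"]},
    {"id": "b4", "host_id": "host-02", "process_id": 300, "process_name": "updater.exe",
     "domain": "updates.example", "ip": "198.51.100.9",
     "labels": ["establish external connection"]},
]

# Constructed threat-scenario rule from the worked example in the text:
# all three labels must co-occur within one associated chain.
THREAT_SCENARIOS: Dict[str, Set[str]] = {
    "malicious download then access": {"establish external connection", "write file", "threat file"},
}


class BehaviorGraph:
    """Steps S4 and S5: nodes and first edges give the behavior process chain;
    the labels kept per behavior are the second edge relation information."""

    def __init__(self) -> None:
        self.behavior_edges: Dict[str, List[Edge]] = defaultdict(list)  # behavior id -> edges
        self.node_behaviors: Dict[Node, Set[str]] = defaultdict(set)    # node -> behaviors on it
        self.labels: Dict[str, Set[str]] = defaultdict(set)             # behavior id -> labels

    def _edge(self, src: Node, dst: Node, relation: str, bid: str) -> None:
        self.behavior_edges[bid].append((src, dst, relation))
        self.node_behaviors[src].add(bid)
        self.node_behaviors[dst].add(bid)

    def ingest(self, b: dict) -> None:
        host: Node = ("host", b["host_id"])
        proc: Node = ("process", f'{b["host_id"]}:{b["process_id"]}')
        self._edge(host, proc, "host-process", b["id"])
        if "file_sha256" in b:  # file nodes keyed by hash, so one file links across hosts
            self._edge(host, ("file", b["file_sha256"]), "host-file", b["id"])
        if "ip" in b:
            ip: Node = ("ip", b["ip"])
            self._edge(proc, ip, "process-ip", b["id"])
            if "domain" in b:
                dom: Node = ("domain", b["domain"])
                self._edge(proc, dom, "process-domain", b["id"])
                self._edge(ip, dom, "ip-domain", b["id"])
        self.labels[b["id"]].update(b.get("labels", []))

    def associated(self, seed_id: str) -> Set[str]:
        """Step S6, associated behaviors: walk from the seed through shared process,
        file, IP and domain nodes. The host node is skipped (an assumption here),
        since it would tie every behavior on a host into one chain."""
        seen, frontier = {seed_id}, [seed_id]
        while frontier:
            bid = frontier.pop()
            for src, dst, _ in self.behavior_edges[bid]:
                for node in (src, dst):
                    if node[0] == "host":
                        continue
                    for other in self.node_behaviors[node] - seen:
                        seen.add(other)
                        frontier.append(other)
        return seen


def correlate(graph: BehaviorGraph, seed_id: str) -> Dict[str, object]:
    """Step S6, threat judgment and marking: union the labels over the chain, match
    against the threat scenarios and, on a hit, mark the whole chain as a threat."""
    chain = graph.associated(seed_id)
    chain_labels: Set[str] = set().union(*(graph.labels[b] for b in chain))
    hits = [name for name, required in THREAT_SCENARIOS.items() if required <= chain_labels]
    return {"chain": sorted(chain), "labels": sorted(chain_labels), "hits": hits,
            "marked_threat": sorted(chain) if hits else []}


def run(behaviors: List[dict] = BEHAVIORS) -> Dict[str, Dict[str, object]]:
    """Build the chain from all records and run correlation detection per behavior."""
    graph = BehaviorGraph()
    for b in behaviors:
        graph.ingest(b)
    return {b["id"]: correlate(graph, b["id"]) for b in behaviors}


if __name__ == "__main__":
    for bid, result in run().items():
        print(bid, result["hits"], result["marked_threat"])
```

Seeding from b3 (a plain "read file", which no single-point rule would alert on) still reaches b1 and b2 through the shared file and process nodes, so the whole chain is marked; the benign connection b4 carries only "establish external connection" and produces no hit, which is the behaviour the text attributes to correlation over the label process chain.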
The embodiments of the application focus on intrusion detection of host behavior and are applied in EDR products, where intrusion detection is one of the core functions: the terminal monitors and collects host behavior information, the host behavior information is judged by combining multiple detection engines, and host behavior information that carries a threat is then marked and presented through the console.
Compared with the traditional single-point detection scheme, the method and the device judge the host behavior information from a global view and multiple dimensions based on the constructed behavior tag process chain. In terms of detection capability, multiple behaviors of a host are judged comprehensively from a global view and multiple dimensions in combination with context, so the detection result is more accurate and comprehensive, and the deficiencies and inaccuracy of the traditional single-point scheme on complex attack behaviors are addressed.
Example two
In order to implement the method corresponding to the above-mentioned embodiment to achieve the corresponding functions and technical effects, the following provides a device for detecting host behavior, as shown in fig. 2, the device comprising:
the acquisition module 1 is used for acquiring host behavior information;
the extraction module 2 is used for extracting the host behavior attribute in the host behavior information;
the generating module 3 is used for generating a host behavior label according to the host behavior attribute;
the building module 4 is used for building a behavior process chain according to the host behavior attribute; the behavior tag process chain is constructed according to the host behavior tag and the behavior process chain;
and the detection module 5 is used for performing association detection on the host behavior based on the behavior tag process chain to obtain a detection result.
In the implementation process, the behavior process chain is constructed according to the host behavior attribute, the behavior label process chain is constructed according to the host behavior label, and the host behavior is subjected to correlation detection based on the behavior label process chain to obtain a detection result, so that the detection efficiency of the host behavior can be improved, the specific host behavior is quickly and accurately captured by using a correlation detection mode, the occupation of resources is reduced, and the missed report and the false report are not easy to generate.
Further, the acquisition module 1 is further configured to:
monitoring a behavior event of a host to obtain initial host behavior information;
and filling the initial host behavior information to obtain the host behavior information.
In the implementation process, the initial host behavior information is filled, so that the obtained host behavior information is more accurate, the host behavior information can be ensured to accurately express the host behavior, and the reliability of the host behavior can be improved.
Further, the generating module 3 is further configured to:
judging whether the behavior attribute of the host meets the detection rule or not;
if so, extracting a behavior tag corresponding to the detection rule;
and pushing the behavior label to a graph engine for storage to obtain a host behavior label.
In the implementation process, corresponding behavior label extraction is carried out according to whether the host behavior attribute accords with the detection rule, each host behavior attribute can be accurately marked to obtain the host behavior label, and the subsequent detection of the host behavior is facilitated.
Further, the building module 4 is further configured to:
constructing node information according to the host behavior attribute;
constructing first edge relation information according to the host behavior attribute;
and constructing a behavior process chain according to the node information and the first edge relation information.
In the implementation process, the behavior process chain is constructed according to the node information and the first edge relation information, and the node information and the first edge relation information can be accurately expressed through the behavior process chain, so that the obtained behavior process chain is more accurate, and the host behavior attribute can be accurately expressed.
Further, the building module 4 is further configured to:
taking the host behavior label as second edge relation information;
and constructing the behavior label process chain according to the second edge relation information and the behavior process chain.
In the implementation process, the host behavior tag is used as the second side relationship information, so that the behavior tag process chain can accurately reflect the host behavior tag, and the host behavior can be detected conveniently according to the host behavior tag.
Further, the building module 4 is further configured to:
associating the second edge relation information with the node information in the behavior process chain to generate the behavior tag process chain.
In the implementation process, the second edge relation information is associated with the node information, so the behavior process chain is complete, clear and reasonable, and the generated behavior tag process chain is easy to search and improves the efficiency of subsequent detection.
Further, the detection module 5 is further configured to:
extracting associated behavior information from the behavior tag process chain;
extracting a specific behavior tag from the host behavior tags;
and performing association detection on the host behavior according to the associated behavior information and the specific behavior tag to obtain a detection result.
In the implementation process, association detection is performed on the host behavior according to the associated behavior information and the specific behavior tag, which improves both detection efficiency and detection accuracy, and the specific host behavior can be accurately detected according to the specific behavior tag.
Further, the detection module 5 is further configured to:
performing threat judgment on the host behavior according to the associated behavior information and the specific behavior tag to obtain the host behavior that poses a threat;
and marking the host behavior that poses a threat to obtain the detection result.
In the implementation process, threat judgment is performed on the host behavior, so the threatening host behavior is accurately obtained and marked, and missed reports and false reports can be effectively avoided.
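As an added illustration (not code from the patent or its applicant), the following Python sketch models the chain described by the building and detection modules above: each process event is the node information, the parent-child link is the first edge relation, the host behavior tags attached to a node are the second edge relation, and association detection walks the chain upward from every node carrying a specific tag and judges a threat from the tags gathered along it. The detection rules, tag names, process ids and sample events are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class HostEvent:
    """Filled host behavior information for one process-creation event (constructed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Detection rules: a predicate over the host behavior attributes yields a behavior tag.
# Rule names and tags are hypothetical, chosen only for this illustration.
RULES = {
    "office_parent": lambda e: e.image.lower().endswith("winword.exe"),
    "shell_spawn": lambda e: e.image.lower().endswith(("cmd.exe", "powershell.exe")),
    "encoded_command": lambda e: "-enc" in e.cmdline.lower(),
}

@dataclass
class BehaviorTagProcessChain:
    nodes: dict = field(default_factory=dict)      # node information: pid -> event
    parent_of: dict = field(default_factory=dict)  # first edge relation: pid -> ppid
    tags_of: dict = field(default_factory=dict)    # second edge relation: pid -> tags

    def add(self, event: HostEvent) -> None:
        """Build the node and its first edge, then attach the tags whose rule it meets."""
        self.nodes[event.pid] = event
        self.parent_of[event.pid] = event.ppid
        self.tags_of[event.pid] = {tag for tag, rule in RULES.items() if rule(event)}

    def ancestors(self, pid: int) -> list:
        """Process chain from the given node up to its root, following first edges."""
        chain = []
        while pid in self.nodes:
            chain.append(pid)
            pid = self.parent_of[pid]
        return chain

    def associated_behavior(self, pid: int) -> set:
        """Associated behavior information: every tag found along the node's chain."""
        return set().union(*(self.tags_of[p] for p in self.ancestors(pid)))

def detect(chain: BehaviorTagProcessChain, specific_tag: str, required: set) -> dict:
    """Association detection: from each node carrying `specific_tag`, gather the tags
    along its process chain and mark a threat when the chain also carries `required`."""
    results = {}
    for pid, tags in chain.tags_of.items():
        if specific_tag not in tags:
            continue
        assoc = chain.associated_behavior(pid)
        results[pid] = {"threat": required <= assoc,
                        "chain": chain.ancestors(pid), "tags": sorted(assoc)}
    return results

def build_sample_chain() -> BehaviorTagProcessChain:
    """Constructed sample: an Office document spawning an encoded shell (a threat
    chain) beside an encoded script launched directly from the desktop shell (not)."""
    chain = BehaviorTagProcessChain()
    for ev in (
        HostEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        HostEvent(200, 100, r"C:\Office\WINWORD.EXE", "WINWORD.EXE /n report.docx"),
        HostEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start"),
        HostEvent(400, 300, r"C:\Windows\System32\powershell.exe", "powershell -enc AAAA"),
        HostEvent(500, 100, r"C:\Windows\System32\powershell.exe", "powershell -enc BBBB"),
    ):
        chain.add(ev)
    return chain
```

Calling `detect(build_sample_chain(), "encoded_command", {"office_parent", "shell_spawn"})` flags only the chain rooted in the Office process, while the otherwise identical encoded command launched from the desktop shell is not marked, which is the point of judging the specific tag together with its associated behavior rather than alone.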
The apparatus for detecting host behavior may implement the method of the first embodiment. The alternatives in the first embodiment are also applicable to the present embodiment, and are not described in detail here.
The rest of the embodiments of the present application may refer to the contents of the first embodiment, and in this embodiment, details are not repeated.
EMBODIMENT III
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the method for detecting a host behavior according to the first embodiment.
Alternatively, the electronic device may be a server.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 31, a communication interface 32, a memory 33, and at least one communication bus 34. Wherein the communication bus 34 is used for realizing direct connection communication of these components. The communication interface 32 of the device in this embodiment is used for performing signaling or data communication with other node devices. The processor 31 may be an integrated circuit chip having signal processing capabilities.
The Processor 31 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or execute the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor 31 may be any conventional processor or the like.
The Memory 33 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 33 stores computer readable instructions which, when executed by the processor 31, enable the apparatus to perform the various steps involved in the method embodiment of fig. 1 described above.
Optionally, the electronic device may further include a memory controller, an input output unit. The memory 33, the memory controller, the processor 31, the peripheral interface, and the input/output unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these components may be electrically connected to each other via one or more communication buses 34. The processor 31 is adapted to execute executable modules stored in the memory 33, such as software functional modules or computer programs comprised by the device.
The input/output unit lets a user create a task and set an optional time window or a preset execution time for it, so as to realize the interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 3 or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In addition, an embodiment of the present application further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the method for detecting a host behavior according to the first embodiment.
Embodiments of the present application further provide a computer program product, which when running on a computer, causes the computer to execute the method described in the method embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist alone, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions that a person skilled in the art can easily think of within the technical scope of the present application should be covered by the protection scope of the present application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (11)

1. A method for detecting host behavior, the method comprising:
acquiring host behavior information;
extracting host behavior attributes in the host behavior information;
generating a host behavior tag according to the host behavior attribute;
constructing a behavior process chain according to the host behavior attribute;
constructing a behavior tag process chain according to the host behavior tag and the behavior process chain;
and performing association detection on the host behavior based on the behavior tag process chain to obtain a detection result.
2. The method for detecting host behavior according to claim 1, wherein the step of obtaining host behavior information includes:
monitoring a behavior event of a host to obtain initial host behavior information;
and filling the initial host behavior information to obtain the host behavior information.
3. The method for detecting host behavior according to claim 1, wherein the step of generating a host behavior tag according to the host behavior attribute comprises:
judging whether the host behavior attribute meets a detection rule;
if so, extracting a behavior tag corresponding to the detection rule;
and pushing the behavior tag to a graph engine for storage to obtain the host behavior tag.
4. The method for detecting host behavior according to claim 1, wherein the step of building a behavior process chain according to the host behavior attribute comprises:
constructing node information according to the host behavior attribute;
constructing first edge relation information according to the host behavior attribute;
and constructing the behavior process chain according to the node information and the first edge relation information.
5. The method for detecting host behavior according to claim 4, wherein the step of constructing a behavior tag process chain according to the host behavior tag and the behavior process chain includes:
taking the host behavior tag as second edge relation information;
and constructing the behavior tag process chain according to the second edge relation information and the behavior process chain.
6. The method according to claim 5, wherein the step of constructing the behavior tag process chain according to the second edge relation information and the behavior process chain comprises:
and associating the second edge relation information with the node information in the behavior process chain to generate the behavior tag process chain.
7. The method according to claim 1, wherein the step of performing association detection on the host behavior based on the behavior tag process chain to obtain a detection result includes:
extracting the associated behavior information of the behavior tag process chain;
extracting a specific behavior tag from the host behavior tags;
and performing association detection on the host behavior according to the associated behavior information and the specific behavior tag to obtain the detection result.
8. The method for detecting host behavior according to claim 7, wherein the step of performing the association detection on the host behavior according to the associated behavior information and the specific behavior tag to obtain the detection result includes:
carrying out threat judgment on the host behavior according to the associated behavior information and the specific behavior tag to obtain the host behavior that poses a threat;
and marking the host behavior that poses a threat to obtain the detection result.
9. An apparatus for detecting host behavior, the apparatus comprising:
the acquisition module is used for acquiring the host behavior information;
the extraction module is used for extracting the host behavior attribute in the host behavior information;
the generating module is used for generating a host behavior tag according to the host behavior attribute;
the building module is used for building a behavior process chain according to the host behavior attribute, and for constructing a behavior tag process chain according to the host behavior tag and the behavior process chain;
and the detection module is used for carrying out association detection on the host behavior based on the behavior tag process chain to obtain a detection result.
10. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to make the electronic device execute the method for detecting host behavior according to any one of claims 1 to 8.
11. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the method of detecting host behavior according to any one of claims 1 to 8.
CN202310182102.9A 2023-03-01 2023-03-01 Host behavior detection method and device, electronic equipment and storage medium Pending CN115859279A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310182102.9A CN115859279A (en) 2023-03-01 2023-03-01 Host behavior detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310182102.9A CN115859279A (en) 2023-03-01 2023-03-01 Host behavior detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115859279A true CN115859279A (en) 2023-03-28

Family

ID=85659445

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310182102.9A Pending CN115859279A (en) 2023-03-01 2023-03-01 Host behavior detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115859279A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021077642A1 (en) * 2019-10-24 2021-04-29 中国科学院信息工程研究所 Network space security threat detection method and system based on heterogeneous graph embedding
CN114024775A (en) * 2022-01-05 2022-02-08 北京微步在线科技有限公司 Host computer defect detection method and system based on EDR and NDR
CN114915501A (en) * 2022-07-15 2022-08-16 北京微步在线科技有限公司 Intrusion event detection method and device based on process behavior diagram and electronic equipment
CN115658443A (en) * 2022-12-28 2023-01-31 北京微步在线科技有限公司 Log filtering method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230328