CN116032618A - Mining behavior detection method, system, device, medium and equipment - Google Patents


Info

Publication number
CN116032618A
Authority
CN
China
Prior art keywords
host
tested
mining
change value
state change
Prior art date
Legal status
Pending
Application number
CN202211722061.XA
Other languages
Chinese (zh)
Inventor
腾飞
马森
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202211722061.XA
Publication of CN116032618A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of network security, in particular to a mining behavior detection method, system, device, medium and equipment. The method comprises: obtaining a current resource state change value of a host to be tested; if the current resource state change value is greater than a first threshold value, performing abnormality judgment processing on the host to be tested to determine whether mining behavior exists on it. The invention can detect mining behavior whose malicious mining characteristics are unknown in a timely and effective manner, so mining Trojans that have not been seen before can be caught, complementing the weakness of existing detection modes against unknown threat behavior. At the same time the method is lightweight, which reduces its resource occupancy on the host to be tested and thus its influence on the host's day-to-day running performance.

Description

Mining behavior detection method, system, device, medium and equipment
Technical Field
The invention relates to the technical field of network security, in particular to a mining behavior detection method, system, device, medium and equipment.
Background
With the rapid development of the internet and the increasing popularity of internet applications, network security problems are also becoming more serious. Among them, malicious "mining" attacks have become one of the most prominent current cyber threats. "Mining" refers to the production of cryptocurrency. Taking bitcoin as an example, at regular intervals the bitcoin system poses a computational puzzle to all miners; any computer on the internet may attempt it, the first miner to solve it receives the corresponding reward and broadcasts the result to the network, and this process is mining.
Mining can be divided into active and passive mining. Active mining refers to individuals or groups mining on their own initiative by installing mining software, overclocking tools and the like on dedicated machines or ordinary computers. Passive "mining" refers to an attacker implanting a "mining" program into a victim's computer by various means and mining with the victim's computing power without the victim's knowledge, thereby profiting from it.
Mining also consumes a great deal of energy and resources, causing substantial energy consumption and carbon emissions; published figures suggest that producing a single bitcoin consumes energy equivalent to the annual electricity consumption of a three-person household. Secondly, mining consumes a large amount of computing resources, so that the system, software and application services run slowly, and once a personal computer or server is controlled by a mining program, data leakage or further malware infection may follow, giving rise to further network security problems. Furthermore, "mining" can disrupt the normal order of financial markets, foster illicit criminal activity, and become a pathway for money laundering, tax evasion, terrorist financing and cross-border funds transfer.
In the related prior art, a library of malicious features related to mining is established, the features to be detected are matched against that library, and whether mining behavior exists is determined from the matching result. However, such prior art has weak monitoring capability for mining behavior whose malicious mining characteristics are unknown, and cannot detect it in a timely and effective manner.
Disclosure of Invention
Aiming at the technical problem that mining behavior with unknown malicious mining characteristics cannot be detected in a timely and effective manner, the technical scheme adopted by the invention is as follows:
according to an aspect of the present invention, there is provided a mining behavior detection method including the steps of:
acquiring a current resource state change value of a host to be tested;
if the current resource state change value is greater than a first threshold value, performing abnormality judgment processing on the host to be tested to determine whether mining behavior exists on it;
the abnormality judgment processing includes:
acquiring a current resource state change value corresponding to each process;
if the current resource state change value corresponding to any unknown process is larger than a second threshold value, determining that mining behavior exists on the host to be tested.
In the present invention, further, the abnormality judgment processing further includes:
acquiring the network traffic of the host to be tested in a preset period;
if the network traffic contains a plurality of data packets with a fixed data structure and those data packets are sent at the same frequency, determining that mining behavior exists on the host to be tested.
In the invention, further, the current resource state change value comprises a CPU occupancy rate change value, a disk occupancy rate change value and a GPU occupancy rate change value.
In the present invention, further, before obtaining the current resource state change value of the host to be tested, the method further includes:
acquiring a file characteristic value of each newly dropped file on the host to be tested;
and performing malicious feature matching on each file characteristic value so as to identify malicious files among the dropped files.
In the present invention, further, the method further comprises:
acquiring the network traffic corresponding to the host to be tested;
and determining whether mining behavior exists on the host to be tested according to the domain name and/or IP in each network flow.
According to a second aspect of the present invention, there is provided a mining behavior detection system, including a server and a plurality of clients, each client being connected to the server; the clients are respectively deployed on the corresponding hosts to be tested;
each client is used for executing the mining behavior detection method;
the server is used for receiving the detection result generated by each client.
In the invention, further, the client is used for obtaining historical resource state change values of the corresponding host to be tested;
the server is used for generating a first threshold corresponding to that host according to the historical resource state change values and sending it to the corresponding client.
According to a third aspect of the present invention, there is provided a mining behavior detection apparatus, the apparatus comprising:
an acquisition module, used for acquiring the current resource state change value of the host to be tested;
a judging module, used for performing abnormality judgment processing on the host to be tested if the current resource state change value is larger than the first threshold value, to determine whether mining behavior exists on it;
the abnormality judgment processing includes:
acquiring a current resource state change value corresponding to each process;
if the current resource state change value corresponding to any unknown process is larger than a second threshold value, determining that mining behavior exists on the host to be tested.
According to a fourth aspect of the present invention, there is provided a non-transitory computer readable storage medium storing a computer program which when executed by a processor implements a mining behavior detection method as described above.
According to a fifth aspect of the present invention, there is provided an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing a mining behaviour detection method as described above when executing the computer program.
The invention has at least the following beneficial effects:
Typically, when a mining program performs mining activity on a host, a large amount of the host's running resources is occupied, so when mining starts the running resources on the host change greatly. Based on this behavioral characteristic, the method acquires the change amplitude of the running resources of the host to be tested in real time by acquiring its current resource state change value. If that value is larger than the first threshold value, abnormality judgment processing is performed on the host to determine whether mining behavior exists. The abnormality judgment processing mainly examines the current resource state change value of each running process on the host to be tested. Generally, if an executable file is performing mining, the running resources occupied by its process also change on a large scale, so if the current resource state change value of a process is greater than the second threshold value, mining behavior on the host can be determined more accurately. This improves the detection capability for mining behavior and allows some unknown malicious mining behavior to be prevented.
Therefore, the invention can detect mining behavior whose malicious mining characteristics are unknown in a timely and effective manner, so mining Trojans that have not been seen before can be caught and the weakness of existing detection modes against unknown threat behavior is complemented.
At the same time, the method determines mining behavior only from the change amplitude of the running resources of the host to be tested and needs no cooperation from other software, so it can be delivered in a lightweight form such as a plug-in. Being lighter, it reduces its resource occupancy on the host to be tested and thus its influence on the host's day-to-day running performance.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a mining behavior detection method according to an embodiment of the present invention.
Fig. 2 is a schematic block diagram of a mining behavior detection system according to an embodiment of the present invention.
Fig. 3 is a schematic block diagram of a mining behavior detection device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
According to an aspect of the present invention, as shown in fig. 1, there is provided a mining behavior detection method, the method including the steps of:
S100, obtaining a current resource state change value of the host to be tested.
Specifically, in this step a monitoring client may be deployed on the host to be tested, or an existing method used, to obtain the current resource state change value of the host in real time. The current resource state change value is the difference between the current running resource state value and the previous one. The interval between the current and the previous sampling time can be adjusted according to requirements; for example, 1 s.
Preferably, the current resource state change value includes a CPU occupancy rate change value, a disk occupancy rate change value and a GPU occupancy rate change value. Once a mining program runs on the host to be tested, it calls most of the host's computing resources to perform mining calculations, so when it starts mining the occupancy rate of computing resources on the host changes greatly, and specifically the CPU, disk and GPU occupancy rates change greatly. The current resource state change value in this embodiment may be any one or a combination of the CPU, disk and GPU occupancy rate change values.
S200, if the current resource state change value is larger than a first threshold value, performing abnormality judgment processing on the host to be tested to determine whether mining behavior exists on it.
Generally, conventionally used software also raises the CPU, disk and GPU occupancy rates of the host to be tested when it runs, but the variation is usually small, generally 20%-30%. When mining software runs, the running resources it requires are large, so the corresponding variation is large, generally more than 80%. The first threshold in this embodiment may be any value from 70% to 99%, e.g. 80%. Specifically, the first threshold may be chosen according to the actual usage scenario, as long as it separates the change values produced by conventional software from those produced by mining.
In addition, some large-scale software also needs more running resources when it executes, such as 3D rendering software or large games. Therefore, when several large programs run together there is also a very small possibility that the current resource state change value exceeds the first threshold. To improve the recognition accuracy of mining behavior, abnormality judgment processing is further performed on top of this first check to confirm whether mining behavior exists on the host to be tested.
The abnormality determination processing includes:
S201, obtaining a current resource state change value corresponding to each process.
S202, if the current resource state change value corresponding to any unknown process is larger than a second threshold value, determining that mining behavior exists on the host to be tested.
Specifically, the current resource state change value corresponding to each process on the host to be tested can be obtained. Because the host-level change in S100 was large, it is basically caused by a running process corresponding to malicious mining software, so the current resource state change value of that process also changes greatly, with an amplitude basically consistent with, or slightly smaller than, the host-level change. The second threshold is therefore less than or equal to the first threshold, e.g. 75%.
Thus, if several large programs running together push the host-level change value above the first threshold, the corresponding processes have large change values, but no single process exceeds the second threshold: for example, the first large program may account for a change of 50% and the second for 40%. In this way, misjudgment when several large programs run together can be reduced.
In addition, the running program corresponding to a process can be determined from the process and verified by an existing means such as a virus black-and-white list library, so that the software running on the host under test can be classified as malware or unknown software. In this embodiment, an unknown process is a process corresponding to unknown software. Therefore, judging both the amplitude of the process's current resource state change value and whether its running software is unknown further improves the accuracy of the result.
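The two-stage check of S100 to S202, written out as an added example in Python; this is not the patent's or Antiy's code. It assumes percent-occupancy readings taken one interval apart, a process counted as unknown when its executable hash is in neither the blacklist nor the whitelist, the text's example thresholds of 80% and 75%, and constructed samples (the hashes and process names are placeholders).

```python
"""Two-stage mining check (S100/S200 host level, S201/S202 per process).
Added example, not the patent's code.  Assumed: readings are percent
occupancy one interval apart, "unknown" means in neither list, and the
thresholds are the text's examples (first 80%, second 75%)."""
from dataclasses import dataclass

FIRST_THRESHOLD = 80.0   # host-level change value, in percentage points
SECOND_THRESHOLD = 75.0  # per-process change value; must not exceed the first


@dataclass
class HostSample:
    cpu: float
    disk: float
    gpu: float


@dataclass
class ProcSample:
    pid: int
    name: str
    image_hash: str  # hash of the process's executable, used for list lookup
    cpu: float


def change_value(prev: float, cur: float) -> float:
    """Resource state change value: the current reading minus the previous one."""
    return cur - prev


def host_change_value(prev: HostSample, cur: HostSample) -> float:
    """The text allows any one or a combination of CPU, disk and GPU; the largest
    single change is used here so that a GPU-only miner still trips the check."""
    return max(change_value(prev.cpu, cur.cpu),
               change_value(prev.disk, cur.disk),
               change_value(prev.gpu, cur.gpu))


def classify_process(image_hash: str, blacklist: set, whitelist: set) -> str:
    """Black/white-list verification of the program behind a process."""
    if image_hash in blacklist:
        return "malicious"
    if image_hash in whitelist:
        return "known"
    return "unknown"


def abnormality_judgment(prev_procs, cur_procs, blacklist, whitelist):
    """S201/S202: compare each process's change value with the second threshold
    and report those that are not whitelisted (unknown or blacklisted)."""
    prev_by_pid = {p.pid: p for p in prev_procs}
    hits = []
    for p in cur_procs:
        before = prev_by_pid.get(p.pid)
        prev_cpu = before.cpu if before else 0.0  # process started this interval
        delta = change_value(prev_cpu, p.cpu)
        verdict = classify_process(p.image_hash, blacklist, whitelist)
        if delta > SECOND_THRESHOLD and verdict != "known":
            hits.append({"pid": p.pid, "name": p.name,
                         "change": round(delta, 1), "verdict": verdict})
    return hits


def detect_mining(prev_host, cur_host, prev_procs, cur_procs, blacklist, whitelist):
    """S100/S200: only run the per-process judgment when the host-level change
    exceeds the first threshold, which keeps the steady-state cost low."""
    delta = host_change_value(prev_host, cur_host)
    if delta <= FIRST_THRESHOLD:
        return {"host_change": delta, "mining": False, "processes": []}
    hits = abnormality_judgment(prev_procs, cur_procs, blacklist, whitelist)
    return {"host_change": delta, "mining": bool(hits), "processes": hits}


# Constructed samples; the hashes are placeholders, not real file hashes.
WHITELIST = {"sha256:explorer", "sha256:renderer", "sha256:game"}
BLACKLIST = {"sha256:known-miner"}


def scenario_miner_start():
    """An unlisted process appears and takes 88% CPU within one interval."""
    prev = [ProcSample(100, "explorer.exe", "sha256:explorer", 2.0)]
    cur = prev + [ProcSample(4242, "svchost.exe", "sha256:unlisted", 88.0)]
    return detect_mining(HostSample(5.0, 3.0, 1.0), HostSample(92.0, 4.0, 1.0),
                         prev, cur, BLACKLIST, WHITELIST)


def scenario_two_big_apps():
    """Two whitelisted programs start together: the host change is large, but
    no single process crosses the second threshold, so nothing is raised."""
    prev = [ProcSample(100, "explorer.exe", "sha256:explorer", 2.0)]
    cur = prev + [ProcSample(501, "render.exe", "sha256:renderer", 50.0),
                  ProcSample(502, "game.exe", "sha256:game", 40.0)]
    return detect_mining(HostSample(5.0, 3.0, 1.0), HostSample(95.0, 6.0, 60.0),
                         prev, cur, BLACKLIST, WHITELIST)


if __name__ == "__main__":
    print(scenario_miner_start())
    print(scenario_two_big_apps())
```

Two points the text leaves implicit are made explicit here: a process that starts inside the sampling interval has no previous reading, so its change value is its whole current load, and the per-process check ignores whitelisted programs, which is what lets the 50%/40% rendering-plus-game case pass while an unlisted process at 88% is flagged. A miner can throttle itself below either threshold, so this heuristic catches the noisy case the text describes rather than a deliberately slow one.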
The existing mining behavior detection methods mainly take the following two approaches:
First, detection on the traffic side: mirrored traffic is monitored and analyzed and compared against existing mining characteristics, and an alarm is raised if the traffic contains characteristic mining data. But the monitoring capability for unknown mining characteristics is greatly reduced.
Second, detection on the terminal: a security client is installed on the terminal to be detected and, directly or indirectly, checks for and removes mining samples by matching them (hash value or MD5). The possibility of missing an unknown mining file is also high, and terminal resources are occupied.
Compared with the prior art, the method and the device can detect mining behavior whose malicious mining characteristics are unknown in a timely and effective manner, so mining Trojans that have not been seen before can be caught and the weakness of existing detection modes against unknown threat behavior is complemented.
Compared with the prior art, the method determines mining behavior only from the change amplitude of the running resources of the host and its processes and from whether the process is unknown, and needs no cooperation from other software. Thus the method can be delivered in a lightweight form such as a plug-in; in practice the corresponding program is only a few megabytes. Being lighter, it reduces its resource occupancy on the host to be tested and thus its influence on the host's day-to-day running performance.
As one possible embodiment of the present invention, the abnormality judgment processing further includes:
S203, acquiring the network traffic of the host to be tested in a preset period.
The preset period in this embodiment may be a period of time, such as 1 min, after the current resource state change value exceeds the first threshold. Once mining starts, the mining program needs high-frequency communication with the mining pool: the host to be tested constantly contacts the corresponding pool after mining begins, generating a large amount of traffic with it. The network traffic in this step may be obtained with existing packet capture software.
S204, if the network traffic contains a plurality of data packets with a fixed data structure and those data packets are sent at the same frequency, determining that mining behavior exists on the host to be tested.
Typically, the traffic between a mining program and its pool has two characteristics: the data packets used have a fixed data structure, typically JSON, and the communication frequency is a relatively high fixed value. If, within the preset period, there is a large amount of traffic exchanged with a site such as abc.com consisting of JSON data of a fixed structure, it can be further determined that mining behavior exists on the host to be tested. Using these traffic-side characteristics of a running mining program as additional judgment features improves the accuracy of the result. The client analyzes the host state in real time, and combining the host state with analysis of the domain names requested over the network greatly improves monitoring capability.
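The structure-and-frequency test of S203/S204 run over a captured message stream, as an added example that is not part of the patent. It takes (timestamp, destination, payload) records as input, treats a message as fixed-structure when it parses as a JSON object whose top-level keys and "method" string match its neighbours, and calls the timing regular when the inter-arrival gaps have a low coefficient of variation. The destinations, message contents and timings are constructed; abc.com is reused from the text.

```python
"""Structure-and-frequency check (S203/S204).  Added example, not the
patent's code.  Assumed: traffic is already reduced to one record per
application-layer message, (timestamp_seconds, destination, payload_bytes)."""
import json
import statistics
from collections import defaultdict

MIN_PACKETS = 5    # fewer messages than this cannot establish a regular rate
MAX_JITTER = 0.2   # coefficient of variation of the gaps; above this is irregular


def structure_signature(payload: bytes):
    """Describe the shape of a JSON message, or return None for non-JSON data."""
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    method = obj.get("method")
    return (tuple(sorted(obj)), method if isinstance(method, str) else None)


def regular_period(times):
    """Mean inter-arrival gap if the gaps are steady, else None."""
    if len(times) < MIN_PACKETS:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0 or statistics.pstdev(gaps) / mean > MAX_JITTER:
        return None
    return mean


def find_pool_like_flows(packets):
    """Group messages by (destination, structure) and keep the groups whose
    messages arrive at a steady rate: the text's two traffic characteristics."""
    groups = defaultdict(list)
    for ts, dst, payload in packets:
        sig = structure_signature(payload)
        if sig is not None:
            groups[(dst, sig)].append(ts)
    findings = []
    for (dst, (keys, method)), times in groups.items():
        period = regular_period(sorted(times))
        if period is not None:
            findings.append({"dst": dst, "keys": keys, "method": method,
                             "count": len(times), "period_s": round(period, 2)})
    return findings


def submit(i):
    """Constructed Stratum-style JSON-RPC message; the field values are made up."""
    return json.dumps({"id": i, "method": "mining.submit",
                       "params": ["worker1", f"job{i}", f"{i:08x}"]}).encode()


def constructed_capture():
    """One minute of made-up traffic: same-shaped messages to abc.com every
    ten seconds, irregular JSON API calls, and steady but non-JSON HTTP."""
    pkts = [(t, "abc.com:3333", submit(i))
            for i, t in enumerate([0.0, 10.1, 19.9, 30.2, 40.0, 50.1])]
    pkts += [(t, "api.example.test:443", json.dumps({"query": q}).encode())
             for t, q in [(0.5, "a"), (3.0, "b"), (25.0, "c"), (26.0, "d"), (80.0, "e")]]
    pkts += [(t, "www.example.org:80", b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n")
             for t in (1.0, 2.0, 3.0, 4.0, 5.0, 6.0)]
    return pkts


if __name__ == "__main__":
    for finding in find_pool_like_flows(constructed_capture()):
        print(finding)
```

The HTTP requests in the sample arrive at a perfectly steady one-second rate but are not JSON, and the API calls are JSON but irregular, so only the abc.com stream is reported; both characteristics have to hold. Two deployment caveats: real Stratum share submissions are sent when shares are found, so their spacing is less regular than keep-alive or job-notification messages, and a miner speaking Stratum over TLS exposes neither the JSON structure nor the method name to a passive capture, leaving only timing and destination to work with.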
As a possible embodiment of the present invention, before S100 obtains the current resource state change value of the host to be tested, the method further comprises:
S110, obtaining a file characteristic value of each newly dropped file on the host to be tested.
A dropped file is software (an executable file) that has just been installed on the host to be tested. The corresponding file characteristic value may be the hash value or MD5 value of the file.
S120, performing malicious feature matching on each file characteristic value so as to identify malicious files among the dropped files.
The malicious file in this embodiment may be mining software.
The application scenario is as follows:
An attacker installs the mining program on the host through phishing or implantation. The victim host runs Windows.
The attacker induces the victim host, or a remote victim host, to download and install the mining program through a phishing e-mail or other means. When the mining program lands on the victim host, the client immediately matches the MD5 of the dropped file against the virus feature library: if it matches the blacklist an alarm is raised immediately, and if the match fails the result is returned to the client.
If the mining program is not detected on landing, it runs as normal. The client monitors the host state at intervals and, through long-term learning and analysis, records the normal range of state fluctuation of the host to build a terminal state model. First, the host to be tested is monitored against the terminal state model; if a large change occurs, the fluctuation is compared with the normal-range fluctuation model of the victim host to find suspicious resource occupation, and the domain names, links, hosts and so on accessed by the victim host are extracted for threat analysis; if suspicious links, connections or processes are found, an alarm is raised immediately. Secondly, if sudden fluctuation of the running resources of the host to be tested is found, false alarms are filtered out according to the host state and the processes currently occupying resources in the periods before and after the fluctuation.
Whether a malicious file exists among the dropped files is screened by matching and comparing their characteristic values with those of known malicious files.
Since the foregoing embodiments detect mainly at runtime, for software that is already installed, a way of detecting newly dropped files was lacking. In this embodiment, malicious files among the dropped files are identified from their file characteristic values, so that mining software is detected more accurately and comprehensively.
As a possible embodiment of the invention, the method further comprises:
S300, obtaining the network traffic corresponding to the host to be tested.
S400, determining whether mining behavior exists on the host to be tested according to the domain name and/or IP in each network flow.
In this embodiment, malicious mining behavior is continuously detected from the network traffic side. Once mining starts, the mining program needs high-frequency communication with the mining pool: the host to be tested constantly contacts the corresponding pool, generating a large amount of network traffic with it. From this traffic the domain name and/or IP corresponding to the pool can be extracted, so monitoring and verifying the domain names and/or IPs detects whether malicious ones are present and thereby determines whether mining behavior exists on the host to be tested.
In this embodiment, monitoring of network traffic is added to determine whether mining behavior exists on the host to be tested, so that mining software is detected more accurately and comprehensively.
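The domain/IP check of S300/S400, as an added example that is not part of the patent. It assumes the destinations have already been extracted from the host's traffic as (pid, "host:port") pairs, and uses constructed indicator lists: abc.com is the text's example domain, pool.example is a placeholder name and 203.0.113.0/24 is a documentation address range, none of them real pool indicators.

```python
"""Domain/IP verification of traffic destinations (S300/S400).  Added example,
not the patent's code.  The indicator lists are constructed: abc.com is the
text's example, pool.example is a placeholder, 203.0.113.0/24 is TEST-NET-3."""
import ipaddress

POOL_DOMAINS = {"abc.com", "pool.example"}
POOL_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def normalise_host(dst: str) -> str:
    """Lower-case, drop the port and any trailing dot; keep IPv6 literals intact."""
    dst = dst.strip().lower()
    if dst.startswith("["):                 # "[2001:db8::1]:3333"
        return dst[1:dst.index("]")]
    if dst.count(":") == 1:                 # "name:port" or "v4addr:port"
        dst = dst.split(":", 1)[0]
    return dst.rstrip(".")


def match_domain(host: str, domains):
    """Exact or parent-domain match, so eu.abc.com hits the abc.com indicator
    while notabc.com does not."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_network(host: str, networks):
    """Address-range match; a v6 address never falls inside a v4 range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def check_destinations(connections, domains=POOL_DOMAINS, networks=POOL_NETWORKS):
    """Map each pid to the set of pool indicators its destinations matched."""
    hits = {}
    for pid, dst in connections:
        host = normalise_host(dst)
        indicator = match_domain(host, domains) or match_network(host, networks)
        if indicator:
            hits.setdefault(pid, set()).add(indicator)
    return hits


# Constructed connection list: pid 4242 is the suspect, pid 880 is a browser.
CONSTRUCTED_CONNECTIONS = [
    (4242, "eu.abc.com:3333"),
    (4242, "ABC.COM.:3333"),
    (4242, "203.0.113.7:3333"),
    (880, "www.example.org:443"),
    (880, "198.51.100.5:443"),
    (880, "[2001:db8::1]:443"),
]

if __name__ == "__main__":
    print(check_destinations(CONSTRUCTED_CONNECTIONS))
```

Most of the work is normalisation: pool addresses in miner configurations appear with ports, in mixed case, with a trailing dot or as sub-domains of the listed name, and a naive substring test would both miss eu.abc.com and wrongly hit notabc.com. Matching on the parent-domain boundary and on address ranges rather than single addresses handles these cases; the list itself still has to be maintained, which is exactly the limitation the text assigns to feature-based detection, so this check complements the resource and frequency checks rather than replacing them.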
According to a second aspect of the present invention, as shown in fig. 2, there is provided a mining behavior detection system including a server and a plurality of clients, each client being connected to the server. The clients are respectively deployed on the corresponding hosts to be tested.
Each client is used for executing the mining behavior detection method.
The server is used for receiving the detection result generated by each client.
The invention adopts a C/S architecture, so that one server can monitor whether mining activity occurs on a plurality of hosts to be tested. Compared with the prior art, the method and the device can detect mining behavior whose malicious mining characteristics are unknown in a timely and effective manner, so mining Trojans that have not been seen before can be caught and the weakness of existing detection modes against unknown threat behavior is complemented.
In addition, the method determines mining behavior only from the change amplitude of the running resources of the host and its processes and from whether the process is unknown, and needs no cooperation from other software. Thus the method can be delivered in a lightweight form such as a plug-in; in practice the corresponding program is only a few megabytes. Being lighter, it reduces its resource occupancy on the host to be tested and thus its influence on the host's day-to-day running performance.
As a possible embodiment of the present invention, the client is configured to obtain historical resource state change values of the corresponding host to be tested.
The server is used for generating a first threshold corresponding to that host according to the historical resource state change values and sending it to the corresponding client.
Because a C/S architecture is adopted and the client can monitor the running resource state of the host to be tested in real time, the server can collect a large number of normal variation amplitudes of the running resource state while the host runs normally, i.e. a large number of historical resource state change values. With the support of this data, the normal change amplitude of the running resource state in different usage scenarios can be determined more accurately, providing a basis for a more accurate first threshold and further improving the detection accuracy of mining behavior.
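Deriving the per-host first threshold from reported history, as an added example that is not part of the patent. The statistic used here, the mean plus three standard deviations but never less than the largest normal change seen plus a margin, is one reasonable choice rather than anything the text specifies; the 70%-99% clamp and the 80% default follow the values the text gives for the first threshold, and the history lists are constructed.

```python
"""Server-side first-threshold derivation from historical change values.
Added example, not the patent's code.  Assumed: each client reports the
change values (percentage points) it observed during normal use; the
statistic below is one reasonable choice, not the text's; the clamp and
default follow the text's 70%-99% range and 80% example."""
import statistics

LOWER, UPPER = 70.0, 99.0   # range the text gives for the first threshold
DEFAULT = 80.0              # the text's example value, used until enough history exists
MIN_SAMPLES = 10


def derive_first_threshold(history, k=3.0, margin=10.0):
    """Mean + k standard deviations, raised to at least the largest normal
    change plus a margin, then clamped into the permitted range."""
    if len(history) < MIN_SAMPLES:
        return DEFAULT
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    candidate = max(mean + k * sd, max(history) + margin)
    return round(min(UPPER, max(LOWER, candidate)), 1)


def thresholds_for_hosts(reports):
    """reports: {host_id: [change values reported by that host's client]}.
    Returns the per-host first threshold the server would send back."""
    return {host: derive_first_threshold(values) for host, values in reports.items()}


# Constructed history: an office PC, a workstation that runs 3D rendering,
# and a host that has only just been enrolled.
CONSTRUCTED_REPORTS = {
    "office-pc-01": [2, 5, 3, 8, 4, 6, 3, 7, 5, 4],
    "render-ws-07": [30, 55, 40, 62, 48, 35, 58, 45, 52, 60],
    "new-host-99": [12, 9],
}

if __name__ == "__main__":
    for host, threshold in thresholds_for_hosts(CONSTRUCTED_REPORTS).items():
        print(f"{host}: first threshold {threshold}%")
```

The rendering workstation ends up with a threshold near 79.5% while the office PC is held at the 70% floor; with a single global 80% the workstation would alert on every large render. The baseline is only as good as the period it was learned from: a host that was already mining during learning reports inflated normal changes and raises its own threshold, so learning should run on hosts that have passed the dropped-file and process checks, and the result should be bounded above as the code does.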
According to a third aspect of the present invention, as shown in fig. 3, there is provided a mining behavior detection apparatus, the apparatus comprising:
an acquisition module, used for acquiring the current resource state change value of the host to be tested;
a judging module, used for performing abnormality judgment processing on the host to be tested if the current resource state change value is larger than the first threshold, so as to determine whether mining behavior exists in the host to be tested.
The abnormality judgment processing includes:
obtaining a current resource state change value corresponding to each process;
if the current resource state change value corresponding to any unknown process is larger than a second threshold, determining that mining behavior exists in the host to be tested.
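The two-stage check described above (host-level first threshold, then a per-process second threshold applied only to unknown processes) is shown below as an added, self-contained example; it is not the patent's or the applicant's code. Everything not stated in the patent is an assumption here: resource samples carry CPU, disk and GPU occupancy in percent, the change value is the difference between two consecutive samples, the server derives the first threshold from historical change values as mean plus k standard deviations, and "unknown process" means a name absent from a constructed allow-list. The history and samples are constructed.

```python
"""Two-stage mining-behaviour check modelled on the patent's description.

Added example, not the patent's or Antiy's code. Assumptions the patent does
not state: resource samples are CPU/disk/GPU occupancy in percent; the change
value is the delta between consecutive samples; the first threshold is
mean + k*sigma of historical change values; an unknown process is one whose
name is absent from an allow-list.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Constructed allow-list; in practice this comes from a baseline inventory.
KNOWN_PROCESSES = frozenset({"sshd", "nginx", "postgres", "java"})


@dataclass(frozen=True)
class ResourceState:
    """Occupancy (or occupancy change) of the three resources named in claim 3."""
    cpu: float
    disk: float
    gpu: float


def change_value(prev: ResourceState, cur: ResourceState) -> ResourceState:
    """Current resource state change value: delta between two consecutive samples."""
    return ResourceState(cur.cpu - prev.cpu, cur.disk - prev.disk, cur.gpu - prev.gpu)


def derive_first_threshold(history: Iterable[ResourceState], k: float = 3.0) -> ResourceState:
    """Server side (claim 7): per-host first threshold from the historical change
    values the client reported. mean + k*sigma is an assumption of this example."""
    hist = list(history)

    def bound(values: List[float]) -> float:
        return mean(values) + k * pstdev(values)

    return ResourceState(bound([h.cpu for h in hist]),
                         bound([h.disk for h in hist]),
                         bound([h.gpu for h in hist]))


def exceeds_first_threshold(change: ResourceState, threshold: ResourceState) -> bool:
    """Host-level gate: any single resource jumping past its threshold is enough."""
    return (change.cpu > threshold.cpu or change.disk > threshold.disk
            or change.gpu > threshold.gpu)


def abnormality_judgement(process_changes: Dict[str, float], second_threshold: float,
                          known: frozenset = KNOWN_PROCESSES) -> List[str]:
    """Per-process step: unknown processes whose change value exceeds the second threshold."""
    return sorted(name for name, cv in process_changes.items()
                  if name not in known and cv > second_threshold)


def detect_mining(prev: ResourceState, cur: ResourceState, first_threshold: ResourceState,
                  process_changes: Dict[str, float], second_threshold: float,
                  known: frozenset = KNOWN_PROCESSES) -> Tuple[bool, List[str]]:
    """Claim 1 end to end: the host gate runs first, then the per-process judgement."""
    if not exceeds_first_threshold(change_value(prev, cur), first_threshold):
        return False, []
    suspects = abnormality_judgement(process_changes, second_threshold, known)
    return bool(suspects), suspects


# Constructed history of change values (percent) reported by a quiet host.
HISTORY = [
    ResourceState(2, 1, 0), ResourceState(-1, 0, 0), ResourceState(3, -1, 1),
    ResourceState(0, 2, -1), ResourceState(1, 0, 0), ResourceState(-2, 1, 0),
    ResourceState(2, -1, 1), ResourceState(1, 0, 0), ResourceState(0, 1, -1),
    ResourceState(-1, 0, 0),
]

if __name__ == "__main__":
    t1 = derive_first_threshold(HISTORY)
    # Constructed samples: CPU jumps from 10% to 85% while an unlisted binary is hot.
    print(detect_mining(ResourceState(10, 5, 0), ResourceState(85, 6, 0), t1,
                        {"sshd": 1.0, "unlisted_bin": 70.0, "nginx": 2.0}, 30.0))
```

The host gate keeps the per-process scan cheap (it only runs after a host-level jump), and the allow-list is what makes a hot but known process such as a JVM pass the second stage without a hit, which is the behaviour the description relies on to keep false positives down.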
Compared with the prior art, the apparatus can detect mining behavior whose malicious mining characteristics are unknown, and can detect such behavior in a timely and effective manner. Because detection is based on the mining behavior itself, mining Trojans that have not appeared before can also be defended against, which complements the weakness of existing detection methods in detecting unknown threat behavior.
Compared with the prior art, the apparatus determines mining behavior only from the change amplitude of the running resources of the host and of the processes to be detected, and from whether the process name is unknown; no other software needs to cooperate. The apparatus can therefore be deployed in a more lightweight form, for example as a plug-in; when implemented, the corresponding program is only a few megabits in size. Being lighter, it reduces the resource occupancy on the host to be tested and so further reduces the impact on the host's day-to-day running performance.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium that may be disposed in an electronic device to store at least one instruction or at least one program for implementing one of the method embodiments, the at least one instruction or the at least one program being loaded and executed by a processor to implement the methods provided by the embodiments described above.
Embodiments of the present invention also provide an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
Embodiments of the present invention also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to the various exemplary embodiments of the invention described in the present specification when the program product is run on the electronic device.
While certain specific embodiments of the invention have been described in detail by way of example, it will be appreciated by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the invention. Those skilled in the art will also appreciate that many modifications may be made to the embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (10)

1. A mining behavior detection method, characterized by comprising the following steps:
acquiring a current resource state change value of a host to be tested;
if the current resource state change value is larger than a first threshold, performing abnormality judgment processing on the host to be tested so as to determine whether mining behavior exists in the host to be tested;
the abnormality judgment processing includes:
acquiring a current resource state change value corresponding to each process;
if the current resource state change value corresponding to any unknown process is larger than a second threshold value, determining that the mining behavior exists in the host to be tested.
2. The method of claim 1, wherein the abnormality judgment processing further comprises:
acquiring network flow of the host to be tested in a preset period;
if a plurality of data packets with fixed data structures exist in the network flow and the data packets with the fixed data structures have the same sending frequency, determining that mining behavior exists in the host to be tested.
3. The method of claim 1, wherein the current resource status change values include a CPU occupancy change value, a disk occupancy change value, and a GPU occupancy change value.
4. The method of claim 1, wherein prior to obtaining the current resource state change value for the host under test, the method further comprises:
acquiring a file characteristic value of each landed file in the host to be tested;
and performing malicious feature matching processing on each file characteristic value so as to determine malicious files among the plurality of landed files.
5. The method according to claim 1, wherein the method further comprises:
acquiring network traffic corresponding to the host to be tested;
and determining whether mining behavior exists in the host to be tested according to the domain name and/or IP in each network flow.
6. A mining behavior detection system, characterized by comprising a server and a plurality of clients, wherein each client is connected to the server and the clients are respectively deployed on corresponding hosts to be tested;
each client is used for executing the mining behavior detection method;
the server is used for receiving the detection result generated by each client.
7. The system of claim 6, wherein the client is configured to obtain a historical resource status change value corresponding to the host under test;
the server is used for generating a first threshold corresponding to the host to be tested according to the history resource state change value and sending the first threshold to the corresponding client.
8. A mining behavior detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring the current resource state change value of the host to be tested;
a judging module, used for performing abnormality judgment processing on the host to be tested if the current resource state change value is larger than a first threshold, so as to determine whether mining behavior exists in the host to be tested;
the abnormality judgment processing includes:
acquiring a current resource state change value corresponding to each process;
if the current resource state change value corresponding to any unknown process is larger than a second threshold value, determining that the mining behavior exists in the host to be tested.
9. A non-transitory computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a mining behavior detection method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements a mining behavior detection method according to any one of claims 1 to 7 when executing the computer program.
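Claim 2 adds a traffic-side signal: many packets sharing a fixed data structure and sent at the same frequency. The following is an added example of that check, not the patent's or the applicant's code. The patent does not define what counts as a fixed structure or the same frequency, so this example assumes a structure is approximated by the tuple (destination, payload length, leading header bytes), that "same frequency" means the inter-arrival intervals have a coefficient of variation at or below a jitter tolerance, and that a group needs at least min_count packets before it is considered. The packets, addresses (documentation ranges) and payload bytes are constructed.

```python
"""Periodic fixed-structure traffic check modelled on claim 2 of the patent.

Added example, not the patent's or Antiy's code. Assumptions: a "fixed data
structure" is approximated by (dst, payload length, header prefix); "same
sending frequency" means the inter-arrival intervals have a coefficient of
variation <= max_jitter; a group needs >= min_count packets to be considered.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds (constructed)
    dst: str         # destination address
    payload: bytes


StructureKey = Tuple[str, int, bytes]


def structure_key(p: Packet, prefix_len: int = 4) -> StructureKey:
    """Approximate the packet's data structure by destination, length and header prefix."""
    return (p.dst, len(p.payload), p.payload[:prefix_len])


def periodic_groups(packets: Iterable[Packet], min_count: int = 5,
                    max_jitter: float = 0.1) -> List[Tuple[StructureKey, float]]:
    """Return (structure, mean interval) for every structure sent at a steady cadence."""
    stamps: Dict[StructureKey, List[float]] = defaultdict(list)
    for p in packets:
        stamps[structure_key(p)].append(p.ts)
    flagged: List[Tuple[StructureKey, float]] = []
    for key, ts in stamps.items():
        if len(ts) < min_count:          # too few packets to call it a cadence
            continue
        ts.sort()
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(intervals)
        # Same sending frequency: relative spread of the intervals is small.
        if m > 0 and pstdev(intervals) / m <= max_jitter:
            flagged.append((key, m))
    return flagged


def has_mining_like_traffic(packets: Iterable[Packet], **kw) -> bool:
    """Claim 2 verdict: any steady-cadence fixed-structure group is a hit."""
    return bool(periodic_groups(packets, **kw))


# Constructed capture: a 32-byte fixed payload to 198.51.100.7 roughly every 10 s,
# plus five identical packets to 192.0.2.5 at irregular times (same structure,
# no fixed frequency), which must not be flagged.
_BEACON = b"\x10\x00\x00\x2a" + b"\x00" * 28
BEACON_PACKETS = [Packet(t, "198.51.100.7", _BEACON)
                  for t in (0.0, 10.1, 19.9, 30.2, 40.0, 50.1)]
IRREGULAR_PACKETS = [Packet(t, "192.0.2.5", b"HELO example\r\n")
                     for t in (1.0, 2.0, 30.0, 31.0, 95.0)]

if __name__ == "__main__":
    for key, interval in periodic_groups(BEACON_PACKETS + IRREGULAR_PACKETS):
        print(f"steady cadence to {key[0]}: {key[1]} bytes every {interval:.2f}s")
```

The irregular group shows why the frequency test matters: five packets with an identical structure are not enough on their own, and the check only fires when their spacing is stable. In a real capture the tolerance and minimum count would be tuned against the host's normal keepalive traffic, which this claim would otherwise match.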

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211722061.XA CN116032618A (en) 2022-12-30 2022-12-30 Mining behavior detection method, system, device, medium and equipment

Publications (1)

Publication Number Publication Date
CN116032618A (en) 2023-04-28

Family

ID=86070142

Country Status (1)

Country Link
CN (1) CN116032618A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination