CN116827571A - Host intrusion risk prediction method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN116827571A
Application number: CN202210288662.8A
Authority: CN (China)
Prior art keywords: event, target, historical, host, events
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 钟海, 张振海, 林少翔, 谭林, 韩健, 罗文印, 齐煌, 张露明
Current assignee: SF Technology Co Ltd
Original assignee: SF Technology Co Ltd
Application filed by SF Technology Co Ltd; priority to CN202210288662.8A; published as CN116827571A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a host intrusion risk prediction method and device, electronic equipment and a readable storage medium. The method queries second historical events among the historical events, derives from the number of second historical events how many times the operation corresponding to the target event has occurred historically, uses the information advantage of big data to evaluate the likelihood that this operation is an intrusion operation, and from that determines the intrusion risk prediction result for the target host. Moreover, compared with the conventional approach, the method does not require a specific detection rule to be written for each intrusion mode and intrusion technique, so operation and detection costs can be greatly reduced.

Description

Host intrusion risk prediction method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for predicting risk of host intrusion, an electronic device, and a readable storage medium.
Background
Hosts (servers) are an important production resource and data storage site for an enterprise, and are the ultimate goal of hackers launching network attacks. Whether intrusion events on a host can be found promptly and accurately, and alarmed on and handled in time, is an important subject in the field of network security.
The method generally adopted in the network security field today is to set detection rules in a targeted manner on the basis of known attack modes and attack techniques, check the events occurring on a host (such as network connections and command input) against these hard-coded rules, and raise an alarm on the events they capture. Such conventional methods cannot cope with ever-changing attack methods and techniques, and in particular with unknown attack methods; they easily generate a large number of false positives, which results in excessive manual processing cost.
Disclosure of Invention
The application provides a host intrusion risk prediction method, a device, electronic equipment and a readable storage medium, and aims to solve the problem that the existing host intrusion risk prediction method cannot cope with different attack modes and methods, particularly the unknown attack method.
In a first aspect, the present application provides a method for predicting risk of host intrusion, including:
acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event;
according to the target event type, selecting a first historical event from preset historical events;
selecting a second historical event containing the target event information from the first historical event to obtain the number of the historical events of the second historical event;
and determining an intrusion risk prediction result of the target host according to the number of the historical events.
In one possible implementation manner of the present application, the determining, according to the number of the historical events, an intrusion risk prediction result of the target host includes:
counting the total number of the first historical events to obtain a total value of the historical events;
calculating a first occurrence probability of the target event according to the total historical event value and the number of the historical events;
and if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, judging that the target host has intrusion risk.
In one possible implementation manner of the present application, if the first occurrence probability is less than or equal to a target probability threshold corresponding to the target event type, determining that the target host has an intrusion risk includes:
if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, acquiring a related event of the target event, wherein a host address, a login user identity and event occurrence time contained in event information of the related event are the same as the host address, the login user identity and the event occurrence time contained in the target event information;
acquiring second occurrence probability of each associated event, and determining a risk event in each associated event according to each second occurrence probability;
counting the event types of the risk events in the associated events and the event types of the target events to obtain the number of the event types;
and if the number of the event types is greater than or equal to the preset number, judging that the target host has an intrusion risk.
In one possible implementation manner of the present application, after the determining that the target host has an intrusion risk if the number of event types is greater than or equal to a preset number, the method further includes:
generating an alarm work order according to the risk event and the target event in each associated event;
and displaying the alarm work order on a preset target terminal.
In one possible implementation manner of the present application, if the first occurrence probability is less than or equal to a target probability threshold corresponding to the target event type, before determining that the target host has an intrusion risk, the method further includes:
classifying the first historical events according to the event information of each first historical event to obtain a plurality of historical event sets, wherein the event information of the first historical events in each historical event set is the same;
determining the occurrence probability sum of the first historical events in each historical event set according to the total historical event value and the number of the first historical events in each historical event set;
and setting the minimum occurrence probability sum as a target probability threshold corresponding to the target event type.
In one possible implementation of the present application, the event type of the target event includes one of a network connection event, a process creation event, and a command operation event.
In one possible implementation manner of the present application, before the selecting, according to the target event type, the first historical event from the preset historical events, the method further includes:
extracting historical events of each host from a host cluster containing target hosts;
storing each historical event in each preset database according to the event type to obtain each historical event library;
the selecting, according to the target event type, a first historical event from preset historical events includes:
selecting a target historical event library from the historical event libraries according to the target event type;
and extracting the historical events in the target historical event library to obtain a first historical event.
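As an added worked example, not taken from the patent or its applicant, the following Python sketch carries the first-aspect procedure through end to end: historical events are kept in one library per event type (the preset databases of the storage step), the first occurrence probability of the target event and the per-type threshold (the smallest event-information group's share of that type's history) are computed, and when the target is rare its associated events (same host, login user and occurrence period) are checked so that the host is flagged only when the risk events span at least a preset number of event types, after which an alarm work order is produced. The event fields, the sample data, the preset type count of 2, the exclusion of the target itself from its own associated events, and the use of the same per-type threshold to classify associated events as risk events are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One host event. host/user/period are common to all types; detail holds
    the type-specific fields (target address and port, process name, command)."""
    event_type: str
    host: str
    user: str
    period: int                 # hour-of-day period (0..23) the event fell into
    detail: Tuple[str, ...]

    def info(self) -> Tuple:
        """The 'event information' compared for equality between two events."""
        return (self.host, self.user, self.period) + self.detail


# Historical event libraries, one per event type (constructed sample data,
# not from the patent).
HISTORY: Dict[str, List[Event]] = {
    "network_connection":
        [Event("network_connection", "10.1.1.10", "ops", 9, ("10.1.1.5", "443"))] * 5
        + [Event("network_connection", "10.1.1.10", "ops", 14, ("10.1.1.5", "443"))] * 2
        + [Event("network_connection", "10.1.1.10", "ops", 9, ("10.1.1.7", "22"))],
    "process_creation":
        [Event("process_creation", "10.1.1.10", "ops", 9, ("sshd",))] * 3
        + [Event("process_creation", "10.1.1.10", "ops", 2, ("cron",))],
    "command_operation":
        [Event("command_operation", "10.1.1.10", "ops", 9, ("ls",))] * 3
        + [Event("command_operation", "10.1.1.10", "ops", 9, ("cat",))] * 2,
}


def occurrence_probability(event: Event, history: Dict[str, List[Event]]) -> float:
    """Share of first historical events (same type) whose event information
    equals this event's. An unseen type or an unseen operation yields 0,
    i.e. the event is treated as maximally rare (avoids division by zero)."""
    first = history.get(event.event_type, [])
    if not first:
        return 0.0
    matches = sum(1 for h in first if h.info() == event.info())
    return matches / len(first)


def probability_threshold(event_type: str, history: Dict[str, List[Event]]) -> float:
    """Threshold for a type: group its historical events by event information
    and take the smallest group's share of the total (assumption: the same
    threshold is reused for the associated events of that type)."""
    first = history.get(event_type, [])
    if not first:
        return 0.0
    groups = Counter(h.info() for h in first)
    return min(groups.values()) / len(first)


def associated_events(target: Event, realtime: List[Event]) -> List[Event]:
    """Real-time events sharing the target's host, login user and period
    (the target itself is excluded; an assumption of this example)."""
    return [e for e in realtime
            if e is not target
            and (e.host, e.user, e.period) == (target.host, target.user, target.period)]


def predict_intrusion_risk(target: Event, realtime: List[Event],
                           history: Dict[str, List[Event]],
                           preset_type_count: int = 2) -> Optional[dict]:
    """Return an alarm work order (dict) if the target host is judged at risk,
    otherwise None."""
    p1 = occurrence_probability(target, history)
    if p1 > probability_threshold(target.event_type, history):
        return None                                   # common operation: no risk
    risk_events = [e for e in associated_events(target, realtime)
                   if occurrence_probability(e, history)
                   <= probability_threshold(e.event_type, history)]
    types = {e.event_type for e in risk_events} | {target.event_type}
    if len(types) < preset_type_count:
        return None                                   # a lone rare event is not enough
    return {"host": target.host, "user": target.user, "period": target.period,
            "event_types": sorted(types), "events": [target] + risk_events}


if __name__ == "__main__":
    # Constructed real-time events from the target host on the prediction day.
    target = Event("network_connection", "10.1.1.10", "ops", 3, ("203.0.113.9", "8443"))
    realtime = [target,
                Event("process_creation", "10.1.1.10", "ops", 3, ("nc",)),
                Event("command_operation", "10.1.1.10", "ops", 3, ("curl",)),
                Event("process_creation", "10.1.1.10", "ops", 9, ("sshd",))]
    print(predict_intrusion_risk(target, realtime, HISTORY))
```

Two properties worth noting: an operation never seen in the history gets probability 0 and therefore always passes the first comparison, so the second stage (distinct event types among the associated risk events) is what keeps a single unusual but benign command from raising a work order; and because the threshold is the smallest group's share, a target whose information matches the rarest historical group is exactly at the threshold and is also treated as a candidate.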
In a second aspect, the present application provides a host intrusion risk prediction apparatus, including:
an acquisition unit, configured to acquire a target event in a target host to be predicted, and a target event type and target event information of the target event;
the first selection unit is used for selecting a first historical event from preset historical events according to the target event type;
the second selection unit is used for selecting a second historical event containing the target event information from the first historical events to obtain the number of the historical events of the second historical event;
and the determining unit is used for determining an intrusion risk prediction result of the target host according to the number of the historical events.
In a possible implementation of the application, the determining unit is further configured to:
counting the total number of the first historical events to obtain a total value of the historical events;
calculating a first occurrence probability of the target event according to the total historical event value and the number of the historical events;
and if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, judging that the target host has intrusion risk.
In a possible implementation of the application, the determining unit is further configured to:
if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, acquiring a related event of the target event, wherein a host address, a login user identity and event occurrence time contained in event information of the related event are the same as the host address, the login user identity and the event occurrence time contained in the target event information;
acquiring second occurrence probability of each associated event, and determining a risk event in each associated event according to each second occurrence probability;
counting the event types of the risk events in the associated events and the event types of the target events to obtain the number of the event types;
and if the number of the event types is greater than or equal to the preset number, judging that the target host has an intrusion risk.
In a possible implementation of the application, the determining unit is further configured to:
generating an alarm work order according to the risk event and the target event in each associated event;
and displaying the alarm work order on a preset target terminal.
In a possible implementation of the application, the determining unit is further configured to:
classifying the first historical events according to the event information of each first historical event to obtain a plurality of historical event sets, wherein the event information of the first historical events in each historical event set is the same;
determining the occurrence probability sum of the first historical events in each historical event set according to the total historical event value and the number of the first historical events in each historical event set;
and setting the minimum occurrence probability sum as a target probability threshold corresponding to the target event type.
In a possible implementation of the application, the first selection unit is further configured to:
extracting historical events of each host from a host cluster containing target hosts;
storing each historical event in each preset database according to the event type to obtain each historical event library;
selecting a target historical event library from the historical event libraries according to the target event type;
and extracting the historical events in the target historical event library to obtain a first historical event.
In a third aspect, the present application also provides an electronic device, including a processor, a memory, and a computer program stored in the memory and executable on the processor, the processor executing the steps in any one of the host intrusion risk prediction methods provided by the present application when calling the computer program in the memory.
In a fourth aspect, the present application further provides a readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of any of the host intrusion risk prediction methods provided by the present application.
In summary, the host intrusion risk prediction method provided by the application includes: acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event; according to the target event type, selecting a first historical event from preset historical events; selecting a second historical event containing the target event information from the first historical event to obtain the number of the historical events of the second historical event; and determining an intrusion risk prediction result of the target host according to the number of the historical events. The method therefore queries second historical events among the historical events, derives from the number of second historical events how many times the operation corresponding to the target event has occurred historically, uses the information advantage of big data to evaluate the likelihood that this operation is an intrusion operation, and from that determines the intrusion risk prediction result for the target host. Moreover, compared with the conventional approach, the method does not require a specific detection rule to be written for each intrusion mode and intrusion technique, so operation and detection costs can be greatly reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of a host intrusion risk prediction method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a method for predicting risk of host intrusion according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of another method for predicting risk of host intrusion according to an embodiment of the present application;
FIG. 4 is a schematic block diagram of a host system according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an embodiment of a host intrusion risk prediction device according to the present application;
fig. 6 is a schematic structural diagram of an embodiment of an electronic device provided in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
In describing embodiments of the present application, it should be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the described features. In the description of the embodiments of the present application, "plurality" means two or more, unless explicitly defined otherwise.
The following description is presented to enable any person skilled in the art to make and use the application. In the following description, details are set forth for purposes of explanation. It will be apparent to one of ordinary skill in the art that the present application may be practiced without these specific details. In other instances, well-known processes have not been described in detail in order to avoid unnecessarily obscuring the description of the embodiments of the application. Thus, the present application is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
The embodiment of the application provides a host intrusion risk prediction method, a device, electronic equipment and a readable storage medium. The host intrusion risk prediction device may be integrated in an electronic device, and the electronic device may be a server or a device such as a terminal.
The execution main body of the host intrusion risk prediction method in the embodiment of the present application may be a host intrusion risk prediction device provided in the embodiment of the present application, or different types of electronic devices such as a server device, a physical host, or a User Equipment (UE) that are integrated with the host intrusion risk prediction device, where the host intrusion risk prediction device may be implemented in a hardware or software manner, and the UE may specifically be a terminal device such as a smart phone, a tablet computer, a notebook computer, a palm computer, a desktop computer, or a personal digital assistant (Personal Digital Assistant, PDA).
The electronic device may be operated in a single operation mode, or may also be operated in a device cluster mode.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of a host intrusion risk prediction system according to an embodiment of the present application. The host intrusion risk prediction system may include an electronic device 101, where a host intrusion risk prediction apparatus is integrated in the electronic device 101.
In addition, as shown in FIG. 1, the host intrusion risk prediction system may also include a memory 102 for storing data, such as text data.
It should be noted that the scenario of the host intrusion risk prediction system shown in fig. 1 is only an example. The system and scenario described in the embodiments of the present application serve to explain the technical solution more clearly and do not limit it; as a person of ordinary skill in the art can appreciate, the technical solution applies equally to similar technical problems as the host intrusion risk prediction system evolves and new service scenarios appear.
In the embodiment of the present application, an electronic device is used as an execution body, and for simplicity and convenience of description, the execution body is omitted in the subsequent method embodiment, and the host intrusion risk prediction method includes: acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event; according to the target event type, selecting a first historical event from preset historical events; selecting a second historical event containing the target event information from the first historical event to obtain the number of the historical events of the second historical event; and determining an intrusion risk prediction result of the target host according to the number of the historical events.
Referring to fig. 2, fig. 2 is a flow chart of a host intrusion risk prediction method according to an embodiment of the present application. It should be noted that although a logical order is depicted in the flowchart, in some cases the steps depicted or described may be performed in a different order than presented herein. The host intrusion risk prediction method specifically may include the following steps 201 to 204, where:
201. and acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event.
In the embodiment of the application, the host may refer to a server host. A server host is a computer that provides computing or application services to other clients (terminals such as PCs, smartphones and ATMs, and even large devices such as train systems). For example, the host may be a server host in an express logistics company that manages user information and distributes the tasks of the express staff.
An event refers to an operation performed by a user on a host. Illustratively, the target event in the embodiment of the present application may refer to a real-time event in the target host, where the definition of real time may be adjusted according to the service requirement. For example, real time may mean that events generated on the day steps 201 to 204 are performed count as real-time events, or that events generated on that day and the previous day count as real-time events. For example, when steps 201 to 204 are performed on 10 2/2022 to detect the intrusion risk of the target host, an operation the user performs on the target host on that same day (10/2022) generates a corresponding event; that event can be used as the target event to detect in real time whether the target host is at risk of intrusion, so as to achieve real-time protection.
In the embodiment of the application, the target event can be acquired by reading the event log of the target host. For example, the event log may be collected from the target host by a preset component and sent to a preset log processing server; the log processing server forwards the received event log to a real-time data stream, and the electronic device reads the event log from the real-time data stream to obtain the target event. For example, the electronic device may obtain the target event by collecting the event log from the target host with a component of a host-based intrusion detection system (Host-based Intrusion Detection System, HIDS), transmitting the event log to a preset log processing server, which forwards the received event log to a Kafka real-time data stream, and reading the event log from the Kafka real-time data stream.
The host-based intrusion detection system is a detection system that is focused on the inside of the host system, monitors the dynamic behavior of all or part of the host system and the state of the entire host system, and for example, open-source OSSEC may be used as the host-based intrusion detection system in the embodiment of the present application.
Kafka is a high throughput distributed publish-subscribe messaging system that can handle all action flow data in a host system, with the aim of unifying on-line and off-line message processing through Hadoop parallel loading mechanisms, and also to provide real-time messages through clusters.
For ease of understanding, hereinafter, real-time events are considered to be transmitted via real-time data streams, unless specifically indicated.
The event type may refer to the type of operation corresponding to the event, and may be obtained by querying a field identifier carried by the event. In some embodiments, the event type of the target event may be any one of all the preset types that the host may generate. For example, if the host may generate a total of 4 preset types, event type a, event type b, event type c and event type d, the event type of the target event is one of these four. In this case the target host may be detected in real time, and any generated real-time event is taken as a target event.
In other embodiments, the event type of an event may be one of a pre-selected preset type among all possible preset types generated by the host. For example, among all preset types that may be generated by the host, a preset type that easily judges whether the corresponding host is intruded may be selected in advance as the event type. For example, the event type may be any one of a network connection event, a process creation event, and a command operation event among all preset types that may be generated by the host. At this time, the target host may be detected in real time, and if the event type of the real-time event is not one of the network connection event, the process creation event, and the command operation event, the real-time event is filtered and the real-time detection of the target host is continued.
The network connection event refers to an event generated when the host initiates a connection to another network address (intranet or extranet), such as an event generated when an interface is accessed. When an intrusion occurs, after an attacker enters a victim host in some way, the attacker tries to connect to a malicious control server (such as a C2 server) set up beforehand in a public network environment; once the connection succeeds, the attacker can remotely control the victim host through the connected malicious control server to execute arbitrary commands or steal key data. It is therefore relatively easy to determine from network connection events whether the corresponding host is hacked.
Process creation events refer to events that occur when process creation data is newly generated on a host. In the case of an intrusion, when an attacker enters the victim host in some way, the attacker can execute instructions by way of creating processes, or steal critical data. It is relatively easy to determine whether the corresponding host is hacked by the process creation event.
The command operation event refers to an event generated when user command operation data is newly generated on the host. In the case of an intrusion, when an attacker enters the victim host in some way, the attacker can execute instructions or steal critical data by executing operation commands. It is relatively easy to determine from command operation events whether the corresponding host is hacked.
Therefore, by acquiring target events whose event type is one of the network connection event, the process creation event and the command operation event, the intrusion risk of the target host can be evaluated effectively, while events of any other event type are filtered out; this reduces the amount of computation when predicting the intrusion risk of the target host, lowers the computing power requirement, and reduces the cost of the host system where the target host is located. For ease of understanding, the description below assumes that the preset types the host may generate are the network connection event, the process creation event and the command operation event, i.e. the target event type is one of these three, but this should not be construed as limiting the embodiments of the present application.
The event information refers to the operation information included in an event; thus, if the event information of two events is the same, the operations corresponding to these two events can be considered the same. The event information of one event may contain several kinds of information, and it is understood that events of different event types do not contain identical kinds of information. For example, when the target event type is a network connection event, the target event information may include the event occurrence time, login user identity, host IP address, target port, and the like; when the target event type is a process creation event, the target event information may include the event occurrence time, login user identity, host IP address, process name, and the like; when the target event type is a command operation event, the target event information may include the event occurrence time, login user identity, host IP address, executing user identity, operation command, and the like.
For example, the event occurrence time of an event may refer to the target time period, among a plurality of pre-divided time periods, in which the event occurs. For example, the 24 hours of a day may be pre-divided into 24 time periods: 0:00-1:00 (denoted as 0), 1:00-2:00 (denoted as 1), ..., 23:00-0:00 of the next day (denoted as 23). If the target event occurs at 1:05, the event occurrence time of the target event is period 1.
The target IP address may be understood as the IP address of the host that receives the network connection request when a network connection is made; when the target IP addresses in the event information of two network connection events are the same, the two events have the same connection target host.
When the target event type is a network connection event, the host IP address may be understood as the IP address of the host that initiates the network connection request; when the host IP addresses in the event information of two network connection events are the same, the two events were initiated by the same host.
When the target event type is a process creation event or a command operation event, the host IP address refers to the IP address of the host on which the process is created or the command operation is performed, respectively.
202. Select first historical events from preset historical events according to the target event type.
Historical events may refer to all non-real-time events that occurred before the electronic device performs intrusion risk prediction on the target host. For example, if a real-time event is defined as an event that occurs on the day steps 201-204 are performed, a historical event refers to any event that occurred before the day on which the electronic device performs steps 201-204, i.e. the intrusion risk prediction on the target host. To facilitate subsequent reading, the electronic device may store all events generated before the day of the intrusion risk prediction on the target host in different preset databases according to event type, obtaining a plurality of historical event databases storing the historical events.
The first historical event refers to a historical event whose event type is the same as the target event type. For example, if the historical events are all events generated before the day of the intrusion risk prediction on the target host, and the electronic device has stored them in different preset databases according to event type to obtain a plurality of historical event databases, then on the day of the intrusion risk prediction the electronic device may select the target database from these historical event databases according to the target event type and obtain the first historical events stored in the target database.
In some embodiments, the target host is a separately configured server host, where the historical event may refer to all events generated in the target host before the intrusion risk prediction is performed on the target host by the electronic device.
In other embodiments, the target host is part of a host cluster of the host system, and the historical events may refer to all events generated in the host cluster before the electronic device performs intrusion risk prediction on the target host. In this case, before the step of selecting the first historical event from the preset historical events according to the target event type, the plurality of historical event databases storing the historical events may be obtained as follows:
(1) Extract the historical events of each host from the host cluster containing the target host.
(2) Store each historical event in the preset database for its event type, obtaining each historical event database.
The preset database may be a background database of the express logistics company. For example, the preset database may be a database in a system for managing user information and distributing work tasks of the express delivery company.
203. Select second historical events containing the target event information from the first historical events, and obtain the number of historical events of the second historical events.
The second historical event refers to a first historical event that contains the target event information, i.e. a first historical event whose event information is identical to that of the target event. For ease of understanding, the description takes the case where the event type of the first historical event is a network connection event. In that case the event information included in the first historical event may include the event occurrence time, the login user identity, the host IP address, the target IP address and the target port. Provided that the event information contained in a network connection event is only these five items, the second historical events are the first historical events whose event occurrence time, login user identity, host IP address, target IP address and target port are the same as those of the target event, and, according to the description of the event information above, the number of historical events corresponding to the target event is the number of times the operation corresponding to the target event occurred before the intrusion risk detection of the target host. It can be understood that, since the host IP address of a second historical event is the same as that of the target event, the second historical event is actually a historical event that occurred on the target host. However, since the target host usually exists as part of a host cluster and the historical event database stores the historical events of every host in the cluster, when acquiring the second historical events the electronic device still needs to read the event information of each first historical event to determine them; they cannot be obtained directly from the target host. This will not be described in detail below.
The second historical event is described below with a specific example. Assume that the event occurrence time, login user identity, host IP address, target IP address and target port of the target event are 10, root, 100.10.1.10, 100.10.2.20 and 8000 respectively. The second historical events are then the first historical events whose event occurrence time, login user identity, host IP address, target IP address and target port are likewise 10, root, 100.10.1.10, 100.10.2.20 and 8000, where the value 10 of the event occurrence time denotes the period 10:00-11:00 of the day in which the connection occurs; see the description above.
It should be noted that, besides the event occurrence time, the login user identity, the host IP address, the target IP address and the target port, the event information included in a network connection event may also include other kinds of information. In that case the second historical event may be a first historical event in which the other kinds of information are also the same as in the target event, or a first historical event in which only the above five items are the same as in the target event. For example, the event information of a network connection event may further include relatively unimportant information such as the connection time. When the connection time of the target event is 25 minutes, the second historical event may refer to a first historical event whose event occurrence time, login user identity, host IP address, target IP address and target port are the same as those of the target event and whose connection time is also 25 minutes, or to a first historical event in which those five items are the same as in the target event and the value of the connection time is not limited. For ease of understanding, unless specifically stated, the event information contained in a network connection event is hereinafter taken to be only the event occurrence time, login user identity, host IP address, target IP address and target port.
The number of history events refers to the number of second history events selected. For example, when 10 second history events are selected, the number of history events is 10.
204. Determine the intrusion risk prediction result of the target host according to the number of historical events.
The intrusion risk prediction result refers to a judgment result of whether the host has an intrusion risk. In the embodiment of the present application, the target event may refer to an event generated in real time in the target host, and thus, the intrusion risk prediction result obtained through steps 201 to 204 may refer to whether the operation corresponding to the target event is an intrusion operation.
In some embodiments, the probability that the operation corresponding to the target event occurs before the intrusion risk prediction is performed on the target host may be calculated according to the number of the historical events, and whether the target host has the intrusion risk is determined according to the probability. At this time, the step of determining the intrusion risk prediction result of the target host according to the number of the historical events may be implemented by:
(a) Count the total number of first historical events to obtain the total value of the historical events.
The total value of the historical events refers to the total number of first historical events, i.e. the total number of historical events whose event type is the target event type. If the electronic device has stored all events generated before the day of the intrusion risk prediction on the target host in different preset databases according to event type, obtaining a plurality of historical event databases storing the historical events, it can count the total number of historical events in the historical event database corresponding to the target event type to obtain the total value of the historical events.
(b) Calculate the first occurrence probability of the target event from the total value of the historical events and the number of historical events.
The first occurrence probability may be calculated as the ratio between the number of historical events and the total value of the historical events. For example, when the number of historical events is 10 and the total value of the historical events is 10000, the first occurrence probability is 0.1%.
The derivation of this calculation is illustrated below for the case where the target event type of the target event is a network connection event:
Let the target event $L_i$, whose target event type is a network connection event, denote that on the host with IP address $a_i$ the login user $u$ actively accesses port $p$ of the host with IP address $b_i$ at time $t$, i.e. the event occurrence time, login user identity, host IP address, target IP address and target port of the target event $L_i$ are $t$, $u$, $a_i$, $b_i$ and $p$ respectively. The occurrence probability of the event can then be calculated by formula (1):
$P(L_i) = P(a_i, u, t, b_i, p)$    formula (1)
where $t$, $u$, $a_i$, $b_i$ and $p$ are respectively the event occurrence time, login user identity, host IP address, target IP address and target port of the target event $L_i$, and $P(L_i)$ is the first occurrence probability.
Expanding formula (1) with the chain rule of conditional probability gives formula (2):
$P(L_i) = P(a_i)\,P(u \mid a_i)\,P(t \mid u, a_i)\,P(b_i \mid t, u, a_i)\,P(p \mid b_i, t, u, a_i)$    formula (2)
where $t$, $u$, $a_i$, $b_i$ and $p$ are as in formula (1), $P(L_i)$ is the first occurrence probability, $P(a_i)$ is the probability that host $a_i$ initiates a network access, $P(u \mid a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access, $P(t \mid u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access at time $t$, $P(b_i \mid t, u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access to the target host $b_i$ at time $t$, and $P(p \mid b_i, t, u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access to port $p$ of the target host $b_i$ at time $t$.
$P(a_i)$ can be calculated by formula (3):
$P(a_i) = \dfrac{m_i}{M}$    formula (3)
where $P(a_i)$ is the probability that host $a_i$ initiates a network access, $m_i$ is the number of network connection requests initiated by host $a_i$, i.e. the number of first historical events whose host IP address is $a_i$, and $M$ is the total value of the historical events.
$P(u \mid a_i)$ can be calculated by formula (4):
$P(u \mid a_i) = \dfrac{m_{iu}}{m_i}$    formula (4)
where $P(u \mid a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access, $m_i$ is the number of first historical events whose host IP address is $a_i$, and $m_{iu}$ is the number of historical events among those $m_i$ whose login user identity is $u$.
$P(t \mid u, a_i)$ can be calculated by formula (5):
$P(t \mid u, a_i) = \dfrac{m_{iut}}{m_{iu}}$    formula (5)
where $P(t \mid u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access at time $t$, $m_{iu}$ is as in formula (4), and $m_{iut}$ is the number of historical events among those $m_{iu}$ whose event occurrence time is $t$.
$P(b_i \mid t, u, a_i)$ can be calculated by formula (6):
$P(b_i \mid t, u, a_i) = \dfrac{m_{iutb_i}}{m_{iut}}$    formula (6)
where $P(b_i \mid t, u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access to the target host $b_i$ at time $t$, $m_{iut}$ is as in formula (5), and $m_{iutb_i}$ is the number of historical events among those $m_{iut}$ whose target IP address is $b_i$.
$P(p \mid b_i, t, u, a_i)$ can be calculated by formula (7):
$P(p \mid b_i, t, u, a_i) = \dfrac{m_{iutb_ip}}{m_{iutb_i}}$    formula (7)
where $P(p \mid b_i, t, u, a_i)$ is the probability that the login user $u$ on host $a_i$ initiates a network access to port $p$ of the target host $b_i$ at time $t$, $m_{iutb_i}$ is as in formula (6), and $m_{iutb_ip}$ is the number of historical events among those $m_{iutb_i}$ whose target port is $p$, i.e. the number of historical events of the second historical events containing the target event information.
Multiplying formulas (3) to (7) and cancelling the common terms gives formula (8):
$P(L_i) = \dfrac{m_i}{M} \cdot \dfrac{m_{iu}}{m_i} \cdot \dfrac{m_{iut}}{m_{iu}} \cdot \dfrac{m_{iutb_i}}{m_{iut}} \cdot \dfrac{m_{iutb_ip}}{m_{iutb_i}} = \dfrac{m_{iutb_ip}}{M}$    formula (8)
where $L_i$ is the target event, $P(L_i)$ is the first occurrence probability, $m_{iutb_ip}$ is the number of historical events among those $m_{iutb_i}$ whose target port is $p$, i.e. the number of historical events of the second historical events containing the target event information, and $M$ is the total value of the historical events.
It can be seen that the first occurrence probability can be calculated from the total value of the historical events and the number of historical events alone.
It should be noted that, when the target event type of the target event is a process creation event or a command operation event, the above calculation manner may still be referred to, and details thereof are not described herein.
(c) If the first occurrence probability is smaller than or equal to the target probability threshold corresponding to the target event type, judge that the target host has an intrusion risk.
If the first occurrence probability is smaller than or equal to the target probability threshold corresponding to the target event type, the target event is an event with small probability, and the event is possibly generated by intrusion operation.
In some embodiments, the target probability threshold may be determined according to formula (9):
$Tr = \min\left[P\left(L_{a_{x_1} u_{x_2} t_{x_3} b_{x_4} p_{x_5}}\right)\right],\quad x_1, x_2, x_3, x_4, x_5 \in Z$    formula (9)
where $Tr$ is the target probability threshold, $L_{a_{x_1} u_{x_2} t_{x_3} b_{x_4} p_{x_5}}$ denotes a first historical event whose event occurrence time, login user identity, host IP address, target IP address and target port are $t_{x_3}$, $u_{x_2}$, $a_{x_1}$, $b_{x_4}$ and $p_{x_5}$ respectively, $P(L_{a_{x_1} u_{x_2} t_{x_3} b_{x_4} p_{x_5}})$ is the occurrence probability of that first historical event, and $Z$ is the set of positive integers. For example, if there are 2 first historical events whose event occurrence time, login user identity, host IP address, target IP address and target port are $t_{x_3}$, $u_{x_2}$, $a_{x_1}$, $b_{x_4}$ and $p_{x_5}$, and the total value of the historical events is 10000, then $P(L_{a_{x_1} u_{x_2} t_{x_3} b_{x_4} p_{x_5}})$ is 0.2%. In other words, the electronic device groups the first historical events according to their event information to obtain a plurality of historical event sets, where the first historical events in each set contain the same event information, so that each set can be regarded as corresponding to one operation. The electronic device then selects, as the target set, the set whose first historical events have the smallest occurrence probability, and takes the occurrence probability of the first historical events in the target set, i.e. the minimum in formula (9), as the target probability threshold. When the first occurrence probability is smaller than this threshold, the operation corresponding to the target event is the rarest operation since the system to which the target host belongs was put into use, so the operation corresponding to the target event may be an intrusion operation and the target host has an intrusion risk.
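As an added illustration of steps 202 to 204 and of formulas (2) to (9) (example code written for this page, not code from the patent or its assignee), the following Python computes the first occurrence probability both as the count ratio of formula (8) and as the product of the conditional factors of formula (2), and derives the target probability threshold of formula (9) from the same history. The event records, IP addresses, users and ports are constructed sample data.

```python
from collections import Counter
from fractions import Fraction

# Event records: (event_type, *event_information). For a network connection event ("net")
# the event information is (t, u, a_i, b_i, p): occurrence time period, login user, host IP,
# target IP, target port, as in formula (1). Constructed sample history, not data from the patent.
HISTORY = (
    [("net", 10, "root", "100.10.1.10", "100.10.2.20", 8000)] * 3
    + [("net", 10, "root", "100.10.1.10", "100.10.2.20", 443)] * 2
    + [("net", 9, "alice", "100.10.1.11", "100.10.2.21", 22)] * 4
    + [("net", 2, "root", "100.10.1.10", "100.10.2.30", 3306)] * 1
    + [("proc", 10, "root", "100.10.1.10", "sshd")] * 2          # filtered out in step 202
    + [("cmd", 10, "root", "100.10.1.10", "root", "ls -la")] * 1  # filtered out in step 202
)

# Order of the conditional factors in formula (2): a_i, u, t, b_i, p, given as positions
# inside the event information tuple (t, u, a_i, b_i, p).
CHAIN_ORDER = {"net": (2, 1, 0, 3, 4)}


def first_historical_events(history, event_type):
    """Step 202: historical events whose event type equals the target event type."""
    return [e for e in history if e[0] == event_type]


def history_event_count(first, info):
    """Step 203: number of second historical events, i.e. first historical events whose
    event information equals the target event information (the same operation)."""
    return sum(1 for e in first if e[1:] == info)


def first_occurrence_probability(history, target):
    """Formula (8): P(L_i) = m_iutbip / M, as an exact Fraction (0 when there is no history)."""
    first = first_historical_events(history, target[0])
    if not first:
        return Fraction(0)
    return Fraction(history_event_count(first, target[1:]), len(first))


def chain_rule_probability(first, info, order):
    """Formulas (2)-(7): P(a_i) * P(u|a_i) * P(t|u,a_i) * P(b_i|t,u,a_i) * P(p|b_i,t,u,a_i),
    each factor being a count ratio that narrows the matched set by one more field.
    The ratios telescope, so the result equals formula (8)."""
    matched, prob = list(first), Fraction(1)
    for idx in order:
        if not matched:               # an earlier factor was 0, so the product is 0
            return Fraction(0)
        narrowed = [e for e in matched if e[1 + idx] == info[idx]]
        prob *= Fraction(len(narrowed), len(matched))
        matched = narrowed
    return prob


def target_probability_threshold(history, event_type):
    """Formula (9): Tr = min over every operation seen in the first historical events of its
    occurrence probability, i.e. the probability of the rarest operation of this type so far."""
    first = first_historical_events(history, event_type)
    if not first:
        return Fraction(0)
    per_operation = Counter(e[1:] for e in first)
    return Fraction(min(per_operation.values()), len(first))


def predict_single_dimension(history, target):
    """Step 204 (c): intrusion risk if P(L_i) <= Tr of the target event type."""
    return first_occurrence_probability(history, target) <= target_probability_threshold(
        history, target[0])


if __name__ == "__main__":
    targets = [
        ("net", 10, "root", "100.10.1.10", "100.10.2.20", 8000),  # common operation
        ("net", 2, "root", "100.10.1.10", "100.10.2.30", 3306),   # rarest operation seen
        ("net", 3, "root", "100.10.1.10", "100.10.2.99", 5432),   # never seen before
    ]
    net_first = first_historical_events(HISTORY, "net")
    print("Tr(net) =", target_probability_threshold(HISTORY, "net"))
    for t in targets:
        p8 = first_occurrence_probability(HISTORY, t)
        p2 = chain_rule_probability(net_first, t[1:], CHAIN_ORDER["net"])
        print(t, "formula (8):", p8, "formula (2):", p2, "risk:", predict_single_dimension(HISTORY, t))
```

Note that with the threshold of formula (9) a target event that matches the rarest operation in the history has P(L_i) equal to Tr and is still reported, because step (c) uses "smaller than or equal to".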
After determining the intrusion risk prediction result of the target host, if the intrusion risk prediction result is that the target host has the risk of being intruded, the target event can be stored in a corresponding preset real-time alarm pool.
The preset real-time alert pool is a database for storing events. In some embodiments, one preset real-time alert pool is used per event type to store the real-time events of that type whose occurrence probability has been judged; in other embodiments, a single preset real-time alert pool may be used to store all real-time events whose occurrence probability has been judged.
In summary, the host intrusion risk prediction method provided by the embodiment of the application includes: acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event; according to the target event type, selecting a first historical event from preset historical events; selecting a second historical event containing the target event information from the first historical event to obtain the number of the historical events of the second historical event; and determining an intrusion risk prediction result of the target host according to the number of the historical events. Therefore, the host intrusion risk prediction method provided by the embodiment of the application queries the second historical event from the historical events, obtains the historical generation times of the operation corresponding to the target event according to the number of the historical events of the second historical event, evaluates the possibility that the operation corresponding to the target event is an intrusion operation through the information advantage of big data, and further determines the intrusion risk prediction result of the target host. On the other hand, compared with the traditional method, the host intrusion risk prediction method provided by the embodiment of the application does not need to specially set a specific detection rule for each intrusion mode and each method, so that the operation cost and the detection cost can be greatly reduced.
If the prediction is performed only from the first occurrence probability of the target event, when the normal service on the target host is adjusted to cause the operation corresponding to the target event to be different from the previous operation, the intrusion risk prediction result provided above may generate false alarm. Therefore, in order to improve the accuracy of intrusion risk prediction, the intrusion risk prediction result of the target host can be comprehensively judged by combining the target event and the real-time event which contains the same login user identity and event occurrence time as the target event.
Referring to fig. 3, at this time the step of determining that the target host has an intrusion risk includes:
301. If the first occurrence probability is smaller than or equal to the target probability threshold corresponding to the target event type, acquire the associated events of the target event.
The host address, the login user identity and the event occurrence time contained in the event information of the associated event are the same as the host address, the login user identity and the event occurrence time contained in the target event information. The host address refers to an IP address of the host, and the explanation of the IP address of the host may be referred to above, which is not described herein.
In the embodiment of the present application, the associated event may refer to a real-time event, where the definition of real-time may be adjusted according to the service requirement, and details are not repeated.
In the embodiment of the application, the associated events can be acquired by reading the event logs of the hosts. When the first occurrence probability is determined to be smaller than or equal to the target probability threshold corresponding to the target event type, the electronic device may first store the target event in the corresponding preset real-time alert pool according to the target event type. It then collects event logs from the host cluster where the target host is located through a preset component and sends them to a preset log processing server, which forwards the received event logs to a real-time data stream; the electronic device reads the event logs from the real-time data stream and compares the host address, login user identity and event occurrence time contained in the target event information with the host address, login user identity and event occurrence time recorded in each event log to obtain the associated events. For example, the electronic device may collect the event logs from the host cluster where the target host is located using a component of a host-based intrusion detection system, transmit them to a preset log processing server, and have the log processing server transmit the received event logs to a Kafka real-time data stream, from which the electronic device reads the event logs.
It should be noted that, the event type of the related event may be the target event type or may not be the target event type, and the following is exemplified as an example:
assume that the target event type of the target event is a network connection event, and the host address, the login user identity, and the event occurrence time contained in the target event information are respectively: 100.10.1.10, root, 10, wherein 10 corresponding to the event occurrence time means that the connection time is in a time period of 10:00-11:00 in one day, and specific reference may be made to the above description. In step 301, the electronic device screens the real-time event for the host address, the login user identity and the event occurrence time, which are respectively: 100.10.1.10, root, 10 to get the associated event. At this time, the event type of the associated event may be the target event type, or may be one of a process creation event and a command operation event.
302. Acquire the second occurrence probability of each associated event, and determine the risk events among the associated events according to the second occurrence probabilities.
The method for obtaining the second occurrence probability of the associated event may refer to the method for obtaining the first occurrence probability, which is not described herein in detail. If the second occurrence probability of an associated event is smaller than or equal to the probability threshold value corresponding to the event type of the associated event, the occurrence probability of the associated event is extremely low, and the associated event can be judged to be a risk event.
The risk event refers to that the operation corresponding to the event may be an intrusion operation, so in the embodiment of the present application, the risk event in the associated event refers to that the host address, the login user identity and the event occurrence time in the corresponding event information are the same as the host address, the login user identity and the event occurrence time in the target event information, and the occurrence probability is less than or equal to the corresponding probability threshold, and the corresponding operation may be a real-time event of the intrusion operation.
It should be noted that, each step in the embodiment of the present application is only for convenience of description, and each flow in the steps may be sequentially adjusted. For example, the occurrence probability of each real-time event may be compared with the probability threshold corresponding to each real-time event, the real-time event whose occurrence probability is smaller than or equal to the corresponding probability threshold is stored in a preset real-time alert pool, and then the real-time event in the preset real-time alert pool is screened according to the host address, the login user identity and the event occurrence time of the target event, so as to obtain the associated risk event of the target event, and the description of the preset real-time alert pool may refer to the above, which is not repeated specifically.
303. Count the event types of the risk events among the associated events together with the event type of the target event to obtain the number of event types.
The number of event types refers to the number of distinct event types in the set formed by the target event and its associated risk events. If the associated risk events of the target event include a real-time event whose event type is a process creation event and one whose event type is a command operation event, and the target event type of the target event is a network connection event, the number of event types is 3. In another example, if the associated risk events of the target event only include a real-time event whose event type is a process creation event, and the target event type of the target event is a network connection event, the number of event types is 2.
304. If the number of event types is greater than or equal to a preset number, judge that the target host has an intrusion risk.
If the number of event types is greater than or equal to the preset number, this indicates that the same login user performed suspected intrusion operations in several of the three dimensions of network connection, process creation and command operation on the same host in the same period, so the target host can be judged to have an intrusion risk. Compared with the method of steps 201 to 204, the method of steps 301 to 304 is more accurate and avoids misjudgments caused by judging in a single dimension.
The preset number may be set according to the requirements of the scenario. For example, when the target event type is one of a network connection event, a process creation event and a command operation event, the preset number may be set to 2, i.e. as soon as the target host is considered to have an intrusion risk in more than one dimension, it is judged that the target host has an intrusion risk.
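As an added illustration of steps 301 to 304 (example code written for this page, not from the patent), the following Python associates a rare target event with the real-time events that share its host address, login user identity and event occurrence time, keeps those whose occurrence probability is at or below the threshold of their own event type, and counts the event types. It also covers the false-alarm case discussed above, where a never-seen network connection with no rare associated event in another dimension is not reported. The history, real-time events and the preset number 2 are constructed sample data.

```python
from collections import Counter
from fractions import Fraction

# Event records: (event_type, time period, login user, host IP, ...type-specific fields), so
# record[1:4] is the (time, user, host) triple used to associate events in step 301.
# Constructed sample data, not from the patent.
HISTORY = (
    [("net", 10, "root", "100.10.1.10", "100.10.2.20", 8000)] * 5
    + [("net", 10, "root", "100.10.1.10", "100.10.2.20", 443)] * 3
    + [("net", 9, "alice", "100.10.1.11", "100.10.2.21", 22)] * 2
    + [("proc", 10, "root", "100.10.1.10", "sshd")] * 5
    + [("proc", 9, "alice", "100.10.1.11", "bash")] * 3
    + [("proc", 9, "alice", "100.10.1.11", "sshd")] * 1
    + [("cmd", 10, "root", "100.10.1.10", "root", "ls -la")] * 4
    + [("cmd", 9, "alice", "100.10.1.11", "alice", "cat /etc/hostname")] * 2
)

# Real-time events of the current day (constructed), including the two target events below.
TARGET_A = ("net", 10, "root", "100.10.1.10", "100.10.2.40", 5432)  # never seen before
TARGET_B = ("net", 9, "alice", "100.10.1.11", "100.10.2.21", 2222)  # never seen before
REALTIME = [
    TARGET_A,
    ("proc", 10, "root", "100.10.1.10", "curl"),                # same host/user/hour as A, new
    ("cmd", 10, "root", "100.10.1.10", "root", "ls -la"),       # same host/user/hour as A, common
    ("net", 10, "root", "100.10.1.10", "100.10.2.20", 443),     # same host/user/hour as A, common
    TARGET_B,
    ("proc", 9, "alice", "100.10.1.11", "bash"),                # same host/user/hour as B, common
]
PRESET_NUMBER = 2


def occurrence_probability(history, event):
    """Formula (8): events of the same type with identical event information / all of that type."""
    first = [e for e in history if e[0] == event[0]]
    if not first:
        return Fraction(0)
    return Fraction(sum(1 for e in first if e[1:] == event[1:]), len(first))


def probability_threshold(history, event_type):
    """Formula (9): occurrence probability of the rarest operation of this event type."""
    first = [e for e in history if e[0] == event_type]
    if not first:
        return Fraction(0)
    return Fraction(min(Counter(e[1:] for e in first).values()), len(first))


def is_rare(history, event):
    """Step (c) / step 302: occurrence probability at or below the threshold of its type."""
    return occurrence_probability(history, event) <= probability_threshold(history, event[0])


def associated_events(realtime, target):
    """Step 301: other real-time events with the same host address, login user and time period."""
    return [e for e in realtime if e is not target and e[1:4] == target[1:4]]


def predict_multi_dimension(history, realtime, target, preset_number=PRESET_NUMBER):
    """Steps 301-304 applied after step (c). Returns the intermediate results as a dict."""
    result = {"single_dimension_risk": is_rare(history, target), "risk_events": [],
              "event_type_count": 0, "intrusion_risk": False}
    if not result["single_dimension_risk"]:
        return result  # step 301 is only entered for a target event that is rare on its own
    # Step 302: associated events whose second occurrence probability is below their threshold.
    result["risk_events"] = [e for e in associated_events(realtime, target) if is_rare(history, e)]
    # Step 303: distinct event types among the target event and its associated risk events.
    result["event_type_count"] = len({target[0]} | {e[0] for e in result["risk_events"]})
    # Step 304: several dimensions look suspicious at once for the same user, host and period.
    result["intrusion_risk"] = result["event_type_count"] >= preset_number
    return result


if __name__ == "__main__":
    for name, target in (("A", TARGET_A), ("B", TARGET_B)):
        print(name, predict_multi_dimension(HISTORY, REALTIME, target))
```

Target A is reported because a never-seen process creation by the same user on the same host in the same period joins the rare network connection; target B is rare in the network dimension alone and is dropped, which is the service-adjustment false alarm the single-dimension method would raise.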
After determining that the target host has an intrusion risk in steps 301-304, the electronic device may generate an alert work order according to the associated risk event and the target event of the target event, and display information in the alert work order on a preset target terminal. The embodiment of the application does not limit the type of the target terminal, and the target terminal can be a smart phone, an express logistics management platform and the like.
In addition, the electronic device may also update the historical event database in real-time if the historical event is stored in the historical event database. For example, when the event generated by the host computer on the day when the steps 201-204 are executed is defined as a real-time event, the electronic device may store the real-time event generated on the day into the historical event database according to the corresponding event type, so as to update the historical event database in real time, and the description of the historical event database may refer to the above, which is not described in detail.
In order to better implement the host intrusion risk prediction method in the embodiment of the present application, a schematic diagram of a host system is further provided in the embodiment of the present application, and referring to fig. 4, the host system in fig. 4 includes each host module, a host-based intrusion detection module, a log centralization module, a Hadoop distributed file module, a Kafka module, each historical event database module, each preset real-time alarm pool module, a persistent library module, and a work order system module.
The following describes, by way of example and with reference to fig. 4, the intrusion risk prediction flow and the functionality of the host intrusion risk prediction system of fig. 4 from the perspective of the host system as a whole:
(A) The host-based intrusion detection module reads the event logs of each host module and gathers them into the log aggregation module.
(B) The log aggregation module sends the event logs it has collected to the Kafka module, which yields the real-time events. For each real-time event, the first historical events are then selected, according to the event type of that real-time event in the Kafka module, from the corresponding historical event database module; historical event database module 1, historical event database module 2 and historical event database module 3 may correspond respectively to the event types network connection event, process creation event and command operation event. At the same time, the total historical event value corresponding to each real-time event is counted.
(C) According to the event information of each real-time event, the second historical events of that real-time event are selected from its first historical events, and the number of historical events of the second historical events corresponding to each real-time event is counted at the same time.
(D) The real-time prediction module calculates the first occurrence probability of each real-time event from the total historical event value corresponding to that real-time event and the number of historical events of its second historical events.
(E) A probability threshold corresponding to each real-time event is selected according to the event type of the real-time event, the first occurrence probability of each real-time event is compared with the corresponding probability threshold, and the real-time events whose first occurrence probability is smaller than or equal to the corresponding probability threshold are stored in the preset real-time alarm pool module 1.
(F) The real-time events are correlated according to their host address, login user identity and event occurrence time to obtain a plurality of correlated real-time event sets, each of which comprises a real-time event and the correlated risk events corresponding to it, and the real-time event sets are transmitted to the preset real-time alarm pool module 2. Meanwhile, the data in the preset real-time alarm pool module 1 and the preset real-time alarm pool module 2 are stored in the persistence library module.
(G) According to the real-time event sets in the preset real-time alarm pool module 2, the intrusion risk prediction result of each host is determined; an alarm work order is generated by the work order system according to the real-time event sets in the preset real-time alarm pool module 2 and displayed on the target terminal.
(H) Assuming that a real-time event is defined in this example as an event generated by a host on the current day, the real-time events of the current day in the Kafka module are persisted every day into the historical event database modules through the Hadoop distributed file module, so that each historical event database module is kept up to date.
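As an added illustration of steps (B) through (G) above, the following constructed Python example (not the patent's own implementation) scores a current-day event against per-type historical event libraries and then correlates it with the other events of the same host, user and hour. The event fields, the hour-bucketed occurrence time, the sample events, the preset number of event types (2) and the reading of the threshold's "occurrence probability sum" as set size divided by the total historical event value are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_type: str  # "net_conn", "proc_create" or "cmd_op"
    host: str        # host address
    user: str        # login user identity
    time: str        # event occurrence time, bucketed to the hour (assumption)
    info: str        # event-specific content matched against "second" historical events


def first_occurrence_probability(history, target):
    """Step (D): |second historical events| / total historical event value."""
    first = history[target.event_type]                    # same event type
    second = [e for e in first if e.info == target.info]  # same event information
    return len(second) / len(first)


def probability_threshold(history, event_type):
    """Threshold = minimum probability sum over sets of identical event information (assumed reading)."""
    first = history[event_type]
    counts = Counter(e.info for e in first)
    return min(n / len(first) for n in counts.values())


def risk_events(history, realtime, target, thresholds):
    """Step (F): associated events (same host, user, time) that are themselves rare."""
    key = (target.host, target.user, target.time)
    assoc = [e for e in realtime if e != target and (e.host, e.user, e.time) == key]
    return [e for e in assoc
            if first_occurrence_probability(history, e) <= thresholds[e.event_type]]


def predict(history, realtime, target, min_types=2):
    """Steps (D)-(G): return (host at risk?, event types involved)."""
    thresholds = {t: probability_threshold(history, t) for t in history}
    if first_occurrence_probability(history, target) > thresholds[target.event_type]:
        return False, set()                               # common event: no alarm
    risky = risk_events(history, realtime, target, thresholds)
    types = {target.event_type} | {e.event_type for e in risky}
    return len(types) >= min_types, types


# Constructed historical event libraries, one per event type (database modules 1-3).
HISTORY = {
    "cmd_op": [Event("cmd_op", "h1", "ops", "2022-03-22T09", "ls -la")] * 40
    + [Event("cmd_op", "h1", "ops", "2022-03-22T10", "cat /etc/hosts")] * 10
    + [Event("cmd_op", "h1", "ops", "2022-03-22T11", "df -h")] * 2,
    "net_conn": [Event("net_conn", "h1", "svc", "2022-03-22T09", "dst:443")] * 30
    + [Event("net_conn", "h1", "ops", "2022-03-22T09", "dst:22")] * 5,
    "proc_create": [Event("proc_create", "h1", "svc", "2022-03-22T09", "sshd")] * 20
    + [Event("proc_create", "h1", "root", "2022-03-22T09", "cron")] * 3,
}
# Constructed real-time events of the current day (step (H) definition).
TARGET = Event("cmd_op", "h1", "svc", "2022-03-23T02", "chmod +x /tmp/x")  # never seen
REALTIME = [
    TARGET,
    Event("net_conn", "h1", "svc", "2022-03-23T02", "dst:4444"),  # never seen
    Event("proc_create", "h1", "svc", "2022-03-23T02", "sshd"),   # common
    Event("cmd_op", "h2", "ops", "2022-03-23T02", "ls -la"),      # other host
]

if __name__ == "__main__":
    print(predict(HISTORY, REALTIME, TARGET))  # (True, {'cmd_op', 'net_conn'})
```

A never-seen event has probability 0 and therefore always falls at or below the threshold, which is why the second stage (correlation with other rare events of the same host, user and time) is what separates an isolated oddity from a multi-type pattern worth a work order.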
In order to better implement the host intrusion risk prediction method of the embodiment of the present application, the embodiment further provides, on the basis of that method, a host intrusion risk prediction apparatus. Fig. 5 is a schematic structural diagram of an embodiment of the host intrusion risk prediction apparatus, where the host intrusion risk prediction apparatus 400 includes:
an obtaining unit 401, configured to obtain a target event in a target host to be predicted, and a target event type and target event information of the target event;
a first selection unit 402, configured to select, according to the target event type, a first historical event from preset historical events;
a second selection unit 403, configured to select, from the first historical events, the second historical events that contain the target event information, and obtain the number of historical events of the second historical events;
and the determining unit 404 is configured to determine an intrusion risk prediction result of the target host according to the number of the historical events.
In a possible implementation of the present application, the determining unit 404 is further configured to:
counting the total number of the first historical events to obtain a total value of the historical events;
calculating a first occurrence probability of the target event according to the total historical event value and the number of the historical events;
and if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, judging that the target host has intrusion risk.
In a possible implementation of the present application, the determining unit 404 is further configured to:
if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, acquiring a related event of the target event, wherein a host address, a login user identity and event occurrence time contained in event information of the related event are the same as the host address, the login user identity and the event occurrence time contained in the target event information;
acquiring a second occurrence probability of each associated event, and determining the risk events among the associated events according to the second occurrence probabilities;
counting the event types of the risk events in the associated events and the event types of the target events to obtain the number of the event types;
and if the number of the event types is greater than or equal to the preset number, judging that the target host has an intrusion risk.
In a possible implementation of the present application, the determining unit 404 is further configured to:
generating an alarm work order according to the risk event and the target event in each associated event;
and displaying the alarm work order on a preset target terminal.
In a possible implementation of the present application, the determining unit 404 is further configured to:
classifying the first historical events according to the event information of each first historical event to obtain a plurality of historical event sets, wherein the event information of the first historical events in each historical event set is the same;
determining the occurrence probability sum of the first historical events in each historical event set according to the total historical event value and the number of the first historical events in each historical event set;
and setting the minimum occurrence probability sum as the target probability threshold corresponding to the target event type.
In a possible implementation of the present application, the first selection unit 402 is further configured to:
extracting the historical events of each host from a host cluster containing the target host;
storing each historical event in each preset database according to the event type to obtain each historical event library;
selecting a target historical event library from the historical event libraries according to the target event type;
and extracting the historical events in the target historical event library to obtain the first historical events.
In implementation, each of the above units may be implemented as an independent entity, or any combination of them may be implemented as one entity or as several entities; for the implementation of each unit, reference may be made to the foregoing method embodiment, which is not repeated here.
The host intrusion risk prediction apparatus can execute the steps of the host intrusion risk prediction method of any embodiment, and can therefore achieve the beneficial effects of the host intrusion risk prediction method of any embodiment of the present application; a detailed description is omitted here.
In addition, in order to better implement the host intrusion risk prediction method of the embodiment of the present application, the embodiment further provides, on the basis of that method, an electronic device. Referring to fig. 6, which is a schematic structural diagram of the electronic device of the embodiment of the present application, the electronic device includes a processor 501, where the processor 501 is configured to implement each step of the host intrusion risk prediction method of any embodiment when executing a computer program stored in a memory 502; alternatively, the processor 501 may be configured to implement the functions of the modules of the embodiment shown in fig. 5 when executing the computer program stored in the memory 502.
By way of example, the computer program may be partitioned into one or more modules/units that are stored in the memory 502 and executed by the processor 501 to complete the embodiment of the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing particular functions, the instruction segments being used to describe the execution of the computer program in the computer device.
The electronic device may include, but is not limited to, the processor 501 and the memory 502. Those skilled in the art will appreciate that the illustration is merely an example of an electronic device and does not limit it; the electronic device may include more or fewer components than illustrated, combine certain components, or have different components.
The processor 501 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor; the processor is the control center of the electronic device and connects the various parts of the whole electronic device through various interfaces and lines.
The memory 502 may be used to store the computer program and/or modules, and the processor 501 implements the various functions of the computer device by running or executing the computer program and/or modules stored in the memory 502 and invoking the data stored in the memory 502. The memory 502 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function or an image playing function), and the like; the data storage area may store data created according to the use of the electronic device (such as audio data or video data), and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one disk storage device, a flash memory device, or other volatile solid-state storage device.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the host intrusion risk prediction apparatus, the electronic device and the corresponding units described above may refer to the description of the host intrusion risk prediction method in any embodiment, and the description is not repeated herein.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions or by controlling associated hardware, which may be stored on a readable storage medium and loaded and executed by a processor.
Therefore, the embodiment of the present application provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps in the host intrusion risk prediction method in any embodiment of the present application, and specific operations may refer to the description of the host intrusion risk prediction method in any embodiment, which is not described herein.
The readable storage medium may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
Since the instructions stored in the readable storage medium can execute the steps of the host intrusion risk prediction method of any embodiment of the present application, the beneficial effects of the host intrusion risk prediction method of any embodiment of the present application can be achieved; these are described in detail above and are not repeated here.
The host intrusion risk prediction method, apparatus, storage medium and electronic device provided by the embodiments of the present application have been described in detail above, and specific examples have been used to explain the principles and implementations of the present application; the description of the above embodiments is intended only to help understand the method and core ideas of the present application. Meanwhile, since those skilled in the art will make changes to the specific embodiments and application scope in light of the ideas of the present application, the content of this description should not be construed as limiting the present application.

Claims (10)

1. A host intrusion risk prediction method, comprising:
acquiring a target event in a target host to be predicted, and a target event type and target event information of the target event;
according to the target event type, selecting a first historical event from preset historical events;
selecting a second historical event containing the target event information from the first historical event to obtain the number of the historical events of the second historical event;
and determining an intrusion risk prediction result of the target host according to the number of the historical events.
2. The method of claim 1, wherein determining the intrusion risk prediction result of the target host according to the number of historical events comprises:
counting the total number of the first historical events to obtain a total value of the historical events;
calculating a first occurrence probability of the target event according to the total historical event value and the number of the historical events;
and if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, judging that the target host has intrusion risk.
3. The method of claim 2, wherein determining that the target host has an intrusion risk if the first occurrence probability is less than or equal to a target probability threshold corresponding to the target event type, comprises:
if the first occurrence probability is smaller than or equal to a target probability threshold corresponding to the target event type, acquiring a related event of the target event, wherein a host address, a login user identity and event occurrence time contained in event information of the related event are the same as the host address, the login user identity and the event occurrence time contained in the target event information;
acquiring second occurrence probability of each associated event, and determining a risk event in each associated event according to each second occurrence probability;
counting the event types of the risk events in the associated events and the event types of the target events to obtain the number of the event types;
and if the number of the event types is greater than or equal to the preset number, judging that the target host has an intrusion risk.
4. The method for predicting risk of intrusion of a host according to claim 3, wherein after determining that the target host has risk of intrusion if the number of event types is greater than or equal to a preset number, the method further comprises:
generating an alarm work order according to the risk event and the target event in each associated event;
and displaying the alarm work order on a preset target terminal.
5. The method for predicting risk of intrusion of a host according to claim 2, wherein if the first occurrence probability is less than or equal to a target probability threshold corresponding to the target event type, before determining that the target host has an intrusion risk, the method further comprises:
classifying the first historical events according to the event information of each first historical event to obtain a plurality of historical event sets, wherein the event information of the first historical events in each historical event set is the same;
determining the occurrence probability sum of the first historical events in each historical event set according to the total historical event value and the number of the first historical events in each historical event set;
and setting the minimum occurrence probability sum as a target probability threshold corresponding to the target event type.
6. The host intrusion risk prediction method according to claim 1, wherein the event type of the target event comprises one of a network connection event, a process creation event, and a command operation event.
7. The method according to any one of claims 1-6, wherein before the selecting a first historical event from the preset historical events according to the target event type, the method further comprises:
extracting historical events of each host from a host cluster containing target hosts;
storing each historical event in each preset database according to the event type to obtain each historical event library;
the selecting, according to the target event type, a first historical event from preset historical events includes:
selecting a target historical event library from the historical event libraries according to the target event type;
and extracting the historical events in the target historical event library to obtain a first historical event.
8. A host intrusion risk prediction apparatus, comprising:
an acquisition unit, configured to acquire a target event in a target host to be predicted, and a target event type and target event information of the target event;
the first selection unit is used for selecting a first historical event from preset historical events according to the target event type;
the second selection unit is used for selecting a second historical event containing the target event information from the first historical events to obtain the number of the historical events of the second historical event;
and the determining unit is used for determining an intrusion risk prediction result of the target host according to the number of the historical events.
9. An electronic device comprising a processor, a memory and a computer program stored in the memory and executable on the processor, the processor implementing the steps in the host intrusion risk prediction method according to any one of claims 1 to 7 when the computer program is executed by the processor.
10. A readable storage medium, characterized in that it has stored thereon a computer program, which when executed by a processor, implements the steps of the host intrusion risk prediction method according to any one of claims 1 to 7.
CN202210288662.8A 2022-03-22 2022-03-22 Host intrusion risk prediction method and device, electronic equipment and readable storage medium Pending CN116827571A (en)


Publications (1)

Publication Number Publication Date
CN116827571A true CN116827571A (en) 2023-09-29

Family

ID=88111447


Country Status (1)

Country Link
CN (1) CN116827571A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination