CN117009962A - Anomaly detection method, device, medium and equipment based on effective label - Google Patents

Info

Publication number
CN117009962A
Authority
CN
China
Prior art keywords
monitoring
detection
target
effective
subsequence
Legal status
Granted
Application number
CN202311290891.4A
Other languages
Chinese (zh)
Other versions
CN117009962B (en)
Inventor
陈伟胜
孙洪伟
肖新光
Current Assignee
Shenzhen Antan Network Security Technology Co ltd
Original Assignee
Shenzhen Antan Network Security Technology Co ltd
Events
Application filed by Shenzhen Antan Network Security Technology Co ltd
Priority to CN202311290891.4A
Publication of CN117009962A
Application granted
Publication of CN117009962B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/24 Classification techniques > G06F18/243 Classification techniques relating to the number of classes > G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/25 Fusion techniques > G06F18/254 Fusion techniques of classification results, e.g. of results related to same input data > G06F18/256 Fusion techniques of classification results of results relating to different input data, e.g. multimodal recognition
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 Monitoring during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow > G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The present invention relates to the field of data processing, and in particular to an anomaly detection method, apparatus, medium and device based on an effective (valid) tag. The method comprises the following steps: running the executable file to be detected that corresponds to the target event in a sandbox, and switching on the monitoring policies corresponding to all monitoring identifiers included in all valid detection subsequences in order to monitor its run-time behavior; each time the monitoring policy corresponding to a monitoring identifier in any valid detection subsequence is hit, performing validity update processing on every target detection subsequence; and when the monitoring policies corresponding to all monitoring identifiers included in any abnormal behavior detection sequence have been hit, determining that the target event exhibits the attack behavior corresponding to that abnormal behavior detection sequence. In the invention, some valid detection subsequences can be turned into invalid detection subsequences, so the number of valid detection subsequences that are switched on is reduced, and with it the consumption of computing resources.

Description

Anomaly detection method, device, medium and equipment based on effective label
Technical Field
The present invention relates to the field of data processing, and in particular, to an anomaly detection method, apparatus, medium, and device based on an effective tag.
Background
The attributes and behavior characteristics of the many kinds of event information on current terminal devices are numerous and change rapidly, and an event's features may shift back and forth between a secure state and a threat state. So that security analysts can immediately observe the current tag states of the various event information and the distribution of threat tags across the terminals in the network, and thereby grasp the network's security situation in order to respond and handle it, events are generally profiled.
In the prior art, the degree of abnormality of the executable file corresponding to a target event can be determined from the profile description information output for the target event. Some suspicious executable files are then tested further to determine more accurately whether they are abnormal. In that further detection, all abnormal-behavior monitoring policies are usually switched on, and this anomaly detection consumes considerable computing resources.
Disclosure of Invention
To address the technical problem that anomaly detection consumes considerable computing resources, the invention adopts the following technical scheme.
According to one aspect of the present invention, there is provided an anomaly detection method based on an effective tag, the method including the following steps:
acquiring a plurality of abnormal behavior detection sequences; each abnormal behavior detection sequence comprises the monitoring identifiers corresponding to attack sub-behaviors that are initiated in order;
generating a target detection subsequence corresponding to each abnormal behavior detection sequence according to the effective identification bit in that abnormal behavior detection sequence; the target detection subsequence is the sequence of monitoring identifiers running from the monitoring identifier at the effective identification bit to the last monitoring identifier of the abnormal behavior detection sequence;
configuring a valid tag or an invalid tag for each target detection subsequence, respectively;
running the executable file to be detected that corresponds to the target event in a sandbox, and switching on the monitoring policies corresponding to all monitoring identifiers included in all valid detection subsequences in order to monitor its run-time behavior; a valid detection subsequence is a target detection subsequence that carries a valid tag;
each time the monitoring policy corresponding to a monitoring identifier in any valid detection subsequence is hit, performing validity update processing on every target detection subsequence, and returning to the step of switching on the monitoring policies corresponding to all monitoring identifiers included in all valid detection subsequences for run-time behavior monitoring;
when the monitoring policies corresponding to all monitoring identifiers included in any abnormal behavior detection sequence have been hit, determining that the attack behavior corresponding to that abnormal behavior detection sequence exists in the target event;
the validity update process includes:
matching the target update identifier against each valid target monitoring identifier; the target update identifier is the monitoring identifier corresponding to the monitoring policy that has just been hit; a valid target monitoring identifier is the monitoring identifier at the current effective identification bit of a valid detection subsequence;
if the match fails and the valid target monitoring identifier belongs to at least one pre-valid detection sequence, changing the valid tag of the valid detection subsequence to which that valid target monitoring identifier belongs to an invalid tag; a pre-valid detection sequence is the sequence of monitoring identifiers that follows the monitoring identifier at the current effective identification bit in a valid detection subsequence to which the target update identifier belongs;
if the match succeeds, moving the effective identification bit of the valid detection subsequence to which that valid target monitoring identifier belongs one position backwards, thereby generating a new valid detection subsequence.
Further, the validity update process further includes:
matching the target update identifier against each invalid target monitoring identifier; an invalid target monitoring identifier is the monitoring identifier at the current effective identification bit of an invalid detection subsequence; an invalid detection subsequence is a target detection subsequence that carries an invalid tag;
if the match succeeds, moving the effective identification bit of the invalid detection subsequence to which that invalid target monitoring identifier belongs one position backwards, thereby generating a new invalid detection subsequence;
and changing the invalid tag of the new invalid detection subsequence to a valid tag.
Further, configuring a valid tag or an invalid tag for each target detection subsequence, respectively, includes:
before run-time behavior monitoring starts, configuring valid tags for all target detection subsequences;
after run-time behavior monitoring starts, configuring a valid tag or an invalid tag for each target detection subsequence according to the result of the validity update processing.
Further, before the executable file to be tested corresponding to the target event is run in the sandbox, the method further includes:
acquiring the hash value of the initial executable file corresponding to the target event;
and determining, according to the hash value of the initial executable file, that the initial executable file is the executable file to be tested.
Further, obtaining the hash value of the initial executable file corresponding to the target event includes:
acquiring a judging rule set and a judging value set corresponding to a target event; the judging rule set comprises a plurality of judging rules, and each judging rule comprises a corresponding rule hit path and judging information; the judging value set comprises a plurality of judging values;
performing judgment processing on each judgment value according to the judgment information to generate at least one judgment hit rule corresponding to the target event;
taking a preset portrait tag corresponding to the hit judgment rule as tag information of the target event;
if the label information of the target event belongs to a preset abnormal label type, acquiring a hash value of an initial executable file corresponding to the target event.
Further, obtaining a decision rule set corresponding to the target event includes:
determining a prefix information set and a prefabrication rule set corresponding to the target event according to the json log of the target event; the prefix information set comprises a plurality of preset json field storage paths; the prefabrication rule set comprises a plurality of prefabrication rules, and each prefabrication rule comprises corresponding judgment information and hit field names;
after splicing and combining hit field names in each prefabricated rule with each preset json field storage path, generating a plurality of rule hit paths corresponding to each prefabricated rule;
and generating a plurality of judgment rules corresponding to each prefabricated rule according to the rule hit paths of that prefabricated rule and its judgment information.
Further, determining, according to the json log of the target event, the prefix information set and the prefabricated rule set corresponding to the target event includes:
generating an event type identifier for the target event according to the value of the event type field in the json log;
and determining the prefix information set and the prefabricated rule set corresponding to the target event according to its event type identifier.
According to a second aspect of the present invention, there is provided an abnormality detection apparatus based on a valid tag, the apparatus comprising:
the sequence acquisition module is used for acquiring a plurality of abnormal behavior detection sequences; the abnormal behavior detection sequence comprises monitoring identifiers corresponding to attack sub-behaviors which are sequentially initiated;
the subsequence generation module is used for generating a target detection subsequence corresponding to each abnormal behavior detection sequence according to the effective identification bit in each abnormal behavior detection sequence; the target detection subsequence is a monitoring identifier sequence formed from a monitoring identifier corresponding to the effective identification bit to the last monitoring identifier in the abnormal behavior detection sequence;
The label configuration module is used for respectively configuring valid labels or invalid labels for each target detection subsequence;
the operation monitoring module is used for operating the executable file to be detected corresponding to the target event in the sandbox and starting the monitoring strategies corresponding to all the monitoring identifiers included in all the effective detection subsequences to monitor operation behaviors; the effective detection subsequence is a target detection subsequence corresponding to the effective label;
the validity updating module is used for carrying out validity updating processing on each target detection subsequence when the monitoring strategy corresponding to the monitoring identifier in any one of the valid detection subsequences is hit, and returning to a step of starting all monitoring strategies corresponding to all monitoring identifiers included in all the valid detection subsequences for carrying out operation behavior monitoring;
the abnormal judgment module is used for determining that the target event has an attack behavior corresponding to the abnormal behavior detection sequence when the monitoring strategies corresponding to all the monitoring identifiers included in any abnormal behavior detection sequence are hit;
the validity update process includes:
matching the target update identifier with each valid target monitoring identifier; the target update identifier is a monitoring identifier corresponding to the currently hit monitoring strategy; the effective target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in the effective detection subsequence;
If the matching is unsuccessful and the effective target monitoring identifier belongs to at least one pre-effective detection sequence, modifying an effective label of an effective detection subsequence to which the effective target monitoring identifier belongs to an ineffective label; the pre-effective detection sequence is a monitoring identifier sequence behind a monitoring identifier corresponding to a current effective identification bit in an effective detection subsequence to which a target updating identifier belongs;
if the matching is successful, the effective identification bit in the effective detection subsequence to which the effective target monitoring identifier belongs is moved one bit backwards, and a new effective detection subsequence is generated.
According to a third aspect of the present invention, there is provided a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements an anomaly detection method based on an active tag as described above.
According to a fourth aspect of the present invention, there is provided an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing an anomaly detection method based on an active tag as described above when the computer program is executed by the processor.
The invention has at least the following beneficial effects:
In the invention, each valid detection subsequence comprises several monitoring policies, so switching on a valid detection subsequence amounts to switching on all of its monitoring policies. It is very likely that a monitoring identifier in one valid detection subsequence is exactly the valid target monitoring identifier of another valid detection subsequence. Since the monitoring policies of every valid detection subsequence are on, the policies switched on for one valid detection subsequence also cover the valid target monitoring identifiers of other valid detection subsequences. Therefore some valid detection subsequences can be turned into invalid detection subsequences, which reduces the number of valid detection subsequences that are switched on and thus the consumption of computing resources.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an anomaly detection method based on an effective tag according to an embodiment of the present invention;
fig. 2 is a block diagram of an abnormality detection device based on an effective tag according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
As a possible embodiment of the present invention, as shown in fig. 1, there is provided an abnormality detection method based on an effective tag, the method including the steps of:
Step 1: obtain a plurality of abnormal behavior detection sequences $W_1, W_2, \ldots, W_D, \ldots, W_J$. Here $W_D$ is the D-th abnormal behavior detection sequence, $W_D = (W_D^1, W_D^2, \ldots, W_D^E, \ldots, W_D^{G(D)})$, where $W_D^E$ is the E-th monitoring identifier of $W_D$, each monitoring identifier corresponding to one abnormal behavior monitoring policy. $G(D)$ is the number of monitoring identifiers in $W_D$, $E = 1, 2, \ldots, G(D)$. $J$ is the total number of abnormal behavior detection sequences, $D = 1, 2, \ldots, J$. Each abnormal behavior detection sequence comprises the monitoring identifiers corresponding to attack sub-behaviors that are initiated in order.
Step 2: and generating a target detection subsequence corresponding to each abnormal behavior detection sequence according to the effective identification bit in each abnormal behavior detection sequence. The target detection subsequence is a monitoring identifier sequence formed from a monitoring identifier corresponding to the effective identification bit to the last monitoring identifier in the abnormal behavior detection sequence.
Typically, in the initial state the effective identification bit is located on the first monitoring identifier of each abnormal behavior detection sequence, and it gradually moves backwards (towards the end of the sequence) as validity update processing proceeds; the corresponding target detection subsequence shortens accordingly. Taking $W_D = (W_D^1, W_D^2, \ldots, W_D^E, \ldots, W_D^{G(D)})$ as an example, in the initial state the effective identification bit is at $W_D^1$ and the target detection subsequence generated is $(W_D^1, W_D^2, \ldots, W_D^E, \ldots, W_D^{G(D)})$. Later, once validity update processing has moved the effective identification bit to $W_D^3$, the target detection subsequence generated is $(W_D^3, W_D^4, \ldots, W_D^E, \ldots, W_D^{G(D)})$.
Step 3: configure a valid tag or an invalid tag for each target detection subsequence, respectively.
Specifically, a valid tag or an invalid tag is configured for each target detection subsequence according to the following steps.
Step 31: before run-time behavior monitoring starts, configure valid tags for all target detection subsequences.
Step 32: after run-time behavior monitoring starts, configure a valid tag or an invalid tag for each target detection subsequence according to the result of the validity update processing.
Specifically, by the type of the tag corresponding to each target detection sub-sequence, it is possible to determine whether the target detection sub-sequence is a valid detection sub-sequence or an invalid detection sub-sequence.
Step 4: and operating the executable file to be detected corresponding to the target event in a sandbox, and starting the monitoring strategies corresponding to all the monitoring identifiers included in all the effective detection subsequences to perform operation behavior monitoring. The effective detection subsequence is a target detection subsequence corresponding to the effective label.
Step 5: when the monitoring strategies corresponding to the monitoring identifiers in any effective detection subsequence are hit, carrying out effectiveness updating processing on each target detection subsequence, and returning to the step of starting the monitoring strategies corresponding to all the monitoring identifiers in all the effective detection subsequences for operation behavior monitoring.
In the initial state all target detection subsequences carry valid tags. Later, as validity update processing proceeds, some valid detection subsequences gradually become invalid detection subsequences, and some invalid detection subsequences become valid detection subsequences again. The monitoring policies that are on during behavior detection are therefore those currently most likely to be hit, and because the invalid detection subsequences are off, the number of monitoring policies that are on during behavior monitoring is reduced, which reduces the occupation of computing resources.
Step 6: when all monitoring strategies corresponding to all monitoring identifiers included in any abnormal behavior detection sequence are hit, determining that the target event has an attack behavior corresponding to the abnormal behavior detection sequence.
The validity update process includes:
step 51: the target update identifier is matched with each valid target monitoring identifier. The target update identifier is a monitoring identifier corresponding to the currently hit monitoring policy. The effective target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in the effective detection subsequence.
Step 52: if the matching is unsuccessful and the effective target monitoring identifier belongs to at least one pre-effective detection sequence, modifying the effective label of the effective detection sub-sequence to which the effective target monitoring identifier belongs to an ineffective label. The pre-validation detection sequence is a monitoring identifier sequence behind the monitoring identifier corresponding to the current validation identification bit in the effective detection subsequence to which the target update identifier belongs.
If the matching is unsuccessful and the effective target monitoring identifier does not belong to any pre-effective detection sequence, the label of the detection sub-sequence corresponding to the effective target monitoring identifier is kept as an effective label unchanged.
Step 53: if the matching is successful, the effective identification bit in the effective detection subsequence to which the effective target monitoring identifier belongs is moved one bit backwards, and a new effective detection subsequence is generated.
The following example illustrates this. Suppose the monitoring identifiers included in the valid detection subsequences are (PD1, PD2, PD3, PD4), (PD2, BD2, PD3, PD4) and (PD1, BD2, PD3, PD4) respectively. The valid target monitoring identifier of each valid detection subsequence is its first monitoring identifier. Assuming the current target update identifier is PD1, the pre-valid detection sequences are (PD2, PD3, PD4) from (PD1, PD2, PD3, PD4) and (BD2, PD3, PD4) from (PD1, BD2, PD3, PD4).
Since the target update identifier PD1 differs from the valid target monitoring identifier PD2 of (PD2, BD2, PD3, PD4), and PD2 belongs to the pre-valid detection sequence (PD2, PD3, PD4), step 52 changes the valid tag of (PD2, BD2, PD3, PD4) to an invalid tag, i.e. this valid detection subsequence becomes an invalid detection subsequence.
Since the valid target monitoring identifier of (PD1, PD2, PD3, PD4) and of (PD1, BD2, PD3, PD4) equals the target update identifier PD1, step 53 is performed: (PD1, PD2, PD3, PD4) becomes the new valid detection subsequence (PD2, PD3, PD4), and (PD1, BD2, PD3, PD4) becomes the new valid detection subsequence (BD2, PD3, PD4). The effective identification bit is still at the position of the first monitoring identifier of each valid detection subsequence.
Further, the validity update process further includes:
step 54: the target update identifier is matched with each of the invalid target monitor identifiers. The invalid target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in the invalid detection subsequence. The invalid detection subsequence is a target detection subsequence corresponding to the invalid tag.
Step 55: if the matching is successful, the effective identification bit in the ineffective detection subsequence to which the ineffective target monitoring identifier belongs is moved one bit backwards, and a new ineffective detection subsequence is generated.
If the matching is unsuccessful, the invalid state of the current invalid detection subsequence is not changed, and the current invalid detection subsequence is kept unchanged.
Step 56: the invalid tag of the new invalid detection subsequence is modified to be a valid tag.
In this embodiment, each valid detection sub-sequence includes a plurality of monitoring strategies, so that after the valid detection sub-sequence is turned on, all the monitoring strategies are turned on. It is highly likely that the monitor identifier in one valid detection sub-sequence is exactly the valid target monitor identifier in the other valid detection sub-sequence. Meanwhile, the corresponding monitoring strategies in any effective detection subsequence are in an on state, so that the on monitoring strategy for one effective detection subsequence can simultaneously meet the on monitoring purposes of the effective target monitoring identifiers corresponding to other effective detection subsequences. Therefore, part of the valid detection subsequences can be changed into invalid detection subsequences, so that the number of the opened valid detection subsequences can be reduced, and the consumption of computing resources is reduced.
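As an added illustration (not code from the patent), the following Python models steps 1 to 6 and 51 to 56 and replays the worked example above: three sequences, a PD1 hit that invalidates (PD2, BD2, PD3, PD4), and a later PD2 hit that revives it. The class and method names, and treating a sequence whose effective identification bit moves past its last identifier as a detected attack, are my assumptions.

```python
"""Toy model of the valid/invalid tag bookkeeping (steps 1-6 and 51-56).
Added example, not the patent's own code. Assumptions: monitoring identifiers
are strings, hits arrive one identifier at a time, and a sequence whose
effective identification bit moves past its last identifier counts as a
detected attack (step 6)."""

from dataclasses import dataclass


@dataclass
class TrackedSequence:
    """One abnormal behavior detection sequence W_D with its pointer and tag."""
    name: str
    identifiers: tuple
    pos: int = 0        # the "effective identification bit"
    valid: bool = True  # valid tag (True) or invalid tag (False)

    @property
    def subsequence(self):
        # Target detection subsequence: from the pointer to the last identifier.
        return self.identifiers[self.pos:]

    @property
    def head(self):
        # The valid (or invalid) target monitoring identifier of this subsequence.
        return self.subsequence[0] if self.subsequence else None

    @property
    def complete(self):
        # All monitoring policies of the sequence have been hit (step 6).
        return self.pos >= len(self.identifiers)


class EffectiveTagDetector:
    def __init__(self, sequences):
        # Steps 1-3: pointer on the first identifier, every sequence tagged valid.
        self.seqs = [TrackedSequence(n, tuple(ids)) for n, ids in sequences.items()]

    def active_monitors(self):
        """Step 4: the monitoring policies that must be switched on, i.e. every
        identifier of every valid, not yet completed subsequence."""
        on = set()
        for s in self.seqs:
            if s.valid and not s.complete:
                on.update(s.subsequence)
        return on

    def state(self):
        """Current (target detection subsequence, tag) per sequence."""
        return {s.name: (s.subsequence, s.valid) for s in self.seqs}

    def hit(self, ident):
        """Step 5: validity update for a hit of monitoring policy `ident`.
        Returns the names of sequences whose policies have now all been hit."""
        if ident not in self.active_monitors():
            return []  # the policy is off, so the sandbox cannot report this hit
        # Pre-valid detection sequences: the identifiers behind the head of each
        # valid subsequence whose head is the target update identifier.
        pre = [set(s.subsequence[1:]) for s in self.seqs
               if s.valid and not s.complete and s.head == ident]
        for s in self.seqs:
            if s.complete:
                continue
            if s.valid:
                if s.head == ident:
                    s.pos += 1        # step 53: advance, new valid subsequence
                elif any(s.head in tail for tail in pre):
                    s.valid = False   # step 52: its head is already covered
            elif s.head == ident:
                s.pos += 1            # step 55: advance the invalid subsequence
                s.valid = True        # step 56: and make it valid again
        return [s.name for s in self.seqs if s.complete]


if __name__ == "__main__":
    det = EffectiveTagDetector({
        "A": ("PD1", "PD2", "PD3", "PD4"),
        "B": ("PD2", "BD2", "PD3", "PD4"),
        "C": ("PD1", "BD2", "PD3", "PD4"),
    })
    for ident in ("PD1", "PD2", "BD2", "PD3", "PD4"):
        found = det.hit(ident)
        print(ident, det.state(), "on:", sorted(det.active_monitors()), "attack:", found)
```

Note that after the BD2 hit the model also parks (PD3, PD4) of sequence A as invalid, because PD3 is covered by the tails of B and C; the next PD3 hit revives it, which is the resource saving the patent describes.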
As another embodiment of the present invention, before the executable file to be tested corresponding to the target event is run in the sandbox, the method further includes:
step 41: and acquiring a hash value of the initial executable file corresponding to the target event.
Specifically, step 41 includes:
step 411: and acquiring a judging rule set and a judging value set corresponding to the target event. The decision rule set includes a plurality of decision rules, each decision rule including a corresponding rule hit path and decision information. The set of decision values includes a plurality of decision values.
In step 431: after splicing the hit field name of each prefabricated rule with each preset json field storage path, a plurality of rule hit paths corresponding to each prefabricated rule are generated, and each rule hit path is used as a value index to obtain the corresponding judgment value.
In step 411, obtaining a set of decision rules corresponding to the target event includes:
step 421: and determining a prefix information set and a prefabrication rule set corresponding to the target event according to the json log of the target event. The prefix information set comprises a plurality of preset json field storage paths. The prefabrication rule set comprises a plurality of prefabrication rules, and each prefabrication rule comprises corresponding judgment information and hit field names.
Specifically, step 421 includes:
step 422: and generating an event type identifier of the target event according to the value of the event type field in the json log.
Step 423: and determining a prefix information set and a preset rule set corresponding to the target event according to the event type identification of the target event.
The prefix information set and the prefabricated rule set can be configured in advance according to actual use scenes. And after the configuration is completed, the corresponding event type identifiers are respectively given so as to carry out screening and use in the later use process. The prefix information library may include the following prefix information sets:
process_behavior: process_info_parent.file_info, process_info_self.file_info
file_behavior: process_info.file_info, file_info
Here process_behavior and file_behavior are the event type identifiers of the two prefix information sets. Pre-made rule sets are assigned event type identifiers in the same way.
The data in a json log has a tree structure, so fields that sit in the same leaf node share the same parent node path. In this embodiment that parent node path is the prefix information in the prefix information set. In practice a parent node path is formed from the names of the parent nodes joined by the connector (for example process_info_parent.file_info above). In that example the leaf node holding the md5 field is named file_info, and the parent node of that file_info is process_info_parent. Each prefix information entry is therefore the storage path of the corresponding field, so the actual storage path of each field to be detected in each kind of event can be configured in advance as the prefix information for that field.
Step 431: splice the hit field name of each pre-made rule with each preset json field storage path to generate multiple rule hit paths for each pre-made rule.
Step 441: generate multiple decision rules for each pre-made rule from its rule hit paths and its decision information.
Specifically, let the i-th pre-made rule in the pre-made rule set of the target event be A_i = (A_i^2, A_i^3), where A_i^2 is the decision information of A_i and A_i^3 is its hit field name. Let B_m^n be the n-th prefix information entry in the prefix information set B_m of the target event.
Each pre-made rule is spliced with every prefix information entry to generate new rule hit paths: splicing B_m^n with A_i^3 yields the rule hit path C_i^n = B_m^n.A_i^3, where "." is the preset connector.
Each new rule hit path is then combined with the corresponding decision information to form a new decision rule (C_i^n, A_i^2).
For example, with hit field name A_i^3 = md5 and the process_behavior prefix information set listed above (process_info_parent.file_info and process_info_self.file_info), splicing generates two rule hit paths, one per prefix entry, and therefore two decision rules; the number can be expanded as needed.
After the splicing and combining, multiple decision rules are generated, so a decision rule for the same field value can be configured under different value indexes without extra development work. If the storage path of a field value changes during later use, maintainers only need to form new prefix information from the changed path and replace the original entry; the decision rules for that field value remain effective without being redeveloped, which improves development efficiency and reduces maintenance effort.
Step 412: evaluate each decision value against the decision information and generate at least one hit decision rule for the target event.
Step 413: take the preset portrait tag corresponding to the hit decision rule as the tag information of the target event.
Step 414: if the tag information of the target event belongs to a preset abnormal tag type, acquire the hash value of the initial executable file corresponding to the target event.
Step 42: determine, from the hash value of the initial executable file, whether the initial executable file is the executable file to be tested.
Hash values generated from collected known malicious executable files form a hash blacklist. Comparing the hash value of the initial executable file against this blacklist quickly determines whether an unknown initial executable file is a known malicious executable, and hence whether it is the executable file to be tested in this embodiment.
Deciding whether the initial executable file is the executable file to be tested from both the tag information of the target event and the hash value of the initial executable file that caused the event improves the accuracy of the decision.
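The following Python sketch is an added example and not the patent's own code. It carries steps 411 to 414 and 42 through on a constructed process_behavior json log: the prefix sets are the two listed above, the pre-made rules, the (operator, operand) form of the decision information, the portrait tags, the abnormal tag types, the sample file bytes and the blacklist entry are all assumptions made for the example. Note that a hash blacklist matches only byte-identical samples, which is why the tag check and the hash check are combined rather than relying on the hash alone.

```python
"""Steps 411 to 414 and 42 as a runnable sketch (added example, not the patent's code).

Assumptions not fixed by the patent: decision information is an (operator, operand)
pair; portrait tags, abnormal tag types, field names other than md5, the sample
json log, the sample file bytes and the blacklist entries are all constructed here.
"""
import hashlib

# Step 423: prefix information sets (json storage paths) keyed by event type identifier.
PREFIX_SETS = {
    "process_behavior": ["process_info_parent.file_info", "process_info_self.file_info"],
    "file_behavior": ["process_info.file_info", "file_info"],
}

# Pre-made rules A_i = (decision information, hit field name), plus an assumed portrait tag.
PREMADE_RULES = {
    "process_behavior": [
        {"hit_field": "path", "decision": ("contains", "\\AppData\\Local\\Temp\\"), "tag": "temp_dir_binary"},
        {"hit_field": "signed", "decision": ("eq", False), "tag": "unsigned_binary"},
    ],
    "file_behavior": [
        {"hit_field": "md5", "decision": ("in", {"0123456789abcdef0123456789abcdef"}), "tag": "known_bad_md5"},
    ],
}
ABNORMAL_TAG_TYPES = {"temp_dir_binary", "unsigned_binary", "known_bad_md5"}
CONNECTOR = "."

# Step 42: hash blacklist of known malicious files (constructed; sha256 of a fake sample).
KNOWN_MALICIOUS_SHA256 = {hashlib.sha256(b"MZ\x90\x00constructed-known-bad-sample").hexdigest()}


def splice_rules(event_type):
    """Steps 431/441: every hit field name joined with every prefix path gives one decision rule."""
    rules = []
    for rule in PREMADE_RULES[event_type]:
        for prefix in PREFIX_SETS[event_type]:
            rules.append({
                "hit_path": prefix + CONNECTOR + rule["hit_field"],  # C_i^n = B_m^n . A_i^3
                "decision": rule["decision"],                         # A_i^2
                "tag": rule["tag"],
            })
    return rules


def lookup(log, hit_path):
    """Use the rule hit path as a value index into the json log tree; None if the path is absent."""
    node = log
    for key in hit_path.split(CONNECTOR):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(decision, value):
    """Step 412: apply the decision information to one decision value."""
    op, operand = decision
    if value is None:
        return False
    if op == "eq":
        return value == operand
    if op == "contains":
        return isinstance(value, str) and operand in value
    if op == "in":
        return value in operand
    raise ValueError("unknown operator: " + op)


def label_event(log):
    """Steps 422, 412, 413: event type -> spliced rules -> hit rules -> portrait tags."""
    event_type = log["event_type"]  # step 422: event type identifier from the event type field
    hits = [r for r in splice_rules(event_type) if evaluate(r["decision"], lookup(log, r["hit_path"]))]
    return sorted({r["tag"] for r in hits}), sorted(r["hit_path"] for r in hits)


def triage(log, file_bytes):
    """Steps 414 and 42: abnormal tag -> hash the initial executable -> blacklist check.

    The patent does not fix which outcome of the blacklist check selects the file for the
    sandbox; here a blacklist hit is treated as already known malicious (no sandbox run
    needed) and an unknown hash with an abnormal tag becomes the executable to be tested.
    """
    tags, hit_paths = label_event(log)
    result = {"tags": tags, "hit_paths": hit_paths, "sha256": None,
              "known_malicious": False, "to_be_tested": False}
    if not ABNORMAL_TAG_TYPES.intersection(tags):
        return result
    result["sha256"] = hashlib.sha256(file_bytes).hexdigest()
    result["known_malicious"] = result["sha256"] in KNOWN_MALICIOUS_SHA256
    result["to_be_tested"] = not result["known_malicious"]
    return result


# Constructed sample json log for a process_behavior event (not a real log).
SAMPLE_LOG = {
    "event_type": "process_behavior",
    "process_info_parent": {"file_info": {"path": "C:\\Program Files\\Vendor\\updater.exe", "signed": True}},
    "process_info_self": {"file_info": {"path": "C:\\Users\\alice\\AppData\\Local\\Temp\\inst.exe", "signed": False}},
}
SAMPLE_EXE = b"MZ\x90\x00constructed-unknown-sample"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_EXE))
```

With the sample log, only the two process_info_self paths hit (the parent binary is signed and outside the Temp directory), the event receives two abnormal tags, and because the sample's hash is not on the constructed blacklist it is selected as the executable to be tested. Moving a field to a new storage path only requires editing the entry in PREFIX_SETS, which is the maintenance benefit described above.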
According to a second aspect of the present invention, as shown in fig. 2, there is provided an abnormality detection apparatus based on an effective tag, the apparatus including:
The sequence acquisition module acquires multiple abnormal behavior detection sequences. An abnormal behavior detection sequence consists of the monitoring identifiers of the attack sub-behaviors, in the order in which they are initiated.
The subsequence generation module generates a target detection subsequence for each abnormal behavior detection sequence from that sequence's effective identification bit. The target detection subsequence is the monitoring identifier sequence from the monitoring identifier at the effective identification bit to the last monitoring identifier of the abnormal behavior detection sequence.
The tag configuration module configures a valid tag or an invalid tag for each target detection subsequence.
The operation monitoring module runs the executable file to be tested corresponding to the target event in the sandbox and enables the monitoring policies for all monitoring identifiers contained in all valid detection subsequences to monitor its run-time behavior. A valid detection subsequence is a target detection subsequence carrying a valid tag.
The validity updating module performs validity update processing on each target detection subsequence whenever the monitoring policy of a monitoring identifier in any valid detection subsequence is hit, and then returns to the step of enabling the monitoring policies for all monitoring identifiers contained in all valid detection subsequences.
The anomaly determination module determines that the target event exhibits the attack behavior corresponding to an abnormal behavior detection sequence when the monitoring policies of all monitoring identifiers in that sequence have been hit.
The validity update process includes:
Match the target update identifier against each valid target monitoring identifier. The target update identifier is the monitoring identifier of the monitoring policy that was just hit. A valid target monitoring identifier is the monitoring identifier at the current effective identification bit of a valid detection subsequence.
If the match fails and the valid target monitoring identifier belongs to at least one pre-valid detection sequence, change the valid tag of the valid detection subsequence to which that valid target monitoring identifier belongs to an invalid tag. A pre-valid detection sequence is the monitoring identifier sequence that follows the monitoring identifier at the current effective identification bit in the valid detection subsequence to which the target update identifier belongs.
If the match succeeds, move the effective identification bit of the valid detection subsequence to which the valid target monitoring identifier belongs one position further along the sequence and generate a new valid detection subsequence.
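The Python below is an added example, not the patent's code, covering the validity update process of the device description above and the method of claims 1 to 3 (including the re-validation of an invalid subsequence on a match from claim 2). The sequence names, monitoring identifiers and the hit trace are constructed; in a real deployment the trace is the stream of monitoring policy hits reported by the sandbox. Under this reading, a subsequence is tagged invalid only while its next expected identifier is still covered later in the chain of the subsequence that was just hit, so the set of enabled monitoring policies loses nothing.

```python
"""Validity update processing of the device description and of claims 1 to 3
(added example, not the patent's code). Sequence names, monitoring identifiers and the
sandbox trace are constructed; in a real deployment the trace would be the stream of
monitoring policy hits produced by the sandbox."""


class DetectionSequence:
    """One abnormal behavior detection sequence with its effective identification bit (pos)."""

    def __init__(self, name, identifiers):
        self.name = name
        self.ids = list(identifiers)
        self.pos = 0          # effective identification bit: index of the next expected identifier
        self.valid = True     # claim 3: all target detection subsequences start with a valid tag

    def subsequence(self):
        """Target detection subsequence: from the effective identification bit to the end."""
        return self.ids[self.pos:]

    def expected(self):
        """Valid/invalid target monitoring identifier, or None once the sequence is complete."""
        return self.ids[self.pos] if self.pos < len(self.ids) else None

    def complete(self):
        return self.pos >= len(self.ids)


def active_monitors(sequences):
    """Monitoring policies to enable: every identifier in every valid, unfinished subsequence."""
    ids = set()
    for s in sequences:
        if s.valid and not s.complete():
            ids.update(s.subsequence())
    return ids


def validity_update(sequences, hit):
    """Apply one monitoring policy hit (the target update identifier); return completed sequences."""
    # Pre-valid detection sequences: identifiers after the hit in every valid subsequence it matched.
    pre_valid = set()
    for s in sequences:
        if s.valid and s.expected() == hit:
            pre_valid.update(s.ids[s.pos + 1:])
    completed = []
    for s in sequences:
        if s.complete():
            continue
        if s.expected() == hit:
            # Match: move the effective identification bit one position along; an invalid
            # subsequence that matches becomes valid again (claim 2).
            s.pos += 1
            s.valid = True
            if s.complete():
                completed.append(s.name)
        elif s.valid and s.expected() in pre_valid:
            # No match, and this subsequence's next identifier is already covered later in the
            # chain that was just hit: set it aside with an invalid tag until that identifier hits.
            s.valid = False
    return completed


def run_detection(sequence_defs, trace):
    """Feed a sandbox hit trace through the update loop; returns detected attacks and final state."""
    sequences = [DetectionSequence(n, ids) for n, ids in sequence_defs.items()]
    detected = []
    for hit in trace:
        if hit not in active_monitors(sequences):
            continue  # no enabled monitoring policy for this behavior
        detected.extend(validity_update(sequences, hit))
    state = {s.name: (s.pos, s.valid) for s in sequences}
    return detected, state, active_monitors(sequences)


# Constructed abnormal behavior detection sequences (monitoring identifiers in attack order).
SEQUENCES = {
    "dropper": ["create_file", "write_registry", "create_process"],
    "persist": ["write_registry", "create_process"],
    "injector": ["create_process", "open_process", "write_memory"],
}

if __name__ == "__main__":
    print(run_detection(SEQUENCES, ["create_file", "write_registry", "create_process"]))
```

On the trace create_file, write_registry, create_process the dropper chain advances first; persist and injector are tagged invalid after the first hit because their next identifiers already lie later in the dropper chain, persist is re-validated when write_registry hits, both dropper and persist complete on create_process, and injector is re-validated and left waiting on open_process.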
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device according to this embodiment of the invention is described below. The electronic device is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present invention described in the above section of the exemplary method of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. The network adapter communicates with other modules of the electronic device via a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary method" section of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. An anomaly detection method based on an effective label is characterized by comprising the following steps:
acquiring a plurality of abnormal behavior detection sequences; the abnormal behavior detection sequence comprises monitoring identifiers corresponding to attack sub-behaviors which are sequentially initiated;
generating a target detection subsequence corresponding to each abnormal behavior detection sequence according to the effective identification bit in each abnormal behavior detection sequence; the target detection subsequence is a monitoring identifier sequence formed from a monitoring identifier corresponding to an effective identification bit to a last monitoring identifier in the abnormal behavior detection sequence;
respectively configuring a valid tag or an invalid tag for each target detection subsequence;
operating the executable file to be detected corresponding to the target event in a sandbox, and starting the monitoring strategies corresponding to all the monitoring identifiers included in all the effective detection subsequences to perform operation behavior monitoring; the effective detection subsequence is a target detection subsequence corresponding to an effective label;
each time the monitoring strategy corresponding to the monitoring identifier in any effective detection subsequence is hit, carrying out effectiveness updating processing on each target detection subsequence, and returning to the step of starting the monitoring strategies corresponding to all the monitoring identifiers included in all the effective detection subsequences for operation behavior monitoring;
when all monitoring strategies corresponding to all monitoring identifiers included in any abnormal behavior detection sequence are hit, determining that the target event has attack behaviors corresponding to the abnormal behavior detection sequence;
the validity update process includes:
matching the target update identifier with each valid target monitoring identifier; the target update identifier is a monitoring identifier corresponding to the currently hit monitoring strategy; the effective target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in an effective detection subsequence;
If the matching is unsuccessful and the effective target monitoring identifier belongs to at least one pre-effective detection sequence, modifying an effective label of an effective detection subsequence to which the effective target monitoring identifier belongs to an ineffective label; the pre-effective detection sequence is a monitoring identifier sequence behind a monitoring identifier corresponding to a current effective identification bit in an effective detection subsequence to which a target updating identifier belongs;
if the matching is successful, the effective identification bit in the effective detection subsequence to which the effective target monitoring identifier belongs is moved one bit backwards, and a new effective detection subsequence is generated.
2. The method of claim 1, wherein the validity update process further comprises:
matching the target update identifier with each invalid target monitoring identifier; the invalid target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in an invalid detection subsequence; the invalid detection subsequence is a target detection subsequence corresponding to an invalid tag;
if the matching is successful, moving the effective identification bit in the invalid detection subsequence to which the invalid target monitoring identifier belongs one bit backwards to generate a new invalid detection subsequence;
and modifying the invalid tag of the new invalid detection subsequence into a valid tag.
3. The method of claim 2, wherein configuring a valid tag or an invalid tag for each target detection subsequence, respectively, comprises:
before the operation behavior monitoring starts, valid tags are configured for all target detection subsequences;
after the operation behavior monitoring starts, according to the result of the validity updating process, a valid tag or an invalid tag is respectively configured for each target detection subsequence.
4. The method of claim 2, wherein before running the executable file under test corresponding to the target event in the sandbox, the method further comprises:
acquiring a hash value of an initial executable file corresponding to the target event;
and determining the initial executable file as the executable file to be tested according to the hash value corresponding to the initial executable file.
5. The method of claim 4, wherein obtaining the hash value of the initial executable file corresponding to the target event comprises:
acquiring a judging rule set and a judging value set corresponding to a target event; the judging rule set comprises a plurality of judging rules, and each judging rule comprises a corresponding rule hit path and judging information; the judging value set comprises a plurality of judging values;
Performing judgment processing on each judgment value according to the judgment information to generate at least one judgment hit rule corresponding to the target event;
taking a preset portrait tag corresponding to the hit judgment rule as tag information of the target event;
if the tag information of the target event belongs to a preset abnormal tag type, acquiring a hash value of an initial executable file corresponding to the target event.
6. The method of claim 5, wherein obtaining a set of decision rules corresponding to a target event comprises:
determining a prefix information set and a prefabrication rule set corresponding to the target event according to the json log of the target event; the prefix information set comprises a plurality of preset json field storage paths; the prefabrication rule set comprises a plurality of prefabrication rules, and each prefabrication rule comprises corresponding judgment information and hit field names;
after splicing and combining hit field names in each prefabricated rule with each preset json field storage path, generating a plurality of rule hit paths corresponding to each prefabricated rule;
and generating a plurality of judgment rules corresponding to each prefabrication rule according to the rule hit paths corresponding to each prefabrication rule and the corresponding judgment information.
7. The method of claim 6, wherein determining the prefix information set and the pre-made rule set corresponding to the target event based on the json log of the target event comprises:
generating an event type identifier of the target event according to the value of the event type field in the json log;
and determining a prefix information set and a prefabricated rule set corresponding to the target event according to the event type identifier of the target event.
8. An anomaly detection device based on an active tag, the device comprising:
the sequence acquisition module is used for acquiring a plurality of abnormal behavior detection sequences; the abnormal behavior detection sequence comprises monitoring identifiers corresponding to attack sub-behaviors which are sequentially initiated;
the subsequence generation module is used for generating a target detection subsequence corresponding to each abnormal behavior detection sequence according to the effective identification bit in each abnormal behavior detection sequence; the target detection subsequence is a monitoring identifier sequence formed from a monitoring identifier corresponding to an effective identification bit to a last monitoring identifier in the abnormal behavior detection sequence;
the label configuration module is used for respectively configuring valid labels or invalid labels for each target detection subsequence;
The operation monitoring module is used for operating the executable file to be detected corresponding to the target event in the sandbox and starting the monitoring strategies corresponding to all the monitoring identifiers included in all the effective detection subsequences to monitor operation behaviors; the effective detection subsequence is a target detection subsequence corresponding to an effective label;
the validity updating module is used for carrying out validity updating processing on each target detection subsequence when the monitoring strategy corresponding to the monitoring identifier in any valid detection subsequence is hit, and returning to the step of starting all monitoring strategies corresponding to all monitoring identifiers included in all valid detection subsequences for carrying out operation behavior monitoring;
the abnormal judgment module is used for determining that the target event has attack behaviors corresponding to the abnormal behavior detection sequences when the monitoring strategies corresponding to all the monitoring identifiers included in any abnormal behavior detection sequence are hit;
the validity update process includes:
matching the target update identifier with each valid target monitoring identifier; the target update identifier is a monitoring identifier corresponding to the currently hit monitoring strategy; the effective target monitoring identifier is a monitoring identifier corresponding to a currently effective identification bit in an effective detection subsequence;
If the matching is unsuccessful and the effective target monitoring identifier belongs to at least one pre-effective detection sequence, modifying an effective label of an effective detection subsequence to which the effective target monitoring identifier belongs to an ineffective label; the pre-effective detection sequence is a monitoring identifier sequence behind a monitoring identifier corresponding to a current effective identification bit in an effective detection subsequence to which a target updating identifier belongs;
if the matching is successful, the effective identification bit in the effective detection subsequence to which the effective target monitoring identifier belongs is moved one bit backwards, and a new effective detection subsequence is generated.
9. A non-transitory computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a valid tag-based anomaly detection method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements a valid tag-based anomaly detection method as claimed in any one of claims 1 to 7 when the computer program is executed.
CN202311290891.4A 2023-10-08 2023-10-08 Anomaly detection method, device, medium and equipment based on effective label Active CN117009962B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311290891.4A CN117009962B (en) 2023-10-08 2023-10-08 Anomaly detection method, device, medium and equipment based on effective label


Publications (2)

Publication Number Publication Date
CN117009962A true CN117009962A (en) 2023-11-07
CN117009962B CN117009962B (en) 2023-12-08

Family

ID=88574788


Country Status (1)

Country Link
CN (1) CN117009962B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170329314A1 (en) * 2014-11-26 2017-11-16 Shenyang Institute Of Automation, Chinese Academy Of Sciences Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-outline model
CN111651767A (en) * 2020-06-05 2020-09-11 腾讯科技(深圳)有限公司 Abnormal behavior detection method, device, equipment and storage medium
CN115442109A (en) * 2022-08-31 2022-12-06 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for determining network attack result
CN115955329A (en) * 2022-11-28 2023-04-11 鹏城实验室 Network security protection method, terminal and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Guo Yuanbo et al.: "Research on user behavior pattern profiling methods in insider threat detection" (内部威胁检测中用户行为模式画像方法研究), Journal on Communications (通信学报), vol. 39, no. 12, pages 2018282-1 *


Similar Documents

Publication Publication Date Title
EP3178011B1 (en) Method and system for facilitating terminal identifiers
CN110929259B (en) Process security verification white list generation method and device
CN109995523B (en) Activation code management method and device and activation code generation method and device
CN111435393B (en) Object vulnerability detection method, device, medium and electronic equipment
CN109871290B (en) Call stack tracking method and device applied to Java and storage medium
CN117009911B (en) Abnormality determination method and device for target event, medium and electronic equipment
CN113111005A (en) Application program testing method and device
CN117009962B (en) Anomaly detection method, device, medium and equipment based on effective label
US20140283080A1 (en) Identifying stored vulnerabilities in a web service
CN114679295B (en) Firewall security configuration method and device
CN115964701A (en) Application security detection method and device, storage medium and electronic equipment
US11662927B2 (en) Redirecting access requests between access engines of respective disk management devices
CN117034261B (en) Exception detection method and device based on identifier, medium and electronic equipment
CN117034210B (en) Event image generation method and device, storage medium and electronic equipment
CN117034260B (en) Event judgment information generation method and device, medium and electronic equipment
CN116861429B (en) Malicious detection method, device, equipment and medium based on sample behaviors
CN116400988B (en) Target parameter returning method, storage medium and electronic equipment
CN116861428B (en) Malicious detection method, device, equipment and medium based on associated files
CN116992439B (en) User behavior habit model determining method, device, equipment and medium
CN116760644B (en) Terminal abnormality judging method, system, storage medium and electronic equipment
CN116910756B (en) Detection method for malicious PE files
CN117077138B (en) Anomaly detection method, system, medium and equipment based on browser
CN117033318B (en) Method and device for generating data to be tested, storage medium and electronic equipment
CN116781389B (en) Determination method of abnormal data list, electronic equipment and storage medium
CN111177704B (en) Binding identification method, binding identification device, binding identification equipment and binding identification medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant