CN117313095B - System and method for real-time monitoring and recording unknown virus behavior track - Google Patents

Info

Publication number
CN117313095B
Authority
CN
China
Prior art keywords
data
behavior
access
database
program
Prior art date
Legal status
Active
Application number
CN202311596341.5A
Other languages
Chinese (zh)
Other versions
CN117313095A (en)
Inventor
邵帅
王晓波
Current Assignee
Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Original Assignee
Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Priority date
Filing date
Publication date
Application filed by Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Priority to CN202311596341.5A
Publication of CN117313095A
Application granted
Publication of CN117313095B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3034 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a storage system, e.g. DASD based or network based
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a system and a method for monitoring and recording unknown virus behavior tracks in real time. An Agent subsystem and a gateway subsystem cooperate, and Hook functions, a virtual database and a disguised database are established on the operating system layer and the standard low-level function library to complete a multi-level data isolation access architecture. This realizes monitoring and collection of the complete data access behavior tracks of all programs, and whole-flow monitoring and recording of the complete data-stealing behavior tracks of unknown viruses, known virus variants and unknown attack means, while preventing the real data from being acquired.

Description

System and method for real-time monitoring and recording unknown virus behavior track
Technical Field
The invention provides a system and a method for monitoring and recording unknown virus behavior tracks in real time, applied in the technical field of data security and protection.
Background
Abbreviations and nouns are explained as follows:
Database: a container that stores data, also known as a data store, capable of holding large amounts of structured and unstructured data of various types, including text, numbers, images, audio, and the like.
Hook: the Chinese term translates as "hook"; it is essentially a program segment that processes messages and is hung into the system through a system call. Each time a particular message is sent, the hook program captures it first, i.e., the hook function gains control first.
Sequence prediction algorithm model: an artificial intelligence algorithm model that predicts future trends by analyzing and modeling historical data.
Model knowledge distillation: a machine learning model compression method that migrates the knowledge of a large model (teacher model) into a smaller model (student model).
As data becomes more valuable, preventing the loss of important, confidential and private data becomes a critical task in data security. For enterprises, minor data loss can cause service interruption, while severe data loss can cause production stoppage and large cost increases, and even leak important research results and key secrets. Loss of personal privacy data may lead to fraud and even life-threatening events.
The existing data leakage prevention means mainly detect and protect at the network security level: for example, a firewall limits data flows according to rules such as access control lists, security policies and IP addresses; a VPN encrypts data during network transmission so that it cannot be accessed by unauthorized users; access control sets an access control mechanism through data and user classification and division of rights, limiting users' access rights to the data; DLP performs mirror analysis on data traffic to automatically discover, collect, classify, audit and monitor sensitive data; and EDR detects known malicious software on the terminal side, identifying it by checking system processes or network traffic so as to isolate and handle the threats.
With the increasing secrecy and intellectualization of attack means, the above technical means still have the following problems:
1. The attack surface is not fully protected, for example against virus variants or unknown viruses, non-network infection, illegal operations by legitimate personnel, stolen account credentials, data theft after a program is hijacked by advanced means, and the like.
2. Network traffic cannot be audited and analyzed after the fact once mirrored, and data transmitted with encryption cannot be effectively detected.
3. The complete behavior track of a variant virus or abnormal program cannot be obtained; for example, EDR kills the process immediately once an abnormality is found, so the subsequent operations of the virus cannot be obtained, such as the frequency of data stealing, the classification and preference of data access types, the track and path of network outgoing after the data is stolen, and the latency from data stealing to outgoing.
Disclosure of Invention
The invention provides a system and a method for monitoring and recording unknown virus behavior tracks in real time. It adopts the structure shown in figure 1, takes data as the protection object, and realizes the following functions by mounting Hook functions on the operating system kernel layer and the standard low-level api function library, completing transparent, non-perceptible audit recording and access conversion when processes access the data.
1. Automatic discovery of data assets: the mainstream relational and non-relational databases of the domestic and foreign industries can be searched and identified, including Oracle, SQLserver, DB, mySQL, cache, sybase, informix, teradata, postgreSQL, highgo, mongoDB, ES, HANA, Dameng (DM 7), Nanguo general (GBase), Hunan Dada Jin Cang, shentong, Langchao KDB, Hunan Shangchu and the like.
2. Multi-level isolation of program data access: (1) real data access by trusted programs; (2) virtual data access by untrusted programs: a simulation database is first created from the data content of the original database in the form of a virtual database, which resides on a virtual disk and whose content is a desensitized backup of the data in the original database; when a program is found to be untrusted, its database access path is transferred to the simulation database through the mounted Hook function of the operating system; (3) when a virus program is found, its access path is transferred to the disguised database through the mounted Hook function of the operating system.
3. Multi-level program abnormal behavior identification: (1) Untrusted program identification: whether a trusted program has abnormal behavior is identified through multi-model association training and reasoning over its data access behavior, and after abnormal behavior is found the program is switched to the untrusted program access principle, which greatly reduces the impact of misjudgment on the service. Identification of the outgoing behavior track after data theft (including temporary hard disk storage, hidden network outgoing and hidden copies to storage peripherals) is added to improve the accuracy of abnormality judgment, so that abnormal and suspicious behavior of a trusted program after dynamic injection and hijacking by a virus can be effectively found; for example, after reading database data, the program creates a file to store the data to disk and then steals and transmits the data outward through hidden network access, transmits it to a USB storage peripheral, or transfers it to other compromised hosts (broilers) for hidden outward transmission. (2) Virus program identification: a complete data decoy access environment is established by placing decoy data in the original database and the simulation database and by building a disguised database consisting entirely of decoy data; when a program touches the decoy data, the legitimacy of the access behavior is identified according to model reasoning and the database access path is switched. The decoy data is produced by an algorithm that fits and simulates the original data, and supports random text such as inserted rows and columns in structured data, decoy files, unstructured data and the like.
4. Whole-flow monitoring of program data access behavior tracks: at the kernel and low-level api function library levels, the whole flow of data access by all programs is recorded, including data scanning and detection, data stealing access (file creation, reading, writing, deletion, linking, modification and renaming), hidden network/peripheral external connections and hidden outward sending of data, and is correlated in terms of access operations and behavior, including function call relations, memory access tracks, disk IO access tracks, network access tracks, peripheral access tracks and the like, so as to obtain the whole-flow behavior track information of trusted programs, untrusted programs and virus programs.
Fig. 2 shows the system for monitoring and recording an unknown virus behavior track in real time disclosed by the invention. It comprises a server Agent subsystem (hereinafter the Agent) and a gateway management subsystem (hereinafter the gateway). The Agent comprises a data discovery module, a kernel Hook module, a behavior monitoring module, a behavior collection reporting module, a behavior model reasoning module and a virtual database module; the gateway comprises a function configuration module, a behavior information recording module, a behavior learning training module, a log alarm module, an Agent data synchronization module and a database module.
Specifically, the Agent includes the following modules:
1. Data discovery module: automatically searches for and finds the databases and data files on the server, supporting the mainstream relational and non-relational databases of the domestic and foreign industries, including Oracle, SQLserver, DB, mySQL, cache, sybase, informix, teradata, postgreSQL, highgo, MongoDB, ES, HANA, Dameng (DM 7), Nanfu (GBase), Hunan Dacron Jin Cang, shentong, Langchao KDB, Hunan Shangquan and the like.
2. Kernel Hook module: mounts the behavior monitoring processing code into the operating system kernel, based on the function replacement calling mechanism of a kernel ko module and the file, network, system and memory mount monitoring mechanisms of eBPF.
3. Behavior monitoring module: collects, in real time, the behavior information of programs accessing files and data, including the various access behavior information on data, files, memory, hard disk and network, as well as the function accesses, access sizes and durations of the kernel and low-level api function libraries such as glibc; the function call relation of the whole flow is tracked and recorded, and all behavior information is passed to the behavior collection reporting module.
4. Behavior collection reporting module: packages the behavior information into the communication interface format through mechanisms such as queue caching and message merging and packaging, and reports it to the gateway management subsystem.
5. Behavior model reasoning module: performs reasoning analysis on the behavior data recorded by the behavior monitoring module according to the behavior model issued by the gateway, to obtain a normal or abnormal judgment result.
6. Virtual database module: creates a virtual disk on the server where the Agent is deployed and, according to the database types and data file distribution obtained by the data discovery module or issued by the gateway, backs up and desensitizes the original data in combination with the sensitive field formats to obtain the simulation database and the disguised database.
Specifically, the gateway comprises the following modules:
1. Function configuration module: provides the user with a flexible security policy configuration interface, which can be a graphical interface or a command line, covering all function configurations, such as recommendation and manual confirmation after model reasoning on trusted programs, untrusted programs and virus programs, manual and automatic start of model training, start of data discovery, and the like.
2. Behavior information recording module: converts the various message interface data formats reported by the Agent into the structured format of the database and stores them in the database module.
3. Database module: persistently stores the function configuration data and the program behavior information reported by the Agent, so that the history is not lost after the system is restarted.
4. Behavior learning training module: performs association analysis on the behavior data of each terminal received from all Agents to obtain the process behavior data required for process behavior baseline learning, and finally obtains a process behavior profile model applicable to all Agent terminals;
during training a multi-algorithm association model is adopted, comprising a self-adaptive dynamic regular algorithm model that dynamically adjusts parameters according to newly recorded data, a sequence prediction algorithm model that predicts the attack behavior trend of viruses, a multi-mode association recognition algorithm model that recognizes the different access behavior information and function call relations generated by different virus variants, and a graph theory algorithm that constructs a multi-dimensional (function access track, function call relation, memory, hard disk, data, file, network and peripheral) relationship graph, so as to obtain the forward access behavior relationship graph of all trusted programs accessing the data, the abnormal access behavior relationship graph of untrusted programs, and the interactive access behavior relationship graph of virus programs with the attack object in the data server, their whole attack track process and the hidden outward transmission of data, which includes storage peripherals.
5. Agent data synchronization module: sends the configuration data and model data to the Agent on configuration change or on a timer, ensuring that the Agent uses the latest configuration and model and stays consistent with the gateway.
6. Log alarm module: formats the abnormal behavior reported by the Agent into a structured form and sends it to the database module for record storage, to be used for subsequent audit and tracing.
The invention also provides a method for monitoring and recording the unknown virus behavior track in real time, which uses the above system: the gateway is deployed independently, and the Agents are deployed together with the database servers (both Windows and Linux are supported), as shown in figure 3.
After the Agent is deployed, it starts data discovery according to the configuration strategy issued by the gateway and reports the discovered databases and data files to the gateway management subsystem. The gateway displays the information to the user, who starts the establishment of the simulation database and the disguised database on that basis; the gateway automatically notifies the Agent, which establishes the virtual disk environment and starts data reading, backup and desensitization to complete both databases. The Agent then mounts the Hook functions of the kernel and the low-level function library, completes installation and deployment of the behavior monitoring module, and monitors and collects the data access behavior of all programs. The monitored program information is reported to the gateway, which stores the program behavior information in its database and displays it to the user; after the user confirms manually or the running time is reached, the trusted processes are issued to the Agent, which then switches those trusted processes to access the real database.
When the behavior information received by the gateway reaches a certain amount or learning time, the behavior learning training module starts multi-algorithm model association training; after training, model distillation is performed to reduce the model scale and improve running performance. The model is issued to the Agent through the Agent data synchronization module; the Agent stores it locally and starts receiving the behavior information of the behavior monitoring module for reasoning and judgment. If a trusted process shows abnormal behavior, it is set as a suspicious process and switched to access the simulation database, while its access behavior continues to be monitored and reported to the gateway; once it is found to touch decoy data, it is set as a virus program and switched to access the disguised database. In this way, for unknown viruses, known virus variants and unknown attack means, whole-flow monitoring and recording of the complete data-stealing behavior track is realized while the real data is prevented from being acquired.
The gateway performs association analysis on all behaviors of the same abnormal process, including data and file access functions and behaviors, memory access functions and behaviors, storage access functions and behaviors, network access functions and behaviors, peripheral access functions and behaviors, and the time sequences and call relations among them, so that the attacker's external addresses or peripheral access behaviors are traced and the complete behavior information, time sequence and attack surface track information are obtained.
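As an added illustration of the association analysis described above (not the patent's own code), the following Python groups the reported events of one abnormal process into a time-ordered track and derives the items the description lists: stealing frequency, access-type preference, external addresses, peripheral accesses and the latency from the first data read to the first outgoing step. The JSON record layout, its field names and the sample records are constructed assumptions.

```python
"""Gateway-side association analysis of one abnormal process (added example).

Not the patent's own code: it takes the structured behavior records the gateway
has stored for an Agent, groups those of a single pid, orders them in time and
derives the trace items the description lists. The record layout, field names
and the sample records are assumptions constructed for this illustration.
"""
import json
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed Agent reports, one JSON record per hooked call (not captured data).
SAMPLE_REPORTS = """
{"pid": 4242, "ts": 100.0, "kind": "data", "op": "read", "target": "customers.ssn"}
{"pid": 4242, "ts": 100.5, "kind": "data", "op": "read", "target": "customers.card"}
{"pid": 4242, "ts": 101.0, "kind": "file", "op": "create", "target": "/tmp/.cache/x.bin"}
{"pid": 4242, "ts": 101.2, "kind": "memory", "op": "mmap", "target": "0x7f0000000000"}
{"pid": 4242, "ts": 130.0, "kind": "network", "op": "connect", "target": "203.0.113.7:443"}
{"pid": 4242, "ts": 131.0, "kind": "network", "op": "send", "target": "203.0.113.7:443"}
{"pid": 4242, "ts": 200.0, "kind": "peripheral", "op": "write", "target": "/media/usb0/x.bin"}
{"pid": 777, "ts": 105.0, "kind": "data", "op": "read", "target": "orders.id"}
"""

# (kind, op) pairs that count as a hidden outgoing step: network or storage peripheral.
OUTGOING = {("network", "connect"), ("network", "send"), ("peripheral", "write")}


def parse_reports(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON records as the behavior information recording module stores them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def associate(reports: List[Dict[str, Any]], pid: int) -> Dict[str, Any]:
    """Build the whole-flow behavior track of one process from its reported events."""
    events = sorted((r for r in reports if r["pid"] == pid), key=lambda r: r["ts"])
    reads = [e for e in events if e["kind"] == "data" and e["op"] == "read"]
    outgoing = [e for e in events if (e["kind"], e["op"]) in OUTGOING]

    # Access-type preference: which tables are read, counted at table level ("customers.ssn" -> "customers").
    preference = Counter(e["target"].split(".", 1)[0] for e in reads)

    # Latency from the first data read to the first outgoing step, in the report's time units.
    latency: Optional[float] = None
    if reads and outgoing:
        latency = outgoing[0]["ts"] - reads[0]["ts"]

    return {
        "pid": pid,
        # Time-ordered call sequence: the basis for the call relation and attack surface track.
        "timeline": [(e["ts"], e["kind"], e["op"], e["target"]) for e in events],
        "steal_count": len(reads),
        "preference": dict(preference),
        "external_addresses": sorted({e["target"] for e in events if e["kind"] == "network"}),
        "peripherals": sorted({e["target"] for e in events if e["kind"] == "peripheral"}),
        "steal_to_outgoing_latency": latency,
    }


def abnormal_pids(reports: List[Dict[str, Any]]) -> List[int]:
    """Processes whose first outgoing step follows at least one data read."""
    result = []
    for pid in sorted({r["pid"] for r in reports}):
        track = associate(reports, pid)
        latency = track["steal_to_outgoing_latency"]
        if track["steal_count"] and latency is not None and latency >= 0:
            result.append(pid)
    return result


if __name__ == "__main__":
    data = parse_reports(SAMPLE_REPORTS)
    for pid in abnormal_pids(data):
        print(json.dumps(associate(data, pid), indent=2))
```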
Compared with the prior art, the invention has the beneficial effects that:
1. The simulation database and the disguised database are established through virtual disk, database simulation, data desensitization and data decoy technologies; through the operating system kernel and the Hook technology of the low-level API library, whole-flow behavior monitoring and recording of programs illegally accessing data is realized while ensuring the data is not stolen, tampered with or damaged.
2. The multi-algorithm association model based on the self-adaptive dynamic regular algorithm, the sequence prediction algorithm, the multi-mode association recognition algorithm and the graph theory algorithm greatly improves prediction accuracy and lowers the misjudgment rate for illegal behaviors.
3. Based on the whole-flow behavior information recorded for programs accessing data, the multi-algorithm association model further improves the reasoning and prediction accuracy for viruses and untrusted programs, so virus variants and novel viruses can be effectively identified at each stage of a program's attack on the data.
Drawings
FIG. 1 is a schematic diagram of a multi-level program data access architecture according to the present invention.
FIG. 2 is a schematic diagram of a system and subsystem module architecture according to the present invention.
FIG. 3 is a schematic diagram of a system deployment according to the present invention.
Detailed Description
The system is deployed in the database access network: the gateway subsystem is deployed on a separate device, and the Agent subsystem is deployed on the server where the database resides, completing protection of the database.
1. After the gateway subsystem starts, it performs function configuration; the configuration data is stored in the database module, distributed to each module in the gateway and sent to the Agent subsystem through the Agent data synchronization module, so that the functions can be used normally without reconfiguration after the gateway subsystem is restarted.
2. The Agent subsystem starts together with the server where the database resides and obtains the function configuration parameters through network interface communication with the gateway subsystem; after acquisition it starts the corresponding functions according to the configuration strategy issued by the gateway subsystem.
3. Data discovery function: according to the start switch issued by the gateway, the Agent reports the discovered databases and data files to the gateway management subsystem, which displays the information to the user after receiving it.
4. According to the function configuration issued by the gateway, the Agent subsystem establishes a virtual disk environment, starts data reading, backup and desensitization for the discovered databases and data files, and completes establishment of the simulation database and the disguised database.
5. Program behavior monitoring function: the Agent starts it automatically according to the database server environment and, by mounting the kernel and low-level function library Hook functions, monitors, when a program operates on data, the kernel functions and low-level api function library calls used, their time sequence and relations, the memory access functions and behavior, the network access functions and behavior, and the time sequence and call relations among them; the collected program type and behavior information is reported to the gateway subsystem.
6. Program behavior learning training: the gateway stores the program behavior information received from the Agent in the database in a structured format. When the behavior information records reach a certain amount or learning time, the behavior learning training module starts multi-algorithm model association training: the self-adaptive dynamic regular algorithm model dynamically adjusts parameters according to newly recorded data, the sequence prediction algorithm model predicts the attack behavior trend of viruses, the multi-mode association recognition algorithm model recognizes the different access behavior information and function call relations generated by different virus variants, and the graph theory algorithm constructs a multi-dimensional data access relation graph, so as to obtain the forward access behavior relation graph of all trusted programs accessing the data, the abnormal access behavior relation graph of untrusted programs, and the interactive access behavior relation graph of virus programs with the data object, their whole attack track process and the hidden outward transmission of data (including to storage peripherals and over the network). After training is completed, the forward and reverse models of trusted programs are established, the models are issued to the Agent for inference processing, and the Agent stores the models locally.
7. The gateway analyzes the program type and associated access behavior from the behavior information reported by the Agent and presents them to the user as a web page through the function configuration module; after the user completes the trusted process configuration on the web page, the Agent subsystem is automatically notified and saves the program's trusted configuration for use in subsequent behavior judgment results.
8. When a program accesses data for the first time, it is handled at the untrusted program level: the program behavior monitoring module redirects its access path to the simulation database, and at the same time a trustworthiness judgment is made according to the configuration issued by the gateway and AI model reasoning over the access behavior, with different handling according to the result:
8.1 For a trusted process, when the program behavior monitoring module finds that it needs to access protected data, it allows access to the original database while still monitoring the whole of its program access behavior, and the behavior information is inferred and predicted by the behavior model reasoning module. If the trusted process is found to match an abnormal behavior model, or touches a data decoy or file decoy in the simulation database, its data access path is switched to the disguised database; if it does not match the forward behavior model, the program is identified as an untrusted program and its data access path is switched to the virtual database.
8.2 For an untrusted process, the access path is redirected to the simulation database while the complete program access behavior information and track are monitored and recorded; if it is found to match the abnormal behavior model or touches a data decoy or file decoy in the simulation database, the program is judged to be a virus program.
8.3 For a virus program, the access path is redirected to the disguised database while its complete program access behavior information and track are still monitored and recorded.
9. Whether the program is a trusted program, an untrusted program or a virus program, its data access functions and behavior, memory access functions and behavior, storage access functions and behavior, network access functions and behavior, and the time sequence and call relations among them are all recorded, so that a complete chain record of behavior information, time sequence and attack surface path is obtained and reported to the gateway for storage. This record serves, first, as a sample for retraining the behavior model; second, for analyzing specific viruses and their families, with the specific information displayed to the user in real time on the gateway's web page; and finally, the recorded historical data can be used for trace queries.
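The access path switching of steps 8 to 8.3, as an added Python illustration that is not the patent's own code: a process starts at the untrusted level (simulation database), is promoted to the real database after gateway confirmation, and is demoted when it misses the forward behavior model, matches an abnormal behavior model, or touches decoy data. The event fields, the two model predicates and the decoy names are assumptions standing in for the behavior model reasoning module.

```python
"""Multi-level access path switching from steps 8 to 8.3 (added illustration).

Not the patent's own code. The forward/abnormal model predicates are assumed
stand-ins for the behavior model reasoning module; the decoy names, event
fields and the scenario in demo() are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class Level(Enum):
    TRUSTED = "trusted"      # routed to the real database
    UNTRUSTED = "untrusted"  # routed to the simulation database (desensitized backup)
    VIRUS = "virus"          # routed to the disguised database (all decoy data)


# Backing store each level is redirected to by the Hook function.
ROUTE = {Level.TRUSTED: "real_db", Level.UNTRUSTED: "simulation_db", Level.VIRUS: "disguised_db"}

# Operations the (assumed) forward behavior model of an ordinary client allows.
FORWARD_OPS = {"open", "read", "write", "close"}


@dataclass
class AccessEvent:
    pid: int
    op: str      # hooked operation, e.g. "read", "create", "net_send", "usb_write"
    target: str  # table, file path or remote address
    ts: float


@dataclass
class ProcessState:
    pid: int
    level: Level
    track: List[AccessEvent] = field(default_factory=list)  # whole-flow record, never discarded


def matches_forward_model(track: List[AccessEvent]) -> bool:
    """Assumed forward model: every recorded operation is an ordinary data operation."""
    return all(ev.op in FORWARD_OPS for ev in track)


def matches_abnormal_model(track: List[AccessEvent]) -> bool:
    """Assumed abnormal model: a data read followed later by a hidden network or peripheral outgoing."""
    seen_read = False
    for ev in track:
        if ev.op == "read":
            seen_read = True
        elif seen_read and ev.op in ("net_send", "usb_write"):
            return True
    return False


class AccessRouter:
    def __init__(self, decoys: Set[str],
                 forward: Callable[[List[AccessEvent]], bool] = matches_forward_model,
                 abnormal: Callable[[List[AccessEvent]], bool] = matches_abnormal_model):
        self.decoys = decoys
        self.forward = forward
        self.abnormal = abnormal
        self.procs: Dict[int, ProcessState] = {}

    def _state(self, pid: int) -> ProcessState:
        # Step 8: a process seen for the first time is handled at the untrusted level.
        return self.procs.setdefault(pid, ProcessState(pid, Level.UNTRUSTED))

    def confirm_trusted(self, pid: int) -> None:
        """Step 7: user confirmation issued by the gateway switches the process to the real database."""
        st = self._state(pid)
        if st.level is Level.UNTRUSTED:
            st.level = Level.TRUSTED

    def handle(self, ev: AccessEvent) -> str:
        """Record the event, re-evaluate the level, and return the store the access is routed to."""
        st = self._state(ev.pid)
        st.track.append(ev)
        touched_decoy = ev.target in self.decoys
        if st.level is Level.TRUSTED:
            # 8.1: abnormal model or decoy touch -> disguised database;
            #      forward model not matched -> untrusted, i.e. the simulation database.
            if touched_decoy or self.abnormal(st.track):
                st.level = Level.VIRUS
            elif not self.forward(st.track):
                st.level = Level.UNTRUSTED
        elif st.level is Level.UNTRUSTED:
            # 8.2: abnormal model or decoy touch while on the simulation database -> virus program.
            if touched_decoy or self.abnormal(st.track):
                st.level = Level.VIRUS
        # 8.3: a virus program stays on the disguised database; its track is still recorded.
        return ROUTE[st.level]


def demo() -> List[str]:
    """Constructed scenario: a confirmed-trusted process is hijacked; a fresh process hits a decoy."""
    router = AccessRouter(decoys={"decoy_accounts"})
    routes = []
    routes.append(router.handle(AccessEvent(100, "read", "customers", 1.0)))            # first sight
    router.confirm_trusted(100)
    routes.append(router.handle(AccessEvent(100, "read", "customers", 2.0)))            # trusted
    routes.append(router.handle(AccessEvent(100, "create", "/tmp/dump.bin", 3.0)))      # off baseline
    routes.append(router.handle(AccessEvent(100, "net_send", "203.0.113.5:443", 4.0)))  # read then send
    routes.append(router.handle(AccessEvent(200, "read", "decoy_accounts", 5.0)))       # decoy touch
    return routes


if __name__ == "__main__":
    print(demo())
```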
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (5)

1. A system for monitoring and recording unknown virus behavior tracks in real time, characterized in that it comprises an Agent subsystem and a gateway subsystem, wherein the Agent subsystem is deployed on the database server and the gateway subsystem is deployed in the database server network as an independent device;
the Agent subsystem comprises:
A. a data discovery module: automatically searches for and discovers the databases and data files on the server, supporting the mainstream relational and non-relational databases used in domestic and foreign industries;
B. a kernel Hook module: based on the function-replacement calling mechanism of a kernel module (ko) and the file, network, system and memory mount-point monitoring mechanisms of eBPF, mounts the behavior monitoring processing code into the operating system kernel;
C. a behavior monitoring module: collects in real time the behavior information of programs accessing files and data, including all behavior aimed at data, files, memory, hard disks and networks, the access functions, access sizes and access durations of the kernel and the underlying API function libraries, the function call relations and the access trajectory of the whole flow, and passes all of this behavior information to the behavior collection reporting module; at the same time it passes the access behavior information to the behavior model reasoning module, obtains the judgment of whether the program is a trusted program, an untrusted program or a virus program, and switches the database access path of untrusted and virus programs;
D. a behavior collection reporting module: packages the behavior information into the communication interface format through a queue cache and a message merging and packaging mechanism, and reports it to the gateway management subsystem;
E. a behavior model reasoning module: performs inference analysis on the behavior data recorded by the behavior monitoring module according to the behavior model issued by the gateway management subsystem, and obtains the judgment of whether the program is trusted, untrusted or a virus program;
F. a virtual database module: creates a virtual disk on the server where the Agent is deployed and, according to the database type and data file distribution obtained by the data discovery module or issued by the gateway management subsystem, combined with the formats of the sensitive fields, desensitizes the original data and uses a fitting simulation algorithm to generate the simulation database and the disguised database;
the gateway management subsystem comprises:
A. a function configuration module: provides the user with a flexible security policy configuration interface, in graphical or command-line form, covering all function configuration, including recommendation and manual confirmation of the trusted, untrusted and virus program model inference results, starting manual and automatic model training, and starting data discovery;
B. a behavior information recording module: converts the various message interface data formats reported by the Agent into the structured format of the database and stores them in the database module;
C. a database module: responsible for persistently storing the function configuration data and the program behavior information reported by the Agent, so that historical configuration and records are not lost after the system restarts;
D. a behavior learning training module: performs association analysis on the behavior data of each terminal received from all Agents, tracks the whole-flow behavior data of programs, and uses a multi-algorithm association model algorithm to finally obtain a process behavior profile model applicable to all Agent subsystems;
E. an Agent data synchronization module: issues the configuration data and model data of the gateway management subsystem to the Agents, triggered by configuration changes and on a timer, ensuring that the Agents use the latest configuration and model and remain consistent with each other;
F. a log alarm module: processes the abnormal behavior discovered and reported by the Agent into a structured format, sends it to the database module for storage, and provides it to the user through the Web page for querying and displaying program behavior history and behavior tracks, for use in subsequent audit tracing.
2. The system for monitoring and recording unknown virus behavior tracks in real time according to claim 1, wherein the behavior learning training module and the behavior model reasoning module adopt a multi-algorithm association model, the multi-algorithm association training module comprising: an adaptive dynamic adjustment algorithm model, which dynamically adjusts parameters according to newly recorded data; a sequence prediction algorithm model, which predicts the attack behavior trend of a virus; a multi-mode association recognition algorithm model, which recognizes the different access behavior information and different function call relations generated by different virus variants; and a graph theory algorithm, which constructs a multi-dimensional relationship graph comprising the relationships among function access tracks, function call relations, memory access, hard disk access, data and file access, network access and peripheral access, so as to obtain the forward access behavior graph of all trusted programs accessing data, the abnormal access behavior graph of untrusted programs and, for virus programs, the data theft targets on the data server, the whole hidden-track process, the hidden data exfiltration graph and the interactive access behavior relationship with the network, wherein hidden data exfiltration includes exfiltration via storage peripherals.
3. The system for real-time monitoring and recording of unknown virus behavior tracks according to claim 1, wherein a multi-level program isolation access architecture is adopted based on kernel-level Hook function mounting: trusted programs access the real database, untrusted programs access the simulation database and virus programs access the disguised database; the access behavior of programs is inferred in real time through the AI multi-algorithm association model to obtain the trustworthiness of each access, and the original, simulation and disguised databases are switched according to whether the program is identified as trusted, untrusted or a virus program, so that data leakage is prevented.
4. The system for real-time monitoring and recording of unknown virus behavior tracks according to claim 1, wherein, based on kernel-level Hook function mounting, whole-flow track monitoring and recording of program data access behavior is realized, the data access behavior including data scanning and probing, data theft access, hidden external connection access via the network and peripherals, and hidden data exfiltration; and, based on the multi-level program isolation access architecture, the forward access behavior information of trusted programs and the abnormal access behavior information of untrusted programs are monitored and recorded without data being leaked, while for unknown viruses, known virus variants and unknown attack means the complete data access behavior track, attack track process, hidden data exfiltration and interactive access behavior with the network are monitored and recorded, the hidden data exfiltration including exfiltration via storage peripherals.
5. A method for monitoring unknown virus behavior tracks in real time, characterized in that it uses the system for monitoring unknown virus behavior tracks in real time according to any one of claims 1 to 4 and comprises the following steps:
Step 1: after the Agent is deployed, it automatically completes data asset discovery and reports the asset information to the gateway; the gateway receives it and displays it to the user; the user starts the creation of the simulation database and the disguised database according to the displayed information; the gateway automatically notifies the Agent subsystem to create the virtual disk environment, start reading, backing up and desensitizing the data, and complete the creation of the simulation and disguised databases;
Step 2: the Agent mounts the Hook functions of the kernel and the underlying function libraries, completes installation and deployment of the behavior monitoring module, and realizes monitoring and collection of the data access behavior information of all programs;
Step 3: the Agent automatically reports the monitored program information to the gateway; the gateway receives it and displays it to the user; after the user confirms manually or the configured running time is reached, the gateway issues the list of trusted processes to the Agent;
Step 4: the gateway starts multi-algorithm model association training according to the configuration, performs model distillation and compression after training is complete, and issues the model to the Agent through the Agent data synchronization module;
Step 5: the Agent performs real-time inference according to the model and the monitored access behavior, combined with the multi-level data isolation access architecture: if a trusted process is found to exhibit abnormal behavior, it is set as an untrusted process and switched to access the simulation database; when the high-risk behavior of touching decoy data is found, the process is set as a virus process and switched to access the disguised database, so that the complete data access behavior track of all programs is monitored and recorded throughout;
Step 6: the gateway performs association analysis on all behaviors of the same process, including data access functions and behavior, memory access functions and behavior, storage access functions and behavior, network access functions and behavior, peripheral access functions and behavior, and the time sequence and calling relations among them, and traces the external addresses or peripherals accessed by the virus program, thereby obtaining complete behavior information, time sequence and attack-surface track information.
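Module F of the Agent subsystem and Step 1 of the method describe the simulation database as original data desensitized according to the format of its sensitive fields, with decoys planted in it (Steps 5 and 8.1 to 8.2 rely on a decoy touch being recognisable). The Python below is an added example, not the applicant's code, of one way to do that: a format-preserving desensitisation that keeps length, case class and punctuation so the copy still looks like a phone number, e-mail address or ID number, plus decoy rows recorded in a side index that the monitoring module can consult when a row is read. The schema, sample rows, key, and the assumption that every table's primary key column is named "id" are constructed for the illustration; the page does not specify the fitting algorithm, and the HMAC-based substitution here is a stand-in.

```python
"""Added example (not from the patent): generate a simulation database from
real rows by format-preserving desensitisation and seed it with decoy rows.
Schema, rows, key and the "id" primary-key assumption are constructed."""
import hashlib
import hmac
import string
from typing import Dict, Iterator, List, Set, Tuple

KEY = b"per-deployment-secret"  # assumed; would be generated and rotated by the gateway

Row = Dict[str, object]
DecoyIndex = Set[Tuple[str, object]]   # (table, row id) pairs


def _byte_stream(value: str, key: bytes) -> Iterator[int]:
    """Deterministic bytes from HMAC-SHA256(key, value || counter). The same
    input always maps to the same output, so a desensitised value that is used
    as a foreign key still joins correctly across tables."""
    counter = 0
    while True:
        msg = value.encode("utf-8") + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def desensitize(value: str, key: bytes = KEY) -> str:
    """Replace each digit with a digit and each ASCII letter with a letter of
    the same case; length and punctuation are kept, so the copy has the shape
    a client (or a scanner) expects from the real field."""
    src = _byte_stream(value, key)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(string.digits[next(src) % 10])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[next(src) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[next(src) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shape(value: str) -> str:
    """Format class of a string: digits -> 9, lower -> a, upper -> A, rest kept."""
    return "".join("9" if c.isdigit() else "a" if c.islower() else
                   "A" if c.isupper() else c for c in value)


def same_shape(a: str, b: str) -> bool:
    return shape(a) == shape(b)


def make_decoy(template: Row, cols: Set[str], table: str, n: int, key: bytes) -> Row:
    """A decoy row shaped like a real one, but derived under a different key so
    it never equals a real record or its desensitised copy; non-sensitive
    columns are copied from the template so the row stays plausible."""
    decoy_key = key + f":decoy:{table}:{n}".encode()
    return {c: desensitize(v, decoy_key) if c in cols and isinstance(v, str) else v
            for c, v in template.items()}


def build_simulation_db(tables: Dict[str, List[Row]], sensitive: Dict[str, Set[str]],
                        key: bytes = KEY, decoys_per_table: int = 1
                        ) -> Tuple[Dict[str, List[Row]], DecoyIndex]:
    """Desensitise the sensitive columns of every (non-empty) table and append
    decoy rows; return the simulation tables and the decoy index."""
    sim: Dict[str, List[Row]] = {}
    decoys: DecoyIndex = set()
    for table, rows in tables.items():
        cols = sensitive.get(table, set())
        out = [{c: desensitize(v, key) if c in cols and isinstance(v, str) else v
                for c, v in r.items()} for r in rows]
        next_id = max(r["id"] for r in rows) + 1000   # keep decoy ids clear of real ones
        for n in range(decoys_per_table):
            d = make_decoy(rows[0], cols, table, n, key)
            d["id"] = next_id + n
            out.append(d)
            decoys.add((table, d["id"]))
        sim[table] = out
    return sim, decoys


def is_decoy(table: str, row_id: object, decoys: DecoyIndex) -> bool:
    """What the behaviour monitoring module asks when a program reads a row."""
    return (table, row_id) in decoys


SAMPLE_TABLES: Dict[str, List[Row]] = {  # constructed rows, not real customer data
    "customers": [
        {"id": 1, "name": "Li Wei", "phone": "138-0013-8000",
         "email": "li.wei@example.com", "id_number": "11010119900307001X", "tier": "gold"},
        {"id": 2, "name": "Zhang Min", "phone": "139-0013-9000",
         "email": "zhang.min@example.com", "id_number": "110101198512120123", "tier": "silver"},
    ],
    "orders": [{"id": 10, "customer_id": 1, "amount": 199.0}],
}
SENSITIVE = {"customers": {"name", "phone", "email", "id_number"}}

if __name__ == "__main__":
    sim, decoys = build_simulation_db(SAMPLE_TABLES, SENSITIVE)
    for table, rows in sim.items():
        for r in rows:
            print(table, "DECOY" if is_decoy(table, r["id"], decoys) else "     ", r)
```

The decoy index is the part that makes the decoy usable: the decoy rows must be indistinguishable from real ones to the program reading them, so the thing that distinguishes them has to live outside the data, in state only the Agent holds. Keeping the substitution deterministic per deployment is what lets a desensitised identifier that appears in two tables still match after the copy, which a "fitting" copy needs if joins across it are to behave like the original.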
CN202311596341.5A 2023-11-28 2023-11-28 System and method for real-time monitoring and recording unknown virus behavior track Active CN117313095B (en)

Publications (2)

Publication Number Publication Date
CN117313095A CN117313095A (en) 2023-12-29
CN117313095B true CN117313095B (en) 2024-02-13

Family

ID=89250188

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on program behaviour analysis
CN108768960A (en) * 2018-05-10 2018-11-06 腾讯科技(深圳)有限公司 Method for detecting virus, device, storage medium and computer equipment
CN111277539A (en) * 2018-11-16 2020-06-12 慧盾信息安全科技(苏州)股份有限公司 Server ransomware protection system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9516054B2 (en) * 2014-04-14 2016-12-06 Trap Data Security Ltd. System and method for cyber threats detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A Real-Time and Adaptive-Learning Malware Detection Method Based on API-Pair Graph; Shaojie Yang et al.; IEEE; full text *
Malware similarity measurement method based on multiple heterogeneous graphs (基于多重异质图的恶意软件相似性度量方法); Gu Yonghao et al.; Journal of Software (软件学报); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant