CN117834198A - Analysis method and system for detecting abnormal program of host - Google Patents


Info

Publication number
CN117834198A
Authority
CN
China
Prior art keywords
abnormal
module
processes
analysis
log
Legal status
Pending
Application number
CN202311703151.9A
Other languages
Chinese (zh)
Inventor
张枫漳
温晓英
施素玲
Current Assignee
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an analysis method and system for detecting abnormal programs of a host, belonging to the field of computers. The method comprises the following steps: analyzing and detecting abnormal processes; dynamically adjusting the CPU and memory usage thresholds according to the system load, analyzing the processes that exceed the thresholds, and uploading their process IDs and names to an ES log; analyzing process network traffic by process traffic feature matching, judging whether it contains traffic to overseas IPs and ports, and uploading the process IDs and names of the suspicious information to the ES log; finding hidden processes by timed inspection and uploading the corresponding process names and IDs; periodically scanning the executable files of processes with a sensitive process model and uploading the relevant information; and finally carrying out an overall statistical analysis of the threshold-exceeding, abnormal-traffic, hidden-process and malicious-feature information by a layer-sequence progressive method, setting a score for each module, grading and ranking the associated process IDs, and producing detailed statistics and a display.

Description

Analysis method and system for detecting abnormal program of host
Technical Field
The invention belongs to the field of big data/AI, and particularly relates to an analysis method and an analysis system for detecting abnormal programs of a host.
Background
Computer viruses and malware threats have become an important issue in the internet age today. These programs may have serious consequences such as user data leakage, system crashes, network disruption, etc., and conventional security software, such as antivirus software and firewalls, can detect and block some known viruses and malicious programs, but have relatively weak detection and prevention capabilities for unknown or variant viruses and malicious programs, and have great limitations.
The Chinese patent with authorization announcement number CN105491055B discloses a network host abnormal event detection method based on a mobile agent, in which a host data acquisition and analysis mobile agent is dispatched to a sensitive process according to the detection result of a monitoring system and executes data acquisition and security analysis tasks. First, host resource information, including CPU utilization, hard disk IO, network traffic, system processes, memory utilization and the like, is collected in the target host through the mobile agent; a black-and-white list method is used to judge whether an illegal process exists, a NetFlow model is used to extract traffic characteristics, which are compared with the normal pattern to judge whether abnormal traffic exists, and a multi-source information fusion method is used to fuse and analyze the host information to judge whether an abnormality exists; according to the analysis result, a dynamic isolation management and control strategy is applied to the abnormal host to reduce the security threat it poses to other network hosts. The host data collection and abnormal behavior detection method of that patent is simple and efficient, has a small data collection and analysis workload, and can be applied online in real time.
As another example, the Chinese patent with authorization announcement number CN109918902B discloses a method and a system for identifying abnormal behavior of a host. The method includes: acquiring host data and the data of other hosts in the group to which the host belongs; judging whether the host has abnormal behaviors according to the host data, the data of the other hosts in its group and a preset model; if the host has abnormal behaviors, judging whether it has malicious behaviors according to a preset malicious behavior library; if the host has malicious behaviors, sending first prompt information to the user and obtaining the danger level of the host from the number of its abnormal behaviors; if the host has no malicious behaviors, sending second prompt information to the user. The method and system achieve timely and active detection of abnormal host behavior and avoid the loss caused to users when abnormal behavior cannot be detected in time.
The above prior art has the following problems: 1) For unknown or variant viruses and malicious programs, the detection and prevention capability is relatively weak; 2) Model extensibility is low.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an analysis method and an analysis system for detecting a host abnormal program, which dynamically adjust CPU and memory use thresholds according to system loads, analyze whether an overseas IP and port flow, a hidden process and a malicious process are contained in a process, upload IDs and names of related processes to an ES log, analyze summarized statistical information by adopting a layer sequence progressive method, score and rank alarm related process IDs, and perform detailed statistical display.
In order to achieve the above purpose, the present invention provides the following technical solutions:
an analysis method for detecting abnormal programs of a host, comprising:
step S1: filtering out normally used processes by setting a process white list;
step S2: according to the system load, dynamically adjusting the CPU and memory thresholds through the baseboard management controller (BMC), and uploading the process IDs and names that exceed the thresholds to an ES log;
step S3: analyzing the process network flow by utilizing process flow characteristic matching, comparing the process network flow with a normal mode to judge whether abnormal flow exists, and uploading a process ID and a name of abnormal flow information to an ES log;
step S4: checking whether a hidden process exists or not at regular time, and uploading the ID and the name of the hidden process to an ES log;
step S5: the method comprises the steps of periodically scanning an executable file of a process by using a sensitive process model, and uploading a process ID and a name with malicious features to an ES log;
step S6: and carrying out total statistics analysis on information exceeding a threshold value, abnormal flow, hidden and malicious characteristics by adopting a layer sequence progressive method, setting a score for each module, grading and displaying associated process IDs, and timely sending notification to suspicious processes.
Specifically, the specific steps of the step S1 include: judging whether an illegal process exists by adopting a process black-and-white list matching method, and if the illegal process exists, adding the illegal process into an abnormal process list.
Specifically, the specific steps of the step S2 include:
step S201: acquiring the number of correctable ECC errors recorded by the CPU through the baseboard management controller (BMC);
step S202: setting a monitoring threshold, and prompting the system administrator to take measures when the number of memory correctable ECC errors exceeds the threshold.
Specifically, the abnormal traffic information in step S3 includes: traffic data analyzed by source IP address, destination IP address, source port number, destination port number, layer three protocol type, type of service (TOS) byte, and the logical port of the network device on which the traffic enters or leaves.
Specifically, the specific steps of the step S3 include:
step S301: acquiring a network message IP packet structure by using a packet grabbing Libpcap library;
step S302: using a Wireshark network analysis tool, resolving out the five-tuple of the IP packet: source address, destination address, source port, destination port, protocol number information and flow size of current message;
step S303: extracting process flow characteristics, searching an inode number corresponding to a key formed by five-tuple in a ConnInode Hash cache table, and if the inode number does not exist, re-reading and refreshing the cache table to establish new mapping with the inode;
step S304: establishing a process flow characteristic library, traversing, filtering interface flow information, refreshing a cache table, establishing mapping between index nodes and processes, and storing flow characteristics related to the index nodes and the processes;
step S305: according to a matching algorithm, searching the corresponding process of the inode number in the ConnInode Hash cache table, comparing the real-time network flow data with the process flow characteristics of the known cache table, analyzing the identified process activity, and finding out abnormal or suspicious behaviors.
Specifically, the specific steps of the step S4 include:
step S401: defining a hidden process detection script, scanning the currently running process list through the /proc directory and the /bin/ps command, and identifying hidden processes;
step S402: editing an uploading script, connecting to an ES cluster by using an ES client library, and creating and updating a corresponding log record;
step S403: periodically executing the two scripts with a timed task scheduler, periodically comparing the contents of the /proc directory with the output of the /bin/ps command, producing output if an inconsistency is found, checking the process list, and judging and uploading hidden process information through the comparison.
Specifically, the specific steps of the step S5 include:
step S501: constructing a sensitive process list according to malicious processes detected by the network security monitoring system;
step S502: constructing a sensitive process data feature vector according to the time slices;
step S503: performing dimension reduction analysis on the process data feature vector by adopting a PCA method, and extracting main features;
step S504: sending the extracted features into a trained BP three-layer neural network recognition model, and judging whether abnormal points exist or not;
step S505: if abnormal points exist, counting abnormal points by adopting a sliding window, comparing thresholds, judging whether the abnormal points are abnormal processes, if the abnormal points are abnormal processes, adding a sensitive process into a sensitive process list, and traversing the sensitive process list.
Specifically, the malicious processes in step S501 include: virus programs, mining programs, halyard programs, logic bombs, zombie programs, worms and trojans; such processes attach to the functions of the process list display interface and hide themselves from it by running instructions.
Specifically, the specific steps of the step S6 include:
step S601: collecting and summarizing statistical information, giving different weights to different statistical information, and setting scores for each module according to the importance and resource occupation condition of the module;
step S602: the score of each module is subjected to progressive analysis of the layer sequence, the score is sequenced from high to low, and meanwhile, different modules can be classified into different layers according to a certain rule;
step S603: according to the score of each module, sorting the associated process IDs from high to low according to the score;
step S604: and presenting the analysis result in the form of a chart or a report, and evaluating the running condition of the system.
An analysis system for host abnormal program detection, comprising: a CPU memory module, a network traffic analysis module, a hidden process module, a malicious feature module, a production log module and a log summarization analysis module, wherein
the CPU memory module is used for performing CPU and memory analysis on the process;
the network flow analysis module is used for analyzing the IP addresses and port flows accessed by the processes and reporting the processes of suspicious IP and abnormal flows;
the hidden process module is used for comparing the ps -ef process list with the process lists obtained by other tools, screening out hidden processes and reporting them;
the malicious feature module is used for scanning and reporting the processes except the white list according to the malicious feature library;
the production log module is used for printing the data generated by each module and synchronizing it to the attack-log ES index;
the log summarization analysis module is used for obtaining the attack-log ES data, counting the scores and ranking the abnormal process modules.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention provides an analysis system for detecting abnormal programs of a host, with an optimized and improved structure, operation steps and flow; the system has a simple flow and low investment, operation, production and working costs.
2. The invention provides an analysis method for detecting abnormal programs of a host, which comprises the steps of detecting and summarizing the abnormal programs through different modules, grading and sorting according to respective specific gravity, continuously superposing scores through different modules, reminding the abnormal programs and displaying module details, so that the false alarm rate can be reduced, and the traceability analysis is facilitated.
3. The invention provides an analysis method for detecting abnormal programs of a host, which is convenient for adding a detection module, can simply expand and report the subsequent newly added module, gives a basic score according to specific gravity by a platform, gathers analysis logs on an ES and a console for analysis, and can reduce the resource waste of a detection agent to the host.
Drawings
FIG. 1 is a flow chart of an analysis method for detecting an abnormal program of a host computer according to the present invention;
FIG. 2 is a system analysis flow chart of an analysis method for detecting an abnormal program of a host computer according to the present invention;
FIG. 3 is a diagram of an analysis system architecture for host exception procedure detection according to the present invention;
Detailed Description
In order that the technical means, the creation characteristics, the achievement of the objects and the effects of the present invention may be easily understood, it should be noted that in the description of the present invention, the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings are merely for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements to be referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "a", "an", "the" and "the" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The invention is further described below in conjunction with the detailed description.
Example 1
Referring to fig. 1-2, an embodiment of the present invention is provided: an analysis method for detecting abnormal programs of a host comprises the following steps:
step S1: filtering out normally used processes by setting a process white list;
The process whitelist includes: 1) the common process list generated by the server, which is a process whitelist produced after partial detection; 2) process-related information added manually by the server administrator; 3) information confirmed to relate to normal processes. Only programs allowed by the administrator can operate on the process whitelist, which reduces the risk of potential attackers exploiting vulnerabilities in the system, enhances the security and controllability of the system, helps prevent leakage of sensitive data, and allows illegal behaviors to be detected and warned about.
Step S2: according to the system load, dynamically adjusting the CPU and memory thresholds through the baseboard management controller (BMC), and uploading the process IDs and names that exceed the thresholds to an ES log;
the method for adjusting the threshold value of the CPU memory is different according to the type and configuration of the system, and comprises the following specific steps: (1) entering a system view or console; (2) find options related to CPU memory threshold settings; (3) selecting a proper slider bar to change the threshold value of the CPU memory; (4) confirm the change and save the setting. The invention adopts a method of dynamically adjusting the threshold value, realizes the flexibility, the real-time performance and the stability of the system, better utilizes the system resources and improves the efficiency and the performance of the system.
Step S3: analyzing the process network flow by utilizing process flow characteristic matching, comparing the process network flow with a normal mode to judge whether abnormal flow exists, and uploading a process ID and a name of abnormal flow information to an ES log;
common network traffic types include: TCP traffic, UDP traffic, ICMP traffic, HTTP traffic, HTTPS traffic, DNS traffic, FTP traffic, SSH traffic.
The purpose of monitoring network traffic is: network performance optimization, security enhancement, resource management, billing and cost control, troubleshooting, and problem localization. The invention monitors and analyzes the process network traffic so as to timely find abnormal network traffic, such as illegal hacking attack, malicious software transmission and the like, so that corresponding defending measures can be timely taken, and the network security is improved.
Step S4: checking whether a hidden process exists or not at regular time, and uploading the ID and the name of the hidden process to an ES log;
The invention checks at regular intervals whether hidden processes exist in order to monitor the state of the system in real time, find and monitor hidden processes in the system in time, discover and stop potential malicious attack behaviors early, ensure the reasonable allocation and efficient use of system resources, and maintain the performance and response speed of the system.
Step S5: the method comprises the steps of periodically scanning an executable file of a process by using a sensitive process model, and uploading a process ID and a name with malicious features to an ES log;
the principle of the method for detecting the malicious feature process is mainly based on matching known malicious software features or on pattern recognition of unknown malicious software behavior patterns. There are various methods for detecting malicious feature processes, mainly including: signature-based methods, model-based methods, abnormal behavior-based methods, machine learning-based methods, process communication-based methods, combined methods. The signature-based method is based on the principle that features in known malicious software are extracted, a malicious software feature library is constructed, and then a malicious process is identified by comparing the known malicious software features with a behavior pattern of a process to be detected, but unknown malicious software cannot be detected; the abnormal behavior-based method is to analyze the difference between the behavior mode of the process and the normal behavior mode by monitoring the behavior mode of the process, judge whether the process is a malicious process, and analyze the behavior of the process by a large amount of computing resources and time although unknown malicious software can be detected; the machine learning-based method is to train a model by utilizing a machine learning algorithm, construct classifiers by analyzing the behavior characteristics of known malicious software and normal software, and then use the classifiers to identify whether a new process is a malicious process or not, but a large amount of data is required for training; the method based on process communication is to analyze communication modes and contents by monitoring communication among processes and judging whether the process is a malicious process or not, but a large amount of computing resources and time are needed to analyze communication data. 
The sensitive process model used in the invention is to build an independent sensitive process in the system, the process can sense the behaviors of other processes, and block and report when suspicious behaviors are found, has higher authority and sensitivity, can monitor the behaviors of other processes, and can take actions to protect the safety and stability of the system when necessary, thus being capable of being used for preventing attacks of malicious software, viruses, trojans and the like.
Step S6: and carrying out total statistics analysis on information exceeding a threshold value, abnormal flow, hidden and malicious characteristics by adopting a layer sequence progressive method, setting a score for each module, grading and displaying associated process IDs, and timely sending notification to suspicious processes.
The specific steps of the step S1 include: judging whether an illegal process exists by adopting a process black-and-white list matching method, and if the illegal process exists, adding the illegal process into an abnormal process list.
The specific steps of the step S2 include:
step S201: acquiring the number of correctable ECC errors recorded by the CPU through the baseboard management controller (BMC);
step S202: setting a monitoring threshold, and prompting the system administrator to take measures when the number of memory correctable ECC errors exceeds the threshold.
The threshold setting of the CPU memory is mainly set according to the actual service load condition, and common parameters include: 1) CPU utilization, generally recommended to be 70% -80%; 2) Setting a threshold value for the number of processes, and triggering AMF processing when the number of running processes in the system exceeds the threshold value; 3) Memory utilization; 4) Disk usage.
The abnormal traffic information in step S3 includes: traffic data analyzed by source IP address, destination IP address, source port number, destination port number, layer three protocol type, type of service (TOS) byte, and the logical port of the network device on which the traffic enters or leaves.
The specific steps of the step S3 include:
step S301: acquiring a network message IP packet structure by using a packet grabbing Libpcap library;
step S302: using a Wireshark network analysis tool, resolving out the five-tuple of the IP packet: source address, destination address, source port, destination port, protocol number information and flow size of current message;
step S303: extracting process flow characteristics, searching an inode number corresponding to a key formed by five-tuple in a ConnInode Hash cache table, and if the inode number does not exist, re-reading and refreshing the cache table to establish new mapping with the inode;
Inodes are a special data structure in the file system that stores metadata about files or directories, such as file size, creation time and modification time; the ConnInode Hash is a hash table pointing to the inodes of connections, used for storing and managing network connection information.
Step S304: establishing a process flow characteristic library, traversing, filtering interface flow information, refreshing a cache table, establishing mapping between index nodes and processes, and storing flow characteristics related to the index nodes and the processes;
step S305: according to a matching algorithm, searching the corresponding process of the inode number in the ConnInode Hash cache table, comparing the real-time network flow data with the process flow characteristics of the known cache table, analyzing the identified process activity, and finding out abnormal or suspicious behaviors.
The method for searching the specific inode number by using the matching algorithm mainly uses a hash function to map the inode number to a position in a hash table, and then obtains corresponding process information by searching the position.
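The five-tuple to inode to process lookup of steps S301 to S305, as an added example that is not the patent's own code. It parses constructed lines in the format of /proc/net/tcp and a constructed listing of /proc/<pid>/fd symlink targets instead of reading the live kernel tables, so it runs offline; on a real host the two callables would read those files. The refresh-on-miss behaviour is the cache update described in step S303.

```python
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Flow key in the order (src_ip, src_port, dst_ip, dst_port, protocol).
FiveTuple = Tuple[str, int, str, int, str]

# Constructed sample in /proc/net/tcp format: a listening socket (inode
# 12345) and an established connection to an external host (inode 67890).
# The kernel prints IPv4 addresses as little-endian hex and ports as hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D2F0 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of readlink() targets under /proc/<pid>/fd/.
SAMPLE_FD_LINKS: Dict[int, List[str]] = {
    812: ["/dev/null", "socket:[12345]", "pipe:[9999]"],
    2048: ["/dev/pts/0", "socket:[67890]"],
}
# Constructed sample of /proc/<pid>/comm, used for the process name in the log record.
SAMPLE_COMM = {812: "sshd", 2048: "curl"}


def _hex_addr(field: str) -> Tuple[str, int]:
    """Decode the kernel's 'HHHHHHHH:PPPP' form into (dotted IP, port)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[FiveTuple, int]:
    """Build the ConnInode-style table: five-tuple key -> socket inode."""
    table: Dict[FiveTuple, int] = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        src_ip, src_port = _hex_addr(fields[1])
        dst_ip, dst_port = _hex_addr(fields[2])
        table[(src_ip, src_port, dst_ip, dst_port, "tcp")] = int(fields[9])
    return table


def build_inode_pid_map(fd_links: Dict[int, List[str]]) -> Dict[int, int]:
    """Map socket inode -> pid from the 'socket:[N]' symlink targets."""
    mapping: Dict[int, int] = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                mapping[int(target[8:-1])] = pid
    return mapping


class ConnInodeCache:
    """Five-tuple -> inode -> pid cache; re-reads the tables on a miss (step S303)."""

    def __init__(self, read_tcp: Callable[[], str],
                 read_fds: Callable[[], Dict[int, List[str]]]) -> None:
        self._read_tcp = read_tcp
        self._read_fds = read_fds
        self.refreshes = 0
        self.refresh()

    def refresh(self) -> None:
        self.refreshes += 1
        self.conn_inode = parse_proc_net_tcp(self._read_tcp())
        self.inode_pid = build_inode_pid_map(self._read_fds())

    def lookup(self, key: FiveTuple) -> Optional[int]:
        """Return the pid owning the flow, or None if still unknown after a refresh."""
        inode = self.conn_inode.get(key)
        if inode is None:
            self.refresh()                       # connection opened since last read
            inode = self.conn_inode.get(key)
        return None if inode is None else self.inode_pid.get(inode)


def es_record(cache: ConnInodeCache, key: FiveTuple,
              comm: Dict[int, str]) -> Optional[dict]:
    """Shape the result as the step S3 log document: process ID, name and flow."""
    pid = cache.lookup(key)
    if pid is None:
        return None
    return {"pid": pid, "name": comm.get(pid, "?"), "src": f"{key[0]}:{key[1]}",
            "dst": f"{key[2]}:{key[3]}", "proto": key[4]}


if __name__ == "__main__":
    cache = ConnInodeCache(lambda: SAMPLE_PROC_NET_TCP, lambda: SAMPLE_FD_LINKS)
    print(es_record(cache, ("10.0.2.15", 54000, "93.184.216.34", 443, "tcp"), SAMPLE_COMM))
```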
The specific steps of the step S4 include:
step S401: defining a hidden process detection script, scanning the currently running process list through the /proc directory and the /bin/ps command, and identifying hidden processes;
step S402: editing an uploading script, connecting to an ES cluster by using an ES client library, and creating and updating a corresponding log record;
step S403: periodically executing the two scripts with a timed task scheduler, periodically comparing the contents of the /proc directory with the output of the /bin/ps command, producing output if an inconsistency is found, checking the process list, and judging and uploading hidden process information through the comparison.
The step of periodically executing the script using the timed task scheduler includes:
(1) Determining the task and the script to be executed, which may be a program written by the user or a pre-existing script file;
(2) Installing a timed task scheduler, which automatically executes tasks at specified time intervals; common timed task schedulers include crontab in Unix/Linux systems and Task Scheduler in Windows systems;
(3) Configuring a timing task according to the provided task name, description, script file to be executed, and the like;
(4) Setting execution time and execution frequency of tasks;
(5) After the configuration is completed, the configuration information of the timing task is saved and tested.
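The /proc versus /bin/ps comparison of steps S401 to S403, as an added example that is not the patent's own script. The /proc entries, the /proc/<pid>/comm names and the ps -ef output are constructed samples so the check runs offline; on a live host they would come from os.listdir("/proc"), the comm files and the output of ps -ef, and the scheduler of the steps above would run the script periodically.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed: what os.listdir("/proc") might return (pid dirs mixed with files).
SAMPLE_PROC_ENTRIES = ["1", "2", "812", "2048", "3117", "4096", "cpuinfo", "self", "net"]

# Constructed: the /proc/<pid>/comm value for each pid directory above.
SAMPLE_COMM = {1: "systemd", 2: "kthreadd", 812: "sshd", 2048: "curl",
               3117: "svc-helper", 4096: "bash"}

# Constructed `ps -ef` output; pid 3117 is deliberately absent from it.
SAMPLE_PS_EF = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 09:00 ?        00:00:01 /sbin/init
root           2       0  0 09:00 ?        00:00:00 [kthreadd]
root         812       1  0 09:01 ?        00:00:00 /usr/sbin/sshd -D
user        2048     812  0 09:05 pts/0    00:00:00 curl https://example.com/
user        4096     812  0 09:04 pts/0    00:00:00 -bash
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    reason: str


def pids_from_proc(entries: List[str]) -> Set[int]:
    """Every purely numeric entry under /proc is a process directory."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """The PID is the second column of `ps -ef`; the first line is the header."""
    pids: Set[int] = set()
    for line in ps_output.splitlines()[1:]:
        match = re.match(r"\S+\s+(\d+)\s", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def compare_process_lists(proc_pids: Set[int], ps_pids: Set[int],
                          comm: Dict[int, str]) -> List[Finding]:
    """Report inconsistencies between the two views (step S403).

    A pid visible in /proc but missing from ps is the classic hiding
    symptom. A pid that ps printed but /proc no longer has usually just
    exited between the two snapshots, so it gets its own reason and
    should be re-checked on the next run rather than alarmed on.
    """
    findings: List[Finding] = []
    for pid in sorted(proc_pids - ps_pids):
        findings.append(Finding(pid, comm.get(pid, "?"), "in /proc but not in ps output"))
    for pid in sorted(ps_pids - proc_pids):
        findings.append(Finding(pid, comm.get(pid, "?"),
                                "in ps output but not in /proc (re-check)"))
    return findings


def hidden_processes(findings: List[Finding]) -> List[Finding]:
    """Only the /proc-but-not-ps case is treated as a hidden process."""
    return [f for f in findings if f.reason.startswith("in /proc")]


def es_documents(findings: List[Finding]) -> List[dict]:
    """Shape findings as the log records step S402 uploads to the ES cluster."""
    return [{"detector": "hidden_process", "pid": f.pid, "name": f.name,
             "reason": f.reason} for f in findings]


if __name__ == "__main__":
    found = compare_process_lists(pids_from_proc(SAMPLE_PROC_ENTRIES),
                                  pids_from_ps(SAMPLE_PS_EF), SAMPLE_COMM)
    for doc in es_documents(hidden_processes(found)):
        print(doc)
```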
The specific steps of the step S5 include:
step S501: constructing a sensitive process list according to malicious processes detected by the network security monitoring system;
step S502: constructing a sensitive process data feature vector according to the time slices;
the function and meaning of constructing the feature vector of the sensitive process data according to the time slices are mainly embodied in the following aspects:
(1) Feature extraction: by dividing the process data into time slices, behavior characteristics of the process in each time slice can be extracted, including CPU utilization rate, memory occupation condition, network flow and the like, and the characteristics can reflect running states and behavior modes of the process;
(2) Data dimension reduction: after the behavior characteristics of the process in each time slice are extracted, a plurality of characteristics can be combined into a high-dimensional characteristic vector by using a data dimension reduction technology such as principal component analysis, linear discriminant analysis and the like, so that the dimension of data can be reduced, and the calculation complexity is reduced;
(3) Model training: the classifier capable of identifying the sensitive process can be trained by inputting the process data feature vector into the machine learning model, and can be used for detecting unknown malicious processes, so that the safety and stability of the system are improved;
(4) Abnormality detection: since the sensitive process usually has an abnormal behavior pattern, by comparing the difference between the behavior characteristics of the process in each time slice and the normal behavior characteristics, the abnormal process can be detected, and potential malicious software or unauthorized operation can be timely discovered and processed;
(5) System optimization: by analyzing the process data feature vector, the running state and the resource use of the system can be understood, the configuration and management of the system can be optimized, and the performance and response speed of the system can be improved.
Step S503: performing dimension reduction analysis on the process data feature vector by adopting a PCA method, and extracting main features;
step S504: sending the extracted features into a trained BP three-layer neural network recognition model, and judging whether abnormal points exist or not;
The BP three-layer neural network recognition model is a neural network model comprising an input layer, a hidden layer and an output layer, where the input layer is connected to the hidden layer and the hidden layer to the output layer through weights, and the network is trained mainly by the back propagation algorithm. Its main characteristic is that during forward propagation the signal passes from the input layer through the hidden layer and finally reaches the output layer, while during back propagation of the error signal the weights and biases from the hidden layer to the output layer and from the input layer to the hidden layer are adjusted in turn, from the output layer to the hidden layer and finally to the input layer. The method adopts the BP three-layer neural network because of its strong generalization capability, robustness and fault tolerance; it approximates the process data characteristics well and reduces the probability of failure or error.
Step S505: if abnormal points exist, counting abnormal points by adopting a sliding window, comparing thresholds, judging whether the abnormal points are abnormal processes, if the abnormal points are abnormal processes, adding a sensitive process into a sensitive process list, and traversing the sensitive process list.
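The time-slice feature vectors of step S502 and the sliding-window decision of step S505, as an added example that is not the patent's code. The per-slice verdict uses a z-score test of each feature against a baseline of normal slices; that is an assumption standing in for the PCA and BP network classifier of steps S503 and S504, chosen so the block runs with the standard library only. All readings are constructed.

```python
import statistics
from typing import List, Sequence, Tuple

Vector = Tuple[float, float, float]   # (mean cpu %, peak memory MB, mean net KB/s)

# Constructed baseline: feature vectors of five earlier time slices in which
# the process behaved normally (the "normal behavior characteristics").
BASELINE_VECTORS: List[Vector] = [
    (4.0, 100.0, 10.0), (6.0, 100.0, 10.0), (5.0, 110.0, 12.0),
    (5.0, 90.0, 8.0), (5.0, 100.0, 10.0),
]

# Constructed raw readings, two per time slice, as (cpu %, memory MB, net KB/s).
OBSERVED_RAW_SLICES: List[List[Vector]] = [
    [(5.0, 100.0, 10.0), (5.0, 100.0, 10.0)],
    [(28.0, 100.0, 10.0), (32.0, 100.0, 10.0)],    # CPU burst
    [(5.0, 100.0, 180.0), (5.0, 100.0, 220.0)],    # network burst
    [(5.0, 100.0, 10.0), (5.0, 100.0, 10.0)],
    [(40.0, 300.0, 500.0), (40.0, 250.0, 500.0)],  # everything spikes
    [(6.0, 100.0, 11.0), (6.0, 100.0, 11.0)],
]


def feature_vector(readings: Sequence[Vector]) -> Vector:
    """Step S502: summarise one time slice into a single feature vector."""
    n = len(readings)
    return (sum(r[0] for r in readings) / n,
            max(r[1] for r in readings),
            sum(r[2] for r in readings) / n)


def anomaly_points(vectors: Sequence[Vector], baseline: Sequence[Vector],
                   z_limit: float = 3.0) -> List[bool]:
    """Flag a slice as an abnormal point when any feature lies more than
    z_limit baseline standard deviations from the baseline mean.
    (Assumed stand-in for the PCA + BP network verdict of steps S503-S504.)"""
    means = [statistics.mean(col) for col in zip(*baseline)]
    # Guard against a constant baseline column, which would give stdev 0.
    stdevs = [max(statistics.stdev(col), 1e-9) for col in zip(*baseline)]
    flags: List[bool] = []
    for vec in vectors:
        zs = [abs(v - m) / s for v, m, s in zip(vec, means, stdevs)]
        flags.append(any(z > z_limit for z in zs))
    return flags


def is_abnormal_process(flags: Sequence[bool], window: int,
                        threshold: int) -> Tuple[bool, int]:
    """Step S505: slide a window over the abnormal-point flags and compare the
    densest window against the threshold. Returns (verdict, densest count)."""
    window = min(window, len(flags))
    best = 0
    for start in range(len(flags) - window + 1):
        best = max(best, sum(flags[start:start + window]))
    return best >= threshold, best


if __name__ == "__main__":
    vectors = [feature_vector(s) for s in OBSERVED_RAW_SLICES]
    flags = anomaly_points(vectors, BASELINE_VECTORS)
    print(flags, is_abnormal_process(flags, window=4, threshold=3))
```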
The malicious processes in step S501 include: virus programs, mining programs, halyard programs, logic bombs, zombie programs, worms and trojans; such processes attach to the functions of the process list display interface and hide themselves from it by running instructions.
The hazards of malicious processes include: 1) Destroying system files and data; 2) Occupying system resources; 3) Revealing personal information; 4) Attack other systems; 5) Network security is compromised. For infected malicious processes, timely cleaning and processing are needed, so that timely and effective detection and identification of the malicious processes are particularly important.
The specific steps of step S6 include:
Step S601: collecting and summarizing the statistical information, giving different weights to different statistical information, and setting a score for each module according to the importance and resource occupation of the module;
the method for scoring an associated process ID comprises the following steps: first, defining a scoring standard according to factors such as the degree of association between the process ID and the target process, the importance of the process and the behaviour pattern of the process; then collecting data related to the process ID, including the behaviour data of the process, its use of system resources and its network communication data; next, carrying out in-depth analysis of the collected process data to determine the degree of association between the process ID and the target process and the other related factors; calculating a score for each associated process ID according to the analysis result and the scoring standard; and finally outputting the calculated scoring result in a suitable form.
Step S602: subjecting the score of each module to layer-sequence progressive analysis and sorting the scores from high to low; at the same time, different modules can be classified into different layers according to a certain rule;
Step S603: according to the score of each module, sorting the associated process IDs by score from high to low;
Step S604: presenting the analysis result in the form of a chart or a report, and evaluating the running condition of the system.
Example 2
Referring to fig. 3, another embodiment of the present invention is provided: an analysis system for host abnormal program detection, comprising: a CPU memory module, a network flow analysis module, a hidden process module, a malicious feature module, a production log module and a log summarization analysis module,
the CPU memory module is used for performing CPU and memory analysis on the process;
the network flow analysis module is used for analyzing the IP addresses and port flows accessed by the processes and reporting the processes of suspicious IP and abnormal flows;
the hidden process module is used for comparing the ps -ef process list with the output of different tools, screening out hidden processes and reporting them;
the malicious feature module is used for scanning and reporting the processes except the white list according to the malicious feature library;
the production log module is used for printing the data generated by each module and synchronizing the data to the ES of the attack log;
the log summarization analysis module is used for counting scores and sequencing the abnormal process modules by acquiring the ES data of the attack log.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive; many forms may be made by those of ordinary skill in the art without departing from the spirit of the present invention and the scope of the claims, all of which fall within the protection of the present invention.

Claims (10)

1. An analysis method for detecting abnormal programs of a host computer, comprising:
step S1: filtering out normally used processes by setting a process white list;
step S2: according to the system load condition, dynamically adjusting the CPU and memory threshold through the baseboard management controller, and uploading the process ID and name of any process exceeding the threshold to an ES log;
step S3: analyzing the process network flow by utilizing process flow characteristic matching, comparing the process network flow with the normal pattern to judge whether abnormal flow exists, and uploading the process ID and name of abnormal flow information to an ES log;
step S4: checking at regular intervals whether a hidden process exists, and uploading the ID and name of the hidden process to an ES log;
step S5: periodically scanning the executable file of a process by using a sensitive process model, and uploading the process ID and name of any process with malicious features to an ES log;
step S6: carrying out total statistical analysis of the information exceeding the threshold, abnormal flow, hidden and malicious characteristics by adopting a layer-sequence progressive method, setting a score for each module, grading and displaying the associated process IDs, and sending timely notification of suspicious processes.
2. The method for analyzing abnormal program detection of a host as claimed in claim 1, wherein the specific steps of the step S1 include: judging whether an illegal process exists by adopting a process black-and-white list matching method, and if the illegal process exists, adding the illegal process into an abnormal process list.
3. The method for analyzing abnormal program detection of a host as claimed in claim 2, wherein the specific steps of step S2 include:
step S201: acquiring the number of correctable ECC errors recorded by the CPU through the baseboard management controller;
step S202: and setting a monitoring threshold, and prompting a system administrator to take measures when the number of the memory correctable ECC errors exceeds the threshold.
4. The method for analyzing abnormal program detection of a host as claimed in claim 3, wherein the abnormal traffic information in step S3 comprises: traffic data analyzed by source IP address, destination IP address, source communication port number, destination communication port number, layer-three protocol type, type of service (TOS) byte, and the logical network port on which the network device receives or sends the traffic.
5. The method for analyzing abnormal program detection of a host computer according to claim 4, wherein the specific steps of step S3 include:
step S301: acquiring the IP packet structure of network messages using the Libpcap packet-capture library;
step S302: using the Wireshark network analysis tool, parsing out the five-tuple of the IP packet: source address, destination address, source port, destination port and protocol number, together with the flow size of the current message;
step S303: extracting process flow characteristics, searching the ConnInode Hash cache table for the inode number corresponding to the key formed by the five-tuple, and, if the inode number does not exist, re-reading and refreshing the cache table to establish a new mapping to the inode;
step S304: establishing a process flow characteristic library, traversing and filtering the interface flow information, refreshing the cache table, establishing the mapping between index nodes (inodes) and processes, and storing the flow characteristics related to the index nodes and the processes;
step S305: according to a matching algorithm, searching the ConnInode Hash cache table for the process corresponding to the inode number, comparing the real-time network flow data with the process flow characteristics in the known cache table, analyzing the activity of the identified process, and finding abnormal or suspicious behaviour.
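Steps S301 to S305 as an added example, not code from the patent: a constructed `/proc/net/tcp` snapshot is parsed into a five-tuple-to-inode table, a constructed `/proc/<pid>/fd` view maps inodes to processes, the ConnInode cache is refreshed on a miss, and the flow is compared with a constructed per-process feature library. The process names, ports, byte limits and the `demo` function are assumptions for illustration.

```python
import socket
import struct

# Constructed /proc/net/tcp lines (header removed). Columns: sl, local, remote, st,
# tx:rx, tr:tm->when, retrnsmt, uid, timeout, inode. Addresses are little-endian hex.
TCP_LINE_AGENT = "0: 0100007F:1F90 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000 1000 0 28123 1 0 100 0 0 10 0"
TCP_LINE_CURL = "1: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000 1000 0 28456 1 0 100 0 0 10 0"
# Constructed view of /proc/<pid>/fd targets "socket:[inode]": inode -> (pid, comm).
FD_TABLE = {28123: (4211, "python3"), 28456: (4377, "curl")}
# Constructed process flow feature library (step S304): allowed destination ports
# and the maximum bytes expected in one message for each process name.
FEATURE_LIB = {"python3": {"dst_ports": {53924}, "max_bytes": 4096},
               "curl": {"dst_ports": {443}, "max_bytes": 1_000_000}}

def decode_addr(hexaddr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(lines):
    """Five-tuple (src_ip, src_port, dst_ip, dst_port, proto) -> socket inode."""
    table = {}
    for line in lines:
        f = line.split()
        (sip, sport), (dip, dport) = decode_addr(f[1]), decode_addr(f[2])
        table[(sip, sport, dip, dport, "tcp")] = int(f[9])
    return table

class ConnInodeCache:
    """ConnInode hash cache (steps S303/S305): five-tuple -> inode -> process."""
    def __init__(self, read_tcp, read_fds):
        self.read_tcp, self.read_fds = read_tcp, read_fds
        self.refresh()
    def refresh(self):
        self.tuple2inode = parse_proc_net_tcp(self.read_tcp())
        self.inode2proc = dict(self.read_fds())
    def process_for(self, five_tuple):
        inode = self.tuple2inode.get(five_tuple)
        if inode is None:              # cache miss: re-read the kernel tables once
            self.refresh()
            inode = self.tuple2inode.get(five_tuple)
        return self.inode2proc.get(inode)

def classify_flow(cache, five_tuple, nbytes):
    """Match a live flow against the owning process's known traffic profile."""
    proc = cache.process_for(five_tuple)
    if proc is None:
        return None, "unmapped"
    pid, comm = proc
    prof = FEATURE_LIB.get(comm)
    if prof is None or five_tuple[3] not in prof["dst_ports"] or nbytes > prof["max_bytes"]:
        return pid, "suspicious"
    return pid, "normal"

def demo():
    kernel_tcp = [TCP_LINE_AGENT]          # connections visible when the cache is built
    cache = ConnInodeCache(lambda: kernel_tcp, lambda: FD_TABLE)
    first = classify_flow(cache, ("127.0.0.1", 8080, "127.0.0.1", 53924, "tcp"), 512)
    kernel_tcp.append(TCP_LINE_CURL)       # a new connection appears later: forces a refresh
    second = classify_flow(cache, ("10.0.2.15", 50000, "93.184.216.34", 443, "tcp"), 2_000_000)
    third = classify_flow(cache, ("10.0.2.15", 50001, "93.184.216.34", 443, "tcp"), 10)
    return first, second, third
```

The second flow is flagged because its size exceeds the profile for `curl`, and the third stays unmapped because no socket owns that five-tuple even after a refresh.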
6. The method for analyzing abnormal program detection of a host computer according to claim 5, wherein the specific steps of step S4 include:
step S401: defining a hidden process detection script, scanning the list of currently running processes through the /bin/ps command, and identifying hidden processes;
step S402: editing an upload script, connecting to the ES cluster using an ES client library, and creating and updating the corresponding log records;
step S403: periodically executing the two scripts with a scheduled-task scheduler, periodically comparing the contents of the /proc directory with the output of the /bin/ps command, outputting any inconsistency found, checking the process list, and judging and uploading hidden process information through the comparison.
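The /proc versus /bin/ps comparison of steps S401 to S403 as an added example, not the patent's script: PIDs are taken from a constructed /proc listing and a constructed `ps -ef` output, a PID counts as hidden only if it is missing from ps in every scan (so a process that exited between the two reads is not reported), and the result is shaped into the documents the upload script would write. The scan data, `PROC_COMM` and the host name are assumptions.

```python
# Constructed snapshots. /proc entries include non-PID names, which are skipped.
PROC_SCAN_1 = ["1", "2", "self", "cpuinfo", "4211", "4377", "5120", "6000", "meminfo"]
PS_EF_SCAN_1 = """UID   PID  PPID  C STIME TTY      TIME CMD
root     1     0  0 09:00 ?    00:00:01 /sbin/init
root     2     0  0 09:00 ?    00:00:00 [kthreadd]
user  4211     1  0 09:05 ?    00:00:03 python3 agent.py
user  4377  4211  0 09:06 ?    00:00:00 curl https://example.invalid/
"""
# Second scan: PID 6000 was short-lived and exited between the /proc read and ps
# in scan 1, so it must not be reported; 5120 is still absent from ps.
PROC_SCAN_2 = ["1", "2", "self", "4211", "4377", "5120"]
PS_EF_SCAN_2 = PS_EF_SCAN_1
PROC_COMM = {5120: "kworker_x"}   # constructed /proc/<pid>/comm contents

def pids_from_proc(entries):
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps(ps_text):
    """PID is the second column of `ps -ef`; the header row is skipped."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) > 1 and cols[1].isdigit():
            pids.add(int(cols[1]))
    return pids

def hidden_pids(proc_entries, ps_text):
    """PIDs present in /proc but absent from the ps output."""
    return pids_from_proc(proc_entries) - pids_from_ps(ps_text)

def confirmed_hidden(scans):
    """Intersection over scans: only PIDs hidden every time are reported."""
    per_scan = [hidden_pids(proc, ps) for proc, ps in scans]
    return set.intersection(*per_scan) if per_scan else set()

def build_log_docs(pids, comm_lookup, host):
    """Documents in the shape the upload script sends to the ES attack log."""
    return [{"host": host, "module": "hidden_process", "pid": pid,
             "name": comm_lookup.get(pid, "unknown")} for pid in sorted(pids)]

if __name__ == "__main__":
    hidden = confirmed_hidden([(PROC_SCAN_1, PS_EF_SCAN_1), (PROC_SCAN_2, PS_EF_SCAN_2)])
    print(build_log_docs(hidden, PROC_COMM, "host-a"))
```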
7. The method for analyzing abnormal program detection of a host computer according to claim 6, wherein the specific steps of step S5 include:
step S501: constructing a sensitive process list according to malicious processes detected by the network security monitoring system;
step S502: constructing a sensitive process data feature vector according to the time slices;
step S503: performing dimension reduction analysis on the process data feature vector by adopting a PCA method, and extracting main features;
step S504: sending the extracted features into a trained BP three-layer neural network recognition model, and judging whether abnormal points exist or not;
step S505: if abnormal points exist, counting the abnormal points with a sliding window, comparing the count with a threshold, and judging whether the process is an abnormal process; if it is an abnormal process, adding it as a sensitive process to the sensitive process list, and traversing the sensitive process list.
8. The method for analyzing abnormal program detection of a host computer according to claim 7, wherein the malicious processes in step S501 comprise: virus programs, mining programs, halyard programs, logic bombs, zombie programs, worms and trojans, as well as processes that, through the instructions they run, attach to and hide themselves from the functions of the process-list display interface.
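The sliding-window judgement of step S505 (and the same step in the description above) as an added example, not the patent's code: the per-time-slice outputs of the recognition model are constructed 0/1 flags, the window and threshold are assumed values, and the sensitive list is then traversed to build upload records.

```python
from collections import deque

# Constructed per-time-slice outputs of the recognition model (1 = abnormal point);
# in the pipeline these would come from step S504.
MODEL_OUTPUTS = {
    4211: [0, 0, 1, 0, 0, 0, 1, 0, 0, 0],   # isolated spikes: should not trigger
    4377: [0, 1, 1, 0, 1, 1, 0, 1, 0, 0],   # clustered abnormal points: should trigger
}
NAMES = {4211: "python3", 4377: "curl"}     # constructed process names

class SlidingWindowJudge:
    """Count abnormal points over the last `window` slices per process; the process
    is judged abnormal once the count reaches `threshold`."""
    def __init__(self, window=5, threshold=3):
        self.window, self.threshold = window, threshold
        self.recent = {}
    def update(self, pid, flag):
        buf = self.recent.setdefault(pid, deque(maxlen=self.window))
        buf.append(flag)
        return sum(buf) >= self.threshold

def evaluate(model_outputs, window=5, threshold=3):
    """Return {pid: first time slice at which the process became abnormal}."""
    judge = SlidingWindowJudge(window, threshold)
    sensitive = {}
    for pid, flags in model_outputs.items():
        for t, flag in enumerate(flags):
            if judge.update(pid, flag) and pid not in sensitive:
                sensitive[pid] = t     # added to the sensitive process list once
    return sensitive

def traverse(sensitive, names):
    """Walk the sensitive process list and build the records to upload."""
    return [{"pid": pid, "name": names.get(pid, "unknown"), "first_abnormal_slice": t}
            for pid, t in sorted(sensitive.items())]

if __name__ == "__main__":
    print(traverse(evaluate(MODEL_OUTPUTS), NAMES))
```

A looser window (wider or with a lower threshold) catches the isolated spikes too, so the two parameters set the trade-off between missed processes and false alarms.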
9. The method for analyzing abnormal program detection of a host computer according to claim 8, wherein the specific step of step S6 comprises:
step S601: collecting and summarizing statistical information, giving different weights to different statistical information, and setting scores for each module according to the importance and resource occupation condition of the module;
step S602: the score of each module is subjected to progressive analysis of the layer sequence, the score is sequenced from high to low, and meanwhile, different modules can be classified into different layers according to a certain rule;
step S603: according to the score of each module, sorting the associated process IDs from high to low according to the score;
step S604: and presenting the analysis result in the form of a chart or a report, and evaluating the running condition of the system.
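Steps S601 to S604 (and the same steps in the description above) as an added example, not the patent's implementation: module hits are constructed attack-log documents as read back from ES, the per-module scores and the layer rule are assumed values, and the layer-sequence progressive ordering is interpreted here as ranking layer 1 hits ahead of layer 2 and then by total score from high to low.

```python
from collections import defaultdict

# Score set for each module (step S601); constructed weights.
MODULE_SCORES = {"malicious_feature": 40, "hidden_process": 30,
                 "network_flow": 20, "cpu_mem": 10}
NOTIFY_THRESHOLD = 30   # assumed: scores at or above this trigger a notification

# Constructed attack-log documents as read back from ES (one per module hit).
ATTACK_LOG = [
    {"module": "cpu_mem", "pid": 4211, "name": "python3"},
    {"module": "cpu_mem", "pid": 4211, "name": "python3"},   # repeated hit, counted once
    {"module": "cpu_mem", "pid": 4377, "name": "curl"},
    {"module": "network_flow", "pid": 4377, "name": "curl"},
    {"module": "hidden_process", "pid": 5120, "name": "kworker_x"},
    {"module": "malicious_feature", "pid": 6001, "name": "xmrig"},
    {"module": "cpu_mem", "pid": 6001, "name": "xmrig"},
    {"module": "network_flow", "pid": 6001, "name": "xmrig"},
]

def layer_of(module):
    """Assumed layer rule (step S602): high-confidence modules are layer 1,
    resource and traffic modules are layer 2."""
    return 1 if MODULE_SCORES[module] >= 30 else 2

def rank_processes(docs):
    """Aggregate module hits per PID, score them, and order layer by layer."""
    hits, names = defaultdict(set), {}
    for d in docs:
        hits[d["pid"]].add(d["module"])
        names[d["pid"]] = d["name"]
    rows = []
    for pid, mods in hits.items():
        rows.append({"pid": pid, "name": names[pid], "modules": sorted(mods),
                     "layer": min(layer_of(m) for m in mods),
                     "score": sum(MODULE_SCORES[m] for m in mods)})
    rows.sort(key=lambda r: (r["layer"], -r["score"]))   # layer 1 first, then score
    for rank, r in enumerate(rows, start=1):
        r["rank"] = rank
        r["notify"] = r["score"] >= NOTIFY_THRESHOLD
    return rows

def report(rows):
    """Plain-text table for the display step (S604)."""
    return "\n".join(f"{r['rank']:>2} L{r['layer']} {r['score']:>3} {r['pid']:>6} "
                     f"{r['name']:<10} {','.join(r['modules'])}" for r in rows)

if __name__ == "__main__":
    print(report(rank_processes(ATTACK_LOG)))
```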
10. An analysis system for host computer abnormal program detection, implemented based on the analysis method for host computer abnormal program detection according to any one of claims 1 to 9, comprising: a CPU memory module, a network flow analysis module, a hidden process module, a malicious feature module, a production log module and a log summarization analysis module,
the CPU memory module is used for performing CPU and memory analysis on the process;
the network flow analysis module is used for analyzing the IP addresses and port flows accessed by the processes and reporting the processes of suspicious IP and abnormal flows;
the hidden process module is used for comparing the ps -ef process list with the output of different tools, screening out hidden processes and reporting them;
the malicious feature module is used for scanning and reporting the processes except the white list according to the malicious feature library;
the production log module is used for printing the data generated by each module and synchronizing the data to the ES of the attack log;
the log summarization analysis module is used for counting scores and sequencing the abnormal process modules by acquiring the ES data of the attack log.
CN202311703151.9A 2023-12-12 2023-12-12 Analysis method and system for detecting abnormal program of host Pending CN117834198A (en)

Publications (1)

Publication Number Publication Date
CN117834198A true CN117834198A (en) 2024-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination