TW202213142A - System and method for information security protection and computer readable medium - Google Patents

System and method for information security protection and computer readable medium

Info

Publication number
TW202213142A
Authority
TW
Taiwan
Prior art keywords
behavior
information
abnormal
security protection
program
Application number
TW109132912A
Other languages
Chinese (zh)
Other versions
TWI781448B (en)
Inventor
蔡天浩
陳勝裕
鄭棕翰
李宜昌
陳彥仲
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW109132912A
Published as TW202213142A
Granted as TWI781448B

Landscapes

  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A system and a corresponding method for information security protection are provided. The system includes a plurality of behavior collection modules and a behavior analysis module. Each behavior collection module is installed on a corresponding terminal device, whose protection modes include at least a user mode. Each behavior collection module is configured to detect and collect, in the user mode, behavior information of each process executed by the corresponding terminal device. The behavior analysis module is configured to determine, according to the behavior information collected by the behavior collection modules, whether abnormal behavior occurs on each terminal device, and to record the abnormal behavior and send an alert when it occurs. The present invention further provides a computer-readable medium for performing the method for information security protection.

Description

Information security protection system, method and computer-readable medium

The present invention relates to information security protection, and in particular to an information security protection system and method.

With the rise of open source software, organizations enjoy its convenience but also face a wide range of security vulnerabilities. Publicly disclosed software vulnerabilities can still be exploited by attackers to break in years later, possibly because operations staff cannot determine whether a security update will affect operation, or whether the cost of a version upgrade is worthwhile. Effectively tracking vulnerabilities and possible intrusions is therefore a major challenge.

In the prior art, static code scanning (also known as white-box scanning) of every file on a host to see which programs have vulnerabilities is one way of tracking vulnerabilities and intrusions, but such scanning and identification consumes a great deal of time; for service hosts that store large amounts of data in particular, scanning the entire file system is especially costly. A technique is therefore needed that tracks vulnerabilities and possible intrusions effectively, quickly and accurately while consuming less time and fewer resources.

To solve the above problems, the present invention provides an information security protection system comprising a plurality of behavior collection modules and a behavior analysis module. Each behavior collection module is installed on a corresponding endpoint device, where the protection modes of each endpoint device include at least a user mode, and each behavior collection module is used to detect and collect, in that user mode, behavior information of each process executed by the corresponding endpoint device. The behavior analysis module determines, from the behavior information collected by the behavior collection modules, whether abnormal behavior has occurred on each endpoint device, and when it has, records the abnormal behavior and issues an alert.

The present invention also provides an information security protection method comprising: detecting and collecting, in the user mode of each of a plurality of endpoint devices, behavior information of each process executed by that endpoint device; determining from the behavior information whether abnormal behavior has occurred on each endpoint device; and, when abnormal behavior occurs, recording it and issuing an alert.

The present invention further provides a computer-readable medium, for use in a computing device or computer, that stores instructions for performing the above information security protection method.

The present invention continuously collects, in user mode, the processes executed on each endpoint device and their associated behavior information, and transmits it to a behavior analysis module in the cloud for centralized analysis, providing lightweight monitoring of abnormal execution behavior. In addition, the invention can compare vulnerability intelligence against previously recorded process behavior information to check whether a vulnerable program is running or has run, thereby effectively identifying the running state of vulnerable programs and judging the real security risk.

100: information security protection system

110: behavior collection module

115: endpoint device

120: behavior analysis module

122: behavior baseline establishment module

124: behavior anomaly determination module

130: vulnerability analysis module

140: vulnerability intelligence database

S210~S270: method steps

S310~S370: method steps

S410~S460: method steps

FIG. 1 is a block diagram of an information security protection system according to an embodiment of the present invention.

FIGS. 2 to 4 are flowcharts of an information security protection method according to an embodiment of the present invention.

The embodiments of the present invention are described below by way of specific examples; those with ordinary knowledge in the art can readily understand other advantages and effects of the invention from the content disclosed in this specification.

FIG. 1 is a block diagram of an information security protection system 100 according to an embodiment of the present invention. The information security protection system 100 includes a plurality of behavior collection modules 110, a behavior analysis module 120 and a vulnerability analysis module 130. Each behavior collection module 110 is installed on a respective endpoint device 115. An endpoint device 115 can be any electronic device capable of executing processes, such as a server, a computer or an Internet of Things device. The protection modes of each endpoint device 115 include a kernel mode (also called ring 0) and a user mode (also called ring 3). Each behavior collection module 110 detects and collects, in user mode, behavior information of each process executed by the corresponding endpoint device 115, and transmits that behavior information to the behavior analysis module 120 in the cloud for centralized analysis.

In one embodiment, the behavior collection module 110 monitors changes in the virtual file system of the endpoint device 115 in a very lightweight manner to drive its subsequent processing; it is therefore effective, costs very little performance, and can be used on machines or devices of differing computing capability.

For example, the endpoint device 115 runs Linux as its operating system, and the behavior collection module 110 monitors changes in its virtual file system in user mode to detect whether a new process has been executed; when a new process executes, the module detects and collects behavior information during its execution and transmits that behavior information to the behavior analysis module 120. In one embodiment, the behavior information may include the new process's process ID, its parent process ID, its process name (for example, the name of its executable file), the complete command used to execute it (the command and its arguments), the files it loads or executes together with their file type (for example executable or shared library) and the hash value of their contents, the file descriptors it uses and the corresponding file information, the files it uses (for example, files read and written) together with the hash value of their contents, and the service ports it opens for various communication protocols, for example Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. The hash values above can be produced with any known algorithm, for example Secure Hash Algorithm 1 (SHA-1).
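As an added illustration (not code from the patent), the following Python sketch shows how such a user-mode collector can assemble the listed fields for one Linux process from the procfs virtual file system: /proc/<pid>/status for the process name and parent PID, /proc/<pid>/cmdline for the full command, /proc/<pid>/exe for the executable hash, /proc/<pid>/fd for open files, and /proc/net/tcp joined on socket inodes for listening TCP ports. The record layout and field names are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BehaviorRecord:
    """One process's behavior information (assumed layout, fields from the text)."""
    pid: int
    ppid: int
    name: str
    cmdline: List[str]             # executable plus arguments
    exe_sha1: Optional[str]        # hash of the running executable
    open_files: Dict[int, str]     # fd number -> target path or "socket:[inode]"
    listen_ports: List[int]        # TCP ports this process is listening on


def parse_status(status_text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status (Name, PPid, ...)."""
    fields: Dict[str, str] = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline holds the command and its arguments separated by NUL."""
    return [part.decode("utf-8", "replace") for part in raw.split(b"\0") if part]


def parse_tcp_listeners(proc_net_tcp: str) -> Dict[int, int]:
    """Map socket inode -> local port for LISTEN rows (state 0A) of /proc/net/tcp."""
    listeners: Dict[int, int] = {}
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != "0A":
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)    # local_address is hexIP:hexPort
        listeners[int(cols[9])] = port               # column 9 is the socket inode
    return listeners


def sha1_of_file(path: str) -> Optional[str]:
    """SHA-1 of a file's contents, or None if it cannot be read."""
    digest = hashlib.sha1()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def collect(pid: int, proc_root: str = "/proc") -> BehaviorRecord:
    """Build one behavior record for a live process from its procfs entries."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "status")) as f:
        status = parse_status(f.read())
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = parse_cmdline(f.read())
    try:
        exe_sha1 = sha1_of_file(os.readlink(os.path.join(base, "exe")))
    except OSError:
        exe_sha1 = None                # kernel threads or insufficient privilege
    open_files: Dict[int, str] = {}
    fd_dir = os.path.join(base, "fd")
    for fd in (os.listdir(fd_dir) if os.path.isdir(fd_dir) else []):
        try:
            open_files[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            pass                       # descriptor closed between listing and readlink
    try:
        with open(os.path.join(proc_root, "net", "tcp")) as f:
            listeners = parse_tcp_listeners(f.read())
    except OSError:
        listeners = {}
    # A listening socket appears under fd/ as "socket:[<inode>]"; join on the inode.
    ports = sorted(listeners[int(t[8:-1])] for t in open_files.values()
                   if t.startswith("socket:[") and int(t[8:-1]) in listeners)
    return BehaviorRecord(pid, int(status.get("PPid", "0")), status.get("Name", ""),
                          cmdline, exe_sha1, open_files, ports)


if __name__ == "__main__":
    print(collect(os.getpid()))
```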

In another embodiment, the endpoint device 115 may run another kind of operating system, and the virtual file system above may be replaced by another kind of file system.

The behavior analysis module 120 receives and records the behavior information sent by the behavior collection modules 110, determines from that behavior information whether abnormal behavior has occurred on each endpoint device 115, and, when it has, records the abnormal behavior and issues an alert.

The vulnerability analysis module 130 receives vulnerability intelligence from a vulnerability intelligence database 140 and compares it with the behavior information recorded by the behavior analysis module 120 to determine whether a vulnerable program named in the vulnerability intelligence is running or has run on an endpoint device 115, and issues an alert when it is running or has run.

In this embodiment, the vulnerability intelligence database 140 is an external database independent of the information security protection system 100. In another embodiment, the vulnerability intelligence database 140 may be an internal database belonging to the information security protection system 100.

The behavior collection modules 110, the behavior analysis module 120 and the vulnerability analysis module 130 may each be software, hardware or firmware; if hardware, they may be processing units, processors, computers or servers with data processing and computing capability; if software or firmware, they may comprise instructions executable by a processing unit, processor, computer or server.

In one embodiment, the behavior analysis module 120, the vulnerability analysis module 130 and the vulnerability intelligence database 140 may be installed on or implemented as the same hardware or as a plurality of distributed hardware units.

The behavior analysis module 120 includes a behavior baseline establishment module 122 and a behavior anomaly determination module 124. When the behavior analysis module 120 receives behavior information from a behavior collection module 110, it records the behavior information and checks whether the endpoint device 115 that produced it has completed baseline establishment by the behavior baseline establishment module 122. If not, the endpoint device 115 is a newly added endpoint device, and the behavior baseline establishment module 122 runs the flow of FIG. 2 to establish a behavior baseline for the new endpoint device 115 from that behavior information; if so, the endpoint device 115 is an already-joined known endpoint device, and the behavior anomaly determination module 124 runs the flow of FIG. 3 to determine from that behavior information whether the known endpoint device 115 is exhibiting abnormal behavior.

FIG. 2 is a flowchart of an information security protection method according to an embodiment of the present invention, described as follows:

In step S210, the behavior collection module 110 continuously detects and collects behavior information of the processes executed by the new endpoint device 115, then proceeds to step S220.

In step S220, the behavior collection module 110 transmits the behavior information to the behavior baseline establishment module 122, then proceeds to step S230; the subsequent steps S230 to S270 are all performed by the behavior baseline establishment module 122.

In step S230, the behavior baseline establishment module 122 compares the received behavior information against a trusted process list (also called a process whitelist), a malicious process list (also called a process blacklist), and the known behavior types (for example known normal behavior and known abnormal behavior) obtained by analyzing the behavior information of the endpoint devices 115 other than the new endpoint device 115, in order to classify the behavior information as part of the common baseline shared by all endpoint devices 115, as autonomous behavior of the new endpoint device 115, or as abnormal behavior.

In one embodiment, the trusted process list may include, for example, processes that ship with the operating system and processes of well-known application software, while the malicious process list may include known malicious programs such as viruses, Trojans and ransomware.

Specifically, if the trusted process list includes the process to which the behavior information corresponds, or the behavior information matches known normal behavior, the behavior baseline establishment module 122 classifies the behavior information as part of the common baseline of all endpoint devices 115 and, in step S240, adds all or part of it to the common baseline. Conversely, if the malicious process list includes the process to which the behavior information corresponds, or the behavior information matches known abnormal behavior, the behavior baseline establishment module 122 classifies the behavior information as abnormal behavior and, in step S260, records the abnormal behavior and issues an alert to notify the administrators or operations staff of the information security protection system 100; recording the abnormal behavior includes recording the behavior information and the start time of the process to which it corresponds.

On the other hand, if neither the trusted process list nor the malicious process list includes the process to which the behavior information corresponds, and the behavior information matches neither known normal behavior nor known abnormal behavior (for example, a process that only the new endpoint device 115 executes), the behavior baseline establishment module 122 classifies the behavior information as autonomous behavior unique to the new endpoint device 115 and, in step S250, reports it to the administrators or operations staff of the information security protection system 100 so that they can decide whether the behavior information represents normal behavior. If they decide it is not normal, the flow proceeds to step S260; if they decide it is normal, the behavior baseline establishment module 122 adds all or part of the behavior information to the autonomous behavior specific to the new endpoint device 115 in step S270.

The behavior baseline establishment module 122 keeps running the flow of FIG. 2 for the new endpoint device 115 and continuously observes the pattern of processes it executes. If, after a preset period of time, the pattern of processes executed by the new endpoint device 115 has not changed, the behavior baseline establishment module 122 determines that baseline establishment for the new endpoint device 115 is complete and stops running the flow of FIG. 2 for it.

FIG. 3 is a flowchart of an information security protection method according to an embodiment of the present invention, described as follows:

In step S310, the behavior collection module 110 continuously detects and collects behavior information of the processes executed by the known endpoint device 115, then proceeds to step S320.

In step S320, the behavior collection module 110 transmits the behavior information to the behavior anomaly determination module 124, then proceeds to step S330; the subsequent steps S330 to S370 are all performed by the behavior anomaly determination module 124.

In step S330, the behavior anomaly determination module 124 receives the behavior information and determines whether it represents normal behavior according to the common baseline previously established by the behavior baseline establishment module 122 and the autonomous behavior of the known endpoint device 115 that produced the behavior information.

Step S330 comprises at least one condition. In step S330 the behavior anomaly determination module 124 compares the received behavior information against the common baseline and the autonomous behavior to determine whether the behavior information satisfies these conditions. If it satisfies every condition, the behavior information is normal behavior and the flow ends; if it fails any condition, the flow proceeds to step S340.

For example, since attackers often implant malicious control programs after an intrusion, executing an unknown process is high-risk behavior, so one of the conditions is that the process name in the behavior information must match the process name of at least one behavior record already added to the common baseline or to the autonomous behavior.

In addition, an attacker may implant no new program at all but instead alter the command used to run an existing one, turning normal behavior into an anomaly in order to gain malicious control. For example, an endpoint device uses the Netcat network administration tool: the command "'nc' 'target host' 'target port'" is normally used to check whether a service on a terminal device is up, but if an attacker runs "'nc' '-l' 'specific port'", the victim device instead opens a service reachable from outside or transmits data outward, which is abnormal behavior. Therefore, one of the conditions is that the command and arguments of the process to which the behavior information corresponds must be identical to those of at least one behavior record already added to the common baseline or to the autonomous behavior.

Likewise, to prevent the executable of an originally normal process from being tampered with by an attacker, or additional unknown programs from being loaded, one of the conditions is that the files loaded or executed by the process to which the behavior information corresponds, together with their hash values, must be identical to those of at least one behavior record already added to the common baseline or to the autonomous behavior. A mismatched hash value indicates that the corresponding file has been tampered with and a security breach may have occurred.

Furthermore, one of the conditions is that the service ports opened by the process to which the behavior information corresponds, and their corresponding communication protocols, must be identical to those of at least one behavior record already added to the common baseline or to the autonomous behavior. Any discrepancy means the process has newly opened or changed a service port, which may be a backdoor for remote control.

Moreover, one of the conditions is that the process tree relationship under which the process to which the behavior information corresponds was loaded or executed must have an identical process tree relationship in the common baseline or the autonomous behavior. The behavior anomaly determination module 124 can check whether the received behavior information satisfies this condition from the association between process IDs and parent process IDs in the behavior information. For example, through this association the behavior anomaly determination module 124 finds that a new Telnet process on some endpoint device 115 was loaded and executed by a bash process, and that this bash process was in turn loaded and executed by an Apache ActiveMQ process. Although the common baseline includes the behavior record of Apache ActiveMQ executing bash and the record of bash executing Telnet, it does not include a record of Apache ActiveMQ executing bash which then executes Telnet, so the behavior anomaly determination module 124 judges the behavior information of this new Telnet process to be abnormal behavior.

The present invention is not limited to the above conditions. In another embodiment, some of the above conditions may be omitted; alternatively, in yet another embodiment, further conditions may be defined according to the content of the process behavior information.

Next, in step S340, the behavior anomaly determination module 124 checks whether, among the behavior information of other endpoint devices 115 recorded by the behavior analysis module 120, there is behavior information that is similar to the behavior information judged in step S330 and has already been judged to be normal behavior. If there is, the flow ends; if not, the flow proceeds to step S350. The other endpoint devices 115 here are all endpoint devices 115 other than the known endpoint device 115 that produced the behavior information judged in step S330. "Similar" here means that, between the two behavior records, the process name, command, arguments and the other content involved in all of the conditions of step S330 are the same.

In step S350, the behavior anomaly determination module 124 checks whether, among the behavior information of other endpoint devices 115 recorded by the behavior analysis module 120, there is behavior information that is similar to the behavior information judged in step S330 and has already been judged to be abnormal behavior. If there is, the flow proceeds to step S370; if not, the flow proceeds to step S360.

In step S360, the behavior anomaly determination module 124 reports to the administrators or operations staff of the information security protection system 100 so that they can decide whether this behavior information represents normal behavior; if they decide it is not normal, the flow proceeds to step S370; if they decide it is normal, the flow ends. In step S370, the behavior anomaly determination module 124 judges this behavior information to be abnormal behavior, so it records the abnormal behavior and issues an alert to notify the administrators or operations staff of the information security protection system 100.
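The following Python example is added here and is not part of the patent. It implements the step-S330 conditions described above (process name, command and arguments, loaded files with hashes, service ports, process tree) against a baseline, plus the S340 to S360 cross-device lookup, using constructed records for the Netcat, tampered-hash and ActiveMQ-to-bash-to-Telnet cases from the description. The record layout, the precise meaning of "similar", and all hash strings are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Behavior:
    """One behavior record as a collector reports it (assumed layout)."""
    name: str                            # process name
    cmd: Tuple[str, ...]                 # full command: executable and its arguments
    files: FrozenSet[Tuple[str, str]]    # (path, hash) of files loaded or executed
    ports: FrozenSet[Tuple[str, int]]    # (protocol, port) opened by the process
    chain: Tuple[str, ...]               # process tree by name, root first, ending in name

def rec(name, cmd, path, digest, chain, ports=()):
    """Shorthand for building a Behavior with a single loaded file."""
    return Behavior(name, tuple(cmd), frozenset({(path, digest)}),
                    frozenset(ports), tuple(chain))

def check_conditions(b: Behavior, baseline: List[Behavior]) -> List[str]:
    """Step S330. `baseline` is the common baseline plus the reporting device's own
    autonomous behaviors. Returns the failed conditions; an empty list means normal."""
    known = [r for r in baseline if r.name == b.name]
    if not known:
        return ["unknown process name"]          # nothing to compare the rest against
    failed = []
    if not any(r.cmd == b.cmd for r in known):
        failed.append("command or arguments differ from baseline")
    known_files = set().union(*(r.files for r in known))
    if not b.files <= known_files:               # tampered hash or an extra unknown file
        failed.append("loaded file or hash not in baseline")
    known_ports = set().union(*(r.ports for r in known))
    if not b.ports <= known_ports:               # newly opened or changed service port
        failed.append("service port not in baseline")
    if not any(r.chain == b.chain for r in known):
        failed.append("process tree relationship not in baseline")
    return failed

def cross_device_verdict(b: Behavior, judged: Dict[Behavior, str]) -> str:
    """Steps S340-S360: consult other devices' records already judged 'normal' or
    'abnormal'. 'Similar' is taken as the same name, command and process chain (an
    assumption). Returns 'normal', 'abnormal' or 'escalate' (ask an operator)."""
    verdicts = {v for r, v in judged.items()
                if (r.name, r.cmd, r.chain) == (b.name, b.cmd, b.chain)}
    if "normal" in verdicts:
        return "normal"       # S340: cleared on another device, flow ends
    if "abnormal" in verdicts:
        return "abnormal"     # S350: already abnormal elsewhere, straight to S370
    return "escalate"         # S360: nobody has seen it, hand to an operator

def judge(b: Behavior, common: List[Behavior], autonomous: List[Behavior],
          judged_elsewhere: Dict[Behavior, str]) -> Tuple[str, List[str]]:
    """FIG. 3 for one record: verdict plus the S330 conditions it failed."""
    failed = check_conditions(b, common + autonomous)
    if not failed:
        return "normal", []
    return cross_device_verdict(b, judged_elsewhere), failed

# Constructed sample baseline; hash strings are placeholders, not real digests.
COMMON = [
    rec("activemq", ["java", "-jar", "activemq.jar"], "/opt/activemq/activemq.jar",
        "hash-amq", ["systemd", "activemq"], [("tcp", 8161)]),
    rec("bash", ["/bin/bash"], "/bin/bash", "hash-bash", ["activemq", "bash"]),
    rec("bash", ["/bin/bash"], "/bin/bash", "hash-bash", ["sshd", "bash"]),
    rec("telnet", ["telnet", "10.0.0.5", "23"], "/usr/bin/telnet", "hash-telnet",
        ["sshd", "bash", "telnet"]),
    rec("nc", ["nc", "10.0.0.5", "80"], "/usr/bin/nc", "hash-nc", ["sshd", "bash", "nc"]),
]
# Records already judged on other devices (the S340/S350 reference), constructed.
JUDGED_ELSEWHERE = {
    rec("nc", ["nc", "-l", "4444"], "/usr/bin/nc", "hash-nc", ["sshd", "bash", "nc"],
        [("tcp", 4444)]): "abnormal",
}

def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Four records from a known device judged against the baseline above."""
    cases = {
        "telnet_via_sshd_bash": rec("telnet", ["telnet", "10.0.0.5", "23"],
                                    "/usr/bin/telnet", "hash-telnet",
                                    ["sshd", "bash", "telnet"]),
        "telnet_via_activemq_bash": rec("telnet", ["telnet", "10.0.0.5", "23"],
                                        "/usr/bin/telnet", "hash-telnet",
                                        ["activemq", "bash", "telnet"]),
        "nc_listen": rec("nc", ["nc", "-l", "4444"], "/usr/bin/nc", "hash-nc",
                         ["sshd", "bash", "nc"], [("tcp", 4444)]),
        "tampered_bash": rec("bash", ["/bin/bash"], "/bin/bash", "hash-other",
                             ["sshd", "bash"]),
    }
    return {k: judge(b, COMMON, [], JUDGED_ELSEWHERE) for k, b in cases.items()}

if __name__ == "__main__":
    for case, (verdict, failed) in demo().items():
        print(f"{case}: {verdict} {failed}")
```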

FIG. 4 is a flowchart of the information security protection method performed by the vulnerability analysis module 130 of FIG. 1.

In step S410, the vulnerability analysis module 130 receives the latest vulnerability intelligence from the vulnerability intelligence database 140. The vulnerability analysis module 130 can analyze the vulnerability intelligence to identify the version, process name and file hash values of the program that gives rise to a security vulnerability (hereinafter the vulnerable program). For example, the vulnerability intelligence that the vulnerability analysis module 130 receives from the vulnerability intelligence database 140 carries the identifier CVE-2019-17571; after analyzing it, the vulnerability analysis module 130 learns that Apache Log4j versions 1.2 through 1.2.17 are the vulnerable program and can be remotely controlled to execute arbitrary code, and the vulnerability analysis module 130 can obtain from the vulnerability intelligence the hash values of the Apache Log4j files carrying the vulnerability, for example the executable hash value "5af35056b4d257e4b64b9e8069c0746e8b08629f" for Apache Log4j version 1.2.17 and "0278c9d0ae02132ab6d00e709926c227022e85a4" for version 1.2.16, and so on. The flow then proceeds to step S420.

In step S420, the vulnerability analysis module 130 obtains the behavior information recorded by the behavior analysis module 120, then proceeds to step S430.

In step S430, the vulnerability analysis module 130 compares the file hash values of the vulnerable program against the hash values of the files loaded or executed by every process that is running or has run, as found in the behavior information recorded by the behavior analysis module 120, to determine whether a vulnerable program is running or has run on an endpoint device 115. If no vulnerable program is running or has run, the flow returns to step S420 to keep tracking whether newly added endpoint devices or newly executed processes carry a security vulnerability; if a vulnerable program is running or has run, the flow proceeds to step S440.

In step S440, the vulnerability analysis module 130 determines, according to the behavior information recorded by the behavior analysis module 120, whether the vulnerable program has opened an external service, for example whether it has opened an external service through a TCP or UDP service port, and then proceeds to step S450.

In step S450, the vulnerability analysis module 130 determines whether the vulnerable program is related to an abnormal behavior recorded by the abnormal behavior determination module 124. Taking the abnormal execution relationship between Apache ActiveMQ and Telnet described above together with the vulnerability information CVE-2019-17571 as an example, the vulnerability analysis module 130 compares CVE-2019-17571 with that abnormal behavior and can find that Apache ActiveMQ once opened an external service, used the vulnerable program Apache Log4j, and exhibited abnormal behavior. From this it can be determined that an attacker may previously have exploited CVE-2019-17571 in a zero-day attack and opened the Telnet service as a backdoor to facilitate subsequent access control. The flow then proceeds to step S460.

In step S460, the vulnerability analysis module 130 issues an alert to notify the administrators or operations personnel of the information security protection system 100. The content of the alert may include information about the vulnerable program, the execution status of the vulnerable program (executing or previously executed), the endpoint device 115 and the process that executed the vulnerable program, whether the vulnerable program has opened an external service, and whether the vulnerable program is related to an abnormal behavior.
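As an added example that is not part of the patent, the following Python sketch carries steps S430 to S460 through over constructed behavior records: the record layouts, endpoint names, port numbers and anomaly text are assumptions, while the two Log4j hashes are the values quoted in step S410.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnIntel:
    """Vulnerability information as parsed in step S410 (assumed layout)."""
    cve_id: str
    program: str
    versions: tuple          # affected version range (first, last)
    file_hashes: frozenset   # hashes of the vulnerable executables

@dataclass(frozen=True)
class ProcessRecord:
    """One process entry from the behavior records of step S420 (assumed layout)."""
    endpoint: str
    process: str
    loaded_hashes: frozenset  # hashes of files the process loaded or executed
    running: bool             # True = executing now, False = executed previously
    listening: tuple          # ("tcp"|"udp", port) external services it opened

@dataclass(frozen=True)
class Anomaly:
    """An abnormal behavior recorded by the abnormal behavior determination module 124."""
    endpoint: str
    process: str
    description: str

def analyze(intel, records, anomalies):
    """Steps S430-S460: one alert per process that loaded or executed a vulnerable file."""
    alerts = []
    for rec in records:
        matched = rec.loaded_hashes & intel.file_hashes          # S430: hash comparison
        if not matched:
            continue                                              # nothing to alert on
        related = [a.description for a in anomalies               # S450: link to anomalies
                   if (a.endpoint, a.process) == (rec.endpoint, rec.process)]
        alerts.append({                                           # S460: alert content
            "cve": intel.cve_id,
            "vulnerable_program": intel.program,
            "matched_hashes": sorted(matched),
            "endpoint": rec.endpoint,
            "process": rec.process,
            "status": "executing" if rec.running else "previously executed",
            "external_services": list(rec.listening),             # S440
            "related_anomalies": related,
            # an exposed service plus a recorded anomaly is the pattern step S450 flags
            "possible_prior_exploitation": bool(rec.listening) and bool(related),
        })
    return alerts

# Hashes quoted in step S410 for Log4j 1.2.17 and 1.2.16; the third is a constructed placeholder.
H_LOG4J_1_2_17 = "5af35056b4d257e4b64b9e8069c0746e8b08629f"
H_LOG4J_1_2_16 = "0278c9d0ae02132ab6d00e709926c227022e85a4"
H_UNRELATED = "0" * 40
LOG4J_INTEL = VulnIntel("CVE-2019-17571", "Apache Log4j", ("1.2", "1.2.17"),
                        frozenset({H_LOG4J_1_2_17, H_LOG4J_1_2_16}))

# Constructed behavior records: endpoint names, ports and anomaly text are assumptions.
SAMPLE_RECORDS = (
    ProcessRecord("endpoint-A", "activemq", frozenset({H_LOG4J_1_2_17, H_UNRELATED}),
                  True, (("tcp", 61616),)),
    ProcessRecord("endpoint-B", "indexer", frozenset({H_LOG4J_1_2_16}), False, ()),
    ProcessRecord("endpoint-C", "backup-agent", frozenset({H_UNRELATED}), True, ()),
)
SAMPLE_ANOMALIES = (Anomaly("endpoint-A", "activemq", "unexpected child: telnet service started"),)
```

Running `analyze(LOG4J_INTEL, SAMPLE_RECORDS, SAMPLE_ANOMALIES)` yields two alerts: endpoint-A (executing, exposed service, related anomaly) and endpoint-B (previously executed, no exposure), while endpoint-C produces none.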

In addition, the present invention also discloses a computer-readable medium, which is applied in a computing device or computer having a processor (for example a CPU, a GPU, etc.) and/or a memory and which stores instructions, such that the computing device or computer executes the computer-readable medium through the processor and/or memory and, in doing so, carries out the method and steps described above.

In summary, the present invention continuously collects the executing processes and their behavior information from each endpoint device and transmits them to the cloud for centralized analysis, in order to monitor whether abnormal behavior occurs and to keep track of the real-time execution status. When newly disclosed vulnerability information is received, the present invention can also analyze it and compare it against previously recorded behavior information to check whether a vulnerable program is executing or has been executed. It can therefore effectively identify the running state of vulnerable programs, determine the real information security risk, and reduce information security management costs. Through previously recorded abnormal behaviors, the present invention can also look back after a vulnerability is disclosed and reveal zero-day attacks that occurred earlier.

The present invention performs monitoring in user mode and monitors only newly executed processes. If the vulnerable program has never been executed, there is no need at all to analyze and track the exact location of the vulnerability, so the monitoring of the present invention is very lightweight, places an extremely small burden on the endpoint device, and effectively reduces the cost of monitoring vulnerabilities. For example, in a test on an endpoint device with a quad-core processor and 1 GB of memory, the present invention needed only 0.00015 seconds to monitor changes in the virtual file system and determine whether a new process had appeared, whereas in the same clean environment a Hello World program written in C took on average 0.0032 seconds for a single execution. This shows that the monitoring of the present invention is not only effective but also causes very little performance loss, and it can be applied to devices or equipment with different computing capabilities. Compared with white-box scanning of all files in the endpoint device to search for information security vulnerabilities, the present invention can more accurately and more efficiently find out which vulnerable programs are at risk of being executed.

The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone with ordinary knowledge in the technical field may modify and change the above embodiments without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the present invention shall be as listed in the claims set out below.

100: Information security protection system

110: Behavior collection module

115: Endpoint device

120: Behavior analysis module

122: Behavior baseline establishment module

124: Abnormal behavior determination module

130: Vulnerability analysis module

140: Vulnerability information database

Claims (12)

1. An information security protection system, comprising: a plurality of behavior collection modules, each installed on a corresponding endpoint device, wherein the protection modes of each endpoint device include at least a user mode, and each behavior collection module is configured to detect and collect, in the user mode, behavior information of every process executed by the corresponding endpoint device; and a behavior analysis module configured to determine, according to the behavior information collected by the behavior collection modules, whether an abnormal behavior occurs on each endpoint device, and to record the abnormal behavior and issue an alert when the abnormal behavior occurs.

2. The information security protection system of claim 1, wherein the behavior analysis module comprises: a behavior baseline establishment sub-module configured, when a new endpoint device is newly added to the endpoint devices, to compare the behavior information of the new endpoint device with a trusted program list, a malicious program list, and the known behavior types obtained by analyzing the behavior information of the endpoint devices other than the new endpoint device, so as to classify the behavior information of the new endpoint device as a common baseline of the endpoint devices, an autonomous behavior of the new endpoint device, or an abnormal behavior, and to record the abnormal behavior and issue an alert when the abnormal behavior occurs.

3. The information security protection system of claim 2, wherein the behavior analysis module further comprises: an abnormal behavior determination sub-module configured, after the new endpoint device has joined the endpoint devices, to determine whether the behavior information is a normal behavior or the abnormal behavior according to the common baseline, the autonomous behavior of the new endpoint device, and similar behavior information of the endpoint devices other than the new endpoint device, and to record the abnormal behavior and issue an alert when the abnormal behavior occurs.

4. The information security protection system of claim 1, further comprising: a vulnerability analysis module configured to receive vulnerability information and compare the vulnerability information with the behavior information, so as to determine whether a vulnerable program identified in the vulnerability information is executing or has been executed on any of the endpoint devices, and to issue an alert when the vulnerable program is executing or has been executed.

5. The information security protection system of claim 4, wherein the vulnerability analysis module is further configured to determine, according to the behavior information, whether the vulnerable program has opened an external service, and to include the result of that determination in the alert.

6. The information security protection system of claim 4, wherein the vulnerability analysis module is further configured to determine whether the vulnerable program is related to the abnormal behavior recorded by the behavior analysis module, and to include the result of that determination in the alert.

7. An information security protection method, comprising: detecting and collecting, in a user mode of each endpoint device of a plurality of endpoint devices, behavior information of every process executed by that endpoint device; determining, according to the behavior information, whether an abnormal behavior occurs on each endpoint device; and recording the abnormal behavior and issuing an alert when the abnormal behavior occurs.

8. The information security protection method of claim 7, wherein the step of determining, according to the behavior information, whether the abnormal behavior occurs on each endpoint device comprises: when a new endpoint device is newly added to the endpoint devices, comparing the behavior information of the new endpoint device with a trusted program list, a malicious program list, and the known behavior types obtained by analyzing the behavior information of the endpoint devices other than the new endpoint device, so as to classify the behavior information of the new endpoint device as a common baseline of the endpoint devices, an autonomous behavior of the new endpoint device, or an abnormal behavior.

9. The information security protection method of claim 8, wherein the step of determining, according to the behavior information, whether the abnormal behavior occurs on each endpoint device further comprises: after the new endpoint device has joined the endpoint devices, determining whether the behavior information is a normal behavior or the abnormal behavior according to the common baseline, the autonomous behavior of the new endpoint device, and similar behavior information of the other endpoint devices.

10. The information security protection method of claim 7, further comprising: receiving vulnerability information; comparing the vulnerability information with the behavior information to determine whether a vulnerable program identified in the vulnerability information is executing or has been executed on any of the endpoint devices; and issuing an alert when the vulnerable program is executing or has been executed.

11. The information security protection method of claim 10, further comprising: determining, according to the behavior information, whether the vulnerable program has opened an external service and including the result of that determination in the alert; or determining whether the vulnerable program is related to the abnormal behavior recorded by the behavior analysis module and including the result of that determination in the alert.

12. A computer-readable medium, applied in a computing device or a computer, storing instructions for executing the information security protection method of any one of claims 7 to 11.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109132912A TWI781448B (en) 2020-09-23 2020-09-23 System and method for information security protection and computer readable medium

Publications (2)

Publication Number Publication Date
TW202213142A true TW202213142A (en) 2022-04-01
TWI781448B TWI781448B (en) 2022-10-21

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent