Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a multi-dimensional suspicious terminal device detection method and system.
In a first aspect, an embodiment of the present invention provides a method for detecting a suspicious terminal device based on multiple dimensions, including:
acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data;
and judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in the virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
Further, the determining the associated data by a preset process white list rule includes:
acquiring a process name of the terminal equipment corresponding to the associated data according to the IP address information of the equipment and the source port information;
matching the terminal device process names according to historical terminal device process names in the preset process white list rule, wherein the historical terminal device process names comprise conventional process names and suspicious process names;
if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
Further, the preset process white list rule further includes a historical process MD5 value, so as to match the terminal device process name and the MD5 value corresponding to the associated data according to the historical terminal device process name and the historical process MD5 value, and obtain a matching result.
Further, the matching the associated data with the virus log in the virus data according to the device IP address information and the source port information, and if the matching is successful, determining that the terminal device to be detected is a high-risk device, including:
and matching the process name, the equipment IP address information and the MD5 value of the terminal equipment of the associated data in the virus data, and judging that the terminal equipment to be detected corresponding to the associated data is high-risk equipment if a corresponding virus log in the virus data is matched.
Further, the matching the process name, the device IP address information, and the MD5 value of the terminal device of the associated data in the virus data further includes:
if the associated data and the virus data are not successfully matched, marking the associated data for device abnormality judgment, and if the terminal device to be detected is abnormal, generating corresponding device abnormality information and updating the process white list and the corresponding virus library.
Further, the method further comprises:
and acquiring a risk value of the terminal equipment according to source IP address information and source port information of the historical threat flow data, and detecting the terminal equipment according to the sequence of the risk value from high to low.
In a second aspect, an embodiment of the present invention provides a multi-dimensional suspicious terminal device detection system, which is characterized in that the system includes:
the correlation module is used for acquiring a security event log through the flow data, and correlating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the equipment IP address information and the source port information to obtain correlation data;
and the judging module is used for judging the associated data through a preset process white list rule, matching the associated data with virus logs in the virus data according to the device IP address information and the source port information if the associated data is judged to be a suspicious process, and determining that the terminal device to be detected is high-risk equipment if the associated data is successfully matched with a virus log in the virus data.
Further, the judging module comprises:
the first processing unit is used for acquiring a process name of the terminal equipment corresponding to the associated data according to the equipment IP address information and the source port information;
the second processing unit is used for matching the terminal equipment process name according to the historical terminal equipment process name in the preset process white list rule, wherein the historical terminal equipment process name comprises a conventional process name and a suspicious process name; if the matching result of the process name of the terminal equipment is the name of the suspicious process, judging that the associated data is the suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method as provided in the first aspect are implemented.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the multi-dimensional suspicious terminal equipment detection method and system provided by the embodiment of the invention, through a big data technology and by combining with multiple security data for analysis, the possibility of misjudgment of a security event is reduced, the efficiency of security event processing is improved, the investigation of a suspicious terminal is accelerated, and the risk of a network is further reduced.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for detecting a suspicious terminal device based on multiple dimensions according to an embodiment of the present invention, and as shown in fig. 1, an embodiment of the present invention provides a method for detecting a suspicious terminal device based on multiple dimensions, including:
step 101, obtaining a security event log through flow data, and associating terminal process data of a terminal device to be detected with the corresponding security event log according to device IP address information and source port information to obtain associated data.
In the embodiment of the invention, most of the risks in a network currently originate from terminal devices, so the embodiment of the invention determines whether a terminal device is a high-risk device that initiates network attacks by detecting the terminal device. Further, the data sources need to be correlated: because a terminal device (i.e., the terminal device to be detected) generates traffic when it attacks other devices, and the attack is carried out by a corresponding process, the embodiment of the present invention captures the traffic data through a network probe and generates a corresponding security event log. Meanwhile, terminal process data of the terminal device to be detected is obtained, and the security event log having the same device IP address information and source port information is then associated with the terminal process data, so that associated data combining the two kinds of information is obtained. It should be noted that, in the embodiment of the present invention, association may be understood as a matching process between a security event log and terminal process data; and since only a terminal that appears as the source of a security event in the security event log can be a high-risk device, the embodiment of the present invention first associates the terminal device to be detected with the security event log according to the device IP address information and source port information of the terminal process data, so as to perform subsequent further detection.
Step 102, judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
According to the multi-dimensional suspicious terminal equipment detection method provided by the embodiment of the invention, through a big data technology and by combining with various security data for analysis, the possibility of misjudgment of a security event is reduced, the efficiency of security event processing is improved, the investigation of a suspicious terminal is accelerated, and the risk of a network is further reduced.
On the basis of the above embodiment, the determining the associated data by presetting a process white list rule includes:
acquiring a process name of the terminal equipment corresponding to the associated data according to the IP address information of the equipment and the source port information;
matching the terminal device process names according to historical terminal device process names in the preset process white list rule, wherein the historical terminal device process names comprise conventional process names and suspicious process names;
if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
In the embodiment of the invention, a preset process white list rule is constructed according to the source IP address information and source port information of historically counted threat traffic data. Then, according to the device IP address information and the source port information in the terminal process data, the corresponding terminal device process name is obtained and matched against the historical terminal device process names in the preset process white list rule to determine whether the terminal device process is a suspicious process; if not, the security event is judged to be a false alarm; if so, the terminal device is judged to be a suspicious device, and whether the security event is a false alarm must be judged further. In the embodiment of the invention, by setting the preset process white list rule, IP addresses already determined to belong to misjudged events can be filtered out during the judgment of security events without further counting; in addition, white list filtering is applied to the process data of the terminal device, so that conventional processes are filtered out and need not be collected. The criterion for a suspicious process is as follows: every process that is not in the process white list is a suspicious process.
On the basis of the above embodiment, the preset process white list rule further includes a historical process MD5 value, so as to match the terminal device process name and the MD5 value corresponding to the associated data according to the historical terminal device process name and the historical process MD5 value, and obtain a matching result.
In the embodiment of the invention, according to the historically counted source IP address information and source port information, the corresponding IP address information and source port information are matched one by one in the terminal process data, so that the device IP address information of the suspicious process and the MD5 value of the process are obtained. If the corresponding process name and MD5 value exist in the preset white list, the security event is judged to be a misjudged event.
On the basis of the above embodiment, matching the associated data with the virus log in the virus data according to the device IP address information and the source port information, and if matching is successful, determining that the terminal device to be detected is a high-risk device, including:
and matching the process name, the equipment IP address information and the MD5 value of the terminal equipment of the associated data in the virus data, and judging that the terminal equipment to be detected corresponding to the associated data is high-risk equipment if a corresponding virus log in the virus data is matched.
On the basis of the above embodiment, the matching, in the virus data, the process name of the terminal device, the device IP address information, and the MD5 value of the associated data further includes:
if the associated data and the virus data are not successfully matched, marking the associated data for device abnormality judgment, and if the terminal device to be detected is abnormal, generating corresponding device abnormality information and updating the process white list and the corresponding virus library.
In the embodiment of the invention, the terminal virus data mainly comes from the terminal devices, and the spread of a virus also generates a process on the local device, so the data of the virus process can be acquired by the terminal process data acquisition module of the terminal device. Fig. 2 is an overall flowchart of suspicious terminal device detection according to an embodiment of the present invention. Referring to fig. 2, after it is determined by means of the preset white list, according to the source IP address information and source port information, that a suspicious process exists on the terminal device to be detected, the virus data is further queried for a virus log belonging to that terminal device; specifically, the virus data is analyzed according to the name and IP address information of the suspicious process. If a relevant virus log exists in the virus data (that is, the process name and IP address information of a virus log in the virus data are consistent with the process name and IP address information of the terminal device to be detected), the security event is determined to be a real security event, the terminal device is determined to be a high-risk device, and corresponding security processing is performed on the terminal device having the suspicious process; if not, the corresponding terminal device needs to be checked manually for abnormal conditions, such as the machine freezing or abnormal system operation.
On the basis of the above embodiment, the method further includes:
and acquiring a risk value of the terminal equipment according to source IP address information and source port information of the historical threat flow data, and detecting the terminal equipment according to the sequence of the risk value from high to low.
In the embodiment of the invention, through the relationships among the various data and a set threshold (for example, the number of attacks is obtained according to the source IP address information and source port information of the device generating the attacks, and an event whose attack count meets the preset threshold is determined to be a security event), the risk values of the devices corresponding to security events are ranked, so as to provide a basis for subsequent network risk investigation.
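The following is an added worked example, not code from the patent, that carries steps 101 and 102 together with the white list, virus-log and risk-ranking refinements above through one pass over constructed sample data. The event, process, white list and virus-log records, their field names and the threshold of 2 are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample data (not from the patent). The (device IP, source port)
# pair seen by the probe is the join key into the terminal process data.
SECURITY_EVENTS = [  # security event log derived from probe traffic data
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "10.0.0.9", "sig": "port-scan"},
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "10.0.0.10", "sig": "port-scan"},
    {"src_ip": "10.0.0.7", "src_port": 40001, "dst_ip": "10.0.0.9", "sig": "ssh-brute"},
    {"src_ip": "10.0.0.8", "src_port": 33000, "dst_ip": "10.0.0.9", "sig": "smb-exploit"},
    {"src_ip": "10.0.0.8", "src_port": 33000, "dst_ip": "10.0.0.11", "sig": "smb-exploit"},
    {"src_ip": "10.0.0.8", "src_port": 33000, "dst_ip": "10.0.0.12", "sig": "smb-exploit"},
    {"src_ip": "10.0.0.6", "src_port": 22222, "dst_ip": "10.0.0.9", "sig": "port-scan"},
]
TERMINAL_PROCESSES = [  # collected by the terminal process data acquisition module
    {"ip": "10.0.0.5", "port": 51234, "name": "updater.exe", "md5": "md5-updater-v1"},
    {"ip": "10.0.0.7", "port": 40001, "name": "svc_tool.exe", "md5": "md5-svc-tool"},
    {"ip": "10.0.0.8", "port": 33000, "name": "loader.exe", "md5": "md5-loader"},
]
# Preset white list: conventional (process name, MD5) pairs from historical data.
PROCESS_WHITE_LIST = {("updater.exe", "md5-updater-v1")}
VIRUS_LOGS = [  # antivirus logs reported by the terminals (constructed)
    {"ip": "10.0.0.8", "name": "loader.exe", "md5": "md5-loader", "family": "sample-family"},
]


def associate(events, processes):
    """Step 101: attach to each security event the terminal process that owned
    the same (device IP, source port). Events with no process record cannot be
    attributed to a process and are dropped from the associated data."""
    by_key = {(p["ip"], p["port"]): p for p in processes}
    associated = []
    for ev in events:
        proc = by_key.get((ev["src_ip"], ev["src_port"]))
        if proc is not None:
            associated.append({**ev, "proc_name": proc["name"], "proc_md5": proc["md5"]})
    return associated


def judge(associated, white_list, virus_logs):
    """Step 102: white list check first, then virus-log confirmation.
    Returns one verdict per device IP: 'false_alarm', 'high_risk' or
    'manual_review' (suspicious process but no virus log -> anomaly check)."""
    virus_keys = {(v["ip"], v["name"], v["md5"]) for v in virus_logs}
    verdicts = {}
    for rec in associated:
        ip = rec["src_ip"]
        if (rec["proc_name"], rec["proc_md5"]) in white_list:
            verdicts.setdefault(ip, "false_alarm")  # conventional process
            continue
        # Not on the white list: suspicious process, confirm in the virus data.
        if (ip, rec["proc_name"], rec["proc_md5"]) in virus_keys:
            verdicts[ip] = "high_risk"
        elif verdicts.get(ip) != "high_risk":
            verdicts[ip] = "manual_review"
    return verdicts


def rank_by_risk(events, threshold=2):
    """Risk value = number of attack events per (source IP, source port).
    Only pairs reaching the threshold count as security events; the result
    is ordered from highest risk value to lowest for investigation."""
    counts = Counter((e["src_ip"], e["src_port"]) for e in events)
    ranked = [(ip, port, n) for (ip, port), n in counts.items() if n >= threshold]
    return sorted(ranked, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    data = associate(SECURITY_EVENTS, TERMINAL_PROCESSES)
    print(judge(data, PROCESS_WHITE_LIST, VIRUS_LOGS))
    print(rank_by_risk(SECURITY_EVENTS))
```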
Fig. 3 is a schematic structural diagram of a multi-dimensional suspicious terminal device detecting system according to an embodiment of the present invention, and as shown in fig. 3, an embodiment of the present invention provides a multi-dimensional suspicious terminal device detecting system, which includes an association module 301 and a determination module 302, where the association module 301 is configured to obtain a security event log through traffic data, and associate terminal process data of a terminal device to be detected with a corresponding security event log according to device IP address information and source port information to obtain associated data; the determination module 302 is configured to determine the associated data according to a preset process white list rule, match virus logs in the associated data and the virus data according to the device IP address information and the source port information if the associated data is determined to be a suspicious process, and determine that the terminal device to be detected is a high-risk device if the matching is successful.
The multi-dimensional suspicious terminal equipment detection system provided by the embodiment of the invention performs analysis by combining various security data through a big data technology, reduces the misjudgment possibility of security events, improves the efficiency of security event processing, accelerates the investigation of suspicious terminals and further reduces the risk of a network.
On the basis of the foregoing embodiment, the determining module includes a first processing unit and a second processing unit, where the first processing unit is configured to obtain, according to the device IP address information and the source port information, a process name of the terminal device corresponding to the associated data; the second processing unit is used for matching the terminal equipment process name according to the historical terminal equipment process name in the preset process white list rule, wherein the historical terminal equipment process name comprises a conventional process name and a suspicious process name; if the matching result of the process name of the terminal equipment is a suspicious process name, judging that the associated data is a suspicious process; and if the matching result of the process name of the terminal equipment is the conventional process name, judging that the security event corresponding to the associated data is a false alarm event.
The system provided by the embodiment of the present invention is used for executing the above method embodiments, and for details of the process and the details, reference is made to the above embodiments, which are not described herein again.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and referring to fig. 4, the electronic device may include: a processor (processor) 401, a communication interface (Communications Interface) 402, a memory (memory) 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 communicate with each other through the communication bus 404. The processor 401 may call logic instructions in the memory 403 to perform the following method: acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data; and judging the associated data through a preset process white list rule, if the associated data is judged to be a suspicious process, matching the associated data with a virus log in the virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
In addition, the logic instructions in the memory 403 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to, when executed by a processor, perform the method for detecting a suspicious terminal device based on multiple dimensions, which includes: acquiring a security event log through the flow data, and associating the terminal process data of the terminal equipment to be detected with the corresponding security event log according to the IP address information and the source port information of the equipment to obtain associated data; and judging the associated data through a preset process white list rule, if the associated data is judged to be the suspicious process, matching the associated data with virus logs in the virus data according to the IP address information of the equipment and the source port information, and if the matching is successful, judging that the terminal equipment to be detected is high-risk equipment.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.