CN117744071B - Attack behavior detection method, device, equipment and storage medium - Google Patents
Attack behavior detection method, device, equipment and storage medium
- Publication number: CN117744071B (application CN202311377258.9A)
- Authority: CN (China)
- Prior art keywords: data, rule, attack, system call, filtering
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The application discloses a method, a device, equipment and a storage medium for detecting attack behaviors. When the method provided by the embodiment of the application is executed, system call combination information that has undergone rule filtering, rule supplementing and form mapping, namely the mapping data, is first obtained from the ring buffer as the data to be detected, and filtered data is obtained by performing supplementary rule filtering on the data to be detected. The filtered data is input into a pre-constructed abstract syntax tree to obtain a detection result, and data associated with the detection result is extracted from the mapping data as supplementary data. The supplementary data is then used to supplement the output data of the detection result, giving the complete attack behavior detection output result. Because the application performs attack detection directly on the system call combination information, detection timeliness is improved, and at the same time detection based on system call combination information cannot be bypassed by an attacker who deletes or falsifies logs.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting an attack behavior.
Background
Host security defense (where host refers to various types of servers, including bare-metal servers, virtual machines and cloud servers) is an important component of the network security attack and defense system. Since various service systems run on hosts and key service data is stored there, host security defense is often the last line of defense against a network attack, and a failure of host defense means that important service systems are affected or data is leaked. When a host is attacked, accurately and promptly discovering the attack behavior, rapidly collecting attack information and clarifying the attack result are important prerequisites for subsequent defense response and tracing. Accurate detection of host attack behavior is therefore a key technology and core capability of host security defense systems.
Existing attack behavior detection methods for hosts are mainly divided, by detection dimension, into traffic-based detection and log-based detection. With traffic-based detection, once an attacker has successfully compromised a node, tampering with key system configuration files or stealing sensitive data bypasses the attack-traffic detection mechanism entirely. Log-based detection has the defects that its judgment of attack behavior comes from system log data, that such data is usually generated only after the attack behavior has occurred, and that system log data cannot fully reflect all system call combination information; consequently log-based attack detection is delayed in timeliness and is easily bypassed by an attacker who deletes or tampers with the logs.
Therefore, how to improve the timeliness of attack behavior detection while preventing an attacker from bypassing detection by deleting or tampering with logs is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
Based on these problems, the application provides an attack behavior detection method, device, equipment and storage medium, which improve the timeliness of attack behavior detection and prevent an attacker from bypassing attack detection by deleting or falsifying logs.
The embodiment of the application discloses the following technical scheme:
An attack behavior detection method, the method comprising:
obtaining mapping data from the ring buffer as data to be detected, wherein the mapping data is system call combination information that has undergone rule filtering, rule supplementing and form mapping;
performing supplementary rule filtering on the data to be detected to obtain filtered data;
inputting the filtered data into a pre-constructed abstract syntax tree to obtain a detection result;
extracting data associated with the detection result from the mapping data as supplementary data;
and supplementing the output data of the detection result with the supplementary data to obtain a complete attack behavior detection output result.
In one possible implementation, before the preprocessed system call combination information is obtained through the ring buffer as the data to be detected, the method further includes:
acquiring the system call combination information through a HOOK system call list;
performing rule filtering and rule supplementing on the system call combination information according to the analysis data of the attack behavior detection rule file to obtain filtered supplementary data;
performing form mapping on the filtered supplementary data to obtain the mapping data;
and storing the mapping data into the ring buffer.
In one possible implementation, storing the mapping data into the ring buffer includes:
identifying the byte size of the mapping data;
and when the byte size of the mapping data is smaller than or equal to the target byte size, storing the mapping data into the ring buffer.
In one possible implementation, the method further includes:
discarding the mapping data when the byte size of the mapping data is greater than the target byte size.
In one possible implementation, obtaining the system call combination information through the HOOK system call list includes:
obtaining preliminary system call combination information through the HOOK system call list;
and performing information supplementation on the preliminary system call combination information to obtain the system call combination information.
In one possible implementation, the construction process of the pre-constructed abstract syntax tree includes:
acquiring an attack behavior detection rule file;
analyzing the attack behavior detection rule file to obtain analysis data;
and converting the analysis data into the abstract syntax tree.
An attack behavior detection device, the device comprising:
a first acquisition unit for acquiring mapping data from the ring buffer as data to be detected, wherein the mapping data is system call combination information that has undergone rule filtering, rule supplementing and form mapping;
a rule filtering unit for performing rule filtering on the data to be detected to obtain filtered data;
an input unit for inputting the filtered data into a pre-constructed abstract syntax tree to obtain a detection result;
an extracting unit for extracting data associated with the detection result from the mapping data as supplementary data;
and an output data supplementing unit for supplementing the output data of the detection result with the supplementary data to obtain a complete attack behavior detection output result.
In one possible implementation, the apparatus further includes:
a second acquisition unit for acquiring the system call combination information through a HOOK system call list;
a rule filtering and supplementing unit for performing rule filtering and rule supplementing on the system call combination information according to the analysis data of the attack behavior detection rule file to obtain filtered supplementary data;
a form mapping unit for performing form mapping on the filtered supplementary data to obtain the mapping data;
and a storage unit for storing the mapping data into the ring buffer.
An attack behavior detection device comprising a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the attack behavior detection method when executing the computer program.
A computer-readable storage medium having instructions stored therein which, when executed on a terminal device, cause the terminal device to perform the attack behavior detection method described above.
Compared with the prior art, the application has the following beneficial effects:
The application provides an attack behavior detection method, device, equipment and storage medium. When the attack behavior detection method provided by the embodiment of the application is executed, mapping data is first obtained from the ring buffer as data to be detected, the mapping data being system call combination information that has undergone rule filtering, rule supplementing and form mapping. Supplementary rule filtering is then performed on the data to be detected to obtain filtered data, and the filtered data is input into a pre-constructed abstract syntax tree to obtain a detection result. Data associated with the detection result is then extracted from the mapping data as supplementary data, and the supplementary data is used to supplement the output data of the detection result to obtain the complete attack behavior detection output result. Because attack detection is performed directly on the system call combination information, detection timeliness is improved, and an attacker cannot bypass the detection by deleting or falsifying logs. In addition, since detection is carried out directly on the source information, namely the system call combination information, the traceability of attack detection is improved.
Drawings
In order to more clearly illustrate this embodiment or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an exemplary application scenario provided in an embodiment of the present application;
FIG. 2 is a flow chart of a method for detecting attack behavior according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an attack behavior detection device according to an embodiment of the present application.
Detailed Description
In order to make the present application better understood by those skilled in the art, the following description will make clear and complete descriptions of the technical solutions of the embodiments of the present application with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In order to facilitate understanding of the technical solution provided by the embodiments of the present application, the following description will first explain the background technology related to the embodiments of the present application.
Host security defense (where host refers to various types of servers, including bare-metal servers, virtual machines and cloud servers) is an important component of the network security attack and defense system. Since various service systems run on hosts and key service data is stored there, host security defense is often the last line of defense against a network attack, and a failure of host defense means that important service systems are affected or data is leaked. When a host is attacked, accurately and promptly discovering the attack behavior, rapidly collecting attack information and clarifying the attack result are important prerequisites for subsequent defense response and tracing. Accurate detection of host attack behavior is therefore a key technology and core capability of host security defense systems.
Existing attack behavior detection methods for hosts are mainly divided, by detection dimension, into traffic-based detection and log-based detection. First, a traffic-based method, whether its detection of attack traffic relies on signatures, rules or a machine learning model, can only detect attack behavior carried out between nodes over network communication; once an attacker has successfully compromised a node, tampering with key system configuration files or stealing sensitive data bypasses the attack-traffic detection mechanism. Second, system log data represents only a part of the system call combination information when it records system calls, is usually generated only after the attack has occurred, and cannot fully reflect all system call combination information; consequently log-based attack detection is delayed in timeliness and is easily bypassed by an attacker who deletes or tampers with the logs.
To solve this problem, the embodiment of the application provides a method, a device, equipment and a storage medium for detecting attack behavior: system call combination information that has undergone rule filtering, rule supplementing and form mapping, namely the mapping data, is first obtained from the ring buffer as the data to be detected, and filtered data is obtained by performing supplementary rule filtering on the data to be detected. The filtered data is then input into a pre-constructed abstract syntax tree to obtain a detection result, and data associated with the detection result is extracted from the mapping data as supplementary data. The supplementary data is then used to supplement the output data of the detection result to obtain the complete attack behavior detection output result. Because attack detection is performed directly on the system call combination information, detection timeliness is improved, and an attacker cannot bypass the detection by deleting or falsifying logs. In addition, since detection is carried out directly on the source information, namely the system call combination information, the traceability of attack detection is improved.
To make the attack behavior detection method provided by the embodiment of the application easier to understand, it is described below with reference to the scenario example shown in fig. 1. Referring to fig. 1, the figure is a schematic framework diagram of an exemplary application scenario provided in an embodiment of the present application.
First, the attack behavior detection system acquires mapping data from the ring buffer 110 as data to be detected; the mapping data can be understood as system call combination information that has undergone rule filtering, rule supplementing and form mapping, where system call combination information refers to the combinations of system calls monitored and collected during attack behavior detection, and a ring buffer (also called a circular buffer or ring queue) is a commonly used data structure for storing and managing data in a fixed-size buffer. Next, the supplementary rule filter 120 performs supplementary rule filtering on the data to be detected to obtain filtered data. The filtered data is then input into the pre-constructed abstract syntax tree 130 for attack behavior detection to obtain a detection result, which comprises the judgment of whether an attack occurred, the attack behavior name, attack behavior classification, attack source information, attack time and possible impact; data associated with the detection result is extracted from the mapping data as supplementary data. Finally, the supplementary data is used to supplement the output data of the detection result to obtain the complete attack behavior detection output result, which comprises the judgment of the attack behavior, attack behavior name, attack behavior classification, attack source information, attack time, possible impact, detailed description, threat level, recommended measures and so on. In this way detection timeliness is improved, an attacker is prevented from bypassing detection by deleting or falsifying logs, and the traceability of attack detection is improved.
Those skilled in the art will appreciate that the frame diagram shown in fig. 1 is but one example in which embodiments of the present application may be implemented. The scope of applicability of the embodiments of the application is not limited in any way by the framework.
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 2, which is a flowchart of a method for detecting attack behavior, the method may include steps S201 to S205:
S201: obtain mapping data from the ring buffer as data to be detected, wherein the mapping data is system call combination information that has undergone rule filtering, rule supplementing and form mapping.
Because user mode and kernel mode cannot communicate directly, the attack behavior detection system acquires the system call combination information, after rule filtering, rule supplementing and form mapping, through the ring buffer.
User mode and kernel mode are two different operating modes of the operating system, which distinguish code running at different privilege levels.
User mode: in user mode, a program runs at a lower privilege level, can access only limited resources and can perform only limited operations. User-mode code is typically an application or user process, such as a text editor or browser. A user-mode program cannot directly access the underlying hardware or execute privileged instructions; if it needs to perform a privileged operation or access a restricted resource, it must request kernel-mode support through a system call.
Kernel mode: kernel mode is the high privilege level of the operating system, in which only the operating system kernel runs. In kernel mode the operating system has full control over all system resources and privileged instructions: it can execute privileged instructions, directly access hardware devices and manage system resources. When a user program requests a privileged operation, the processor switches to kernel mode and hands the request to the operating system kernel. Kernel-mode code is typically part of the operating system kernel and implements resource management, task scheduling, interrupt handling and other core functions.
Here, a ring buffer, also called a circular buffer or ring queue, is a commonly used data structure for storing and managing data in a buffer of fixed size. It organizes data in a circular fashion so that the buffer's space is reused efficiently.
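As an added illustration (not code from the patent), the following Python sketches the ring buffer as the text describes it, together with the byte-size gate from the disclosure above: mapping data whose serialized size exceeds a target byte size is discarded rather than stored, while data that fits is enqueued and later taken out in order by the detection side. The class name, the compact JSON serialization used to measure size, and the sample records are assumptions of this example.

```python
import json
from typing import Any, List, Optional


class MappingRingBuffer:
    """Fixed-capacity ring buffer for mapping data with the byte-size gate of the text:
    records larger than target_bytes are discarded instead of being stored."""

    def __init__(self, capacity: int, target_bytes: int) -> None:
        self.capacity = capacity
        self.target_bytes = target_bytes
        self._slots: List[Optional[Any]] = [None] * capacity
        self._head = 0   # next slot the producer writes
        self._tail = 0   # next slot the consumer reads
        self._count = 0
        self.dropped_oversize = 0  # records rejected by the byte-size check
        self.overwritten = 0       # oldest records lost because the ring was full

    @staticmethod
    def byte_size(record: Any) -> int:
        """Byte size of the record in its serialized (compact JSON) form; an assumption
        of this example, the patent does not say how the size is measured."""
        return len(json.dumps(record, separators=(",", ":")).encode("utf-8"))

    def store(self, record: Any) -> bool:
        """Producer side: identify the byte size, store if <= target, else discard."""
        if self.byte_size(record) > self.target_bytes:
            self.dropped_oversize += 1
            return False
        if self._count == self.capacity:
            # Ring is full: reclaim the oldest slot so the newest data is kept.
            self._tail = (self._tail + 1) % self.capacity
            self._count -= 1
            self.overwritten += 1
        self._slots[self._head] = record
        self._head = (self._head + 1) % self.capacity
        self._count += 1
        return True

    def take(self) -> Optional[Any]:
        """Consumer side (step S201): pop the oldest record, or None when empty."""
        if self._count == 0:
            return None
        record = self._slots[self._tail]
        self._slots[self._tail] = None
        self._tail = (self._tail + 1) % self.capacity
        self._count -= 1
        return record

    def __len__(self) -> int:
        return self._count


def run_demo() -> dict:
    """Feed constructed mapping records through a 3-slot ring with a 64-byte limit."""
    ring = MappingRingBuffer(capacity=3, target_bytes=64)
    records = [  # constructed sample mapping data
        {"form": "connect", "pid": 1001, "comm": "curl"},
        {"form": "open", "pid": 1001, "comm": "curl"},
        # oversize record: a long argv string pushes it past the target byte size
        {"form": "exec", "pid": 1000, "comm": "bash", "argv": "/tmp/payload " + "A" * 200},
        {"form": "exec", "pid": 1000, "comm": "bash"},
        {"form": "clone", "pid": 1000, "comm": "bash"},
    ]
    accepted = [ring.store(r) for r in records]
    drained = []
    while (rec := ring.take()) is not None:
        drained.append(rec["form"])
    return {"accepted": accepted, "drained": drained,
            "dropped_oversize": ring.dropped_oversize, "overwritten": ring.overwritten}
```

The demo shows both loss paths a consumer has to reason about: the oversize record is rejected up front, and once the ring is full the oldest accepted record is overwritten before the detection side reads it.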
In one possible implementation, the system call combination information refers to the combinations of system calls monitored and collected during attack behavior detection. Specifically, the system call combination information includes the following classes:
Process class: system calls involving the creation, termination and state change of processes, such as fork, clone, execve, execveat, vfork, etc.
File class: system calls involving file operations, such as fcntl, open, create, close, read, write, dup, dup2, chown, chmod, chroot, mkdir, etc.
System control class: system calls relating to system control and configuration, such as ioctl, sysinfo, stime, create_module, delete_module, init_module, etc.
Memory management class: system calls involving memory management, such as mmap, munmap, mremap, brk, sbrk, shmctl, shmat, etc.
Network class: system calls involving network communication and operations, such as setdomainname, sethostid, sethostname, socket, bind, connect, accept, send, sendto, recv, recvfrom, listen, etc.
User management class: system calls relating to user account management and permission settings, such as getuid, setuid, getgid, setgid, etc.
Signal communication class: system calls involving inter-process signal communication, such as kill, signal, sigaction, etc.
Pipe class: system calls involving pipe communication and operations, such as pipe, fifo, etc.
The above enumerates only part of the system call combination information; in practice it may include other, more finely divided classes of system calls. By monitoring and analyzing the combinations of these system calls, attack behavior detection can identify possible abnormal behavior or malicious attack behavior.
In one possible implementation, before the preprocessed system call combination information is obtained through the ring buffer as the data to be detected, the method further includes A1-A4:
A1: acquire the system call combination information through the HOOK system call list.
Acquiring the system call combination information through the HOOK system call list before it is stored in the ring buffer makes it possible to intercept and process a system call before or after its execution, and to perform the necessary filtering and supplementing before the information is stored in the ring buffer, so that the quality and integrity of the stored data are ensured as far as possible.
Here, a HOOK system (hooking system) is a technique commonly used in computer programming that allows a program to intercept and modify the behavior of the original code or of the operating system. With a hook system, a developer can inject custom code to modify the behavior of a program before or after a particular event occurs.
In one possible implementation, acquiring the system call combination information through the HOOK system call list includes B1-B2:
B1: obtain the preliminary system call combination information through the HOOK system call list.
In the HOOK system call list, the acquired system call information can be summarized for further analysis and processing; for example, the sequence information of the different system calls can be recorded to obtain the preliminary system call combination information.
B2: perform information supplementation on the preliminary system call combination information to obtain the system call combination information.
Supplementing the preliminary system call combination information yields more complete and detailed system call combination information. The supplemental information may include timestamps, timing relationships and so on, from which the system call combination information is generated.
The following are the important roles of, and reasons for, the supplemental information:
Timestamp: by adding a timestamp to each system call, the specific time at which the system call occurred can be recorded. This is important for analyzing the order and timing relationship of system calls to determine the order of execution and the time interval of the system calls. The timestamp may also be used to analyze latency, response time, and performance issues of the system call.
Timing relationship: by recording the time sequence relation of the system call, the execution flow of the system call can be constructed, and the dependency relation and the influence relation between the system call can be known. This is very helpful for analyzing concurrent system calls, the order of execution of important system calls, etc.
System call combination information: by combining the supplemental timestamp, timing relationship, etc. information with the preliminary system call combination information, more comprehensive, detailed system call combination information can be generated. Such information may be provided to security and system administrators for analyzing system behavior, detecting abnormal operation, identifying potential security issues, and the like.
The purpose of the supplemental information is to better understand the system's behavior and provide a more accurate and comprehensive data base for subsequent system call analysis and problem investigation.
A2: and carrying out rule filtering and rule supplementing on the system call combined information according to the analysis data of the attack behavior detection rule file to obtain filtering and supplementing data.
The system call combination information is subjected to rule filtering and supplementing according to the analysis data of the attack behavior detection rule file, so that the data stored in the annular buffer area is further ensured to meet the expected safety requirement. The attack behavior detection rule file contains descriptions and matching rules for various attack behavior characteristics, and the rules can be used for filtering and supplementing the system call combination information so as to conveniently screen potential safety risks and abnormal behaviors from the abstract syntax tree.
The analysis data of the attack behavior detection rule file refers to analyzing the rule text into Token form, namely word segmentation form. For example, for signature rule files, pattern matching methods such as regular expressions may be used for segmentation and parsing.
The rule filtering is performed on the system call combination information because the variety of the system call combination information is many, but not all the system call combination information is related to the attack in the attack detection rule file, so the rule filtering is performed on the system call combination information according to the analysis data of the attack detection rule file to obtain the data related to the attack. For example, assuming that there are 100 kinds of attack behaviors in the attack behavior detection rule file, there are 136 kinds of system call combination information related to the 100 kinds of attack behaviors, there are 400 kinds of system call combination information of the whole system currently acquired through HOOK, but only 136 kinds of the system call combination information are concerned currently, and at this time, the 136 kinds of system call combination information are filtered out from the 400 kinds of system call combination information.
The rule supplementing of the system call combination information is performed because the information to be output according to the analysis data of the rule file may not be comprehensive enough, and the rule supplementing of the system call combination information according to the analysis data of the attack behavior detection rule file is required. Continuing with the above example, 136 kinds of system call combination information related to the attack in the current 100 are provided, but the information to be output according to the analysis data of the rule file is not necessarily all from the 136 kinds of system call combination information, and may need to know the context when the system call occurs, so that the rule supplement is needed for the system call combination information.
In one possible implementation, the attack detection rule file is a file of detection rules and policies for specifying specific security events. It typically contains a series of features or patterns for identifying malicious behavior or attack activities and triggering corresponding response measures.
Specifically, one attack detection rule file may include the following:
Rule name: the name of the rule is used to describe the security event or attack type to which the rule relates.
Rule description: the rule description contains information about rule purposes, application ranges, trigger conditions and the like.
Detecting rules: this part of the rules defines features, rules syntax and algorithms for detecting specific security events or attacks. For example, the detection rules may be implemented using regular expressions, keyword matching, pattern matching, and the like.
Response policy: when a particular security event or attack is detected, the rule file may specify a corresponding response policy, for example logging, intrusion prevention (blocking), alarming (sending a notification), or forcibly terminating the remote session.
The attack behavior detection rule file can be used in security devices such as a network security protection system, an intrusion detection system and the like, and potential security threats can be found and responded in time through detecting incoming or outgoing data. Different rule files can be customized for specific security events or attack types to improve detection accuracy and response efficiency.
A3: and performing the form mapping on the filtering supplementary data to obtain the mapping data.
The resulting filtered supplemental data may differ in form, which may result in the filtered supplemental data not being easy to process, analyze, and display. The form mapping of the filtered data can enable the data to be easier to process, analyze and display, so that different requirements and application scenes can be met.
Taking the same class of system calls as an example, execve and execveat are both system calls that control the starting and execution of a process. They have similar functions, both loading and executing a new executable file. They differ only in how the file is named: execve takes a pathname (absolute, or relative to the current working directory), whereas execveat takes a directory file descriptor plus a pathname that is resolved relative to that directory, and can also execute the file referred to by the descriptor itself. For detection purposes the two are therefore abstracted and mapped into one class. Other similar cases include the system calls that open or create a file (open, openat, openat2) and the system calls that create a child process (clone, clone2, clone3).
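As an added illustration (example code written for this page, not the patent's own implementation), the following Python script carries one batch of constructed hooked records through rule filtering, rule supplementing and form mapping in the order of steps A2 and A3. The record layout, the process table, the rule syntax and the class names (exec, open, process_create, net) are assumptions; the grouping of raw system calls into classes follows the examples given above.

```python
import re

# Constructed sample of hooked syscall records (an assumption about the hook's record
# shape; the patent does not fix a format). Not from the original page.
HOOKED_EVENTS = [
    {"syscall": "execve",   "pid": 4242, "args": {"pathname": "/bin/sh"}},
    {"syscall": "execveat", "pid": 4243, "args": {"dirfd": 5, "pathname": "payload"}},
    {"syscall": "openat",   "pid": 4242, "args": {"pathname": "/etc/shadow"}},
    {"syscall": "clone3",   "pid": 4242, "args": {}},
    {"syscall": "getpid",   "pid": 4242, "args": {}},
    {"syscall": "connect",  "pid": 4244, "args": {"addr": "10.0.0.5:4444"}},
]

# Constructed per-process context that the hook layer can look up (assumption).
PROCESS_TABLE = {
    4242: {"comm": "bash",    "uid": 1000, "ppid": 1},
    4243: {"comm": "python3", "uid": 0,    "ppid": 4242},
    4244: {"comm": "curl",    "uid": 1000, "ppid": 4242},
}

# Form mapping: raw syscalls that differ only in how the target is named are
# abstracted into one class. execve takes a pathname (absolute, or relative to the
# cwd); execveat takes a dirfd plus a pathname relative to it, or runs the fd itself
# with AT_EMPTY_PATH. open/openat/openat2 and clone/clone2/clone3/fork/vfork are alike.
SYSCALL_CLASS = {
    "execve": "exec", "execveat": "exec",
    "open": "open", "openat": "open", "openat2": "open",
    "clone": "process_create", "clone2": "process_create", "clone3": "process_create",
    "fork": "process_create", "vfork": "process_create",
    "socket": "net", "bind": "net", "connect": "net", "accept": "net",
}

# Constructed rule file in a hypothetical syntax; only the syscall classes it names
# matter for this step.
RULE_FILE = '''
rule user_shell_exec:  syscall == "exec" AND comm == "bash"
rule shadow_read:      syscall == "open" AND pathname == "/etc/shadow"
rule shell_to_net:     syscall == "net"  AND comm == "curl"
'''


def rule_syscall_classes(rule_text):
    """Analysis data reduced to what filtering needs: the syscall classes the rules compare against."""
    return set(re.findall(r'syscall\s*==\s*"([a-z_]+)"', rule_text))


def raw_syscalls_for(classes):
    """Expand abstract classes back to the raw syscalls the hook must keep."""
    return {raw for raw, cls in SYSCALL_CLASS.items() if cls in classes}


def rule_filter_supplement_map(events, rule_text, proc_table):
    """Rule filtering, rule supplementing and form mapping, in the order of steps A2-A3.

    1. keep only records whose raw syscall is relevant to some rule;
    2. supplement each kept record with process context the rules may need (comm, uid, ppid);
    3. map the raw syscall name to its abstract class, keeping the raw name for traceability.
    """
    wanted = raw_syscalls_for(rule_syscall_classes(rule_text))
    out = []
    for ev in events:
        if ev["syscall"] not in wanted:          # rule filtering
            continue
        ctx = proc_table.get(ev["pid"], {})      # rule supplementing
        rec = {
            "syscall": SYSCALL_CLASS[ev["syscall"]],   # form mapping
            "raw_syscall": ev["syscall"],
            "pid": ev["pid"],
            "comm": ctx.get("comm"),
            "uid": ctx.get("uid"),
            "ppid": ctx.get("ppid"),
        }
        rec.update(ev["args"])                   # flatten arguments for rule evaluation
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in rule_filter_supplement_map(HOOKED_EVENTS, RULE_FILE, PROCESS_TABLE):
        print(rec)
```

Of the six constructed records, clone3 and getpid are dropped because no rule refers to their class, and the four kept records leave the function with process context attached and with the raw name preserved beside the mapped class, which is what later lets a detection result be traced back to the exact system call.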
A4: the mapping data is stored into the ring buffer.
After the processing, in order to facilitate the acquisition of the mapping data by the user mode and the kernel mode, the attack behavior detection can upload the mapping data to the ring buffer for storage.
In one possible implementation, the storing the mapping data into the ring buffer includes C1-C2:
C1: the byte size of the mapping data is identified.
If the data to be written is larger than the remaining available space, writing it would overflow the buffer area, which is a memory safety hole and can crash the system. Therefore, before the mapping data is stored in the ring buffer, its byte size must be identified and compared with the target byte size.
Where the target byte size refers to the space remaining in the ring buffer that can be used to store the mapped data. The method of calculating the remaining available space of the ring buffer is as follows:
first, the total size of the ring buffer is determined: first it is necessary to know the total size of the ring buffer, typically in bytes. The value may be obtained according to the system design or specific implementation.
Then, the byte size of the stored data is calculated: traversing the ring buffer, summing the byte sizes of the stored mapping data. If the data in the ring buffer is arranged in a continuous storage, the byte size of the stored data can be calculated by the position of the head and tail pointers.
Then, the remaining available space size is calculated: the size of the remaining available space is obtained by subtracting the byte size of the stored data from the total size of the ring buffer.
C2: when the byte size of the mapping data is smaller than or equal to the target byte size, the storing of the mapping data into the ring buffer is executed.
When the byte size of the mapping data is less than or equal to the target byte size, the mapping data may be stored to a start position or an end position of the ring buffer using a pointer operation or an array index or the like.
In one possible implementation, the method further comprises:
Discarding the mapping data when the byte size of the mapping data is greater than the target byte size.
If the data to be written is larger than the remaining available space, writing it would overflow the buffer area, leading to security holes and system crashes.
A single piece of mapping data is very small, so in practice its byte size exceeds the remaining available space of the ring buffer (the target byte size) only when the buffer has filled up because events arrive faster than the user mode consumer drains them, for example when the system is under a brute force attack or a similar flood of events. In that case the mapping data is discarded directly; an implementation would normally also count such drops so that the resulting detection gap can be recognized.
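The size check in C1-C2 and the discard rule above, as an added example in Python (written for this page, not the patent's own code). The ring is a fixed byte array with head and tail offsets and an explicit count of bytes in use, so the remaining space (the target byte size) is total size minus used bytes; records are length-prefixed so that the reader can recover record boundaries. The record protocol and the drop counter are assumptions.

```python
class RingBuffer:
    """Fixed-capacity byte ring buffer storing length-prefixed records.

    head is the next write offset, tail the next read offset, and 'used' the number
    of bytes currently stored. Tracking 'used' explicitly removes the ambiguity of
    head == tail meaning either empty or full.
    """

    HDR = 2  # each record is stored as a 2-byte big-endian length plus its payload

    def __init__(self, capacity):
        self.buf = bytearray(capacity)
        self.capacity = capacity
        self.head = 0
        self.tail = 0
        self.used = 0
        self.dropped = 0  # records refused because they did not fit

    def remaining(self):
        """Target byte size: total size of the ring minus bytes already stored."""
        return self.capacity - self.used

    def _put(self, data):
        # copy in up to two pieces so a record may wrap around the end of the array
        first = min(len(data), self.capacity - self.head)
        self.buf[self.head:self.head + first] = data[:first]
        self.buf[0:len(data) - first] = data[first:]
        self.head = (self.head + len(data)) % self.capacity
        self.used += len(data)

    def _get(self, n):
        first = min(n, self.capacity - self.tail)
        out = bytes(self.buf[self.tail:self.tail + first]) + bytes(self.buf[0:n - first])
        self.tail = (self.tail + n) % self.capacity
        self.used -= n
        return out

    def store(self, record):
        """C1: identify the byte size; C2: write only if it fits, otherwise drop (never overflow)."""
        need = self.HDR + len(record)
        if len(record) > 0xFFFF or need > self.remaining():
            self.dropped += 1
            return False
        self._put(len(record).to_bytes(self.HDR, "big") + bytes(record))
        return True

    def read(self):
        """Consume and return the oldest record, or None when the ring is empty."""
        if self.used == 0:
            return None
        n = int.from_bytes(self._get(self.HDR), "big")
        return self._get(n)


def run_producer(rb, records):
    """Feed records into the ring as the kernel-side producer would; returns how many were kept."""
    return sum(1 for r in records if rb.store(r))


if __name__ == "__main__":
    rb = RingBuffer(16)
    kept = run_producer(rb, [b"12345678", b"abcde", b"abcd"])  # constructed records
    print("kept", kept, "dropped", rb.dropped, "remaining", rb.remaining())
    while (rec := rb.read()) is not None:
        print("consumer got", rec)
```

In the demonstration run the second record is refused because the six bytes left cannot hold its seven, while the third record fits exactly; after the consumer drains one record the next write wraps around the end of the array.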
S202: and carrying out supplementary rule filtering on the data to be detected to obtain filtered data.
In order to improve the detection efficiency of the abstract syntax tree, before the data to be detected is input into the pre-constructed abstract syntax tree, the mapping data is filtered against the supplementary rules, which are defined rules derived from the analysis data of the attack behavior detection rule file. According to the rule type and matching mode, the data to be detected is traversed item by item and a rule matching operation is performed on each item. The filtered data obtained in this way is smaller, so the abstract syntax tree has less data to process when detecting it, and the time delay of the abstract syntax tree in the detection process is reduced.
S203: and inputting the filtered data into a pre-constructed abstract syntax tree to obtain a detection result.
After the filtered data to be detected is provided as input to the constructed abstract syntax tree, the abstract syntax tree is traversed in a predetermined order through each node of the abstract syntax tree using a traversal algorithm (e.g., a depth-first search or a breadth-first search). The abstract syntax tree then performs semantic analysis and detection operations for each node during traversal. Depending on the specific requirements, specific operations may be performed on each node, such as condition judgment, variable assignment, function call, etc. And judging whether the node meets the requirements or not by executing corresponding semantic analysis rules and detection logic, and generating a corresponding detection result.
Wherein, the detection result includes: determination of the attack, attack name, attack type, affected entity, attack source information, attack time, possible impact, etc.
Determination of attack behavior: yes or no.
Attack behavior name: generally includes the main attack means used by the attack behavior, for example a Dirty Pipe privilege escalation attack, a polkit privilege escalation attack, a PHP Trojan (webshell) file upload attack, or a MySQL command execution attack.
Attack behavior type: which type the attack belongs to, for example reconnaissance (information gathering), privilege escalation, execution (command execution), or exfiltration (information theft).
Affected entities: an attacked target or entity, such as a server, an application, a network device, etc.
Attack source information: source IP address, port, or other identifying information of the attack.
Attack time: the timestamp at which the attack was detected.
Possible effects: attacks may cause damage or impact.
In one possible implementation, the pre-built abstract syntax tree construction process includes D1-D3:
D1: and acquiring an attack behavior detection rule file.
Specific rule definition and configuration information including attack types, rule conditions, threshold settings and the like can be obtained by obtaining the attack behavior detection rule file. These rules describe the characteristics of malicious behavior or attack patterns and the corresponding matching logic. These attack detection rule files are important bases for guiding attack detection.
D2: analyzing the attack behavior detection rule file to obtain analysis data.
The attack behavior detection rule file is analyzed into a Token sequence by lexical analysis. Lexical analysis is a step from compiler theory that converts an input character stream into meaningful lexemes (Tokens). Through lexical analysis, basic units such as each word, symbol and identifier in the rule file can be identified, providing the basis for subsequent syntax analysis and other processing.
D3: and converting the analytic data into the abstract syntax tree.
After obtaining the parsed data, the attack behavior detection system converts the parsed data (Token) into an abstract syntax tree (Abstract Syntax Tree, AST), which may be performed according to the following steps:
Defining node classes: first, a class of nodes is defined, which represents each node in an AST. Node classes typically contain two main member variables: node values and child node lists. The node value represents the logical structure of the current node, and may be an operator such as AND, OR, NOT or other types in the rule file. The child node list stores child nodes of the current node.
Traversing Token sequences: then, the Token sequence is traversed using a traversal algorithm. In the traversal process, the corresponding logic structure is judged according to the current Token type, and a corresponding node object is created.
Constructing AST: the node objects are then organized into an abstract syntax tree according to the order and logical relationships of the Token sequence. In the construction process, the parent-child relationship between nodes is determined according to the priority and the relevance between Token, so that the AST with the hierarchical structure is formed.
Child node connection: the corresponding child node is added to the child node list of its parent node according to the structure of the Token sequence. In this way the hierarchical relationship and logical structure between nodes are stored in the AST.
Returning to the root node: finally, the root node of the AST is returned as an entry into the entire abstract syntax tree.
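The construction process D1-D3 and its use in S202-S203, as an added worked example in Python (written for this page; the patent does not publish a rule grammar, so the condition syntax, the field names and the sample records are assumptions). The tokenizer is the lexical analysis of D2, the Parser builds the node-value-plus-child-list tree of D3 with the precedence NOT before AND before OR, evaluate walks the tree depth-first against one record (S203), and pinned_syscall implements the supplementary rule filtering of S202 by skipping records that a rule's top-level "syscall == X" condition can never match. Malformed rules fail closed with a SyntaxError instead of being partially accepted.

```python
import re
from collections import namedtuple

TOKEN_RE = re.compile(r'\s*(?:(?P<num>\d+)|(?P<str>"[^"]*")|(?P<ident>[A-Za-z_][\w.]*)'
                      r'|(?P<op>==|!=|[()])|(?P<bad>\S))')
Node = namedtuple("Node", "value children")  # value: AND/OR/NOT or (op, field, literal)

def tokenize(text):  # lexical analysis (D2): rule text to a list of (kind, value) tokens
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise SyntaxError(f"unexpected {val!r} at offset {m.start(kind)}")
        if kind == "ident" and val.upper() in ("AND", "OR", "NOT"):
            tokens.append(("kw", val.upper()))
        elif kind == "str":
            tokens.append(("str", val[1:-1]))
        else:
            tokens.append((kind, int(val) if kind == "num" else val))
    return tokens

class Parser:  # recursive descent (D3): precedence NOT > AND > OR; parentheses group
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise SyntaxError(f"expected {kind or 'token'}, got {tok}")
        self.i += 1
        return tok
    def parse(self):  # the whole input must be consumed: trailing tokens mean a malformed rule
        root = self.expr()
        if self.peek()[0] is not None:
            raise SyntaxError(f"trailing tokens: {self.toks[self.i:]}")
        return root
    def chain(self, op, operand):  # left-associative chain of one binary keyword
        node = operand()
        while self.peek() == ("kw", op):
            self.take()
            node = Node(op, [node, operand()])
        return node
    def expr(self):
        return self.chain("OR", lambda: self.chain("AND", self.unary))
    def unary(self):
        if self.peek() == ("kw", "NOT"):
            self.take()
            return Node("NOT", [self.unary()])
        if self.peek() == ("op", "("):
            self.take()
            node = self.expr()
            if self.take("op")[1] != ")":
                raise SyntaxError("expected ')'")
            return node
        field, op = self.take("ident")[1], self.take("op")[1]
        kind, lit = self.take()
        if op not in ("==", "!=") or kind not in ("str", "num"):
            raise SyntaxError(f"bad comparison {field} {op} {lit!r}")
        return Node((op, field, lit), [])

def compile_rule(text):  # D2 + D3: tokens to AST, returning the root node
    return Parser(tokenize(text)).parse()

def evaluate(node, event):  # S203: depth-first walk against one record; absent fields compare as None
    v = node.value
    if v in ("AND", "OR"):
        return (all if v == "AND" else any)(evaluate(c, event) for c in node.children)
    if v == "NOT":
        return not evaluate(node.children[0], event)
    op, field, lit = v
    return (event.get(field) == lit) if op == "==" else (event.get(field) != lit)

def pinned_syscall(node):  # S202 key: class a top-level 'syscall == X' conjunct pins the rule to, else None
    if node.value == "AND":
        return next((s for s in map(pinned_syscall, node.children) if s is not None), None)
    if isinstance(node.value, tuple) and node.value[:2] == ("==", "syscall"):
        return node.value[2]
    return None

RULES = {  # constructed rules in the hypothetical syntax above
    "shadow_read_by_user": 'syscall == "open" AND pathname == "/etc/shadow" AND NOT uid == 0',
    "shell_to_net": 'syscall == "net" AND (comm == "bash" OR comm == "sh")',
}
EVENTS = [  # constructed mapped records as read back from the ring buffer
    {"syscall": "open", "pid": 4242, "comm": "bash", "uid": 1000, "pathname": "/etc/shadow"},
    {"syscall": "open", "pid": 1, "comm": "init", "uid": 0, "pathname": "/etc/shadow"},
    {"syscall": "net", "pid": 4242, "comm": "bash", "uid": 1000, "addr": "10.0.0.5:4444"},
]

def detect(rules, events):  # compile once; S202 pre-filter by pinned class; S203 evaluate the rest
    compiled = [(name, root, pinned_syscall(root))
                for name, root in ((n, compile_rule(t)) for n, t in rules.items())]
    hits = []
    for ev in events:
        for name, root, cls in compiled:
            if (cls is None or ev.get("syscall") == cls) and evaluate(root, ev):
                hits.append({"attack": True, "attack_name": name, "pid": ev["pid"]})
    return hits

if __name__ == "__main__":
    print(detect(RULES, EVENTS))
```

The pre-filter is deliberately conservative: a rule whose syscall condition sits under NOT or inside an OR branch is not pinned and is evaluated against every record, so the optimization can skip work but never suppress a match. Rules are compiled once and reused, which is the "pre-constructed" property the method relies on for low detection latency.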
S204: and extracting data associated with the detection result from the mapping data as supplementary data.
To extract data associated with the detection result from the map data as supplementary data, first, it is determined how to associate the detection result with the map data. This may involve matching relationships between certain attributes or identifiers in the detection results and attributes or identifiers in the mapping data. For example, matching may be performed using a common unique identifier or some attribute value. The mapping data is then traversed, checking each entry or record one by one. And according to the selected association mode, finding a mapping data item associated with the detection result. Once the mapping data item associated with the detection result is found, the required relevant data is extracted according to the requirements. This may include extracting the value of a particular attribute from the item or the entire item itself, depending on the supplemental data that the user wishes to obtain.
For example, if the detection result only includes the data of the process class and has an attack, the supplementary data extracted from the mapping data at this time may include information such as a process identifier, a process name, a user, a thread, a time stamp, and a file name.
Specifically, according to the process identifier included in the detection result, information related to the process identifier, such as information of a process name, a user, a thread, and a time stamp, may be searched from the mapping data. In addition, if the attack behavior involves file read-write operation, corresponding file name information can be extracted from the mapping data.
In one possible implementation, the process class detection results may be supplemented with data from system calls such as clone, clone3, fork, vfork, execve, execveat, close, setresuid, setsid, setuid, setgid, setpgid, setresgid, capset, chdir, chroot, prctl and fchdir.
The network class detection results may be supplemented with data from system calls such as socket, bind, getsockopt, connect and accept.
It is noted that by extracting the supplementary data and supplementing the output data with these data, the attack behavior can be better analyzed and understood, but it is also necessary to ensure the accuracy and security of the supplementary data. Meanwhile, the privacy and sensitive information of the user are protected, and the sensitive information is prevented from being leaked.
S205: and carrying out output data supplementation on the detection result by utilizing the supplementary data to obtain an attack behavior detection complete output result.
After the supplementary data related to the detection result is obtained, the output data of the detection result can be supplemented by the data, so that the complete output result of the attack behavior detection is obtained. By combining this information with the detection results, a more comprehensive, more specific description and analysis can be provided, helping the user to further understand and determine whether an attack is present.
The output data is supplemented to the detection result by the supplementary data so as to obtain the output result of the attack behavior, and the method can be carried out according to the following steps: the supplementary data is first incorporated into the detection result to enrich the output result. The specific manner of operation depends on the structure and format of the data. For example, the supplemental data may be added to the detection result as a new attribute, or combined with an existing attribute. And then generating an output result of the attack behavior based on the addition of the supplementary data. This may include sorting, scoring, marking, etc. the detection results to determine if there is an attack and to provide relevant information. And finally, displaying and presenting the generated output result so as to be convenient for a user to understand and use. The results can be displayed in a chart, a text report, a visual interface and the like, so that a user can more intuitively know the detected attack.
In one possible implementation, the attack behavior detection complete output result may include: determination of attack, attack name, attack type, affected entity, attack source information, attack time, possible impact, detailed description, abnormal behavior, threat level, recommended measures, etc.
Detailed description: detailed descriptions of attack behavior, including steps, purposes, means, etc. of attack.
Abnormal behavior: the comparison of the attack behavior with the normal behavior indicates the abnormality of the attack behavior.
Threat level: the assessment of the degree of threat posed by an attack is generally classified as low, medium, high, etc.
Recommended measures: corresponding suggested and recommended countermeasures are provided for the detected attack behavior, including bug fix, security policy enhancement, and the like.
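Steps S204 and S205 as an added worked example in Python (written for this page, not the patent's own code). The detection result is joined to the mapping data on the process identifier, the process's records are folded in time order into process, file and network context using the process class and network class system call groups listed above, and the result is merged into the detection result as new attributes. The record layout, the timestamps and the assignment of the open family to a file class are assumptions.

```python
# System call groups named in the patent for supplementing process class and network
# class detection results.
PROCESS_CLASS = {"clone", "clone3", "fork", "vfork", "execve", "execveat", "close", "setresuid",
                 "setsid", "setuid", "setgid", "setpgid", "setresgid", "capset", "chdir",
                 "chroot", "prctl", "fchdir"}
NETWORK_CLASS = {"socket", "bind", "getsockopt", "connect", "accept"}
FILE_CLASS = {"open", "openat", "openat2"}  # assumption: file context comes from the open family

# Constructed, time-ordered mapping data as it would be read back from the ring buffer
# (an assumption about the record shape; not from the patent).
MAPPING_DATA = [
    {"ts": 100, "pid": 4242, "tid": 4242, "syscall": "execve", "comm": "bash", "uid": 1000, "pathname": "/bin/bash"},
    {"ts": 101, "pid": 4242, "tid": 4242, "syscall": "chdir", "pathname": "/tmp"},
    {"ts": 102, "pid": 4242, "tid": 4242, "syscall": "openat", "pathname": "/etc/shadow"},
    {"ts": 103, "pid": 4242, "tid": 4242, "syscall": "setresuid", "uid": 0},
    {"ts": 104, "pid": 4242, "tid": 4250, "syscall": "connect", "addr": "10.0.0.5:4444"},
    {"ts": 105, "pid": 9999, "tid": 9999, "syscall": "execve", "comm": "sshd", "uid": 0, "pathname": "/usr/sbin/sshd"},
]


def extract_supplementary(detection, mapping_data):
    """S204: join the detection result to the mapping data on the process identifier and
    fold that pid's records, in time order, into process, file and network context."""
    pid = detection["pid"]
    recs = sorted((r for r in mapping_data if r["pid"] == pid), key=lambda r: r["ts"])
    supp = {"process": {"pid": pid, "threads": set()}, "files": [], "network": [],
            "first_ts": recs[0]["ts"] if recs else None, "last_ts": recs[-1]["ts"] if recs else None}
    proc = supp["process"]
    for rec in recs:
        sc = rec["syscall"]
        proc["threads"].add(rec["tid"])
        if sc in ("execve", "execveat"):
            proc.update(name=rec.get("comm"), image=rec.get("pathname"), uid=rec.get("uid"))
        elif sc in ("setuid", "setresuid"):
            proc["uid"] = rec.get("uid")  # a uid change after exec is the detail an analyst wants
        elif sc in ("chdir", "fchdir"):
            proc["cwd"] = rec.get("pathname")
        elif sc in FILE_CLASS:
            supp["files"].append(rec["pathname"])
        elif sc in NETWORK_CLASS:
            supp["network"].append((sc, rec.get("addr")))
    return supp


def complete_output(detection, mapping_data):
    """S205: merge the supplementary data into the detection result as new attributes."""
    supp = extract_supplementary(detection, mapping_data)
    p = supp["process"]
    result = dict(detection)
    result.update(affected_entity={"process": p},
                  process_first_seen=supp["first_ts"], process_last_seen=supp["last_ts"],
                  files=supp["files"], network=supp["network"])
    result["detailed_description"] = (
        f"{p.get('name')} (pid {p['pid']}, uid {p.get('uid')}, cwd {p.get('cwd')}) opened "
        f"{supp['files']} and made {len(supp['network'])} network call(s)")
    return result


if __name__ == "__main__":
    detection = {"attack": True, "pid": 4242, "attack_name": "shadow_read_by_user",
                 "attack_type": "Exfiltration"}  # constructed S203 result
    print(complete_output(detection, MAPPING_DATA))
```

Because the join is keyed on the process identifier and walks the records in time order, the output shows the uid changing from 1000 to 0 between the exec and the network connection, which is exactly the kind of context a bare "attack: yes" result lacks; records of unrelated processes (the sshd record here) never leak into the result.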
Based on the content of S201-S205, the system call combination information, i.e. the mapping data, which is subjected to rule filtering, rule supplementing and form mapping is obtained from the ring buffer, and is used as the data to be detected, and the filtering data is obtained by performing rule supplementing filtering on the data to be detected. Next, the filtered data is input into a pre-built abstract syntax tree to obtain a detection result, and data associated with the detection result is extracted from the mapping data as supplementary data. And finally, carrying out output data supplementation on the detection result by utilizing the supplementary data to obtain an attack behavior detection complete output result. The application directly carries out attack detection based on the system call combination information, so that the detection timeliness can be improved, and meanwhile, the attack detection directly based on the system call combination information can avoid that an attacker bypasses the attack detection by deleting or falsifying the log. In addition, attack detection can be directly carried out based on the source information, namely the system call combination information, so that the traceability of the attack detection can be improved.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an attack behavior detection device according to an embodiment of the present application. As shown in fig. 3, the attack behavior detection device includes:
a first obtaining unit 301, configured to obtain mapping data from the ring buffer as data to be detected, where the mapping data is system call combination information that has been subjected to rule filtering, rule supplementing and form mapping;
a rule filtering unit 302, configured to perform rule filtering on the data to be detected to obtain filtered data;
an input unit 303, configured to input the filtered data into a pre-constructed abstract syntax tree to obtain a detection result;
an extracting unit 304 for extracting data associated with the detection result from the mapping data as supplementary data;
And the output data supplementing unit 305 is configured to supplement the output data of the detection result with the supplementing data to obtain an attack behavior detection complete output result.
In one possible implementation, the apparatus further includes:
The second acquisition unit is used for acquiring the system call combination information through a hooked system call list;
The rule filtering and supplementing unit is used for carrying out rule filtering and rule supplementing on the system call combined information according to the analysis data of the attack behavior detection rule file to obtain filtering and supplementing data;
the form mapping unit is used for carrying out the form mapping on the filtering supplementary data to obtain the mapping data;
and the storage unit is used for storing the mapping data into the ring buffer.
In one possible implementation, the storage unit includes:
An identifying unit configured to identify a byte size of the mapping data;
And the execution unit is used for executing the storage of the mapping data into the ring buffer when the byte size of the mapping data is smaller than or equal to the target byte size.
In one possible implementation, the apparatus further includes:
and the discarding unit is used for discarding the mapping data when the byte size of the mapping data is larger than the target byte size.
In one possible implementation, the apparatus further includes:
The third acquisition unit is used for acquiring the attack behavior detection rule file;
the analysis unit is used for analyzing the attack behavior detection rule file to obtain analysis data;
And the data conversion unit is used for converting the analysis data into the abstract syntax tree.
In one possible implementation manner, the first obtaining unit includes:
a fourth obtaining unit, configured to obtain preliminary system call combination information through a hooked system call list;
And the information supplementing unit is used for supplementing the information of the preliminary system call combination information to obtain the system call combination information.
In addition, the embodiment of the application also provides an attack behavior detection device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the attack behavior detection method when executing the computer program.
In addition, the embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores instructions which, when run on terminal equipment, cause the terminal equipment to execute the attack behavior detection method.
The embodiment of the application provides an attack behavior detection device, which firstly utilizes a first acquisition unit 301 to acquire mapping data from a ring buffer as data to be detected, wherein the mapping data is system call combination information subjected to rule filtering, rule supplementing and form mapping, and a rule filtering unit 302 is utilized to perform rule filtering on the data to be detected to obtain filtered data. The input unit 303 inputs the filtered data into a pre-built abstract syntax tree to obtain a detection result. The extraction unit 304 is then used to extract data associated with the detection result from the mapping data as supplementary data, so that the output data supplementing unit 305 may supplement the detection result with the supplementary data to obtain an attack behavior detection complete output result. The application directly carries out attack detection based on the system call combination information, so that the detection time efficiency can be improved, and meanwhile, the attack detection based on the system call combination information can avoid that an attacker bypasses the attack detection by deleting or falsifying the log. In addition, attack detection can be directly carried out based on the source information, namely the system call combination information, so that the traceability of the attack detection can be improved.
The method, the device, the equipment and the storage medium for detecting the attack behavior provided by the application are described in detail. In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the application can be made without departing from the principles of the application and these modifications and adaptations are intended to be within the scope of the application as defined in the following claims.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of associated objects and represents that three relationships may exist; for example, "A and/or B" may represent: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the objects on either side are in an "or" relationship. "At least one of" and the like means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may be single or plural.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method for detecting an attack, the method comprising:
Obtaining mapping data from the ring buffer as data to be detected, wherein the mapping data is system call combination information subjected to rule filtering, rule supplementing and form mapping;
Performing supplementary rule filtering on the data to be detected to obtain filtered data;
inputting the filtered data into a pre-constructed abstract syntax tree to obtain a detection result;
extracting data associated with the detection result from the mapping data as supplementary data;
carrying out output data supplementation on the detection result by utilizing the supplementation data to obtain an attack behavior detection complete output result;
The filtering the data to be detected by the supplementary rule includes:
According to the analysis data of the attack detection rule file, using defined rules, filtering the data to be detected to obtain the filtered data; the attack behavior detection rule file comprises a rule name, a rule description, a detection rule and a response policy;
And the system call combination information carries out the rule filtering and the rule supplementing according to the analysis data of the attack behavior detection rule file.
2. The method of claim 1, wherein prior to said retrieving mapping data from the ring buffer as data to be detected, the method further comprises:
acquiring the system call combination information through a hooked system call list;
performing rule filtering and rule supplementing on the system call combination information according to analysis data of the attack behavior detection rule file to obtain filtering and supplementing data;
the form mapping is carried out on the filtering supplementary data to obtain mapping data;
The mapping data is stored into the ring buffer.
3. The method of claim 2, wherein the storing the mapping data into the ring buffer comprises:
Identifying a byte size of the mapping data;
And when the byte size of the mapping data is smaller than or equal to the target byte size, executing the storing of the mapping data into the ring buffer.
4. A method according to claim 3, characterized in that the method further comprises:
Discarding the mapping data when the byte size of the mapping data is greater than the target byte size.
5. The method according to claim 2, wherein the obtaining the system call combination information through a hooked system call list comprises:
Obtaining preliminary system call combination information through a hooked system call list;
and carrying out information supplementation on the preliminary system call combination information to obtain the system call combination information.
6. The method of claim 1, wherein the constructing of the pre-constructed abstract syntax tree comprises:
acquiring an attack behavior detection rule file;
analyzing the attack behavior detection rule file to obtain analysis data;
and converting the analytic data into the abstract syntax tree.
7. An attack detection device, the device comprising:
The first acquisition unit is used for acquiring mapping data from the ring buffer as data to be detected, wherein the mapping data is system call combination information subjected to rule filtering, rule supplementing and form mapping;
the rule filtering unit is used for carrying out supplementary rule filtering on the data to be detected to obtain filtering data;
the input unit is used for inputting the filtering data into a pre-constructed abstract syntax tree to obtain a detection result;
An extracting unit configured to extract data associated with the detection result from the mapping data as supplementary data;
The output data supplementing unit is used for supplementing the output data of the detection result by utilizing the supplementing data to obtain an attack behavior detection complete output result;
The filtering the data to be detected by the supplementary rule includes:
According to the analysis data of the attack detection rule file, using defined rules, filtering the data to be detected to obtain the filtered data; the attack behavior detection rule file comprises a rule name, a rule description, a detection rule and a response policy;
And the system call combination information carries out the rule filtering and the rule supplementing according to the analysis data of the attack behavior detection rule file.
8. The apparatus of claim 7, wherein the apparatus further comprises:
The second acquisition unit is used for acquiring the system call combination information through a hooked system call list;
The rule filtering and supplementing unit is used for carrying out rule filtering and rule supplementing on the system call combined information according to the analysis data of the attack behavior detection rule file to obtain filtering and supplementing data;
the form mapping unit is used for carrying out the form mapping on the filtering supplementary data to obtain the mapping data;
and the storage unit is used for storing the mapping data into the ring buffer.
9. An attack behavior detection device, characterized by comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the attack behavior detection method according to any of claims 1-6 when the computer program is executed.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein instructions, which when run on a terminal device, cause the terminal device to perform the attack detection method according to any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311377258.9A CN117744071B (en) | 2023-10-23 | 2023-10-23 | Attack behavior detection method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117744071A CN117744071A (en) | 2024-03-22 |
CN117744071B true CN117744071B (en) | 2024-08-23 |
Family
ID=90255120
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311377258.9A Active CN117744071B (en) | 2023-10-23 | 2023-10-23 | Attack behavior detection method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117744071B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109240807A (en) * | 2018-11-15 | 2019-01-18 | 成都网域复兴科技有限公司 | Malicious program detection system and method based on VMI |
CN110659494A (en) * | 2019-09-27 | 2020-01-07 | 重庆邮电大学 | Extensible smart contract vulnerability detection method |
CN111597089A (en) * | 2020-05-18 | 2020-08-28 | 广州锦行网络科技有限公司 | Linux system call event acquisition and caching device and method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11363061B2 (en) * | 2019-07-17 | 2022-06-14 | Jayant Shukla | Runtime detection of injection attacks on web applications via static and dynamic analysis |
CN112989348B (en) * | 2021-04-15 | 2021-08-17 | 中国电子信息产业集团有限公司第六研究所 | Attack detection method, model training method, device, server and storage medium |
CN116842516A (en) * | 2022-03-23 | 2023-10-03 | 北京罗克维尔斯科技有限公司 | Active defense method and device of vehicle-mounted system, electronic equipment and storage medium |
- 2023-10-23: CN application CN202311377258.9A (patent CN117744071B), status Active
Also Published As
Publication number | Publication date |
---|---|
CN117744071A (en) | 2024-03-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108763031B (en) | Log-based threat information detection method and device | |
EP3205072B1 (en) | Differential dependency tracking for attack forensics | |
CN101751535B (en) | Data loss protection through application data access classification | |
US20200201989A1 (en) | Multi-point causality tracking in cyber incident reasoning | |
US8805995B1 (en) | Capturing data relating to a threat | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
US20230007014A1 (en) | Detection of replacement/copy-paste attacks through monitoring and classifying api function invocations | |
CN114760106B (en) | Network attack determination method, system, electronic equipment and storage medium | |
US20210026969A1 (en) | Detection and prevention of malicious script attacks using behavioral analysis of run-time script execution events | |
US10262133B1 (en) | System and method for contextually analyzing potential cyber security threats | |
CN113312615B (en) | Terminal detection and response system | |
WO2024198285A1 (en) | Method and system for reporting alarm event by vehicle-mounted firewall on basis of probe mechanism | |
Zuo | Defense of Computer Network Viruses Based on Data Mining Technology. | |
US10491625B2 (en) | Retrieving network packets corresponding to detected abnormal application activity | |
CN117744071B (en) | Attack behavior detection method, device, equipment and storage medium | |
KR102447279B1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
CN116595523A (en) | Multi-engine file detection method, system, equipment and medium based on dynamic arrangement | |
CN115643044A (en) | Data processing method, device, server and storage medium | |
Chaudhary et al. | Comparative Study of Static and Hybrid Analysis Using Machine Learning and Artificial Intelligence in Smart Cities | |
US20240281531A1 (en) | Systems and methods for determining and detecting malware families | |
KR102447280B1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
KR102447278B1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
US20230367871A1 (en) | Event-triggered forensics capture | |
CN118585994A (en) | Malicious file detection and warning method, device, equipment and storage medium | |
KR20230174954A (en) | Method for managing externally imported files, apparatus for the same, computer program for the same, and recording medium storing computer program thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |