CN113672939A - Method, device, equipment and medium for analyzing terminal behavior alarm traceability - Google Patents
- Publication number: CN113672939A (application CN202110966818.9A)
- Authority: CN (China)
- Legal status: Pending (the status is an assumption made by Google Patents and is not a legal conclusion)
Classifications
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/57 Certifying or maintaining trusted computer platforms)
- G06F11/3065: Monitoring arrangements determined by the means or processing involved in reporting the monitored data (under G06F11/00 Error detection; error correction; monitoring; G06F11/30 Monitoring)
- G06F16/24: Querying (under G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/20 the same, of structured data, e.g. relational data)
- G06F2221/034: Test or assess a computer or a system (under G06F2221/00 Indexing scheme relating to security arrangements; G06F2221/03 Indexing scheme relating to G06F21/50)
Abstract
The application discloses a method, apparatus, device and medium for analyzing the tracing (provenance) of terminal behavior alarms. The method comprises: monitoring terminal behavior data, reading and parsing it in real time to obtain a behavior log, and storing the behavior log in a local database; matching ("colliding") the behavior log against predefined behavior characteristics that serve as preset alarm rules, to obtain a collision record result (the set of matched log entries); automatically tracing the context of each alarm point in the collision record result to form a tracing chain, and automatically submitting the tracing chain to a data platform; and evaluating the risk level of the tracing chain on the data platform. Analysing the tracing-chain data and re-evaluating its risk level gives the alarm a data-backed basis for judgement, improves the correlation between events and the accuracy of risk alarms, yields the behavior-log record of the full context (origin and consequences) of the alarm event, reduces the tedious manual work of retrieval, analysis, triage and tracing, raises the detection rate and lowers the false-alarm rate.
Description
Technical Field
The invention relates to the technical field of communication, and in particular to a method, apparatus, device and medium for analyzing the tracing (provenance) of terminal behavior alarms.
Background
In practical deployments of terminal (endpoint) security products, a large number of high-, medium- and low-risk alarms are generated. To decide whether a single alarm is benign or a real attack or penetration, a security analyst has to investigate it in depth with other products or by manually examining the terminal; many of these alarms turn out to be false positives, and the volume of alarms and false positives causes alert fatigue in the handling of security events.
In the prior art, immediate tracing is performed on the basis of malicious-file rule signatures or indicators of compromise (IOC). The tracing data is reported as a single alarm whose risk grade is the same as that of the alarm that triggered the trace, and a given alarm or risk point can neither be traced again afterwards nor traced a second time completely.
Disclosure of Invention
In view of this, the present invention provides a method, apparatus, device and medium for analyzing the tracing of terminal behavior alarms, which implement rule collision (matching) analysis and automatic tracing on the terminal, improve the detection rate and reduce the false-alarm rate. The specific scheme is as follows:
a method for analyzing the tracing of terminal behavior alarms comprises the following steps:
monitoring terminal behavior data, reading and parsing the terminal behavior data in real time to obtain a behavior log, and storing the behavior log in a local database;
matching (colliding) the behavior log against predefined behavior characteristics serving as preset alarm rules to obtain a collision record result;
automatically tracing the context of the alarm point in the collision record result to form a tracing chain, and automatically submitting the tracing chain to a data platform;
and performing risk level evaluation on the tracing chain through the data platform.
Preferably, in the method for analyzing the tracing of terminal behavior alarms provided in the embodiment of the present invention, the method further includes:
displaying the alarm behavior to the user in the form of a complete event, where a complete event is formed by merging a plurality of related alarm points into one event.
Preferably, in the method provided in the embodiment of the present invention, automatically tracing the context of the alarm point in the collision record result to form a tracing chain includes:
tracking, from the local database, the parent and child processes and the related node operation objects associated with the context of the alarm point in the collision record result;
and taking the tree-structured data of parent-child relationships formed by joining the whole tracked process chain with the node operation objects as the tracing chain.
Preferably, in the method provided in the embodiment of the present invention, tracking the parent and child processes and related node operation objects from the local database includes:
acquiring the parent process ID and the child process IDs of the current node operation object corresponding to the alarm point in the collision record result;
tracking the log information of the parent process from the local database by its process ID, upward, until no further parent process node is found;
and tracking the log information of the child processes from the local database by their process IDs, downward, until no further child process node is found.
Preferably, in the method provided in the embodiment of the present invention, while forming the tracing chain, the method further includes:
receiving a tracing instruction from the platform through a terminal tracing interface, so as to obtain the corresponding tracing chain.
Preferably, in the method provided in the embodiment of the present invention, performing risk level evaluation on the tracing chain through the data platform includes:
analysing the tracing chain on the data platform and comparing each node of the tracing chain against a known alarm list, so as to evaluate the risk weight of each node and re-evaluate the risk level of the tracing chain as a whole.
Preferably, in the method provided in the embodiment of the present invention, displaying the alarm behavior to the user in the form of a complete event includes:
displaying the information and the risk level of each node of the tracing chain corresponding to the alarm behavior, in the form of a complete event, through diagrams and data.
The embodiment of the invention also provides an apparatus for analyzing the tracing of terminal behavior alarms, which comprises:
the data monitoring module is used for monitoring terminal behavior data;
the log analysis module is used for reading and analyzing the terminal behavior data in real time to obtain a behavior log and storing the behavior log into a local database;
the collision recording module is used for matching and colliding predefined behavior characteristics serving as preset alarm rules with the behavior log to obtain a collision recording result;
the automatic tracing module is used for performing automatic context tracing according to the alarm point of the collision record result to form a tracing chain and automatically submitting the tracing chain to a data platform;
and the data platform is used for carrying out risk grade evaluation on the traceability chain.
The embodiment of the present invention further provides a device for analyzing the terminal behavior alarm traceability, which includes a processor and a memory, wherein the processor implements the method for analyzing the terminal behavior alarm traceability provided in the embodiment of the present invention when executing the computer program stored in the memory.
The embodiment of the present invention further provides a computer-readable storage medium, configured to store a computer program, where the computer program, when executed by a processor, implements the method for analyzing the terminal behavior alarm traceability, provided by the embodiment of the present invention.
According to the above technical scheme, the method for analyzing the tracing of terminal behavior alarms comprises: monitoring terminal behavior data, reading and parsing it in real time to obtain a behavior log and storing the behavior log in a local database; matching (colliding) the behavior log against predefined behavior characteristics serving as preset alarm rules to obtain a collision record result; automatically tracing the context of the alarm point in the collision record result to form a tracing chain and automatically submitting the tracing chain to a data platform; and performing risk level evaluation on the tracing chain through the data platform.
The method realises rule collision analysis on the terminal and automatic tracing log correlation analysis to form a tracing chain, which is then automatically submitted to the data platform, where the chain data is analysed and its risk level evaluated. This gives the alarm a data-backed basis for judgement, improves event correlation and the accuracy of risk alarms, yields the behavior-log record of the full context of the risk alarm event, reduces the tedious manual work of retrieval, analysis, triage and tracing, raises the detection rate and lowers the false-alarm rate.
In addition, the invention provides a corresponding apparatus, device and computer-readable storage medium for the method, which makes the method more practical; the apparatus, device and storage medium have the corresponding advantages.
Drawings
In order to more clearly illustrate the embodiments of the present invention or technical solutions in related arts, the drawings used in the description of the embodiments or related arts will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a method for analyzing a terminal behavior alarm trace source according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a device for analyzing a terminal behavior alarm trace source according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a method for analyzing alarm tracing of terminal behavior, which comprises the following steps as shown in figure 1:
S101, monitoring terminal behavior data, reading and parsing the terminal behavior data in real time to obtain a behavior log, and storing the behavior log in a local database;
It should be noted that the local database provides full-log storage: the terminal dynamically writes the complete behavior log into local storage. The behavior log is obtained either by hooking the file, registry, process and network operations of the operating system, or as the event log produced by a monitoring tool such as Sysmon. It may include file operations, registry operations, process creation, network connections, driver loading, process access and WMI (Windows Management Instrumentation) events. Preferably the behavior log is stored in a high-performance I/O database (for example LevelDB, RocksDB or Berkeley DB) so that the relevant records can later be retrieved by condition.
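As an added example of step S101 (not code from the patent), assuming Sysmon as the monitoring source: Sysmon event XML in the Windows event log layout is flattened into a behavior-log record and written to a local database indexed by process GUID, so that a later trace can look up parents and children by condition. The patent names LevelDB, RocksDB and Berkeley DB; the SQLite store, the column layout, the event-kind table and the sample events below are assumptions made for this example.

```python
"""Step S101 as an added example: Sysmon event XML (Windows event log layout)
is parsed into normalized behavior-log records and stored in a local
database that can be queried by condition. Not the patent's code."""
import json
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Sysmon event IDs for the behavior classes the patent lists.
SYSMON_EVENT_KINDS = {1: "process_create", 3: "network_connect", 6: "driver_load",
                      10: "process_access", 11: "file_create", 13: "registry_set",
                      19: "wmi_event_filter", 20: "wmi_event_consumer"}


def parse_sysmon_event(xml_text):
    """Flatten one <Event> into a dict: the <System> header fields plus every
    <Data Name="..."> element of <EventData>."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    event_id = int(system.findtext(EVT_NS + "EventID"))
    rec = {"event_id": event_id,
           "kind": SYSMON_EVENT_KINDS.get(event_id, "event_%d" % event_id),
           "record_id": int(system.findtext(EVT_NS + "EventRecordID")),
           "computer": system.findtext(EVT_NS + "Computer")}
    for data in root.iter(EVT_NS + "Data"):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def _int(value):
    return int(value) if value else None


class BehaviorLog:
    """Full local log store. The patent suggests LevelDB/RocksDB/Berkeley DB;
    SQLite from the standard library is an assumption made here so the
    example runs anywhere. Process and parent GUIDs are indexed so a later
    trace can look up parents and children by condition."""
    COLUMNS = ("record_id", "event_id", "kind", "utc_time", "process_guid",
               "process_id", "image", "parent_guid", "parent_id", "fields")

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS behavior (record_id INTEGER PRIMARY KEY,"
                        " event_id INTEGER, kind TEXT, utc_time TEXT, process_guid TEXT,"
                        " process_id INTEGER, image TEXT, parent_guid TEXT,"
                        " parent_id INTEGER, fields TEXT)")
        self.db.execute("CREATE INDEX IF NOT EXISTS ix_pguid ON behavior(process_guid)")
        self.db.execute("CREATE INDEX IF NOT EXISTS ix_parent ON behavior(parent_guid)")

    def ingest(self, xml_text):
        rec = parse_sysmon_event(xml_text)
        self.db.execute("INSERT OR REPLACE INTO behavior VALUES (?,?,?,?,?,?,?,?,?,?)",
                        (rec["record_id"], rec["event_id"], rec["kind"], rec.get("UtcTime"),
                         rec.get("ProcessGuid"), _int(rec.get("ProcessId")), rec.get("Image"),
                         rec.get("ParentProcessGuid"), _int(rec.get("ParentProcessId")),
                         json.dumps(rec)))
        return rec

    def query(self, **conds):
        """Equality query on stored columns, e.g. query(parent_guid=guid).
        Column names are checked against a whitelist; values are bound."""
        bad = [k for k in conds if k not in self.COLUMNS]
        if bad:
            raise ValueError("unknown column(s): %s" % ", ".join(bad))
        where = " AND ".join("%s = ?" % k for k in conds) or "1 = 1"
        rows = self.db.execute("SELECT fields FROM behavior WHERE " + where,
                               tuple(conds.values()))
        return [json.loads(row[0]) for row in rows]


def _event(event_id, record_id, **data):
    """Build a constructed Sysmon event in the Windows event log XML layout."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, escape(v)) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>%d</EventID>'
            '<EventRecordID>%d</EventRecordID><Computer>WS01.corp.example</Computer>'
            '</System><EventData>%s</EventData></Event>' % (event_id, record_id, fields))


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: Word spawns an encoded PowerShell that connects out
    _event(1, 101, UtcTime="2021-08-20 09:15:02.117", ProcessGuid="{G-WORD}",
           ProcessId="5120", Image=WORD, CommandLine='"WINWORD.EXE" invoice.docm',
           ParentProcessGuid="{G-EXPL}", ParentProcessId="4012",
           ParentImage=r"C:\Windows\explorer.exe"),
    _event(1, 102, UtcTime="2021-08-20 09:15:09.402", ProcessGuid="{G-PS}",
           ProcessId="6044", Image=PS, CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA",
           ParentProcessGuid="{G-WORD}", ParentProcessId="5120", ParentImage=WORD),
    _event(3, 103, UtcTime="2021-08-20 09:15:10.015", ProcessGuid="{G-PS}",
           ProcessId="6044", Image=PS, Protocol="tcp", DestinationIp="198.51.100.7",
           DestinationPort="443"),
]


def load_sample():
    log = BehaviorLog()
    for xml_text in SAMPLE_EVENTS:
        log.ingest(xml_text)
    return log


if __name__ == "__main__":
    log = load_sample()
    for rec in log.query(kind="process_create", parent_guid="{G-WORD}"):
        print(rec["ProcessId"], rec["Image"], rec["CommandLine"])
```

The raw record is kept as JSON beside the indexed columns, so a trace only needs the GUID columns while the analyst still gets every Sysmon field back. The column whitelist in query() matters because column names cannot be bound as parameters; only the values are.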
S102, matching (colliding) the behavior log against predefined behavior characteristics serving as preset alarm rules to obtain a collision record result;
In particular, the predefined behavior characteristics may be pre-written signatures of abnormal behavior that warrants an alarm. The preset alarm rules distil abnormal-behavior analysis into regular expressions, each carrying an alarm risk level, which are matched against the behavior log; the collision record result is the set of behavior-log entries that matched. While matching, it can be judged whether the hit satisfies the conditions for the risk level of the active node or of any passive node (process, file, registry, network and the like); when the conditions are met, the next step proceeds.
S103, performing automatic context tracing according to the alarm points in the collision record result to form a tracing chain, and automatically submitting the tracing chain to a data platform;
It should be noted that the collision record result may include several alarm points, and the automatic tracing log correlation analysis is decided according to the alarm points and their risk level to form a tracing chain. Tracing means starting from the node of a given event and searching upward for the behavior logs of the parent process, the parent's parent and so on until the top-level node, and searching downward for the child processes, their children and so on until the last-level node. The tracing chain is the behavior-log chain with parent-child relationships formed by linking the traced records through their node relations. The data platform may be a big-data analysis platform.
And S104, performing risk level evaluation on the tracing chain through the data platform.
The data platform supports secondary retrieval and analysis of the nodes of the tracing chain: it analyses each node and its information and takes the number of alarms into account to evaluate the risk level of the event, so the alarm event is rated more accurately. In practice, if the context tracing chain of an alarm contains other confirmed high-risk alarms or other related alarms, the alarm is judged suspicious or dangerous; the chain's behavior parameters and additional information, together with the origin and consequences of the alarm, are provided. This gives the alarm behavior a data-backed basis for judgement, identifies as far as possible the source of the event (a malicious file, a program vulnerability, a file-based attack or intrusion method and the like), and gives security analysts an intuitive, simple, accurate and efficient basis for analysing the data.
In the method for analyzing the tracing of terminal behavior alarms provided by the embodiment of the invention, rule collision analysis on the terminal and automatic tracing log correlation analysis form a tracing chain, which is then automatically submitted to the data platform, where the chain data is analysed and its risk level evaluated. This gives the alarm behavior a data-backed basis for judgement, improves the event correlation and accuracy of risk alarms, yields the behavior-log record of the full context of the risk alarm event, reduces the tedious manual work of retrieval, analysis, triage and tracing, raises the detection rate and lowers the false-alarm rate.
Further, in a specific implementation, the method provided in the embodiment of the present invention may also include: displaying the alarm behavior to the user as a complete event, i.e. a plurality of related alarm points correlated and merged into one event. Specifically, the information and risk level of each node of the tracing chain corresponding to the alarm behavior can be shown as a complete event through diagrams and data. Presenting the alarm as a complete event rather than in the traditional form of alarm elements makes the analysis and judgement of terminal alarm behavior more intuitive, simple, accurate and efficient, and lets the user carry out deep data analysis and response. Traditional alarm elements take the form of a single alarm list, or of alarms merged only when they are identical, with no internal correlation between the alarms.
In a specific implementation, step S103 (automatic context tracing according to the alarm point of the collision record result to form a tracing chain) comprises: tracking, from the local database, the parent and child processes and the related node operation objects (files, processes, network connections, registry keys and the like) associated with the context of the alarm point; and taking the tree-structured parent-child data formed by joining the whole tracked process chain with the node operation objects as the tracing chain.
In a specific implementation, tracking the parent and child processes and the related node operation objects from the local database may comprise: obtaining the parent process ID and the child process IDs of the current node operation object corresponding to the alarm point; tracking the parent process's log information upward from the local database by its process ID, repeating for each parent found, until no further parent process node is present in the log; and judging whether the child processes have exited and, if not, waiting for a period of time, then tracking the child processes' log information downward from the local database by their process IDs until no further child process node is found. The parent-child node data can then be assembled into JSON format to form the tracing chain.
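As an added example covering steps S102 and S103 together (not the patent's code): a constructed behavior log is matched ("collided") against regular-expression alarm rules that carry risk levels, and an alarm point is then traced upward until its parent is absent from the log and downward to the last-level nodes, with the node operation objects (network connections, file writes) attached to their processes, producing the tracing chain as a JSON tree. Records, rule names, field names and the risk levels are constructed. One caveat the patent does not spell out is applied here: processes are joined on ProcessGuid rather than bare PID, because the operating system reuses PIDs and a full log kept for a long time would otherwise stitch unrelated processes into one chain.

```python
"""Steps S102 and S103 as an added example: rule collision over a behavior
log, then automatic context tracing of an alarm point into a parent-child
tracing chain serialised as JSON. Not the patent's code; records, rules and
field names are constructed."""
import json
import re
from collections import defaultdict

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed behavior log, already parsed into flat records. Processes are
# keyed by ProcessGuid rather than bare PID: the OS reuses PIDs, so joining on
# PID alone over a long-lived full log can stitch unrelated processes together.
LOG = [
    {"kind": "process_create", "guid": "P1", "pid": 4012, "parent_guid": "P0",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process_create", "guid": "P2", "pid": 5120, "parent_guid": "P1",
     "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "cmdline": '"WINWORD.EXE" invoice.docm'},
    {"kind": "process_create", "guid": "P3", "pid": 6044, "parent_guid": "P2",
     "parent_image": WORD, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"kind": "network_connect", "guid": "P3", "pid": 6044, "image": PS,
     "target": "198.51.100.7:443"},
    {"kind": "process_create", "guid": "P4", "pid": 7100, "parent_guid": "P3",
     "parent_image": PS, "image": CMD, "cmdline": "cmd.exe /c copy update.vbs %APPDATA%"},
    {"kind": "file_create", "guid": "P4", "pid": 7100, "image": CMD,
     "target": STARTUP + r"\update.vbs"},
    {"kind": "process_create", "guid": "P5", "pid": 5300, "parent_guid": "P1",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Preset alarm rules: a regular expression over the rendered record, plus the
# risk level the terminal assigns to a hit.
RULES = [
    {"name": "office_spawns_shell", "level": "high",
     "pattern": re.compile(r"WINWORD\.EXE -> .*\\(powershell|cmd)\.exe", re.I)},
    {"name": "encoded_powershell", "level": "medium",
     "pattern": re.compile(r"powershell\.exe .*-enc(odedcommand)?\b", re.I)},
    {"name": "startup_folder_write", "level": "medium",
     "pattern": re.compile(r"^file_create .*\\Startup\\", re.I)},
]


def render(rec):
    """One-line text form of a record that the rule regexes run against."""
    if rec["kind"] == "process_create":
        return "process_create %s -> %s %s" % (rec["parent_image"], rec["image"], rec["cmdline"])
    return "%s %s %s" % (rec["kind"], rec["image"], rec.get("target", ""))


def collide(log, rules):
    """Match every record against every rule; each hit is one alarm point."""
    return [{"guid": rec["guid"], "rule": rule["name"], "level": rule["level"], "record": rec}
            for rec in log for rule in rules if rule["pattern"].search(render(rec))]


def build_index(log):
    procs = {r["guid"]: r for r in log if r["kind"] == "process_create"}
    children, ops = defaultdict(list), defaultdict(list)
    for r in log:
        if r["kind"] == "process_create":
            children[r["parent_guid"]].append(r["guid"])
        else:  # non-process records are the operation objects of their process
            ops[r["guid"]].append(r)
    return procs, children, ops


def trace_chain(log, alarm_guid, alarms):
    """Tracing chain for one alarm point: the alarm's process with its whole
    subtree (downward to the last-level nodes), wrapped in its ancestors
    (upward until the parent is absent from the log), as a nested tree."""
    procs, children, ops = build_index(log)
    by_guid = defaultdict(list)
    for a in alarms:
        by_guid[a["guid"]].append({"rule": a["rule"], "level": a["level"]})
    visited = set()  # guards against a malformed log with a parent cycle

    def node(guid, descend):
        visited.add(guid)
        p = procs[guid]
        n = {"guid": guid, "pid": p["pid"], "image": p["image"], "cmdline": p["cmdline"],
             "alarms": by_guid.get(guid, []),
             "operations": [{"kind": o["kind"], "target": o["target"]} for o in ops.get(guid, [])],
             "children": []}
        if descend:
            n["children"] = [node(c, True) for c in children.get(guid, []) if c not in visited]
        return n

    chain = node(alarm_guid, True)
    parent = procs[alarm_guid]["parent_guid"]
    while parent in procs and parent not in visited:
        wrapper = node(parent, False)
        wrapper["children"] = [chain]
        chain, parent = wrapper, procs[parent]["parent_guid"]
    return chain


if __name__ == "__main__":
    hits = collide(LOG, RULES)
    print(json.dumps(trace_chain(LOG, hits[0]["guid"], hits), indent=2))
```

Ancestors are added with descend=False, so the chain contains the single path from the top-level node down to the alarm point plus everything below it; the benign notepad.exe sibling under explorer.exe is not pulled in. The explorer.exe record names a parent (P0) that is not in the log, which is the "no further parent process node" stop condition.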
Further, in a specific implementation, while forming the tracing chain, the method provided in the embodiment of the present invention may also include: receiving a tracing instruction from the platform through the terminal tracing interface, so as to obtain the corresponding tracing chain. A backtracking query for a given event can therefore be made at any time through the tracing interface to obtain the behavior and context records of each node of the risk-alarm tracing chain. The tracing condition may come from a third-party intelligence source, a network-traffic alarm or a manual query, and is not limited to an IP address; traffic-alarm tracing judges the risk from traffic characteristics and uses the connection five-tuple (source and destination addresses, source and destination ports, protocol), in linkage with the terminal, to find the related process events and form a tracing chain. The tracing chain obtained in this way can be submitted automatically to the data platform, which effectively supports after-the-fact node tracing driven by manual queries or third-party intelligence data, and obtains and analyses the risk rating of the chain.
In a specific implementation, step S104 (risk level evaluation of the tracing chain through the data platform) may comprise: analysing the tracing chain on the data platform and comparing each node of the chain against the known alarm list, so as to evaluate the risk weight of each node and re-evaluate the risk level of the chain as a whole. Each node of the tracing chain is thus retrieved and analysed a second time on the data platform and correlated with the known alarm list, and the chain is comprehensively studied, re-evaluated and re-rated, which further reduces the false-alarm rate and raises the detection rate. In addition, the data platform can combine other data sources, such as threat intelligence, network-traffic alarms and manual queries, and call the tracing interface to send a tracing request with custom parameters to a specified terminal; the tracing interface obtains the related tracing chain according to the request parameters and automatically uploads it to the data platform.
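As an added example of step S104 (not the patent's code): each node of a tracing chain is compared with a known alarm list that may re-rate a rule's level or mark it as a confirmed indicator, an IOC list stands in for the third-party intelligence sources the text mentions, per-node weights are summed, and the chain's level is re-rated from the total and from how many related nodes carry alarms, so that an isolated heuristic hit is down-rated while a chain with several related alarms is raised. The weights, thresholds, known-alarm entries and chains are assumptions made for this example; the chain shape is the nested tree a terminal trace would produce.

```python
"""Step S104 as an added example: risk re-evaluation of a tracing chain on the
data platform. Each node is compared with a known alarm list (which may
re-rate a rule or mark it confirmed) and an IOC list standing in for a
third-party intelligence source, node weights are summed, and the chain's
level is re-rated from the total and the number of related alarm nodes.
Not the patent's code; weights, thresholds and chains are assumptions."""

LEVEL_WEIGHT = {"low": 1, "medium": 3, "high": 6}
HIGH_SCORE, MEDIUM_SCORE = 12, 6  # assumed thresholds

# Known alarm list curated on the platform: level per rule (may differ from
# the level the terminal rule carried) and whether the rule is a confirmed
# indicator rather than a heuristic.
KNOWN_ALARMS = {
    "office_spawns_shell": {"level": "high", "confirmed": True},
    "encoded_powershell": {"level": "medium", "confirmed": False},
    "startup_folder_write": {"level": "medium", "confirmed": False},
}
KNOWN_BAD_TARGETS = {"198.51.100.7:443"}  # constructed threat-intelligence IOCs


def walk(node):
    yield node
    for child in node["children"]:
        yield from walk(child)


def score_node(node, known, iocs):
    """Weight of one node: its alarms re-rated by the known list (doubled when
    the rule is a confirmed indicator) plus IOC hits on its operation objects."""
    weight, reasons = 0, []
    for alarm in node["alarms"]:
        entry = known.get(alarm["rule"])
        level = entry["level"] if entry else alarm["level"]
        w = LEVEL_WEIGHT[level] * (2 if entry and entry["confirmed"] else 1)
        weight += w
        reasons.append("%s:%s:%d" % (alarm["rule"], level, w))
    for op in node["operations"]:
        if op["target"] in iocs:
            weight += LEVEL_WEIGHT["high"]
            reasons.append("ioc:%s:%d" % (op["target"], LEVEL_WEIGHT["high"]))
    return weight, reasons


def evaluate_chain(chain, known=KNOWN_ALARMS, iocs=KNOWN_BAD_TARGETS):
    """Re-rate the whole chain. A confirmed indicator or a high total gives
    'high'; several related hits give 'medium'; an isolated heuristic hit is
    down-rated to 'low' (the false-positive case); no hits gives 'none'."""
    scored = {n["guid"]: score_node(n, known, iocs) for n in walk(chain)}
    total = sum(w for w, _ in scored.values())
    hit_nodes = [g for g, (w, _) in scored.items() if w > 0]
    confirmed = any(known.get(a["rule"], {}).get("confirmed", False)
                    for n in walk(chain) for a in n["alarms"])
    if confirmed or total >= HIGH_SCORE:
        level = "high"
    elif total >= MEDIUM_SCORE and len(hit_nodes) >= 2:
        level = "medium"
    elif total > 0:
        level = "low"
    else:
        level = "none"
    return {"level": level, "score": total, "hit_nodes": hit_nodes,
            "reasons": {g: r for g, (_, r) in scored.items() if r}}


def proc(guid, image, alarms=(), operations=(), children=()):
    """Build a chain node in the shape the terminal's tracing produces."""
    return {"guid": guid, "image": image,
            "alarms": [{"rule": r, "level": l} for r, l in alarms],
            "operations": [{"kind": k, "target": t} for k, t in operations],
            "children": list(children)}


# Constructed chains: a macro-dropper chain, an isolated admin PowerShell
# hit, and two related heuristic hits without a confirmed indicator.
MALICIOUS_CHAIN = proc("P1", "explorer.exe", children=[proc("P2", "WINWORD.EXE", children=[
    proc("P3", "powershell.exe",
         alarms=[("office_spawns_shell", "high"), ("encoded_powershell", "medium")],
         operations=[("network_connect", "198.51.100.7:443")],
         children=[proc("P4", "cmd.exe", alarms=[("startup_folder_write", "medium")])])])])
ADMIN_CHAIN = proc("Q1", "explorer.exe", children=[
    proc("Q2", "powershell.exe", alarms=[("encoded_powershell", "medium")])])
RELATED_CHAIN = proc("R1", "explorer.exe", children=[
    proc("R2", "powershell.exe", alarms=[("encoded_powershell", "medium")],
         children=[proc("R3", "cmd.exe", alarms=[("startup_folder_write", "medium")])])])


if __name__ == "__main__":
    for name, chain in (("malicious", MALICIOUS_CHAIN), ("admin", ADMIN_CHAIN),
                        ("related", RELATED_CHAIN)):
        print(name, evaluate_chain(chain))
```

The same terminal rule, encoded_powershell at level medium, ends up rated low when it stands alone in an administrator's chain and contributes to a high rating when it sits beside a confirmed indicator and an IOC hit in the same chain, which is the re-rating effect the text describes. The per-node reasons are returned so the platform can show them beside each node when the event is displayed.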
It should be noted that the invention uses behavior rules as the source of risk alarms, adds tracing-chain nodes for secondary analysis by active tracing, and finally scores the overall risk level of the tracing chain. It also takes third-party intelligence sources into account (threat intelligence, network-traffic alarms, manual queries and other sources) to perform passive tracing on the terminal, which is not limited to the point in time of the original alarm (bounded only by the log storage space), so as to obtain more complete tracing-chain data that includes the node data of other intelligence sources, thereby improving the terminal detection rate and reducing the false-alarm rate.
Based on the same inventive concept, the embodiment of the present invention further provides a device for analyzing the terminal behavior alarm traceability, and because the principle of the device for solving the problem is similar to the aforementioned method for analyzing the terminal behavior alarm traceability, the implementation of the device can refer to the implementation of the method for analyzing the terminal behavior alarm traceability, and repeated parts are not described again.
In specific implementation, the apparatus for analyzing tracing to a source of a terminal behavior alarm provided in the embodiment of the present invention, as shown in fig. 2, specifically includes:
the data monitoring module 11 is used for monitoring terminal behavior data; it may be the lightweight system monitoring tool Sysmon, which records process creation, file access and network activity through a system service and a driver and writes the information to the Windows event log; Sysmon collects events according to an XML configuration file, in which filter tags can be set; the configuration is passed as a parameter when the Sysmon program is run, and after successful installation it starts recording all event logs;
the log analysis module 12 is used for reading and parsing the terminal behavior data in real time to obtain a behavior log and storing it in a local database; the event log can be browsed in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational; the log analysis module 12 parses and formats the Sysmon event log and stores the formatted log in the local database;
the collision recording module 13 is used for matching the behavior log against predefined behavior characteristics serving as preset alarm rules to obtain a collision record result; the collision recording module 13 may derive and write the preset alarm rules, as regular expressions, from the formatted log, and mark each rule with a risk level;
the automatic tracing module 14 is configured to perform automatic context tracing according to the alarm point of the collision record result, form a tracing chain, and automatically submit the tracing chain to the data platform 15;
and the data platform 15 is used for carrying out risk level assessment on the traceability chain.
In the apparatus for analyzing the tracing of terminal behavior alarms provided by the embodiment of the invention, the interaction of the four modules with the data platform gives the alarm behavior a data-backed basis for judgement, improves the event correlation and accuracy of risk alarms, yields the behavior-log record of the full context of the risk alarm event, reduces the tedious manual work of retrieval, analysis, triage and tracing, raises the detection rate and lowers the false-alarm rate.
For more specific working processes of the modules and the data platform, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described here again.
Correspondingly, the embodiment of the invention also discloses equipment for analyzing the alarm tracing of the terminal behavior, which comprises a processor and a memory; the method for analyzing the terminal behavior alarm tracing source disclosed in the foregoing embodiments is implemented when the processor executes the computer program stored in the memory.
For more specific processes of the above method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Further, the present invention also discloses a computer readable storage medium for storing a computer program; when being executed by a processor, the computer program realizes the method for analyzing the terminal behavior alarm traceability disclosed in the foregoing.
For more specific processes of the above method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device, the equipment and the storage medium disclosed by the embodiment correspond to the method disclosed by the embodiment, so that the description is relatively simple, and the relevant points can be referred to the method part for description.
Those skilled in the art will further appreciate that the illustrative units and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that the illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as departing from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
To sum up, the method for terminal behavior alarm tracing analysis provided by the embodiment of the present invention comprises: monitoring terminal behavior data, reading and parsing it in real time to obtain a behavior log, and storing the behavior log in a local database; matching and colliding predefined behavior characteristics, serving as preset alarm rules, against the behavior log to obtain a collision record result; automatically tracing the context from the alarm point of the collision record result to form a tracing chain, and automatically submitting the tracing chain to a data platform; and performing risk grade evaluation on the tracing chain through the data platform. In this way, rule collision analysis on the terminal and automatic association analysis of the tracing logs form a tracing chain, which is then submitted automatically to the data platform for data analysis and risk grade evaluation. This provides strong data support and a basis for judgment for alarm behaviors, improves event association and the accuracy of risk alarms, yields behavior log records covering the full origin and consequences of a risk alarm event, reduces the tedious manual retrieval, manual analysis and manual tracing, improves the detection rate and reduces the false alarm rate. In addition, the invention also provides a corresponding device, apparatus and computer-readable storage medium for the method for terminal behavior alarm tracing analysis, which give the method greater practicability, and the device, apparatus and computer-readable storage medium have the corresponding advantages.
Finally, it should also be noted that, herein, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to that process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The method, device, apparatus and medium for terminal behavior alarm tracing analysis provided by the invention have been described in detail above. A specific example has been used herein to explain the principle and implementation of the invention, and the description of the embodiments is intended only to help in understanding the method and its core idea. At the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.
Claims (10)
1. A method for terminal behavior alarm tracing analysis, characterized by comprising the following steps:
monitoring terminal behavior data, reading and parsing the terminal behavior data in real time to obtain a behavior log, and storing the behavior log in a local database;
matching and colliding predefined behavior characteristics, serving as preset alarm rules, against the behavior log to obtain a collision record result;
automatically tracing the context from the alarm point of the collision record result to form a tracing chain, and automatically submitting the tracing chain to a data platform;
and performing risk grade evaluation on the tracing chain through the data platform.
2. The method for terminal behavior alarm tracing analysis according to claim 1, further comprising:
displaying the alarm behavior to the user in the form of a complete event, where the complete event form combines a plurality of related alarm points into one event.
3. The method for terminal behavior alarm tracing analysis according to claim 2, wherein automatically tracing the context from the alarm point of the collision record result to form a tracing chain comprises:
tracking, from the local database, the parent-child processes and the related node operation objects associated with the context of the alarm point of the collision record result;
and taking the tree-structured data of parent-child relationships, formed by splicing the whole tracked process chain together with the node operation objects, as the tracing chain.
4. The method for terminal behavior alarm tracing analysis according to claim 3, wherein tracking, from the local database, the parent-child processes and the related node operation objects associated with the context of the alarm point of the collision record result comprises:
acquiring the parent process ID and the child process IDs of the current node operation object corresponding to the alarm point of the collision record result;
tracking the log information of the parent process ID from the local database through the parent process ID until no process node is found for the parent process ID;
and tracking the log information of the child process IDs from the local database through the child process IDs until no process node is found for the child process IDs.
5. The method for terminal behavior alarm tracing analysis according to claim 4, characterized in that, while the tracing chain is being formed, the method further comprises:
receiving a platform tracing instruction through a terminal tracing interface to obtain the corresponding tracing chain.
6. The method for terminal behavior alarm tracing analysis according to claim 5, wherein performing risk grade evaluation on the tracing chain through the data platform comprises:
analyzing the tracing chain through the data platform, comparing each node of the tracing chain with a known alarm list to evaluate the risk weight of each node of the tracing chain, and re-evaluating the risk level of the tracing chain.
7. The method for terminal behavior alarm tracing analysis according to claim 2, wherein displaying the alarm behavior to the user in the form of a complete event comprises:
displaying the information and the risk level of each node of the tracing chain corresponding to the alarm behavior in the form of a complete event, through diagrams and data.
8. A device for terminal behavior alarm tracing analysis, characterized by comprising:
a data monitoring module for monitoring terminal behavior data;
a log parsing module for reading and parsing the terminal behavior data in real time to obtain a behavior log and storing the behavior log in a local database;
a collision recording module for matching and colliding predefined behavior characteristics, serving as preset alarm rules, against the behavior log to obtain a collision record result;
an automatic tracing module for automatically tracing the context from the alarm point of the collision record result to form a tracing chain and automatically submitting the tracing chain to a data platform;
and the data platform, for performing risk grade evaluation on the tracing chain.
9. An apparatus for terminal behavior alarm tracing analysis, comprising a processor and a memory, wherein the processor, when executing the computer program stored in the memory, implements the method for terminal behavior alarm tracing analysis according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for terminal behavior alarm tracing analysis according to any one of claims 1 to 7.
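The pipeline summarized in the description and spelled out in claims 1 to 7 (behavior log in a local database, rule collision, parent/child process tracing into a tree, per-node risk weighting against a known alarm list, and merging of related alarm points into one event) can be illustrated end to end in a few dozen lines. The following is an added example, not the patent's own code: the log schema, the two alarm rules, the weights, the thresholds and the sample process records are all assumptions chosen for illustration, and the sample log is constructed (an Office document spawning an encoded PowerShell that connects to a TEST-NET address and drops a file).

```python
"""Added example (not the patent's own code): a toy version of the pipeline the
page describes, monitoring log -> rule collision -> parent/child tracing chain ->
risk grade -> merged event. Log schema, rules, weights and thresholds are
assumptions chosen for illustration."""
from collections import defaultdict

# Constructed behavior log (assumed schema): one record per process, with the
# parent process ID and the objects (files, sockets) the process touched.
BEHAVIOR_LOG = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe",                "objects": []},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmd": "winword.exe invoice.docm",    "objects": ["invoice.docm"]},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmd": "cmd.exe /c start powershell", "objects": []},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -enc SQBFAFgA",
     "objects": ["203.0.113.5:443", "C:\\Users\\u\\AppData\\Roaming\\upd.exe"]},
    {"pid": 500, "ppid": 1,   "image": "svchost.exe",    "cmd": "svchost.exe -k netsvcs",      "objects": []},
]

# Predefined behavior characteristics used as preset alarm rules (assumed).
ALARM_RULES = {
    "office_spawns_shell": lambda rec, by_pid: rec["image"] in {"cmd.exe", "powershell.exe"}
        and by_pid.get(rec["ppid"], {}).get("image") in {"winword.exe", "excel.exe"},
    "encoded_powershell": lambda rec, by_pid: rec["image"] == "powershell.exe"
        and "-enc" in rec["cmd"].lower().split(),
}

# Known alarm list used by the platform to weight each node (assumed values).
KNOWN_ALARM_WEIGHTS = {"powershell.exe": 3, "cmd.exe": 2, "winword.exe": 1}
RULE_HIT_WEIGHT = 2
RISK_THRESHOLDS = ((8, "high"), (4, "medium"), (0, "low"))


def build_local_db(log):
    """Index the behavior log by pid and by ppid (the 'local database')."""
    by_pid = {rec["pid"]: rec for rec in log}
    children = defaultdict(list)
    for rec in log:
        children[rec["ppid"]].append(rec["pid"])
    return by_pid, children


def collide(log, by_pid, rules):
    """Match every log record against every rule; each hit is an alarm point."""
    return [{"rule": name, "pid": rec["pid"]}
            for rec in log for name, pred in rules.items() if pred(rec, by_pid)]


def trace_up(pid, by_pid):
    """Follow parent process IDs until the parent has no record (claim 4)."""
    chain, rec = [], by_pid.get(pid)
    while rec is not None:
        chain.append(rec["pid"])
        rec = by_pid.get(rec["ppid"])
    return chain          # alarm node first, root of the process tree last


def subtree(pid, by_pid, children):
    """Follow child process IDs downward, splicing node objects into a tree."""
    rec = by_pid[pid]
    return {"pid": pid, "image": rec["image"], "objects": rec["objects"],
            "children": [subtree(c, by_pid, children) for c in children.get(pid, [])]}


def score(node, hits):
    """Risk weight of a node plus its descendants: known-list weight + rule hits."""
    own = KNOWN_ALARM_WEIGHTS.get(node["image"], 0) + RULE_HIT_WEIGHT * hits.get(node["pid"], 0)
    return own + sum(score(child, hits) for child in node["children"])


def risk_level(total):
    """Map a summed risk weight onto the (assumed) risk grades."""
    return next(level for threshold, level in RISK_THRESHOLDS if total >= threshold)


def analyze(log, rules):
    """Run the full pipeline and merge alarm points sharing one root into one event."""
    by_pid, children = build_local_db(log)
    hits = defaultdict(int)
    events = {}
    for point in collide(log, by_pid, rules):
        hits[point["pid"]] += 1
        root = trace_up(point["pid"], by_pid)[-1]
        events.setdefault(root, {"root": root, "alarm_points": []})["alarm_points"].append(point)
    for root, event in events.items():
        event["chain"] = subtree(root, by_pid, children)
        event["risk_score"] = score(event["chain"], hits)
        event["risk_level"] = risk_level(event["risk_score"])
    return list(events.values())


def render(node, depth=0):
    """Text form of the tracing chain for display as one complete event."""
    line = "  " * depth + f"{node['image']} (pid {node['pid']}) {node['objects']}"
    return "\n".join([line] + [render(c, depth + 1) for c in node["children"]])


if __name__ == "__main__":
    for event in analyze(BEHAVIOR_LOG, ALARM_RULES):
        print(f"event root pid {event['root']}: {len(event['alarm_points'])} alarm points, "
              f"risk {event['risk_level']} ({event['risk_score']})")
        print(render(event["chain"]))
```

On the constructed log the two alarm points (the Office-spawned cmd.exe and the encoded PowerShell) trace up to the same explorer.exe root, so they are merged into a single event whose tree carries the dropped file and the outbound connection as node objects. One design point the toy glosses over: operating systems reuse process IDs, so a real local database has to key the parent/child walk on a unique process identifier (for example PID plus creation time) rather than the bare PID, or the trace can splice an unrelated process into the chain.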
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110966818.9A CN113672939A (en) | 2021-08-23 | 2021-08-23 | Method, device, equipment and medium for analyzing terminal behavior alarm traceability |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110966818.9A CN113672939A (en) | 2021-08-23 | 2021-08-23 | Method, device, equipment and medium for analyzing terminal behavior alarm traceability |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113672939A true CN113672939A (en) | 2021-11-19 |
Family
ID=78544940
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110966818.9A Pending CN113672939A (en) | 2021-08-23 | 2021-08-23 | Method, device, equipment and medium for analyzing terminal behavior alarm traceability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113672939A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106027529A (en) * | 2016-05-25 | 2016-10-12 | 华中科技大学 | Intrusion detection system and method based on traceability information |
US20170220664A1 (en) * | 2016-02-01 | 2017-08-03 | Dell Software Inc. | Systems and methods for logging and categorizing performance events |
CN107769958A (en) * | 2017-09-01 | 2018-03-06 | 杭州安恒信息技术有限公司 | Server network security event automated analysis method and system based on daily record |
CN110266670A (en) * | 2019-06-06 | 2019-09-20 | 深圳前海微众银行股份有限公司 | A kind of processing method and processing device of terminal network external connection behavior |
CN111555902A (en) * | 2020-03-25 | 2020-08-18 | 国网思极网安科技(北京)有限公司 | Positioning system and method for network transmission abnormity |
CN111800395A (en) * | 2020-06-18 | 2020-10-20 | 云南电网有限责任公司信息中心 | Threat information defense method and system |
Events
- 2021-08-23: application CN202110966818.9A filed in CN (published as CN113672939A); status Pending
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114168966A (en) * | 2021-12-07 | 2022-03-11 | 哈尔滨利云科技有限公司 | Big data analysis-based security protection upgrade mining method and information security system |
CN114168966B (en) * | 2021-12-07 | 2022-07-19 | 深圳市晖拓信息科技有限公司 | Big data analysis-based security protection upgrade mining method and information security system |
CN114598506A (en) * | 2022-02-22 | 2022-06-07 | 烽台科技(北京)有限公司 | Industrial control network security risk tracing method and device, electronic equipment and storage medium |
CN115061841A (en) * | 2022-05-19 | 2022-09-16 | 深信服科技股份有限公司 | Alarm merging method and device, electronic equipment and storage medium |
CN115442279A (en) * | 2022-09-02 | 2022-12-06 | 杭州安恒信息技术股份有限公司 | Method, device and equipment for positioning warning source and storage medium |
CN115442279B (en) * | 2022-09-02 | 2024-04-26 | 杭州安恒信息技术股份有限公司 | Alarm source positioning method, device, equipment and storage medium |
Similar Documents
Publication | Title
---|---
CN113672939A (en) | Method, device, equipment and medium for analyzing terminal behavior alarm traceability
CN112787992B (en) | Method, device, equipment and medium for detecting and protecting sensitive data
CN112651006A (en) | Power grid security situation perception platform framework
CN111866016A (en) | Log analysis method and system
CN106534146A (en) | Safety monitoring system and method
CN112511561A (en) | Network attack path determination method, equipment, storage medium and device
CN117834308B (en) | Network security situation awareness method, system and medium
CN111126729A (en) | Intelligent safety event closed-loop disposal system and method thereof
CN111786974A (en) | Network security assessment method and device, computer equipment and storage medium
CN113381980A (en) | Information security defense method and system, electronic device and storage medium
CN109684863B (en) | Data leakage prevention method, device, equipment and storage medium
CN117375985A (en) | Method and device for determining security risk index, storage medium and electronic device
CN112749097B (en) | Performance evaluation method and device for fuzzy test tool
CN113055362B (en) | Method, device, equipment and storage medium for preventing abnormal behaviors
CN113032774B (en) | Training method, device and equipment of anomaly detection model and computer storage medium
CN113778806A (en) | Method, device, equipment and storage medium for processing safety alarm event
CN118157961A (en) | Active simulation intrusion evaluation and full-link visual protection system, method and equipment
CN112073396A (en) | Method and device for detecting transverse movement attack behavior of intranet
CN115514582B (en) | Industrial Internet attack chain correlation method and system based on ATT & CK
CN113067835B (en) | Integrated self-adaptive collapse index processing system
CN116861422A (en) | API interface detection and protection method, device, equipment and storage medium
CN114490261A (en) | Terminal security event linkage processing method, device and equipment
CN115277472A (en) | Network security risk early warning system and method for multidimensional industrial control system
CN114584391A (en) | Method, device, equipment and storage medium for generating abnormal flow processing strategy
CN112989403A (en) | Method, device and equipment for detecting database destruction and storage medium
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination