[go: up one dir, main page]

CN115459988A - Security defense method and device based on ATT & CK model, electronic equipment and storage medium - Google Patents

Security defense method and device based on ATT & CK model, electronic equipment and storage medium Download PDF

Info

Publication number
CN115459988A
CN115459988A CN202211072451.7A CN202211072451A CN115459988A CN 115459988 A CN115459988 A CN 115459988A CN 202211072451 A CN202211072451 A CN 202211072451A CN 115459988 A CN115459988 A CN 115459988A
Authority
CN
China
Prior art keywords
rule base
terminal device
matching
rules
preset threshold
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211072451.7A
Other languages
Chinese (zh)
Other versions
CN115459988B (en
Inventor
潘东东
孙洪伟
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Antiy Network Technology Co Ltd filed Critical Beijing Antiy Network Technology Co Ltd
Priority to CN202211072451.7A priority Critical patent/CN115459988B/en
Publication of CN115459988A publication Critical patent/CN115459988A/en
Application granted granted Critical
Publication of CN115459988B publication Critical patent/CN115459988B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

本说明书实施例涉及网络安全技术领域,特别涉及一种基于ATT&CK模型的安全防御方法、装置、电子设备及存储介质。其中,基于ATT&CK模型的安全防御方法包括:对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。本说明书提供的技术方案解决ATT&CK模型不能够适配不同终端设备的问题。

Figure 202211072451

The embodiments of this specification relate to the technical field of network security, and in particular to a security defense method, device, electronic device, and storage medium based on the ATT&CK model. Wherein, the security defense method based on the ATT&CK model includes: monitoring the process startup on the terminal device, determining the rule base currently used by the terminal device for security defense; responding to monitoring the process startup on the terminal device , determining the hardware resource consumption on the terminal device after the process is started, and the matching between the process and the rules in the rule base; based on the hardware resource consumption and the matching, the rule base Perform an update so that the terminal device uses the updated target rule base for security defense, and return to the step of determining the rule base currently used by the terminal device for security defense. The technical solution provided in this manual solves the problem that the ATT&CK model cannot be adapted to different terminal devices.

Figure 202211072451

Description

基于ATT&CK模型的安全防御方法、装置、电子设备及存储 介质Security defense method, device, electronic equipment and storage based on ATT&CK model medium

技术领域technical field

本说明书实施例涉及网络安全技术领域,特别涉及一种基于ATT&CK模型的安全防御方法、装置、电子设备及存储介质。The embodiments of this specification relate to the technical field of network security, and in particular to a security defense method, device, electronic device and storage medium based on the ATT&CK model.

背景技术Background technique

ATT&CK模型作为一种细颗粒度的攻防框架,提供了可被非法利用的进程及其对应的启动参数的防御规则信息。As a fine-grained attack-defense framework, the ATT&CK model provides defense rule information of processes that can be illegally exploited and their corresponding startup parameters.

虽然ATT&CK模型的规则覆盖较广,但由于不同终端设备具有各自的使用场景,因此ATT&CK模型的规则并不能适配不同终端设备(例如并非所有的疑似攻击行为都是非法并需要拦截的)。Although the rules of the ATT&CK model cover a wide range, because different terminal devices have their own usage scenarios, the rules of the ATT&CK model cannot be adapted to different terminal devices (for example, not all suspected attacks are illegal and need to be intercepted).

发明内容Contents of the invention

为了解决ATT&CK模型不能够适配不同终端设备的问题,本说明书实施例提供了一种基于ATT&CK模型的安全防御方法、装置、电子设备及存储介质。In order to solve the problem that the ATT&CK model cannot be adapted to different terminal devices, the embodiments of this specification provide a security defense method, device, electronic device, and storage medium based on the ATT&CK model.

第一方面,本说明书实施例提供了一种基于ATT&CK模型的安全防御方法,应用于终端设备,所述终端设备上预先安装有初始的规则库,所述规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的,该方法包括:In the first aspect, the embodiment of this specification provides a security defense method based on the ATT&CK model, which is applied to the terminal device, and the initial rule base is pre-installed on the terminal device, and the rule base is based on the existing ATT&CK model. The rules are extracted according to the preset method, and the method includes:

对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;Monitoring the process startup status on the terminal device, and determining the rule base currently used by the terminal device for security defense;

响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;In response to monitoring the start of a process on the terminal device, determining the hardware resource consumption on the terminal device after the start of the process and the matching between the process and the rules in the rule base;

基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。Based on the hardware resource consumption and the matching situation, update the rule base, so that the terminal device uses the updated target rule base for security defense, and return the information that determines that the terminal device is currently performing security defense. Steps for the rule base.

在一种可能的设计中,所述规则库中的规则存储在按照指定算法加密的XML文件中;In a possible design, the rules in the rule base are stored in an XML file encrypted according to a specified algorithm;

所述规则至少包括:进程名、启动参数和当前规则的默认操作,所述默认操作包括拦截和放行。The rule at least includes: a process name, a startup parameter, and a default operation of the current rule, and the default operation includes interception and release.

在一种可能的设计中,所述规则还包括父进程和自定义参数,所述自定义参数包括数字签名的验证结果,和/或微软CAT签名的验证结果,和/或厂商信息。In a possible design, the rule further includes a parent process and custom parameters, where the custom parameters include a verification result of a digital signature, and/or a verification result of a Microsoft CAT signature, and/or manufacturer information.

在一种可能的设计中,所述响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况,包括:In a possible design, in response to monitoring the start of a process on the terminal device, determine the hardware resource consumption on the terminal device after the process starts to start, and the relationship between the process and the rules in the rule base matches, including:

响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述终端设备上的总CPU占用率和总内存占用率,将所述总CPU占用率和所述总内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of the process on the terminal device, monitor the total CPU usage and the total memory usage on the terminal device after the process starts to start, and calculate the total CPU usage and the total memory usage As the hardware resource consumption on the terminal device;

和/或,and / or,

响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述进程对应的CPU占用率和内存占用率,将所述进程对应的CPU占用率和内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of a process on the terminal device, monitor the CPU usage rate and memory usage rate corresponding to the process after the process starts to start, and use the CPU usage rate and memory usage rate corresponding to the process as the terminal hardware resource consumption on the device;

将所述进程的进程名和启动参数与所述规则库中的规则进行匹配,得到所述进程与所述规则库中规则的匹配情况。Matching the process name and startup parameters of the process with the rules in the rule base to obtain the matching situation between the process and the rules in the rule base.

在一种可能的设计中,所述基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,包括:In a possible design, updating the rule base based on the hardware resource consumption situation and the matching situation includes:

在第一指定时间内所述总CPU占用率高于第一预设阈值和/或所述总内存占用率高于第二预设阈值的情况下;In a case where the total CPU usage is higher than a first preset threshold and/or the total memory usage is higher than a second preset threshold within a first specified time;

或者,在第一指定时间内所述总CPU占用率不高于第一预设阈值且所述总内存占用率不高于第二预设阈值,但是在所述进程完全启动之后的第二指定时间内,所述进程对应的CPU占用率高于第三预设阈值和/或所述进程对应的内存占用率高于第四预设阈值的情况下;Or, the total CPU usage is not higher than the first preset threshold and the total memory usage is not higher than the second preset threshold within the first specified time, but the second specified time after the process is fully started Within a certain period of time, when the CPU usage rate corresponding to the process is higher than the third preset threshold and/or the memory usage rate corresponding to the process is higher than the fourth preset threshold;

若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept;

若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept.

在一种可能的设计中,所述基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,包括:In a possible design, updating the rule base based on the hardware resource consumption situation and the matching situation includes:

在所述进程未完全启动时,所述进程对应的CPU占用率高于第五预设阈值和/或所述进程对应的内存占用率高于第六预设阈值的情况下;When the process is not fully started, the CPU usage rate corresponding to the process is higher than the fifth preset threshold and/or the memory usage rate corresponding to the process is higher than the sixth preset threshold;

和/或,在所述进程未完全启动时,所述进程对应的CPU占用率升高的速率高于第七预设阈值和/或所述进程对应的内存占用率升高的速率高于第八预设阈值的情况下;And/or, when the process is not fully started, the rate of increase of the CPU usage rate corresponding to the process is higher than the seventh preset threshold and/or the rate of increase of the memory usage rate corresponding to the process is higher than the seventh preset threshold. Eight preset threshold cases;

若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept;

若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept.

在一种可能的设计中,所述规则库具有对外调用接口,所述对外调用接口用于对规则进行添加、删除和/或修改;In a possible design, the rule base has an external call interface, and the external call interface is used to add, delete and/or modify rules;

所述方法还包括:The method also includes:

响应于检测到所述规则库的对外调用接口被调用,将所述对外调用接口针对的进程与所述规则库中的规则进行匹配;In response to detecting that the external call interface of the rule base is called, matching the process targeted by the external call interface with the rules in the rule base;

获取所述对外调用接口返回的进程的匹配结果,响应于接收到的用户基于所述匹配结果发送的修改指令,依据所述修改指令对所述规则库进行更新。Acquire the matching result of the process returned by the external call interface, and update the rule base according to the modification instruction in response to the received modification instruction sent by the user based on the matching result.

第二方面,本说明书实施例还提供了一种基于ATT&CK模型的安全防御装置,应用于终端设备,所述终端设备上预先安装有初始的规则库,所述规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的,该装置包括:In the second aspect, the embodiment of this specification also provides a security defense device based on the ATT&CK model, which is applied to terminal equipment, and the initial rule base is pre-installed on the terminal equipment, and the rule base is based on the existing ATT&CK model. The rules are extracted according to the preset method, and the device includes:

第一确定模块,用于对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;The first determination module is configured to monitor the process startup status on the terminal device, and determine the rule base currently used by the terminal device for security defense;

第二确定模块,用于响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;The second determining module is configured to, in response to monitoring the startup of the process on the terminal device, determine the consumption of hardware resources on the terminal device after the startup of the process, and the matching situation between the process and the rules in the rule base ;

更新模块,用于基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。An update module, configured to update the rule base based on the hardware resource consumption and the matching situation, so that the terminal device uses the updated target rule base for security defense, and returns to determine the current status of the terminal device. The steps of the rule base used for security defense.

第三方面,本说明书实施例还提供了一种电子设备,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器执行所述计算机程序时,实现本说明书任一实施例所述的方法。In the third aspect, the embodiment of this specification also provides an electronic device, including a memory and a processor, the computer program is stored in the memory, and when the processor executes the computer program, the computer program described in any embodiment of this specification is realized. described method.

第四方面,本说明书实施例还提供了一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行本说明书任一实施例所述的方法。In the fourth aspect, the embodiment of this specification also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer is instructed to execute the method described in any embodiment of this specification .

本说明书实施例提供了一种基于ATT&CK模型的安全防御方法、装置、电子设备及存储介质,首先对终端设备上的进程启动情况进行监控,确定终端设备当前进行安全防御使用的规则库;然后响应于监控到终端设备上进程的启动,确定进程开始启动后终端设备上的硬件资源消耗情况、以及进程与规则库中规则的匹配情况;最后基于硬件资源消耗情况和匹配情况,对规则库进行更新,以使终端设备使用更新后的目标规则库进行安全防御,返回确定终端设备当前进行安全防御使用的规则库的步骤。因此,上述技术方案可以解决不同使用场景下的ATT&CK模型本地化问题,即能够使得ATT&CK模型适配不同终端设备的使用需求,从而可以防止ATT&CK模型的规则误报;而且考虑到硬件资源消耗情况,可以防止终端设备的系统性能降低。The embodiment of this specification provides a security defense method, device, electronic equipment, and storage medium based on the ATT&CK model. First, the process startup status on the terminal equipment is monitored, and the rule base currently used by the terminal equipment for security defense is determined; then respond Based on monitoring the start of the process on the terminal device, determine the hardware resource consumption on the terminal device after the process starts, and the matching between the process and the rules in the rule base; finally, update the rule base based on the hardware resource consumption and matching , so that the terminal device uses the updated target rule base for security defense, and returns to the step of determining the rule base currently used by the terminal device for security defense. Therefore, the above technical solution can solve the localization problem of the ATT&CK model in different usage scenarios, that is, it can make the ATT&CK model adapt to the usage requirements of different terminal devices, thereby preventing false positives of the rules of the ATT&CK model; and considering the consumption of hardware resources, System performance degradation of the terminal device can be prevented.

附图说明Description of drawings

为了更清楚地说明本说明书实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本说明书的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of this specification or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are For some embodiments of this specification, those skilled in the art can also obtain other drawings based on these drawings without creative work.

图1是本说明书一实施例提供的一种基于ATT&CK模型的安全防御方法流程图;Fig. 1 is a flow chart of a security defense method based on the ATT&CK model provided by an embodiment of this specification;

图2是本说明书一实施例提供的一种电子设备的硬件架构图;FIG. 2 is a hardware architecture diagram of an electronic device provided by an embodiment of this specification;

图3是本说明书一实施例提供的一种基于ATT&CK模型的安全防御装置结构图。Fig. 3 is a structural diagram of a security defense device based on the ATT&CK model provided by an embodiment of this specification.

具体实施方式detailed description

为使本说明书实施例的目的、技术方案和优点更加清楚,下面将结合本说明书实施例中的附图,对本说明书实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本说明书一部分实施例,而不是全部的实施例,基于本说明书中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都属于本说明书保护的范围。In order to make the purpose, technical solutions and advantages of the embodiments of this specification more clear, the technical solutions in the embodiments of this specification will be clearly and completely described below in conjunction with the drawings in the embodiments of this specification. Obviously, the described embodiments It is a part of the embodiments of this specification, not all of them. Based on the embodiments in this specification, all other embodiments obtained by those of ordinary skill in the art without making creative efforts belong to the protection of this specification. scope.

如前所述,虽然ATT&CK模型的规则覆盖较广,但由于不同终端设备具有各自的使用场景,因此ATT&CK模型的规则并不能适配不同终端设备(例如并非所有的疑似攻击行为都是非法并需要拦截的)。As mentioned above, although the rules of the ATT&CK model cover a wide range, because different terminal devices have their own usage scenarios, the rules of the ATT&CK model cannot be adapted to different terminal devices (for example, not all suspected attacks are illegal and require intercepted).

因此,针对不同的用户需求与ATT&CK模型的使用场景,不能完全一刀切,要做到ATT&CK模型的自适应及本地化。Therefore, according to different user needs and usage scenarios of the ATT&CK model, it cannot be completely one-size-fits-all, and the ATT&CK model must be adaptive and localized.

发明人在研发过程中发现:可以将ATT&CK模型的规则进行归纳总结来形成初始的规则库,然后在待防御的终端设备的进程启动后,可以监控终端设备当前的硬件资源消耗情况以及进程与规则库的匹配情况,最后可以基于硬件资源消耗情况和匹配情况,对规则库进行更新,以利用更新后得到的目标规则库对终端设备进行安全防御,如此既能够防止ATT&CK模型的规则误报,又能够防止终端设备的系统性能降低。The inventor discovered during the research and development process that the rules of the ATT&CK model can be summarized to form an initial rule base, and then after the process of the terminal device to be defended is started, the current hardware resource consumption of the terminal device and the process and rules can be monitored Finally, based on the hardware resource consumption and matching situation, the rule base can be updated to use the updated target rule base to protect the terminal device. This can prevent false positives of the rules of the ATT&CK model, and It is possible to prevent the degradation of the system performance of the terminal device.

下面介绍本说明实施例的发明构思。The following introduces the inventive concept of the illustrated embodiment.

请参考图1,本说明书实施例提供了一种基于ATT&CK模型的安全防御方法,该方法包括:Please refer to Figure 1, the embodiment of this specification provides a security defense method based on the ATT&CK model, the method includes:

步骤100:对终端设备上的进程启动情况进行监控,确定终端设备当前进行安全防御使用的规则库;Step 100: Monitor the process startup status on the terminal device, and determine the rule base currently used by the terminal device for security defense;

步骤102:响应于监控到终端设备上进程的启动,确定进程开始启动后终端设备上的硬件资源消耗情况、以及进程与规则库中规则的匹配情况;Step 102: In response to monitoring the start of the process on the terminal device, determine the consumption of hardware resources on the terminal device after the start of the process, and the matching between the process and the rules in the rule base;

步骤104:基于硬件资源消耗情况和匹配情况,对规则库进行更新,以使终端设备使用更新后的目标规则库进行安全防御,返回确定终端设备当前进行安全防御使用的规则库的步骤。Step 104: Update the rule base based on hardware resource consumption and matching, so that the terminal device uses the updated target rule base for security defense, and return to the step of determining the rule base currently used by the terminal device for security defense.

本说明书实施例中,首先对终端设备上的进程启动情况进行监控,确定终端设备当前进行安全防御使用的规则库;然后响应于监控到终端设备上进程的启动,确定进程开始启动后终端设备上的硬件资源消耗情况、以及进程与规则库中规则的匹配情况;最后基于硬件资源消耗情况和匹配情况,对规则库进行更新,以使终端设备使用更新后的目标规则库进行安全防御,返回确定终端设备当前进行安全防御使用的规则库的步骤。因此,上述技术方案可以解决不同使用场景下的ATT&CK模型本地化问题,即能够使得ATT&CK模型适配不同终端设备的使用需求,从而可以防止ATT&CK模型的规则误报;而且考虑到硬件资源消耗情况,可以防止终端设备的系统性能降低。In the embodiment of this specification, firstly, monitor the start-up of the process on the terminal device, and determine the rule base currently used by the terminal device for security defense; hardware resource consumption, and the matching between the process and the rules in the rule base; finally, based on the hardware resource consumption and matching, the rule base is updated so that the terminal device uses the updated target rule base for security defense, and returns OK Steps of the rule base currently used by the terminal device for security defense. Therefore, the above technical solution can solve the localization problem of the ATT&CK model in different usage scenarios, that is, it can make the ATT&CK model adapt to the usage requirements of different terminal devices, thereby preventing false positives of the rules of the ATT&CK model; and considering the consumption of hardware resources, System performance degradation of the terminal device can be prevented.

下面描述图1所示的各个步骤的执行方式。The execution manner of each step shown in FIG. 1 is described below.

针对步骤100:For step 100:

可以知道的是,ATT&CK模型主要整合了历史的黑客组织和攻击事件,以攻击策略为线索将不同攻击策略所对应的攻击技术和软件相联系,其为信息安全从业者提供了一个可执行的中等抽象化的模型。It can be known that the ATT&CK model mainly integrates historical hacker organizations and attack events, and uses attack strategies as clues to connect attack technologies and software corresponding to different attack strategies, which provides information security practitioners with an executable medium Abstract model.

在本说明书一个实施例中,为了终端设备的安全,预先在终端设备上安装了初始的规则库,初始的规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的。基于在终端设备上安装了初始的规则库,本实施例中终端设备当前进行安全防御使用的规则库可以是初始的规则库,或者是更新后的规则库。In one embodiment of this specification, for the safety of the terminal device, an initial rule base is pre-installed on the terminal device, and the initial rule base is obtained by extracting the rules of the existing ATT&CK model in a preset manner. Based on the initial rule base installed on the terminal device, the rule base currently used by the terminal device for security defense in this embodiment may be the initial rule base or an updated rule base.

在本说明书一个实施例中,规则库中的规则存储在按照指定算法加密的XML文件中;In one embodiment of this specification, the rules in the rule base are stored in an XML file encrypted according to a specified algorithm;

规则至少包括:进程名、启动参数和当前规则的默认操作,默认操作包括拦截和放行。The rules at least include: process name, startup parameters, and default actions of the current rule, and the default actions include interception and release.

在本实施例中,通过对已有的ATT&CK模型的规则进行提取来形成初始规则库,从而有利于后续进程的匹配,进而有利于满足不同用户的使用场景需求。此外,通过将提取后的信息以加密的XML文件的方式落地,方便不被篡改和后续进程的匹配。其中,该加密方式可以是MD5或SHA等算法。In this embodiment, the initial rule base is formed by extracting the rules of the existing ATT&CK model, which facilitates the matching of subsequent processes, and further facilitates meeting the usage scenario requirements of different users. In addition, by landing the extracted information in the form of an encrypted XML file, it is convenient to prevent tampering and match with subsequent processes. Wherein, the encryption method may be an algorithm such as MD5 or SHA.

当然,还可以将提取后的信息以加密的数据库的方式落地,得到初始规则库。在此,不对提取后的信息的具体落地方式进行限定。Of course, the extracted information can also be implemented as an encrypted database to obtain the initial rule base. Here, the specific implementation manner of the extracted information is not limited.

通常而言,已有的ATT&CK模型的规则至少包括进程名、启动参数和当前规则对应的默认操作,不过也存在一些其它规则,例如父进程和自定义参数。Generally speaking, the rules of the existing ATT&CK model include at least the process name, startup parameters and default actions corresponding to the current rules, but there are also some other rules, such as parent process and custom parameters.

在本说明书一个实施例中,规则还包括父进程和自定义参数,自定义参数包括数字签名的验证结果,和/或微软CAT签名的验证结果,和/或厂商信息。In an embodiment of the present specification, the rule further includes a parent process and a custom parameter, and the custom parameter includes a verification result of a digital signature, and/or a verification result of a Microsoft CAT signature, and/or manufacturer information.

在本实施例中,通过配置还包括父进程和自定义参数的规则,可以将已有的ATT&CK模型的规则进行完整的归纳总结,从而有利于保证初始规则库的完整性和全面性。In this embodiment, the rules of the existing ATT&CK model can be completely summarized by configuring the rules that also include the parent process and user-defined parameters, thereby helping to ensure the integrity and comprehensiveness of the initial rule base.

针对步骤102:For step 102:

在本说明书一个实施例中,步骤102具体可以包括:In an embodiment of this specification, step 102 may specifically include:

响应于监控到终端设备上进程的启动,监控进程开始启动后终端设备上的总CPU占用率和总内存占用率,将总CPU占用率和总内存占用率作为终端设备上的硬件资源消耗情况;In response to monitoring the start of the process on the terminal device, monitor the total CPU usage rate and the total memory usage rate on the terminal device after the monitoring process starts, and use the total CPU usage rate and the total memory usage rate as the hardware resource consumption on the terminal device;

和/或,and / or,

响应于监控到终端设备上进程的启动,监控进程开始启动后进程对应的CPU占用率和内存占用率,将进程对应的CPU占用率和内存占用率作为终端设备上的硬件资源消耗情况;In response to monitoring the start of the process on the terminal device, monitor the CPU usage rate and memory usage rate corresponding to the process after the process starts, and use the CPU usage rate and memory usage rate corresponding to the process as the hardware resource consumption on the terminal device;

将进程的进程名和启动参数与规则库中的规则进行匹配,得到进程与规则库中规则的匹配情况。Match the process name and startup parameters of the process with the rules in the rule base to obtain the matching situation between the process and the rules in the rule base.

在本实施例中,通过考虑进程开始启动后终端设备上的总CPU占用率和总内存占用率以及进程与初始规则库的匹配情况,和/或,进程开始启动后进程对应的CPU占用率和内存占用率以及进程与初始规则库的匹配情况,可以实现既能够防止ATT&CK模型的规则误报,又能够防止终端设备的系统性能降低的效果。In this embodiment, by considering the total CPU occupancy rate and total memory occupancy rate on the terminal device after the process is started, and the matching situation between the process and the initial rule base, and/or, the CPU occupancy rate and the corresponding CPU occupancy rate of the process after the process is started. The memory occupancy rate and the matching between the process and the initial rule base can not only prevent false positives of the rules of the ATT&CK model, but also prevent the system performance of the terminal device from degrading.

需要说明的是,硬件资源消耗情况除了包括CPU占用率和内存占用率,还可以包括DMA终端设备和硬盘等外部设备的消耗情况,在此对硬件资源消耗情况不进行限定。It should be noted that, in addition to the CPU occupancy rate and the memory occupancy rate, the hardware resource consumption may also include the consumption of external devices such as DMA terminal devices and hard disks, and the hardware resource consumption is not limited here.

针对步骤104:For step 104:

在本说明书一个实施例中,步骤104具体可以包括:In an embodiment of this specification, step 104 may specifically include:

在第一指定时间内总CPU占用率高于第一预设阈值和/或总内存占用率高于第二预设阈值的情况下;When the total CPU usage is higher than a first preset threshold and/or the total memory usage is higher than a second preset threshold within the first specified time;

或者,在第一指定时间内总CPU占用率不高于第一预设阈值且总内存占用率不高于第二预设阈值,但是在进程完全启动之后的第二指定时间内,进程对应的CPU占用率高于第三预设阈值和/或进程对应的内存占用率高于第四预设阈值的情况下;Or, the total CPU usage is not higher than the first preset threshold and the total memory usage is not higher than the second preset threshold within the first specified time, but within the second specified time after the process is fully started, the corresponding When the CPU usage is higher than the third preset threshold and/or the memory usage corresponding to the process is higher than the fourth preset threshold;

若未在规则库匹配到与进程相对应的进程名和启动参数,则将与进程相对应的进程名和启动参数存储到XML文件中;其中,进程的默认操作设定为拦截;If the process name and the startup parameter corresponding to the process are not matched in the rule base, the process name and the startup parameter corresponding to the process are stored in the XML file; wherein, the default operation of the process is set to intercept;

若在规则库匹配到与进程相对应的进程名和启动参数,则将XML文件中与进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is modified to intercept.

在本实施例中,在第一指定时间内总CPU占用率高于第一预设阈值和/或总内存占用率高于第二预设阈值的情况下;或者,在第一指定时间内总CPU占用率不高于第一预设阈值且总内存占用率不高于第二预设阈值,但是在进程完全启动之后的第二指定时间内,进程对应的CPU占用率高于第三预设阈值和/或进程对应的内存占用率高于第四预设阈值的情况下,因此可以认为该进程当前的启动方式对终端设备“不友好”,这样在未在初始规则库匹配到与进程相对应的进程名和启动参数时,就可以将与进程相对应的进程名和启动参数存储到XML文件中,以得到与终端设备相对应的目标规则库,并将进程的默认操作设定为拦截。In this embodiment, when the total CPU usage is higher than the first preset threshold and/or the total memory usage is higher than the second preset threshold within the first specified time; or, the total CPU usage is higher than the second preset threshold within the first specified time The CPU usage rate is not higher than the first preset threshold and the total memory usage rate is not higher than the second preset threshold, but within the second specified time after the process is fully started, the corresponding CPU usage rate of the process is higher than the third preset threshold and/or the memory occupancy rate corresponding to the process is higher than the fourth preset threshold, so it can be considered that the current startup method of the process is "unfriendly" to the terminal device, so if the initial rule base does not match the process corresponding When the corresponding process name and start parameters are found, the process name and start parameters corresponding to the process can be stored in the XML file to obtain the target rule library corresponding to the terminal device, and the default operation of the process is set to intercept.

可以知道的是,本实施例除了监控系统的总CPU之外,还监控每个进程启动一段时间之后的CPU占用率,以减少通过监控总CPU占用率确定规则是否友好时,一个进程A启动过程中,另一个进程B启动所带来CPU占用,使得总CPU飙升的情况对判断规则是否友好的影响,进一步提高判断进程是否友好的准确性。It can be known that, in addition to monitoring the total CPU of the system, this embodiment also monitors the CPU occupancy rate of each process after starting for a period of time, so as to reduce the problem that a process A starts the process when determining whether the rule is friendly by monitoring the total CPU occupancy rate. Among them, the CPU occupation caused by the start of another process B, which makes the total CPU soar, has an impact on judging whether the rule is friendly, and further improves the accuracy of judging whether the process is friendly.

需要说明的是,具体的拦截操作需要调用者通过驱动层或直接调用系统API来实现,在此对具体的拦截操作的实现方式不进行限定。此外,本说明书实施例对第一预设阈值、第二预设阈值、第三预设阈值和第四预设阈值的具体数值不进行限定。It should be noted that the specific interception operation needs to be implemented by the caller through the driver layer or by directly invoking the system API, and the specific implementation manner of the interception operation is not limited here. In addition, the embodiment of this specification does not limit the specific values of the first preset threshold, the second preset threshold, the third preset threshold, and the fourth preset threshold.

在本说明书一个实施例中,步骤104具体可以包括:In an embodiment of this specification, step 104 may specifically include:

在进程未完全启动时,进程对应的CPU占用率高于第五预设阈值和/或进程对应的内存占用率高于第六预设阈值的情况下;When the process is not fully started, the CPU usage rate corresponding to the process is higher than the fifth preset threshold and/or the memory usage rate corresponding to the process is higher than the sixth preset threshold;

和/或,在进程未完全启动时,进程对应的CPU占用率升高的速率高于第七预设阈值和/或进程对应的内存占用率升高的速率高于第八预设阈值的情况下;And/or, when the process is not fully started, the rate of increase of the CPU usage rate corresponding to the process is higher than the seventh preset threshold and/or the rate of increase of the memory usage rate corresponding to the process is higher than the eighth preset threshold Down;

若未在规则库匹配到与进程相对应的进程名和启动参数,则将与进程相对应的进程名和启动参数存储到XML文件中;其中,进程的默认操作设定为拦截;If the process name and the startup parameter corresponding to the process are not matched in the rule base, the process name and the startup parameter corresponding to the process are stored in the XML file; wherein, the default operation of the process is set to intercept;

若在规则库匹配到与进程相对应的进程名和启动参数,则将XML文件中与进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is modified to intercept.

在本实施例中,由上文分析可知,在进程未完全启动时,进程对应的CPU占用率高于第五预设阈值和/或进程对应的内存占用率高于第六预设阈值的情况下;和/或,在进程未完全启动时,进程对应的CPU占用率升高的速率高于第七预设阈值和/或进程对应的内存占用率升高的速率高于第八预设阈值的情况下,可以认为该进程当前的启动方式对终端设备“不友好”,这样如果XML文件中与进程相对应的默认操作为放行,会直接对终端设备的其它进程不利,因此需要将XML文件中与进程相对应的默认操作修改为拦截。In this embodiment, it can be known from the above analysis that when the process is not fully started, the CPU usage rate corresponding to the process is higher than the fifth preset threshold and/or the memory usage rate corresponding to the process is higher than the sixth preset threshold and/or, when the process is not fully started, the rate of increase of the CPU usage rate corresponding to the process is higher than the seventh preset threshold and/or the rate of increase of the memory usage rate corresponding to the process is higher than the eighth preset threshold In the case of , it can be considered that the current startup method of the process is "unfriendly" to the terminal device, so if the default operation corresponding to the process in the XML file is release, it will directly be detrimental to other processes of the terminal device, so the XML file needs to be The default action corresponding to the process in is changed to intercept.

可以知道的是,本实施例除了监控系统的总CPU之外,还监控每个进程启动一段时间之后的CPU占用率,以减少通过监控总CPU占用率确定规则是否友好时,一个进程A启动过程中,另一个进程B启动所带来CPU占用,使得总CPU飙升的情况对判断规则是否友好的影响,进一步提高判断进程是否友好的准确性。It can be known that, in addition to monitoring the total CPU of the system, this embodiment also monitors the CPU occupancy rate of each process after starting for a period of time, so as to reduce the problem that a process A starts the process when determining whether the rule is friendly by monitoring the total CPU occupancy rate. Among them, the CPU occupation caused by the start of another process B, which makes the total CPU soar, has an impact on judging whether the rule is friendly, and further improves the accuracy of judging whether the process is friendly.

可以理解的是,上述方案对初始规则库的自动更新,下面介绍对初始规则库的手动更新的方案。It can be understood that, the above solution automatically updates the initial rule base, and the following describes a manual update solution for the initial rule base.

在本说明书一个实施例中,规则库具有对外调用接口,对外调用接口用于对规则进行添加、删除和/或修改;In an embodiment of the present specification, the rule base has an external call interface, and the external call interface is used to add, delete and/or modify rules;

方法还包括:Methods also include:

响应于检测到规则库的对外调用接口被调用,将对外调用接口针对的进程与规则库中的规则进行匹配;In response to detecting that the external call interface of the rule base is called, matching the process targeted by the external call interface with the rules in the rule base;

获取对外调用接口返回的进程的匹配结果,响应于接收到的用户基于匹配结果发送的修改指令,依据修改指令对规则库进行更新。Obtain the matching result of the process returned by the external call interface, and update the rule base according to the modification instruction in response to the received modification instruction sent by the user based on the matching result.

在本实施例中,通过对初始规则库进行配置对外调用接口,使得初始规则库能够被调用者进行主动或自适应修改,从而进一步增加了规则库在终端设备上的自适应性。In this embodiment, by configuring an external call interface for the initial rule base, the initial rule base can be actively or adaptively modified by the caller, thereby further increasing the adaptability of the rule base on the terminal device.

具体而言,当某进程启动后,规则的调用方在调用了规则匹配接口后,接口会返回判断结果:此条规则是否存在以及允许进程启动还是阻止进程启动。Specifically, when a process is started, after the caller of the rule calls the rule matching interface, the interface will return the judgment result: whether the rule exists and whether the process is allowed to start or prevented from starting.

如果此条规则在初始规则库中不存在:If this rule does not exist in the original rulebase:

此时默认返回允许进程启动。但如果调用方想禁止此进程的启动,则调用阻止进程启动的接口,此种情况下默认会将对应的进程和启动参数保存到规则库中,且规则中的拦截或放行选项改为拦截;At this time, the default returns to allow the process to start. However, if the caller wants to prohibit the startup of this process, the interface that prevents the startup of the process will be called. In this case, the corresponding process and startup parameters will be saved in the rule base by default, and the interception or release option in the rule is changed to interception;

如果此条规则在规则库中存在:If this rule exists in the rule base:

1)如果接口返回允许进程启动,则此时不需要调用方进行任何操作。但如果调用方不想放行此进程的启动,则调用方再调用另外一个接口:阻止进程启动,此时会将对应的XML文件的规则修改为拦截,下次该进程带同样的参数启动时,直接会被拦截。1) If the interface returns to allow the process to start, the caller does not need to perform any operations at this time. However, if the caller does not want to release the start of the process, the caller will call another interface: prevent the start of the process. At this time, the rules of the corresponding XML file will be modified to intercept, and the next time the process starts with the same parameters, directly will be blocked.

2)如果接口返回阻止进程启动,在调用方默许的情况下,默认会将此进程杀死。但如果调用方想放行此进程的启动,则调用方再调用另外一个接口:允许进程启动,此时会将对应的XML文件的规则修改为放行,下次该进程带同样的参数启动时,直接会被放行。2) If the interface returns to prevent the process from starting, the process will be killed by default if the caller acquiesces. However, if the caller wants to allow the start of this process, the caller calls another interface: allow the process to start. At this time, the rules of the corresponding XML file will be modified to allow, and the next time the process is started with the same parameters, directly will be released.

根据以上策略流程,就完成了ATT&CK对不同终端的自适应机制:某个(或某些)进程带某个(或某些)参数时可以启动,带某个(或某些)参数时不允许启动。According to the above policy process, ATT&CK’s adaptive mechanism for different terminals is completed: a certain (or some) process can be started when it has a certain (or some) parameters, and it is not allowed when it has a certain (or some) parameters start up.

如图2、图3所示,本说明书实施例提供了一种基于ATT&CK模型的安全防御装置。装置实施例可以通过软件实现,也可以通过硬件或者软硬件结合的方式实现。从硬件层面而言,如图2所示,为本说明书实施例提供的一种基于ATT&CK模型的安全防御装置所在电子设备的一种硬件架构图,除了图2所示的处理器、内存、网络接口、以及非易失性存储器之外,实施例中装置所在的电子设备通常还可以包括其他硬件,如负责处理报文的转发芯片等等。以软件实现为例,如图3所示,作为一个逻辑意义上的装置,是通过其所在电子设备的CPU将非易失性存储器中对应的计算机程序读取到内存中运行形成的。As shown in FIG. 2 and FIG. 3 , the embodiment of this specification provides a security defense device based on the ATT&CK model. The device embodiments can be implemented by software, or by hardware or a combination of software and hardware. From the hardware level, as shown in Figure 2, it is a hardware architecture diagram of the electronic equipment where the security defense device based on the ATT&CK model is provided in the embodiment of this specification, except for the processor, memory, and network shown in Figure 2 In addition to the interface and the non-volatile memory, the electronic device where the device in the embodiment is located may generally include other hardware, such as a forwarding chip responsible for processing messages, and the like. Taking software implementation as an example, as shown in Figure 3, as a device in a logical sense, it is formed by reading the corresponding computer program in the non-volatile memory into the memory and running it through the CPU of the electronic device where it is located.

如图3所示,本实施例提供的一种基于ATT&CK模型的安全防御装置,应用于终端设备,所述终端设备上预先安装有初始的规则库,所述规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的,该装置包括:As shown in Figure 3, a security defense device based on the ATT&CK model provided by this embodiment is applied to a terminal device, and an initial rule base is pre-installed on the terminal device, and the rule base is based on the existing ATT&CK model The rules are extracted according to the preset method, and the device includes:

第一确定模块300,用于对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;The first determination module 300 is configured to monitor the process startup status on the terminal device, and determine the rule base currently used by the terminal device for security defense;

第二确定模块302,用于响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;The second determining module 302 is configured to, in response to monitoring the startup of the process on the terminal device, determine the consumption of hardware resources on the terminal device after the startup of the process, and the matching between the process and the rules in the rule base Condition;

更新模块304,用于基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。An update module 304, configured to update the rule base based on the hardware resource consumption and the matching status, so that the terminal device uses the updated target rule base for security defense, and return to determine the terminal device The steps of the rule base currently used for security defense.

在本说明书实施例中,第一确定模块300可用于执行上述方法实施例中的步骤100,第二确定模块302可用于执行上述方法实施例中的步骤102,更新模块304可用于执行上述方法实施例中的步骤104。In this embodiment of the specification, the first determination module 300 can be used to execute step 100 in the above method embodiment, the second determination module 302 can be used to execute step 102 in the above method embodiment, and the update module 304 can be used to execute the above method implementation Step 104 in the example.

在本说明书的一个实施例中,所述规则库中的规则存储在按照指定算法加密的XML文件中;In one embodiment of this specification, the rules in the rule base are stored in an XML file encrypted according to a specified algorithm;

所述规则至少包括:进程名、启动参数和当前规则的默认操作,所述默认操作包括拦截和放行。The rule at least includes: a process name, a startup parameter, and a default operation of the current rule, and the default operation includes interception and release.

在本说明书的一个实施例中,所述规则还包括父进程和自定义参数,所述自定义参数包括数字签名的验证结果,和/或微软CAT签名的验证结果,和/或厂商信息。In an embodiment of the specification, the rule further includes a parent process and custom parameters, and the custom parameters include digital signature verification results, and/or Microsoft CAT signature verification results, and/or vendor information.

在本说明书的一个实施例中,第二确定模块302,用于执行如下操作:In an embodiment of this specification, the second determination module 302 is configured to perform the following operations:

响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述终端设备上的总CPU占用率和总内存占用率,将所述总CPU占用率和所述总内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of the process on the terminal device, monitor the total CPU usage and the total memory usage on the terminal device after the process starts to start, and calculate the total CPU usage and the total memory usage As the hardware resource consumption on the terminal device;

和/或,and / or,

响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述进程对应的CPU占用率和内存占用率,将所述进程对应的CPU占用率和内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of a process on the terminal device, monitor the CPU usage rate and memory usage rate corresponding to the process after the process starts to start, and use the CPU usage rate and memory usage rate corresponding to the process as the terminal hardware resource consumption on the device;

将所述进程的进程名和启动参数与所述规则库中的规则进行匹配,得到所述进程与所述规则库中规则的匹配情况。Matching the process name and startup parameters of the process with the rules in the rule base to obtain the matching situation between the process and the rules in the rule base.

在本说明书的一个实施例中,更新模块304,用于执行如下操作:In an embodiment of this specification, the update module 304 is configured to perform the following operations:

在第一指定时间内所述总CPU占用率高于第一预设阈值和/或所述总内存占用率高于第二预设阈值的情况下;In a case where the total CPU usage is higher than a first preset threshold and/or the total memory usage is higher than a second preset threshold within a first specified time;

或者,在第一指定时间内所述总CPU占用率不高于第一预设阈值且所述总内存占用率不高于第二预设阈值,但是在所述进程完全启动之后的第二指定时间内,所述进程对应的CPU占用率高于第三预设阈值和/或所述进程对应的内存占用率高于第四预设阈值的情况下;Or, the total CPU usage is not higher than the first preset threshold and the total memory usage is not higher than the second preset threshold within the first specified time, but the second specified time after the process is fully started Within a certain period of time, when the CPU usage rate corresponding to the process is higher than the third preset threshold and/or the memory usage rate corresponding to the process is higher than the fourth preset threshold;

若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept;

若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept.

在本说明书的一个实施例中,更新模块304,用于执行如下操作:In an embodiment of this specification, the update module 304 is configured to perform the following operations:

在所述进程未完全启动时,所述进程对应的CPU占用率高于第五预设阈值和/或所述进程对应的内存占用率高于第六预设阈值的情况下;When the process is not fully started, the CPU usage rate corresponding to the process is higher than the fifth preset threshold and/or the memory usage rate corresponding to the process is higher than the sixth preset threshold;

和/或,在所述进程未完全启动时,所述进程对应的CPU占用率升高的速率高于第七预设阈值和/或所述进程对应的内存占用率升高的速率高于第八预设阈值的情况下;And/or, when the process is not fully started, the rate of increase of the CPU usage rate corresponding to the process is higher than the seventh preset threshold and/or the rate of increase of the memory usage rate corresponding to the process is higher than the seventh preset threshold. Eight preset threshold cases;

若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept;

若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept.

在本说明书的一个实施例中,所述规则库具有对外调用接口,所述对外调用接口用于对规则进行添加、删除和/或修改;In one embodiment of this specification, the rule base has an external call interface, and the external call interface is used to add, delete and/or modify rules;

所述装置还包括:The device also includes:

调用模块,用于响应于检测到所述规则库的对外调用接口被调用,将所述对外调用接口针对的进程与所述规则库中的规则进行匹配;A calling module, configured to match the process targeted by the external calling interface with the rules in the rule base in response to detecting that the external calling interface of the rule base is called;

获取模块,用于获取所述对外调用接口返回的进程的匹配结果,响应于接收到的用户基于所述匹配结果发送的修改指令,依据所述修改指令对所述规则库进行更新。The obtaining module is configured to obtain the matching result of the process returned by the external call interface, and update the rule base according to the modification instruction received in response to the modification instruction sent by the user based on the matching result.

可以理解的是,本说明书实施例示意的结构并不构成对一种基于ATT&CK模型的安全防御装置的具体限定。在本说明书的另一些实施例中,一种基于ATT&CK模型的安全防御装置可以包括比图示更多或者更少的部件,或者组合某些部件,或者拆分某些部件,或者不同的部件布置。图示的部件可以以硬件、软件或者软件和硬件的组合来实现。It can be understood that the structure shown in the embodiment of this specification does not constitute a specific limitation on a security defense device based on the ATT&CK model. In other embodiments of this specification, a security defense device based on the ATT&CK model may include more or fewer components than shown in the illustration, or combine some components, or split some components, or arrange different components . The illustrated components may be realized in hardware, software, or a combination of software and hardware.

上述装置内的各模块之间的信息交互、执行过程等内容,由于与本说明书方法实施例基于同一构思,具体内容可参见本说明书方法实施例中的叙述,此处不再赘述。The information interaction and execution process among the modules in the above-mentioned device are based on the same idea as the method embodiment of this specification, and the specific content can refer to the description in the method embodiment of this specification, and will not be repeated here.

本说明书实施例还提供了一种电子设备,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器执行所述计算机程序时,实现本说明书任一实施例中的一种基于ATT&CK模型的安全防御方法。The embodiment of this specification also provides an electronic device, including a memory and a processor, where a computer program is stored in the memory, and when the processor executes the computer program, a method based on any one of the embodiments of this specification is implemented. The security defense method of ATT&CK model.

本说明书实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序在被处理器执行时,使所述处理器执行本说明书任一实施例中的一种基于ATT&CK模型的安全防御方法。The embodiment of this specification also provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the processor executes any one of the implementations of this specification. A security defense method based on the ATT&CK model in the example.

具体地,可以提供配有存储介质的系统或者装置,在该存储介质上存储着实现上述实施例中任一实施例的功能的软件程序代码,且使该系统或者装置的计算机(或CPU或MPU)读出并执行存储在存储介质中的程序代码。Specifically, a system or device equipped with a storage medium may be provided, on which a software program code for realizing the functions of any of the above embodiments is stored, and the computer (or CPU or MPU of the system or device) ) to read and execute the program code stored in the storage medium.

在这种情况下,从存储介质读取的程序代码本身可实现上述实施例中任何一项实施例的功能,因此程序代码和存储程序代码的存储介质构成了本说明书的一部分。In this case, the program code itself read from the storage medium can realize the function of any one of the above-mentioned embodiments, so the program code and the storage medium storing the program code constitute a part of this specification.

用于提供程序代码的存储介质实施例包括软盘、硬盘、磁光盘、光盘(如CD-ROM、CD-R、CD-RW、DVD-ROM、DVD-RAM、DVD-RW、DVD+RW)、磁带、非易失性存储卡和ROM。可选择地,可以由通信网络从服务器计算机上下载程序代码。Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), Tape, non-volatile memory card, and ROM. Alternatively, the program code can be downloaded from a server computer via a communication network.

此外,应该清楚的是,不仅可以通过执行计算机所读出的程序代码,而且可以通过基于程序代码的指令使计算机上操作的操作系统等来完成部分或者全部的实际操作,从而实现上述实施例中任意一项实施例的功能。In addition, it should be clear that not only by executing the program code read by the computer, but also by making the operating system on the computer complete part or all of the actual operations through instructions based on the program code, so as to realize the function of any one of the embodiments.

此外,可以理解的是,将由存储介质读出的程序代码写到插入计算机内的扩展板中所设置的存储器中或者写到与计算机相连接的扩展模块中设置的存储器中,随后基于程序代码的指令使安装在扩展板或者扩展模块上的CPU等来执行部分和全部实际操作,从而实现上述实施例中任一实施例的功能。In addition, it can be understood that the program code read from the storage medium is written into the memory provided in the expansion board inserted into the computer or written into the memory provided in the expansion module connected to the computer, and then based on the program code The instruction causes the CPU installed on the expansion board or the expansion module to perform some or all of the actual operations, thereby realizing the functions of any one of the above-mentioned embodiments.

需要说明的是,在本文中,诸如第一和第二之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个…”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同因素。It should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that there is a relationship between these entities or operations. There is no such actual relationship or sequence. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or device. Without further limitations, an element defined by the phrase "comprising a" does not exclude the presence of additional same elements in the process, method, article or apparatus comprising said element.

本领域普通技术人员可以理解:实现上述方法实施例的全部或部分步骤可以通过程序指令相关的硬件来完成,前述的程序可以存储在计算机可读取的存储介质中,该程序在执行时,执行包括上述方法实施例的步骤;而前述的存储介质包括:ROM、RAM、磁碟或者光盘等各种可以存储程序代码的介质中。Those of ordinary skill in the art can understand that all or part of the steps to realize the above method embodiments can be completed by program instructions related hardware, and the aforementioned programs can be stored in a computer-readable storage medium. When the program is executed, the It includes the steps of the above method embodiments; and the aforementioned storage medium includes: ROM, RAM, magnetic disk or optical disk and other various media that can store program codes.

最后应说明的是:以上实施例仅用以说明本说明书的技术方案,而非对其限制;尽管参照前述实施例对本说明书进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本说明书各实施例技术方案的精神和范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of this specification, not to limit them; although this specification has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features; these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments in this specification.

Claims (10)

1.一种基于ATT&CK模型的安全防御方法,其特征在于,应用于终端设备,所述终端设备上预先安装有初始的规则库,所述规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的,该方法包括:1. A security defense method based on the ATT&CK model, characterized in that it is applied to a terminal device, the terminal device is pre-installed with an initial rule base, and the rule base is based on the preset rules of the existing ATT&CK model The method is obtained by extracting, and the method includes: 对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;Monitoring the process startup status on the terminal device, and determining the rule base currently used by the terminal device for security defense; 响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;In response to monitoring the start of a process on the terminal device, determining the hardware resource consumption on the terminal device after the start of the process and the matching between the process and the rules in the rule base; 基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。Based on the hardware resource consumption and the matching situation, update the rule base, so that the terminal device uses the updated target rule base for security defense, and return the information that determines that the terminal device is currently performing security defense. Steps for the rule base. 2.根据权利要求1所述的方法,其特征在于,所述规则库中的规则存储在按照指定算法加密的XML文件中;2. The method according to claim 1, wherein the rules in the rule base are stored in an XML file encrypted according to a specified algorithm; 所述规则至少包括:进程名、启动参数和当前规则的默认操作,所述默认操作包括拦截和放行。The rule at least includes: a process name, a startup parameter, and a default operation of the current rule, and the default operation includes interception and release. 3.根据权利要求2所述的方法,其特征在于,所述规则还包括父进程和自定义参数,所述自定义参数包括数字签名的验证结果,和/或微软CAT签名的验证结果,和/或厂商信息。3. The method according to claim 2, wherein the rule also includes a parent process and a custom parameter, and the custom parameter includes a verification result of a digital signature, and/or a verification result of a Microsoft CAT signature, and / or vendor information. 4.根据权利要求2所述的方法,其特征在于,所述响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况,包括:4. The method according to claim 2, characterized in that, in response to monitoring the start of the process on the terminal device, determining the hardware resource consumption on the terminal device after the start of the process and the process Matching with the rules in the rule base, including: 响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述终端设备上的总CPU占用率和总内存占用率,将所述总CPU占用率和所述总内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of the process on the terminal device, monitor the total CPU usage and the total memory usage on the terminal device after the process starts to start, and calculate the total CPU usage and the total memory usage As the hardware resource consumption on the terminal device; 和/或,and / or, 响应于监控到所述终端设备上进程的启动,监控所述进程开始启动后所述进程对应的CPU占用率和内存占用率,将所述进程对应的CPU占用率和内存占用率作为所述终端设备上的硬件资源消耗情况;In response to monitoring the start of a process on the terminal device, monitor the CPU usage rate and memory usage rate corresponding to the process after the process starts to start, and use the CPU usage rate and memory usage rate corresponding to the process as the terminal hardware resource consumption on the device; 将所述进程的进程名和启动参数与所述规则库中的规则进行匹配,得到所述进程与所述规则库中规则的匹配情况。Matching the process name and startup parameters of the process with the rules in the rule base to obtain the matching situation between the process and the rules in the rule base. 5.根据权利要求4所述的方法,其特征在于,所述基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,包括:5. The method according to claim 4, wherein said updating said rule base based on said hardware resource consumption and said matching situation comprises: 在第一指定时间内所述总CPU占用率高于第一预设阈值和/或所述总内存占用率高于第二预设阈值的情况下;In a case where the total CPU usage is higher than a first preset threshold and/or the total memory usage is higher than a second preset threshold within a first specified time; 或者,在第一指定时间内所述总CPU占用率不高于第一预设阈值且所述总内存占用率不高于第二预设阈值,但是在所述进程完全启动之后的第二指定时间内,所述进程对应的CPU占用率高于第三预设阈值和/或所述进程对应的内存占用率高于第四预设阈值的情况下;Or, the total CPU usage is not higher than the first preset threshold and the total memory usage is not higher than the second preset threshold within the first specified time, but the second specified time after the process is fully started Within a certain period of time, when the CPU usage rate corresponding to the process is higher than the third preset threshold and/or the memory usage rate corresponding to the process is higher than the fourth preset threshold; 若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept; 若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept. 6.根据权利要求4所述的方法,其特征在于,所述基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,包括:6. The method according to claim 4, wherein said updating said rule base based on said hardware resource consumption and said matching situation comprises: 在所述进程未完全启动时,所述进程对应的CPU占用率高于第五预设阈值和/或所述进程对应的内存占用率高于第六预设阈值的情况下;When the process is not fully started, the CPU usage rate corresponding to the process is higher than the fifth preset threshold and/or the memory usage rate corresponding to the process is higher than the sixth preset threshold; 和/或,在所述进程未完全启动时,所述进程对应的CPU占用率升高的速率高于第七预设阈值和/或所述进程对应的内存占用率升高的速率高于第八预设阈值的情况下;And/or, when the process is not fully started, the rate of increase of the CPU usage rate corresponding to the process is higher than the seventh preset threshold and/or the rate of increase of the memory usage rate corresponding to the process is higher than the seventh preset threshold. Eight preset threshold cases; 若未在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将与所述进程相对应的进程名和启动参数存储到所述XML文件中;其中,所述进程的默认操作设定为拦截;If the process name and startup parameters corresponding to the process are not matched in the rule base, the process name and startup parameters corresponding to the process are stored in the XML file; wherein, the default operation of the process set to intercept; 若在所述规则库匹配到与所述进程相对应的进程名和启动参数,则将所述XML文件中与所述进程相匹配的规则的默认操作修改为拦截。If the process name and startup parameters corresponding to the process are matched in the rule base, the default operation of the rule matching the process in the XML file is changed to intercept. 7.根据权利要求1-6中任一项所述的方法,其特征在于,所述规则库具有对外调用接口,所述对外调用接口用于对规则进行添加、删除和/或修改;7. The method according to any one of claims 1-6, wherein the rule base has an external calling interface, and the external calling interface is used to add, delete and/or modify rules; 所述方法还包括:The method also includes: 响应于检测到所述规则库的对外调用接口被调用,将所述对外调用接口针对的进程与所述规则库中的规则进行匹配;In response to detecting that the external call interface of the rule base is called, matching the process targeted by the external call interface with the rules in the rule base; 获取所述对外调用接口返回的进程的匹配结果,响应于接收到的用户基于所述匹配结果发送的修改指令,依据所述修改指令对所述规则库进行更新。Acquire the matching result of the process returned by the external call interface, and update the rule base according to the modification instruction in response to the received modification instruction sent by the user based on the matching result. 8.一种基于ATT&CK模型的安全防御装置,其特征在于,应用于终端设备,所述终端设备上预先安装有初始的规则库,所述规则库是对已有的ATT&CK模型的规则按照预设方式进行提取得到的,该装置包括:8. A security defense device based on the ATT&CK model, characterized in that it is applied to a terminal device, and the terminal device is pre-installed with an initial rule base, and the rule base is based on the rules of the existing ATT&CK model according to the preset Extracted by way of extraction, the device includes: 第一确定模块,用于对所述终端设备上的进程启动情况进行监控,确定所述终端设备当前进行安全防御使用的规则库;The first determination module is configured to monitor the process startup status on the terminal device, and determine the rule base currently used by the terminal device for security defense; 第二确定模块,用于响应于监控到所述终端设备上进程的启动,确定所述进程开始启动后终端设备上的硬件资源消耗情况、以及所述进程与所述规则库中规则的匹配情况;The second determining module is configured to, in response to monitoring the startup of the process on the terminal device, determine the consumption of hardware resources on the terminal device after the startup of the process, and the matching situation between the process and the rules in the rule base ; 更新模块,用于基于所述硬件资源消耗情况和所述匹配情况,对所述规则库进行更新,以使所述终端设备使用更新后的目标规则库进行安全防御,返回确定所述终端设备当前进行安全防御使用的规则库的步骤。An update module, configured to update the rule base based on the hardware resource consumption and the matching situation, so that the terminal device uses the updated target rule base for security defense, and returns to determine the current status of the terminal device. The steps of the rule base used for security defense. 9.一种电子设备,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器执行所述计算机程序时,实现如权利要求1-7中任一项所述的方法。9. An electronic device, comprising a memory and a processor, wherein a computer program is stored in the memory, and when the processor executes the computer program, the method according to any one of claims 1-7 is implemented. 10.一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行权利要求1-7中任一项所述的方法。10. A computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, it causes the computer to execute the method according to any one of claims 1-7.
CN202211072451.7A 2022-09-02 2022-09-02 Security defense method, device, electronic device and storage medium based on ATT&CK model Active CN115459988B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211072451.7A CN115459988B (en) 2022-09-02 2022-09-02 Security defense method, device, electronic device and storage medium based on ATT&CK model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211072451.7A CN115459988B (en) 2022-09-02 2022-09-02 Security defense method, device, electronic device and storage medium based on ATT&CK model

Publications (2)

Publication Number Publication Date
CN115459988A true CN115459988A (en) 2022-12-09
CN115459988B CN115459988B (en) 2025-01-28

Family

ID=84300314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211072451.7A Active CN115459988B (en) 2022-09-02 2022-09-02 Security defense method, device, electronic device and storage medium based on ATT&CK model

Country Status (1)

Country Link
CN (1) CN115459988B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7530106B1 (en) * 2008-07-02 2009-05-05 Kaspersky Lab, Zao System and method for security rating of computer processes
US8161552B1 (en) * 2009-09-23 2012-04-17 Trend Micro, Inc. White list creation in behavior monitoring system
CN105262739A (en) * 2015-09-25 2016-01-20 上海斐讯数据通信技术有限公司 Security defense method, terminal, server, and system
CN109347876A (en) * 2018-11-29 2019-02-15 深圳市网心科技有限公司 A security defense method and related device
CN111651322A (en) * 2020-05-29 2020-09-11 山东中创软件商用中间件股份有限公司 Process monitoring alarm method, system and device
CN112214768A (en) * 2020-10-16 2021-01-12 新华三信息安全技术有限公司 Malicious process detection method and device
CN112269991A (en) * 2020-10-29 2021-01-26 珠海市魅族科技有限公司 Malicious application detection method and device, electronic equipment and medium
CN114338118A (en) * 2021-12-22 2022-04-12 北京未来智安科技有限公司 Threat detection method and device based on ATT & CK
CN114969744A (en) * 2022-06-23 2022-08-30 北京天融信网络安全技术有限公司 Process interception method and system, electronic device, and storage medium

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7530106B1 (en) * 2008-07-02 2009-05-05 Kaspersky Lab, Zao System and method for security rating of computer processes
US8161552B1 (en) * 2009-09-23 2012-04-17 Trend Micro, Inc. White list creation in behavior monitoring system
CN105262739A (en) * 2015-09-25 2016-01-20 上海斐讯数据通信技术有限公司 Security defense method, terminal, server, and system
CN109347876A (en) * 2018-11-29 2019-02-15 深圳市网心科技有限公司 A security defense method and related device
CN111651322A (en) * 2020-05-29 2020-09-11 山东中创软件商用中间件股份有限公司 Process monitoring alarm method, system and device
CN112214768A (en) * 2020-10-16 2021-01-12 新华三信息安全技术有限公司 Malicious process detection method and device
CN112269991A (en) * 2020-10-29 2021-01-26 珠海市魅族科技有限公司 Malicious application detection method and device, electronic equipment and medium
CN114338118A (en) * 2021-12-22 2022-04-12 北京未来智安科技有限公司 Threat detection method and device based on ATT & CK
CN114969744A (en) * 2022-06-23 2022-08-30 北京天融信网络安全技术有限公司 Process interception method and system, electronic device, and storage medium

Also Published As

Publication number Publication date
CN115459988B (en) 2025-01-28

Similar Documents

Publication Publication Date Title
KR101122787B1 (en) Security-related programming interface
US8626125B2 (en) Apparatus and method for securing mobile terminal
US7661123B2 (en) Security policy update supporting at least one security service provider
WO2015124018A1 (en) Method and apparatus for application access based on intelligent terminal device
CN114329489A (en) Web application program vulnerability attack detection method, server, electronic equipment and storage medium
CN113452717B (en) Method and device for communication software safety protection, electronic equipment and storage medium
WO2017107830A1 (en) Application installation method, apparatus and electronic device
CN104376263A (en) Application behavior intercepting method and application behavior intercepting device
EP3270317A1 (en) Dynamic security module server device and operating method thereof
CN114035812B (en) Application software installation and/or operation method and device, electronic equipment and storage medium
CN104361282A (en) Mobile terminal security protecting method and device
US10121005B2 (en) Virus detection by executing electronic message code in a virtual machine
CN105868625B (en) Method and device for intercepting restart deletion of file
CN108965251B (en) A cloud-based security mobile phone protection system
CN116108435A (en) On-demand opening method and device of mobile terminal security aspect
CN113836529A (en) Process detection method, device, storage medium, and computer device
EP2728472B1 (en) User terminal, reliability management server, and method and program for preventing unauthorized remote operation
CN106650423A (en) Object sample file detecting method and device
US20060225071A1 (en) Mobile communications terminal having a security function and method thereof
CN116611058A (en) A kind of blackmail virus detection method and related system
CN107070878B (en) System and method for virus isolation of monitored application
WO2018049977A1 (en) Method and device for guaranteeing system security
CN115459988A (en) Security defense method and device based on ATT & CK model, electronic equipment and storage medium
CN106682500A (en) Detection method and device for target sample files
CN101593250A (en) Information security protection method, device and server device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant