CN115643082A - Method and device for determining a compromised host, and computer equipment
- Publication number: CN115643082A (application CN202211287900.XA)
- Authority: CN (China)
- Prior art keywords: data, host, risk, target, suspected
- Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Landscapes
- Computer And Data Communications (AREA)
Abstract
Embodiments of the present application provide a method, device and computer equipment for determining a compromised host. The method performs malicious domain name detection on each host to be detected based on different types of initial security data of the hosts to be detected, screens out suspected hosts from the hosts to be detected, and further determines compromised hosts from among the suspected hosts according to the initial security data of the suspected hosts. Building on malicious domain name detection, the method then determines compromised hosts from the suspected hosts on the basis of their initial security data, which improves on the poor accuracy of methods that determine compromised hosts through malicious domain name detection alone.
Description
Technical field
The present application relates to the field of communication technology, and in particular to a method, device and computer equipment for determining a compromised host.
Background
A compromised host is a host over which a network intruder has in some way obtained control. After obtaining control, the attacker may use the host as a springboard to continue attacking other hosts on the enterprise intranet; the host will also actively communicate with an IP address or domain name specified by the intruder and transmit the security data stored on it. In addition, compromised hosts are typically irregular and highly concealed: many intrusion actions are themselves hard to identify, or it cannot be confirmed whether the attack succeeded. Therefore, each host needs to be checked for compromise so that compromised hosts can be repaired in time and the enterprise's network security ensured.
In the related art, the method for determining a compromised host comprises obtaining a domain name to be detected and judging whether it is a malicious domain name; if it is, the host to be detected that stores that domain name is directly determined to be a compromised host.
However, the accuracy of the above method for determining a compromised host is low.
Summary of the invention
Embodiments of the present application provide a method, device and computer equipment for determining a compromised host. Suspected hosts are determined from the hosts to be detected after malicious domain name detection has been performed on them, and whether each suspected host is a compromised host is then further determined from the initial security data of that suspected host, which improves on the low accuracy caused by determining whether a host is compromised through malicious domain name detection alone.
A first aspect of the embodiments of the present application provides a method for determining a compromised host, the method comprising:
acquiring initial security data of each host to be detected, the initial security data being data generated by the host to be detected during its operation;
fusing the initial security data based on a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection, and screening out suspected hosts from the hosts to be detected based on the detection results, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal domain names and malicious domain names;
determining compromised hosts from among the suspected hosts based on the initial security data of the suspected hosts.
A second aspect of the embodiments of the present application provides a device for determining a compromised host, the device comprising:
an acquisition module, configured to acquire initial security data of each host to be detected, the initial security data being data generated by the host to be detected during its operation;
a fusion module, configured to fuse the initial security data based on a heterogeneous data fusion method to obtain target security data;
a detection and screening module, configured to input each domain name to be detected in the target security data into a detection model for malicious domain name detection and to screen out suspected hosts from the hosts to be detected based on the detection results, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal domain names and malicious domain names;
a determination module, configured to determine compromised hosts from among the suspected hosts based on the initial security data of the suspected hosts.
A third aspect of the embodiments of the present application provides computer equipment comprising a processor and a memory for storing processor-executable instructions, the processor being configured to read the executable instructions from the memory and execute them to implement the method for determining a compromised host provided in the first aspect.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for determining a compromised host provided in the first aspect.
A fifth aspect of the embodiments of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method for detecting a compromised host provided in the first aspect.
The technical solutions provided by the embodiments of the present application can achieve at least the following beneficial effects:
In the method for determining a compromised host provided by the embodiments of the present application, malicious domain name detection is performed on each host to be detected based on different types of initial security data of the hosts to be detected, suspected hosts are screened out from the hosts to be detected, and compromised hosts are further determined from the suspected hosts according to the initial security data of the suspected hosts. Building on malicious domain name detection, the method then determines compromised hosts from the suspected hosts based on their initial security data, which improves on the poor accuracy of methods that determine compromised hosts through malicious domain name detection alone.
Description of the drawings
FIG. 1 is an application scenario diagram of a method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 2 is a schematic flowchart of a method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 3 is a schematic flowchart of a method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 4 is a schematic flowchart of a further method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 5 is a schematic flowchart of yet another method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 6 is a schematic flowchart of another method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 7 is a schematic flowchart of a further method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 8 is a schematic flowchart of yet another method for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 9 is a schematic flowchart of another flow for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 10 is a structural block diagram of a device for determining a compromised host according to an exemplary embodiment of the present application;
FIG. 11 is an internal structure diagram of computer equipment according to an exemplary embodiment of the present application.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of devices and methods consistent with some aspects of the present application as recited in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the application. As used in the present application and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present application to describe various items of information, the information should not be limited by these terms. These terms are used only to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The embodiments of the present disclosure may be applied to electronic devices such as terminal devices, computer systems and servers, which may operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known terminal devices, computing systems, environments and/or configurations suitable for use with such electronic devices include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
Electronic devices such as terminal devices, computer systems and servers may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including storage devices.
First, the technical terms appearing in this application are introduced:
Host: the various devices used in a computer network or communication network, including but not limited to computers, switches, routers and security devices.
Compromised host: a host over which a network intruder has in some way obtained control. After obtaining control, the attacker may use the compromised host as a springboard to continue attacking other hosts on the enterprise intranet. Compromised hosts are typically irregular and highly concealed: many intrusion actions are themselves hard to identify, or it cannot be confirmed whether the attack succeeded, but the host can be judged to have been compromised from the various actions it performs afterwards. Once office equipment or a server has been attacked and brought under the control of an illegal organisation, it actively communicates with the IP address or domain name designated by that organisation's server and transmits the security data stored on it (for example personnel, asset, event, log, configuration, policy and traffic data). Therefore, hosts need to be checked for compromise so that compromised hosts can be repaired in time and the enterprise's network security ensured.
Domain Name System (DNS): one of the important basic core services of the Internet, responsible for providing a unified domain name address space mapping service, mainly resolving domain names that are easy for people to remember into IP addresses that are easy for machines to recognise.
Malicious domain name: a domain name generated by a Domain Generation Algorithm (DGA). Such domain names are commonly used by attackers as the domain names of malicious programs, for communication between Trojan software and its control server.
Once a host becomes compromised, the security data on it is at risk of leakage, and it also threatens other hosts that have an access relationship with it, causing immeasurable losses to the enterprise. Enterprises therefore need to determine in real time, during network operation, whether any of their hosts is compromised. At present, a common way of determining whether a host is compromised is to perform malicious domain name detection on all hosts; if a malicious domain name is found on a host, that host is determined to be compromised.
The above method determines whether a host is compromised through malicious domain name detection alone, and its accuracy is low.
In view of this, the embodiments of the present application propose a method for determining a compromised host which, building on malicious domain name detection, goes on to determine compromised hosts from among the suspected hosts based on the security data of the suspected hosts, improving on the poor accuracy of determining compromised hosts through malicious domain name detection alone.
The method for determining a compromised host provided in the embodiments of the present application may be applied to the application environment shown in FIG. 1, in which multiple hosts to be detected 102 communicate with a target host 104 over a network. The data storage system may be integrated on the target host 104, or placed in the cloud or on another network host. The target host 104 acquires the initial security data of the multiple hosts to be detected 102, processes it to obtain target security data, performs malicious domain name detection on the hosts to be detected 102 based on the target security data, and screens out suspected hosts from them according to the detection results; after screening out the suspected hosts it continues to obtain the security data of the suspected hosts, and determines compromised hosts from the suspected hosts according to that data. The hosts to be detected 102 and the target host 104 may each be implemented as an independent server or as a server cluster composed of multiple servers.
Specific technical solutions of the embodiments of the present application are described below by way of example with reference to the drawings.
FIG. 2 is a schematic flowchart of a method for determining a compromised host according to an exemplary embodiment of the present application. As shown in FIG. 2, the method specifically comprises the following steps:
Step S100: acquire the initial security data of each host to be detected, the initial security data being data generated by the host to be detected during its operation.
The host to be detected may be a server device of a target enterprise; there is at least one host to be detected, and there may be several, which is not limited here. The initial security data is data generated during operation of the host to be detected and is used to support the subsequent determination of compromised hosts. It may be obtained from the memory of the host to be detected, from other monitoring devices, or from both, which is not limited here. Other monitoring devices are devices that monitor the operating data of the host to be detected, for example traffic monitoring devices and threat intelligence monitoring devices. By way of example, the initial security data may be basic information of the host to be detected accessed in real time (such as its memory and kernel version), asset data (such as system accounts, open ports and databases), asset operation data (such as process behaviour data, file access data, system operation data and network traffic data), threat intelligence, behaviour log data (such as DNS server request/response logs, HTTP logs, server access logs, login logs, process behaviour logs, file logs and network logs), and network traffic data (network protocol, the basic fields of the corresponding protocol, and traffic data).
In the present application, the target host may send an acquisition instruction to the hosts to be detected and/or other monitoring devices, which, on receiving it, package the initial security data held in their memory and send it to the target host. When sending the data packets, the hosts to be detected and/or other monitoring devices carry the identifier of each host to be detected, so that the target host can determine from the identifier which host to be detected the data in a packet belongs to and store it by category. Of course, the target host may also store the data packets sent by multiple hosts to be detected and/or other monitoring devices at the same memory address, which is not limited in the present application.
Different types of initial security data have the following advantages over a single type of initial security data:
A single type of initial security data is subject to perception errors caused by factors such as external interference, whereas when a single type of initial security data is missing or seriously deviates, the redundancy among different types of initial security data still provides an accurate basis for determining compromised hosts.
A single type of initial security data can only provide characteristic information about one aspect and cannot give an overall description, whereas different types of initial security data complement and build on one another, filling in each other's missing information, and finally yield a clearer and more accurate description.
The time and speed at which a single type of initial security data is obtained and transmitted are fixed, whereas different types of initial security data make up for this shortcoming and provide real-time data, which improves the efficiency of determining compromised hosts.
By way of example, the target host sends initial security data acquisition instructions to host A, host B and host C respectively; on receiving them, host A packages its stored enterprise asset data and sends it to the target host, host B packages its stored enterprise log data and sends it to the target host, and host C sends its stored enterprise user data to the target host.
Step S200: fuse the initial security data based on a heterogeneous data fusion method to obtain target security data.
The heterogeneous data fusion method is a means of processing data from different sources; using the initial security data from the different hosts to be detected and/or other monitoring devices, it may perform filtering and screening, completion, conversion, aggregation and merging, parsing and extraction, and so on, to obtain the target security data. Technologies and algorithms used in heterogeneous data fusion include, for example, least squares, weighted averaging, Kalman filtering, Bayesian estimation, minimum description length, genetic algorithms and evidence functions.
Fusing the initial security data with the heterogeneous data fusion method yields target security data that reduces the uncertainty in determining compromised hosts and improves the quality of that determination. More importantly, heterogeneous data fusion makes effective use of the redundancy and complementarity between data from different sources, so that compromised hosts can be determined more accurately from a global perspective. It also reduces the data volume and, according to subsequent business needs, produces intermediate table information such as an IP summary table and IP session logs, from which a basic security data centre is built; this resolves conflicts between different types of initial security data, scattered attributes, and the incompleteness and one-sidedness of single-source data, and supports the subsequent analysis of compromised hosts. The target security data obtained by heterogeneous fusion is to some extent denoised, which reduces the inaccurate host determination caused by data silos, and it also supports the subsequent risk assessment of compromised hosts.
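The four claimed steps as one runnable pipeline, added here as an example and not taken from the patent: the detection model is a stand-in trained on constructed normal and DGA-like domain names (character-bigram coverage against known-good labels), fusion is reduced to correlating records on host IP, and the stage-2 rule (the flagged domain queried repeatedly and contacted by a process outside the host's asset allowlist) is an assumption standing in for the patent's later determination logic, which this section does not yet specify. All sample data, hosts and process names are constructed.

```python
# Added example, not the patent's code. Stand-in detection model, simplified
# fusion and an assumed stage-2 corroboration rule; all sample data constructed.
from collections import defaultdict

# S100: constructed initial security data from two sources
DNS_LOG = [  # DNS request logs: (host_ip, queried_domain)
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "update.windows.com"),
    ("10.0.0.7", "update.windows.com"),
    ("10.0.0.7", "xk3qz9vbl2mnr.net"),
    ("10.0.0.7", "xk3qz9vbl2mnr.net"),
    ("10.0.0.7", "xk3qz9vbl2mnr.net"),
    ("10.0.0.9", "rj4wq8zxvt1k.biz"),
    ("10.0.0.9", "www.example.com"),
]
PROCESS_LOG = [  # process behaviour logs: (host_ip, process_name, remote_domain)
    ("10.0.0.7", "svchost_update.exe", "xk3qz9vbl2mnr.net"),
    ("10.0.0.9", "chrome.exe", "rj4wq8zxvt1k.biz"),
]
ASSET_ALLOWLIST = {  # asset data: processes expected to connect outbound per host
    "10.0.0.5": {"chrome.exe", "outlook.exe"},
    "10.0.0.7": {"chrome.exe"},
    "10.0.0.9": {"chrome.exe", "teams.exe"},
}
# Constructed training data for the stand-in detection model
NORMAL = ["google.com", "microsoft.com", "example.com", "wikipedia.org",
          "github.com", "amazon.com", "youtube.com", "facebook.com",
          "twitter.com", "linkedin.com", "apple.com", "netflix.com",
          "cloudflare.com", "mozilla.org", "ubuntu.com", "android.com",
          "adobe.com", "overflow.com", "reddit.com", "yahoo.com"]
MALICIOUS = ["xk3qz9vbl2mnr.net", "q7h2lz0pwvd.org", "zxcv8hjkl1a.com",
             "bfd7gkq3zw.info", "pqrtlmnwx.biz"]

# S200: fuse heterogeneous records into per-host target security data
def fuse(dns_log, process_log):
    """Correlate records from both sources on host IP (simplified fusion)."""
    hosts = defaultdict(lambda: {"dns": defaultdict(int), "procs": []})
    for ip, domain in dns_log:
        hosts[ip]["dns"][domain] += 1          # query count per domain
    for ip, proc, domain in process_log:
        hosts[ip]["procs"].append((proc, domain))
    return hosts

def sld(domain):
    """Second-level label, e.g. 'example' for www.example.com (no PSL handling)."""
    return domain.lower().rstrip(".").split(".")[-2]

def bigrams(label):
    return {label[i:i + 2] for i in range(len(label) - 1)}

class DomainDetector:
    """Flags a domain whose label shares few character bigrams with known-good names."""
    def __init__(self):
        self.vocab, self.threshold = set(), 0.5

    def score(self, domain):
        grams = bigrams(sld(domain))
        return len(grams & self.vocab) / len(grams) if grams else 0.0

    def fit(self, normal, malicious):
        for d in normal:
            self.vocab |= bigrams(sld(d))
        # decision threshold: midpoint between the two classes' worst cases
        lo = min(self.score(d) for d in normal)
        hi = max(self.score(d) for d in malicious)
        self.threshold = (lo + hi) / 2
        return self

    def is_malicious(self, domain):
        return self.score(domain) < self.threshold

# Stage 1: suspected hosts are those whose queried domains include a flagged one
def suspected_hosts(hosts, model):
    flagged = {ip: sorted(d for d in data["dns"] if model.is_malicious(d))
               for ip, data in hosts.items()}
    return {ip: ds for ip, ds in flagged.items() if ds}

# Stage 2 (assumed rule): the flagged domain was queried repeatedly and was
# contacted by a process outside the host's asset allowlist
def compromised_hosts(hosts, suspected, allowlist, min_queries=3):
    result = []
    for ip, domains in suspected.items():
        allow = allowlist.get(ip, set())
        for domain in domains:
            repeated = hosts[ip]["dns"][domain] >= min_queries
            rogue = any(proc not in allow
                        for proc, d in hosts[ip]["procs"] if d == domain)
            if repeated and rogue:
                result.append(ip)
                break
    return sorted(result)

def run():
    """Returns (suspected hosts with their flagged domains, compromised hosts)."""
    model = DomainDetector().fit(NORMAL, MALICIOUS)
    hosts = fuse(DNS_LOG, PROCESS_LOG)
    suspected = suspected_hosts(hosts, model)
    return suspected, compromised_hosts(hosts, suspected, ASSET_ALLOWLIST)
```

Both 10.0.0.7 and 10.0.0.9 query a DGA-like name and become suspected, but only 10.0.0.7 is corroborated by its process data, which is the false-positive reduction the two-stage design is meant to deliver.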
In one embodiment, as shown in FIG. 3, FIG. 3 is an optional method embodiment for fusing the initial security data according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S201, fuse the initial security data based on the heterogeneous data fusion method to obtain intermediate security data;
Exemplarily, this embodiment of the application may perform the following operations on each item of initial security data:
Apply a configured data parsing algorithm to each item of initial security data to extract its key information; perform correlation completion on the key information of each item; label each completed item; and finally obtain the intermediate security data.
Specifically, key information may be extracted from the IP address, current host IP address, domain name, URL, protocol type, event content and the like of each item of initial security data, as shown in the following table:
Correlation completion is, for example, enriching the content of related data such as log data and fixed asset information (including the user identifier of the user to whom the device belongs, the identifier of that user's organization, the user's location information and the user's contact information).
This embodiment of the application may label the initial security data with ATT&CK tactic and technique IDs so as to classify and annotate each item, which makes it convenient to classify massive amounts of initial security data quickly and further improves the efficiency and accuracy of data analysis. By way of illustration, an image may carry labels such as adult, female, Asian and long hair, and a text may carry labels such as subject, predicate, object, noun and verb.
Specifically, labeling the initial security data requires data feature extraction to obtain the features of the initial security data, which is then labeled according to those features. For example, if a link to a known malicious site is found in a host's application log and the user visited that link, the host is labeled "phishing risk present".
The technical solution provided by this embodiment first preprocesses the initial security data and then, by combining the multiple items of key information extracted from the processed data with the subsequent determination methods, makes the determination of compromised hosts more accurate and lowers the error rate of determining compromised hosts from a single item of key information.
Step S202, perform standardization processing on the intermediate security data to obtain the target security data, where standardization processing is used to constrain the data format of the security data and the representation of its content.
Because each host to be detected and each other monitoring device follows its own storage rules when storing initial security data, the data formats and representations of content may not be uniform. So that compromised hosts can later be determined quickly on the basis of the initial security data, the intermediate data must be standardized to unify the data format and content representation of all intermediate data, which improves the efficiency of determining compromised hosts.
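The pipeline of steps S201 and S202 (key-information extraction, correlation completion, labeling, and standardization into one schema) can be illustrated with a small fusion routine. The following is an added example written for this page, not code from the patent or any product; the two log formats, the asset table, the malicious-site list and the field names are constructed assumptions, and the ATT&CK technique ID T1566 (Phishing) is used as the label for a visit to a known malicious site.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample records from two sources with different native formats
# (RFC 5737 documentation addresses and .example names, not real hosts).
FIREWALL_LINES = [
    "2023-01-05T10:15:30Z fw01 src=10.0.0.5 dst=203.0.113.7 proto=tcp "
    "url=http://bad.example/login action=allow",
    "2023-01-05T10:16:02Z fw01 src=10.0.0.9 dst=198.51.100.4 proto=udp action=allow",
]
DNS_LINES = [
    '{"ts": "2023-01-05T10:15:29Z", "client": "10.0.0.5", "qname": "bad.example", "qtype": "A"}',
]

# Constructed fixed-asset table keyed by host IP (attribute kinds as listed on the page).
ASSETS = {
    "10.0.0.5": {"user_id": "u1001", "org_id": "finance", "location": "HQ-3F",
                 "contact": "u1001@corp.example"},
}
# Constructed list of known malicious sites; T1566 is the ATT&CK Phishing technique ID,
# used here as the label for contact with such a site (the mapping is an assumption).
MALICIOUS_HOSTS = {"bad.example"}
PHISHING_TECHNIQUE = "T1566"

STANDARD_FIELDS = ("timestamp", "src_ip", "dst_ip", "domain", "url", "protocol", "event", "source")


def parse_firewall(line):
    """Extract key information from a key=value firewall line."""
    ts, sensor, rest = line.split(" ", 2)
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    url = kv.get("url")
    return {
        "timestamp": ts,
        "src_ip": kv.get("src"),
        "dst_ip": kv.get("dst"),
        "domain": urlparse(url).hostname if url else None,
        "url": url,
        "protocol": kv.get("proto", "").upper(),
        "event": f"{kv.get('action', 'unknown')} by {sensor}",
        "source": "firewall",
    }


def parse_dns(line):
    """Extract key information from a JSON DNS resolver log line."""
    rec = json.loads(line)
    return {
        "timestamp": rec["ts"],
        "src_ip": rec["client"],
        "dst_ip": None,
        "domain": rec["qname"].lower().rstrip("."),
        "url": None,
        "protocol": "DNS",
        "event": f"query {rec['qtype']}",
        "source": "dns",
    }


def enrich(record):
    """Correlation completion: attach asset and user attributes of the source host."""
    asset = ASSETS.get(record["src_ip"], {})
    for key in ("user_id", "org_id", "location", "contact"):
        record[key] = asset.get(key)
    return record


def label(record):
    """Tag the record when it shows contact with a known malicious site."""
    record["labels"] = []
    record["attack_technique"] = None
    if record["domain"] in MALICIOUS_HOSTS:
        record["labels"].append("phishing risk present")
        record["attack_technique"] = PHISHING_TECHNIQUE
    return record


def standardize(record):
    """Enforce one field order and representation regardless of source."""
    out = {field: record.get(field) for field in STANDARD_FIELDS}
    for key in ("user_id", "org_id", "location", "contact", "labels", "attack_technique"):
        out[key] = record.get(key)
    return out


def fuse(firewall_lines, dns_lines):
    """Parse, enrich, label and standardize all records, ordered by time."""
    records = [parse_firewall(line) for line in firewall_lines]
    records += [parse_dns(line) for line in dns_lines]
    records = [standardize(label(enrich(r))) for r in records]
    return sorted(records, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for r in fuse(FIREWALL_LINES, DNS_LINES):
        print(json.dumps(r))
```

The two parsers produce the same intermediate dictionary, so enrichment and labeling never need to know which source a record came from; `standardize` is where the uniform format of step S202 is enforced, and the sort by timestamp is what lets the DNS query and the subsequent firewall session for the same host be read as one sequence.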
Step S300, input each domain name to be detected in the target security data into the detection model for malicious domain name detection, and screen out suspected hosts from the hosts to be detected based on the detection results, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal domain names and malicious domain names;
The domain names to be detected come from the target security data; for example, they may be obtained from the DNS log data in the target security data. Detecting these domain names reveals whether a host to be detected has a communication relationship with an attacker: if an attacker uses a domain name to communicate with the host, that domain name can be determined to be malicious, and suspected hosts can then be determined from the hosts to be detected on the basis of the malicious domain names. This embodiment performs malicious domain name detection on the domain names to be detected with a detection model, which yields detection results more quickly.
After malicious domain names are obtained by the above method, the hosts to be detected that contain a malicious domain name may be screened as suspected hosts. There may be one or several suspected hosts, which is not limited here.
In addition, this embodiment may trigger an alarm mechanism after suspected hosts are screened out from the hosts to be detected; for example, the alarm level of a suspected host may be adjusted to medium.
In another embodiment, as shown in FIG. 4, FIG. 4 is an optional method embodiment for obtaining the detection model according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S301, obtain multiple normal domain names and multiple malicious domain names;
Exemplarily, the first 1,000,000 entries of the Alexa (http://www.secrepo.com) and Cisco data sets may be selected as normal domain name samples; selected normal domain names are, for example, google.com, facebook.com, youtube.com, baidu.com, yahoo.com, amazon.com, wikipedia.org, qq.com and twitter.com.
Malicious domain name data sets may be obtained from open-source sites such as http://data.netlab.360.com/dga/, selecting data sets such as abcbot, ccleaner, dmsniff, fobber, madmax, necro, proslikefan, rovnix, tempedreve and vidro, and the first 1,000,000 entries of the malicious domain name data sets may be taken as malicious domain name samples. Selected malicious domain names are, for example, kyyjpvvbi.com, bkiypvvjy.pages.dev, kyyjpvvbi.tk, vyvpykbij.com, kyyjpvvbi.pages.dev, yivvjbypk.com, ykjbpvviy.pages.dev, ykjbpvviy.com, kvyjiyvpb.pages.dev, pikbyjyvv.pages.dev and kyjivpvyb.pages.dev.
After obtaining the normal and malicious domain name samples, this embodiment may also perform extraction operations on the samples, such as cleaning and main domain name extraction.
Step S302, extract the feature information of each normal domain name and of each malicious domain name, where the feature information includes at least one of the character randomness of the domain name, the character length, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain;
The feature information includes, for example, at least one of character randomness, character length, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain.
Character randomness of normal and malicious domain names behaves as follows: the character randomness of malicious domain names is greater than that of normal domain names.
Character length of normal and malicious domain names behaves as follows: the character length of normal domain names is within 19 and concentrated between 8 and 12, and only a few normal domain names exceed 19 characters, whereas malicious domain names range from 8 to 32 characters with two peaks, at 12 and 30, the number of malicious domain names of length 30 being the larger.
The proportion of vowels among the characters of normal and malicious domain names behaves as follows: to be easy for users to remember and readable, normal domain names are usually spelled from words or names, and vowels are often inserted into a word or name so that the domain name reads more smoothly. Because malicious domain names are randomly generated without regard to readability, the proportion of vowels in normal domain names is higher than in malicious domain names.
The proportion of unique characters among the characters of normal and malicious domain names behaves as follows: the unique characters are the distinct characters in the domain name; for example, the domain name baidu has the unique characters [b.a.i.d.u], a count of 5, and the domain name urlzt.com has the unique characters [u.r.l.z.t], a count of 4. Because malicious domain names are highly random, they contain more unique characters, so the proportion of unique characters in normal domain names is lower than in malicious domain names.
The top-level domains of normal and malicious domain names behave as follows: normal domain names generally use common top-level domains such as .cn and .com, while the top-level domains of malicious domain names are fairly arbitrary, attackers choosing loosely vetted top-level domains such as .biz and .ru. For example, if the normal domain names include 1933 common top-level domains and 67 other top-level domains, the malicious domain names may include 1342 common top-level domains and 658 other top-level domains, so nearly two thirds of the top-level domains among malicious domain names are uncommon ones. The proportion of common top-level domains is therefore higher among normal domain names than among malicious domain names.
In machine learning, the inputs to a model generally need to be numerical variables, and categorical variables carry no numerical attribute of their own, so categorical variables usually need separate handling. Therefore, after the feature information of the normal and malicious domain names has been extracted by the above method, character-level label encoding is also applied to the normal and malicious domain names, usually with label encoding, a variable transformation commonly used with tree models, to convert the categorical variables into numerical ones. For example, [g, o, o, g, l, e, c, o, m] is converted into [1, 2, 2, 1, 3, 4, 5, 6, 2, 7], which completes the numerical conversion of the normal and malicious domain names. This facilitates machine learning on the normal and malicious domain names and yields a more robust detection model.
Step S303, train a long short-term memory neural network on the feature information of the normal domain names and of the malicious domain names to obtain the detection model.
Exemplarily, this embodiment may split the feature information of the normal and malicious domain names into training data and test data, first training the long short-term memory neural network on the training data on the basis of classification algorithms such as K-nearest neighbours, logistic regression, SVM and iterative algorithms to obtain an initial detection model, then predicting on the test data with the initial detection model and, according to the accuracy, false positive rate and recall of DGA domain name discovery in the prediction results, using cross-validation to select the best-performing algorithm, so as to obtain a detection model with better accuracy.
After obtaining the detection model through the above training and prediction, this embodiment may reselect normal and malicious domain name samples to verify the detection model a second time, and further adjust the ratio of normal to malicious domain names, the choice of algorithm, parameter tuning and other aspects according to the verification results, so as to finally obtain a more optimized detection model.
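The five features of step S302 and the character-level label encoding described above can be computed as follows. This is an added example written for this page, not code from the patent; it assumes Shannon entropy of the characters as the "character randomness" measure, treats the last label as the top-level domain and all remaining labels (joined, without dots) as the domain's characters, and uses a constructed set of "common" TLDs. The encoding table is built from a training set with 0 reserved for padding and unknown characters, which is a common label-encoding variant and does not reproduce the page's illustrative integer sequence.

```python
import math
from collections import Counter

VOWELS = set("aeiou")
# Constructed set of "common" top-level domains; the page names .cn and .com as examples.
COMMON_TLDS = {"com", "cn", "net", "org"}


def split_domain(domain):
    """Return (characters, tld): the TLD is the last label and the characters are the
    remaining labels joined without dots (this main-domain handling is an assumption)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return "".join(labels[:-1]), labels[-1]


def char_entropy(chars):
    """Shannon entropy in bits, used here as the character-randomness feature."""
    if not chars:
        return 0.0
    counts = Counter(chars)
    n = len(chars)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(domain):
    """The five features named in step S302 for one domain name."""
    chars, tld = split_domain(domain)
    n = len(chars) or 1  # guard against an empty name
    return {
        "randomness": char_entropy(chars),
        "length": len(chars),
        "vowel_ratio": sum(ch in VOWELS for ch in chars) / n,
        "unique_ratio": len(set(chars)) / n,
        "tld_common": 1 if tld in COMMON_TLDS else 0,
    }


def build_vocab(domains):
    """Character-level label-encoding table: every character seen in the training
    domains gets a positive integer; 0 is reserved for padding and unknown characters."""
    alphabet = sorted({ch for d in domains for ch in split_domain(d)[0]})
    return {ch: i + 1 for i, ch in enumerate(alphabet)}


def encode(domain, vocab, max_len):
    """Map a domain's characters to integers and pad or truncate to max_len,
    the fixed-length sequence an LSTM input layer expects."""
    codes = [vocab.get(ch, 0) for ch in split_domain(domain)[0]][:max_len]
    return codes + [0] * (max_len - len(codes))


if __name__ == "__main__":
    # Normal and malicious examples taken from the page's sample lists.
    for name in ("google.com", "kyyjpvvbi.tk", "bkiypvvjy.pages.dev"):
        print(name, extract_features(name))
    vocab = build_vocab(["google.com", "baidu.com"])
    print(encode("google.com", vocab, max_len=8))
```

Run on the page's own samples, `kyyjpvvbi.tk` scores higher on randomness and unique-character ratio and lower on vowel ratio than `google.com`, which is the separation the feature descriptions above rely on. Characters absent from the training vocabulary map to 0 at inference time, so a model trained with this encoding never sees an unseen index.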
Step S400, determine compromised hosts from the suspected hosts based on the initial security data of the suspected hosts.
After suspected hosts have been screened out from the hosts to be detected by the above method, the initial security data of the suspected hosts may be obtained and matched against IOC security threat intelligence, and whether a suspected host is a compromised host is determined according to the matching results. This mitigates the poor accuracy that results from determining compromised hosts by malicious domain name detection alone.
In one embodiment, as shown in FIG. 5, FIG. 5 is an optional method embodiment for determining a compromised host according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S401, perform risk data identification on the initial security data of the suspected host with a risk data identification model to obtain an identification result, where the risk data identification model is obtained by training a neural network model on different types of risk data and different types of normal data.
The risk data identification model is obtained by training a neural network model on different types of risk data and different types of normal data. Normal data may be security data obtained from non-compromised hosts, and risk data may be target asset data, vulnerability data, target user data, threat intelligence data and the like obtained from compromised hosts; both may also be data collected during past determinations of compromised hosts, which this application does not limit. The trained risk data identification model may be stored in the target host.
After suspected hosts are screened out from the hosts to be detected by the above method, this application may obtain the different types of initial security data of a suspected host and input them into the trained risk data identification model to obtain its output. The output may be empty (that is, no risk data is identified in the initial security data) or may be the corresponding risk data, which may include only one type of risk data or several different types; the risk data may also carry a risk type label, so that the risk types present on the suspected host can later be obtained quickly from the identification result of the model, improving the efficiency of determining compromised hosts.
Step S402, if the identification result is that risk data is identified in the initial security data of the suspected host, determine the suspected host to be a compromised host, where the risk data includes at least one of target asset data, vulnerability data, target user data and threat intelligence data, target asset data being asset data whose confidentiality level is greater than a predetermined level and target user data being user data with predetermined operation authority.
Based on the output of the risk data identification model, compromised hosts can be determined from the suspected hosts very quickly. Specifically, if the identification result is that no risk data exists in the initial security data of the suspected host, the suspected host is not a compromised host; conversely, if the identification result is that at least one of target asset data, vulnerability data, target user data and threat intelligence data exists in the initial security data of the suspected host, the suspected host is determined to be a compromised host.
Further, after obtaining the asset data, vulnerability data, user data and threat intelligence data of the suspected host, the target host may go on to check whether the asset data of the suspected host contains asset data with a confidentiality level greater than the predetermined level, whether the initial security data contains vulnerability data, whether the user data contains user data with predetermined operation authority, and whether the initial security data contains threat intelligence data, and determine from the results whether the suspected host is a compromised host. If the target host finds at least one of asset data with a confidentiality level greater than the predetermined level (that is, target asset data), vulnerability data, user data with predetermined operation authority (that is, target user data) and threat intelligence data, the suspected host is determined to be a compromised host. It should be noted that the predetermined level and the predetermined operation authority are set by the enterprise according to its own business.
At the same time, this embodiment may trigger the alarm mechanism again after risk data is determined to exist on the suspected host; for example, the alarm level of the suspected host may be adjusted to high.
Determining compromised hosts from the suspected hosts by whether risk data exists in their security data works well because risk data is easy to obtain, so whether a suspected host is compromised can be determined quickly, which improves the efficiency of determining compromised hosts.
After compromised hosts have been determined from the hosts to be detected in the above manner, they need to be repaired to avoid greater losses to the enterprise and so safeguard the enterprise's network security. Specifically, as shown in FIG. 6, FIG. 6 is an optional method embodiment for repairing a compromised host according to an exemplary embodiment of the present application. The method embodiment includes the following steps:
Step S600, obtain the risk data of the compromised host;
This embodiment determines whether a suspected host is compromised by the above method of checking whether risk data exists in its security data, so a compromised host necessarily contains risk data. The target host may send an acquisition instruction to the compromised host to obtain the risk data it returns, which may be at least one of target asset data, vulnerability data, target user data and threat intelligence data.
Step S700, determine the risk type of the compromised host based on its risk data;
This embodiment may determine the risk types present on the compromised host from the risk data obtained above; the risk types include asset risk, vulnerability risk, user risk and threat intelligence risk.
Accordingly, if the risk data of the compromised host is target asset data, the risk type of the compromised host is determined to be asset risk;
if the risk data of the compromised host is vulnerability data, its risk type is determined to be vulnerability risk;
if the risk data of the compromised host is target user data, its risk type is determined to be user risk;
if the risk data of the compromised host is threat intelligence data, its risk type is determined to be threat intelligence risk.
Furthermore, this embodiment may trigger the alarm mechanism after determining that any one of asset risk, vulnerability risk, user risk and threat intelligence risk exists on the suspected host; for example, the alarm level of the suspected host may be adjusted to high;
this embodiment may also trigger the alarm mechanism after determining that any two of asset risk, vulnerability risk, user risk and threat intelligence risk exist on the suspected host; for example, the alarm level of the suspected host may be adjusted to junior-high;
this embodiment may also trigger the alarm mechanism after determining that any three of asset risk, vulnerability risk, user risk and threat intelligence risk exist on the suspected host; for example, the alarm level of the suspected host may be adjusted to intermediate-high;
this embodiment may also trigger the alarm mechanism after determining that all four of asset risk, vulnerability risk, user risk and threat intelligence risk exist on the suspected host; for example, the alarm level of the suspected host may be adjusted to very high.
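The checks of step S402, the risk-type mapping of step S700 and the alarm tiers above form one small decision procedure, shown here as an added example written for this page rather than code from the patent. The confidentiality threshold, the set of roles that count as "predetermined operation authority", the tier names, and the sample host records are constructed assumptions (the page says the threshold and authority are set by the enterprise); the vulnerability identifier is a placeholder, not a real advisory.

```python
# Assumed enterprise policy (the page leaves these to the enterprise's own business):
PREDETERMINED_LEVEL = 3                                  # confidentiality > 3 counts as a target asset
PREDETERMINED_AUTHORITY = {"admin", "domain_admin"}       # roles that count as target users

RISK_TYPES = ("asset", "vulnerability", "user", "threat_intelligence")
# Alarm tiers as described on the page: a suspected host with no risk data stays at
# medium; one to four distinct risk types raise the tier step by step.
ALARM_LEVELS = {0: "medium", 1: "high", 2: "junior-high", 3: "intermediate-high", 4: "very high"}


def identify_risk_data(security_data):
    """Step S402 checks on a suspected host's security data; returns the risk data
    that was found, keyed by the risk type it implies (step S700)."""
    found = {}
    assets = [a for a in security_data.get("assets", [])
              if a["confidentiality"] > PREDETERMINED_LEVEL]
    if assets:
        found["asset"] = assets
    if security_data.get("vulnerabilities"):
        found["vulnerability"] = list(security_data["vulnerabilities"])
    users = [u for u in security_data.get("users", [])
             if u["role"] in PREDETERMINED_AUTHORITY]
    if users:
        found["user"] = users
    if security_data.get("threat_intel"):
        found["threat_intelligence"] = list(security_data["threat_intel"])
    return found


def assess_suspected_host(security_data):
    """Decide compromised or not, list the risk types present, and set the alarm tier."""
    found = identify_risk_data(security_data)
    risk_types = [t for t in RISK_TYPES if t in found]
    return {
        "compromised": bool(found),           # any risk data at all -> compromised host
        "risk_types": risk_types,
        "alarm_level": ALARM_LEVELS[len(risk_types)],
        "risk_data": found,
    }


# Constructed sample: one suspected host carrying two kinds of risk data, one clean host.
SUSPECTED_HOSTS = {
    "10.0.0.5": {
        "assets": [{"name": "payroll-db", "confidentiality": 5},
                   {"name": "wiki", "confidentiality": 2}],
        "vulnerabilities": ["VULN-PLACEHOLDER-1"],   # placeholder id, not a real advisory
        "users": [{"name": "alice", "role": "staff"}],
        "threat_intel": [],
    },
    "10.0.0.9": {
        "assets": [{"name": "kiosk", "confidentiality": 1}],
        "users": [{"name": "bob", "role": "staff"}],
    },
}

if __name__ == "__main__":
    for ip, data in SUSPECTED_HOSTS.items():
        print(ip, assess_suspected_host(data))
```

The returned `risk_data` keeps the concrete items behind each risk type, which is what steps S600 and S700 later consume, and the alarm tier is derived from the number of distinct risk types rather than the number of items, so two high-confidentiality assets on one host still count as a single asset risk.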
Step S800, based on the risk type, obtain at least one classified repair policy corresponding to the risk type from the security knowledge base, where the security knowledge base includes multiple risk types and the classified repair policies corresponding to them;
The security knowledge base is the ATT&CK technical knowledge base (Adversarial Tactics, Techniques and Common Knowledge) stored in the target host. ATT&CK is a model and knowledge base proposed by MITRE that reflects attack behaviour across each stage of the attack life cycle. It builds a finer-grained and more shareable knowledge model and framework around observable attacker behaviour and, through continuous accumulation, forms a knowledge base of cyber attacker behaviour that is jointly maintained by government, public service enterprises, private enterprises and academic institutions, guiding users in targeted detection, defence and response.
The security knowledge base includes techniques, common knowledge, multiple risk types and the classified repair policies corresponding to them. Once the risk type of the compromised host is determined, the classified repair policy corresponding to that risk type can therefore be looked up in the security knowledge base. A classified repair policy is the set of operations to be performed to repair a repair object; it may include multiple execution steps, which may target the same operation object or different operation objects, without limitation. Note that a repair object may be, for example, a processor, memory, an output module, an input module, a display module or an audio module, and repairing it may mean performing the corresponding operations on operation objects such as the devices, drivers, programs and code within the repair object, or other external devices that interact with it.
Exemplarily, classified repair policies include: Wi-Fi blocking, firewall linkage, agent linkage, e-mail notification, SMS notification, and automated response actions such as terminating a process, blocking a network connection, blocking an IP address and blocking a domain name.
In one embodiment, as shown in FIG. 7, which illustrates an optional method embodiment for obtaining the classified repair strategies corresponding to a risk type according to an exemplary embodiment of the present application, the method includes the following steps:
Step S801: obtain the risk type label of at least one risk type.
The risk data identified by the risk data identification model described above may be a single item or several items. Several items of risk data may be of the same type or of different types: if all identified risk data are of one type, the compromised host carries a single risk; if they are of different types, the compromised host carries several different risks. Because the risk data output by the risk data identification model already carries a risk type label, the label can be read directly from the model's output, which makes determining the compromised host more efficient. A risk type label may be expressed, for example, with letters, digits or symbols; the application does not limit this.
Step S802: according to the risk type label, obtain from the security knowledge base at least one classified repair strategy corresponding to that label, the security knowledge base containing multiple risk type labels and, for each label, multiple classified repair strategies.
Since the security knowledge base holds the risk type label of each risk type together with the classified repair strategies associated with that label, once the label of the compromised host's risk type has been obtained as described above, the corresponding classified repair strategies can be looked up in the security knowledge base by that label. This allows the classified repair strategies to be determined faster, further raising the efficiency of repairing the compromised host, avoiding more serious losses for the enterprise and safeguarding its network.
Step S900: combine the classified repair strategies corresponding to the risk types according to a predetermined logical relationship to obtain the target repair strategy, the predetermined logical relationship representing the association between the classified repair strategies.
The predetermined logical relationship may be determined, for example, from the association between the operation steps of the repair objects targeted by each classified repair strategy, or from the association between the steps of the classified repair strategies themselves; the application does not limit this.
In one embodiment, as shown in FIG. 8, which illustrates an optional method embodiment for obtaining the target repair strategy according to an exemplary embodiment of the present application, the method includes the following steps:
Step S9011: determine, from the classified repair strategies, a plurality of operation objects and a plurality of target execution steps associated with each operation object.
A classified repair strategy contains multiple execution steps; each execution step may operate on one operation object or on several. The operation objects, and the target execution steps associated with each of them, can therefore be extracted directly from the classified repair strategies.
Step S9012: sort the target execution steps associated with each operation object according to a target order to obtain multiple combined repair strategies, the target order being an order that satisfies continuity of operation.
In this embodiment the target execution steps for each operation object may also be sorted according to whether the steps satisfy the condition of continuous operation, which yields the combined repair strategies.
For example, if there are several classified repair strategies, and the first step of the first strategy, the second step of the second strategy and the third step of the third strategy are all execution steps for a router and form a coherent sequence of operations, then those three steps may be taken together as one combined repair strategy.
Step S9013: take each combined repair strategy as a target repair strategy.
If the process above yields three combined repair strategies, those three are determined to be the target repair strategies.
A target repair strategy determined this way is highly operable and improves repair efficiency, thereby avoiding more serious losses for the enterprise and safeguarding its network.
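The composition procedure of steps S801 through S9013, as an added Python example that is not the patent's code: the risk type labels are read off the identification model's output, the classified repair strategies are looked up in a constructed knowledge base, their steps are grouped by operation object, and each object's steps are sorted and cut into continuous runs, one run per combined repair strategy. The knowledge base contents, the labels, the `phase` field and the rule that continuity of operation means consecutive phases on the same object are all assumptions of this example; the page does not fix how the predetermined logical relationship is expressed.

```python
"""Added example (not the patent's code): composing a target repair strategy
from classified repair strategies, following steps S801-S802 and S9011-S9013."""
from collections import defaultdict

# Constructed output of the risk data identification model (step S801): every
# record already carries its risk type label. Labels are hypothetical.
RISK_DATA = [
    {"label": "MAL_DOMAIN", "detail": "host resolved a DGA-like domain"},
    {"label": "PRIV_USER", "detail": "domain admin logged on interactively"},
    {"label": "MAL_DOMAIN", "detail": "second beacon to the same domain"},
]

# Constructed security knowledge base (step S802): label -> classified repair
# strategies. Each step names the operation object it acts on and a "phase";
# this example takes continuity of operation (step S9012) to mean consecutive
# phases on the same object, which is an assumption, not the patent's rule.
KNOWLEDGE_BASE = {
    "MAL_DOMAIN": [
        [{"object": "router", "phase": 1, "action": "sinkhole C2 domain"},
         {"object": "host", "phase": 1, "action": "kill beaconing process"},
         {"object": "host", "phase": 2, "action": "quarantine dropped binary"}],
    ],
    "PRIV_USER": [
        [{"object": "directory", "phase": 1, "action": "disable privileged account"},
         {"object": "router", "phase": 2, "action": "block lateral RDP/SMB from host"},
         {"object": "host", "phase": 4, "action": "rotate local credentials"}],
    ],
}


def risk_type_labels(risk_data):
    """S801: distinct risk type labels in first-seen order."""
    labels = []
    for record in risk_data:
        if record["label"] not in labels:
            labels.append(record["label"])
    return labels


def classified_strategies(labels, knowledge_base):
    """S802: every classified repair strategy stored under each label."""
    strategies = []
    for label in labels:
        if label not in knowledge_base:
            raise KeyError(f"no classified repair strategy for risk type {label}")
        strategies.extend(knowledge_base[label])
    return strategies


def steps_by_object(strategies):
    """S9011: map each operation object to the target execution steps acting on it."""
    grouped = defaultdict(list)
    for strategy in strategies:
        for step in strategy:
            if step not in grouped[step["object"]]:  # drop exact duplicates
                grouped[step["object"]].append(step)
    return grouped


def combined_strategies(grouped):
    """S9012/S9013: per object, sort by phase and cut the list wherever a phase
    gap breaks continuity; each continuous run is one combined repair strategy."""
    result = []
    for obj, steps in grouped.items():
        ordered = sorted(steps, key=lambda s: s["phase"])
        run = [ordered[0]]
        for step in ordered[1:]:
            if step["phase"] - run[-1]["phase"] > 1:
                result.append({"object": obj, "steps": run})
                run = []
            run.append(step)
        result.append({"object": obj, "steps": run})
    return result


def build_target_strategy(risk_data, knowledge_base):
    """S801 through S900: the target repair strategy is the list of combined strategies."""
    labels = risk_type_labels(risk_data)
    return combined_strategies(steps_by_object(classified_strategies(labels, knowledge_base)))


if __name__ == "__main__":
    for combo in build_target_strategy(RISK_DATA, KNOWLEDGE_BASE):
        print(combo["object"], [s["action"] for s in combo["steps"]])
```

With the constructed data the router's two steps form one continuous run, the host's steps split into two combined strategies because phase 3 is missing, and the directory has one. A practitioner wiring this into the unattended workflow described below would put an approval gate in front of any combined strategy whose object is shared infrastructure such as the router, since a misclassified domain would otherwise trigger a network-wide change.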
It should also be noted that the workflow of the target repair strategy is editable, and the automated assistance it provides for risk emergency response covers practical scenarios beyond the automatic repair of compromised hosts. Once configured, the workflow executes automatically without human intervention, which shortens the response time to a risk: as soon as a host is confirmed to be compromised it is repaired quickly and automatically, and the whole process is logged so that administrators can trace it afterwards.
The target repair strategy obtained in this way repairs all objects involved in the repair process at the same time, improving repair efficiency, avoiding more serious losses for the enterprise and safeguarding its network.
Step S1000: repair the compromised host based on the target repair strategy.
The repair may be carried out automatically by the target host according to the generated target repair strategy.
Furthermore, after gaining control of a compromised host, an attacker not only steals the data stored on it but also uses it as a springboard to attack other hosts that have an access relationship with it, putting those hosts at risk as well. Therefore, after the compromised host has been determined, the other hosts with which it has an access relationship must also be determined so that they can be repaired at the same time, comprehensively safeguarding the enterprise network.
In one embodiment, as shown in FIG. 9, which illustrates an optional method embodiment for determining the other hosts (target objects) according to an exemplary embodiment of the present application, the method includes the following steps:
Step S1001: obtain the network security events of the compromised host, a network security event being an event caused by the compromised host that harms the network, information systems or data.
A network security event is an event that, owing to human action, software or hardware defects or failures of a host, natural disasters and the like, harms the network and information systems or the data in them and has a negative effect on society; such events can be classified as harmful program events, network attack events, information destruction events, information content security events, equipment and facility failures, disaster events and other events. Here the events of interest are those of the compromised host, that is, events in which the network, information systems or data are harmed as a result of the compromised host's software or hardware defects or failures. The compromised host's network security events come from the initial security data, and more specifically from the log data within the initial security data.
Step S1002: determine the attack path of the compromised host based on the network security events.
From the network security events obtained from the compromised host's initial security data, the interactions between the compromised host and other hosts can be reconstructed in chronological order, yielding the compromised host's attack path.
Step S1003: determine, from the attack path, the target objects that have an access relationship with the compromised host.
The attack path records the interactions between the compromised host and other hosts or objects, so the target objects (that is, the other hosts) with which the compromised host has an access relationship can be determined from the reconstructed attack path. The access relationship covers the compromised host actively accessing the target object and/or the target object accessing the compromised host.
Once the target objects have been determined by the method above, the compromised host and the target objects can be repaired simultaneously as follows:
send the target repair strategy to the compromised host and the target objects, so that the compromised host and the target objects perform the corresponding repair operations according to the target repair strategy.
Finally, based on the target repair strategy obtained by the process above and the determined target objects, this embodiment may send the part of the target repair strategy that concerns the compromised host to the compromised host and the part that concerns a target object to that target object, thereby instructing the compromised host and the target objects to carry out the corresponding repair operations according to the steps of the strategy at the same time. This achieves fast repair of both the compromised host and the target objects, avoiding more serious losses for the enterprise and safeguarding its network.
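Steps S1001 to S1003 and the dispatch step that follows, as an added Python example that is not the patent's code: constructed log-derived events are replayed in time order to reconstruct the compromised host's attack path, the target objects are read off the path, and a constructed target repair strategy is split into the part for the compromised host and the part for each target object. Hostnames, timestamps and the strategy contents are invented. The reconstruction generalises the page's direct access relationship: outbound accesses are followed hop by hop, so a host reached at time t only contributes the accesses it makes after t; `direct_targets()` returns exactly what the patent describes, while `all_targets()` also returns the further hops.

```python
"""Added example (not the patent's code): attack-path reconstruction (S1001-S1003)
and per-host dispatch of the target repair strategy."""

COMPROMISED = "ws-42"  # hypothetical host already determined to be compromised

# Constructed security events taken from log data: source, destination and time.
# Timestamps are ISO-8601 strings in one time zone, so they sort lexically.
# The list is deliberately not in time order.
EVENTS = [
    {"ts": "2023-03-01T09:07:30", "src": "ws-42", "dst": "fs-01", "kind": "smb"},
    {"ts": "2023-03-01T08:55:00", "src": "jump-01", "dst": "ws-42", "kind": "rdp"},
    {"ts": "2023-03-01T09:00:00", "src": "10.0.0.5", "dst": "cdn.example.net", "kind": "dns"},
    {"ts": "2023-03-01T09:01:00", "src": "dc-01", "dst": "ws-99", "kind": "ldap"},
    {"ts": "2023-03-01T09:02:00", "src": "ws-42", "dst": "dc-01", "kind": "ldap"},
    {"ts": "2023-03-01T09:05:10", "src": "ws-17", "dst": "ws-42", "kind": "smb"},
    {"ts": "2023-03-01T09:09:00", "src": "fs-01", "dst": "backup-01", "kind": "smb"},
]

# Constructed target repair strategy. "scope" says which side of the access
# relationship a step is meant for; that field is this example's own encoding.
TARGET_STRATEGY = [
    {"scope": "compromised", "action": "isolate from network"},
    {"scope": "compromised", "action": "collect memory image"},
    {"scope": "target", "action": "scan for the same indicators"},
    {"scope": "target", "action": "force credential reset"},
]


def attack_path(events, compromised):
    """S1002: replay the events chronologically. An event joins the path if it
    accesses the compromised host, or if its source is the compromised host or a
    host the path has already reached. Because the replay is chronological, a
    reached host contributes only the accesses it makes after it was reached
    (dc-01's 09:01 access to ws-99 is therefore excluded)."""
    reached = {compromised}
    path = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["dst"] == compromised and event["src"] != compromised:
            path.append(event)  # something accessed the compromised host
        elif event["src"] in reached:
            path.append(event)  # outbound access from the compromised host or a later hop
            reached.add(event["dst"])
    return path


def direct_targets(path, compromised):
    """S1003 as the patent states it: hosts with a direct access relationship to
    the compromised host, in either direction."""
    targets = set()
    for event in path:
        if event["src"] == compromised:
            targets.add(event["dst"])
        elif event["dst"] == compromised:
            targets.add(event["src"])
    return targets


def all_targets(path, compromised):
    """Every host on the reconstructed path other than the compromised host."""
    return {h for e in path for h in (e["src"], e["dst"])} - {compromised}


def dispatch(strategy, compromised, targets):
    """Split the target repair strategy: compromised-host steps go to the
    compromised host, target steps go to each target object."""
    plan = {compromised: [s["action"] for s in strategy if s["scope"] == "compromised"]}
    for host in sorted(targets):
        plan[host] = [s["action"] for s in strategy if s["scope"] == "target"]
    return plan


if __name__ == "__main__":
    path = attack_path(EVENTS, COMPROMISED)
    for event in path:
        print(event["ts"], event["src"], "->", event["dst"], event["kind"])
    print(dispatch(TARGET_STRATEGY, COMPROMISED, direct_targets(path, COMPROMISED)))
```

The unrelated DNS event and the out-of-window dc-01 access are dropped, fs-01's later access to backup-01 is kept as a second hop, and the plan keyed by hostname is what the sending step would hand to each endpoint.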
Combining the results of retrospective analysis of the compromised host with target asset information and other data, this embodiment uses SOAR (security orchestration, automation and response) technology to flexibly formulate a target repair strategy for the compromised host and execute the corresponding emergency response operations, tightly integrating risk identification with the security protection devices, so that compromised hosts are confirmed and automatically repaired while the accuracy and precision of the handling are preserved alongside efficiency.
It should be understood that, although the steps in the flowcharts of the embodiments above are shown in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict ordering constraint on these steps, and they may be executed in other orders. Moreover, at least some of the steps in those flowcharts may comprise several sub-steps or stages, which need not be completed at the same moment but may be executed at different times, and the order of those sub-steps or stages is not necessarily sequential; they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, an embodiment of the present application further provides a device for determining a compromised host, used to implement the method for determining a compromised host described above. The solution implemented by this device is similar to the one described for the method, so for the specific limitations in the one or more device embodiments below, reference may be made to the limitations given above for the method, which are not repeated here.
In one embodiment, as shown in FIG. 10, a device 2000 for determining a compromised host is provided. The device includes an acquisition module 2001, a fusion module 2002, a detection and screening module 2003 and a determination module 2004:
the acquisition module 2001 is configured to obtain the initial security data of each host to be detected, the initial security data being data generated by the host to be detected during operation;
the fusion module 2002 is configured to fuse the initial security data by a heterogeneous data fusion method to obtain target security data;
the detection and screening module 2003 is configured to input each domain name to be detected in the target security data into a detection model for malicious domain name detection and, based on the detection result, screen suspected hosts out of the hosts to be detected, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal and malicious domain names;
the determination module 2004 is configured to determine the compromised host among the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the determination module 2004 is specifically configured to determine that a suspected host is a compromised host if risk data is present in its initial security data, the risk data including at least one of target asset data, vulnerability data, target user data and threat intelligence data, target asset data being asset data whose confidentiality level exceeds a predetermined level, and target user data being data of users holding predetermined operation permissions.
In one embodiment, the device further includes a repair module (not shown in the figure).
The repair module is configured to obtain the risk data of the compromised host; determine the risk type of the compromised host based on that risk data; based on the risk type, obtain from the security knowledge base at least one classified repair strategy corresponding to the risk type, the security knowledge base containing multiple risk types and multiple classified repair strategies corresponding to them; combine the classified repair strategies corresponding to the risk type according to a predetermined logical relationship to obtain the target repair strategy, the predetermined logical relationship representing the association between the classified repair strategies; and repair the compromised host based on the target repair strategy.
In one embodiment, the repair module is specifically configured to obtain the label of the risk type, labels being used to mark the different risk types, and to obtain from the security knowledge base at least one classified repair strategy corresponding to that label, the security knowledge base containing the label of each risk type and multiple classified repair strategies corresponding to each label.
In one embodiment, the repair module is further configured to determine, from the classified repair strategies, multiple operation objects and the multiple target execution steps associated with each operation object; combine the target execution steps associated with each operation object to obtain multiple combined repair strategies; and take each combined repair strategy as a target repair strategy.
In one embodiment, the repair module is further configured to sort the target execution steps associated with each operation object according to a target order to obtain the multiple combined repair strategies, the target order being an order that satisfies continuity of operation.
In one embodiment, the fusion module 2002 is further configured to fuse the initial security data by the heterogeneous data fusion method to obtain intermediate security data, and to standardise the intermediate security data to obtain the target security data, the standardisation constraining the data format of the security data and the representation of its content.
In one embodiment, the determination module 2004 is further configured to obtain the network security events of the compromised host, a network security event being an event caused by the compromised host that harms the network, information systems or data; determine the attack path of the compromised host based on the network security events; and determine, from the attack path, the target objects that have an access relationship with the compromised host.
In one embodiment, the repair module is further configured to send the target repair strategy to the compromised host and the target objects, so that the compromised host and the target objects perform the corresponding repair operations according to the target repair strategy.
In one embodiment, the device further includes a training module (not shown in the figure).
The training module is configured to obtain multiple normal domain names and multiple malicious domain names; extract the feature information of each normal domain name and of each malicious domain name, the feature information including at least one of the character randomness of the domain name, the character length, the proportion of vowels among the characters, the proportion of unique characters and the top-level domain; and train a long short-term memory neural network on the feature information of the normal and malicious domain names to obtain the detection model.
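The training module's feature set and the screening step of the detection module, as an added Python example that is not the patent's code and uses only the standard library: the five features are computed over the label to the left of the top-level domain (this example's choice; multi-part public suffixes such as co.uk are not handled), and a logistic regression trained by gradient descent stands in for the long short-term memory network the patent trains, which would need a deep-learning framework. The training domains and the host-to-domain mapping are constructed. A deployment would train on a large benign list and known DGA feeds, and because the page lets the result drive automatic repair, the false-positive rate on legitimately random-looking hostnames (CDN and cloud-generated labels) is the figure to measure before enabling that.

```python
"""Added example (not the patent's code): the domain features named in the
training module, a logistic-regression stand-in for the LSTM, and the
detection module's suspected-host screening."""
import math

VOWELS = set("aeiou")
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}  # TLD encoding chosen for this example
FEATURE_ORDER = ["entropy", "length", "vowel_ratio", "unique_ratio", "common_tld"]

# Constructed training data: ordinary brand names versus consonant-heavy DGA-like labels.
BENIGN = ["google.com", "wikipedia.org", "github.com", "microsoft.com",
          "amazon.com", "example.com", "mozilla.org", "python.org"]
MALICIOUS = ["xkqzvbtrwplmnd.com", "qwrtypsdfgh.net", "zmxncbvlkjh.info",
             "pqwrtykslmnbvc.biz", "hjkfdsa9876q.ru", "vbnmqwrtzpkdf.xyz",
             "ghjklzxcvbnm.top", "sdfqwrzxcvtk.cc"]


def shannon_entropy(text):
    """Character randomness measured as Shannon entropy, in bits per character."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_features(domain):
    """The five features from the training module, computed on the label left of the TLD."""
    parts = domain.lower().strip(".").split(".")
    tld = parts[-1]
    name = parts[-2] if len(parts) > 1 else parts[0]
    n = len(name)
    return {
        "entropy": shannon_entropy(name),
        "length": float(n),
        "vowel_ratio": sum(ch in VOWELS for ch in name) / n,
        "unique_ratio": len(set(name)) / n,
        "common_tld": 1.0 if tld in COMMON_TLDS else 0.0,
    }


def _vector(domain):
    feats = domain_features(domain)
    return [feats[k] for k in FEATURE_ORDER]


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class LogisticModel:
    """Stand-in for the LSTM: a linear model over standardised features."""

    def __init__(self, weights, bias, means, scales):
        self.weights, self.bias, self.means, self.scales = weights, bias, means, scales

    def score(self, domain):
        """Probability that the domain is malicious."""
        z = [(v - m) / s for v, m, s in zip(_vector(domain), self.means, self.scales)]
        return _sigmoid(sum(w * zi for w, zi in zip(self.weights, z)) + self.bias)


def train(benign, malicious, epochs=2000, lr=0.1):
    """Full-batch gradient descent on the logistic loss. Features are standardised
    with the training-set mean and standard deviation so length does not dominate."""
    rows = [_vector(d) for d in benign + malicious]
    labels = [0.0] * len(benign) + [1.0] * len(malicious)
    k, n = len(FEATURE_ORDER), len(rows)
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    scales = [max(1e-9, math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n))
              for j in range(k)]
    z_rows = [[(r[j] - means[j]) / scales[j] for j in range(k)] for r in rows]
    w, b = [0.0] * k, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * k, 0.0
        for z, t in zip(z_rows, labels):
            err = _sigmoid(sum(wj * zj for wj, zj in zip(w, z)) + b) - t
            grad_b += err
            for j in range(k):
                grad_w[j] += err * z[j]
        w = [wj - lr * g / n for wj, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return LogisticModel(w, b, means, scales)


def suspected_hosts(model, host_domains, threshold=0.5):
    """Detection and screening: a host is suspected when any domain it queried scores malicious."""
    return sorted(host for host, domains in host_domains.items()
                  if any(model.score(d) >= threshold for d in domains))


if __name__ == "__main__":
    model = train(BENIGN, MALICIOUS)
    # Constructed host-to-domain mapping, as it would come from the fused target security data.
    queries = {"ws-42": ["google.com", "rlkwjfnvqpzxm.net"], "ws-17": ["openssl.org"]}
    print(suspected_hosts(model, queries))
```

The entropy, vowel and unique-character features separate these two populations on their own; the value of the LSTM in the patent's design is that it can learn from the character sequence directly and does not depend on hand-chosen features like these.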
The modules of the device for determining a compromised host described above may be implemented wholly or partly in software, hardware or a combination of the two. The modules may be embedded in, or independent of, the processor of a computer device in hardware form, or stored in software form in the memory of the computer device so that the processor can invoke them to execute the operations corresponding to each module.
In one embodiment, a computer device is provided whose internal structure may be as shown in FIG. 11. The computer device includes a processor, a memory and a network interface connected through a system bus. The processor provides computing and control capability. The memory includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, a computer program and a database, and the internal memory provides the runtime environment for the operating system and the computer program held in the non-volatile storage medium. The database stores the security data of each host to be detected. The network interface communicates with external terminals over a network connection. When executed by the processor, the computer program implements a method for determining a compromised host.
Those skilled in the art will understand that the structure shown in FIG. 11 is merely a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown, combine certain components, or arrange the components differently.
In one embodiment, a computer device is provided, including a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the following steps:
obtaining the initial security data of each host to be detected, the initial security data being data generated by the host to be detected during operation;
fusing the initial security data by a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection and, based on the detection result, screening suspected hosts out of the hosts to be detected, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal and malicious domain names;
determining the compromised host among the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the processor further implements the following steps when executing the computer program:
if risk data is present in the initial security data of a suspected host, determining that the suspected host is a compromised host, the risk data including at least one of target asset data, vulnerability data, target user data and threat intelligence data, target asset data being asset data whose confidentiality level exceeds a predetermined level, and target user data being data of users holding predetermined operation permissions.
In one embodiment, the processor further implements the following steps when executing the computer program:
obtaining the risk data of the compromised host; determining the risk type of the compromised host based on that risk data; based on the risk type, obtaining from the security knowledge base at least one classified repair strategy corresponding to the risk type, the security knowledge base containing multiple risk types and multiple classified repair strategies corresponding to them; combining the classified repair strategies corresponding to the risk type according to a predetermined logical relationship to obtain the target repair strategy, the predetermined logical relationship representing the association between the classified repair strategies; and repairing the compromised host based on the target repair strategy.
In one embodiment, the processor further implements the following steps when executing the computer program:
obtaining the label of the risk type, labels being used to mark the different risk types; obtaining from the security knowledge base at least one classified repair strategy corresponding to that label, the security knowledge base containing the label of each risk type and multiple classified repair strategies corresponding to each label.
In one embodiment, the processor further implements the following steps when executing the computer program:
determining, from the classified repair strategies, multiple operation objects and the multiple target execution steps associated with each operation object; combining the target execution steps associated with each operation object to obtain multiple combined repair strategies; taking each combined repair strategy as a target repair strategy.
In one embodiment, the processor further implements the following steps when executing the computer program:
sorting the target execution steps associated with each operation object according to a target order to obtain the multiple combined repair strategies, the target order being an order that satisfies continuity of operation.
In one embodiment, the processor further implements the following steps when executing the computer program:
fusing the initial security data by the heterogeneous data fusion method to obtain intermediate security data; standardising the intermediate security data to obtain the target security data, the standardisation constraining the data format of the security data and the representation of its content.
In one embodiment, the processor further implements the following steps when executing the computer program:
obtaining the network security events of the compromised host, a network security event being an event caused by the compromised host that harms the network, information systems or data; determining the attack path of the compromised host based on the network security events; determining, from the attack path, the target objects that have an access relationship with the compromised host.
In one embodiment, the processor further implements the following steps when executing the computer program:
sending the target repair strategy to the compromised host and the target objects, so that the compromised host and the target objects perform the corresponding repair operations according to the target repair strategy.
In one embodiment, the processor further implements the following steps when executing the computer program:
obtaining multiple normal domain names and multiple malicious domain names; extracting the feature information of each normal domain name and of each malicious domain name, the feature information including at least one of the character randomness of the domain name, the character length, the proportion of vowels among the characters, the proportion of unique characters and the top-level domain; training a long short-term memory neural network on the feature information of the normal and malicious domain names to obtain the detection model.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored; when executed by a processor, the computer program implements the following steps:
obtaining the initial security data of each host to be detected, the initial security data being data generated by the host to be detected during operation;
fusing the initial security data by a heterogeneous data fusion method to obtain target security data;
inputting each domain name to be detected in the target security data into a detection model for malicious domain name detection and, based on the detection result, screening suspected hosts out of the hosts to be detected, where the domain names to be detected of a suspected host include a malicious domain name and the detection model is trained on normal and malicious domain names;
determining the compromised host among the suspected hosts based on the initial security data of the suspected hosts.
In one embodiment, the computer program further implements the following steps when executed by the processor:
if risk data is present in the initial security data of a suspected host, determining that the suspected host is a compromised host, the risk data including at least one of target asset data, vulnerability data, target user data and threat intelligence data, target asset data being asset data whose confidentiality level exceeds a predetermined level, and target user data being data of users holding predetermined operation permissions.
In one embodiment, the computer program further implements the following steps when executed by the processor:
obtaining the risk data of the compromised host; determining the risk type of the compromised host based on that risk data; based on the risk type, obtaining from the security knowledge base at least one classified repair strategy corresponding to the risk type, the security knowledge base containing multiple risk types and multiple classified repair strategies corresponding to them; combining the classified repair strategies corresponding to the risk type according to a predetermined logical relationship to obtain the target repair strategy, the predetermined logical relationship representing the association between the classified repair strategies; and repairing the compromised host based on the target repair strategy.
In one embodiment, the computer program further implements the following steps when executed by the processor:
obtaining the label of the risk type, labels being used to mark the different risk types; obtaining from the security knowledge base at least one classified repair strategy corresponding to that label, the security knowledge base containing the label of each risk type and multiple classified repair strategies corresponding to each label.
In one embodiment, the computer program further implements the following steps when executed by the processor:
determining, from the classified repair strategies, multiple operation objects and the multiple target execution steps associated with each operation object; combining the target execution steps associated with each operation object to obtain multiple combined repair strategies; taking each combined repair strategy as a target repair strategy.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
将与各操作对象相关联的多条目标执行步骤按照目标顺序进行排序,得到多个组合修复策略,目标顺序为满足连续性操作的顺序。Multiple target execution steps associated with each operation object are sorted according to the target sequence to obtain multiple combined repair strategies, and the target sequence is the sequence that satisfies the continuous operation.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
基于异构数据融合法对各初始安全数据进行融合,得到中间安全数据;对中间安全数据进行标准化处理,得到目标安全数据,标准化处理用于限定安全数据的数据格式以及数据内容的表现形式。Based on the heterogeneous data fusion method, the initial security data is fused to obtain the intermediate security data; the intermediate security data is standardized to obtain the target security data, and the standardized processing is used to limit the data format of the security data and the expression form of the data content.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
获取失陷主机的网络安全事件,网络安全事件是指由失陷主机引发的网络、信息系统以及数据发生危害的事件;基于网络安全事件,确定失陷主机的攻击路径;从攻击路径中确定与失陷主机具有访问关系的目标对象。Obtain the network security events of the lost host. Network security events refer to the events caused by the lost host that cause harm to the network, information system, and data; based on the network security events, determine the attack path of the lost host; The target object of the access relationship.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
将目标修复策略发送至失陷主机和目标对象,以使失陷主机以及目标对象基于目标修复策略执行对应的修复操作。The target recovery policy is sent to the compromised host and the target object, so that the compromised host and the target object perform corresponding recovery operations based on the target recovery policy.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
获取多个正常域名和多个恶意域名;提取各正常域名的特征信息以及各恶意域名的特征信息,特征信息包括域名的字符随机性、字符的长度、字符中元音字母的比例、字符中唯一字符的比例以及顶级域名中的至少一个;基于各正常域名的特征信息以及各恶意域名的特征信息,对长短期记忆神经网络进行训练,得到检测模型。Obtain multiple normal domain names and multiple malicious domain names; extract feature information of each normal domain name and feature information of each malicious domain name, feature information includes character randomness of the domain name, character length, proportion of vowels in characters, and uniqueness among characters The proportion of characters and at least one of the top-level domain names; based on the feature information of each normal domain name and the feature information of each malicious domain name, the long-short-term memory neural network is trained to obtain a detection model.
在一个实施例中,提供了一种计算机程序产品,包括计算机程序,该计算机程序被处理器执行时实现以下步骤:In one embodiment, a computer program product is provided, comprising a computer program, which, when executed by a processor, implements the following steps:
获取各待检测主机的初始安全数据,初始安全数据是待检测主机在运行过程中产生的数据;Obtain the initial security data of each host to be detected, the initial security data is the data generated during the operation of the host to be detected;
基于异构数据融合法对各初始安全数据进行融合,得到目标安全数据;Based on the heterogeneous data fusion method, the initial safety data is fused to obtain the target safety data;
将目标安全数据中的各待检测域名输入至检测模型中进行恶意域名检测,并基于检测结果从各待检测主机中筛选出疑似主机,疑似主机的各待检测域名中包括恶意域名,检测模型由正常域名与恶意域名训练所得;Input the domain names to be detected in the target security data into the detection model for malicious domain name detection, and screen out suspected hosts from each host to be detected based on the detection results. The domain names to be detected of the suspected hosts include malicious domain names. The detection model consists of Normal domain name and malicious domain name training;
基于疑似主机的初始安全数据,从疑似主机中确定失陷主机。Based on the initial security data of the suspected hosts, the compromised hosts are determined from the suspected hosts.
在一个实施例中,计算机程序被处理器执行时还实现以下步骤:In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
若疑似主机的初始安全数据中存在风险数据,则确定疑似主机为失陷主机,风险数据包括目标资产数据、漏洞数据、目标用户数据以及威胁情报数据中的至少一种,目标资产数据为保密等级大于预定等级的资产数据,目标用户数据为具有预定操作权限的用户数据。If there is risk data in the initial security data of the suspected host, it is determined that the suspected host is a compromised host, and the risk data includes at least one of target asset data, vulnerability data, target user data, and threat intelligence data, and the target asset data has a confidentiality level greater than Predetermined level of asset data, target user data is user data with predetermined operation authority.
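The steps above (obtain per-host initial security data, fuse it by a heterogeneous data fusion method, normalise it, screen suspected hosts by malicious domain, then confirm compromise from the presence of risk data) as one added worked example in Python. This is not code from the patent or its applicant: the source formats, field names, the confidentiality threshold, the privileged-role set and every sample record are constructed here, and a constructed blocklist stands in for the trained detection model.

```python
"""Added example (not code from the patent): fuse per-host security
records from heterogeneous sources into one normalised schema, screen
suspected hosts by malicious domain, then confirm compromise by the
presence of risk data.  Sources, fields, thresholds and records are
all constructed for illustration."""
from collections import defaultdict

# Constructed sample records from three hypothetical sources.  Each
# source uses its own field names and formats; absorbing that is the
# job of the fusion step.
DNS_LOG = [
    {"client_ip": "10.0.0.5", "qname": "WWW.EXAMPLE.COM.", "ts": "2022-10-20T08:00:00Z"},
    {"client_ip": "10.0.0.5", "qname": "kq3x9z.xyz.", "ts": "2022-10-20T08:00:05Z"},
    {"client_ip": "10.0.0.7", "qname": "updates.example.org.", "ts": "2022-10-20T08:01:00Z"},
    {"client_ip": "10.0.0.9", "qname": "zz81pq.top.", "ts": "2022-10-20T08:02:00Z"},
]
ASSET_INVENTORY = [
    {"ip": "10.0.0.5", "hostname": "fin-db-01", "classification": 4},
    {"ip": "10.0.0.7", "hostname": "kiosk-02", "classification": 1},
    {"ip": "10.0.0.9", "hostname": "dev-03", "classification": 2},
]
VULN_SCAN = [
    {"host": "10.0.0.7", "finding": "outdated-openssl", "severity": "high"},
]
IAM_EXPORT = [
    {"ip": "10.0.0.5", "user": "svc-backup", "roles": ["domain-admin"]},
    {"ip": "10.0.0.7", "user": "guest", "roles": []},
]

CONFIDENTIAL_LEVEL = 3                        # assumed "predetermined level"
PRIVILEGED_ROLES = {"domain-admin", "root"}   # assumed "predetermined permissions"


def normalise_domain(name: str) -> str:
    """Normalisation step: lower-case and strip the trailing dot so one
    domain has exactly one representation across sources."""
    return name.strip().lower().rstrip(".")


def fuse(dns, assets, vulns, iam):
    """Heterogeneous fusion: key every source on the host IP and merge
    into one record per host with fixed field names."""
    hosts = defaultdict(lambda: {"domains": set(), "assets": [], "vulns": [],
                                 "users": [], "intel": []})
    for r in dns:
        hosts[r["client_ip"]]["domains"].add(normalise_domain(r["qname"]))
    for r in assets:
        hosts[r["ip"]]["assets"].append(r)
    for r in vulns:
        hosts[r["host"]]["vulns"].append(r)
    for r in iam:
        hosts[r["ip"]]["users"].append(r)
    return dict(hosts)


def risk_data(rec):
    """Risk data present in a fused host record: high-classification
    assets, vulnerabilities, privileged users and intel hits."""
    return {
        "target_assets": [a for a in rec["assets"] if a["classification"] > CONFIDENTIAL_LEVEL],
        "vulnerabilities": rec["vulns"],
        "target_users": [u for u in rec["users"] if PRIVILEGED_ROLES & set(u["roles"])],
        "threat_intel": rec["intel"],
    }


def classify_hosts(fused, is_malicious):
    """Screen suspected hosts (any malicious domain), then mark those
    with any risk data as compromised.  `is_malicious` stands in for the
    patent's trained detection model."""
    suspected, compromised = [], []
    for ip, rec in sorted(fused.items()):
        if not any(is_malicious(d) for d in rec["domains"]):
            continue
        suspected.append(ip)
        if any(risk_data(rec).values()):
            compromised.append(ip)
    return suspected, compromised


def demo_is_malicious(domain: str) -> bool:
    """Constructed blocklist standing in for the detection model."""
    return domain in {"kq3x9z.xyz", "zz81pq.top"}
```

With the constructed records, both 10.0.0.5 and 10.0.0.9 resolve a malicious domain and are screened as suspected, but only 10.0.0.5 carries risk data (a classification-4 asset and a domain-admin account), so only it is confirmed as compromised; that distinction is the point of the two-stage determination.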
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
obtaining risk data of the compromised host; determining the risk type of the compromised host based on its risk data; obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from a security knowledge base, the security knowledge base containing multiple risk types and the multiple classified repair strategies corresponding to them; combining the classified repair strategies corresponding to the risk type according to a predetermined logical relationship to obtain a target repair strategy, the predetermined logical relationship characterising the association between the classified repair strategies; and repairing the compromised host based on the target repair strategy.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
obtaining a label of the risk type, the label being used to mark different risk types; and obtaining the classified repair strategy corresponding to the label of the risk type from the security knowledge base, which contains the label corresponding to each risk type and the classified repair strategy corresponding to each label.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
obtaining a label of the risk type, the label being used to mark different risk types; and obtaining at least one classified repair strategy corresponding to the label of the risk type from the security knowledge base, which contains the label corresponding to each risk type and the multiple classified repair strategies corresponding to each label.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
sorting the target execution steps associated with each operation object in a target order to obtain the multiple combined repair strategies, the target order being an order that satisfies continuity of operations.
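An added example (not the patent's own code) of the repair-strategy composition described in the embodiments above: risk-type labels are derived from the risk data, classified repair strategies are fetched from a knowledge base by label, and their steps are grouped per operation object and ordered to satisfy continuity of operations. The knowledge base contents, the labels, the action names and the stage-number ordering scheme are assumptions made for the illustration.

```python
"""Added example (not code from the patent): label the risk types found
in a compromised host's risk data, look up classified repair strategies
by label in a knowledge base, and combine them into one ordered target
strategy per operation object.  Knowledge base, labels, action names
and the stage-number ordering are constructed assumptions."""
from collections import defaultdict

# Constructed security knowledge base.  A classified repair strategy is a
# list of execution steps; each step names the operation object it acts
# on, the action, and a stage number that encodes continuity: lower
# stages must run before higher ones on the same object.
KNOWLEDGE_BASE = {
    "malicious-domain": [
        [{"object": "host", "action": "block-dns", "stage": 1},
         {"object": "firewall", "action": "sinkhole-domain", "stage": 1}],
    ],
    "vulnerability": [
        [{"object": "host", "action": "isolate", "stage": 0},
         {"object": "host", "action": "patch", "stage": 2},
         {"object": "host", "action": "reboot", "stage": 3}],
    ],
    "privileged-user": [
        [{"object": "identity", "action": "revoke-sessions", "stage": 0},
         {"object": "identity", "action": "rotate-credentials", "stage": 1},
         {"object": "host", "action": "isolate", "stage": 0}],
    ],
    "confidential-asset": [
        [{"object": "host", "action": "snapshot-disk", "stage": 1},
         {"object": "host", "action": "isolate", "stage": 0}],
    ],
}

# Assumed mapping from a risk-data category to its risk-type label.
LABELS = {
    "target_assets": "confidential-asset",
    "vulnerabilities": "vulnerability",
    "target_users": "privileged-user",
    "threat_intel": "malicious-domain",
}


def risk_types(risk):
    """Risk-type labels for whichever risk-data categories are non-empty."""
    return sorted(LABELS[k] for k, v in risk.items() if v)


def classified_strategies(labels):
    """Every classified repair strategy stored under the given labels."""
    out = []
    for lab in labels:
        out.extend(KNOWLEDGE_BASE.get(lab, []))
    return out


def combine(strategies):
    """Group steps by operation object, order them by stage so continuity
    is preserved, and drop repeats (e.g. 'isolate' contributed by three
    strategies keeps its earliest stage).  Returns {object: [actions]}."""
    by_object = defaultdict(dict)
    for strat in strategies:
        for step in strat:
            cur = by_object[step["object"]].get(step["action"])
            if cur is None or step["stage"] < cur:
                by_object[step["object"]][step["action"]] = step["stage"]
    combined = {}
    for obj, actions in by_object.items():
        ordered = sorted(actions.items(), key=lambda kv: (kv[1], kv[0]))
        combined[obj] = [action for action, _ in ordered]
    return combined


def target_strategy(risk):
    """Full pipeline: risk data -> labels -> classified -> combined."""
    return combine(classified_strategies(risk_types(risk)))


# Constructed risk data for one compromised host.
DEMO_RISK = {
    "target_assets": [{"hostname": "fin-db-01", "classification": 4}],
    "vulnerabilities": [],
    "target_users": [{"user": "svc-backup", "roles": ["domain-admin"]}],
    "threat_intel": [{"indicator": "kq3x9z.xyz"}],
}
```

For `DEMO_RISK` three labels apply, and the combined strategy for the `host` object becomes isolate, block-dns, snapshot-disk: isolation comes first because every contributing strategy puts it at stage 0, and the duplicate isolate steps collapse into one.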
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
fusing the initial security data by the heterogeneous data fusion method to obtain intermediate security data; and normalising the intermediate security data to obtain the target security data, the normalisation constraining the data format of the security data and the representation of its content.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
obtaining network security events of the compromised host, a network security event being an event, caused by the compromised host, in which the network, an information system or data is harmed; determining the attack path of the compromised host based on the network security events; and determining, from the attack path, the target objects that have an access relationship with the compromised host.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
sending the target repair strategy to the compromised host and to the target objects, so that the compromised host and the target objects perform the corresponding repair operations based on the target repair strategy.
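An added example (not from the patent) for the attack-path step and the dispatch step above: a directed access graph is built from the compromised host's network security events, walked breadth-first to recover the attack path, and the objects reached along it are the targets that receive the repair strategy together with the host. The event fields, object names and the `send` callback are constructed for this illustration.

```python
"""Added example (not code from the patent): reconstruct the attack
path of a compromised host from its network security events, extract
the target objects that have an access relationship with it along that
path, and deliver a repair strategy to the host and each target.  The
event format, object names and the strategy are constructed."""
from collections import deque

# Constructed network security events.  Each records an access from
# `src` to `dst`; two of them are deliberately unrelated or cyclic to
# show that the walk ignores unreachable objects and does not loop.
EVENTS = [
    {"time": 1, "src": "fin-db-01", "dst": "file-srv-02", "action": "smb-write"},
    {"time": 2, "src": "fin-db-01", "dst": "dc-01", "action": "kerberos-ticket-request"},
    {"time": 3, "src": "file-srv-02", "dst": "backup-01", "action": "ssh-login"},
    {"time": 4, "src": "kiosk-02", "dst": "printer-01", "action": "ipp"},     # unrelated
    {"time": 5, "src": "backup-01", "dst": "fin-db-01", "action": "rdp"},     # back-edge
]


def access_graph(events):
    """Directed adjacency: src -> [(dst, event), ...] in time order."""
    graph = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        graph.setdefault(ev["src"], []).append((ev["dst"], ev))
    return graph


def attack_path(events, compromised):
    """Breadth-first walk from the compromised host.  Returns the events
    on the path in the order they were reached; a `seen` set stops the
    walk from re-expanding an object (the back-edge to the host is kept
    as evidence but not followed)."""
    graph = access_graph(events)
    seen = {compromised}
    path = []
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dst, ev in graph.get(node, []):
            path.append(ev)
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return path


def target_objects(events, compromised):
    """Objects with a direct or transitive access relationship to the
    compromised host on the attack path, excluding the host itself."""
    return sorted({ev["dst"] for ev in attack_path(events, compromised)} - {compromised})


def dispatch(strategy, compromised, targets, send):
    """Send the target repair strategy to the compromised host first and
    then to every target object.  `send(obj, strategy)` is the delivery
    callback (a constructed stand-in for the real transport)."""
    delivered = []
    for obj in [compromised] + list(targets):
        send(obj, strategy)
        delivered.append(obj)
    return delivered
```

For the constructed events, the walk from fin-db-01 reaches file-srv-02, dc-01 and (through file-srv-02) backup-01; printer-01 is never reached because the kiosk event is not on the path, and the rdp back-edge from backup-01 is recorded but does not cause a loop.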
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented:
obtaining multiple normal domain names and multiple malicious domain names; extracting feature information of each normal domain name and of each malicious domain name, the feature information including at least one of the character randomness of the domain name, the character length, the proportion of vowels among the characters, the proportion of unique characters among the characters, and the top-level domain; and training a long short-term memory (LSTM) neural network on the feature information of the normal domain names and of the malicious domain names to obtain the detection model.
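An added example for the detection-model training step above (the same step also closes the computer-device and storage-medium embodiments earlier on the page); it is not code from the patent. It computes the five feature types the claim names (character randomness as Shannon entropy, length, vowel proportion, unique-character proportion, and a top-level-domain indicator) and, in place of the long short-term memory network, trains a plain logistic-regression classifier by gradient descent on those features. The domain lists, the common-TLD set and the training hyperparameters are constructed assumptions.

```python
"""Added example (not code from the patent): extract the domain-name
features the claim lists and train a small classifier on them.  A
hand-rolled logistic regression stands in for the patent's LSTM; the
domain lists, the common-TLD set and hyperparameters are constructed."""
import math

VOWELS = set("aeiou")
# Assumption: a TLD outside this set is flagged by the TLD feature.
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}

# Constructed training data: ordinary domains (label 0) and DGA-like
# domains (label 1).  The malicious names are made up for this example.
BENIGN = ["google.com", "wikipedia.org", "example.net", "github.com",
          "stackoverflow.com", "microsoft.com", "mozilla.org", "python.org"]
MALICIOUS = ["kq3x9zptw1.xyz", "zz81pqvmx.top", "xj4kq9wlt7b.biz",
             "qwpz7h3kx2.info", "m9v2kx8qzp.xyz", "tq7x2mzw9kp.top",
             "p3zx9qkv7wl.biz", "hx8zq2kpv4.info"]


def features(domain: str):
    """The claim's feature set, computed on the registrable label, plus a
    binary indicator for the top-level domain."""
    parts = domain.lower().strip(".").split(".")
    tld = parts[-1]
    label = parts[-2] if len(parts) > 1 else parts[0]
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    # character randomness: Shannon entropy of the label's characters
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return [
        entropy,
        float(n),                                # character length
        sum(ch in VOWELS for ch in label) / n,   # proportion of vowels
        len(counts) / n,                         # proportion of unique chars
        0.0 if tld in COMMON_TLDS else 1.0,      # top-level domain indicator
    ]


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(domains, labels, epochs=400, lr=0.5):
    """Batch gradient descent for logistic regression on standardised
    features (z-scores from the training set).  Returns the model dict."""
    rows = [features(d) for d in domains]
    cols = list(zip(*rows))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
           for c, m in zip(cols, mean)]
    xs = [[(v - m) / s for v, m, s in zip(r, mean, std)] for r in rows]
    w, b = [0.0] * len(mean), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in zip(xs, labels):
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(xs) for wi, g in zip(w, gw)]
        b -= lr * gb / len(xs)
    return {"w": w, "b": b, "mean": mean, "std": std}


def predict(model, domain: str) -> float:
    """Probability that `domain` is malicious under the trained model."""
    x = [(v - m) / s for v, m, s in zip(features(domain), model["mean"], model["std"])]
    return _sigmoid(sum(wi * xi for wi, xi in zip(model["w"], x)) + model["b"])


def demo_model():
    """Train on the constructed lists above."""
    return train(BENIGN + MALICIOUS, [0] * len(BENIGN) + [1] * len(MALICIOUS))
```

On this tiny constructed set the vowel proportion and the TLD indicator already separate the two classes, so the learned model is only a demonstration of the feature pipeline; a benign name under an uncommon TLD (for example a `.co.uk` site, whose registrable label here would be `co`) would need a far larger training set and the sequence model the claim actually specifies before the classifier could be trusted.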
It will be readily understood that, on the basis of the several embodiments provided in this application, a person skilled in the art can combine, split or recombine the embodiments of this application to obtain further embodiments, none of which falls outside the scope of protection of this application.
The specific embodiments above describe the objectives, technical solutions and beneficial effects of the embodiments of this application in further detail. It should be understood that the above are merely specific embodiments of this application and are not intended to limit the scope of protection of the embodiments of this application; any modification, equivalent replacement, improvement or the like made on the basis of the technical solutions of the embodiments of this application shall fall within the scope of protection of the embodiments of this application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211287900.XA CN115643082A (en) | 2022-10-20 | 2022-10-20 | Method and device for determining lost host and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211287900.XA CN115643082A (en) | 2022-10-20 | 2022-10-20 | Method and device for determining lost host and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115643082A true CN115643082A (en) | 2023-01-24 |
Family
ID=84944995
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211287900.XA Pending CN115643082A (en) | 2022-10-20 | 2022-10-20 | Method and device for determining lost host and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115643082A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116415237A (en) * | 2023-03-03 | 2023-07-11 | 港珠澳大桥管理局 | Risk device identification method, apparatus, computer device and storage medium |
CN116415237B (en) * | 2023-03-03 | 2024-03-19 | 港珠澳大桥管理局 | Risk device identification method, apparatus, computer device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109660539A (en) * | 2018-12-20 | 2019-04-19 | 北京神州绿盟信息安全科技股份有限公司 | It falls device identification method, device, electronic equipment and storage medium |
CN111431884A (en) * | 2020-03-18 | 2020-07-17 | 上海观安信息技术股份有限公司 | Host computer defect detection method and device based on DNS analysis |
CN114297632A (en) * | 2021-12-02 | 2022-04-08 | 安天科技集团股份有限公司 | Host failure detection method, device, electronic device and storage medium |
CN115001789A (en) * | 2022-05-27 | 2022-09-02 | 绿盟科技集团股份有限公司 | Method, device, equipment and medium for detecting defect-losing equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12058177B2 (en) | Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance | |
US12301628B2 (en) | Correlating network event anomalies using active and passive external reconnaissance to identify attack information | |
US11750659B2 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance | |
US20230208869A1 (en) | Generative artificial intelligence method and system configured to provide outputs for company compliance | |
US12041091B2 (en) | System and methods for automated internet- scale web application vulnerability scanning and enhanced security profiling | |
US20240241752A1 (en) | Risk profiling and rating of extended relationships using ontological databases | |
US20200389495A1 (en) | Secure policy-controlled processing and auditing on regulated data sets | |
Sun et al. | Data-driven cybersecurity incident prediction: A survey | |
US11601475B2 (en) | Rating organization cybersecurity using active and passive external reconnaissance | |
US20230362200A1 (en) | Dynamic cybersecurity scoring and operational risk reduction assessment | |
US20200412767A1 (en) | Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks | |
US20220210202A1 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis | |
US20210019674A1 (en) | Risk profiling and rating of extended relationships using ontological databases | |
US12206707B2 (en) | Rating organization cybersecurity using probe-based network reconnaissance techniques | |
US12021894B2 (en) | Phishing detection based on modeling of web page content | |
JP2012527691A (en) | System and method for application level security | |
US20230283641A1 (en) | Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement | |
Sommestad et al. | Variables influencing the effectiveness of signature-based network intrusion detection systems | |
US20170155683A1 (en) | Remedial action for release of threat data | |
CN116451215A (en) | Correlation analysis method and related equipment | |
Ryu et al. | Study on Trends and predictions of convergence in Cybersecurity Technology using machine learning | |
US20250039242A1 (en) | Kill-chain reconstruction | |
CN115643082A (en) | Method and device for determining lost host and computer equipment | |
US20240195841A1 (en) | System and method for manipulation of secure data | |
Nakano et al. | Understanding Characteristics of Phishing Reports from Experts and Non-Experts on Twitter |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |