
CN116389122A - An attack detection method, device, medium and machine based on abnormal state - Google Patents


Info

Publication number
CN116389122A
Authority
CN
China
Prior art keywords
attack
information
state
abnormal state
short sentence
Prior art date
Legal status
Granted
Application number
CN202310371707.2A
Other languages
Chinese (zh)
Other versions
CN116389122B (en)
Inventor
卜磊
王立敏
马乐之
李宣东
Current Assignee
Nanjing University
Original Assignee
Nanjing University

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an attack detection method, device, medium and machine based on abnormal state. The attack detection method of the invention is as follows: first, attack defect description text is captured from the Internet; the attack defect description text is then parsed to obtain a set of attack state transition information; the behavior of a machine executing an operating system and application programs is monitored, whether the machine is in an abnormal state is judged according to whether a behavior result is consistent with the attack state information in the state transition information set, and an abnormal-state warning is issued when an abnormal state occurs. The invention judges whether an attack is present by monitoring the transitions between attack states, which gives high judgment accuracy and essentially avoids the false alarm problem. In addition, the invention can track and download current attack behaviors, attack methods and the software vulnerabilities and defects they exploit in real time, so that the machine's attack model graph samples are kept up to date and the machine can respond to new attack methods in time.

Description

An attack detection method, device, medium and machine based on abnormal state

Technical field

The present invention relates to computer security technology.

Background

With the spread of the Internet, large numbers of devices connect to the network and use cloud resources, making online services ever more convenient, but this also exposes user privacy and enterprise operations to more network attack threats. In the current network environment, passive defense technologies such as traditional antivirus software can no longer meet network security needs; in recent years in particular, attackers have increasingly launched APT (Advanced Persistent Threat) attacks against specific targets. Because of the attacker's close involvement, APT attacks are long-running, highly concealed and quick to form variants, so countering them is very challenging. Active defense measures have therefore emerged to cope with the various network attacks. Active defense includes strengthening network security management, improving network security protection capabilities, and establishing sound security monitoring and early-warning mechanisms. Passive defense, by contrast, mostly takes countermeasures only after a network threat has appeared. Active defense has thus become an indispensable means of dealing with network threats and can reduce the network security risk of enterprises and individuals more effectively.

Attack detection is an indispensable part of active defense. At present, attack detection techniques fall into two main categories: rule-based attack detection and anomaly-based (anomaly localization) attack detection. Rule-based attack detection identifies and blocks known attacks using predefined rules. Its advantage is that known attacks are detected quickly and accurately, but it offers no effective defense against unknown attacks. Anomaly-based attack detection builds a model of normal network behavior and identifies unknown attacks by finding behavior that deviates from it. Its advantage is that unknown attacks can be identified effectively, but it is also prone to false positives. Existing work lacks an organic combination of the advantages of the two approaches; they cannot work together to maximize the accuracy and efficiency of attack detection.

Summary of the invention

The problem to be solved by the invention: improving the accuracy of attack detection.

To solve the above problem, the present invention adopts the following scheme:

An attack detection method based on abnormal state according to the present invention comprises the following steps:

Step S1: obtain the attack defect description text;

Step S2: parse the attack defect description text to obtain a set of attack state transition information;

Attack state transition information comprises a first attack state information set and a second attack state information set; both the first attack state information set and the second attack state information set are sets of attack state information;

Attack state information consists of an associated action and an action object;

Step S3: merge the attack state information of each set of attack state transition information, one item at a time, into a global attack state transition information set, by merging attack state information that matches identically;

Step S4: monitor the behavior of the machine in executing the operating system and application programs, judge whether the machine is in an abnormal state according to whether a behavior result is consistent with attack state information in the global attack state transition information set, and issue an abnormal-state warning when an abnormal state occurs;

Step S2 comprises the following steps:

Step S21: annotate entity nouns in the attack defect description text according to preset regular expressions and a domain-specific entity noun table;

Step S22: split the attack defect description text into short sentences, then decompose each short sentence into subject, predicate and object according to the annotated entity nouns to obtain short-sentence node information, and extract the dependency relationships between short sentences from a dependency-relation word table and the order of the short sentences, thereby obtaining the node transition relationships between the short-sentence node information corresponding to the short sentences;

Step S23: by similarity and inclusion matching between short-sentence node information, merge short-sentence node information that is semantically identical or stands in an inclusion relationship, and adjust the node transition relationships after merging;

Step S24: map short-sentence node information to attack state information according to its subject, predicate and object, and construct the corresponding attack state transition information according to the node transition relationships of the short-sentence node information corresponding to the attack state information; when mapping short-sentence node information to attack state information, if a piece of short-sentence node information cannot be mapped to attack state information, delete that short-sentence node information, modify the node transition relationships accordingly, and construct the attack state transition information from the modified node transition relationships.

Further, in the attack detection method based on abnormal state according to the present invention, issuing the abnormal-state warning in step S4 includes recording the abnormal state in a log, reporting the abnormal state over the network, and sending the abnormal state to a defense processing module.

Further, in the attack detection method based on abnormal state according to the present invention, in step S1 the attack behavior reports, attack method reports and software vulnerability/defect reports of specified websites are tracked, and when a new attack behavior report, attack method report or software vulnerability/defect report is found, its text content is captured as the attack defect description text.

An attack detection device based on abnormal state according to the present invention comprises the following modules:

Module M1 is used to: obtain the attack defect description text;

Module M2 is used to: parse the attack defect description text to obtain a set of attack state transition information;

Attack state transition information comprises a first attack state information set and a second attack state information set; both the first attack state information set and the second attack state information set are sets of attack state information;

Attack state information consists of an associated action and an action object;

Module M3 is used to: merge the attack state information of each set of attack state transition information, one item at a time, into a global attack state transition information set, by merging attack state information that matches identically;

Module M4 is used to: monitor the behavior of the machine in executing the operating system and application programs, judge whether the machine is in an abnormal state according to whether a behavior result is consistent with attack state information in the global attack state transition information set, and issue an abnormal-state warning when an abnormal state occurs;

Module M2 comprises the following modules:

Module M21 is used to: annotate entity nouns in the attack defect description text according to preset regular expressions and a domain-specific entity noun table;

Module M22 is used to: split the attack defect description text into short sentences, then decompose each short sentence into subject, predicate and object according to the annotated entity nouns to obtain short-sentence node information, and extract the dependency relationships between short sentences from a dependency-relation word table and the order of the short sentences, thereby obtaining the node transition relationships between the short-sentence node information corresponding to the short sentences;

Module M23 is used to: by similarity and inclusion matching between short-sentence node information, merge short-sentence node information that is semantically identical or stands in an inclusion relationship, and adjust the node transition relationships after merging;

Module M24 is used to: map short-sentence node information to attack state information according to its subject, predicate and object, and construct the corresponding attack state transition information according to the node transition relationships of the short-sentence node information corresponding to the attack state information; when mapping short-sentence node information to attack state information, if a piece of short-sentence node information cannot be mapped to attack state information, delete that short-sentence node information, modify the node transition relationships accordingly, and construct the attack state transition information from the modified node transition relationships.

Further, in the attack detection device based on abnormal state according to the present invention, issuing the abnormal-state warning in module M4 includes recording the abnormal state in a log, reporting the abnormal state over the network, and sending the abnormal state to a defense processing module.

Further, in the attack detection device based on abnormal state according to the present invention, module M1 is used to: track the attack behavior reports, attack method reports and software vulnerability/defect reports of specified websites, and when a new attack behavior report, attack method report or software vulnerability/defect report is found, capture its text content as the attack defect description text.

A medium according to the present invention stores a program instruction set readable by a machine, characterized in that, when the program instruction set stored in the medium is read and executed by a machine, the attack detection method based on abnormal state described above is realized.

A machine according to the present invention comprises a processor and a memory, a program instruction set being stored in the memory, characterized in that, when the program instruction set stored in the memory is loaded and executed by the processor, the attack detection method based on abnormal state described above is realized.

The technical effects of the present invention are as follows:

Under traditional methods, monitoring the attack itself is prone to false alarms, whereas the present invention monitors the transitions between attack states, which is far more accurate and essentially does not produce false alarms.

The present invention can track and download, in real time, current attack behaviors, attack methods and the software vulnerabilities and defects they exploit, so that the machine's attack model graph samples are kept up to date and new attack methods can be responded to in time.

Description of the drawings

Fig. 1 is a flowchart of the attack detection method of an embodiment of the present invention.

Fig. 2 is a schematic structural diagram of a machine embodiment of the present invention.

Detailed description

The present invention is described in further detail below with reference to the accompanying drawings.

Fig. 2 illustrates a machine 100. The machine 100 is specifically an electronic device comprising a processor 101, a memory 102 and a communication unit 103. The processor 101 is connected to the memory 102 and the communication unit 103. The processor 101 is usually a general-purpose computer processor capable of executing computer program instructions, and the memory 102 is usually a medium whose contents survive power loss, including but not limited to magnetic disks, tapes and flash memory. This medium is the medium referred to above in the present invention. The memory 102 is usually used to store computer program instruction sets and data. The processor 101 realizes its automated functions by loading the program instruction set stored in the memory 102; in particular, it connects to the network 300 through the communication unit 103 and interacts with other machines connected to the network 300. In this embodiment, the processor 101 implements the attack detection method based on abnormal state of the present invention by loading and executing the program instruction set stored in the memory 102. The method is mainly used to detect attacks from other machines on the network 300; after an attack is detected, defensive processing is carried out so as to protect the machine 100. The present invention is limited to detecting the attack; the defensive processing performed after detection is outside its scope and is not described further.

Referring to Fig. 1, the attack detection method based on abnormal state of this embodiment comprises an attack defect text capture step, a text-to-attack-state-graph step, an attack state graph merging step, and a machine behavior state monitoring step.

The attack defect text capture step captures text that describes attack defects. It corresponds to step S1 above, obtaining the attack defect description text. The attack defect description text in step S1 is text describing attack defects and is divided into attack behavior description text, attack method description text and software vulnerability/defect description text. "Obtain" in step S1 means that the attack defect description text is the input to the subsequent steps of the present invention.

Attack defect description text comes from information published on web pages by other machines on the network 300. By source, it is usually divided into attack behavior description text, attack method description text and software vulnerability/defect description text.

Attack behavior description text is the process and partial details of an attack disclosed by national security agencies or security companies and laboratories after analyzing the network security threats they have observed. For example, the following example description of the Log4Shell attack behavior comes from the Cybersecurity and Infrastructure Security Agency (CISA).

"The threat actors using IP 104.223.34.98 gained initial access to Victim 2's production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts to callout to 109.248.150.13 via Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download and execute a malicious file from 109.248.150.13. The activity started from IP address 104.155.149.103, which appears to be part of the actors' C2 infrastructure."

Attack method description text is the analysis and summary report that security organizations publish about the attack methods used in attack behaviors, drawn from the attack tactic and technique libraries these organizations maintain, such as MITRE's ATT&CK framework and the CAPEC (Common Attack Pattern Enumerations and Classifications) library. It discloses, for example, the tactics/techniques the attack behavior uses, the software defects and vulnerabilities the attack behavior exploits, the attack behavior's capabilities and goals, the preconditions it must satisfy, and related cases and descriptions of how it is carried out. For example, the following example attack method description is the ATT&CK framework's description of the technique "T1059.001: Command and Scripting Interpreter: PowerShell".

"Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI)."

Software vulnerability/defect description text is text describing software vulnerabilities and defects, drawn from vulnerability and weakness databases built and maintained by authoritative security organizations, such as MITRE's CVE (Common Vulnerabilities and Exposures) database and the CWE (Common Weakness Enumeration) database. The CVE database records publicly disclosed vulnerabilities worldwide, each with a unique identifier that makes vulnerabilities easy to track and manage. Common weakness types in software and systems, identified by analyzing the root cause of each vulnerability, are recorded in the CWE database. Software vulnerability/defect description text includes the vulnerability description, its impact, the affected product name, the vendor, and other information. The following exemplary software vulnerability/defect description text describes the CVE-2021-44228 Log4j arbitrary code execution vulnerability:

"Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."

In a simple implementation, the attack defect description text can be used directly as the input of the present invention; in that case it is usually downloaded and collated manually from the relevant websites and then used as the input of the embodiment. Those skilled in the art understand that, since on the one hand the attack defect description text comes from public websites and on the other the machine 100 is connected to the network through the communication unit 103, it is straightforward to download it automatically from the relevant websites with a web crawler. In this embodiment, the capture referred to above means downloading from a website and extracting the effective text content. Specifically, the attack behavior reports, attack method reports and software vulnerability/defect reports of specified websites are tracked, and when a new attack behavior report, attack method report or software vulnerability/defect report is found, its text content is captured as the attack defect description text. In this embodiment the tracking is done on a schedule: at regular intervals the attack behavior reports, attack method reports and software vulnerability/defect reports of the specified websites are visited to check whether new ones exist. Capture here comprises two steps: the first downloads the web page content from the website; the second extracts the effective text content from the downloaded page content. The first step, downloading web page content from a website, is familiar to those skilled in the art. The second step depends on the HTML format of each website. Each website usually uses a fixed HTML format for the attack behavior reports, attack method reports or software vulnerability/defect reports it publishes, so in practice the effective text content only needs to be extracted according to that fixed HTML format, which is not difficult for those skilled in the art and is not described further.

The text attack state diagramming step, put simply, parses the aforementioned attack defect description text and constructs an attack model graph. In this step, attack behavior description text, attack method description text and software vulnerability defect description text are processed in the same way. Specifically, in this embodiment this is the aforementioned step S2: the attack defect description text is parsed to obtain a set of attack state transition information. An item of attack state transition information comprises a first attack state information set and a second attack state information set, both of which are sets of attack state information. Attack state information represents a state of the machine under attack. It should be pointed out that the set of attack state transition information is the data representation of the attack model graph. The attack model graph is a directed graph composed of nodes and directed edges. In the attack model graph, nodes correspond to attack state information, and a directed edge is represented by the first attack state information set and the second attack state information set of one item of attack state transition information. That is, a directed edge of the attack model graph may have several start nodes and several end nodes, where the attack state information corresponding to the start nodes is defined in the first attack state information set and the attack state information corresponding to the end nodes is defined in the second attack state information set. In a more practical implementation, the attack state information in the first and second attack state information sets is represented by attack state identification codes, while the complete attack state information is stored in a corresponding attack state information set.

In this embodiment, the text attack state diagramming step specifically comprises the following steps:

Step S21: tag entity nouns in the attack defect description text according to preset regular expressions and a domain-specific entity noun table;

Step S22: split the attack defect description text into short sentences, then decompose each short sentence into subject, predicate and object according to the tagged entity nouns to obtain short sentence node information, and extract the dependency relationships between short sentences according to a dependency word table and the order of the short sentences in the text, thereby obtaining the node transition relationships between the short sentence node information corresponding to the short sentences;

Step S23: merge short sentence node information that is semantically identical or in an inclusion relationship by similarity and inclusion matching between the short sentence node information, and adjust the node transition relationships after merging;

Step S24: map the short sentence node information to attack state information according to its subject, predicate and object, and construct the corresponding attack state transition information according to the node transition relationships of the short sentence node information corresponding to the attack state information; when mapping short sentence node information to attack state information, if an item of short sentence node information cannot be mapped to attack state information, delete that short sentence node information, modify the node transition relationships accordingly, and construct the attack state transition information from the modified node transition relationships.

In step S21, the preset regular expressions include, but are not limited to: a URL link regular expression, a HOST hostname regular expression, an IP address regular expression, an e-mail address regular expression, a Windows registry regular expression, a file name regular expression, and a file or folder path regular expression. The domain-specific entity noun table is the set of domain-specific entity nouns obtained by extracting the nouns from a domain-specific vocabulary. To facilitate lookup, the domain-specific entity noun table is usually sorted. For example, in the aforementioned CISA description of the Log4Shell attack behavior, the entity nouns that can be tagged include: "actor", "104.223.34.98", "access", "victim", "production environment", "Log4Shell", "VMware Horizon", "CISA", "PowerShell script", "109.248.150.13", "104.155.149.103", "Hypertext Transfer Protocol", "C2 infrastructure".

Step S22 can be decomposed into the following three sub-steps: short sentence splitting, subject-predicate-object decomposition, and node transition relationship construction. Taking the aforementioned CISA description of the Log4Shell attack behavior as an example, short sentence splitting and subject-predicate-object decomposition yield the following short sentence node information:

sn1_1: [subject: "actor", predicate: "gained", object: "initial access"], corresponding short sentence: The threat actors using IP 104.223.34.98 gained initial access to Victim 2's production environment in late January 2022, or earlier.;

sn1_2: [subject: "actor", predicate: "obtain", object: "access"], corresponding short sentence: These actors likely obtained access;

sn1_3: [subject: "actor", predicate: "exploit", object: "Log4Shell in an unpatched VMware Horizon server"], corresponding short sentence: by exploiting Log4Shell in an unpatched VMware Horizon server;

sn1_4: [subject: "actor", predicate: "gain", object: "access"], corresponding short sentence: after the threat actors gained access;

sn1_5: [subject: "actor", predicate: "use", object: "PowerShell script"], corresponding short sentence: the actors using PowerShell scripts;

sn1_6: [subject: "actor", predicate: "callout to", object: "109.248.150.13"], corresponding short sentence: to callout to 109.248.150.13;

sn1_7: [subject: "", predicate: "", object: "Hypertext Transfer Protocol (HTTP)"], corresponding short sentence: via Hypertext Transfer Protocol (HTTP);

sn1_8: [subject: "actor", predicate: "retrieve", object: "additional PowerShell scripts"], corresponding short sentence: retrieve additional PowerShell scripts;

sn1_9: [subject: "actor", predicate: "download and execute", object: "malicious file from 109.248.150.13"], corresponding short sentence: the actors attempt to download and execute a malicious file from 109.248.150.13;

sn1_10: [subject: "activity", predicate: "started from", object: "IP address 104.155.149.103"], corresponding short sentence: The activity started from IP address 104.155.149.103;

sn1_11: [subject: "", predicate: "", object: "part of the actors' C2 infrastructure"], corresponding short sentence: appears to be part of the actors' C2 infrastructure;

The above sn1_1 to sn1_11 represent 11 items of short sentence node information. The short sentence splitting above is performed on each long sentence (a sentence ending in a period) by matching dependency words. For example, in the above example the sentence "These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server." is divided by the dependency word "by" into the two clauses sn1_2 and sn1_3. In this embodiment, the dependency word table includes, for example, the following words:

be caused by, be arise from, be arise out, be rise of, be triggered by, be induced by, be the cause of, be affected by, be effect on, cause of … is …, reason of … is …, by, [v]…to[v]…, by reason that … is …, the reason for … is …, be cause for, be trigger of, if … then …, hence, therefore, thus, thereby, accordingly, consequently, in this way, that is why, cause, allow, trigger, affect, induce, reveal, lead to, bring about, appear to, bring on, give rise to, increase, result in, so that to, have effect on, in order to, for the purpose of, after, because, as a result of, due to, owing to, in view of, as a consequence of, on account of, derive from, as long as, for this reason that, for the reason that, because of, since, through, stem from, result from, thanks to, in consequence of, in that, on the ground that, as, via, begin, end, ....

In the above short sentence node information:

According to the dependency word "by" between the short sentence "These actors likely obtained access" and the short sentence "by exploiting Log4Shell in an unpatched VMware Horizon server", the node transition relationship sn1_3->sn1_2 is constructed;

According to the dependency word "after" between the short sentence "after the threat actors gained access" and the short sentence "the actors using PowerShell scripts", the node transition relationship sn1_4->sn1_5 is constructed;

According to the dependency word "to.v" (the "[v]…to[v]…" pattern) between the short sentence "the actors using PowerShell scripts" and the short sentence "to callout to 109.248.150.13", the node transition relationship sn1_5>sn1_6 is constructed;

According to the dependency word "via" between the short sentence "to callout to 109.248.150.13" and the short sentence "via Hypertext Transfer Protocol (HTTP)", the node transition relationship sn1_7>sn1_6 is constructed;

According to the dependency word "to" between the short sentence "to callout to 109.248.150.13" and the short sentence "to retrieve additional PowerShell scripts", the node transition relationship sn1_6>sn1_8 is constructed;

According to the qualification expressed by the dependency word "appears to" between the short sentence "The activity started from IP address 104.155.149.103" and the short sentence "appears to be part of the actors' C2 infrastructure", the node transition relationship sn1_10->sn1_11 is constructed;

Combining these with the order of the short sentences in the text, the node transition relationships finally obtained are as follows:

sn1_3->sn1_2

sn1_4->sn1_5

sn1_5->sn1_6

sn1_7>sn1_6

sn1_6->sn1_8

sn1_10->sn1_11

sn1_1->sn1_2

sn1_2->sn1_5

sn1_8->sn1_9

sn1_9->sn1_11

It should be pointed out that, compared with the dependency relationships constructed from the dependency word table, the dependency relationships constructed above from the order of the text are weak dependency relationships, whereas those constructed from the dependency word table are strong dependency relationships.
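The following added example (my own code, not the patent's implementation) shows steps S21 and S22 on two of the CISA sentences quoted above: regex and noun-table entity tagging, clause splitting at dependency words, and the two edge kinds. The regex patterns, the noun-table contents, the `sn_*` numbering and the per-word direction rule (a "by" or "via" clause points back at the clause it explains; an "after" or "appears to" clause is pointed at by the preceding clause) are assumptions read off the page's worked example; the page's "[v]…to[v]…" pattern needs a part-of-speech check and is omitted, and subject/predicate/object decomposition is not attempted.

```python
import re

# Constructed sample input: two sentences from the CISA Log4Shell description quoted on the page.
SAMPLE_TEXT = (
    "These actors likely obtained access by exploiting Log4Shell in an unpatched "
    "VMware Horizon server. The activity started from IP address 104.155.149.103 "
    "appears to be part of the actors' C2 infrastructure."
)

# Step S21: preset regular expressions for entity kinds the page lists (patterns are my own).
ENTITY_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "winpath": re.compile(r"\b[A-Za-z]:\\[^\s\"']+"),
}
# Domain-specific entity noun table (assumed contents), longest first so multi-word nouns win.
DOMAIN_NOUNS = sorted(
    ["actor", "access", "activity", "Log4Shell", "VMware Horizon",
     "PowerShell script", "C2 infrastructure"], key=len, reverse=True)

# Dependency words (a subset of the page's table) and the edge direction each implies.
# backward: the clause the word introduces is the cause or means, so the edge points to the
# preceding clause (the page's "by" gives sn1_3->sn1_2). forward: preceding clause leads to it.
DEP_DIRECTION = {"by": "backward", "via": "backward", "after": "forward", "appears to": "forward"}
DEP_RE = re.compile(r"\b(" + "|".join(sorted(DEP_DIRECTION, key=len, reverse=True)) + r")\b",
                    re.IGNORECASE)


def tag_entities(text):
    """Step S21: (kind, value, offset) for every regex or noun-table hit, in text order."""
    hits = []
    for kind, pat in ENTITY_PATTERNS.items():
        hits += [(kind, m.group(0), m.start()) for m in pat.finditer(text)]
    for noun in DOMAIN_NOUNS:
        for m in re.finditer(r"\b" + re.escape(noun) + r"s?\b", text):
            # Skip a span already covered by an earlier (longer) hit, e.g. "script" inside
            # "PowerShell script"; plural forms are normalised to the table entry.
            if not any(s <= m.start() < s + len(v) for _, v, s in hits):
                hits.append(("noun", noun, m.start()))
    return sorted(hits, key=lambda h: h[2])


def split_sentences(text):
    """Long sentences are the unit of clause splitting: break on a period followed by a capital."""
    return [s for s in re.split(r"(?<=\.)\s+(?=[A-Z])", text.strip()) if s]


def build_graph(text):
    """Step S22: split each sentence into clauses at dependency words, tag entities per clause,
    and emit strong edges (from dependency words) plus weak edges (from text order)."""
    nodes, edges = [], []            # edges are (src_id, dst_id, "strong" | "weak")
    prev_head = None                 # main clause of the previous sentence
    for sentence in split_sentences(text):
        parts = DEP_RE.split(sentence)   # [clause0, dep1, clause1, dep2, clause2, ...]
        clauses = [(None, parts[0].strip())] if parts[0].strip() else []
        clauses += [(parts[i].lower(), (parts[i] + parts[i + 1]).strip())
                    for i in range(1, len(parts), 2)]
        prev_id, head = None, None
        for dep, clause in clauses:
            nid = f"sn_{len(nodes) + 1}"
            nodes.append({"id": nid, "dep": dep, "text": clause, "entities": tag_entities(clause)})
            head = head or nid
            if dep is not None and prev_id is not None:
                src, dst = (nid, prev_id) if DEP_DIRECTION[dep] == "backward" else (prev_id, nid)
                edges.append((src, dst, "strong"))
            prev_id = nid
        if prev_head is not None and head is not None:
            edges.append((prev_head, head, "weak"))   # text order only: weak dependency
        prev_head = head
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_TEXT)
    for n in nodes:
        print(n["id"], n["dep"], [v for _, v, _ in n["entities"]], "|", n["text"])
    print(edges)
```

Run stand-alone, the sample yields four clause nodes, the strong edges sn_2->sn_1 (from "by") and sn_3->sn_4 (from "appears to"), and one weak edge sn_1->sn_3 linking the two sentences' main clauses, mirroring the page's sn1_3->sn1_2 and sn1_10->sn1_11.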

In step S23, when comparing whether two items of short sentence node information are similar, the modifiers and qualifiers of the subject, predicate and object can usually be removed first, and it is then judged whether the meanings of the subject, predicate and object are close; if they are close, the semantics are regarded as the same. For example, removing the qualifier "initial" from the object of short sentence node information sn1_1: [subject: "actor", predicate: "gain", object: "initial access"] gives new short sentence node information sn1_1_V2: [subject: "actor", predicate: "gain", object: "access"], whose predicate "gain" is semantically the same as the predicate "obtain" in sn1_2, and whose subject and object are also the same; therefore short sentence node information sn1_1 is the same as sn1_2 and sn1_4. An inclusion relationship is also involved here: for example, "malicious file" in short sentence node information sn1_9 includes "PowerShell script" in short sentence node information sn1_8, and the predicates "retrieve" and "download and execute" have similar meanings; therefore short sentence node information sn1_8 can be absorbed by short sentence node information sn1_9.

Thus, after step S23 has removed qualifiers and modifiers and merged nodes, the re-labelled short sentence node information is simplified as follows:

sn2_1: [subject: "actor", predicate: "obtain", object: "access"];

sn2_2: [subject: "actor", predicate: "exploit", object: "Log4Shell"];

sn2_3: [subject: "actor", predicate: "use", object: "PowerShell script"];

sn2_4: [subject: "actor", predicate: "callout to", object: "109.248.150.13"];

sn2_5: [subject: "", predicate: "", object: "Hypertext Transfer Protocol (HTTP)"];

sn2_6: [subject: "actor", predicate: "download and execute", object: "PowerShell script or other malicious file"];

sn2_7: [subject: "activity", predicate: "started from", object: "IP address 104.155.149.103"];

sn2_8: [subject: "", predicate: "", object: "part of the actors' C2 infrastructure"];

The corresponding adjusted transition relationships are as follows:

sn2_2->sn2_1

sn2_1->sn2_3

sn2_3->sn2_4

sn2_5>sn2_4

sn2_4->sn2_6

sn2_7->sn2_8

sn2_6->sn2_8

In step S24, the attack state information is the state of the machine under attack, so the attack state information relates to the behavior of the machine itself, whereas the acting subject of short sentence node information is generally the attacker. It is therefore necessary to map the attacker's behavior onto the behavior of the local machine. For example, in the aforementioned short sentence node information sn2_4, [subject: "actor", predicate: "callout to", object: "109.248.150.13"], "actor callout to 109.248.150.13" is, from the local machine's point of view, equivalent to the local machine establishing a network connection to 109.248.150.13. From the machine's perspective, the attacker's actions are relatively fixed, for example network connection, file creation, file modification, and execution of a file or script. In addition, because the acting subject of short sentence node information is the attacker, not every behavior can be mapped to an attack state; for example, in short sentence node information sn2_1 [subject: "actor", predicate: "obtain", object: "access"], the behavior "actor obtain access" is entirely a description of the attacker itself and cannot be mapped to an attack state, so it must be deleted. Among the short sentence node information sn2_1 to sn2_8 of the preceding example, sn2_1 and sn2_2 cannot be matched to any state of a machine under attack and need to be deleted; after deletion, the re-labelled short sentence node information is as follows:

sn3_1: [subject: "actor", predicate: "use", object: "PowerShell script"];

sn3_2: [subject: "actor", predicate: "callout to", object: "109.248.150.13"];

sn3_3: [subject: "", predicate: "", object: "Hypertext Transfer Protocol (HTTP)"];

sn3_4: [subject: "actor", predicate: "download and execute", object: "PowerShell script or other malicious file"];

sn3_5: [subject: "activity", predicate: "started from", object: "IP address 104.155.149.103"];

sn3_6: [subject: "", predicate: "", object: "part of the actors' C2 infrastructure"];

The corresponding adjusted transition relationships are as follows:

sn3_1->sn3_2

sn3_3>sn3_2

sn3_2->sn3_4

sn3_5->sn3_6

sn3_4->sn3_6

The above short sentence node information is mapped to attack state information as follows:

sn3_1=>mn_1: [associated action: "Execute", action object: "PowerShell script"];

sn3_2=>mn_2: [associated action: "NetConnectTo", action object: "109.248.150.13"];

sn3_3=>mn_3: [associated action: "NetConnectBy", action object: "Hypertext Transfer Protocol (HTTP)"];

sn3_4=>mn_4: [associated action: "CreateFile", action object: "unknown file"];

sn3_5=>mn_5: [associated action: "NetConnectFrom", action object: "104.155.149.103"];

sn3_6=>mn_6: [associated action: "NetConnectBy", action object: "C2(Connect&Control, C&C)"];

The corresponding attack state transition information is as follows:

[mn_1, mn_3]->mn_2

mn_2->mn_4

[mn_5, mn_4]->mn_6

The attack state graph merging step, that is, the aforementioned step S3, merges the attack state information of each set of attack state transition information one by one into the global attack state transition information set by merging identical matches between attack state information. As mentioned above, a set of attack state transition information represents an attack model graph, and the global attack state transition information set is a global attack model graph. When the aforementioned step S2 is performed, an attack model graph is obtained for each attack defect description text. To make incorporation into the global attack state transition information set more efficient, this embodiment usually first merges the attack state transition information sets corresponding to all currently obtained attack defect description texts into a temporary attack state transition information set representing an overall attack model graph, and then merges that set with the global attack state transition information set. Identical matching between attack state information simply means comparing whether the associated action and the action object are the same. In addition, for convenience of processing, a set of attack state transition information usually contains only the attack state identification codes of the attack state information included in the attack state transition information, while the complete attack state information is stored in a corresponding attack state information set. Therefore, when merging in this step, the corresponding attack state information sets are merged first, and the corresponding attack state transition information is then merged according to the attack state identification codes returned when the attack state information in the attack state information sets is merged.

Furthermore, for subsequent monitoring, attack state information usually also contains information such as the defect corresponding to the attack; for example, in the foregoing example the attack state information may further contain the corresponding defect identifier Log4Shell. The defect identifier of attack state information is usually a set.

The machine behavior state monitoring step, that is, the aforementioned step S4, monitors the behavior of the machine when executing the operating system and application programs, judges whether the machine is in an abnormal state according to whether a behavior result is consistent with attack state information in the global attack state transition information set, and issues an abnormal state warning when an abnormal state occurs. Judging the consistency of a behavior result with attack state information means matching the associated action and action object of the attack state information; for example, when it is detected at some moment that an application has established a network connection, it is only necessary to check whether the target network address is the action object of attack state information whose associated action is NetConnectTo; if so, an abnormal state has occurred.

In the present invention, issuing an abnormal state warning is a generic term; it usually includes, for example, recording the abnormal state in a log, reporting the abnormal state over the network, and sending the abnormal state to a defense processing module. In this embodiment, an abnormal state in which a single behavior result is consistent with attack state information is usually only written to the log; when a state transition is matched, it is regarded as an attack and an alarm is raised. A state transition is matched when the behavior results of two or more successive program behaviors are consistent with, respectively, the first attack state information and the second attack state information of some item of attack state transition information. Raising an alarm in this embodiment specifically means reporting the abnormal state over the network and at the same time sending it to the defense processing module. In this case the abnormal state is a state in which the behavior results of several program behaviors are each consistent with several items of attack state information.

It should be pointed out that the consistency judgment of attack state information in the present invention does not target the behavior that an application is currently executing. This is what distinguishes the present invention from traditional attack monitoring. Traditional attack monitoring monitors the attack behavior itself: for example, when an application establishes a connection, traditional attack monitoring detects it, whereas the attack state monitoring of the present invention does not; the attack state monitoring of the present invention detects it only after the application's connection has been established. This is because the method of the present invention needs not only to monitor a certain behavior state but, most importantly, to monitor the transitions between states.

It should also be noted that the modules referred to above in the present invention are virtual devices corresponding to the steps of the method and are not described further.
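The added example below (my own code, not the patent's implementation) carries steps S3 and S4 through in code: a global store that merges per-text graphs by identical (associated action, action object) matching and accumulates defect identifiers as a set, and a monitor fed with completed behavior results that writes a single match to the log and raises an alarm only when every first-set state of some transition was seen before a second-set state. The first per-text graph is the page's mn_1 to mn_6 with its three transitions; the second graph, the `gs_*` global codes, the `ModifyFile` action, the placeholder defect identifier and the event sequence are constructed for the demonstration.

```python
# Added example (not the patent's code): step S3 merge and step S4 monitoring.
# Per-text codes reuse the page's mn_* labels; global codes gs_* are my own naming.


class AttackStateStore:
    """Global attack state information set plus global attack state transition set."""

    def __init__(self):
        self.states = {}          # global code -> {"action", "object", "defects"}
        self.by_key = {}          # (associated action, action object) -> global code
        self.transitions = set()  # (frozenset of first-set codes, frozenset of second-set codes)

    def add_state(self, action, obj, defects=()):
        """Identical match = same associated action and action object; returns the global code."""
        code = self.by_key.get((action, obj))
        if code is None:
            code = f"gs_{len(self.states) + 1}"
            self.states[code] = {"action": action, "object": obj, "defects": set()}
            self.by_key[(action, obj)] = code
        self.states[code]["defects"].update(defects)  # defect identifiers accumulate as a set
        return code

    def merge(self, local_states, local_transitions):
        """Step S3: merge the state set first, then remap transitions with the codes returned."""
        remap = {lc: self.add_state(*v) for lc, v in local_states.items()}
        for srcs, dsts in local_transitions:
            self.transitions.add((frozenset(remap[s] for s in srcs),
                                  frozenset(remap[d] for d in dsts)))
        return remap


class Monitor:
    """Step S4: consumes completed behavior results (e.g. a connection once established)."""

    def __init__(self, store):
        self.store, self.matched, self.log, self.alerts = store, [], [], []

    def observe(self, action, obj):
        code = self.store.by_key.get((action, obj))
        if code is None:
            return None                               # benign: no attack state matches
        prior = set(self.matched)
        self.matched.append(code)
        self.log.append(f"abnormal state {code}: {action} {obj}")  # single match: log only
        for srcs, dsts in self.store.transitions:
            # Transition matched: every first-set state was seen earlier and every
            # second-set state (including this one) has now been seen -> raise an alarm.
            if code in dsts and srcs <= prior and dsts <= set(self.matched):
                self.alerts.append((tuple(sorted(srcs)), tuple(sorted(dsts))))
        return code


# The page's example graph (mn_1..mn_6 and its three transitions), defect identifier Log4Shell.
PAGE_STATES = {
    "mn_1": ("Execute", "PowerShell script", {"Log4Shell"}),
    "mn_2": ("NetConnectTo", "109.248.150.13", {"Log4Shell"}),
    "mn_3": ("NetConnectBy", "Hypertext Transfer Protocol (HTTP)", {"Log4Shell"}),
    "mn_4": ("CreateFile", "unknown file", {"Log4Shell"}),
    "mn_5": ("NetConnectFrom", "104.155.149.103", {"Log4Shell"}),
    "mn_6": ("NetConnectBy", "C2(Connect&Control, C&C)", {"Log4Shell"}),
}
PAGE_TRANSITIONS = [(["mn_1", "mn_3"], ["mn_2"]), (["mn_2"], ["mn_4"]), (["mn_5", "mn_4"], ["mn_6"])]

# A second, constructed per-text graph sharing one state with the first, to exercise the merge.
OTHER_STATES = {
    "mn_1": ("NetConnectTo", "109.248.150.13", {"CONSTRUCTED-DEFECT-ID"}),
    "mn_2": ("ModifyFile", "unknown file", {"CONSTRUCTED-DEFECT-ID"}),
}
OTHER_TRANSITIONS = [(["mn_1"], ["mn_2"])]

# Constructed behavior results in observation order; 203.0.113.7 is a documentation address.
EVENTS = [
    ("Execute", "PowerShell script"),
    ("NetConnectTo", "203.0.113.7"),
    ("NetConnectBy", "Hypertext Transfer Protocol (HTTP)"),
    ("NetConnectTo", "109.248.150.13"),
    ("CreateFile", "unknown file"),
    ("ModifyFile", "unknown file"),
    ("NetConnectFrom", "104.155.149.103"),
    ("NetConnectBy", "C2(Connect&Control, C&C)"),
]


def build_store():
    store = AttackStateStore()
    store.merge(PAGE_STATES, PAGE_TRANSITIONS)
    store.merge(OTHER_STATES, OTHER_TRANSITIONS)
    return store


def run_monitor(events=EVENTS):
    mon = Monitor(build_store())
    for action, obj in events:
        mon.observe(action, obj)
    return mon


if __name__ == "__main__":
    m = run_monitor()
    print("\n".join(m.log))
    print("alerts:", m.alerts)
```

The merge leaves seven global states (the shared NetConnectTo state is stored once with both defect identifiers) and four transitions; the event sequence produces seven log entries and four alarms, while the connection to the unrelated address produces nothing. Matching happens on the completed result, as the page requires, so the monitor never sees an attempt, only an established connection or a written file.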

Claims (8)

1. An attack detection method based on abnormal state, characterized in that it comprises the following steps:
   Step S1: obtaining an attack defect description text;
   Step S2: parsing the attack defect description text to obtain a set of attack state transition information; the attack state transition information comprises a first attack state information set and a second attack state information set, both of which are sets of attack state information; attack state information consists of an associated action and an action object;
   Step S3: merging the attack state information of each set of attack state transition information one by one into a global attack state transition information set, by merging attack state information that matches identically;
   Step S4: monitoring the behavior of the machine as it executes the operating system and application programs, judging whether the machine is in an abnormal state according to whether the behavior results are consistent with the attack state information in the global attack state transition information set, and issuing an abnormal-state warning when an abnormal state occurs;
   wherein step S2 comprises the following steps:
   Step S21: annotating entity nouns in the attack defect description text according to a preset regular expression and a domain-specific entity noun table;
   Step S22: splitting the attack defect description text into short sentences, then decomposing each short sentence into subject, predicate and object according to the annotated entity nouns to obtain short-sentence node information, and extracting the dependency relationships between short sentences according to a dependency-relation vocabulary and the ordering of the short sentences, thereby obtaining the node transition relationships between the short-sentence node information corresponding to the short sentences;
   Step S23: merging short-sentence node information that is semantically identical or stands in an inclusion relationship, by similarity and inclusion matching between short-sentence node information, and adjusting the node transition relationships after the merge;
   Step S24: mapping short-sentence node information to attack state information according to its subject, predicate and object, and constructing the corresponding attack state transition information according to the node transition relationships of the short-sentence node information corresponding to the attack state information; when short-sentence node information cannot be mapped to attack state information, deleting that short-sentence node information, modifying the node transition relationships accordingly, and constructing the attack state transition information from the modified node transition relationships.

2. The attack detection method based on abnormal state according to claim 1, characterized in that issuing the abnormal-state warning in step S4 comprises recording the abnormal state in a log, reporting the abnormal state over the network, and sending the abnormal state to a defense processing module.

3. The attack detection method based on abnormal state according to claim 1, characterized in that in step S1, attack behavior reports, attack technique reports and software vulnerability defect reports of designated websites are tracked, and when a new attack behavior report, attack technique report or software vulnerability defect report is tracked, the text content of that report is captured as the attack defect description text.

4. An attack detection device based on abnormal state, characterized in that it comprises the following modules:
   Module M1, configured to: obtain an attack defect description text;
   Module M2, configured to: parse the attack defect description text to obtain a set of attack state transition information; the attack state transition information comprises a first attack state information set and a second attack state information set, both of which are sets of attack state information; attack state information consists of an associated action and an action object;
   Module M3, configured to: merge the attack state information of each set of attack state transition information one by one into a global attack state transition information set, by merging attack state information that matches identically;
   Module M4, configured to: monitor the behavior of the machine as it executes the operating system and application programs, judge whether the machine is in an abnormal state according to whether the behavior results are consistent with the attack state information in the global attack state transition information set, and issue an abnormal-state warning when an abnormal state occurs;
   wherein module M2 comprises the following modules:
   Module M21, configured to: annotate entity nouns in the attack defect description text according to a preset regular expression and a domain-specific entity noun table;
   Module M22, configured to: split the attack defect description text into short sentences, then decompose each short sentence into subject, predicate and object according to the annotated entity nouns to obtain short-sentence node information, and extract the dependency relationships between short sentences according to a dependency-relation vocabulary and the ordering of the short sentences, thereby obtaining the node transition relationships between the short-sentence node information corresponding to the short sentences;
   Module M23, configured to: merge short-sentence node information that is semantically identical or stands in an inclusion relationship, by similarity and inclusion matching between short-sentence node information, and adjust the node transition relationships after the merge;
   Module M24, configured to: map short-sentence node information to attack state information according to its subject, predicate and object, and construct the corresponding attack state transition information according to the node transition relationships of the short-sentence node information corresponding to the attack state information; when short-sentence node information cannot be mapped to attack state information, delete that short-sentence node information, modify the node transition relationships accordingly, and construct the attack state transition information from the modified node transition relationships.

5. The attack detection device based on abnormal state according to claim 4, characterized in that issuing the abnormal-state warning in module M4 comprises recording the abnormal state in a log, reporting the abnormal state over the network, and sending the abnormal state to a defense processing module.

6. The attack detection device based on abnormal state according to claim 4, characterized in that module M1 is configured to: track attack behavior reports, attack technique reports and software vulnerability defect reports of designated websites, and when a new attack behavior report, attack technique report or software vulnerability defect report is tracked, capture the text content of that report as the attack defect description text.

7. A medium storing a program instruction set readable by a machine, characterized in that when the program instruction set stored in the medium is read and executed by the machine, the attack detection method based on abnormal state according to any one of claims 1 to 3 is implemented.

8. A machine comprising a processor and a memory, the memory storing a program instruction set, characterized in that when the program instruction set stored in the memory is loaded and executed by the processor, the attack detection method based on abnormal state according to any one of claims 1 to 3 is implemented.
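The following is an added example, not code from the patent, illustrating steps S3 and S4 of claim 1: attack state information is represented as an (action, object) pair and attack state transition information as a (pre, post) pair of state sets; per-report transitions are merged into one global graph keyed on identical states, and an observed behavior trace is then checked against that graph. The report contents and the monitoring trace are constructed sample data.

```python
"""Added example (not the patent's code): step S3 merges attack state
transition information from several reports into a global graph; step S4
checks observed machine behavior against that graph."""
from collections import defaultdict

State = tuple[str, str]  # (associated action, action object)

# Constructed sample: attack state transition information extracted from two
# hypothetical defect reports; each item is (pre_states, post_states).
REPORT_A = [({("download", "archive")}, {("execute", "script")}),
            ({("execute", "script")}, {("modify", "startup_entry")})]
REPORT_B = [({("execute", "script")}, {("read", "credential_file")}),
            ({("download", "archive")}, {("execute", "script")})]  # also in A

def merge_into_global(reports: list) -> dict[State, set[State]]:
    """Step S3: identical states from different reports collapse into one
    node; the successor sets of each node are unioned."""
    graph: dict[State, set[State]] = defaultdict(set)
    for transitions in reports:
        for pre_states, post_states in transitions:
            for pre in pre_states:
                graph[pre] |= set(post_states)
            for post in post_states:
                graph.setdefault(post, set())  # sink states are nodes too
    return dict(graph)

def detect(graph: dict[State, set[State]], behavior: list[State]) -> list:
    """Step S4: `behavior` is the ordered list of (action, object) results
    from monitoring OS and application execution. A warning is returned for
    every observed result that completes an edge pre -> post of the graph."""
    reached: set[State] = set()  # attack states already seen on this machine
    warnings = []
    for i, result in enumerate(behavior):
        if result not in graph:
            continue  # benign: no attack state matches this result
        for pre in reached:
            if result in graph[pre]:
                warnings.append((i, pre, result))
        reached.add(result)
    return warnings

# Constructed monitoring trace: the machine follows REPORT_A's chain.
TRACE = [("open", "browser"), ("download", "archive"),
         ("execute", "script"), ("modify", "startup_entry")]

if __name__ == "__main__":
    g = merge_into_global([REPORT_A, REPORT_B])
    for idx, pre, post in detect(g, TRACE):
        print(f"abnormal state at event {idx}: {pre} -> {post}")
```

In a deployment the warning list would feed the log, network report and defense processing module named in claim 2.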
CN202310371707.2A 2023-04-10 2023-04-10 Attack detection method, device, medium and machine based on abnormal state Active CN116389122B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310371707.2A CN116389122B (en) 2023-04-10 2023-04-10 Attack detection method, device, medium and machine based on abnormal state

Publications (2)

Publication Number Publication Date
CN116389122A true CN116389122A (en) 2023-07-04
CN116389122B CN116389122B (en) 2025-07-22

Family

ID=86963038

Country Status (1)

Country Link
CN (1) CN116389122B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119172123A (en) * 2024-08-30 2024-12-20 广州盈风网络科技有限公司 A testing method, device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019110513A (en) * 2017-12-15 2019-07-04 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Anomaly detection method, learning method, anomaly detection device, and learning device
CN112235283A (en) * 2020-10-10 2021-01-15 南方电网科学研究院有限责任公司 Vulnerability description attack graph-based network attack evaluation method for power engineering control system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王硕;王建华;汤光明;裴庆祺;张玉臣;刘小虎;: "一种智能高效的最优渗透路径生成方法", 《计算机研究与发展》, no. 05, 15 May 2019 (2019-05-15) *
王立敏: "基于指标依赖模型构建与监控的攻击检测方法", 《软件学报》, 1 June 2023 (2023-06-01) *

Also Published As

Publication number Publication date
CN116389122B (en) 2025-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant