
Privileged account threat alarm method based on behaviors

A behavior-based privileged account threat alarm method, applied in the field of privileged account threat detection and analysis, addresses the high false-positive rate, the overloading of security staff, and the complex data sources of an in-house security protection center, achieving a low false-positive rate and simple deployment and configuration.

Pending Publication Date: 2020-10-16
广州海颐信息安全技术有限公司
7 Cites, 2 Cited by

AI Technical Summary

Problems solved by technology

[0003] 1. The various security devices and security analysis software and hardware produce a large volume of alarm information with a high false-alarm rate; false alarms consume much of the effort of security operations and maintenance personnel.
[0004] 2. Gateway-type blocking devices and endpoint anti-virus software rely mainly on existing security signature databases to identify attack events, so they cannot identify payload-evasion or encryption-type attacks, nor zero-day vulnerability attacks; as a result, attacks have already achieved their goal before they are discovered.
[0005] 3. The data sources of an in-house security protection center are complex, and data collection may be hampered by the deployment and analysis difficulties caused by huge data volumes, data encryption, incomplete system interfaces, and too many data types that cannot be processed.
[0006] 4. Attending to and protecting against every stage of the whole attack process every day makes the security protection work lose focus and leaves it struggling to cope.




Embodiment Construction

[0031] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0032] In the embodiment of the behavior-based privileged account threat warning method of the present invention, the structural diagram of the method is shown in figure 1. At the beginning of the whole process, auditing must be enabled in the system log of each terminal's operating system, and the log data must be sent to the log data processing interface of the privileged account threat alarm system, includ...


Abstract

The invention discloses a privileged account threat alarm method based on behaviors. The method comprises the following steps: managing the terminal IP address and port used for sending log data to the privileged account threat detection system, periodically checking whether communication is normal, calculating per IP address the ratio of normal communication between each terminal and the privileged account threat alarm system, and counting in real time the data volume uploaded by each terminal and the overall data volume received by the privileged account threat alarm system; processing the received terminal log data; generating a threat alarm strategy; and outputting the alarmed terminal information, the alarm content and the threat status of the privileged account as a report, associating a built-in mail gateway and a short message gateway, and sending summarised alarm information to the responsible person in time. According to the method, the false alarm rate is extremely low, deployment and configuration are simple, the alarm strategy is generated by subdividing how the privileged account changes under various attack behaviors, and the situation in which a real attack cannot be warned of early because files such as attack messages and virus Trojans are insufficiently identified is avoided.
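As an added illustration (not code from the patent or its applicant), the following Python sketches the first step of the abstract: registering each terminal's IP and port, recording periodic communication checks, computing the per-IP normal-communication ratio, and totalling uploaded log bytes per terminal and overall. The 0.9 threshold, port 514 and the sample IPs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class TerminalStats:
    ip: str
    port: int
    checks: int = 0          # periodic reachability checks performed
    ok: int = 0              # checks that found communication normal
    bytes_uploaded: int = 0  # log bytes received from this terminal

    @property
    def normal_ratio(self) -> float:
        return self.ok / self.checks if self.checks else 0.0

class FeedMonitor:
    """Per-IP log-feed health, the abstract's first step (constructed example)."""

    def __init__(self, min_ratio: float = 0.9) -> None:
        self.min_ratio = min_ratio  # assumed threshold, not taken from the patent
        self.terminals: dict[str, TerminalStats] = {}
        self.total_bytes = 0        # overall data received by the alarm system

    def register(self, ip: str, port: int) -> None:
        self.terminals[ip] = TerminalStats(ip, port)

    def record_check(self, ip: str, reachable: bool) -> None:
        self.terminals[ip].checks += 1
        self.terminals[ip].ok += int(reachable)

    def record_upload(self, ip: str, nbytes: int) -> None:
        self.terminals[ip].bytes_uploaded += nbytes
        self.total_bytes += nbytes

    def degraded_terminals(self) -> list[str]:
        # A source whose ratio drops below the threshold may be missing the
        # very audit events the privileged-account rules depend on.
        return sorted(ip for ip, t in self.terminals.items()
                      if t.checks and t.normal_ratio < self.min_ratio)

def demo() -> FeedMonitor:
    """Constructed sample: two terminals over ten check cycles."""
    m = FeedMonitor()
    for ip in ("10.0.0.11", "10.0.0.12"):
        m.register(ip, 514)
    for i in range(10):
        m.record_check("10.0.0.11", True)
        m.record_check("10.0.0.12", i < 6)  # only 6 of 10 checks succeed
    m.record_upload("10.0.0.11", 4096)
    m.record_upload("10.0.0.12", 512)
    return m
```

A terminal that drops out of `degraded_terminals()` only once its checks recover is the one to investigate first: a partly unreachable log source is itself a gap in privileged-account coverage.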

Description

Technical field

[0001] The invention relates to the field of threat detection and analysis for privileged accounts, in particular to a behavior-based threat warning method for privileged accounts.

Background technique

[0002] In the various attack events of information security, the intruder's attack process is basically consistent with the well-known Lockheed Martin "kill chain" process. The attack process can be summarised as: reconnaissance and probing, weaponisation, payload delivery, exploitation, implantation, command and control, and finally the objective. Current network security protection measures are basically deployed and implemented around each link of the kill chain, in the hope of detecting or preventing such attacks in advance. After a relatively complete set of security solutions and security devices has been deployed, most security attacks can be blocked, but this in turn brings new problems. [0003] 1. All kinds of security equipment and security analy...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/24
CPC: H04L63/1416, H04L63/20, H04L41/142
Inventors: 张子通, 潘明政
Owner: 广州海颐信息安全技术有限公司