Terminal behavior alarm traceability analysis method, device, equipment and medium

Abstract

The invention discloses a terminal behavior alarm traceability analysis method, device and equipment and a medium, and the method comprises the steps: monitoring terminal behavior data, carrying out the real-time reading and analysis of the terminal behavior data, obtaining a behavior log, and storing the behavior log in a local database; taking predefined behavior characteristics as preset alarm rules to carry out matching collision with the behavior log to obtain a collision record result; performing automatic context traceability according to the alarm point of the collision record result to form a traceability chain, and automatically submitting the traceability chain to a data platform; and performing risk grade evaluation on the traceability chain through the data platform. Therefore, the data of the traceability chain is analyzed and processed, the risk level of the data is evaluated, powerful data support and judgment basis are provided for alarm behaviors, the event relevance and accuracy of risk alarm can be improved, behavior log records of the risk alarm events are obtained, the tedious processes of manual retrieval analysis, manual study and judgment and manual traceability are reduced, the detection rate is improved, and the false alarm rate is reduced.

Description

technical field [0001] The present invention relates to the field of communication technologies, in particular to a method, device, equipment and medium for source traceability and analysis of terminal behavior alarms. Background technique [0002] In the actual application scenarios of terminal security products, a large number of various high, medium and low risk alarms will be generated. When security workers need to make decisions on these single alarms, they may not be 100% sure whether the risk alarms are normal behaviors or real. Attack penetration behavior requires in-depth investigation and research with other products or artificial terminals, or a large number of alarms encountered are false positives. Excessive security alarms or false positives will bring risk alarm audit fatigue to security incident handling. [0003] At present, current technologies use malicious file rule features or Indicator Of Compromise (IOC) for real-time traceability. The traceability da...

AI Technical Summary

Problems solved by technology

[0002] In the actual application scenarios of terminal security products, a large number of various high, medium and low risk alarms will be generated. When security workers need to make decisions on these single alarms, they may not be 100% sure whether the risk alarms are normal behaviors or real. Attack and penetration behavior requires in-depth investigation and research in conjunction with other products or artificial terminals, or a large number of alarms encountered are false positives. Excessive security alarms or false positives bring risks to security incident handling Alarm audit fatigue

[0003] At present, current technologies use malicious file rule features or Indicator Of Compromise (IOC) for real-time traceability. The traceability data is reported as a single alarm. Re-trace or conduct a second full trace of a certain alarm or risk point

Images