Network security detection method, device and equipment and storage medium

By acquiring and analyzing the multi-dimensional characteristics of electronic devices, and using RASP detection and security detection to generate network attack chains, the problem of low reliability in network security detection is solved, and more efficient attack identification and response are achieved.

CN115811418BActive Publication Date: 2026-07-03AGRICULTURAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
AGRICULTURAL BANK OF CHINA
Filing Date
2022-11-15
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing technologies, the reliability of network security detection for electronic devices is low, especially in the case of memory Webshell attacks, where it is difficult to distinguish between business characteristics and memory Webshell characteristics, resulting in a high false positive rate.

Method used

By acquiring the operational characteristics, traffic characteristics, and host characteristics of electronic devices, RASP detection is performed on the operational characteristics, and security detection is performed by combining the traffic characteristics and host characteristics to generate a multi-dimensional network attack chain and determine the target security detection results.

Benefits of technology

It improves the reliability of network security detection, enables more accurate identification and response to network attacks, reduces false alarms, and enhances the security of electronic devices.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115811418B_ABST
    Figure CN115811418B_ABST
Patent Text Reader

Abstract

This application provides a network security detection method, apparatus, device, and storage medium. The method includes: acquiring the operating characteristics, traffic characteristics, and host characteristics of the electronic device; performing Application Runtime Self-Protection (RASP) detection on the operating characteristics to obtain at least one first sub-event; and performing security detection on the traffic characteristics and the host characteristics to obtain at least one second sub-event; determining at least one first network attack event based on the at least one first sub-event and the at least one second sub-event; and determining the target security detection result of the electronic device based on the at least one first network attack event. This improves the reliability of network security detection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer security, and more particularly to a network security detection method, apparatus, device, and storage medium. Background Technology

[0002] Currently, hackers can attack electronic devices through memory webshells (memory backdoors). For example, a hacker can store a memory webshell in the memory of an electronic device and control the device through the memory webshell to achieve an attack.

[0003] Electronic devices can undergo security testing to avoid being attacked by memory-based webshells. In related technologies, electronic devices can perform security testing by acquiring the characteristics of a memory-based webshell and then performing feature detection in memory based on these characteristics to determine whether a memory-based webshell exists. However, in this process, because some business characteristics are quite similar to those of memory-based webshells in practical applications, there is a possibility that business characteristics might be mistakenly identified as those of a memory-based webshell, leading to low reliability of network security testing. Summary of the Invention

[0004] This application provides a network security detection method, apparatus, device, and storage medium to address the problem of low reliability in network security detection.

[0005] In a first aspect, embodiments of this application provide a network security detection method applied to electronic devices, the method comprising:

[0006] Obtain the operating characteristics, traffic characteristics, and host characteristics of the electronic device;

[0007] The runtime self-protection RASP detection is performed on the runtime characteristics to obtain at least one first sub-event, and the traffic characteristics and the host characteristics are security detected to obtain at least one second sub-event;

[0008] Based on the at least one first sub-event and the at least one second sub-event, at least one first network attack event is determined;

[0009] Based on the at least one first network attack event, determine the target security detection result of the electronic device.

[0010] In one possible implementation, determining at least one first network attack event based on the at least one first sub-event and the at least one second sub-event includes:

[0011] Obtain a first correspondence, which includes multiple network attack events and at least one sub-event corresponding to each network attack event;

[0012] The at least one first network attack event is determined based on the at least one first sub-event, the at least one second sub-event, and the first correspondence.

[0013] In one possible implementation, determining the at least one first network attack event based on the at least one first sub-event, the at least one second sub-event, and the first correspondence includes:

[0014] Based on the at least one first sub-event and the first correspondence, a second network attack event corresponding to each first sub-event is determined, wherein the at least one sub-event corresponding to the second network attack event includes the first sub-event;

[0015] Based on the at least one second sub-event and the first correspondence, a third network attack event corresponding to each second sub-event is determined, wherein the at least one sub-event corresponding to the third network attack event includes the second sub-event;

[0016] Determining the at least one first network attack event includes: a second network attack event corresponding to each first sub-event, and a third network attack event corresponding to each second sub-event.

[0017] In one possible implementation, determining the target security detection result of the electronic device based on the at least one first network attack event includes:

[0018] Determine the exact time of occurrence for each initial network attack event;

[0019] Based on the at least one first network attack event and the time of occurrence of each first network attack event, a first network attack chain corresponding to the electronic device is generated;

[0020] The target security detection result is determined based on the first network attack chain.

[0021] In one possible implementation, determining the target security detection result based on the first network attack chain includes:

[0022] Obtain a second correspondence, which includes multiple network attack chains and the security detection results corresponding to each network attack chain;

[0023] The target security detection result is determined based on the first network attack chain and the second correspondence.

[0024] In one possible implementation, RASP detection is performed on the runtime characteristics to obtain at least one first sub-event, including:

[0025] The at least one first sub-event is obtained by performing at least one of the following detections on the runtime characteristics: key API tracking detection, stack context detection, command execution detection, static feature detection, or memory analysis and download detection;

[0026] The first sub-event includes at least one of the following: suspected memory backdoor sub-event, suspicious command execution sub-event, suspected backdoor encrypted communication traffic sub-event, or vulnerability exploitation sub-event.

[0027] In one possible implementation, security detection is performed on the traffic characteristics and the host characteristics to obtain at least one second sub-event, including:

[0028] Perform at least one of the following detections on the traffic characteristics and the host characteristics to obtain the at least one second sub-event: boundary-side threat traffic characteristic detection or host virus detection;

[0029] The at least one second sub-event includes at least one of the following: a vulnerability exploitation sub-event or a file backdoor sub-event.

[0030] Secondly, embodiments of this application provide a network security detection device applied to electronic devices. The device includes: an acquisition module, a processing module, a first determination module, and a second determination module, wherein...

[0031] The acquisition module is used to acquire the operating characteristics, traffic characteristics, and host characteristics of the electronic device;

[0032] The processing module is used to perform application runtime self-protection (RASP) detection on the running characteristics to obtain at least one first sub-event, and to perform security detection on the traffic characteristics and the host characteristics to obtain at least one second sub-event.

[0033] The first determining module is configured to determine at least one first network attack event based on the at least one first sub-event and the at least one second sub-event;

[0034] The second determining module is used to determine the target security detection result of the electronic device based on the at least one first network attack event.

[0035] In one possible implementation, the first determining module is specifically used for:

[0036] Obtain a first correspondence, which includes multiple network attack events and at least one sub-event corresponding to each network attack event;

[0037] The at least one first network attack event is determined based on the at least one first sub-event, the at least one second sub-event, and the first correspondence.

[0038] In one possible implementation, the first determining module is specifically used for:

[0039] Based on the at least one first sub-event and the first correspondence, a second network attack event corresponding to each first sub-event is determined, wherein the at least one sub-event corresponding to the second network attack event includes the first sub-event;

[0040] Based on the at least one second sub-event and the first correspondence, a third network attack event corresponding to each second sub-event is determined, wherein the at least one sub-event corresponding to the third network attack event includes the second sub-event;

[0041] Determining the at least one first network attack event includes: a second network attack event corresponding to each first sub-event, and a third network attack event corresponding to each second sub-event.

[0042] In one possible implementation, the second determining module is specifically used for:

[0043] Determine the exact time of occurrence for each initial network attack event;

[0044] Based on the at least one first network attack event and the time of occurrence of each first network attack event, a first network attack chain corresponding to the electronic device is generated;

[0045] The target security detection result is determined based on the first network attack chain.

[0046] In one possible implementation, the second determining module is specifically used for:

[0047] Obtain a second correspondence, which includes multiple network attack chains and the security detection results corresponding to each network attack chain;

[0048] The target security detection result is determined based on the first network attack chain and the second correspondence.

[0049] In one possible implementation, the processing module is specifically used for:

[0050] The at least one first sub-event is obtained by performing at least one of the following detections on the runtime characteristics: key API tracking detection, stack context detection, command execution detection, static feature detection, or memory analysis and download detection;

[0051] The first sub-event includes at least one of the following: suspected memory backdoor sub-event, suspicious command execution sub-event, suspected backdoor encrypted communication traffic sub-event, or vulnerability exploitation sub-event.

[0052] In one possible implementation, the processing module is specifically used for:

[0053] Perform at least one of the following detections on the traffic characteristics and the host characteristics to obtain the at least one second sub-event: boundary-side threat traffic characteristic detection or host virus detection;

[0054] The at least one second sub-event includes at least one of the following: a vulnerability exploitation sub-event or a file backdoor sub-event.

[0055] Thirdly, this application provides an electronic device, including: a memory and a processor;

[0056] The memory stores computer-executed instructions;

[0057] The processor executes computer execution instructions stored in the memory, causing the processor to perform the network security detection method according to any one of the first aspects.

[0058] Fourthly, this application provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the network security detection method described in any of the first aspects.

[0059] This application provides a network security detection method, apparatus, device, and storage medium. After acquiring the operational characteristics, traffic characteristics, and host characteristics of an electronic device, it can perform Runtime Application Self-Protection (RASP) detection on the operational characteristics to obtain at least one first sub-event, and perform security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event. After obtaining a first correspondence, it can determine a second network attack event corresponding to each first sub-event based on the at least one first sub-event and the first correspondence, and determine a third network attack event corresponding to each second sub-event based on the at least one second sub-event and the first correspondence. After determining each first network attack event, it can generate a first network attack chain corresponding to the electronic device based on the at least one first network attack event and the event occurrence time of each first network attack event. Based on the first network attack chain and the second correspondence, the target security detection result can be determined. After acquiring the multi-dimensional characteristics of the electronic device, the multi-dimensional characteristics can be detected to reconstruct the first network attack chain. The first network attack chain can be combined with the feature weights to adjust the target security detection result, improving the reliability of network security detection. Attached Figure Description

[0060] Figure 1 A schematic diagram illustrating the application scenarios provided in the embodiments of this application;

[0061] Figure 2 A flowchart illustrating the network security detection method provided in this application embodiment;

[0062] Figure 3 A flowchart illustrating another network security detection method provided in this application embodiment;

[0063] Figure 4 This is a schematic diagram illustrating the network security detection process provided in an embodiment of this application.

[0064] Figure 5 This is a schematic diagram of the structure of a network security detection device provided in an embodiment of this application;

[0065] Figure 6 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0066] Figure 1 This is a schematic diagram illustrating an application scenario provided in an embodiment of this application. Please refer to [link / reference]. Figure 1The attack device 101 and the target device 102 are included. The attack device 101 can send operation commands to the target device 102 through a memory Webshell to obtain control of the target device 102, so as to carry out a network attack on the target device 102.

[0067] Target device 102 can perform network security detection to determine whether the attacked device 101 is conducting a network attack. After the target device detects that the attacked device 101 is conducting a network attack, the target device 102 can issue an alarm, block a memory-based webshell, etc.

[0068] In related technologies, electronic devices can undergo security detection by acquiring the characteristics of a memory-based webshell, performing feature detection in memory based on these characteristics, and determining the presence of a memory-based webshell through the detection results. However, in this process, because some business characteristics are quite similar to those of a memory-based webshell in practical applications, there is a possibility that business characteristics might be mistakenly identified as those of a memory-based webshell, leading to low reliability of network security detection.

[0069] In this embodiment, the electronic device can acquire its operational characteristics, traffic characteristics, and host characteristics, and then perform RASP detection on the operational characteristics and security detection on the traffic and host characteristics to determine the target security detection result of the electronic device. By combining the multi-dimensional characteristics of the electronic device, multi-dimensional detection is performed, improving the reliability of network security detection.

[0070] The method described in this application will now be illustrated through specific embodiments. It should be noted that the following embodiments may exist independently or in combination with each other; identical or similar content will not be repeated in different embodiments.

[0071] Figure 2 This is a flowchart illustrating the network security detection method provided in an embodiment of this application. Please refer to... Figure 2 The method may include:

[0072] S201. Obtain the operating characteristics, traffic characteristics, and host characteristics of the electronic device.

[0073] The execution subject of this application embodiment can be an electronic device or a network security detection device installed in an electronic device. The network security detection device can be implemented by software or by a combination of software and hardware.

[0074] The electronic device can be the target device 102 in the application scenario.

[0075] Runtime characteristics refer to the characteristics generated when electronic devices perform business processing. Runtime characteristics can include features such as instrumentation features for key application programming interfaces (APIs), stack context features, command execution features, static features of memory-based webshells, and memory analysis and download features.

[0076] Traffic characteristics refer to the traffic features generated by electronic devices during communication. Traffic characteristics can include the traffic characteristics of Webshell communication.

[0077] Host characteristics can refer to the characteristics of executable files, deserialization, and other command execution classes in an electronic device. Host characteristics can include file webshell characteristics, deserialization characteristics, and other command execution class characteristics.

[0078] It can acquire the operating characteristics, traffic characteristics, and host characteristics of electronic devices in real time or periodically.

[0079] For example, the acquired operational characteristics, traffic characteristics, and host characteristics can be shown in Table 1.

[0080] Table 1

[0081] Operating characteristics Flow characteristics Host characteristics Operating Feature 1 Flow characteristic 1 Host Feature 1 Operating Feature 2 Flow characteristic 2 Host Feature 2 …… …… ……

[0082] S202. Perform RASP detection on the operation characteristics to obtain at least one first sub-event, and perform security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event.

[0083] RASP detection can include at least one of the following: key API tracking detection, stack context detection, command execution detection, static feature detection, or memory analysis and download detection.

[0084] At least one first sub-event may include at least one of the following: suspected memory Webshell sub-event, suspicious command execution sub-event, suspected Webshell encrypted communication traffic sub-event, or vulnerability exploitation sub-event.

[0085] Security detection may include at least one of the following: border-side threat traffic signature detection or host virus detection.

[0086] At least one second sub-event includes at least one of the following: an exploit sub-event or a file webshell sub-event.

[0087] RASP detection can be performed on the running features. If the running feature is found to be the same as the feature of any sub-event, then at least one first sub-event is obtained.

[0088] For example, assuming that the running features include running feature 1, running feature 2 and running feature 3, if RASP detection is performed on the running features and it is found that running feature 1 has the same feature as sub-event 1 and running feature 2 has the same feature as sub-event 2, then the first sub-event is obtained as sub-event 1 and sub-event 2.

[0089] Security detection can be performed on traffic characteristics and host characteristics. If the traffic characteristics and host characteristics are the same as the characteristics of any sub-event, then at least one second sub-event is obtained.

[0090] For example, suppose the traffic characteristics include traffic characteristic 1 and traffic characteristic 2, and the host characteristics include host characteristic 1 and host characteristic 2. If security detection is performed on the traffic characteristics and host characteristics, and it is detected that traffic characteristic 1 has the same characteristics as sub-event 3, then the second sub-event is obtained as sub-event 3.

[0091] S203. Based on at least one first sub-event and at least one second sub-event, determine at least one first network attack event.

[0092] The first network attack event refers to the attack events at different stages during the network attack process of electronic devices. The first network attack event can include attack events that are preceded by memory Webshell activities, attack events that inject memory Webshells, and attack events that execute memory Webshells.

[0093] At least one first network attack event can be determined as follows: obtain a first correspondence, which includes multiple network attack events and at least one sub-event corresponding to each network attack event; determine at least one first network attack event based on at least one first sub-event, at least one second sub-event, and the first correspondence.

[0094] For example, assuming the first sub-event is sub-event 1 and the second sub-event is sub-event 2, and the first correspondence is that sub-event 1 corresponds to network attack event 1 and sub-event 2 corresponds to network attack event 2, then the first network attack event can be determined to be network attack event 1 and network attack event 2.

[0095] S204. Based on at least one first network attack event, determine the target security detection result of the electronic device.

[0096] The results of target security detection can include whether a memory webshell definitely exists, whether a memory webshell is highly likely to exist, and whether attack behavior exists.

[0097] The target security detection result of the electronic device can be determined as follows: determine the time of occurrence of each first network attack event; generate a first network attack chain corresponding to the electronic device based on at least one first network attack event and the time of occurrence of each first network attack event; determine the target security detection result based on the first network attack chain.

[0098] The first network attack events can be arranged in chronological order of their occurrence, from earliest to latest. Based on the order of these first attack events, the first network attack chain can be determined.

[0099] For example, suppose the first network attack events are network attack event 1 and network attack event 2, and the time of occurrence of network attack event 1 is earlier than the time of occurrence of network attack event 2, then the first network attack chain is: network attack event 1 and network attack event 2.

[0100] The network security detection method provided in this application, after acquiring the operational characteristics, traffic characteristics, and host characteristics of an electronic device, can perform RASP detection on the operational characteristics to obtain at least one first sub-event, and can perform security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event. Based on at least one first sub-event and at least one second sub-event, at least one first network attack event can be determined, and then the target security detection result of the electronic device can be determined. In the above process, after acquiring multi-dimensional characteristics of the electronic device, multi-dimensional detection of the electronic device is performed, and the target security detection result can be determined based on the obtained at least one network attack event, thereby improving the reliability of network security detection.

[0101] Below, in conjunction with Figure 3 The network security detection method shown in the embodiments of this application will be further described in detail.

[0102] Figure 3 This is a flowchart illustrating the network security detection method provided in an embodiment of this application. Please refer to... Figure 3 The method may include:

[0103] S301. Obtain the operating characteristics, traffic characteristics, and host characteristics of the electronic device.

[0104] The execution process of S301 can be found in the execution process of S201, and will not be repeated here.

[0105] S302. Perform RASP detection on the running characteristics to obtain at least one first sub-event.

[0106] At least one of the following detection methods can be performed on the runtime characteristics to obtain at least one first sub-event: key API instrumentation detection, stack context detection, command execution detection, static feature detection, or memory analysis and download detection.

[0107] Key API tracking detection can include input parameter feature detection and method call feature detection.

[0108] Stack context detection can include detecting preset keyword features of the stack context. Preset keywords may include defaultReadObject, getRuntime, and exec.

[0109] Command execution detection can include detecting the characteristics of the executed command and detecting the source characteristics of the executed command. The characteristics of the executed command can include the characteristics of clearing history and the characteristics of executing without leaving history.

[0110] Static feature detection can include class name feature detection in memory.

[0111] Memory analysis and download detection can include analyzing and detecting bytecode features.

[0112] Among them, at least one first sub-event may include at least one of the following: suspected memory Webshell sub-event, suspicious command execution sub-event, suspected Webshell encrypted communication traffic sub-event, or vulnerability exploitation sub-event.

[0113] S303. Perform security detection on traffic characteristics and host characteristics to obtain at least one second sub-event.

[0114] At least one of the following detections can be performed on traffic characteristics and host characteristics to obtain at least one second sub-event: boundary-side threat traffic characteristic detection or host virus detection.

[0115] Border-side threat traffic signature detection can include detecting the characteristics of newly added URLs in encrypted communications and the traffic signatures of Java deserialization vulnerability exploits.

[0116] Host virus detection can include command execution signature detection and file webshell detection.

[0117] Among them, at least one second sub-event includes at least one of the following: exploit sub-event or file webshell sub-event.

[0118] By performing key API tracking detection, stack context detection, and memory analysis and download detection on electronic devices, any one of the following characteristics—key API call features, stack context anomaly features, or static Webshell features in memory—can yield a suspected memory Webshell sub-event.

[0119] By performing command execution detection on electronic devices, any detected command execution feature can yield a suspicious command execution sub-event.

[0120] By performing boundary-side threat traffic signature detection on electronic devices, any boundary-side threat traffic signature detected can yield suspected Webshell encrypted communication traffic sub-events and vulnerability exploitation sub-events.

[0121] By performing stack context inspection on electronic devices, any detected stack context feature can lead to a vulnerability exploit sub-event.

[0122] When performing host virus detection on electronic devices, detecting any host virus signature can generate a file Webshell sub-event.

[0123] S304. Obtain the first correspondence.

[0124] The first correspondence may include multiple network attack events and at least one sub-event corresponding to each network attack event.

[0125] For example, the first correspondence can be shown in Table 2.

[0126] Table 2

[0127] Cyberattack subevent Network attack incident A Sub-event 1, sub-event 2 Cyberattack Incident B Sub-event 2, sub-event 3, sub-event 4 Network attack incident C Sub-event 1, sub-event 5 …… ……

[0128] S305. Based on at least one first sub-event and a first correspondence, determine the second network attack event corresponding to each first sub-event.

[0129] The first sub-event may be included in at least one sub-event corresponding to the second network attack event.

[0130] For any first sub-event, the corresponding second network attack event can be queried in the first correspondence.

[0131] For example, assuming the first sub-event is sub-event 1, and the first object relationship is shown in Table 2, then the network attack events corresponding to sub-event 1 can be found in Table 2, including network attack event A and network attack event C.

[0132] S306. Based on the correspondence between at least one second sub-event and the first, determine the third network attack event corresponding to each second sub-event.

[0133] The third network attack event may include at least one sub-event, which may include the second sub-event.

[0134] For any second sub-event, the corresponding third network attack event can be queried in the first correspondence.

[0135] For example, assuming the second sub-event is sub-event 2, and the first object relationship is shown in Table 2, then the network attack events corresponding to sub-event 2 can be found in Table 2, including network attack event A and network attack event B.

[0136] S307. Determining at least one first network attack event includes: a second network attack event corresponding to each first sub-event, and a third network attack event corresponding to each second sub-event.

[0137] For example, assuming the first sub-event is sub-event 1, the second sub-event is sub-event 3 and sub-event 5, the first correspondence can be shown in Table 2. The second network attack event corresponding to the first sub-event is network attack event A, and the third network attack event corresponding to the second sub-event is network attack event B and network attack event C. Then the first network attack event includes network attack event A, network attack event B and network attack event C.

[0138] S308. Determine the time of occurrence of each first network attack event.

[0139] For any given first network attack event, the time of occurrence of the first network attack event can be determined as follows: determine at least one sub-event corresponding to the first network attack event, determine the occurrence time of each sub-event, and determine the earliest occurrence time of the sub-events as the occurrence time of the first network attack event.

[0140] For example, suppose the first network attack event corresponds to three sub-events, and the occurrence times of these three sub-events and each sub-event's sub-events are shown in Table 3:

[0141] Table 3

[0142] subevent Sub-event occurrence time Sub event 1 t1 Sub event 2 t2 Sub event 3 t3

[0143] Please refer to Table 3. If time t1 is earlier than time t2 and time t3, then the time of occurrence of the first network attack event is determined to be t1.

[0144] S309. Generate a first network attack chain corresponding to the electronic device based on at least one first network attack event and the time of occurrence of each first network attack event.

[0145] The first network attack chain can be determined as follows: sort at least one first network attack event according to the order of its occurrence from earliest to latest, and determine the sorted at least one first network attack event as the first network attack chain.

[0146] For example, suppose there are at least three first network attack events, and the three first network attack events and the time of occurrence of each network are shown in Table 4:

[0147] Table 4

[0148] First cyberattack incident When the incident occurred Cyberattack Incident 1 8:00 Cyberattack Incident 2 8:18 Cyberattack Incident 3 8:12

[0149] Please refer to Table 4. According to the order of the events from earliest to latest, the order of the three first network attack events is: network attack event 1, network attack event 3, and network attack event 2. Therefore, the first network attack chain can be determined as: network attack event 1, network attack event 3, and network attack event 2.

[0150] S310, Obtain the second correspondence.

[0151] The second correspondence can include multiple network attack chains and the security detection results corresponding to each network attack chain.

[0152] For example, the second correspondence can be shown in Table 5.

[0153] Table 5

[0154] Multiple network attack chains Safety inspection results Event A, Event B, Event C An in-memory webshell must exist. Event A, Event B There is a high probability that an in-memory webshell exists. Event A, Event C Webshell is highly likely to exist. Event B, Event C There is a high probability that an in-memory webshell exists. Event A Attack behavior exists Event B Attack behavior exists Event C Attack behavior exists

[0155] S311. Determine the target security detection result based on the first network attack chain and the second correspondence.

[0156] The target security detection result can be found in the second correspondence based on the first network attack chain.

[0157] For example, assuming the first network attack chain consists of events A, B, and C, then it can be determined that the target security outcome is that a memory-based webshell definitely exists.

[0158] Optionally, the actions to be performed by the electronic device can be determined based on the target security detection results.

[0159] The actions to be performed can include issuing an alarm or blocking an action.

[0160] Optionally, if the target security check results indicate that a memory-based webshell definitely exists, the actions to be performed by the electronic device can be determined based on the overall weight of the first network attack chain.

[0161] The overall weight of the first network attack chain can be determined by multiplying the weight of the sub-event corresponding to the first network attack event with the weight of the first network attack chain.

[0162] For example, suppose the first sub-event is sub-event 1 and sub-event 5, the second sub-event is sub-event 3, the weight of sub-event 1 is 3, the weight of sub-event 2 is 2, the weight of sub-event 5 is 1, the first network attack chain is event A, event B and event C, and the weight of the first network attack chain is 8. Then the overall weight of the network attack chain is 48.

[0163] Optionally, if the overall weight of the first network attack chain is greater than or equal to a preset threshold, the electronic device will perform a blocking action.

[0164] Optionally, if the overall weight of the first network attack chain is less than a preset threshold, the electronic device will perform an alarm action.

[0165] Optionally, if the target security check results indicate that there is a high probability of a memory webshell and that there is attack behavior, the electronic device will perform an alarm action.

[0166] The network security detection method provided in this application, after acquiring the operational characteristics, traffic characteristics, and host characteristics of an electronic device, can perform RASP detection on the operational characteristics to obtain at least one first sub-event, and perform security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event. After obtaining a first correspondence, a second network attack event corresponding to each first sub-event can be determined based on the at least one first sub-event and the first correspondence, and a third network attack event corresponding to each second sub-event can be determined based on the at least one second sub-event and the first correspondence. After determining each first network attack event, a first network attack chain corresponding to the electronic device can be generated based on the at least one first network attack event and the event occurrence time of each first network attack event. The target security detection result can be determined based on the first network attack chain and the second correspondence. In the above process, after acquiring the multi-dimensional characteristics of the electronic device, the multi-dimensional characteristics can be detected, the first network attack chain can be reconstructed, and the target security detection result can be adjusted by combining the weights of the features in the first network attack chain, thereby improving the reliability of network security detection.

[0167] Figure 4 This is a schematic diagram illustrating the network security detection process provided in an embodiment of this application. Please refer to... Figure 4 In practical applications, after obtaining the operating characteristics, traffic characteristics, and host characteristics of electronic devices, the operating characteristics can be processed through RASP detection to determine the first sub-event. RASP detection includes key API point detection, stack context detection, command execution detection, static feature detection, and memory analysis and download.

[0168] Security detection can be used to process traffic and host characteristics to identify the second sub-event. Security detection includes traffic characteristic detection and host virus / Trojan monitoring.

[0169] The first network attack event can be determined based on the first and second sub-events. The first network attack event includes network attack event A, network attack event B, and network attack event C. Sub-events include a file-based webshell sub-event, a vulnerability exploitation sub-event, a suspected memory-based webshell sub-event, a suspected webshell encrypted communication traffic sub-event, and a suspicious command sub-event. Network attack event A is determined based on the file-based webshell and vulnerability exploitation sub-events; network attack event B is determined based on the suspected memory-based webshell sub-event; and network attack event C is determined based on the suspected webshell encrypted communication traffic sub-event and the suspicious command sub-event.

[0170] Based on the identification of the first network attack event, the first network attack chain is defined as: network attack event A, network attack event B, and network attack event C. The corresponding target security detection results can be determined based on this first network attack chain. The security detection results include executing alert actions and executing blocking actions.

[0171] Figure 5 This is a schematic diagram of the structure of a network security detection device 10 provided in an embodiment of this disclosure. Please refer to... Figure 5 The network security detection device may include an acquisition module 11, a processing module 12, a first determination module 13, and a second determination module 14, wherein...

[0172] The acquisition module 11 is used to acquire the operating characteristics, traffic characteristics, and host characteristics of the electronic device;

[0173] The processing module 12 is used to perform RASP detection on the running characteristics to obtain at least one first sub-event, and to perform security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event;

[0174] The first determining module 13 is used to determine at least one first network attack event based on at least one first sub-event and at least one second sub-event;

[0175] The second determining module 14 is used to determine the target security detection result of the electronic device based on at least one first network attack event.

[0176] The network security detection device provided in this application embodiment can execute the technical solution shown in the above method embodiment. Its implementation principle and beneficial effects are similar, and will not be repeated here.

[0177] In one possible implementation, the first determining module 13 is specifically used for:

[0178] Obtain the first correspondence, which includes multiple network attack events and at least one sub-event corresponding to each network attack event;

[0179] At least one first network attack event is determined based on at least one first sub-event, at least one second sub-event, and a first correspondence.

[0180] In one possible implementation, the first determining module 13 is specifically used for:

[0181] Based on at least one first sub-event and a first correspondence, determine the second network attack event corresponding to each first sub-event, wherein the first sub-event corresponding to the second network attack event includes the first sub-event;

[0182] Based on at least one second sub-event and the first correspondence, a third network attack event corresponding to each second sub-event is determined, wherein the at least one sub-event corresponding to the third network attack event includes the second sub-event;

[0183] Identifying at least one first network attack event includes: a second network attack event corresponding to each first sub-event, and a third network attack event corresponding to each second sub-event.

[0184] In one possible implementation, the second determining module 14 is specifically used for:

[0185] Determine the exact time of occurrence for each initial network attack event;

[0186] Based on at least one first network attack event and the time of occurrence of each first network attack event, a first network attack chain corresponding to the electronic device is generated;

[0187] The target security detection result is determined based on the first network attack chain.

[0188] In one possible implementation, the second determining module 14 is specifically used for:

[0189] Obtain the second correspondence, which includes multiple network attack chains and the security detection results corresponding to each network attack chain;

[0190] The target security detection result is determined based on the first network attack chain and the second correspondence.

[0191] In one possible implementation, the processing module 12 is specifically used for:

[0192] Perform at least one of the following detections on the runtime characteristics to obtain at least one first sub-event: key API instrumentation detection, stack context detection, command execution detection, static feature detection, or memory analysis and download detection;

[0193] Among them, at least one first sub-event includes at least one of the following: suspected memory backdoor sub-event, suspicious command execution sub-event, suspected backdoor encrypted communication traffic sub-event, or vulnerability exploitation sub-event.

[0194] In one possible implementation, the processing module 12 is specifically used for:

[0195] Perform at least one of the following detections on traffic characteristics and host characteristics to obtain at least one second sub-event: boundary-side threat traffic characteristic detection or host virus detection;

[0196] Among them, at least one second sub-event includes at least one of the following: a vulnerability exploit sub-event or a file backdoor sub-event.

[0197] The network security detection device provided in this application embodiment can execute the technical solution shown in the above method embodiment. Its implementation principle and beneficial effects are similar, and will not be repeated here.

[0198] This application provides a schematic diagram of the structure of an electronic device. Please refer to [link / reference]. Figure 6 The electronic device 20 may include a processor 21 and a memory 22. Exemplarily, the processor 21 and the memory 22 are interconnected via a bus 23.

[0199] Memory 22 stores instructions executed by the computer;

[0200] The processor 21 executes computer execution instructions stored in the memory 22, causing the processor 21 to perform the network security detection method as shown in the above method embodiment.

[0201] Accordingly, embodiments of this application provide a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the network security detection method of the above-described method embodiments.

[0202] Accordingly, embodiments of this application may also provide a computer program product, including a computer program, which, when executed by a processor, can implement the network security detection method shown in the above method embodiments.

[0203] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0204] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0205] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0206] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0207] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0208] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0209] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0210] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.

[0211] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.

Claims

1. A network security detection method, characterized in that, Applied to electronic devices, the method includes: The operation characteristics, traffic characteristics, and host characteristics of the electronic device are obtained. The operation characteristics include key application programming interface (API) embedding characteristics, stack context characteristics, command execution characteristics, static characteristics of memory Webshell, and memory analysis and download characteristics. The traffic characteristics include the characteristics of newly added URLs for encrypted communication and the traffic characteristics of Java deserialization vulnerability exploitation. The host characteristics include file Webshell characteristics, deserialization characteristics, and command execution class characteristics. The system performs Runtime Self-Protection (RASP) detection on the aforementioned runtime characteristics to obtain at least one first sub-event. It also performs security detection on the traffic characteristics and host characteristics to obtain at least one second sub-event, including: performing critical API tracking detection, stack context detection, and memory analysis and download detection; detecting any of the following characteristics—critical API call characteristics, stack context anomaly characteristics, or static Webshell characteristics in memory—to obtain a suspected memory Webshell sub-event; performing command execution detection; detecting any command execution characteristic to obtain a suspicious command execution sub-event; performing boundary-side threat traffic characteristic detection; detecting any boundary-side threat traffic characteristic to obtain a suspected Webshell encrypted communication traffic sub-event and a vulnerability exploitation sub-event; performing stack context detection; detecting any stack context characteristic to obtain a vulnerability exploitation sub-event; and performing host virus detection; detecting any host virus characteristic to obtain a file Webshell sub-event. Obtain a first correspondence, which includes multiple network attack events and at least one sub-event corresponding to each network attack event; determine the at least one first network attack event based on the at least one first sub-event, the at least one second sub-event, and the first correspondence, wherein the first network attack event includes attack events that precede memory Webshell activities, attack events that inject memory Webshell, and attack events that execute memory Webshell. Arrange the at least one first network attack event in chronological order of occurrence, and determine the first network attack chain based on the order of the first attack events. Obtain the second correspondence, which includes multiple network attack chains and the security detection results corresponding to each network attack chain; find the target security detection results in the second correspondence based on the first network attack chain, which include whether a memory Webshell definitely exists, whether a memory Webshell is highly likely to exist, and whether there is attack behavior.

2. The method according to claim 1, characterized in that, Determining the at least one first network attack event based on the at least one first sub-event, the at least one second sub-event, and the first correspondence includes: Based on the at least one first sub-event and the first correspondence, a second network attack event corresponding to each first sub-event is determined, wherein the at least one sub-event corresponding to the second network attack event includes the first sub-event; Based on the at least one second sub-event and the first correspondence, a third network attack event corresponding to each second sub-event is determined, wherein the at least one sub-event corresponding to the third network attack event includes the second sub-event; Determining the at least one first network attack event includes: a second network attack event corresponding to each first sub-event, and a third network attack event corresponding to each second sub-event.

3. The method according to claim 1 or 2, characterized in that, Based on the at least one first network attack event, arranged in chronological order of occurrence, a first network attack chain is determined according to the order of the first attack events, including: Determine the exact time of occurrence for each initial network attack event; A first network attack chain corresponding to the electronic device is generated based on the at least one first network attack event and the time of occurrence of each first network attack event.

4. A network security detection device, characterized in that, Applied to electronic devices, the device includes: an acquisition module, a processing module, a first determination module, and a second determination module, wherein, The acquisition module is used to acquire the operating characteristics, traffic characteristics, and host characteristics of the electronic device. The operating characteristics include key application programming interface (API) embedding characteristics, stack context characteristics, command execution characteristics, memory Webshell static characteristics, and memory analysis and download characteristics. The traffic characteristics include the characteristics of newly added URLs for encrypted communication and the traffic characteristics of Java deserialization vulnerability exploitation. The host characteristics include file Webshell characteristics, deserialization characteristics, and command execution class characteristics. The processing module is used to perform application runtime self-protection (RASP) detection on the runtime characteristics to obtain at least one first sub-event, and to perform security detection on the traffic characteristics and the host characteristics to obtain at least one second sub-event, including: performing key API embedding detection, stack context detection, and memory analysis and download detection, detecting any of the following characteristics: key API call characteristics, stack context anomaly characteristics, or static Webshell characteristics in memory, to obtain a suspected memory Webshell sub-event; performing command execution detection, detecting any command execution characteristic, to obtain a suspicious command execution sub-event; performing boundary-side threat traffic characteristic detection, detecting any boundary-side threat traffic characteristic, to obtain a suspected Webshell encrypted communication traffic sub-event and a vulnerability exploitation sub-event; performing stack context detection, detecting any stack context characteristic, to obtain a vulnerability exploitation sub-event; and performing host virus detection, detecting any host virus characteristic, to obtain a file Webshell sub-event. The first determining module is used to: obtain a first correspondence, the first correspondence including multiple network attack events and at least one sub-event corresponding to each network attack event; determine the at least one first network attack event based on the at least one first sub-event, the at least one second sub-event and the first correspondence; wherein, the first network attack event refers to attack events at different stages during the process of an electronic device being attacked by a network attack, and the first network attack event includes attack events of pre-memory Webshell activities, attack events of injecting a memory Webshell, and attack events of executing a memory Webshell; The second determining module is used to: arrange the at least one first network attack event in chronological order of occurrence, and determine the first network attack chain based on the order of the first attack events; obtain a second correspondence, which includes multiple network attack chains and the security detection result corresponding to each network attack chain; and search for the target security detection result in the second correspondence based on the first network attack chain, whereby the target security detection result includes the existence of a memory Webshell, the high probability of the existence of a memory Webshell, and the presence of attack behavior.

5. An electronic device, characterized in that, include: Memory and processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory, causing the processor to perform the network security detection method as described in any one of claims 1 to 3.

6. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the network security detection method according to any one of claims 1 to 3.