
CN-115643082-B - Method and device for determining collapse host and computer equipment

CN115643082B

Abstract

The embodiment of the application provides a method, a device and computer equipment for determining a compromised host. Malicious domain name detection is run on different types of initial security data collected from the hosts to be detected, suspected hosts are screened out of the hosts to be detected, and a compromised host is then determined from the suspected hosts according to the initial security data of those suspected hosts. Because the method builds on malicious domain name detection and then goes on to confirm compromise from the suspected host's initial security data, it addresses the poor accuracy that results when a host is judged compromised by malicious domain name detection alone.

Inventors

  • Cui ju
  • ZHAO HUAN
  • GAO FENG
  • ZHANG ZHICHAO
  • WANG XIUJUAN

Assignees

  • 北京神州泰岳软件股份有限公司
  • 北京神州泰岳信息安全技术有限公司

Dates

Publication Date
2026-05-12
Application Date
2022-10-20

Claims (8)

  1. A method for determining a compromised host, the method comprising: acquiring initial security data of each host to be detected, wherein the initial security data is data generated while the host to be detected is running, and is basic information, asset data, asset operating data, threat intelligence, behavior log data or network traffic data of the host to be detected, accessed in real time; fusing the initial security data by a heterogeneous data fusion method to obtain target security data; inputting each domain name to be detected in the target security data into a detection model for detecting malicious domain names, and screening suspected hosts out of the hosts to be detected based on the detection results, wherein the domain names to be detected of a suspected host include a malicious domain name, and the detection model is trained on normal domain names and malicious domain names; determining a compromised host from the suspected hosts based on the initial security data of the suspected hosts, wherein determining the compromised host from the suspected hosts based on their initial security data comprises: performing risk data identification on the initial security data of a suspected host with a risk data identification model to obtain an identification result, wherein the risk data identification model is obtained by training a neural network on different types of risk data; and, if the identification result is that risk data has been identified in the initial security data of the suspected host, determining the suspected host to be the compromised host, wherein the risk data comprises at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data being asset data whose security level is greater than a preset level, and the target user data being user data with preset operating permissions; acquiring the risk data of the compromised host; determining a risk type of the compromised host based on its risk data; obtaining, based on the risk type, at least one classified repair strategy corresponding to that risk type from a security knowledge base, wherein the security knowledge base comprises a plurality of risk types and a plurality of classified repair strategies corresponding to the risk types; combining the classified repair strategies corresponding to the risk types according to a preset logical relationship to obtain a target repair strategy, wherein the preset logical relationship represents the relevance among the classified repair strategies; and repairing the compromised host based on the target repair strategy.
  2. The method according to claim 1, wherein the risk data of the compromised host carries a risk type label, and obtaining, based on the risk type, at least one classified repair strategy corresponding to the risk type from the security knowledge base comprises: acquiring the risk type label of at least one risk type; and acquiring, according to the risk type label, at least one classified repair strategy corresponding to that label from the security knowledge base, wherein the security knowledge base comprises a plurality of risk type labels and a plurality of classified repair strategies corresponding to the risk type labels.
  3. The method according to claim 2, wherein each classified repair strategy comprises a plurality of execution steps, and combining the classified repair strategies corresponding to the risk types according to the preset logical relationship to obtain the target repair strategy comprises: determining a plurality of operation objects from each classified repair strategy and marking the plurality of execution steps associated with each operation object; ordering the marked execution steps associated with each operation object according to a target sequence to obtain a plurality of combined repair strategies, wherein the target sequence is an order that satisfies continuity of operation; and taking each combined repair strategy as the target repair strategy.
  4. The method according to any one of claims 1 to 3, wherein fusing the initial security data by the heterogeneous data fusion method to obtain the target security data comprises: fusing the initial security data by the heterogeneous data fusion method to obtain intermediate security data; and standardizing the intermediate security data to obtain the target security data, wherein the standardization constrains the data format and the form of expression of the data content of the security data.
  5. The method according to any one of claims 1 to 3, further comprising: acquiring a network security event of the compromised host, wherein the network security event is an event in which the compromised host causes damage to a network, an information system or data; determining an attack path of the compromised host based on the network security event; and determining, from the attack path, a target object that has an access relationship with the compromised host; and wherein repairing the compromised host based on the target repair strategy comprises: sending the target repair strategy to the compromised host and to the target object, so that the compromised host and the target object each perform the corresponding repair operations based on the target repair strategy.
  6. The method according to any one of claims 1 to 3, wherein generating the detection model comprises: acquiring a plurality of normal domain names and a plurality of malicious domain names; extracting feature information of each normal domain name and of each malicious domain name, wherein the feature information comprises at least one of the character randomness of the domain name, the length of its characters, the proportion of vowels among its characters, the proportion of unique characters among its characters, and its top-level domain; and training a long short-term memory (LSTM) neural network on the feature information of the normal domain names and of the malicious domain names to obtain the detection model.
  7. A device for determining a compromised host, the device comprising an acquisition module, a fusion module, a detection and screening module and a determining module, wherein: the acquisition module is configured to acquire initial security data of each host to be detected, the initial security data being data generated while the host to be detected is running, namely basic information, asset data, asset operating data, threat intelligence, behavior log data or network traffic data of the host to be detected, accessed in real time; the fusion module is configured to fuse the initial security data by a heterogeneous data fusion method to obtain target security data; the detection and screening module is configured to input each domain name to be detected in the target security data into a detection model for detecting malicious domain names and to screen suspected hosts out of the hosts to be detected based on the detection results, wherein the domain names to be detected of a suspected host include a malicious domain name, and the detection model is trained on normal domain names and malicious domain names; and the determining module is configured to determine a compromised host from the suspected hosts based on the initial security data of the suspected hosts, which comprises: performing risk data identification on the initial security data of a suspected host with a risk data identification model to obtain an identification result, wherein the risk data identification model is obtained by training a neural network on different types of risk data; and, if the identification result is that risk data has been identified in the initial security data of the suspected host, determining the suspected host to be the compromised host, wherein the risk data comprises at least one of target asset data, vulnerability data, target user data and threat intelligence data, the target asset data being asset data whose security level is greater than a preset level, and the target user data being user data with preset operating permissions; the device further acquiring the risk data of the compromised host, determining a risk type of the compromised host based on its risk data, obtaining at least one classified repair strategy corresponding to the risk type from a security knowledge base based on the risk type, wherein the security knowledge base comprises a plurality of risk types and a plurality of classified repair strategies corresponding to the risk types, combining the classified repair strategies corresponding to the risk types according to a preset logical relationship to obtain a target repair strategy, wherein the preset logical relationship represents the relevance among the classified repair strategies, and repairing the compromised host based on the target repair strategy.
  8. A computer device, comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to read the executable instructions from the memory and execute them to implement the method for determining a compromised host according to any one of claims 1 to 6.
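The two-stage decision of claims 1, 2, 4 and 6, as an added example written for this page rather than taken from the patent holder's implementation. Everything below the claim language is an assumption: the source record formats and field names, the fixed scoring rule that stands in for the trained LSTM, the rule lookup that stands in for the neural-network risk model, the preset security level, the knowledge-base contents and precedence table, and all of the sample data, which is constructed.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")
PRESET_SECURITY_LEVEL = 3  # assumption: assets above this level count as "target assets"

def domain_features(domain: str) -> dict:
    """Claim 6 features for the label left of the TLD: character randomness
    (Shannon entropy), length, vowel ratio, unique-character ratio, TLD."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    body = labels[-2] if len(labels) > 1 else labels[0]
    n = max(len(body), 1)
    counts = Counter(body)
    return {"entropy": -sum(c / n * math.log2(c / n) for c in counts.values()),
            "length": len(body), "tld": tld,
            "vowel_ratio": sum(ch in VOWELS for ch in body) / n,
            "unique_ratio": len(counts) / n}

def is_malicious_domain(domain: str) -> bool:
    """Stand-in for the detection model (assumption: a fixed scoring rule over
    the claim 6 features; the patent trains an LSTM on them instead)."""
    f = domain_features(domain)
    score = sum([f["entropy"] > 3.5, f["length"] >= 12,
                 f["vowel_ratio"] < 0.25, f["tld"] in {"xyz", "top", "tk"}])
    return score >= 3

def fuse_and_standardize(dns_lines, assets, vulns, users, intel) -> dict:
    """Claims 1 and 4: fuse heterogeneous source records (CSV lines, dicts,
    tuples) into one per-host record with a fixed schema."""
    hosts = defaultdict(lambda: {"domains": set(), "assets": [], "vulns": [],
                                 "users": [], "intel": []})
    for line in dns_lines:              # "timestamp,host,queried_domain"
        _, host, domain = [p.strip() for p in line.split(",")]
        hosts[host]["domains"].add(domain.lower())
    for a in assets:                    # {"host", "name", "security_level"}
        hosts[a["host"]]["assets"].append(a)
    for host, finding in vulns:         # (host, scanner finding)
        hosts[host]["vulns"].append(finding)
    for u in users:                     # {"host", "user", "privileged"}
        hosts[u["host"]]["users"].append(u)
    for host, indicator in intel:       # (host, threat-intelligence indicator)
        hosts[host]["intel"].append(indicator)
    return dict(hosts)

def identify_risk_data(rec: dict) -> list:
    """Claim 1 risk data: target assets, vulnerabilities, target (privileged)
    users, threat-intelligence hits. A rule lookup stands in for the model."""
    risks = []
    if any(a["security_level"] > PRESET_SECURITY_LEVEL for a in rec["assets"]):
        risks.append("target_asset")
    if rec["vulns"]:
        risks.append("vulnerability")
    if any(u["privileged"] for u in rec["users"]):
        risks.append("target_user")
    if rec["intel"]:
        risks.append("threat_intel")
    return risks

def determine_compromised(target_data: dict):
    """Stage 1: a host that queried a malicious domain is only *suspected*.
    Stage 2: a suspected host is *compromised* only if risk data is found."""
    suspected = {h for h, r in target_data.items()
                 if any(is_malicious_domain(d) for d in r["domains"])}
    found = {h: identify_risk_data(target_data[h]) for h in suspected}
    return suspected, {h: r for h, r in found.items() if r}

# Claim 2: knowledge base keyed by risk type label (contents are assumptions).
KNOWLEDGE_BASE = {
    "vulnerability": ["isolate host", "apply vendor patch", "rescan"],
    "target_user": ["isolate host", "reset privileged credentials", "review sessions"],
    "threat_intel": ["isolate host", "block indicator at egress", "capture memory"],
    "target_asset": ["isolate host", "verify asset integrity", "rotate asset secrets"],
}
# Preset logical relationship (assumption): containment first, verification last.
STEP_ORDER = {"isolate host": 0, "rescan": 9, "review sessions": 9}

def target_repair_strategy(risk_types) -> list:
    """Claim 1 combination step: merge the classified strategies, drop repeated
    steps and order the rest by the preset precedence."""
    steps = []
    for rt in risk_types:
        steps += [s for s in KNOWLEDGE_BASE[rt] if s not in steps]
    return sorted(steps, key=lambda s: (STEP_ORDER.get(s, 5), steps.index(s)))

# Constructed sample data: 10.0.0.5 and 10.0.0.6 both queried a DGA-style name,
# only 10.0.0.5 also carries risk data; 10.0.0.7 holds a sensitive asset only.
DNS = ["2024-01-01T00:00:01,10.0.0.5,www.example.com",
       "2024-01-01T00:00:02,10.0.0.5,x7k2p9q4w1m3.xyz",
       "2024-01-01T00:00:03,10.0.0.6,x7k2p9q4w1m3.xyz",
       "2024-01-01T00:00:04,10.0.0.7,mail.google.com"]
ASSETS = [{"host": "10.0.0.7", "name": "hr-db", "security_level": 4}]
VULNS = [("10.0.0.5", "scanner-finding-1")]
USERS = [{"host": "10.0.0.5", "user": "svc_backup", "privileged": True}]
INTEL = []

if __name__ == "__main__":
    data = fuse_and_standardize(DNS, ASSETS, VULNS, USERS, INTEL)
    suspected, compromised = determine_compromised(data)
    print("suspected:", sorted(suspected))   # ['10.0.0.5', '10.0.0.6']
    print("compromised:", compromised)       # {'10.0.0.5': ['vulnerability', 'target_user']}
    for host, risks in compromised.items():
        print(host, "->", target_repair_strategy(risks))
```

The point of the second stage is visible in the sample: 10.0.0.6 queried the same DGA-style domain as 10.0.0.5 but carries no risk data, so it stays a suspected host rather than being declared compromised, which is the accuracy gain the abstract claims over domain-name detection alone. The scoring rule in `is_malicious_domain` is only a placeholder for the LSTM of claim 6; in a real deployment the features it computes would be the model's input, and the thresholds here should not be read as tuned values.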

Description

Method and device for determining collapse host and computer equipment

Technical Field

The present application relates to the field of communications technologies, and in particular to a method and an apparatus for determining a compromised host, and to a computer device.

Background

A compromised host is a host over which a network intruder has gained control by some means. Once in control, the attacker may use the host as a pivot to keep attacking other hosts on the enterprise intranet, and may also make it actively communicate with an IP address or domain name designated by the attacker and exfiltrate the security data stored on it. In addition, a compromised host is typically irregular in its behavior and well concealed: many intrusion actions are hard to identify, or it cannot be confirmed whether the attack actually succeeded. Each host therefore needs to be checked for compromise and any compromised host repaired promptly, so as to keep the enterprise network safe to use.

In the related art, a compromised host is determined by obtaining a domain name to be detected and deciding whether it is a malicious domain name; if it is, the host that queried the domain name is directly determined to be a compromised host. This way of determining a compromised host is, however, not very accurate.

Disclosure of Invention

The embodiment of the application provides a method, a device and computer equipment for determining a compromised host which, after detecting a malicious domain name of a host to be detected, can determine a suspected host among the hosts to be detected and then confirm from the suspected host's initial security data that it is compromised, addressing the low accuracy of deciding whether a host is compromised from malicious domain name detection alone.

A first aspect of an embodiment of the present application provides a method for determining a compromised host, the method comprising: acquiring initial security data of each host to be detected, wherein the initial security data is data generated while the host to be detected is running; fusing the initial security data by a heterogeneous data fusion method to obtain target security data; inputting each domain name to be detected in the target security data into a detection model for detecting malicious domain names, and screening suspected hosts out of the hosts to be detected based on the detection results, wherein the domain names to be detected of a suspected host include a malicious domain name, and the detection model is trained on normal domain names and malicious domain names; and determining a compromised host from the suspected hosts based on the initial security data of the suspected hosts.

A second aspect of an embodiment of the present application provides a device for determining a compromised host, the device comprising: an acquisition module configured to acquire initial security data of each host to be detected, wherein the initial security data is data generated while the host to be detected is running; a fusion module configured to fuse the initial security data by a heterogeneous data fusion method to obtain target security data; a detection and screening module configured to input each domain name to be detected in the target security data into a detection model for detecting malicious domain names and to screen suspected hosts out of the hosts to be detected based on the detection results, wherein the domain names to be detected of a suspected host include a malicious domain name, and the detection model is trained on normal domain names and malicious domain names; and a determining module configured to determine a compromised host from the suspected hosts based on the initial security data of the suspected hosts.

A third aspect of an embodiment of the present application provides a computer device comprising a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to read the executable instructions from the memory and execute them to implement the method for determining a compromised host provided in the first aspect of the embodiment of the present application.

A fourth aspect of the embodiments of the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for determining a compromised host provided in the first aspect of the embodiments of the present application.

A fifth aspect of the embodiments of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method for detecting a compromised host provided in the first aspect of the embodiments of the