CN-115733633-B - Detection method and system, and storage medium
Abstract
The embodiment of the application discloses a detection method, a detection system and a storage medium. The detection system acquires log information of a host and analyzes and processes the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, where the first analysis model is used for detecting unknown risks; it then analyzes and processes the initial compromise result based on a second analysis model to obtain a target compromise result, where the second analysis model is used for verifying the compromise result. In this way the missed-report rate and false-report rate for compromised hosts can be reduced, and the efficiency of handling compromised hosts is effectively improved.
Inventors
- WANG WEIJIE
- CHANG JIAYUE
- YUAN YONG
- LU YINBING
- ZHOU XUYING
- QIAN CHENG
Assignees
- 中移(杭州)信息技术有限公司
- 中国移动通信集团有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20210827
Claims (8)
- 1. A detection method, the method comprising: acquiring log information of a host; analyzing and processing the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, wherein the first analysis model is used for detecting unknown risks and comprises a model that identifies domain names matching a DGA family rule in a domain name system log, determines the de-duplicated number of accessed DGA domain names from the identified domain names, and compares that de-duplicated number with a preset numerical range; and analyzing and processing the initial compromise result based on a second analysis model to obtain a target compromise result; wherein the method comprises obtaining the initial compromise result and determining the compromised host and the causes of compromise by using the second analysis model, the second analysis model being used for verifying the initial compromise result and determining the compromised host and the causes of compromise, and comprising a compromise matching rule table and a preset calculation model, the compromise matching rule table being used for representing the occurrence probability of each preset threat classification under each rule and the compromise trust degree corresponding to each rule; and wherein analyzing and processing the initial compromise result based on the second analysis model to obtain the target compromise result comprises the following steps: acquiring behavior characteristics from the initial compromise result; if the behavior characteristics match at least two rules in the compromise matching rule table, determining a rule matching result corresponding to the behavior characteristics according to the behavior characteristics and the compromise matching rule table; and calculating the rule matching result based on the preset calculation model to obtain the target compromise result.
- 2. The method of claim 1, wherein, before analyzing and processing the initial compromise result based on the second analysis model to obtain the target compromise result, the method further comprises: acquiring behavior characteristic data of compromised hosts from a historical data set; determining a behavior decision table of the compromised hosts based on the behavior characteristic data; and obtaining the second analysis model from the behavior decision table.
- 3. The method of claim 2, wherein obtaining the second analysis model from the behavior decision table comprises: performing reduction processing on the behavior decision table to obtain a reduced behavior decision table; determining a compromise matching rule table from the reduced behavior decision table and preset threat classifications, wherein the compromise matching rule table is used for determining the occurrence probability of each preset threat classification under each rule and the compromise trust degree corresponding to each rule; and obtaining the second analysis model based on the compromise matching rule table and a preset calculation model.
- 4. The method according to claim 1, wherein, if the behavior characteristics match one rule in the compromise matching rule table, performing the matching process with the second analysis model according to the behavior characteristics to obtain the target compromise result comprises: obtaining the target compromise result according to the behavior characteristics and the compromise matching rule table.
- 5. The method of claim 1, wherein analyzing and processing the log information based on the threat intelligence library and the first analysis model to obtain the initial compromise result of the host comprises: comparing the threat intelligence library with the log information to obtain a first compromise result; identifying threat information in the log information by using the first analysis model to obtain a threat identification result, and obtaining a second compromise result from the threat identification result; and determining the initial compromise result from the first compromise result and the second compromise result.
- 6. A detection system, characterized in that it comprises an acquisition unit and an analysis unit, wherein the acquisition unit is used for acquiring log information of a host; the analysis unit is used for analyzing and processing the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, the first analysis model being used for detecting unknown risks, and for analyzing and processing the initial compromise result based on a second analysis model to obtain a target compromise result; the analysis unit is further used for acquiring behavior characteristics from the initial compromise result; the analysis unit is further used for determining a rule matching result corresponding to the behavior characteristics according to the behavior characteristics and the compromise matching rule table if the behavior characteristics match at least two rules in the compromise matching rule table; and the detection system further comprises the following: the first analysis model comprises a model that identifies domain names matching a DGA family rule in a domain name system log, determines the de-duplicated number of accessed DGA domain names from the identified domain names, and compares that de-duplicated number with a preset numerical range; and the system obtains the initial compromise result and determines the compromised host and the causes of compromise by using the second analysis model, wherein the second analysis model is used for verifying the initial compromise result and determining the compromised host and the causes of compromise, the second analysis model comprises a compromise matching rule table and a preset calculation model, and the compromise matching rule table is used for representing the occurrence probability of each preset threat classification under each rule and the compromise trust degree corresponding to each rule.
- 7. A detection system, characterized in that it further comprises a processor and a memory storing instructions executable by said processor, which instructions, when executed by said processor, implement the method according to any one of claims 1-5.
- 8. A computer-readable storage medium having stored thereon a program for use in a detection system, the program, when executed by a processor, implementing the method according to any one of claims 1-5.
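The two-stage pipeline of claims 1, 3, 4 and 5 (threat-intelligence comparison plus a DGA-count model for the initial result, then a rule table with per-rule threat-classification probabilities and trust degrees combined by a calculation model) is worked through below in an added example. This is not code from the patent or its assignees: the DNS log, the threat intelligence set, the DGA heuristic standing in for the patent's "DGA family rule", the preset numerical range, every rule, probability and trust degree, and the trust-weighted calculation model are all constructed assumptions, chosen only to show how the stages fit together.

```python
"""Two-stage compromised-host detection, modelled on claims 1, 3, 4 and 5.
Added example, not the patent's code; all data and parameters are constructed."""
import math
from collections import defaultdict

# Constructed DNS log: "<timestamp> <host> <queried_domain>" per line.
DNS_LOG = """\
2021-08-27T10:00:01 host-a update.example.com
2021-08-27T10:00:02 host-a xk3jq9vz1pml.net
2021-08-27T10:00:03 host-a qz8v1nxc4wtr.net
2021-08-27T10:00:04 host-a xk3jq9vz1pml.net
2021-08-27T10:00:05 host-a b7yqp2lmk9dx.net
2021-08-27T10:00:06 host-b mail.example.com
2021-08-27T10:00:07 host-b bad-c2.invalid
2021-08-27T10:00:08 host-c news.example.org
"""

# Constructed threat intelligence library (assumption: a flat set of known-bad domains).
THREAT_INTEL = {"bad-c2.invalid"}

# Assumed "preset numerical range" for the de-duplicated DGA domain count per host.
DGA_COUNT_RANGE = (2, 10_000)


def parse_dns_log(text):
    """Yield (timestamp, host, domain) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_dga(domain):
    """Assumed stand-in for a 'DGA family rule': a long, high-entropy,
    vowel-poor label that contains digits. A deployment would use the
    per-family rules the patent refers to instead of this heuristic."""
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    has_digit = any(c.isdigit() for c in label)
    return vowel_ratio < 0.3 and has_digit and shannon_entropy(label) > 3.0


def first_stage(records, intel=THREAT_INTEL, dga_range=DGA_COUNT_RANGE):
    """Claim 5: intel comparison (first result) and first analysis model
    (second result), merged into the initial compromise result keyed by host."""
    domains, intel_hits = defaultdict(set), defaultdict(set)
    for _, host, domain in records:
        domains[host].add(domain)
        if domain in intel:
            intel_hits[host].add(domain)
    initial = {}
    for host, seen in domains.items():
        dga_count = sum(1 for d in seen if looks_like_dga(d))  # de-duplicated count
        flagged_by_model = dga_range[0] <= dga_count <= dga_range[1]
        if flagged_by_model or intel_hits[host]:
            initial[host] = {"intel_hit": bool(intel_hits[host]),
                             "dga_domain_count": dga_count,
                             "distinct_domain_count": len(seen)}
    return initial


# Constructed compromise matching rule table (claim 3): each rule carries the
# occurrence probability of each preset threat classification and a trust degree.
RULES = [
    {"name": "dga_burst", "match": lambda b: b["dga_domain_count"] >= 2,
     "probability": {"botnet": 0.7, "c2": 0.3}, "trust": 0.6},
    {"name": "intel_hit", "match": lambda b: b["intel_hit"],
     "probability": {"botnet": 0.1, "c2": 0.9}, "trust": 0.9},
    {"name": "high_fanout", "match": lambda b: b["distinct_domain_count"] >= 4,
     "probability": {"botnet": 0.4, "c2": 0.6}, "trust": 0.3},
]


def second_stage(initial, rules=RULES, threshold=0.5):
    """Claims 1 and 4: one matching rule is taken directly; two or more are
    combined by an assumed calculation model (trust-weighted average of the
    probabilities, noisy-OR of the trust degrees)."""
    target = {}
    for host, behaviour in initial.items():
        matched = [r for r in rules if r["match"](behaviour)]
        if not matched:
            continue
        if len(matched) == 1:
            probs, trust = matched[0]["probability"], matched[0]["trust"]
        else:
            total = sum(r["trust"] for r in matched)
            probs = defaultdict(float)
            for r in matched:
                for cls, p in r["probability"].items():
                    probs[cls] += r["trust"] * p / total
            trust = 1.0
            for r in matched:
                trust *= 1.0 - r["trust"]
            trust = 1.0 - trust
        reason = max(probs, key=probs.get)
        if trust >= threshold:
            target[host] = {"reason": reason, "probability": round(probs[reason], 4),
                            "trust": round(trust, 4),
                            "matched_rules": [r["name"] for r in matched]}
    return target


def detect(log_text=DNS_LOG):
    """Run both stages over a DNS log and return the target compromise result."""
    return second_stage(first_stage(parse_dns_log(log_text)))


if __name__ == "__main__":
    for host, verdict in detect().items():
        print(host, verdict)
```

On the constructed log, host-a is flagged by the DGA-count model alone (no intelligence hit) and then confirmed by two rules, host-b is flagged by the intelligence match and confirmed by a single rule, and host-c never enters the initial result; the second stage is what turns the raw flags into a host plus a cause, which is the verification step the claims describe.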
Description
Detection method and system, and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a detection method and system, and a storage medium.
Background
Compromised-host detection refers to examining a host's network traffic, logs and other information to find hosts infected with Trojan horse viruses, that is, compromised hosts, so that potential safety hazards can be cleared in time and the safety of the host ensured. In the prior art, hosts at risk are found by comparing the host's related data with a threat intelligence library, and the hosts at risk are then subjected to risk investigation to determine the problem that caused the compromise. Because the existing detection method can detect only known risks according to the threat intelligence library, unknown risks cannot be detected and are missed; at the same time, the number of detected hosts is large and the false alarm rate of the existing detection method is high, so compromised hosts cannot be effectively analyzed and the efficiency of handling compromised hosts is low.
Disclosure of Invention
The embodiment of the application provides a detection method and system, and a storage medium, which can reduce the missed-report rate and false-report rate for compromised hosts and effectively improve the efficiency of handling compromised hosts.
The technical scheme of the embodiment of the application is realized as follows.
In a first aspect, an embodiment of the present application provides a detection method, the method comprising: acquiring log information of a host; analyzing and processing the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, wherein the first analysis model is used for detecting unknown risks; and analyzing and processing the initial compromise result based on a second analysis model to obtain a target compromise result, wherein the second analysis model is used for verifying the compromise result.
In a second aspect, embodiments of the present application provide a detection system comprising an acquisition unit and an analysis unit, wherein the acquisition unit is used for acquiring log information of a host, and the analysis unit is used for analyzing and processing the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, the first analysis model being used for detecting unknown risks, and for analyzing and processing the initial compromise result based on a second analysis model to obtain a target compromise result, the second analysis model being used for verifying the compromise result.
In a third aspect, an embodiment of the present application provides a detection system further comprising a processor and a memory storing instructions executable by the processor, the instructions, when executed by the processor, implementing the detection method described above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a program for use in a detection system, the program, when executed by a processor, implementing the detection method described above.
The embodiment of the application provides a detection method, a detection system and a storage medium. The detection system acquires log information of a host, analyzes and processes the log information based on a threat intelligence library and a first analysis model to obtain an initial compromise result of the host, where the first analysis model is used for detecting unknown risks, and analyzes and processes the initial compromise result based on a second analysis model to obtain a target compromise result, where the second analysis model is used for verifying the compromise result.
Drawings
Fig. 1 is a schematic diagram of an implementation flow of a detection method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a second implementation flow of the detection method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a third implementation flow of the detection method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an implementation flow of a detection method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an implementation flow of a detection method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of an implementation flow of a detection method according to an embodiment of the present application;
Fig. 7 is a seventh schematic diagram of an implementation flow of a detection method according to an embodiment of the present application;
FIG. 8 is a sche