CN-122027279-A - Cloud computing service network safe operation situation awareness detection method

Abstract

The invention provides a cloud computing service network safe operation situation awareness detection method, which comprises the steps of controlling distributed state probes of all service nodes of a cloud environment to be in a dormant monitoring mode, intercepting metadata and filtering to generate state snapshot data, receiving snapshots by a cross-domain inquiry engine, constructing a plurality of snapshots with logic association as event pairs to be checked based on fuzzy matching of weak association rules, calculating cooperative suspicion, generating an activation token containing task descriptors when evidence obtaining activation conditions are met, responding to the token control probes to switch to an activation evidence obtaining mode, executing deep acquisition to generate an evidence packet, analyzing the content of the evidence packet to conduct closed-loop verification and outputting a result, and adjusting importance coefficients or parameters of the rules according to the result. The method solves the problems of high system resource overhead and high analysis response delay caused by continuous deep monitoring for identifying cross-service attacks in the cloud computing environment.

Inventors

  • WANG JIA

Assignees

  • 北京上珵信息技术有限公司

Dates

Publication Date
20260512
Application Date
20260210

Claims (10)

  1. A cloud computing service network safe operation situation awareness detection method, characterized by comprising the following steps: controlling distributed state probes deployed at all service nodes of a target cloud environment to be in a dormant monitoring mode, intercepting metadata events and performing filtering processing to generate state snapshot data; a cross-domain inquiry engine receiving the state snapshot data, performing logic pattern matching based on a preset weak association rule, and constructing a plurality of logically associated state snapshot data as an event pair to be checked; calculating the cooperative suspicion of the event pair to be checked, and generating an activation token containing an evidence obtaining task descriptor when the cooperative suspicion meets a preset evidence obtaining activation condition; in response to the activation token, controlling the target distributed state probe to switch to an activation evidence obtaining mode, executing a deep data acquisition task, and generating a deep evidence obtaining evidence packet; analyzing the content data in the deep evidence obtaining evidence packet, performing closed-loop verification on the event pair to be checked, and outputting a verification result; and, according to the verification result, adjusting the global importance coefficient of the weak association rule or the calculation parameters of the cooperative suspicion.
  2. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein controlling the distributed state probe deployed at each service node of the target cloud environment to be in the dormant monitoring mode, intercepting and filtering metadata events, and generating state snapshot data comprises the following steps: intercepting, through a driver module mounted in the operating system kernel, metadata events that do not contain specific data payloads; parsing the metadata event, extracting the subject identifier, the object identifier and the timestamp information, and discarding network packet payloads and file write byte streams; and packaging the extracted subject identifier, object identifier and timestamp information into structured state snapshot data, and streaming the structured state snapshot data to the cross-domain inquiry engine.
  3. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein the cross-domain inquiry engine receiving the state snapshot data, performing logic pattern matching based on the preset weak association rule, and constructing a plurality of logically associated state snapshot data as an event pair to be checked comprises the following steps: placing the received state snapshot data into a time-based sliding window buffer; loading a weak association rule, and identifying, in the sliding window buffer, a plurality of state snapshot data that originate from different service nodes within a preset time window and that satisfy the logical relationship defined by the rule through their subject identifier or object identifier; and aggregating the plurality of state snapshot data that satisfy the weak association rule, and assembling them into an event pair to be checked that is marked with the triggering rule ID.
  4. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein calculating the cooperative suspicion of the event pair to be checked, and generating the activation token containing the evidence obtaining task descriptor when the cooperative suspicion meets the preset evidence obtaining activation condition, comprises the following steps: calculating the time proximity, the subject authority span and the operation rarity of each event in the event pair to be checked; weighting and summing the time proximity, the subject authority span and the operation rarity to obtain a quantized cooperative suspicion; judging whether the cooperative suspicion is higher than a preset activation threshold and lower than a preset alarm threshold; and if so, generating an activation token aimed at the target distributed state probe, and embedding in the activation token a cryptographic signature and an evidence obtaining task descriptor that defines the type of data to be collected and the collection duration.
  5. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein, in response to the activation token, controlling the target distributed state probe to switch to the activation evidence obtaining mode, executing the deep data acquisition task, and generating the deep evidence obtaining evidence packet comprises the following steps: the distributed state probe receiving, decrypting and verifying the activation token, and switching from the dormant monitoring mode to the activation evidence obtaining mode by raising the process's operating system scheduling priority and requesting a dedicated memory buffer; parsing the evidence obtaining task descriptor, and locking a specific system process, network session or memory region as the evidence obtaining target; and completely capturing the raw data of the evidence obtaining target according to the evidence obtaining task descriptor, writing the raw data into the memory buffer, and, after the collection duration ends, packaging the raw data together with associated metadata to generate the deep evidence obtaining evidence packet.
  6. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein, in response to the activation token, controlling the target distributed state probe to switch to the activation evidence obtaining mode, executing the deep data acquisition task, and generating the deep evidence obtaining evidence packet comprises the following steps: the distributed state probe marking the deep evidence obtaining evidence packet in association with the corresponding activation token ID and returning them; the cross-domain inquiry engine unpacking the deep evidence obtaining evidence packet and extracting the substantive content data in the packet; checking, based on the substantive content data, whether a malicious logical association exists in the cross-domain operation of the event pair to be checked; and if the malicious logical association is confirmed, confirming the event pair to be checked as an attack step, updating a time-sequenced attack map and outputting a security alarm.
  7. The cloud computing service network safe operation situation awareness detection method according to claim 1, wherein adjusting, according to the verification result, the global importance coefficient of the weak association rule or the calculation parameters of the cooperative suspicion comprises the following steps: if the verification result confirms that the event pair to be checked is a real attack, extracting the ID of the weak association rule corresponding to the event pair, and raising the global importance coefficient of the rule corresponding to that ID in the weak association rule base; if the verification result confirms that the event pair to be checked is a false report, taking the features of the event pair as a negative sample; and updating the historical behavior baseline model based on the negative sample so as to reduce the operation rarity score in the same scenario, or correcting the risk factor used when calculating the subject authority span.
  8. The cloud computing service network safe operation situation awareness detection method according to claim 5, further comprising, after generating the deep evidence obtaining evidence packet: the distributed state probe transmitting the deep evidence obtaining evidence packet back to the cross-domain inquiry engine; and the distributed state probe emptying the memory buffer, unloading the deep acquisition functional module, releasing system resources, and automatically rolling back to the dormant monitoring mode.
  9. The cloud computing service network safe operation situation awareness detection method according to claim 2, wherein the metadata event includes a process creation signal indicating a process life cycle change, a network connection establishment signal indicating a network communication intention, and API call header information indicating an inter-application interaction.
  10. The cloud computing service network safe operation situation awareness detection method according to claim 4, wherein, in the step of calculating the cooperative suspicion of the event pair to be checked: the time proximity is calculated from an exponential decay model of the time difference between the events; the subject authority span is calculated by querying the identity and access management information base and taking the difference between the privilege level required by the object and the current privilege level of the subject; and the operation rarity is calculated by querying the historical behavior baseline model and, based on an inverse document frequency algorithm, taking the logarithm of the ratio of the total number of historical events to the number of occurrences of the pattern of the event pair to be checked within the historical statistics period, so that the operation rarity is inversely related to the occurrence frequency.
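As an added illustration of claims 4 and 10 (example code written for this page, not part of the patent), the following Python scores a cross-node event pair from time proximity (exponential decay of the time difference), subject authority span (privilege level required by the object minus the subject's current level) and operation rarity (inverse document frequency over a historical baseline), weights and sums them into a cooperative suspicion, and places the score in the dormant / activate / alarm band of claim 4. The decay constant, weights, thresholds, privilege tables, and the sample snapshots and baseline counts are all assumed values, not taken from the patent.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Metadata-only state snapshot: identifiers and timestamp, no payload."""
    node: str      # service node that emitted the snapshot
    subject: str   # subject identifier (e.g. a service account)
    obj: str       # object identifier (e.g. a resource)
    op: str        # coarse operation type
    ts: float      # timestamp in seconds

# Assumed parameters (not given in the patent): decay constant, weights, thresholds
TAU = 60.0                    # time proximity = exp(-|dt| / TAU)
WEIGHTS = (0.4, 0.3, 0.3)     # weights for proximity, authority span, rarity
ACTIVATE_T, ALARM_T = 0.5, 0.9
MAX_LEVEL = 3

# Assumed identity and access management information base (constructed sample)
OBJECT_LEVEL = {"billing-db": 3, "public-cdn": 0}    # privilege required by object
SUBJECT_LEVEL = {"svc-web": 1, "svc-admin": 3}       # current privilege of subject

def time_proximity(a, b):
    return math.exp(-abs(a.ts - b.ts) / TAU)

def authority_span(snap):
    # privilege the object requires minus what the subject holds, scaled to [0, 1]
    gap = OBJECT_LEVEL.get(snap.obj, 0) - SUBJECT_LEVEL.get(snap.subject, 0)
    return max(0.0, min(1.0, gap / MAX_LEVEL))

def operation_rarity(pattern, baseline, total_events):
    # inverse document frequency: log(total / count), normalised by log(total);
    # an unseen pattern is counted once so the logarithm stays finite
    count = baseline.get(pattern, 0) + 1
    return max(0.0, math.log(total_events / count) / math.log(total_events))

def cooperative_suspicion(a, b, baseline, total_events):
    w_t, w_a, w_r = WEIGHTS
    span = max(authority_span(a), authority_span(b))
    rarity = operation_rarity((a.op, b.op), baseline, total_events)
    return w_t * time_proximity(a, b) + w_a * span + w_r * rarity

def decide(score):
    # activation band: above the activation threshold but below the alarm threshold
    if score >= ALARM_T:
        return "alarm"
    if score >= ACTIVATE_T:
        return "activate"     # issue an activation token to the target probe
    return "stay_dormant"
```

Under claim 7, a false report is fed back by adding the pair's pattern to the baseline counts, which lowers operation_rarity for the same scenario the next time it is scored.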

Description

Cloud computing service network safe operation situation awareness detection method

Technical Field

The invention belongs to the technical field of network information security, and relates to a cloud computing service network safe operation situation awareness detection method.

Background

Service nodes in the current cloud computing environment are dynamically deployed in various forms, and the nodes form a distributed architecture through interface and protocol interaction. Attackers often penetrate using cross-service, multi-step collaborative approaches, and such behavior is typically characterized by low frequency and low data volume. Traditional security monitoring systems are limited to a single service node or network boundary, are deficient in correlating weak abnormal signals scattered across different subjects and long time spans, and therefore tend to miss advanced threats.

To address these security challenges, the prior art generally builds a unified security information and event management platform. In that scheme, agent programs are deployed on all service nodes, massive telemetry data including system logs, full network traffic and interface call details are continuously collected, and the data are transmitted to a big data analysis platform in a centralized manner. The analysis platform performs post-hoc analysis and backtracking on the data using preset rules or models and attempts to find potential attack chains in it; its core logic is to support reconstruction of attack events by collecting as much raw data as possible.

However, this continuous deep data acquisition scheme has limitations in practice. Continuous deep data acquisition on a service node generates sustained computing and read-write resource overhead, which may affect the normal operation of service applications. Real-time transmission of massive raw data occupies a large amount of network bandwidth and stresses the network infrastructure. Meanwhile, the central platform requires substantial computing and storage resources to process and store data at this scale, so a long delay tends to exist between the occurrence of an event and the output of a detection result, reducing the timeliness of threat response.

Disclosure of Invention

In order to solve the above problems, the invention provides a cloud computing service network safe operation situation awareness detection method.

A cloud computing service network safe operation situation awareness detection method comprises the following steps: controlling distributed state probes deployed at all service nodes of a target cloud environment to be in a dormant monitoring mode, intercepting metadata events and performing filtering processing to generate state snapshot data; a cross-domain inquiry engine receiving the state snapshot data, performing logic pattern matching based on a preset weak association rule, and constructing a plurality of logically associated state snapshot data as an event pair to be checked; calculating the cooperative suspicion of the event pair to be checked, and generating an activation token containing an evidence obtaining task descriptor when the cooperative suspicion meets a preset evidence obtaining activation condition; in response to the activation token, controlling the target distributed state probe to switch to an activation evidence obtaining mode, executing a deep data acquisition task, and generating a deep evidence obtaining evidence packet; analyzing the content data in the deep evidence obtaining evidence packet, performing closed-loop verification on the event pair to be checked, and outputting a verification result; and, according to the verification result, adjusting the global importance coefficient of the weak association rule or the calculation parameters of the cooperative suspicion.

Preferably, controlling the distributed state probe deployed at each service node of the target cloud environment to be in the dormant monitoring mode, intercepting and filtering metadata events, and generating state snapshot data comprises the following steps: intercepting, through a driver module mounted in the operating system kernel, metadata events that do not contain specific data payloads; parsing the metadata event, extracting the subject identifier, the object identifier and the timestamp information, and discarding network packet payloads and file write byte streams; and packaging the extracted subject identifier, object identifier and timestamp information into structured state snapshot data, and streaming the structured state snapshot data to the cross-domain inquiry engine.

Preferably, the cross-domain inquiry engine receiving the state snapshot data, performing logic pattern matching based on the preset weak association rule, and constructing a plurality of state snapshot data