
CN119377947A - A malicious program detection method and related device - Google Patents


Info

Publication number
CN119377947A
Authority
CN
China
Prior art keywords
traffic
resource address
target process
intranet
accessed
Prior art date
Legal status
Pending
Application number
CN202411407534.6A
Other languages
Chinese (zh)
Inventor
殷伟
卢佳顺
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202411407534.6A
Publication of CN119377947A
Legal status: Pending (current)


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the present invention discloses a malicious program detection method and related device. By means of a software defined perimeter (SDP) client pre-installed in a terminal device, the traffic of a target process accessing an intranet resource address and the traffic of the same process accessing an extranet resource address are acquired; similarity matching is performed on the bidirectional traffic behavior of the target process to obtain a similarity index, and the similarity index is used to determine whether a malicious program is installed in the terminal device, thereby improving the convenience and accuracy of malicious program detection.

Description

Malicious program detection method and related device
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method and an apparatus for detecting malicious programs.
Background
With the continuous development of information technology, the risk of data leakage keeps rising. Attackers and malicious software can obtain sensitive data through network attacks, data sniffing, social engineering and other means, resulting in data leakage.
In the prior art, malicious software or malicious programs are generally detected with schemes such as internet-address threat intelligence, malicious-code feature libraries or network traffic analysis. These schemes depend heavily on a product intelligence library, feature library or rule library, and such libraries can only detect known threats; they have no detection capability for newly appearing malicious programs, so the detection accuracy for malicious programs is low.
Disclosure of Invention
The embodiment of the invention provides a malicious program detection method and a related device. By means of a software defined perimeter (SDP) client pre-installed in a terminal device, the method acquires the traffic of a target process accessing an intranet resource address and the traffic of the target process accessing an extranet resource address, performs similarity matching on the bidirectional traffic behavior of the target process to obtain a similarity index, and determines from the similarity index whether a malicious program is installed in the terminal device, thereby improving the convenience and accuracy of detecting malicious programs.
In a first aspect, the present application provides a method for detecting a malicious program, applied to a terminal device in which an SDP client is installed, the method including:
if an operation of logging in to the SDP client is detected, acquiring, using the SDP client, an intranet resource address configured in an SDP server;
acquiring, using the SDP client, the traffic of a target process accessing the intranet resource address, where the target process is any process installed in the terminal device;
acquiring, using the SDP client, the traffic of the target process accessing an extranet resource address;
performing, based on a preset traffic similarity matching rule, a similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process, and determining a similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process; and
determining, according to the similarity index, whether a malicious program is installed in the terminal device.
Optionally, the preset traffic similarity matching rule includes a real-time send/receive traffic similarity matching rule;
performing, based on the real-time send/receive traffic similarity matching rule, the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process, and determining the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process, includes:
in a first target time period, acquiring in real time, using the SDP client, the intranet traffic of the target process accessing the intranet resource address;
in the first target time period, acquiring in real time, using the SDP client, the extranet traffic of the target process accessing the extranet resource address;
acquiring a plurality of first difference values between the intranet traffic and the extranet traffic at each statistical moment in the first target time period;
comparing the plurality of first difference values with a preset first difference threshold, and determining, according to the comparison result, the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index exceeds a first preset threshold, determining that the malicious program is installed in the terminal device.
Optionally, the preset traffic similarity matching rule includes an intermittent send/receive traffic similarity matching rule;
performing, based on the intermittent send/receive traffic similarity matching rule, the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process, and determining the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process, includes:
in a second target time period, acquiring, using the SDP client, the intranet accumulated traffic of the target process in a plurality of first intermittent communication periods with the intranet resource address, where the intranet accumulated traffic is acquired in each first intermittent communication period;
in the second target time period, acquiring, using the SDP client, a plurality of second intermittent communication periods of the target process with the extranet resource address and the extranet accumulated traffic acquired in each second intermittent communication period, where each second intermittent communication period is adjacent to a first intermittent communication period;
acquiring a plurality of second difference values between the extranet accumulated traffic in each second intermittent communication period and the intranet accumulated traffic in each first intermittent communication period;
comparing the plurality of second difference values respectively with a preset second difference threshold, and determining, according to the comparison result, the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index exceeds a second preset threshold, determining that the malicious program is installed in the terminal device.
Optionally, the preset traffic similarity matching rule includes an accumulated send/receive traffic similarity matching rule;
before performing the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process based on the accumulated send/receive traffic similarity matching rule, the method further includes:
if it is determined that the communication protocol between the target process and the intranet resource address differs from the communication protocol between the target process and the extranet resource address, triggering the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process based on the accumulated send/receive traffic similarity matching rule.
Optionally, performing, based on the accumulated send/receive traffic similarity matching rule, the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process, and determining the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process, includes:
in a third target time period, acquiring, using the SDP client, the intranet accumulated traffic of the target process communicating with the intranet resource address;
in the third target time period, acquiring, using the SDP client, the extranet accumulated traffic of the target process communicating with the extranet resource address;
acquiring a third difference value between the magnitude of the intranet accumulated traffic and the magnitude of the extranet accumulated traffic in a preset time interval within the third target time period, where the preset time interval is any time interval in the third target time period;
comparing the third difference value with a preset third difference threshold, and determining, according to the comparison result, the similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index indicates that the third difference value is smaller than the preset third difference threshold, determining that the malicious program is installed in the terminal device.
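The three matching rules above, modelled in Python as an added illustration; this is not code from the patent or from Sangfor. The per-second byte counters, the threshold values, the definition of an intermittent communication period as a maximal run of non-zero samples, and the reading of "adjacent" as the extranet burst whose start lies nearest to the end of an intranet burst are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    t: int         # statistical moment (seconds from the start of the window)
    intranet: int  # bytes the process exchanged with intranet resource addresses at t
    extranet: int  # bytes the process exchanged with extranet resource addresses at t


@dataclass(frozen=True)
class Rules:
    """Constructed threshold values; the patent leaves the actual numbers open."""
    point_diff: int = 256      # first difference threshold (bytes per moment)
    point_index: float = 0.8   # first preset threshold on the similarity index
    burst_diff: int = 512      # second difference threshold (bytes per burst)
    burst_index: float = 0.8   # second preset threshold on the similarity index
    total_diff: int = 2048     # third difference threshold (bytes per interval)


def realtime_similarity(samples: Sequence[Sample], diff_threshold: int) -> float:
    """Rule 1 (real-time send/receive): share of statistical moments at which the
    intranet and extranet byte counts differ by at most diff_threshold."""
    if not samples:
        return 0.0
    close = sum(1 for s in samples if abs(s.intranet - s.extranet) <= diff_threshold)
    return close / len(samples)


def bursts(series: Sequence[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Split a (t, bytes) series into intermittent communication periods. A period is a
    maximal run of consecutive non-zero samples; returns (start_t, end_t, total_bytes)."""
    periods: List[Tuple[int, int, int]] = []
    start = end = None
    total = 0
    for t, b in series:
        if b > 0:
            if start is None:
                start, total = t, 0
            end, total = t, total + b
        elif start is not None:
            periods.append((start, end, total))
            start = None
    if start is not None:
        periods.append((start, end, total))
    return periods


def intermittent_similarity(samples: Sequence[Sample], diff_threshold: int) -> float:
    """Rule 2 (intermittent send/receive): pair every intranet burst with the extranet
    burst whose start lies nearest to the intranet burst's end (assumed reading of
    'adjacent'); index = share of pairs whose accumulated bytes differ by at most
    diff_threshold."""
    intra = bursts([(s.t, s.intranet) for s in samples])
    extra = bursts([(s.t, s.extranet) for s in samples])
    if not intra or not extra:
        return 0.0
    matched = 0
    for _, i_end, i_total in intra:
        _, _, e_total = min(extra, key=lambda e: abs(e[0] - i_end))
        if abs(i_total - e_total) <= diff_threshold:
            matched += 1
    return matched / len(intra)


def accumulated_match(samples: Sequence[Sample], diff_threshold: int) -> bool:
    """Rule 3 (accumulated send/receive): totals over the whole interval differ by less
    than diff_threshold. The description triggers this rule when the process uses a
    different protocol towards the intranet than towards the extranet."""
    total_in = sum(s.intranet for s in samples)
    total_out = sum(s.extranet for s in samples)
    return abs(total_in - total_out) < diff_threshold


def classify(samples: Sequence[Sample], same_protocol: bool, rules: Rules = Rules()) -> Tuple[bool, str]:
    """Return (malicious?, rule that decided). Rules 1 and 2 apply when both sides use
    the same protocol; rule 3 when they differ."""
    if not same_protocol:
        return accumulated_match(samples, rules.total_diff), "accumulated"
    if realtime_similarity(samples, rules.point_diff) > rules.point_index:
        return True, "realtime"
    if intermittent_similarity(samples, rules.burst_diff) > rules.burst_index:
        return True, "intermittent"
    return False, "none"


# Constructed per-second counters for two processes over a 12 s window.
# RELAY forwards what it reads from the intranet to an outside address one second later.
RELAY = [Sample(*v) for v in [(0, 4000, 0), (1, 4100, 3950), (2, 0, 4050), (3, 0, 0),
                               (4, 0, 0), (5, 6000, 0), (6, 0, 5900), (7, 0, 0),
                               (8, 2000, 0), (9, 0, 2100), (10, 0, 0), (11, 0, 0)]]
# BROWSER reads a small internal page while streaming unrelated extranet content.
BROWSER = [Sample(*v) for v in [(0, 1200, 0), (1, 300, 9000), (2, 0, 12000), (3, 0, 500),
                                 (4, 800, 0), (5, 0, 0), (6, 0, 7000), (7, 0, 0),
                                 (8, 0, 0), (9, 200, 0), (10, 0, 3000), (11, 0, 0)]]
```

Calling `classify(RELAY, same_protocol=True)` shows why rule 2 exists: the one-second forwarding lag keeps the per-moment rule 1 index low, while the burst totals still line up.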
Optionally, after determining, according to the similarity index, whether a malicious program is installed in the terminal device, the method further includes:
if it is determined that the malicious program is installed in the terminal device, reporting the malicious program to the SDP server through the SDP client, where the SDP server is used to generate a security early-warning event based on the malicious program.
Optionally, when using the SDP client to acquire the intranet resource address configured in the SDP server, the method further includes:
acquiring, using the SDP client, a security policy configured in the SDP server, where the security policy includes at least one of locking user information, locking the terminal device and blocking an IP (Internet Protocol) address;
and after determining that the malicious program is installed in the terminal device, the method further includes:
acquiring terminal device association information of the login to the SDP client, where the terminal device association information includes user identity information, client identity information and source IP information of the target process accessing the intranet resource address;
and reporting the malicious program and the terminal device association information to the SDP server through the SDP client, where the SDP server is used to generate a security event based on the malicious program, the terminal device association information and the security policy.
Optionally, when using the SDP client to acquire the intranet resource address configured in the SDP server, the method further includes:
acquiring, using the SDP client, the latest version of the traffic similarity matching rule configured in the SDP server;
and before performing the similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process based on the preset traffic similarity matching rule, the method further includes:
judging whether the latest version of the traffic similarity matching rule is the same as the preset traffic similarity matching rule;
and if they differ, updating the preset traffic similarity matching rule to the latest version of the traffic similarity matching rule.
Optionally, before determining, according to the similarity index, whether a malicious program is installed in the terminal device, the method further includes:
in a fourth target time period, determining, according to the similarity index, whether a suspected malicious program is installed in the terminal device;
and if it is determined according to the similarity index that a suspected malicious program is installed in the terminal device, the method includes:
in a fifth target time period, determining, according to the similarity index, whether a malicious program is installed in the terminal device, where the fifth target time period is longer than the fourth target time period.
The method of the first aspect of the application may be implemented in practice using the content of the second aspect of the application.
A second aspect of an embodiment of the present application provides a terminal device in which an SDP client is installed, the terminal device including:
an acquiring unit, configured to acquire, if an operation of logging in to the SDP client is detected, an intranet resource address configured in an SDP server by using the SDP client;
the acquiring unit being further configured to acquire, by using the SDP client, the traffic of a target process accessing the intranet resource address, where the target process is any process installed in the terminal device;
the acquiring unit being further configured to acquire, by using the SDP client, the traffic of the target process accessing an extranet resource address;
a determining unit, configured to perform a similarity comparison between the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process based on a preset traffic similarity matching rule, and to determine a similarity index between the trend of the intranet resource address traffic accessed by the target process and the trend of the extranet resource address traffic accessed by the target process;
the determining unit being further configured to determine, according to the similarity index, whether a malicious program is installed in the terminal device.
A third aspect of the embodiments of the present application provides a computer apparatus comprising a processor for implementing a method as described in the first aspect or any particular implementation of the first aspect of the embodiments of the present application when executing a computer program stored on a memory.
A fourth aspect of the embodiments of the present application provides a computer readable storage medium having stored thereon a computer program for carrying out the method described in the first aspect of the embodiments of the present application or any one of the specific implementations of the first aspect when the computer program is executed by a processor.
A fifth aspect of embodiments of the present application provides a computer program product having stored thereon a computer program/instruction which, when executed by a processor, is adapted to carry out the method described in the first aspect of embodiments of the present application or any specific implementation of the first aspect.
From the above technical solutions, the embodiment of the present invention has the following advantages:
In the embodiment of the application, if an operation of logging in to the SDP client is detected, the SDP client is used to acquire the intranet resource address configured in the SDP server, the traffic of the target process accessing the intranet resource address and the traffic of the target process accessing the extranet resource address; a similarity comparison is performed between the intranet resource address traffic and the extranet resource address traffic accessed by the target process based on a preset traffic similarity matching rule, the similarity index between the trend of the intranet resource address traffic and the trend of the extranet resource address traffic accessed by the target process is determined, and whether a malicious program is installed in the terminal device is determined according to the similarity index.
Because the embodiment of the application obtains the similarity index from similarity matching between the traffic trend of the target process accessing the intranet resource address in the terminal device and the traffic trend of the same process accessing the extranet resource address, and determines from that index whether a malicious program is installed, the comparison rests on the behavioral characteristics of bidirectional traffic. Since the behavioral characteristics of bidirectional communication do not change, the detection process is independent of rule updates, whether for existing malicious programs or newly appearing ones, and its detection accuracy is higher than that of the rule-library-based methods of the prior art.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a malicious program detection method according to an embodiment of the present application;
FIG. 3 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 4 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 5 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 6 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 7 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 8 is a schematic traffic characteristic diagram according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Before describing the method in further detail, objects and techniques that may be involved in embodiments of the present application will first be described.
1. Zero Trust
Zero trust is a network security concept of "never trust, always verify", i.e. it starts from the assumption that no person, device or data is trusted by default. Traditional network security models are typically built on the concept of a trusted network: the internal network is considered trusted and the external network untrusted. The zero trust model instead assumes that threats also exist inside the network and builds an "identity-centric, continuous trust assessment, dynamic access control" security framework that applies strict authentication, access control and real-time monitoring to any person, device or system attempting to access enterprise systems before authorization. The three mainstream implementation technologies are software defined perimeter (SDP), identity and access management (IAM) and micro-segmentation (MSG).
2. Software defined perimeter (SDP)
SDP is a network security framework that implements the zero trust concept. It provides a more flexible and dynamic security model by shifting the focus of network access control from the network boundary to the applications and services themselves. SDP restricts which users and devices may access applications and services by defining a set of security policies and rules, and allows access to a specific application or service only after the user's identity and the device's integrity have been verified. SDP is therefore closely tied to the zero trust concept and can be seen as an implementation of a zero trust network access control system. An SDP product generally consists of three components: an SDP control center and a proxy gateway (together the SDP server), and an SDP connection-initiating host (the SDP client).
3. Remote control Trojan
A remote control Trojan, i.e. a remote control Trojan virus/process, is a program or malicious code used by a network attacker to remotely control a user's (victim's) terminal. It delivers a control program or malicious code to the controlled terminal, performs illegal operations such as data theft and network attacks on or from the controlled terminal, and can also set up a proxy channel on the controlled terminal so that it becomes a springboard (jump host) through which the attacker accesses intranet resources. Two types of remote control Trojan are currently common: (1) Trojans that exist as an independent process on the user terminal, and (2) processless Trojans, which insert a section of malicious code into a trusted program on the user terminal (such as a browser) through techniques such as dynamic link library (DLL) injection; these have no independent process of their own and are therefore more concealed than Trojans with an independent process.
4. C&C (Command and Control) server
The C&C server can be understood as the controlling end of the remote control Trojan, through which the attacker communicates with and controls the infected terminal devices. It is typically used to issue instructions to infected terminal devices, receive the data they send back, and monitor and manage them. An attacker can control many infected terminal devices through a C&C server and use them to conduct attack activities.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a system architecture provided in an embodiment of the present application. The architecture may include an attacker's C&C server, a terminal device (the user terminal in FIG. 1), an SDP server and intranet resources. An SDP client may be installed on the terminal device, and a malicious program (the remote control Trojan process in FIG. 1) may also have been installed on it maliciously. The SDP server may include an SDP proxy gateway and an SDP control center. The intranet resources may include the various information technology resources and services used by employees inside the intranet, such as file and data storage, internal websites and applications, communication and collaboration tools, development and test environments, network services and infrastructure, business applications and services, and storage backups (resources A, B and C in FIG. 1). The SDP server may be an independent physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server providing basic cloud computing services such as a cloud database, cloud services, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content delivery network (CDN), big data and an artificial intelligence platform. The terminal device may be a smart terminal such as a smartphone, tablet computer, notebook computer, desktop computer, palmtop computer, mobile internet device (MID), wearable device (e.g. a smart watch or smart bracelet), smart computer or smart vehicle. The SDP server can establish a communication connection with each terminal device, and communication connections can also be established between terminal devices.
The communication connection is not limited to a particular connection manner: it may be a direct or indirect wired connection, or a direct or indirect wireless connection, as determined by the actual application scenario; the embodiment of the present application is not limited in this respect.
It should be understood that each terminal device shown in FIG. 1 may have an SDP client installed; the SDP client runs on the terminal device and interacts with the SDP server shown in FIG. 1. Specifically, the intranet resources are accessed by proxy through the SDP server, that is, every access request to an intranet resource passes through the SDP server, and so the intranet resource addresses are configured in the SDP server. When an operation of logging in to the SDP client is detected, the SDP proxy gateway communicates with the SDP control center, and the SDP control center issues the configuration. The issued configuration may include the access permissions and scope, the access time limits and conditions, the address list of intranet resources, the encryption mode for configuration data transmission and the security policy specified for different users or devices. The SDP client acquires the intranet resource addresses issued by the SDP control center in the SDP server. If a process on the terminal device needs to access an enterprise intranet resource, the SDP client installed on the terminal device monitors and intercepts the traffic of the intranet resource access request and redirects the intercepted traffic to the SDP server, and the SDP server verifies and authorizes the request from the SDP client according to the predefined security policy and rules. The verification may cover the user identity, the terminal device information and the requested target resource. If verification passes, the SDP proxy gateway accesses the enterprise intranet resource and obtains its response data, and the SDP server forwards the response data to the SDP client.
The SDP client receives the forwarded response data and passes it to the process on the terminal device that originally requested the enterprise intranet resource. Similarly, the SDP client can also monitor the traffic of processes accessing the internet through the user terminal.
It should be noted that the method provided by the embodiment of the present application may be implemented on the terminal device side, or jointly by the terminal device and the SDP server, as determined by the actual application scenario; the embodiment of the present application is not limited in this respect.
In the related art, malicious programs can be identified by security monitoring techniques, so that intrusion and damage to the system by malicious programs can be discovered and prevented in time, ensuring the security of the system and data. Current techniques for identifying malicious programs include:
(1) Internet address threat intelligence: products such as a firewall deployed at the Internet egress and antivirus software on the terminal device monitor the Internet addresses accessed by the terminal device and match them against the malicious address library in a threat intelligence library; a match indicates that the terminal device is attempting to connect to an attacker's server and that a remote control Trojan may be present;
(2) Malicious code feature library: products such as antivirus software and endpoint detection and response (EDR) deployed on the terminal device inspect file content and scan program code on the terminal device and compare them against a malicious code feature library; a high similarity indicates that a remote control Trojan may be present;
(3) Network traffic analysis: products such as a firewall deployed in the customer intranet and a web application firewall inspect the traffic packets of the terminal device accessing intranet service assets and match them against a security rule base; a match indicates that the terminal device is attempting to attack the intranet service assets and that a remote control Trojan may be present.
Security monitoring schemes such as Internet address threat intelligence, malicious code feature libraries and network traffic analysis depend heavily on the richness of the product's intelligence library/feature library/rule library; if the library is not updated in time, threats are missed. In addition, an intelligence library/feature library/rule library can only detect known threats and has no detection capability for newly appearing attacker server addresses, Trojan software and the like; even if the rule matching threshold is lowered to capture more threats, a large amount of false alarm information is generated. Meanwhile, after a traditional security product locates a threat by network IP, security specialists still have to trace the specific user and terminal from the IP, so the timeliness of disposal is insufficient, which further aggravates the unequal security situation between attack and defense.
Therefore, the embodiment of the application provides a malicious program detection method and a related device, which can carry out similarity matching on the basis of the flow trend of the target process accessing the intranet resource address in the terminal equipment and the flow trend of the target process accessing the extranet resource address without depending on updated rules, thereby realizing accurate detection of the malicious program.
Various embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 2, an embodiment of a method for detecting a malicious program according to the present application includes the following steps:
Step S201, if the operation of logging in the SDP client is detected, the SDP client is utilized to acquire the intranet resource address configured in the SDP server.
The SDP client is installed on the terminal device, can perform security detection on the terminal device and in particular on its various processes, and at the same time reports the security detection results to the SDP control center for security policy management. In practical application, if it is detected that the user performs the login operation of the SDP client on the terminal (e.g., enters a user name and password and logs in successfully), the SDP client performs authority verification with the SDP control center of the SDP server using the random ID generated by the SDP client, the terminal information of the SDP client and the user information (the entered user name and password); after the verification succeeds, the SDP control center generates a unique identity for the SDP client and returns a verification success message to the SDP client. The unique identity generated here is also used for access requests initiated during the subsequent online session of the end user. Once the end user is online, a virtual communication channel is established between the SDP client and the SDP server. As can be appreciated from the foregoing description, the SDP server has been configured with intranet resource addresses (e.g., server addresses, database addresses, etc. inside the enterprise); the SDP client requests the intranet resource addresses configured in the SDP server, and the SDP control center in the SDP server responds to the request and sends the intranet resource addresses to the SDP client.
Step S202, the SDP client is utilized to obtain the flow of the target process accessing the intranet resource address.
Step S203, the SDP client is utilized to obtain the traffic of the target process accessing the extranet resource address.
The SDP client monitors all running processes on the terminal device. The target process is the specific process currently to be monitored; it may be any process installed in the terminal device, such as any application program or service, for example a database service or an application capable of file transfer. In practical applications, the SDP client may be configured with monitoring rules or use traffic hijacking and interception policies to identify and monitor the target process. Specifically, the SDP client may hijack the network traffic generated by the target process through a network driver installed on the terminal or through a network monitoring interface provided by the operating system. The SDP client can intercept all communication traffic initiated by the target process towards the intranet resource address, which may be the address of a server, a database, a file server or the like in the enterprise internal network. The SDP client records the details of these communication flows, including but not limited to packet size, transmission frequency, source address, destination address, port number and communication protocol. After collecting the detailed information of the communication traffic, the SDP client classifies and stores it and marks it as intranet traffic. The SDP client may likewise intercept all traffic initiated by the target process towards the extranet resource address. The extranet resource address may be a server in the enterprise external network, a cloud service, the public Internet, a third-party cloud service platform, etc. Similar to the intranet traffic monitoring, the SDP client records the detailed information of the communication traffic accessing the extranet and stores it in classified form marked as extranet traffic.
It should be noted that the order of execution of steps S202 and S203 is not limited; they may be performed simultaneously, as the case may be.
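The classification the SDP client performs in steps S202 and S203 (capture the target process's traffic records, tag each one as intranet or extranet against the issued address list, keep per-moment sizes) can be illustrated as follows. This is an added Python example, not code from the patent or from Sangfor; the address ranges, process id, field names and flow records are constructed placeholders, and the function names are assumptions.

```python
# Added example (not the patent's own code): classify the traffic records that an
# SDP client captures for one target process into intranet and extranet traffic,
# keyed by statistical moment, so the two series can later be compared.
# The address list and all records below are constructed placeholders.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowRecord:
    """One captured communication record of a process (fields as the page lists them)."""
    t: int            # statistical moment (time step)
    pid: int          # process that generated the traffic
    peer: str         # resource address the process talked to
    port: int
    proto: str
    size_kb: float    # bytes observed at this moment, in KB


# Hypothetical intranet resource address list issued by the SDP control center;
# the page names no concrete addresses, so these ranges are placeholders.
INTRANET_RESOURCES = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]


def is_intranet(addr: str, resources=INTRANET_RESOURCES) -> bool:
    """True when the peer address falls inside an issued intranet resource range."""
    ip = ip_address(addr)
    return any(ip in net for net in resources)


def split_traffic(records, pid):
    """Return (intranet, extranet): dicts of time step -> KB for the target process.
    Records of other processes are ignored; several records at one moment are summed."""
    intranet, extranet = defaultdict(float), defaultdict(float)
    for r in records:
        if r.pid != pid:
            continue
        bucket = intranet if is_intranet(r.peer) else extranet
        bucket[r.t] += r.size_kb
    return dict(intranet), dict(extranet)


def to_series(bucket, t_start, t_end):
    """Dense per-step list over [t_start, t_end]; moments without traffic become 0.0."""
    return [bucket.get(t, 0.0) for t in range(t_start, t_end + 1)]


# Constructed sample records for process 4242 (values loosely follow fig. 3 of the page)
SAMPLE = [
    FlowRecord(21, 4242, "10.10.3.7", 445, "tcp", 20.0),
    FlowRecord(21, 4242, "10.10.3.7", 445, "tcp", 12.5),      # same moment, summed
    FlowRecord(21, 4242, "203.0.113.9", 443, "tcp", 33.5),
    FlowRecord(22, 4242, "192.168.50.10", 3306, "tcp", 1.0),
    FlowRecord(22, 4242, "203.0.113.9", 443, "tcp", 1.2),
    FlowRecord(22, 9999, "203.0.113.9", 443, "tcp", 50.0),    # another process, ignored
    FlowRecord(24, 4242, "10.10.3.7", 445, "tcp", 25.0),
]

if __name__ == "__main__":
    intra, extra = split_traffic(SAMPLE, 4242)
    print("intranet:", to_series(intra, 21, 25))
    print("extranet:", to_series(extra, 21, 25))
```

Keying the buckets by statistical moment and filling silent moments with zero is what makes the later per-moment difference and vector comparisons well defined; a process that only reads from the intranet produces an all-zero extranet series rather than a missing one.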
Step S204, based on a preset flow similarity matching rule, performing similarity comparison on the internal network resource address flow accessed by the target process and the external network resource address flow accessed by the target process, and determining a similarity index between the internal network resource address flow trend accessed by the target process and the external network resource address flow trend accessed by the target process.
The preset traffic similarity matching rule is used to judge the similarity between two or more traffic samples. The SDP client classifies all collected communication traffic into intranet and extranet traffic, so that the intranet resource address traffic and the extranet resource address traffic accessed by the target process can be compared for similarity based on the preset traffic similarity matching rule. The comparison uses the recorded traffic characteristics, which include packet size and type, time interval, data transmission frequency, communication protocol and port number, source and destination IP addresses of the traffic, etc.; the similarity comparison of intranet and extranet traffic is performed on these characteristics/details. During the comparison, the traffic characteristics are analysed and the similarity index between the two or more traffic samples is judged.
The similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend may be determined by calculating a traffic ratio, cosine similarity, Pearson correlation coefficient, standardized difference or the like between the intranet resource address traffic and the extranet resource address traffic. Specifically, the traffic ratio may be the ratio of intranet traffic to extranet traffic calculated at each moment, for example, traffic ratio = intranet traffic size / extranet traffic size. The cosine similarity is obtained by computing the dot product of the intranet traffic and extranet traffic vectors, computing the norm (modulus) of each vector, and applying the cosine similarity formula. The methods for calculating cosine similarity, the Pearson correlation coefficient and the standardized difference are known in the art and are not described here.
Further, the number of moments or time periods within a given time or time period at which the intranet resource address traffic and the extranet resource address traffic are similar may be counted through time-series analysis, for example by calculating the difference between intranet traffic and extranet traffic at each moment/time period and counting the number of differences smaller than a preset difference threshold, that count serving as the similarity index. Alternatively, the difference between the intranet traffic and the extranet traffic over a certain time period may be calculated and used as the similarity index.
Step S205, determining whether a malicious program is installed in the terminal equipment according to the similarity index.
For example, the intranet resource address traffic and the extranet resource address traffic of target process A may be compared for similarity. If the calculated traffic ratio, cosine similarity, Pearson correlation coefficient or standardized difference exceeds a preset threshold, or the number of moments at which the difference between intranet traffic and extranet traffic is smaller than the preset difference threshold exceeds a preset count threshold, or the difference between the intranet traffic and the extranet traffic is smaller than a preset threshold, the compared intranet and extranet traffic samples may be considered highly similar, and target process A may be considered to be synchronizing data, so that a data leakage risk may exist. It should be noted that the malicious program need not itself be the target process A that accesses the intranet and extranet; it may be a malicious process that performs malicious activity through the legitimate network access rights and communication channels of an infected or controlled normal target process A.
In this way, using the preset traffic similarity matching rule, the traffic generated when the target process accesses intranet and extranet resources is compared and analysed to determine the similarity index between the intranet traffic and the extranet traffic, and whether a malicious program is installed in the terminal device is determined from the similarity index, so that potential security threats can be identified without relying on a rule base. Compared with the prior art, which compares against a known malicious behaviour feature library or signature library, the traffic similarity matching method can analyse traffic data in real time and detect unknown threats promptly; compared with an artificial intelligence model that needs a large amount of training data, it consumes relatively few system resources and is simpler to deploy.
The embodiment of the application obtains a similarity index by similarity matching between the traffic trend of the target process accessing the intranet resource address in the terminal device and the traffic trend of the target process accessing the extranet resource address, and determines from the similarity index whether a malicious program is installed in the terminal device. Because this comparison is based on the behaviour characteristic of bidirectional traffic, and the behaviour characteristic of bidirectional communication does not change, the detection process is independent of rule updates whether it targets existing malicious programs or newly appearing ones, and its detection accuracy is higher than that of the rule-library-based methods of the prior art.
It should be noted that, in order to adapt in time to changes in the network environment and application architecture and to cope with novel threats and attack techniques, besides obtaining the intranet resource address configured in the SDP server by using the SDP client, the method further includes obtaining the latest version of the traffic similarity matching rule configured in the SDP server by using the SDP client.
Because of the update of the intranet resource address or the introduction of a new extranet service, the network environment and the application architecture may change frequently, so that the latest version of traffic similarity matching rules configured in the SDP server needs to be acquired by using the SDP client. By acquiring the latest version of flow similarity matching rule, a more refined similarity matching rule can be obtained, and normal behaviors and potential malicious activities can be further effectively distinguished.
In the specific embodiment, before the similarity comparison is carried out on the internal network resource address flow accessed by the target process and the external network resource address flow accessed by the target process based on the preset flow similarity matching rule, the method further comprises the steps of judging whether the latest version of flow similarity matching rule is the same as the preset flow similarity matching rule or not, and if the latest version of flow similarity matching rule is different from the preset flow similarity matching rule, updating the preset flow similarity matching rule into the latest version of flow similarity matching rule.
Before flow similarity comparison, the used flow similarity matching rule needs to be ensured to be consistent with the latest version of flow similarity matching rule, so that the system can be ensured to more effectively and accurately identify potential malicious activities when detecting the access behavior of the target process, the safety protection effect is improved, and the reliability and adaptability of malicious program detection in a complex and dynamic network environment are ensured.
The application provides another specific embodiment of a malicious program detection method, which comprises the following operation steps:
Step S301, if the operation of logging in the SDP client is detected, the SDP client is utilized to acquire the intranet resource address configured in the SDP server.
Step S302, the SDP client side is utilized to obtain the flow of the target process accessing the intranet resource address.
Step S303, the SDP client is utilized to obtain the flow of the target process accessing the external network resource address.
Step S304, based on a preset flow similarity matching rule, performing similarity comparison on the internal network resource address flow accessed by the target process and the external network resource address flow accessed by the target process, and determining a similarity index between the internal network resource address flow trend accessed by the target process and the external network resource address flow trend accessed by the target process.
Step S305, determining whether a malicious program is installed in the terminal equipment according to the similarity index.
Step S306, if it is determined that the terminal device installs the malicious program, the malicious program is reported to the SDP server through the SDP client.
Specifically, the SDP client may report detected malicious program information (e.g., program name, process ID, malicious behavior descriptions, etc.) to the SDP server. The SDP server generates security precaution events (e.g., recording event details, sending notifications to security administrators, triggering automatic execution of security policies or defensive measures, etc.) based on the reported malicious programs and malicious program information. The SDP server can intensively collect and manage security events reported by all terminal devices, can help the SDP server to perform deeper analysis, identify more complex attack modes or advanced persistence threats, and help update the latest version of flow similarity matching rules in time, thereby realizing more efficient, comprehensive and accurate malicious program detection and security protection.
It should be noted that, the operations of steps S301 to S305 are similar to those of steps S201 to S205, and detailed descriptions thereof are omitted. The sequence of execution of step S302 and step S303 is not limited, and may be executed simultaneously, as the case may be.
In some embodiments, the implementation of step S304 may include any of the following ways:
The first mode: the preset traffic similarity matching rule includes a real send / real receive traffic similarity matching rule. Performing the similarity comparison between the intranet resource address traffic and the extranet resource address traffic accessed by the target process based on the real send / real receive rule, and determining the similarity index between the two traffic trends, includes: in a first target time period, using the SDP client to obtain in real time the intranet traffic size of the target process accessing the intranet resource address; in the same first target time period, using the SDP client to obtain in real time the extranet traffic size of the target process accessing the extranet resource address; obtaining a plurality of first differences between the intranet traffic size and the extranet traffic size at each statistical moment within the first target time period; comparing the plurality of first differences with a preset first difference threshold; determining the similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process according to the comparison results; and determining, according to the similarity index, whether a malicious program is installed in the terminal device.
According to the foregoing description, after the SDP client receives the intranet resource data forwarded by the SDP server, it passes the data to the process in the terminal device that originally accessed the intranet resource. A malicious program can therefore initiate an intranet access request immediately after receiving the attacker's access request; the SDP client hijacks the intranet access traffic and forwards it to the SDP server for proxy access, and once the data has been obtained from the intranet it can be sent immediately to the extranet and back to the attacker. This process is extremely short and can be regarded as real sending and real receiving. Therefore, using the real send / real receive traffic similarity matching rule of the first mode, the SDP client is used to obtain in real time the intranet traffic size of the intranet resource address accessed by the target process in the first target time period and the extranet traffic size of the extranet resource address accessed by the target process in the same period, a first difference between the intranet traffic size and the extranet traffic size at each statistical moment is calculated, each calculated first difference is compared with the preset first difference threshold, and the similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process is determined.
For example, referring to fig. 3, the abscissa of fig. 3 represents a time sequence with a time step of 1 and the ordinate represents the traffic size; for convenience of explanation, the time step may be in seconds and the traffic size in kilobytes (KB). An orange solid line represents traffic received from the intranet and a blue solid line represents traffic sent to the extranet. The first target time period includes time 21 to time 25, and the intranet and extranet traffic sizes obtained by the SDP client for the target process at each statistical moment of the first target time period are as follows:
The intranet traffic is [time 21: 32.5KB, time 22: 1KB, time 23: 7.3KB, time 24: 25KB, time 25: 44KB].
The extranet traffic is [time 21: 33.5KB, time 22: 1.2KB, time 23: 7.35KB, time 24: 25KB, time 25: 44.6KB].
The first difference between the intranet traffic size and the extranet traffic size at each statistical moment is calculated as [time 21: 1KB, time 22: 0.2KB, time 23: 0.05KB, time 24: 0KB, time 25: 0.6KB].
If the preset first difference threshold is 5KB, all first differences in the first target time period, that is, at moments 21-25, are smaller than the preset first difference threshold, and it can be determined that the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process are similar.
Specifically, in one possible implementation, the number of first differences between intranet traffic and extranet traffic that are smaller than the preset first difference threshold may be counted as the similarity index, and if that count exceeds a first preset threshold, it is determined that a malicious program is installed in the terminal device. For example, if the first preset threshold is 3, the number of first differences between the intranet traffic size and the extranet traffic size in the first target time period (time 21 to time 25) that are smaller than the preset first difference threshold is 5, which exceeds 3, so it is determined that a malicious program is installed in the terminal device.
In another possible implementation, a similarity index (such as a traffic ratio, cosine similarity, Pearson correlation coefficient, standardized difference, etc.) may be calculated from the intranet resource address traffic size and the extranet resource address traffic size at each statistical moment. For example, if the calculated cosine similarity is 0.997 and the first preset threshold is 0.85, the similarity index exceeds the first preset threshold, and it is determined that a malicious program is installed in the terminal device.
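The first mode, together with the similarity indexes named for step S204 (per-moment first differences counted against a threshold, cosine similarity, Pearson correlation coefficient), worked on the fig. 3 values quoted above and on a constructed benign series for contrast. This is an added Python example, not code from the patent or from Sangfor; the function names are assumptions, the thresholds (5KB, 3, 0.85) are the ones the page uses, and the benign extranet series is constructed.

```python
# Added example (not the patent's own code): the "real send / real receive" mode
# of steps S204/S205 applied to the fig. 3 values on the page, plus cosine
# similarity and Pearson coefficient as alternative similarity indexes.
import math

# Per-moment traffic of the target process in KB (values from fig. 3 of the page)
INTRANET_KB = {21: 32.5, 22: 1.0, 23: 7.3, 24: 25.0, 25: 44.0}
EXTRANET_KB = {21: 33.5, 22: 1.2, 23: 7.35, 24: 25.0, 25: 44.6}

# Constructed benign process: same intranet reads, unrelated small extranet sends
BENIGN_EXTRANET_KB = {21: 0.4, 22: 9.0, 23: 0.2, 24: 0.1, 25: 3.0}


def first_differences(intranet, extranet):
    """|extranet - intranet| at every statistical moment present in both series."""
    return {t: round(abs(extranet[t] - intranet[t]), 3)
            for t in sorted(intranet) if t in extranet}


def count_below(diffs, diff_threshold):
    """Counting variant of the similarity index: moments whose difference is under the threshold."""
    return sum(1 for d in diffs.values() if d < diff_threshold)


def _aligned(intranet, extranet):
    """Turn the two moment->KB dicts into equally ordered vectors."""
    ts = [t for t in sorted(intranet) if t in extranet]
    return [intranet[t] for t in ts], [extranet[t] for t in ts]


def cosine_similarity(intranet, extranet):
    """dot(a, b) / (|a| |b|), as the page describes; 0.0 for an all-zero series."""
    a, b = _aligned(intranet, extranet)
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def pearson(intranet, extranet):
    """Pearson correlation coefficient of the two aligned series."""
    a, b = _aligned(intranet, extranet)
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def real_send_receive_verdict(intranet, extranet, diff_threshold=5.0,
                              count_threshold=3, cos_threshold=0.85):
    """Apply both decision variants the page describes for the first mode."""
    diffs = first_differences(intranet, extranet)
    below = count_below(diffs, diff_threshold)
    cos = cosine_similarity(intranet, extranet)
    return {
        "differences": diffs,
        "count_below": below,
        "cosine": cos,
        "malicious": below > count_threshold or cos > cos_threshold,
    }


if __name__ == "__main__":
    print(real_send_receive_verdict(INTRANET_KB, EXTRANET_KB))
    print(real_send_receive_verdict(INTRANET_KB, BENIGN_EXTRANET_KB))
```

Cosine similarity is scale-invariant: a process whose outbound volume were a fixed fraction of what it read would still score close to 1, which is why the counting rule on absolute first differences is worth keeping beside it. On the fig. 3 values all five moments fall under the 5KB threshold, exceeding the count limit of 3, and the cosine index also clears 0.85; the constructed benign series fails both tests.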
The second mode: the preset traffic similarity matching rule includes an intermittent send/receive traffic similarity matching rule. Performing the similarity comparison between the intranet resource address traffic and the extranet resource address traffic accessed by the target process based on the intermittent send/receive rule, and determining the similarity index between the two traffic trends, includes: in a second target time period, using the SDP client to obtain the intranet accumulated traffic size of the target process in each of a plurality of first intermittent communication periods with the intranet resource address; in the second target time period, using the SDP client to obtain the extranet accumulated traffic size of the target process in each of a plurality of second intermittent communication periods with the extranet resource address, each second intermittent communication period being adjacent to a first intermittent communication period; obtaining a plurality of second differences between the extranet accumulated traffic size in each second intermittent communication period and the intranet accumulated traffic size in the corresponding first intermittent communication period; comparing the plurality of second differences with a preset second difference threshold; determining the similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process according to the comparison results; and, if the similarity index exceeds a preset threshold, determining that a malicious program is installed in the terminal device.
It should be understood that the malicious program may first cache the attacker's access requests locally on the terminal device and establish a connection with the intranet (i.e. initiate the intranet access request) only when the number of requests reaches a certain count or a time threshold is exceeded; likewise, after obtaining data from the intranet, it may first cache the data locally and send it to the extranet, back to the attacker, only when the obtained data reaches a certain amount or a time threshold is exceeded. Therefore, in the second target time period the SDP client is used to obtain the intranet accumulated traffic of the target process in each of a plurality of first intermittent communication periods with the intranet resource address, and to obtain the extranet accumulated traffic of the target process in each of a plurality of second intermittent communication periods with the extranet resource address; a plurality of second differences between the extranet accumulated traffic in each second intermittent communication period and the intranet accumulated traffic in the corresponding first intermittent communication period are obtained, each second difference is compared with the preset second difference threshold, and the similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process is determined.
Referring to fig. 4 to 7, the abscissa in fig. 4 to 7 represents a time sequence with a time step of 1 and the ordinate represents the traffic size; for convenience of explanation, the time step in fig. 4 to 7 may be in seconds and the traffic size in kilobytes (KB). An orange solid line represents traffic received from the intranet and a blue solid line represents traffic sent to the extranet. Intermittent communication refers to communication activity that is not continuous over a period of time but has interruptions or intervals. Communication activity in such periods appears as noticeable pauses or gaps in the sending and receiving of data packets rather than continuous traffic. The first intermittent communication period may be understood as the period from the moment the target process starts receiving intranet resources from the intranet to the moment it stops receiving them; similarly, the second intermittent communication period may be understood as the period during which the intranet resources are sent to the extranet, that is, from the moment sending to the extranet starts to the moment it stops.
As shown in fig. 4, it can be understood that once the amount of intranet resources received by the target process reaches a certain quantity, they are immediately sent to the extranet and transmitted back to the attacker. Specifically, referring to fig. 4, from time 0 to time 15 the traffic is received from the intranet, from time 15 to time 20 it is sent to the extranet, from time 20 to time 25 it is again received from the intranet, from time 25 to time 30 it is sent to the extranet, and so on. Illustratively, time 0-15, time 20-25 and time 30-35 are different first intermittent communication periods, and similarly time 15-20, time 25-30 and time 35-40 are different second intermittent communication periods. A second difference is obtained from the difference between the intranet accumulated traffic in time 0-15 and the extranet accumulated traffic in time 15-20, another second difference from the intranet accumulated traffic in time 20-25 and the extranet accumulated traffic in time 25-30, and so on, giving a plurality of second differences between the extranet accumulated traffic in each second intermittent communication period and the intranet accumulated traffic in the corresponding first intermittent communication period. Each second difference is compared with the preset second difference threshold, and the similarity index between the intranet resource address traffic trend and the extranet resource address traffic trend accessed by the target process is determined.
It should be noted that the target process may also send the obtained intranet resources to the extranet and transmit them back to the attacker only after the time elapsed since the intranet resources were received exceeds a certain time threshold. Referring to fig. 5, the target process receives resources from the intranet in time 0-15, and the traffic does not change after time 15, which indicates that the currently received intranet resources have reached a certain amount; the target process may choose to buffer the obtained intranet resources locally, and after a time threshold (e.g. 5 time units) is exceeded, the target process sends the obtained intranet resources to the extranet and transmits them back to the attacker. Illustratively, time 0-15, time 20-25 and time 30-35 are different first intermittent communication periods, and similarly, time 20-25, time 35-40 and time 50-55 are different second intermittent communication periods. A second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 0-15 and the extranet accumulated traffic obtained in time 20-25, another second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 20-25 and the extranet accumulated traffic obtained in time 35-40, and so on, so that a plurality of second difference values between the extranet accumulated traffic in each second intermittent communication period and the intranet accumulated traffic in each first intermittent communication period are obtained. The second difference values are compared with a preset second difference value threshold, and a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process is determined.
Further, the time or rate at which the target process receives the intranet resources may differ from the time or rate at which it sends the obtained intranet resources to the extranet, but the intranet accumulated traffic during the time of receiving the intranet resources is similar in size to the extranet accumulated traffic during the time of sending the obtained intranet resources to the extranet. Referring to fig. 6, the malicious program receives resources from the intranet in time 0-20 and completes sending the intranet resources to the extranet in time 20-25. Illustratively, time 0-20, time 25-35 and time 40-50 are different first intermittent communication periods, and similarly, time 20-25, time 35-40 and time 50-55 are different second intermittent communication periods. A second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 0-20 and the extranet accumulated traffic obtained in time 20-25, another second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 25-35 and the extranet accumulated traffic obtained in time 35-40, and so on, so that a plurality of second difference values between the intranet accumulated traffic in each first intermittent communication period and the extranet accumulated traffic in each second intermittent communication period are obtained. The second difference values are compared with a preset second difference value threshold, and a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process is determined.
In addition, besides the receiving time and the sending time differing, the target process may send the intranet resources to the extranet only after a certain time has elapsed since the intranet resources were received. Referring to fig. 7, the target process receives resources from the intranet in time 0-20, and the traffic does not change after time 20, which means that the currently received intranet resources have reached a certain amount; the target process may choose to buffer them locally first, and after a time threshold (e.g. 5 time units) is exceeded, the target process sends the obtained intranet resources to the extranet within time 25-30 and transmits them back to the attacker. Illustratively, time 0-20, time 25-35 and time 40-55 are different first intermittent communication periods, and similarly, time 25-30, time 40-45 and time 55-60 are different second intermittent communication periods. A second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 0-20 and the extranet accumulated traffic obtained in time 25-30, another second difference value is obtained by performing a difference operation on the intranet accumulated traffic obtained in time 25-35 and the extranet accumulated traffic obtained in time 40-45, and so on, so that a plurality of second difference values between the extranet accumulated traffic in each second intermittent communication period and the intranet accumulated traffic in each first intermittent communication period are obtained. The second difference values are compared with a preset second difference value threshold, and a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process is determined.
Based on the second mode described above, if the plurality of second differences are all smaller than the preset second difference threshold, it may be determined that the intranet resource address traffic trend accessed by the target process is, as a whole, similar to the extranet resource address traffic trend accessed by the target process.
Specifically, in one possible implementation, the number of second differences smaller than the preset second difference threshold may be counted and used as the similarity index, and if the counted number of second differences smaller than the preset second difference threshold exceeds the second preset threshold, it is determined that a malicious program is installed in the terminal device. For example, if the second preset threshold is 3 and the number of second differences smaller than the preset second difference threshold is 5, it is determined that a malicious program is installed in the terminal device.
In another possible implementation, the similarity index (e.g. traffic ratio, cosine similarity, Pearson correlation coefficient, normalized difference value, etc.) may be calculated from the size of the intranet accumulated traffic in each first intermittent communication period and the size of the extranet accumulated traffic in the second intermittent communication period adjacent to that first intermittent communication period. For example, if the calculated cosine similarity is 0.997 and the second preset threshold is 0.85, the similarity index exceeds the second preset threshold, and it is determined that a malicious program is installed in the terminal device.
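The second mode described above (figs. 4 to 7), as an added worked example that is not part of the patent: a constructed per-step traffic series is split into first (intranet receiving) and second (extranet sending) intermittent communication periods, each first period is paired with the second period that follows it, the second differences between the accumulated traffic of each pair are counted against a threshold, and the cosine similarity variant is computed alongside. The series shapes, the 50 KB difference threshold and the count threshold of 3 are assumptions chosen to mirror the figures.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional, Tuple

# One constructed sample per time step: (KB received from the intranet, KB sent to the extranet).
Step = Tuple[float, float]


def make_burst_series(cycles: int = 3, read_steps: int = 15, send_steps: int = 5,
                      idle_steps: int = 0, read_kb: float = 20.0,
                      send_total_kb: Optional[float] = None) -> List[Step]:
    """Constructed traffic in the shape of figs. 4-7: a read phase from the intranet,
    an optional idle gap (local buffering), then a shorter, faster send phase to the
    extranet. By default the send phase pushes out exactly the volume that was read."""
    if send_total_kb is None:
        send_total_kb = read_kb * read_steps
    series: List[Step] = []
    for _ in range(cycles):
        series += [(read_kb, 0.0)] * read_steps
        series += [(0.0, 0.0)] * idle_steps
        series += [(0.0, send_total_kb / send_steps)] * send_steps
    return series


@dataclass
class Period:
    kind: str        # "first" = intranet receiving, "second" = extranet sending
    start: int       # first time step of the period
    end: int         # one past the last time step of the period
    total_kb: float  # accumulated traffic of the period


def segment_periods(series: List[Step]) -> List[Period]:
    """Split the series into intermittent communication periods: a maximal run of steps
    with intranet traffic is a first period, a maximal run with extranet traffic is a
    second period. Idle steps belong to no period, which lets the buffering gap of
    figs. 5 and 7 sit between a first and a second period without breaking the pairing."""
    periods: List[Period] = []
    current: Optional[Period] = None
    for t, (in_kb, out_kb) in enumerate(series):
        if in_kb > 0:            # a step with traffic in both directions counts as intranet
            kind, kb = "first", in_kb
        elif out_kb > 0:
            kind, kb = "second", out_kb
        else:
            kind, kb = "", 0.0
        if not kind or current is None or current.kind != kind:
            if current is not None:
                periods.append(current)
            current = Period(kind, t, t + 1, kb) if kind else None
        else:
            current.end = t + 1
            current.total_kb += kb
    if current is not None:
        periods.append(current)
    return periods


def pair_accumulated_traffic(periods: List[Period]) -> List[Tuple[float, float]]:
    """Pair every first period with the second period that follows it and return
    (intranet accumulated KB, extranet accumulated KB) per pair."""
    pairs: List[Tuple[float, float]] = []
    pending: Optional[Period] = None
    for p in periods:
        if p.kind == "first":
            pending = p                      # a later first period supersedes an unpaired one
        elif pending is not None:
            pairs.append((pending.total_kb, p.total_kb))
            pending = None
    return pairs


def count_similar_pairs(pairs: List[Tuple[float, float]], second_diff_threshold_kb: float) -> int:
    """Counting variant of the similarity index: number of second differences
    |intranet_acc - extranet_acc| that fall below the preset second difference threshold."""
    return sum(1 for a, b in pairs if abs(a - b) < second_diff_threshold_kb)


def cosine_similarity(pairs: List[Tuple[float, float]]) -> float:
    """Cosine similarity between the per-period intranet and extranet accumulated-traffic
    vectors. It is scale invariant: it compares the shape of the two trends, not their
    volume, so on its own it cannot replace the difference count."""
    xs = [a for a, _ in pairs]
    ys = [b for _, b in pairs]
    dot = sum(x * y for x, y in zip(xs, ys))
    nx, ny = sqrt(sum(x * x for x in xs)), sqrt(sum(y * y for y in ys))
    return dot / (nx * ny) if nx and ny else 0.0


def detect_intermittent_exfil(series: List[Step], second_diff_threshold_kb: float = 50.0,
                              second_preset_threshold: int = 3) -> Dict[str, object]:
    """Second mode end to end: segment, pair, count the second differences under the
    threshold, and flag the process when that count exceeds the second preset threshold."""
    pairs = pair_accumulated_traffic(segment_periods(series))
    similar = count_similar_pairs(pairs, second_diff_threshold_kb)
    return {"pairs": pairs, "similar_count": similar, "cosine": cosine_similarity(pairs),
            "malicious": similar > second_preset_threshold}
```

With five read/send cycles of 300 KB each, the count of similar pairs is 5, which exceeds the threshold of 3, while a process that reads 300 KB and sends only 12 KB per cycle yields a count of 0 even though its cosine similarity is still 1.0.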
Besides the communication patterns with hidden traffic characteristics covered by the first mode and the second mode, the target process may also send the intranet resources to the extranet using a communication protocol different from the one used when receiving the intranet resources, so that the intranet and extranet traffic is irregular and difficult to detect with the first mode and the second mode. Illustratively, when receiving intranet resources the target process uses the Hypertext Transfer Protocol (HTTP), and when sending the intranet resources to the extranet it switches to the Message Queuing Telemetry Transport (MQTT) protocol. In this scenario, a third mode, the accumulated transceiving traffic similarity matching rule, can be used: by continuously observing and comparing the total intranet and extranet traffic within a specified time range, the similarity between the accessed intranet resource address traffic and the accessed extranet resource address traffic is determined.
Therefore, in a specific embodiment, the preset traffic similarity matching rule includes an accumulated transceiving traffic similarity matching rule, and before the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process are compared for similarity based on the accumulated transceiving traffic similarity matching rule, the method further includes: if it is determined that the communication protocol between the target process and the intranet resource address differs from the communication protocol between the target process and the extranet resource address, triggering the step of comparing, based on the accumulated transceiving traffic similarity matching rule, the intranet resource address traffic accessed by the target process and the extranet resource address traffic for similarity.
Further, performing similarity comparison on the intranet resource address traffic accessed by the target process and the extranet resource address traffic accessed by the target process based on the accumulated transceiving traffic similarity matching rule, and determining the similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process, includes: obtaining, by using the SDP client, the intranet accumulated traffic size of the communication between the target process and the intranet resource address in a third target time period; obtaining, by using the SDP client, the extranet accumulated traffic size of the communication between the target process and the extranet resource address in the third target time period; obtaining a third difference value between the intranet accumulated traffic size and the extranet accumulated traffic size in a preset time interval within the third target time period, where the preset time interval is any time interval within the third target time period; and comparing the third difference value with a preset third difference value threshold, and determining the similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process according to the comparison result. Determining whether a malicious program is installed in the terminal device according to the similarity index then includes: determining that a malicious program is installed in the terminal device if the similarity index includes the comparison result that the third difference value is smaller than the preset third difference value threshold.
For example, referring to fig. 8, the abscissa of fig. 8 represents a time series with a time step of 1 and the ordinate represents the traffic size; for convenience of explanation, the time step in fig. 8 may be in seconds and the traffic size in kilobytes (KB), the orange solid line represents traffic received from the intranet, and the blue solid line represents traffic sent to the extranet. For example, the third target time period may be time 1-13 and the preset time interval may be time 1-8; the third difference value between the change in traffic received from the intranet (i.e. the intranet accumulated traffic size) and the change in traffic sent to the extranet (i.e. the extranet accumulated traffic size) between time 1 and time 8 is calculated and compared with the preset third difference threshold.
In one possible implementation, the similarity index includes the similarity comparison result that the third difference value is smaller than the preset third difference value threshold, that is, "the third difference value is smaller than the preset third difference value threshold" is used as the similarity index; this similarity index is used to determine that the intranet resource address traffic trend accessed by the target process is similar to the extranet resource address traffic trend accessed by the target process, and finally to determine that a malicious program is installed in the terminal device.
In another possible implementation, the similarity index (such as the traffic ratio, cosine similarity, Pearson correlation coefficient, normalized difference value, etc.) may be calculated from the intranet accumulated traffic size and the extranet accumulated traffic size within the preset time interval in the third target time period. For example, if the calculated cosine similarity is 0.997 and the third preset threshold is 0.85, the similarity index exceeds the third preset threshold, and it is determined that a malicious program is installed in the terminal device.
It should be noted that the "time" mentioned in the embodiments of the present application may be understood as the time of the network traffic, specifically a particular point in time. For example, the time unit may be a specific unit such as seconds, minutes or hours, which is determined by the time interval at which the traffic is monitored; the embodiments of the present application are not limited in this regard. In addition, each of the first to third modes involves calculating a difference between the intranet traffic and the extranet traffic, and in a possible embodiment, calculating this difference may also mean calculating the absolute value of the difference between the intranet traffic and the extranet traffic and performing the similarity comparison using that absolute value.
In the above embodiments, for convenience of explanation, figs. 3 to 8 use the orange solid line for traffic received from the intranet (i.e. intranet traffic), the blue solid line for traffic sent to the extranet (i.e. extranet traffic), seconds as the time step unit and kilobytes (KB) as the unit of traffic size, which is not a limitation of the present application. In other embodiments, different colors or line styles may be used to represent traffic received from the intranet or sent to the extranet according to specific requirements, different time step units such as minutes or hours may be used, and different traffic size units such as bytes or megabytes (MB) may be used; the embodiments of the present application are not limited in this regard. In addition, in order to reduce noise in the intranet traffic data and the extranet traffic data so that the change trend of the intranet traffic and the extranet traffic is more obvious, the original traffic data are often fitted using methods such as polynomial fitting and linear regression, or smoothed with a moving average or exponential smoothing over a plurality of data points, so as to obtain corresponding fitted values, and the overall trend of the intranet traffic data and the extranet traffic data is described by these fitted values.
In practical applications, the traffic characteristic diagrams of the traffic variation trends shown in figs. 3 to 8 can be displayed on the monitoring dashboard of a network administrator or developer, displayed on the monitoring screen of a security operations center (SOC), or integrated into an enterprise-level management platform interface or monitoring system, so that the relevant personnel can better monitor, manage and optimize network resources and quickly recognize and respond to abnormal situations.
Considering that corresponding countermeasures are configured after a malicious program is determined, the method further includes, in addition to obtaining, by using the SDP client, the intranet resource address configured in the SDP server: obtaining, by using the SDP client, a security policy configured in the SDP server, where the security policy includes at least one of locking user information, locking the terminal device and blocking IP.
The security policy is obtained and applied in order to take defensive measures quickly and efficiently when a malicious program is detected. As mentioned in the foregoing description, these security policies are preconfigured in the SDP server and may be set according to the security requirements and policies of the enterprise. It will be appreciated that locking user information prevents infected users from continuing to access sensitive resources, locking the terminal device isolates the infected device so that it cannot continue to propagate the threat in the network, and blocking IP, i.e. blocking IP addresses, rejects all network requests from the specified IP addresses to prevent external attacks or internal infections from spreading further. Further, the security policies may include traffic hijacking and interception policies (e.g. limiting the type of hijacked traffic, or intercepting access requests to specific uniform resource locators (URLs), IP addresses or domain names), short message authentication (verifying user identities by sending one-time passcodes via SMS, etc.), blasting (brute-force) authentication protection (temporarily or permanently locking an account after multiple failed login attempts, requiring entry of a passcode, increasing the delay before the next attempt, or adding an IP address with multiple failed login attempts to a blacklist to prevent further access attempts), user-level authorization authentication (ensuring that users can only access the resources allowed by their roles), etc.
In a specific embodiment, after it is determined that a malicious program is installed in the terminal device, the method further includes: obtaining terminal device association information of the login to the SDP client, where the terminal device association information includes user identity information, client identity information and source IP information of the target process accessing the intranet resource address; and reporting the malicious program and the terminal device association information to the SDP server through the SDP client, where the SDP server is configured to generate a security event based on the malicious program, the terminal device association information and the security policy.
After the existence of the malicious program is determined, the terminal device association information is obtained in order to locate the infected user and device more precisely, so that the threat can be handled in a targeted manner. The malicious program and the terminal device association information are reported to the SDP server, which generates a security event from this information; generating the security event makes it convenient for security administrators to review and respond to the abnormal situation.
In order to further reduce false alarms and improve detection accuracy, before determining whether a malicious program is installed in the terminal device according to the similarity index, the method further includes: determining, in a fourth target time period, whether a suspected malicious program is installed in the terminal device according to the similarity index, and if so, determining, in a fifth target time period, whether a malicious program is installed in the terminal device according to the similarity index, where the fifth target time period is longer than the fourth target time period.
Specifically, before detecting the similarity between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process, a fourth target time period (for example, 5 minutes) is generally set; the malicious program detection method provided by the embodiment of the present application is executed in the fourth target time period to obtain a similarity index, and whether a suspected malicious program is installed in the terminal device is determined according to the similarity index obtained in the fourth target time period. If so, it is determined that a suspected malicious program is installed in the terminal device, and a longer fifth target time period (for example, 30 minutes) is further set. The malicious program detection method provided by the embodiment of the present application is then executed in the fifth target time period to obtain a similarity index, and it is determined according to the similarity index obtained in the fifth target time period whether a malicious program is installed in the terminal device.
By combining short-term and long-term traffic trend analysis through preliminary detection and further confirmation, the method can effectively detect and confirm malicious programs in the terminal device. Thus, staged detection can quickly screen out potential threats, reduce false alarms and improve detection accuracy.
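The third mode (fig. 8) together with the staged confirmation just described, as an added worked example that is not part of the patent: a constructed per-second series in which a process reads over HTTP and later pushes over MQTT, the protocol-mismatch trigger, the third difference between intranet and extranet accumulated traffic over a preset interval, and a fourth (short) target period that only marks the program as suspected before a fifth (longer) period confirms it. The 60 s cycle, the 100 KB threshold and the 300 s / 1800 s periods are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# One constructed sample per second for a single process:
# (protocol towards the intranet, KB received from the intranet,
#  protocol towards the extranet, KB sent to the extranet). Empty protocol = no traffic.
Sample = Tuple[str, float, str, float]


def make_cycle_series(seconds: int, read_kb_per_cycle: float, send_kb_per_cycle: float,
                      cycle: int = 60) -> List[Sample]:
    """Constructed series: in every 60 s cycle the process pulls from the intranet over
    HTTP during seconds 0-9 and pushes to the extranet over MQTT during seconds 30-39,
    so the two directions use different protocols and never overlap in time."""
    series: List[Sample] = []
    for t in range(seconds):
        phase = t % cycle
        read = read_kb_per_cycle / 10 if phase < 10 else 0.0
        send = send_kb_per_cycle / 10 if 30 <= phase < 40 else 0.0
        series.append(("http" if read else "", read, "mqtt" if send else "", send))
    return series


def protocols_differ(series: List[Sample]) -> bool:
    """Trigger of the third mode: the accumulated transceiving rule is applied only when
    the protocol used towards the intranet differs from the one used towards the extranet."""
    intranet = {proto for proto, kb, _, _ in series if kb > 0}
    extranet = {proto for _, _, proto, kb in series if kb > 0}
    return bool(intranet) and bool(extranet) and intranet.isdisjoint(extranet)


def accumulated_traffic(series: List[Sample], start: int, end: int) -> Tuple[float, float]:
    """Intranet and extranet accumulated traffic over the preset interval [start, end)."""
    window = series[start:end]
    return sum(s[1] for s in window), sum(s[3] for s in window)


def third_difference_similar(series: List[Sample], start: int, end: int,
                             third_diff_threshold_kb: float) -> Optional[bool]:
    """Third mode: None when the protocol trigger does not fire; otherwise whether the
    third difference |intranet_acc - extranet_acc| over [start, end) is below the
    preset third difference threshold (the similarity index of the first implementation)."""
    if not protocols_differ(series):
        return None
    intranet_acc, extranet_acc = accumulated_traffic(series, start, end)
    return abs(intranet_acc - extranet_acc) < third_diff_threshold_kb


def staged_detection(series: List[Sample], fourth_period_s: int = 300, fifth_period_s: int = 1800,
                     third_diff_threshold_kb: float = 100.0) -> Dict[str, bool]:
    """Two-stage confirmation: the shorter fourth target period only marks the program as
    suspected; the longer fifth target period must agree before it is confirmed. The preset
    interval is taken as the whole target period so that every read/send cycle is covered."""
    if fifth_period_s <= fourth_period_s:
        raise ValueError("the fifth target period must be longer than the fourth")
    if len(series) < fifth_period_s:
        raise ValueError("not enough samples to cover the fifth target period")
    suspected = third_difference_similar(series[:fourth_period_s], 0, fourth_period_s,
                                         third_diff_threshold_kb) is True
    confirmed = suspected and third_difference_similar(series[:fifth_period_s], 0, fifth_period_s,
                                                       third_diff_threshold_kb) is True
    return {"suspected": suspected, "confirmed": confirmed}
```

Note that a preset interval shorter than one read/send cycle (for example the first 20 s) sees only the reads and reports no similarity, so the interval must be long enough to cover the delay between receiving and sending.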
Referring to fig. 9, an embodiment of the present application provides a specific example of a terminal device in which a software-defined perimeter (SDP) client is installed, the terminal device including:
an obtaining unit 901, configured to obtain, if an operation of logging in an SDP client is detected, an intranet resource address configured in an SDP server by using the SDP client;
the obtaining unit 901 is further configured to obtain, by using the SDP client, a flow of accessing, by a target process to the intranet resource address, where the target process is any process installed in the terminal device;
the obtaining unit 901 is further configured to obtain, by using the SDP client, the traffic of the target process accessing an extranet resource address;
The determining unit 902 is configured to perform similarity comparison on the internal network resource address traffic accessed by the target process and the external network resource address traffic accessed by the target process based on a preset traffic similarity matching rule, and determine a similarity index between the internal network resource address traffic trend accessed by the target process and the external network resource address traffic trend accessed by the target process;
The determining unit 902 is further configured to determine whether a malicious program is installed in the terminal device according to the similarity index.
In an embodiment, the obtaining unit 901 is further configured to obtain, in real time, by using the SDP client, the intranet traffic size of the intranet resource address accessed by the target process in a first target time period;
the obtaining unit 901 is further configured to obtain, in real time, by using the SDP client, the extranet traffic size of the extranet resource address accessed by the target process in the first target time period;
the obtaining unit 901 is further configured to obtain a plurality of first differences between the intranet traffic size and the extranet traffic size at each statistical time in the first target time period;
the determining unit 902 is further configured to compare the plurality of first differences with a preset first difference threshold, so as to determine, according to the comparison result, a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process;
the determining unit 902 is further configured to determine that a malicious program is installed in the terminal device if the similarity indicator exceeds a first preset threshold.
In an embodiment, the obtaining unit 901 is further configured to obtain, in a second target time period, by using the SDP client, the intranet accumulated traffic obtained in each of a plurality of first intermittent communication periods of communication between the target process and the intranet resource address;
the obtaining unit 901 is further configured to obtain, in the second target time period, by using the SDP client, the extranet accumulated traffic obtained in each of a plurality of second intermittent communication periods of communication between the target process and the extranet resource address, where each second intermittent communication period is adjacent to a first intermittent communication period;
the obtaining unit 901 is further configured to obtain a plurality of second differences between the extranet accumulated traffic size in each second intermittent communication period and the intranet accumulated traffic size in each first intermittent communication period;
the determining unit 902 is further configured to compare the plurality of second differences with a preset second difference threshold, so as to determine, according to the comparison result, a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process;
the determining unit 902 is further configured to determine that a malicious program is installed in the terminal device if the similarity indicator exceeds a second preset threshold.
In one embodiment, the terminal device further comprises a triggering unit;
the triggering unit is configured to trigger the step of comparing, based on the accumulated transceiving traffic similarity matching rule, the intranet resource address traffic accessed by the target process and the extranet resource address traffic for similarity, if it is determined that the communication protocol between the target process and the intranet resource address differs from the communication protocol between the target process and the extranet resource address.
In an embodiment, the obtaining unit 901 is further configured to obtain, in a third target time period, by using the SDP client, the intranet accumulated traffic size of the communication between the target process and the intranet resource address;
the obtaining unit 901 is further configured to obtain, in the third target time period, by using the SDP client, the extranet accumulated traffic size of the communication between the target process and the extranet resource address;
the obtaining unit 901 is further configured to obtain a third difference value between the intranet accumulated traffic size and the extranet accumulated traffic size in a preset time interval within the third target time period, where the preset time interval is any time interval within the third target time period;
the determining unit 902 is further configured to compare the third difference value with a preset third difference value threshold, so as to determine, according to the comparison result, a similarity index between the intranet resource address traffic trend accessed by the target process and the extranet resource address traffic trend accessed by the target process;
the determining unit 902 is further configured to determine that a malicious program is installed in the terminal device if the similarity index includes the comparison result that the third difference value is smaller than the preset third difference value threshold.
In one embodiment, the terminal device further comprises a reporting unit;
the reporting unit is configured to report the malicious program to the SDP server through the SDP client if it is determined that a malicious program is installed in the terminal device, where the SDP server is configured to generate a security early-warning event based on the malicious program.
In an embodiment, the obtaining unit 901 is further configured to obtain, by using the SDP client, a security policy configured in the SDP server, where the security policy includes at least one of locking user information, locking the terminal device and blocking IP;
the obtaining unit 901 is further configured to obtain terminal device association information of the login to the SDP client, where the terminal device association information includes user identity information, client identity information and source IP information of the target process accessing the intranet resource address;
the reporting unit is further configured to report the malicious program and the terminal device association information to the SDP server through the SDP client, where the SDP server is configured to generate a security event based on the malicious program, the terminal device association information and the security policy.
In one embodiment, the terminal device further comprises a judging unit and an updating unit;
the obtaining unit 901 is further configured to obtain, by using the SDP client, the latest version of the traffic similarity matching rule configured in the SDP server;
the judging unit is configured to judge whether the latest version of the traffic similarity matching rule is the same as the preset traffic similarity matching rule;
the updating unit is configured to update the preset traffic similarity matching rule to the latest version of the traffic similarity matching rule if the two differ.
In an embodiment, the determining unit 902 is further configured to determine, in a fourth target period of time, whether a suspected malicious program is installed in the terminal device according to the similarity indicator;
the determining unit 902 is further configured to determine, in a fifth target time period, whether a malicious program is installed in the terminal device according to the similarity index, where the fifth target time period is longer than the fourth target time period.
In the embodiment of the present application, the operations performed by each unit of the terminal device are similar to those described in the foregoing first aspect or any one of the specific method embodiments of the first aspect, and are not described herein in detail. Of course, the specific implementation of the operations of the first aspect of the present application may also be implemented with reference to the related description of the second aspect.
The terminal device in the embodiment of the present application is described above from the point of view of the modularized functional entity, and the computer device in the embodiment of the present application is described below from the point of view of hardware processing:
referring to fig. 10, an embodiment of the present application provides a specific example of a computer apparatus including a processor for implementing the method described in the first aspect of the embodiment of the present application or any specific implementation manner of the first aspect, when executing a computer program stored on a memory.
It will be appreciated that when the processor in the above-described computer apparatus executes the computer program, the functions of each unit in the corresponding embodiments of each apparatus may also be implemented, which is not described herein. Illustratively, a computer program may be split into one or more modules/units, which are stored in memory and executed by a processor to accomplish the present application. One or more of the modules/units may be a series of computer program instruction segments capable of performing specific functions for describing the execution of the computer program in the terminal device. For example, the computer program may be divided into units in the above-described terminal devices, each unit may realize a specific function as described in the above-described corresponding terminal device.
The computer device may be a computing device such as a desktop computer, a notebook computer, a palm computer, a cloud server, and the like. Computer devices may include, but are not limited to, processors, memory. It will be appreciated by those skilled in the art that the processor, memory, etc. are merely examples of computer apparatus and are not limiting of computer apparatus, and may include more or fewer components, or may combine certain components, or different components, e.g., a computer apparatus may also include an input-output device, a network access device, a bus, etc.
The processor may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor; the processor is the control center of the computer device, connecting the various parts of the whole computer device through various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking the data stored in the memory. The memory may mainly include a program storage area, which may store an operating system and an application program required for at least one function, and a data storage area, which may store data created according to the use of the terminal. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory such as a hard disk, an internal memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
The present application also provides a computer readable storage medium for implementing the functions of a terminal device, on which a computer program is stored which, when executed by a processor, can be used to implement the method described in the first aspect of the embodiment or any specific implementation manner of the first aspect of the present application.
Embodiments of the present application also provide a computer program product having stored thereon a computer program/instruction which, when executed by a processor, is adapted to carry out the method described in the first aspect of the embodiments of the present application or any specific implementation of the first aspect.
The terms first, second, third, fourth and the like in the description and in the claims and in the above drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that, in various embodiments of the present invention, the sequence number of each step is not meant to indicate the order of execution, and the order of execution of each step should be determined by its functions and internal logic, and should not be construed as limiting the implementation process of the embodiments of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or in whole or in part, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash drive (U disk), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
While the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that the foregoing embodiments may be modified or equivalents may be substituted for some of the features thereof, and that the modifications or substitutions do not depart from the spirit and scope of the embodiments of the invention.

Claims (13)

1. A malicious program detection method, characterized in that it is applied to a terminal device in which an SDP (software-defined perimeter) client is installed, the method comprising:
if an operation of logging into the SDP client is detected, using the SDP client to obtain the intranet resource address configured in the SDP server;
using the SDP client to obtain the traffic of a target process accessing the intranet resource address, the target process being any process installed in the terminal device;
using the SDP client to obtain the traffic of the target process accessing an external network resource address;
based on preset traffic similarity matching rules, performing a similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, and determining a similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process;
determining, according to the similarity index, whether a malicious program is installed in the terminal device.

2. The method according to claim 1, characterized in that the preset traffic similarity matching rules include an actual sent and received traffic similarity matching rule;
performing, based on the actual sent and received traffic similarity matching rule, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, and determining the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process, includes:
within a first target time period, using the SDP client to obtain in real time the intranet traffic size of the intranet resource address accessed by the target process;
within the first target time period, using the SDP client to obtain in real time the external network traffic size of the external network resource address accessed by the target process;
obtaining, at each statistical moment within the first target time period, a plurality of first differences between the intranet traffic size and the external network traffic size;
comparing the plurality of first differences with a preset first difference threshold, so as to determine, according to the comparison result, the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index exceeds a first preset threshold, determining that a malicious program is installed in the terminal device.

3. The method according to claim 1, characterized in that the preset traffic similarity matching rules include an intermittent sent and received traffic similarity matching rule;
performing, based on the intermittent sent and received traffic similarity matching rule, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, and determining the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process, includes:
within a second target time period, using the SDP client to obtain the cumulative intranet traffic size obtained in each of a plurality of first intermittent communication time periods between the target process and the intranet resource address;
within the second target time period, using the SDP client to obtain the cumulative external network traffic size obtained in each of a plurality of second intermittent communication time periods between the target process and the external network resource address, wherein each second intermittent communication time period is set adjacent to a first intermittent communication time period;
obtaining a plurality of second differences between the cumulative external network traffic size in each second intermittent communication time period and the cumulative intranet traffic size in each first intermittent communication time period;
comparing each of the plurality of second differences with a preset second difference threshold, so as to determine, according to the comparison result, the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index exceeds a second preset threshold, determining that a malicious program is installed in the terminal device.

4. The method according to claim 1, characterized in that the preset traffic similarity matching rules include a cumulative sent and received traffic similarity matching rule;
before performing, based on the cumulative sent and received traffic similarity matching rule, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, the method further includes:
if it is determined that the communication protocol between the target process and the intranet resource address differs from the communication protocol between the target process and the external network resource address, triggering the step of performing, based on the cumulative sent and received traffic similarity matching rule, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process.

5. The method according to claim 4, characterized in that performing, based on the cumulative sent and received traffic similarity matching rule, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, and determining the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process, includes:
within a third target time period, using the SDP client to obtain the cumulative intranet traffic size of the target process communicating with the intranet resource address;
within the third target time period, using the SDP client to obtain the cumulative external network traffic size of the target process communicating with the external network resource address;
obtaining, within a preset time interval of the third target time period, a third difference between the cumulative intranet traffic size and the cumulative external network traffic size, wherein the preset time interval is any time interval within the third target time period;
comparing the third difference with a preset third difference threshold, so as to determine, according to the comparison result, the similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
if the similarity index includes the third difference being smaller than the preset third difference threshold, determining that a malicious program is installed in the terminal device.

6. The method according to claim 1, characterized in that, after determining, according to the similarity index, whether a malicious program is installed in the terminal device, the method further comprises:
if it is determined that a malicious program is installed in the terminal device, reporting the malicious program to the SDP server through the SDP client, wherein the SDP server is used to generate a security warning event based on the malicious program.

7. The method according to claim 1, characterized in that, in addition to using the SDP client to obtain the intranet resource address configured in the SDP server, the method further comprises:
using the SDP client to obtain the security policy configured in the SDP server, the security policy including at least one of locking user information, locking the terminal device, and blocking an IP address;
and after determining that a malicious program is installed in the terminal device, the method further comprises:
obtaining the terminal device association information of the login to the SDP client, wherein the terminal device association information includes user identity information, client identity information, and the source IP information of the target process accessing the intranet resource address;
reporting the malicious program and the terminal device association information to the SDP server through the SDP client, wherein the SDP server is used to generate a security event based on the malicious program, the terminal device association information and the security policy.

8. The method according to claim 1, characterized in that, in addition to using the SDP client to obtain the intranet resource address configured in the SDP server, the method further comprises:
using the SDP client to obtain the latest version of the traffic similarity matching rules configured in the SDP server;
and before performing, based on the preset traffic similarity matching rules, the similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, the method further comprises:
determining whether the latest version of the traffic similarity matching rules is the same as the preset traffic similarity matching rules;
if they are not the same, updating the preset traffic similarity matching rules to the latest version of the traffic similarity matching rules.

9. The method according to any one of claims 1 to 8, characterized in that, before determining, according to the similarity index, whether a malicious program is installed in the terminal device, the method further comprises:
within a fourth target time period, determining, according to the similarity index, whether a suspected malicious program is installed in the terminal device;
and determining, according to the similarity index, whether a malicious program is installed in the terminal device includes:
within a fifth target time period, determining, according to the similarity index, whether a malicious program is installed in the terminal device, wherein the fifth target time period is longer than the fourth target time period.

10. A terminal device, characterized in that an SDP (software-defined perimeter) client is installed in the terminal device, the terminal device comprising:
an acquisition unit, configured to use the SDP client to obtain the intranet resource address configured in the SDP server if an operation of logging into the SDP client is detected;
the acquisition unit being further configured to use the SDP client to obtain the traffic of a target process accessing the intranet resource address, the target process being any process installed in the terminal device;
the acquisition unit being further configured to use the SDP client to obtain the traffic of the target process accessing an external network resource address;
a determination unit, configured to perform, based on preset traffic similarity matching rules, a similarity comparison between the intranet resource address traffic and the external network resource address traffic accessed by the target process, and to determine a similarity index between the traffic trend of the intranet resource address accessed by the target process and the traffic trend of the external network resource address accessed by the target process;
the determination unit being further configured to determine, according to the similarity index, whether a malicious program is installed in the terminal device.

11. A computer device comprising a processor, characterized in that the processor, when executing a computer program stored in a memory, is used to implement the malicious program detection method according to any one of claims 1 to 9.

12. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, is used to implement the malicious program detection method according to any one of claims 1 to 9.

13. A computer program product having a computer program/instruction stored thereon, characterized in that the computer program/instruction, when executed by a processor, is used to implement the malicious program detection method according to any one of claims 1 to 9.
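As an added example, not the patent's own code, the following Python sketches the three similarity rules of claims 2, 3 and 5 (per-moment first differences, adjacent intermittent-burst totals, and cumulative totals gated by the claim 4 protocol-difference trigger) over constructed per-process byte counts; the thresholds, sample values, and every function and class name are assumptions.

```python
"""Added example (not the patent's own code): the per-process intranet/extranet traffic
similarity rules of claims 2, 3 and 5 over constructed samples and constructed thresholds."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIRST_DIFF_THRESHOLD = 200   # claim 2: max |intranet - extranet| bytes per statistical moment
SECOND_DIFF_THRESHOLD = 100  # claim 3: max difference between adjacent burst totals
THIRD_DIFF_THRESHOLD = 500   # claim 5: max difference between cumulative totals
INDEX_THRESHOLD = 0.8        # the "first/second preset threshold" on the similarity index


@dataclass
class Sample:
    """Traffic of one process at one statistical moment (constructed data)."""
    t: int         # statistical moment, seconds since the window started
    intranet: int  # bytes exchanged with the intranet resource address
    extranet: int  # bytes exchanged with the extranet resource address


def realtime_similarity(samples: List[Sample], threshold: int) -> float:
    """Claim 2: the similarity index is the fraction of statistical moments whose
    first difference |intranet - extranet| stays within the first difference threshold."""
    if not samples:
        return 0.0
    hits = sum(1 for s in samples if abs(s.intranet - s.extranet) <= threshold)
    return hits / len(samples)


def burst_pairs(samples: List[Sample]) -> List[Tuple[int, int]]:
    """Claim 3 segmentation: a run of moments with intranet traffic (first intermittent
    period) followed by an adjacent extranet-only run (second period), as byte totals."""
    pairs, i, n = [], 0, len(samples)
    while i < n:
        while i < n and samples[i].intranet == 0:  # idle or extranet-only gap
            i += 1
        intra = 0
        while i < n and samples[i].intranet > 0:
            intra += samples[i].intranet
            i += 1
        extra = 0
        while i < n and samples[i].intranet == 0 and samples[i].extranet > 0:
            extra += samples[i].extranet
            i += 1
        if intra and extra:
            pairs.append((intra, extra))
    return pairs


def intermittent_similarity(samples: List[Sample], threshold: int) -> float:
    """Claim 3: fraction of adjacent burst pairs whose second difference is within threshold."""
    pairs = burst_pairs(samples)
    if not pairs:
        return 0.0
    return sum(1 for intra, extra in pairs if abs(extra - intra) <= threshold) / len(pairs)


def cumulative_similar(samples: List[Sample], start: int, end: int, threshold: int,
                       intranet_proto: str, extranet_proto: str) -> Optional[bool]:
    """Claims 4 and 5: triggered only when the process speaks different protocols inside
    and outside; compares cumulative bytes over the preset interval [start, end]."""
    if intranet_proto == extranet_proto:
        return None  # rule not triggered (claim 4)
    intra = sum(s.intranet for s in samples if start <= s.t <= end)
    extra = sum(s.extranet for s in samples if start <= s.t <= end)
    return abs(intra - extra) < threshold


def verdict(samples: List[Sample], intranet_proto: str, extranet_proto: str) -> str:
    """Any rule that finds the two traffic trends similar marks the process."""
    if not samples:
        return "clean"
    realtime = realtime_similarity(samples, FIRST_DIFF_THRESHOLD) > INDEX_THRESHOLD
    intermittent = intermittent_similarity(samples, SECOND_DIFF_THRESHOLD) > INDEX_THRESHOLD
    cumulative = cumulative_similar(samples, samples[0].t, samples[-1].t,
                                    THIRD_DIFF_THRESHOLD, intranet_proto, extranet_proto)
    return "malicious" if (realtime or intermittent or cumulative) else "clean"


# Constructed samples: a store-and-forward relay that mirrors intranet bytes outwards,
# and a browser-like process whose intranet and extranet streams are unrelated.
RELAY = [Sample(0, 4000, 0), Sample(1, 4100, 0), Sample(2, 0, 4050), Sample(3, 0, 4080),
         Sample(4, 3900, 0), Sample(5, 0, 3950), Sample(6, 0, 0), Sample(7, 0, 0)]
BROWSER = [Sample(0, 500, 9000), Sample(1, 0, 12000), Sample(2, 700, 0), Sample(3, 0, 300),
           Sample(4, 0, 15000), Sample(5, 200, 0), Sample(6, 0, 0), Sample(7, 0, 8000)]
```

The relay is missed by the per-moment rule (its bytes are forwarded with a delay) but caught by the burst and cumulative rules, which is why the claims keep all three.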
CN202411407534.6A 2024-10-09 2024-10-09 A malicious program detection method and related device Pending CN119377947A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411407534.6A CN119377947A (en) 2024-10-09 2024-10-09 A malicious program detection method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411407534.6A CN119377947A (en) 2024-10-09 2024-10-09 A malicious program detection method and related device

Publications (1)

Publication Number Publication Date
CN119377947A true CN119377947A (en) 2025-01-28

Family

ID=94325849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411407534.6A Pending CN119377947A (en) 2024-10-09 2024-10-09 A malicious program detection method and related device

Country Status (1)

Country Link
CN (1) CN119377947A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination