CN111212035A - Host computer defect confirming and automatic repairing method and system based on same - Google Patents
Publication number: CN111212035A (application CN201911319643.1A)
Authority: CN (China)
Legal status: Pending
Classifications (CPC; all under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
- H04L63/0263 Rule management (under H04L63/0227 Filtering policies and H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0281 Proxies (under H04L63/02)
- H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention relates to a compromised-host confirmation and automatic repair method and a system based on it. A plurality of hosts are each provided with an agent engine that registers with a coordination engine; the coordination engine subscribes to alarm information from the APT device, formulates linkage rules and issues the policy to all corresponding agent engines. When the APT device detects subscribed alarm information, an alarm event is triggered, the corresponding coordination engine issues the alarm event to the agent engines according to the linkage rule, and each agent engine executes the response policy specified by the linkage rule and feeds the result back to the coordination engine. The process can be edited to handle practical scenarios beyond automatic repair of Trojan intrusions, the agent engine can apply a variety of rules on its own, and the coordination engine can handle service monitoring and management of tens of thousands of devices. The false alarm rate is reduced, the compromised host is located when an attack succeeds, emergency repair is carried out on it, and the system is repaired at the earliest moment to avoid greater loss.
Description
Technical Field
The invention relates to the technical field of digital information transmission, such as telegraphic communication, and in particular to a compromised-host confirmation and automatic repair method and a system based on it.
Background
In a user's intranet, an APT protection device is often deployed to monitor the overall security state of the network; it is deployed in either IPS mode or IDS mode. An IDS (intrusion detection system) monitors the running state of networks and systems according to a given security policy and finds as many attack attempts, attack behaviours or attack results as possible, in order to protect the confidentiality, integrity and availability of network system resources. These products are mostly deployed out of band (bypass): they do not block any network access and mainly provide reports and after-the-fact supervision; a few products of this kind also offer functions such as TCP blocking, but these are rarely used. An IPS (intrusion prevention system) belongs to the category of network switches and is a special switch with an attack filtering function; it is generally deployed between the firewall and the devices outside the network and defends by inspecting packets (examining each packet entering the network,
determining its actual purpose, and then deciding whether to allow it into the network).
Generally, an IDS device is oriented toward attack detection and cannot block access; after detecting an attack it may notify the network security administrator by SMS or e-mail, whereas an IPS device can block network access after detecting an attack to prevent further attacks. However, these two kinds of device can only discover and block attack behaviour. They often raise false alarms because of mismatched rules, or because the network traffic does carry the corresponding dangerous characteristics but it cannot be determined whether the attack actually succeeded. When such information occurs frequently, genuinely dangerous alarms may be drowned out, which affects the network administrator's judgement and causes unnecessary loss.
Anton Chuvakin of Gartner coined the term Endpoint Threat Detection and Response (ETDR) in 2013 to define tools that "detect and investigate suspicious activity (and traces of it) on a host/endpoint"; the term later became Endpoint Detection and Response (EDR). EDR is a relatively new endpoint security solution, but the industry sometimes compares its overall security functions with advanced threat protection (APT), because it likewise meets the need to continuously monitor and respond to advanced threats; one may even regard EDR as an advanced form of threat protection.
EDR entered Gartner's top ten technologies in 2014. It originally appeared to make up for the shortcomings of the traditional endpoint protection platform (EPP), and EDR and EPP are now increasingly merged, in particular with EDR functions added to the newly released versions of the major EPP vendors' products. At present, cloud-based EDR deployment is gradually becoming mainstream: the concentration of data in the cloud provides stronger detection and analysis, and detection capability is improved by integrating real-time data and applying machine learning and other detection technologies at the back end.
The concept and application of the SOC (security operations center) has existed for many years, but in practice SOCs have not been applied successfully and have been hard to scale; with the introduction of threat intelligence, big data and machine learning, and helped by the trend toward situation awareness, a new generation of SOC, the intelligent SOC (iSOC), is beginning to emerge. Within the SOC, the technology of the early blocking stage is the most mature and 90% of users reach it (using products such as APT and WAF), but only a few users reach the advanced response stage; most are in the transition from discovery to response, where the typical problems are flooding by large numbers of alarms, the inability to confirm whether a host has been compromised, and the need for manual repair after a compromise, which far exceed the processing capacity of security operators and lead to long processing cycles.
Disclosure of Invention
The invention solves the problems of the prior art by providing an optimized compromised-host confirmation and automatic repair method and a system based on it.
The technical scheme adopted by the invention is a compromised-host confirmation and automatic repair method comprising the following steps:
step 1: install agent engines on a plurality of hosts;
step 2: the agent engine starts and registers with the coordination engine;
step 3: the coordination engine subscribes to alarm information from the APT device, formulates a corresponding linkage rule and issues the policy to all agent engines registered with the current coordination engine;
step 4: continuously monitor the APT device; when the APT device detects any alarm information subscribed by any coordination engine, proceed to the next step, otherwise repeat step 4;
step 5: the APT device triggers an alarm event, and the corresponding coordination engine issues the alarm event to the agent engines according to the linkage rule;
step 6: the agent engine executes the response policy specified by the linkage rule and feeds the result back to the coordination engine.
Preferably, the agent engine comprises a file directory monitoring module, a text log collection module, a database log collection module, a filtering rule module and an emergency response module.
Preferably, in step 3, issuing the policy to all agent engines registered with the current coordination engine comprises the following steps:
step 3.1: the coordination engine and the agent engine establish a TCP link;
step 3.2: the coordination engine packages the data in JSON format and encrypts it;
step 3.3: the encrypted data is transmitted to the agent engine over the TCP link.
Preferably, step 6 comprises the following steps:
step 6.1: according to the issued linkage rules, the agent engine monitors the directory and collects the text logs and database logs through the file directory monitoring module, the text log collection module and the database log collection module;
step 6.2: the file directory monitoring module passes the monitoring information to the filtering rule module;
step 6.3: the filtering rule module matches the information against the preset filtering rule; if the match succeeds, proceed to the next step, otherwise go to step 6.5;
step 6.4: an emergency response is triggered and the emergency response module executes the preset response policy;
step 6.5: the emergency response module returns the execution result to the coordination engine.
Preferably, in step 6, the coordination engine notifies the administrator of the execution result.
Preferably, in step 6, an effective time T for which the agent engine executes the response policy specified by the linkage rule is preset.
Preferably, the coordination engine comprises a receiving end, a response end and a plurality of operation ends connected in sequence.
A compromised-host confirmation and automatic repair system adopting the above compromised-host confirmation and automatic repair method comprises:
a coordination engine, which is linked with the APT device, acquires the alarm events issued by the APT device and issues them to the agent engines based on the preset response policy;
and agent engines, which receive the linkage rules issued by the coordination engine, monitor the host according to the rules and feed the emergency response result back to the coordination engine.
Preferably, the coordination engine comprises:
a receiving end, which receives IO events and opens a new communication channel for each;
a response end, which responds to the new events on the communication channels opened by the receiving end and distributes them in the form of events;
and operation ends, which receive the corresponding events distributed by the response end, read in from the communication channel, complete the event's service processing and write out to the communication channel.
Preferably, the new events include connection setup ready, read ready and write ready.
The invention provides an optimized compromised-host confirmation and automatic repair method and a system based on it. A plurality of hosts are each provided with an agent engine that registers with a coordination engine; the coordination engine subscribes to alarm information from the APT device, formulates the corresponding linkage rule and issues the policy to all corresponding agent engines. When the APT device detects any alarm information subscribed by any coordination engine, an alarm event is triggered, the corresponding coordination engine issues the alarm event to the agent engines according to the linkage rule, and the agent engines execute the response policy specified by the linkage rule and feed the result back to the coordination engine.
In the invention, EDR makes up on the endpoint for the isolation of the APT protection device at the network boundary: problems can be found on either the endpoint or the network and then blocked on the network or the endpoint, combining point and surface. Massive threat information is processed in an integrated manner, users can customize the response handling logic themselves, labour is freed and optimized through flow configuration, security is built up through continuously evolving early-warning, defence, detection and response capabilities, the time and effort spent on security operation and maintenance are reduced, the increasingly complex volume of network threat information and events under the new situation is met, and problems such as the low integration of isolated devices and new network security policies are addressed.
The beneficial effects of the invention are:
(1) through an automatic event orchestration and response mechanism, the process can be edited, so practical scenarios beyond automatic repair of Trojan intrusions can be handled;
(2) the agent engine acts as the rule execution unit and can apply a variety of rules on its own, such as script execution, network control and service control;
(3) the coordination engine is developed on a response-end thread model and can handle service monitoring and management of tens of thousands of devices;
(4) linking the EDR monitoring terminal with the APT device reduces the false alarm rate of traditional devices; through the linkage rule, the compromised host can be located when an attack succeeds and repaired immediately according to the preset emergency handling scheme for that rule, so the system is repaired at the earliest moment and greater loss is avoided.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the system structure of the present invention, where the arrows indicate the direction of information transmission.
Detailed Description
The present invention is described in further detail with reference to the following examples, but the scope of the present invention is not limited thereto.
The invention relates to a compromised-host confirmation and automatic repair method. Traffic information captured by the APT device is analysed to determine whether a certain attack behaviour exists in the network, and the target address of a Trojan is analysed from the captured traffic packets. An EDR monitoring terminal is installed on the target host; the EDR acquires the target host's log information in real time, extracts the key information from it and stays linked with the APT device. If the log or a file directory contains the file name, the linkage rule is triggered to perform user warning and compromise repair operations.
In the invention, the linkage rule is the core content. It is developed on the SOAR idea and is a set of policies based on network transmission and local control; it integrates the threat identification of the APT device with the depth of EDR's endpoint security protection, and realises compromise confirmation and automatic repair after a host is compromised.
In the present invention, SOAR comprises the following steps:
1) Alarm acceptance: classify and prioritize alarms, which may be done automatically with preprocessing scripts;
2) Qualitative analysis: judge whether the threat is genuine and confirm its nature and the attacker's intent, mainly based on threat intelligence and sandbox technology;
3) Quantitative analysis: investigate and collect evidence, reconstruct the attack scenario, and evaluate the severity, impact and scope of the threat; this may be based on endpoint detection and response, network traffic analysis, and managed detection and response (MDR);
4) Response: execute the response policy according to the response script, so that product linkage is achieved and the response script runs automatically.
The method comprises the following steps.
Step 1: install agent engines on several hosts.
The agent engine comprises a file directory monitoring module, a text log collection module, a database log collection module, a filtering rule module and an emergency response module.
In the invention, the agent engine (Agent) is a monitoring terminal installed on the host device. It is developed in the Golang language and is characterised by high performance and low resource usage; when the Agent starts, it registers with the coordination engine and reports its node state, which facilitates cluster management.
In the invention, the file directory monitoring module of the agent engine uses fsnotify to monitor file changes in a directory in real time, such as creation, modification and renaming. The text log collection module and the database log collection module rely on this file monitoring: when a file changes, a file read is triggered that continues from the line last read.
In the invention, directory monitoring and log collection generate Event information, which maintains a Map data structure containing the file name, the operation, the time of occurrence, the original log and similar information.
In the invention, the filtering rules of the filtering rule module are issued by the coordination engine and generally consist of regular expressions and JSEL expressions; JSEL is a simple expression interpretation engine based on reverse Polish notation that follows JS operator rules and also serves as a JSON parsing engine. The filtering rule is applied to the Event information generated by monitoring and log collection: key information is extracted with the regular expression, the JSEL expression makes the condition judgement, and if the condition is true the emergency response process is triggered.
In the invention, the emergency response of the emergency response module comprises modules such as ACL control and executable scripts, and when a filtering rule is triggered the preset emergency response policy is executed immediately. Unlike ACL control, the executable script is customized by the user and can define the response operation after the filtering rule is triggered, such as deleting a file or stopping a service.
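The agent-side collection path described above (a directory change triggers a read that continues from the last read line and produces an Event Map with file name, operation, time and original record), as an added illustration in Go, the language the patent names for the agent engine. This is not the patent's own code: fsnotify is replaced by explicit calls to Collect so the example runs offline, the per-file offset bookkeeping and the handling of a truncated file and of a half-written trailing line are the author's assumptions about what such a module needs, and the log records are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"time"
)

// LogEvent mirrors the Map the agent attaches to each monitored change: file name,
// operation, time of occurrence and the original log line.
type LogEvent map[string]string

// LogCollector remembers how far each file has been read, so a change notification
// only yields the lines appended since the last pass.
type LogCollector struct {
	offsets map[string]int64
}

// Collect is what the directory-monitoring module calls when it sees a change on path
// (fsnotify in the patent; explicit calls here). It returns one LogEvent per complete new line.
func (c *LogCollector) Collect(path, action string) ([]LogEvent, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	start := c.offsets[path]
	if info.Size() < start {
		start = 0 // file shrank (truncation or rotation): reread from the beginning
	}
	if _, err := f.Seek(start, io.SeekStart); err != nil {
		return nil, err
	}
	r := bufio.NewReader(f)
	pos := start
	var events []LogEvent
	for {
		line, err := r.ReadString('\n')
		if err == io.EOF {
			break // a trailing partial line stays unread until it is complete
		}
		if err != nil {
			return nil, err
		}
		pos += int64(len(line))
		events = append(events, LogEvent{
			"filename": filepath.Base(path),
			"action":   action,
			"time":     time.Now().UTC().Format(time.RFC3339),
			"raw":      line[:len(line)-1],
		})
	}
	c.offsets[path] = pos
	return events, nil
}

// Demo writes a constructed log file in two steps and returns the events collected on
// each pass; the second pass yields only the appended, complete records.
func Demo() ([]LogEvent, []LogEvent, error) {
	dir, err := os.MkdirTemp("", "agent-demo")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "app.log")
	// Constructed sample records, not taken from any real system.
	if err := os.WriteFile(path, []byte("login ok user=alice\nlogin failed user=bob\n"), 0o600); err != nil {
		return nil, nil, err
	}
	c := &LogCollector{offsets: map[string]int64{}}
	first, err := c.Collect(path, "create")
	if err != nil {
		return nil, nil, err
	}
	f, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, 0o600)
	if err != nil {
		return nil, nil, err
	}
	f.WriteString("file created name=word.doc\npartial record")
	f.Close()
	second, err := c.Collect(path, "modify")
	return first, second, err
}

func main() {
	first, second, err := Demo()
	fmt.Println(len(first), "events on first pass,", len(second), "on second pass; error:", err)
}
```

Holding back the unterminated "partial record" matters for the filtering stage that follows: a rule evaluated against half a line can match or miss on text that is still being written.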
Step 2: and the agent engine is started and registers with the coordination engine.
The coordination engine comprises a receiving end, a response end and a plurality of operation ends which are connected in sequence.
In the invention, the coordination engine is a coordination system deployed together with or independently from the APT equipment, has SOAR (secure organization and automatic response) function, can be linked with the APT equipment and subscribe the alarm information of the APT, such as subscribing SQL injection alarm event, and the user can set the alarm to be monitored and the corresponding response strategy through the SOAR module, such as the access request of the corresponding configuration ACL strategy refusing event source address, and sends the strategy to Agent.
In the invention, the SOAR system is referred for linkage rule design, the SOA and the IR module are covered, the SOA and the IR module are in orbit with the international standard, and the learning cost of users is reduced.
In the invention, because the network flow is likely to be huge, the Agent engine and the coordination engine realize the real-time linkage capability under the condition of thousands of nodes through a Reactor mode based on Java NIO, namely a receiving end, a response end and a plurality of operation ends which are connected in sequence are arranged.
In the present invention,
Step 3: the coordination engine subscribes to alarm information from the APT device, formulates the corresponding linkage rule and issues the policy to all agent engines registered with the current coordination engine.
In step 3, issuing the policy to all agent engines registered with the current coordination engine comprises the following steps:
step 3.1: the coordination engine and the agent engine establish a TCP link;
step 3.2: the coordination engine packages the data in JSON format and encrypts it;
step 3.3: the encrypted data is transmitted to the agent engine over the TCP link.
In the present invention, the encryption in step 3.2 uses the RC4 algorithm.
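Steps 3.1 to 3.3 as an added example in Go, not code from the patent: the policy is packaged as JSON, sealed, and sent as a length-prefixed frame over a link, with net.Pipe standing in for the TCP connection of step 3.1. The patent names RC4 for step 3.2; RC4 is a stream cipher with well-known keystream biases and it provides no integrity protection, so a modified policy frame would decrypt without any error to a different rule. The example therefore uses AES-256-GCM in its place, which authenticates the frame before any JSON is parsed; the Policy field names, the framing format and the key handling are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
	"net"
)

// Policy is the linkage-rule payload the coordination engine pushes to an agent (field names are assumptions).
type Policy struct {
	RuleID    string `json:"rule_id"`
	Condition string `json:"condition"` // filtering rule text
	Response  string `json:"response"`  // e.g. "delete" or "acl-deny"
}

// newAEAD builds AES-256-GCM for a 32-byte key (used here in place of the RC4 the patent names).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFrame packages the policy as JSON (step 3.2), encrypts and authenticates it, and prefixes
// the result with a 4-byte big-endian length so the agent can find message boundaries on the stream.
func sealFrame(key []byte, p Policy) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	body := aead.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	frame := make([]byte, 4+len(body))
	binary.BigEndian.PutUint32(frame, uint32(len(body)))
	copy(frame[4:], body)
	return frame, nil
}

// openFrame reads one length-prefixed frame, verifies and decrypts it, and decodes the policy.
// A tampered frame or a wrong key fails the GCM check before any JSON is parsed.
func openFrame(key []byte, r io.Reader) (Policy, error) {
	var p Policy
	aead, err := newAEAD(key)
	if err != nil {
		return p, err
	}
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return p, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n < uint32(aead.NonceSize()+aead.Overhead()) || n > 1<<20 {
		return p, fmt.Errorf("invalid frame length %d", n) // too short to be valid, or absurdly large
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return p, err
	}
	plain, err := aead.Open(nil, body[:aead.NonceSize()], body[aead.NonceSize():], nil)
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(plain, &p)
	return p, err
}

// IssuePolicy runs step 3 end to end: net.Pipe stands in for the TCP link of step 3.1, the engine
// side seals and sends one frame, and the policy as decoded by the agent side is returned.
func IssuePolicy(key []byte, p Policy) (Policy, error) {
	engineSide, agentSide := net.Pipe()
	defer agentSide.Close()
	go func() { // coordination engine side
		defer engineSide.Close()
		if frame, err := sealFrame(key, p); err == nil {
			engineSide.Write(frame)
		}
	}()
	return openFrame(key, agentSide) // agent side
}

func main() {
	key := make([]byte, 32) // constructed demo key; a deployment would provision keys out of band
	rand.Read(key)
	got, err := IssuePolicy(key, Policy{RuleID: "r1", Condition: `${filename} == "word.doc"`, Response: "delete"})
	fmt.Printf("%+v %v\n", got, err)
}
```

The length cap in openFrame is the agent's protection against a malformed or hostile peer announcing a multi-gigabyte frame; the GCM tag check is what guarantees that the rule the agent acts on is the one the engine issued.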
Step 4: continuously monitor the APT device; when the APT device detects any alarm information subscribed by any coordination engine, proceed to the next step, otherwise repeat step 4.
Step 5: the APT device triggers an alarm event, and the corresponding coordination engine sends the alarm event to the agent engines according to the linkage rule.
Step 6: the agent engine executes the response policy specified by the linkage rule and feeds the result back to the coordination engine.
Step 6 comprises the following steps:
step 6.1: according to the issued linkage rules, the agent engine monitors the directory and collects the text logs and database logs through the file directory monitoring module, the text log collection module and the database log collection module;
step 6.2: the file directory monitoring module passes the monitoring information to the filtering rule module;
step 6.3: the filtering rule module matches the information against the preset filtering rule; if the match succeeds, proceed to the next step, otherwise go to step 6.5;
step 6.4: an emergency response is triggered and the emergency response module executes the preset response policy;
step 6.5: the emergency response module returns the execution result to the coordination engine.
In step 6, the coordination engine notifies the administrator of the execution result.
In step 6, an effective time T for which the agent engine executes the response policy specified by the linkage rule is preset.
In the invention, the rule configuration interface is developed with Vue 2.0.0 and supports dragging and dynamically adding processing nodes on the interface. For example, a first node subscribes to SQL injection alarm events, a second node adds the response rule "configure an ACL policy that denies access requests from the event source address", a third node is the Agent execution unit "Agent matching the event's target IP", and a fourth node is the notification.
In the invention, the linkage rule is preset, and data collection starts once the rule has been issued to the agent engine.
In the invention, the notification comprises alarm notification configured by mail, SMS or an API interface; the coordination engine runs the corresponding program according to the selected alarm mode to complete the output of the alarm, thereby closing the loop of compromised-host confirmation and automatic repair.
In the invention, the effective time is user-defined, so that the impact of any erroneous operation caused by a false alarm is reduced to a minimum.
The invention also relates to a compromised-host confirmation and automatic repair system adopting the above compromised-host confirmation and automatic repair method, which comprises:
a coordination engine, which is linked with the APT device, acquires the alarm events issued by the APT device and issues them to the agent engines based on the preset response policy;
and agent engines, which receive the linkage rules issued by the coordination engine, monitor the host according to the rules and feed the emergency response result back to the coordination engine.
The coordination engine comprises:
a receiving end, which receives IO events and opens a new communication channel for each;
a response end, which responds to the new events on the communication channels opened by the receiving end and distributes them in the form of events;
and operation ends, which receive the corresponding events distributed by the response end, read in from the communication channel, complete the event's service processing and write out to the communication channel.
The new events include connection setup ready, read ready and write ready.
In the invention, the receiving end (Acceptor) is responsible for registering IO events from Agents, IPS or IDS devices and the like; only when an actual IO read or write request occurs is a communication channel (channel) created for that IO request and announced to the Reactor module.
In the invention, the response end (Reactor) is responsible for responding to IO events; when a new event is detected it is sent to the corresponding Handler for processing.
In the invention, the operation end (Handler) is bound to an event and is responsible for processing it: it completes the read from the channel and, after the service logic has been processed, writes the result out to the channel.
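The Acceptor/Reactor/Handler split of the three preceding paragraphs, together with the agent registration of step 2, as an added example that is not the patent's code. The patent implements this in Java NIO; it is modelled here in Go so that all examples on this page share one language. An Acceptor goroutine accepts connections and feeds connection-ready events to a single Reactor loop, which dispatches connect-ready, read-ready and write-ready events to the handler bound to each kind; selector-based readiness notification is simplified to handlers that read when invoked, and the registration message format is an assumption.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
)

// EventKind mirrors the three readiness events the response end distributes.
type EventKind int
const (
	ConnectReady EventKind = iota // connection setup ready
	ReadReady
	WriteReady
)

// IOEvent pairs a readiness kind with its channel; Data is the reply pending for WriteReady.
type IOEvent struct {
	Kind EventKind
	Conn net.Conn
	Data string
}

// Registration is the node-state report an agent sends on start-up (field names are assumptions).
type Registration struct {
	NodeID string `json:"node_id"`
	State  string `json:"state"`
}

// Reactor is the response end: one loop dispatches each event to the operation end (handler)
// bound to its kind. Every handler runs on that loop, so Registry needs no locking.
type Reactor struct {
	handlers map[EventKind]func(IOEvent) *IOEvent
	events   chan IOEvent
	Registry map[string]Registration
}

// NewReactor binds one handler per event kind; a handler may hand back a follow-up event.
func NewReactor() *Reactor {
	r := &Reactor{handlers: map[EventKind]func(IOEvent) *IOEvent{}, events: make(chan IOEvent), Registry: map[string]Registration{}}
	r.handlers[ConnectReady] = func(ev IOEvent) *IOEvent { return &IOEvent{Kind: ReadReady, Conn: ev.Conn} }
	r.handlers[ReadReady] = func(ev IOEvent) *IOEvent {
		line, err := bufio.NewReader(ev.Conn).ReadString('\n') // one JSON line per channel in this model
		var reg Registration
		if err != nil || json.Unmarshal([]byte(line), &reg) != nil || reg.NodeID == "" {
			return &IOEvent{Kind: WriteReady, Conn: ev.Conn, Data: "REJECT malformed registration"}
		}
		r.Registry[reg.NodeID] = reg
		return &IOEvent{Kind: WriteReady, Conn: ev.Conn, Data: "ACK " + reg.NodeID}
	}
	r.handlers[WriteReady] = func(ev IOEvent) *IOEvent {
		fmt.Fprintln(ev.Conn, ev.Data)
		ev.Conn.Close()
		return nil
	}
	return r
}

// Run drains the event channel until it is closed, following each event's chain of
// follow-ups (connect -> read -> write) before taking the next one.
func (r *Reactor) Run() {
	for ev := range r.events {
		for next := &ev; next != nil; {
			next = r.handlers[next.Kind](*next) // every kind is bound in NewReactor
		}
	}
}

// Acceptor is the receiving end: each accepted connection enters the reactor as a ConnectReady
// event. It is the only sender on the event channel, so it closes it when the listener closes.
func Acceptor(ln net.Listener, r *Reactor) {
	defer close(r.events)
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		r.events <- IOEvent{Kind: ConnectReady, Conn: conn}
	}
}

// RegisterAgent runs the step-2 exchange in-process on a loopback listener: the agent connects,
// sends its registration as one JSON line, and the engine's reply line and registry are returned.
func RegisterAgent(reg Registration) (string, map[string]Registration, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	r := NewReactor()
	runDone := make(chan struct{})
	go Acceptor(ln, r)
	go func() { r.Run(); close(runDone) }()
	var reply string
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err == nil {
		payload, _ := json.Marshal(reg)
		if _, err = conn.Write(append(payload, '\n')); err == nil {
			reply, err = bufio.NewReader(conn).ReadString('\n')
		}
		conn.Close()
	}
	ln.Close() // stops the acceptor, which closes the event channel; then the reactor loop ends
	<-runDone
	return reply, r.Registry, err
}
```

Calling RegisterAgent(Registration{NodeID: "agent-01", State: "online"}) yields the reply line "ACK agent-01" and a registry with that node. The one-loop design is what lets the registry be touched without locks; a production reactor would register each channel with a selector instead of blocking in the read handler.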
In the present invention, an embodiment is given:
The WannaCry virus has recently broken out on the Internet, and a user needs to establish a linkage rule through the platform to protect the user's network;
Configuring rules: the coordination engine is configured to subscribe to Trojan file alarms from the APT equipment; the mode is directory monitoring and the filtering rule is file-name matching (`${filename} == "${1}" && ${type} == "Virus"`). Because the impact of the virus is severe, the emergency response rule is set to delete immediately and the execution receipt is set to notify the user's mailbox; after the user clicks save, the coordination engine issues the rule to all Agents;
Service execution: the APT device detects the WannaCry virus and its variants through file characteristics and a sandbox and immediately triggers an alarm event containing the virus file name (word.doc); the coordination engine receives the alarm event, triggers the configured rule and sends the file name to all proxy engines; the proxy engines monitor directory changes in real time and, once a file with the same name is found to be created, immediately delete the file based on the filtering rule (`${file} == "word.doc" && ${type} == "Virus"`), generate an execution result and send it back to the coordination engine;
The coordination engine informs the network management personnel of the execution result by e-mail according to the preset rule;
The above process runs automatically once configured and needs no personnel intervention, so the emergency response speed to the threat is improved, the compromised host is confirmed and quickly repaired automatically, and the whole process is recorded so that management personnel can conveniently track and trace the source afterwards.
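As an added example (not the patent's own code), the following Python models the agent side of the embodiment above: parsing the filtering rule, binding `${1}` to the file name carried by the APT alarm, evaluating directory events against the bound rule, and honouring the effective time T of claim 6. The rule syntax, the `file`/`type` field names, the response names and all sample values are assumptions; the delete action is simulated and no file is touched.

```python
import re
import time
from dataclasses import dataclass, field
# A clause is ${var} == "literal"; clauses are joined with &&. A literal may be a ${n}
# placeholder bound to the alarm's n-th parameter AFTER parsing (not by textual
# substitution), so an unusual file name cannot change the shape of the rule.
CLAUSE = re.compile(r'^\$\{(\w+)\}\s*==\s*"([^"]*)"$')
PARAM = re.compile(r'^\$\{(\d+)\}$')

def parse_rule(rule: str) -> list:
    """Split a filtering rule into (variable, literal) pairs; reject malformed text."""
    clauses = []
    for part in rule.split("&&"):
        m = CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"malformed clause: {part.strip()!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses

def bind_params(clauses: list, alarm_params: list) -> list:
    """Coordination-engine step: ${1}, ${2}, ... become the alarm event's parameters."""
    bound = []
    for var, lit in clauses:
        m = PARAM.match(lit)
        if m:
            idx = int(m.group(1)) - 1
            if idx >= len(alarm_params):
                raise ValueError(f"alarm carries no parameter {lit}")
            lit = alarm_params[idx]
        bound.append((var, lit))
    return bound

def matches(clauses: list, event: dict) -> bool:
    """Filtering-rule module: every clause must equal the event field exactly."""
    return all(event.get(var) == lit for var, lit in clauses)

@dataclass
class AgentEngine:
    agent_id: str
    clauses: list                         # bound rule issued by the coordination engine
    response: str = "delete"              # emergency response named in the rule
    issued_at: float = field(default_factory=time.time)
    effective_seconds: float = 3600.0     # effective time T of claim 6 (assumed value)
    receipts: list = field(default_factory=list)

    def on_directory_event(self, event: dict, now=None) -> dict:
        """Steps 6.2-6.5: filter the event, respond (simulated here), build the receipt."""
        now = time.time() if now is None else now
        if now - self.issued_at > self.effective_seconds:
            action = "expired"            # rule no longer in force: report, do not act
        elif matches(self.clauses, event):
            action = self.response        # a real agent would delete or quarantine here
        else:
            action = "none"
        receipt = {"agent": self.agent_id, "file": event.get("file"), "action": action}
        self.receipts.append(receipt)     # receipts are sent back to the coordination engine
        return receipt

RULE_TEMPLATE = '${file} == "${1}" && ${type} == "Virus"'   # constructed: the rule above
WANNACRY_RULE = bind_params(parse_rule(RULE_TEMPLATE), ["word.doc"])  # bound to the alarm
```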
The invention installs an agent engine on each of a plurality of hosts and registers the hosts with the coordination engine; the coordination engine subscribes to alarm information from the APT equipment, formulates the corresponding linkage rules and issues the policies to all the corresponding agent engines. When the APT equipment detects any alarm information subscribed by any coordination engine, an alarm event is triggered; the corresponding coordination engine issues the alarm event to the agent engines according to the linkage rules, the agent engines execute the response policies specified by the linkage rules, and the results are fed back to the coordination engine.
In the invention, the EDR makes up for the isolation of the APT protective equipment at the boundary from the terminals: problems can be found on an endpoint or on the network and then blocked on the network or the endpoint, combining point and surface. The system and method process massive threat information in an integrated manner; a user can customize the response processing logic; labor can be released and optimized through flow configuration; security construction is conducted through continuously evolving early warning, defense, detection and response capabilities; the time and energy spent on security operation and maintenance are reduced; the ever more complex network threat information and event volume of the new situation are met; and the problems of the low integration degree of isolated equipment technology and of novel network security policies are addressed.
The method has the following advantages: through the automatic orchestration of the event response mechanism, the process can be edited and more practical application scenarios beyond automatic repair of Trojan intrusion can be handled; the proxy engine serves as the rule execution unit and can adapt to various self-decided rules, such as script execution, network control and service control; the coordination engine is developed on a response-end (Reactor) thread model and can easily handle service monitoring and management of tens of thousands of devices; the linkage of the EDR monitoring terminal with the APT equipment reduces the false alarm rate of the traditional equipment, the linkage rule locates the compromised host when an attack succeeds, and the compromised host can be emergency-repaired according to the preset emergency processing scheme corresponding to the rule, so the system is repaired at the first moment and larger losses are avoided.
Claims (10)
1. A host computer defect confirming and automatic repairing method, characterized in that the method comprises the following steps:
step 1: installing proxy engines on a plurality of hosts;
step 2: the proxy engine is started and registered with the coordination engine;
step 3: the coordination engine subscribes to alarm information from the APT equipment, formulates a corresponding linkage rule and issues the policy to all proxy engines registered with the current coordination engine;
step 4: the APT equipment detects continuously; when the APT equipment detects any alarm information subscribed by any coordination engine, proceed to the next step, otherwise repeat step 4;
step 5: the APT equipment triggers an alarm event, and the corresponding coordination engine issues the alarm event to the proxy engine according to the linkage rule;
step 6: the proxy engine executes the response policy specified by the linkage rule and feeds the result back to the coordination engine.
2. The method according to claim 1, wherein the method comprises the steps of: the agent engine comprises a file directory monitoring module, a text log acquisition module, a database log acquisition module, a filtering rule module and an emergency response module.
3. The method according to claim 1, wherein the method comprises the steps of: in step 3, issuing the policy to all the agent engines registered in the current coordination engine includes the following steps:
step 3.1: the coordination engine and the proxy engine establish a TCP link;
step 3.2: the coordination engine packages the data into a Json format and encrypts the data;
step 3.3: and transmitting the encrypted data to the proxy engine through a TCP link.
4. The method according to claim 2, wherein the method comprises the following steps: the step 6 comprises the following steps:
step 6.1: the agent engine monitors the directory, collects the text logs and the database logs through the file directory monitoring module, the text log collecting module and the database log collecting module according to the issued linkage rules;
step 6.2: the file directory monitoring module transmits the monitoring information to the filtering rule module;
step 6.3: the filtering rule module matches the information with a preset filtering rule, if the matching is successful, the next step is carried out, otherwise, the step 6.5 is carried out;
step 6.4: triggering an emergency response, and executing a preset response strategy by an emergency response module;
step 6.5: and the emergency response module transmits the execution result back to the coordination engine.
5. The method according to claim 1, wherein the method comprises the steps of: in step 6, the coordination engine notifies the administrator of the execution result.
6. The method according to claim 1, wherein the method comprises the steps of: in step 6, the effective time T for the proxy engine to execute the response policy specified by the linkage rule is preset.
7. The method according to claim 1, wherein the method comprises the steps of: the coordination engine comprises a receiving end, a response end and a plurality of operation ends which are connected in sequence.
8. A host computer failure confirmation and automatic repair system using the host computer failure confirmation and automatic repair method according to any one of claims 1 to 7, characterized in that: the system comprises:
the coordination engine is used for being linked with the APT equipment, acquiring the alarm time issued by the APT equipment and issuing the alarm time to the proxy engine based on a preset response strategy;
and the agent engines are used for receiving the linkage rules issued by the coordination engine, monitoring the host computer based on the rules and feeding back the emergency response result to the coordination engine.
9. The system of claim 8, wherein the system further comprises: the coordination engine includes:
the receiving end is used for receiving IO events and triggering a new communication channel;
the response end is used for responding to a new event on the communication channel newly established by the receiving end and distributing it in the form of an event;
and the operation ends are used for receiving the corresponding events distributed by the response end, reading from the communication channels, completing the event service processing and writing back to the communication channels.
10. The system of claim 9, wherein the system further comprises: the new events include connection setup ready, read ready, write ready.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911319643.1A CN111212035A (en) | 2019-12-19 | 2019-12-19 | Host computer defect confirming and automatic repairing method and system based on same |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111212035A true CN111212035A (en) | 2020-05-29 |
Family
ID=70787077
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200529 |