Host security monitoring platform
Qingteng-ABT is an endpoint security monitoring product jointly launched by Qingteng Cloud Security and ABT. Using original methods such as the characteristic anchor point, the behavior model and the relational model, it monitors hacking behavior across three dimensions (process, host and network), discovers a successful intrusion as soon as it happens and responds, minimizing the loss to the enterprise.
Characteristic anchor point
There are many ways to break into a system, but the common goal is to steal valuable core data assets. To reach those core assets, a hacker must pass through certain paths. By marking these paths with characteristic anchor points and monitoring system backdoors (rootkits, bootkits, etc.), webshells, file integrity (changes to file content or permissions) and changes to system permissions, the product raises an alarm as soon as a hacker touches an anchor point.
Some hacker behaviors are very typical. Drawing on years of professional security experience, Qingteng Cloud Security and ABT have built a model of hacking behavior that covers sub-process creation, reverse shells, abnormal logins, local privilege escalation, shell auditing, reads and writes of sensitive system files and port monitoring, and the product monitors for it continuously by pattern matching.
In a relatively stable service system, the process access relationships between hosts are relatively fixed. As hackers steal data step by step, they often access some hosts in unusual ways. Through machine learning, the product builds a model of the access relationships between different service roles and monitors them continuously; once an abnormal access is found, it raises an alarm.
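A minimal version of the access-relationship baseline described above, written here as an added example rather than Qingteng's own code: the log format, the host roles and every connection record are constructed for illustration.

```python
"""Learn which service-role-to-service-role connections are normal, then alert on any
connection whose (source role, destination role, port) edge was never seen in the baseline."""
from collections import defaultdict

# Constructed sample records, one connection per line:
# "src_host src_role dst_host dst_role dst_port"
BASELINE_LOG = """\
web-01 web app-01 app 8080
web-02 web app-01 app 8080
app-01 app db-01 db 3306
app-01 app cache-01 cache 6379
""".splitlines()

# Constructed monitoring window: one normal connection, then a web host
# reaching the database directly, and an app host reaching the database over SSH.
MONITOR_LOG = """\
web-01 web app-01 app 8080
web-02 web db-01 db 3306
app-01 app db-01 db 22
""".splitlines()


def parse(line):
    """Split one record into (src_host, src_role, dst_host, dst_role, dst_port)."""
    src, src_role, dst, dst_role, port = line.split()
    return src, src_role, dst, dst_role, int(port)


def learn_baseline(lines, min_count=1):
    """Return the set of role-level edges seen at least min_count times.
    Raising min_count drops edges observed only once, so a single stray
    connection during the learning window does not become 'normal'."""
    counts = defaultdict(int)
    for line in lines:
        _, src_role, _, dst_role, port = parse(line)
        counts[(src_role, dst_role, port)] += 1
    return {edge for edge, n in counts.items() if n >= min_count}


def detect(lines, baseline):
    """Flag every connection whose role-level edge is absent from the baseline."""
    alerts = []
    for line in lines:
        src, src_role, dst, dst_role, port = parse(line)
        edge = (src_role, dst_role, port)
        if edge not in baseline:
            alerts.append({"src": src, "dst": dst, "edge": edge, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in detect(MONITOR_LOG, learn_baseline(BASELINE_LOG)):
        print("abnormal access:", alert["line"])
```

Keying the baseline on roles rather than individual hosts is what lets a newly added web host talk to the app tier without an alert, while a web host talking to the database tier is still flagged.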
Machine learning technology based on behavior recognition
The Qingteng intrusion detection system learns behavioral data across multiple dimensions and, after a period of time, establishes a "normal" behavior model. Over time the system keeps learning, automatically assessing and improving the accuracy of the model so that it identifies genuinely abnormal behavior, maximizing automation while achieving the lowest false-positive rate.