About secDetector
Overview
secDetector is an intrusion detection system for operating systems. It provides intrusion detection and response for critical information infrastructure, and it lowers the development cost of third-party security tools while strengthening their detection and response capabilities. Its probes are organized around ATT&CK attack patterns, and it offers a large set of security primitives together with real-time blocking and flexible responses.
secDetector can be used in three modes:
- Enabled by system users to raise alarms for abnormal events and handle them.
- Integrated with security awareness services, which use it to collect system information for analysis of complex security threats (such as APTs) and for real-time blocking of critical events.
- Used as an extensible framework on which security practitioners or security awareness service providers build accurate, efficient, and timely intrusion detection and response capabilities through secondary development.
Software Architecture
```
||==APP===================================================================||
||                                                                        ||
||                      ----------------------------                      ||
||                      |           SDK            |                      ||
||                      ----------------------------                      ||
||                                  /^\                                   ||
||===================================|====================================||
                                     |
                                     |
                                     |
||==OBSERVER=========================|====================================||
||                                   |                                    ||
||                      ----------------------------                      ||
||                      |         service          |                      ||
||                      ----------------------------                      ||
||                                  /^\                                   ||
||===================================|====================================||
                                     |
||==DRIVER================================================================||
||                                                                        ||
||                      ----------------------------                      ||
||                      |     8 types of cases     |                      ||
||                      ----------------------------                      ||
||                                                                        ||
||------------------------------------------------------------------------||
||                                  core                                  ||
|| -------------   ----------------   ----------------   -----------------||
|| | hook unit |   | collect unit |   | analyze unit |   | response unit |||
|| -------------   ----------------   ----------------   -----------------||
||                                                                        ||
||========================================================================||
```
secDetector consists of four parts: SDK, service, cases, and core.
SDK
The SDK is a user-mode dynamic library linked into each security awareness service that uses secDetector. It communicates with the service to perform the related operations (subscription, unsubscription, and message reading). The anomaly information secDetector can deliver is organized into cases, and a security awareness service subscribes to the cases it needs.
service
The service is a user-mode service application. It manages the subscriptions of the security awareness services and tracks the running status of each case. Acting as the single aggregation point, it gathers the information collected by the core and cases and forwards it to the subscribed security awareness services, and it passes the configuration and management requests of those services down to the cases and core. Because several security awareness services may require the same case, the service merges the case sets of all subscribers: each required case is registered once, and its events are delivered to every service that subscribed to it.
Cases
Cases correspond to a series of anomaly detection probes, which come in different forms; for example, each probe that detects kernel anomalies is built as a kernel module (.ko file). A case represents one probe, which usually covers one class of anomalies or anomalous events. For example, the process probes cover creation, exit, and property modification events of all processes, whereas the memory modification probes collect information such as the kernel module list and security switches. A probe may monitor several events, but the monitoring logic for those events is not necessarily deployed in the same execution flow. Workflows are introduced to represent the part of a probe that runs in one execution flow, so a probe contains one or more workflows. For example, the process probe handles creation and property modification in different workflows.
Core
The core is the base framework for case management and provides the common functional units that workflows need. The kernel anomaly detection framework is carried by a kernel module (.ko file) with which a case registers itself and from which it deregisters. The core also exposes interaction APIs for handling external dynamic requests. A workflow consists of four types of functional units: the event generator (hook unit), the information collector (collect unit), the event analyzer (analyze unit), and the response unit, as shown in the architecture diagram above.
Together, the cases and core form the drivers, which provide the bottom-layer, system-level implementation of secDetector's functions.
The drivers are divided into the kerneldriver and the usrdriver. The kerneldriver is deployed in kernel space as a kernel module. The usrdriver is deployed in user space as a module of the service. Logically the usrdriver sits below the service, but to reduce communication overhead it is compiled directly into the service program.
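The subscription merging described under service and the workflow units described under Core, as an added example that is not secDetector's own code: a small user-space C model in which cases register with a core, the service reference-counts subscriptions so that a case needed by several security awareness services is registered only once, and an event is passed through the collect, analyze and response units only while the case has at least one subscriber. Every function and structure name, the event fields, and the detection rule (a shell spawned by an HTTP daemon) are hypothetical and chosen for illustration.

```c
/* Added example, not secDetector's own code: a user-space model of how a case's
 * workflow units and the service's subscription bookkeeping fit together. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

struct event {               /* as handed over by a hook unit (illustrative) */
    const char *comm;        /* process being created */
    const char *parent;      /* its parent; may be unknown at hook time */
};

/* Collect, analyze and response units of one execution flow; the hook unit
 * is modelled by core_dispatch() below. */
struct workflow {
    void (*collect)(struct event *ev);        /* information collector */
    bool (*analyze)(const struct event *ev);  /* event analyzer */
    void (*respond)(const struct event *ev);  /* response unit */
};

struct sec_case {            /* one workflow plus the service's subscriber count */
    const char *name;
    const struct workflow *wf;
    int subscribers;
};

static struct sec_case registry[8];
static int n_cases, alarms_raised;

static struct sec_case *find_case(const char *name)
{
    for (int i = 0; i < n_cases; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* core: a case registers itself once; duplicates are rejected. */
int core_register_case(const char *name, const struct workflow *wf)
{
    if (n_cases >= 8 || find_case(name)) return -1;
    registry[n_cases++] = (struct sec_case){ name, wf, 0 };
    return 0;
}

/* service: several security awareness services may need the same case, so
 * subscriptions are reference-counted rather than registered twice. */
int service_subscribe(const char *case_name)
{
    struct sec_case *c = find_case(case_name);
    return c ? ++c->subscribers : -1;
}

int service_unsubscribe(const char *case_name)
{
    struct sec_case *c = find_case(case_name);
    return (c && c->subscribers > 0) ? --c->subscribers : -1;
}

/* core: run one event through the case's workflow. Returns 1 if an alarm was
 * raised, 0 if benign, -1 if the case is unknown or has no subscriber (a
 * dormant probe does no work at all). */
int core_dispatch(const char *case_name, struct event *ev)
{
    struct sec_case *c = find_case(case_name);
    if (!c || c->subscribers == 0) return -1;
    c->wf->collect(ev);
    if (!c->wf->analyze(ev)) return 0;
    c->wf->respond(ev);
    return 1;
}

int alarms_count(void) { return alarms_raised; }

/* Sample process-creation workflow. Constructed rule (hypothetical): a shell
 * spawned by a network daemon is reported through the response unit. */
static void proc_collect(struct event *ev)
{
    if (!ev->parent) ev->parent = "unknown";   /* metadata the hook lacked */
}

static bool proc_analyze(const struct event *ev)
{
    bool shell = !strcmp(ev->comm, "sh") || !strcmp(ev->comm, "bash");
    bool from_daemon = !strcmp(ev->parent, "httpd") || !strcmp(ev->parent, "nginx");
    return shell && from_daemon;
}

static void alarm_respond(const struct event *ev)
{
    alarms_raised++;
    printf("ALARM: %s spawned by %s\n", ev->comm, ev->parent);
}

const struct workflow proc_create_wf = { proc_collect, proc_analyze, alarm_respond };
```

To drive it, register the case once with core_register_case(), have two services call service_subscribe("process"), and dispatch an event such as { "sh", "httpd" }: the second subscription raises the count to 2 without a second registration, the event raises one alarm, and only after both services have unsubscribed does core_dispatch() return -1 and skip collection and analysis entirely. That dormant path is the point of the service tracking case running status: a probe nobody has subscribed to costs nothing beyond the hook itself.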
Capabilities and Features
Detection Capability
| Feature | Status | Description |
|---|---|---|
| Detection framework | Implemented | Unified, flexible, scalable, and efficient detection framework that supports different types of triggering, collection, analysis, and response units. |
| Process management probes | Implemented | Monitor process events such as creation, exit, and metadata modification. |
| File operation probes | Implemented | Monitor file events such as creation, deletion, read/write, and attribute modification. |
| Program behavior probes (API calls) | Implemented | Monitor critical program behavior such as anonymous pipe creation, command execution, and ptrace system calls. |
| Memory modification probes (critical kernel data) | Implemented | Monitor critical kernel data such as the kernel module list and hardware security function switches. |
Response Capability
| Feature | Status | Description |
|---|---|---|
| Response framework | Implemented | Unified, flexible, and scalable response framework that supports different types of response units. |
| Alarm reporting | Implemented | Response unit that reports anomalies as alarms. |
Service Capability
| Feature | Status | Description |
|---|---|---|
| Communication framework | Implemented | Applications communicate with the service over gRPC. The calls are encapsulated in the SDK's dynamic library. |
| Subscription management | Implemented | An application subscribes once and then keeps receiving information from secDetector. secDetector tracks the subscribed applications and distributes information on the subscribed topics to them. |
| Configuration delivery | Implemented | The service can pass parameters to specific detection and blocking features to implement functions such as filtering and tuning. This interface is not yet open to applications. |
| Instant detection | Implemented | secDetector delivers real-time, accurate, first-hand information as events occur. |