About secDetector

Overview

secDetector is an intrusion detection system designed for OSs. It provides intrusion detection and response for critical information infrastructure and reduces development costs while enhancing detection and response for third-party security tools. Based on ATT&CK attack patterns, secDetector provides real-time blocking and flexible responses in addition to a high volume of security primitives.

secDetector can be used in three modes:

Enabled by system users to generate alarms for and handle abnormal events.
Integrated with security awareness services to collect system information for analysis of complex security threats (such as APTs) and real-time blocking of critical events.
Used to build accurate, efficient, and timely intrusion detection and response capabilities based on the extensible framework under secondary development of security practitioners or security awareness service providers.

Software Architecture

||==APP===================================================================||
||                                                                        ||
||                     ----------------------------                       ||
||                     |           SDK            |                       ||
||                     ----------------------------                       ||
||                                 /^\                                    ||
||==================================|=====================================||
                                    |
                                    |
                                    |
||==OBSERVER========================|=====================================||
||                                  |                                     ||
||                     ----------------------------                       ||
||                     |         service          |                       ||
||                     ----------------------------                       ||
||                                 /^\                                    ||
||==================================|=====================================||
                                    |
||==DRIVER================================================================||
||                                                                        ||
||                     ----------------------------                       ||
||                     |     8 types of cases     |                       ||
||                     ----------------------------                       ||
||                                                                        ||
||------------------------------------------------------------------------||
||                                core                                    ||
||  -------------  ----------------  ----------------  -----------------  ||
||  | hook unit |  | collect unit |  | analyze unit |  | response unit |  ||
||  -------------  ----------------  ----------------  -----------------  ||
||                                                                        ||
||========================================================================||

secDetector consists of four parts: SDK, service, cases, and core.

SDK
The SDK is provided as a user-mode dynamic link library (DLL) deployed in the security awareness services that requires secDetector. The SDK communicates with the service to complete related operations (such as subscription, unsubscription, and message reading). The exception information provided by secDetector is defined as different cases. The security awareness services can subscribe to the cases as required.
service
The service is a user-mode service application. It manages and maintains the subscriptions of security awareness services and maintains the case running statuses. On a unified environment, it gathers and forwards the information collected by the core and cases to different security awareness services, and manages and forwards the configurations and management requirements of the security awareness services on the cases and core. Because multiple security awareness services may require the same case, the service finds and registers the intersection of cases of all security awareness services.
Cases
The cases correspond to a series of exception detection probes, which are in different forms. For example, each probe for detecting kernel exceptions is available in a kernel module (.ko file). A case represents a probe, which usually covers a type of exceptions or exception events. For example, the process probes are for creation, exit, and property modification events of all processes, whereas the memory modification probes collect information such as the kernel module list and security switches. A probe may monitor multiple events, but the monitoring logic may not be deployed in the same execution flow. Workflows are introduced to represent the scope of a probe in the same execution flow, whereby a probe contains one or more workflows. For example, the process probe manages the creation and property modification in different workflows.
Core
The core is the base framework for case management, and provides common functional units required by workflows. The kernel exception detection framework is carried by a kernel module (.ko file), in which a case can register itself with or deregister itself from the core. The core also provides specific interaction APIs to handle external dynamic requests. A workflow consists of four types of functional units: event generator, information collector, event analyzer, and response unit.

The cases and core are combined to be drivers, which provide the bottom-layer system-level implementation of secDetector functions.

The drivers are classified into kerneldriver and usrdriver. The kerneldriver is deployed in the kernel space as a kernel module. The usrdriver is deployed in the user space as a module in the service. Logically, the usrdriver is under the service. However, to reduce the communication cost, the usrdriver is directly integrated into the service program.

Capabilities and Features

Detection Capability

Feature	Status	Description
Detection framework	Implemented	Unified, flexible, scalable, and efficient detection framework that supports different types of triggering, collection, analysis, and response units.
Process management probes	Implemented	Monitor process events such as creation, exit, and metadata modification.
File operation probes	Implemented	Monitor file events such as creation, deletion, read/write, and attribute modification.
Program behavior probes (API calls)	Implemented	Monitor critical program behavior such as anonymous pipe creation, command execution, and ptrace system invoking.
Memory modification probes (on critical kernel data)	Implemented	Monitor critical kernel data such as the kernel module list and hardware security function switches.

Response Capability

Feature	Status	Description
Response framework	Implemented	Unified, flexible, and scalable response framework that supports different types of response units.
Alarm reporting	Implemented	Response unit that reports exceptions.

Service Capability

Feature	Status	Description
Communication framework	Implemented	Applications use gRPC to communicate with the service. The functions are encapsulated in the dynamic library of the SDK.
Subscription management	Implemented	Applications can subscribe once and use secDetector for a long time to obtain information. secDetector manages the applications and distributes information about subscribed topics.
Configuration delivery	Implemented	The service can configure specific detection and blocking features in parameters to implement functions such as filtering and adjustment. Currently, it is not open to applications.
Instant detection	Implemented	secDetector provides real-time, accurate, and first-hand information.

Bug Catching

Buggy Content

Bug Description

Submit As Issue

It's a little complicated....

I'd like to ask someone.

Just a small problem.

I can fix it online!

Bug Type

Specifications and Common Mistakes

● Misspellings or punctuation mistakes;

● Incorrect links, empty cells, or wrong formats;

● Chinese characters in English context;

● Minor inconsistencies between the UI and descriptions;

● Low writing fluency that does not affect understanding;

● Incorrect version numbers, including software package names and version numbers on the UI.

Usability

● Incorrect or missing key steps;

● Missing prerequisites or precautions;

● Ambiguous figures, tables, or texts;

● Unclear logic, such as missing classifications, items, and steps.

Correctness

● Technical principles, function descriptions, or specifications inconsistent with those of the software;

● Incorrect schematic or architecture diagrams;

● Incorrect commands or command parameters;

● Incorrect code;

● Commands inconsistent with the functions;

● Wrong screenshots.

Risk Warnings

● Lack of risk warnings for operations that may damage the system or important data.

Content Compliance

● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

● Copyright infringement.

We may contact you through email in regard to the bug fixing solution. You will also be notified through email if you win any prize during the activity.

How satisfied are you with this document

Not satisfied at all

Very satisfied

By submitting the contents, you fully understand and agree to the terms of the openEuler Privacy Statement.

Submit

Click to create an issue. An issue template will be automatically generated based on your feedback.