      About secDetector

      Overview

      secDetector is an intrusion detection system designed for operating systems. It provides intrusion detection and response for critical information infrastructure, and it reduces the development cost of third-party security tools while enhancing their detection and response capabilities. Based on ATT&CK attack patterns, secDetector provides a large set of security primitives in addition to real-time blocking and flexible responses.

      secDetector can be used in three modes:

      1. Enabled by system users to generate alarms for, and handle, abnormal events.
      2. Integrated with security awareness services to collect system information for the analysis of complex security threats (such as APTs) and for the real-time blocking of critical events.
      3. Extended by security practitioners or security awareness service providers, who build accurate, efficient, and timely intrusion detection and response capabilities on its extensible framework through secondary development.

      Software Architecture

      ||==APP===================================================================||
      ||                                                                        ||
      ||                     ----------------------------                       ||
      ||                     |           SDK            |                       ||
      ||                     ----------------------------                       ||
      ||                                 /^\                                    ||
      ||==================================|=====================================||
                                          |
                                          |
                                          |
      ||==OBSERVER========================|=====================================||
      ||                                  |                                     ||
      ||                     ----------------------------                       ||
      ||                     |         service          |                       ||
      ||                     ----------------------------                       ||
      ||                                 /^\                                    ||
      ||==================================|=====================================||
                                          |
      ||==DRIVER================================================================||
      ||                                                                        ||
      ||                     ----------------------------                       ||
      ||                     |     8 types of cases     |                       ||
      ||                     ----------------------------                       ||
      ||                                                                        ||
      ||------------------------------------------------------------------------||
      ||                                core                                    ||
      ||  -------------  ----------------  ----------------  -----------------  ||
      ||  | hook unit |  | collect unit |  | analyze unit |  | response unit |  ||
      ||  -------------  ----------------  ----------------  -----------------  ||
      ||                                                                        ||
      ||========================================================================||
      

      secDetector consists of four parts: SDK, service, cases, and core.

      • SDK

        The SDK is provided as a user-mode dynamic link library deployed in the security awareness services that require secDetector. The SDK communicates with the service to complete related operations (such as subscription, unsubscription, and message reading). The exception information provided by secDetector is organized into different cases, and a security awareness service subscribes to the cases it requires.

      • service

        The service is a user-mode service application. It manages and maintains the subscriptions of the security awareness services and maintains the running status of each case. In a unified way, it gathers the information collected by the core and cases and forwards it to the different security awareness services, and it forwards the configuration and management requests of the security awareness services to the cases and core. Because multiple security awareness services may require the same case, the service finds and registers the intersection of the cases required by all security awareness services.
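        The following is an added example, not secDetector's own code, that models the subscription bookkeeping just described: several security awareness services (apps) subscribe to cases, the service enables a case in the driver only when its first subscriber arrives and disables it only when its last subscriber leaves, and each message is fanned out to exactly the apps subscribed to its case. The Driver stub, the case names and the sample messages are assumptions.

```python
# Toy model of the service's subscription management. Added example, not
# project code; Driver is a stand-in for the kernel/user driver, and the
# app ids, case names and messages are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Driver:
    """Stand-in for the driver layer: records which cases are currently enabled."""

    def __init__(self) -> None:
        self.enabled: Set[str] = set()
        self.log: List[Tuple[str, str]] = []   # (action, case) history, for inspection

    def register_case(self, case: str) -> None:
        self.enabled.add(case)
        self.log.append(("register", case))

    def deregister_case(self, case: str) -> None:
        self.enabled.discard(case)
        self.log.append(("deregister", case))


class Service:
    """Tracks which apps need which cases; registers each needed case in the driver once."""

    def __init__(self, driver: Driver) -> None:
        self.driver = driver
        self.subs: Dict[str, Set[str]] = {}                    # case -> subscribed app ids
        self.inbox: Dict[str, List[str]] = defaultdict(list)   # app id -> undelivered messages

    def subscribe(self, app: str, cases: Iterable[str]) -> None:
        for case in cases:
            if case not in self.subs:           # first subscriber: enable the case in the driver
                self.subs[case] = set()
                self.driver.register_case(case)
            self.subs[case].add(app)

    def unsubscribe(self, app: str, cases: Optional[Iterable[str]] = None) -> None:
        """Drop an app from the given cases (default: all of its cases); disable cases nobody needs."""
        targets = list(cases) if cases is not None else [c for c, a in self.subs.items() if app in a]
        for case in targets:
            if case not in self.subs:
                continue
            self.subs[case].discard(app)
            if not self.subs[case]:             # last subscriber gone: disable the case
                del self.subs[case]
                self.driver.deregister_case(case)

    def required_cases(self) -> Set[str]:
        """The set of cases at least one app still needs (what the driver must keep running)."""
        return set(self.subs)

    def deliver(self, case: str, message: str) -> int:
        """Forward one message from the driver to every app subscribed to its case; return fan-out count."""
        apps = self.subs.get(case, set())
        for app in sorted(apps):
            self.inbox[app].append(f"{case}: {message}")
        return len(apps)

    def read(self, app: str) -> List[str]:
        """What the SDK's message-reading call would return: drain the app's queue."""
        msgs, self.inbox[app] = self.inbox[app], []
        return msgs


def run_demo() -> Tuple[Driver, Service, int]:
    driver = Driver()
    svc = Service(driver)
    svc.subscribe("hids", ["process", "file"])
    svc.subscribe("apt-analyzer", ["process", "memory_modification"])
    # "process" is needed by both apps but is registered with the driver only once
    fanout = svc.deliver("process", "pid=4242 comm=sshd created")      # constructed message
    svc.deliver("memory_modification", "kernel module list changed")  # constructed message
    svc.unsubscribe("hids")   # "file" becomes unneeded; "process" stays because apt-analyzer needs it
    return driver, svc, fanout
```

Running run_demo() shows the two properties a practitioner cares about here: the driver's log contains a single ("register", "process") entry even though two apps asked for it, and after hids unsubscribes the driver still has "process" and "memory_modification" enabled but not "file".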

      • Cases

        The cases correspond to a series of exception detection probes, which take different forms. For example, each probe for detecting kernel exceptions is provided as a kernel module (.ko file). A case represents a probe, which usually covers one type of exception or exception event. For example, the process probes handle the creation, exit, and property modification events of all processes, whereas the memory modification probes collect information such as the kernel module list and security switches. A probe may monitor multiple events, but the monitoring logic for them is not necessarily deployed in the same execution flow. A workflow represents the part of a probe that runs in one execution flow, so a probe contains one or more workflows. For example, the process probe handles process creation and property modification in different workflows.

      • Core

        The core is the base framework for case management, and it provides the common functional units required by workflows. The kernel exception detection framework is implemented as a kernel module (.ko file), with which a case can register itself or from which it can deregister itself. The core also provides specific interaction APIs to handle external dynamic requests. A workflow consists of four types of functional units: event generator, information collector, event analyzer, and response unit.
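        The following is an added example, not secDetector's own code, that models the core and workflow structure described above (and the two-workflow process probe from the Cases section): cases register with and deregister from a Core, and each workflow is assembled from the four unit types, with the hook deciding whether an event triggers the flow, the collector gathering the data, the analyzer deciding whether there is anything to report, and the response unit reporting an alarm. All class and function names, event topics, and the sample events are assumptions.

```python
# Toy model of the core/workflow structure: cases register with a Core, and
# each workflow is built from the four unit types (event generator/hook,
# information collector, event analyzer, response unit). Added example, not
# secDetector's own code; all names, topics and sample events are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    topic: str   # constructed topic names such as "process.create"
    data: dict

@dataclass
class Alarm:
    case: str
    workflow: str
    detail: str

@dataclass
class Workflow:
    """One execution flow of a probe, composed of the four unit types."""
    name: str
    hook: Callable[[Event], bool]              # event generator: does this event trigger the flow?
    collect: Callable[[Event], dict]           # information collector
    analyze: Callable[[dict], Optional[str]]   # event analyzer: finding text, or None
    respond: Callable[[str, str, str], Alarm]  # response unit

@dataclass
class Case:
    """A probe: one or more workflows, registered with the core as a unit."""
    name: str
    workflows: List[Workflow] = field(default_factory=list)

class Core:
    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}
        self.alarms: List[Alarm] = []

    def register_case(self, case: Case) -> None:
        self.cases[case.name] = case

    def deregister_case(self, name: str) -> None:
        self.cases.pop(name, None)

    def dispatch(self, event: Event) -> List[Alarm]:
        # Run every workflow whose hook matches the event; return the alarms raised for it.
        raised: List[Alarm] = []
        for case in self.cases.values():
            for wf in case.workflows:
                if not wf.hook(event):
                    continue
                finding = wf.analyze(wf.collect(event))
                if finding is not None:
                    raised.append(wf.respond(case.name, wf.name, finding))
        self.alarms.extend(raised)
        return raised

def report_alarm(case: str, workflow: str, detail: str) -> Alarm:
    """Alarm-reporting response unit: the one response type the page lists."""
    return Alarm(case, workflow, detail)

def build_process_case() -> Case:
    """Process probe: creation and metadata modification as two separate workflows."""
    create = Workflow("create", lambda e: e.topic == "process.create",
                      lambda e: {"pid": e.data["pid"], "comm": e.data["comm"], "ppid": e.data["ppid"]},
                      lambda i: f"process created: pid={i['pid']} comm={i['comm']} ppid={i['ppid']}",
                      report_alarm)
    modify = Workflow("modify", lambda e: e.topic == "process.modify",
                      lambda e: {"pid": e.data["pid"], "field": e.data["field"]},
                      lambda i: f"process metadata changed: pid={i['pid']} field={i['field']}",
                      report_alarm)
    return Case("process", [create, modify])

def build_module_list_case(baseline: List[str]) -> Case:
    """Memory-modification probe: alarm when the kernel module list departs from a baseline."""
    expected = set(baseline)
    def analyze(info: dict) -> Optional[str]:
        current = set(info["modules"])
        added, removed = sorted(current - expected), sorted(expected - current)
        if not added and not removed:
            return None
        return f"kernel module list changed: added={added} removed={removed}"
    wf = Workflow("module_list", lambda e: e.topic == "kernel.module_list",
                  lambda e: {"modules": list(e.data["modules"])}, analyze, report_alarm)
    return Case("memory_modification", [wf])

def run_demo() -> List[Alarm]:
    """Dispatch constructed events through a core with both cases registered."""
    core = Core()
    core.register_case(build_process_case())
    core.register_case(build_module_list_case(["ext4", "xfs"]))
    for ev in [Event("process.create", {"pid": 4242, "comm": "sshd", "ppid": 1}),
               Event("kernel.module_list", {"modules": ["ext4", "xfs"]}),              # baseline: no alarm
               Event("kernel.module_list", {"modules": ["ext4", "xfs", "extra_mod"]}),  # constructed deviation
               Event("process.exit", {"pid": 4242})]:                                  # no hook for this topic
        core.dispatch(ev)
    return core.alarms
```

run_demo() yields two alarms: one from the process probe's create workflow and one from the memory-modification probe when the module list no longer matches its baseline; the exit event produces nothing because no registered workflow hooks that topic, and deregistering a case silences its workflows without touching the rest of the core.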

      Together, the cases and core form the drivers, which provide the bottom-layer, system-level implementation of secDetector functions.

      The drivers are classified into kerneldriver and usrdriver. The kerneldriver is deployed in the kernel space as a kernel module. The usrdriver is deployed in the user space as a module within the service. Logically, the usrdriver sits below the service; however, to reduce communication cost, it is integrated directly into the service program.

      Capabilities and Features

      Detection Capability

      | Feature | Status | Description |
      |---|---|---|
      | Detection framework | Implemented | Unified, flexible, scalable, and efficient detection framework that supports different types of triggering, collection, analysis, and response units. |
      | Process management probes | Implemented | Monitor process events such as creation, exit, and metadata modification. |
      | File operation probes | Implemented | Monitor file events such as creation, deletion, read/write, and attribute modification. |
      | Program behavior probes (API calls) | Implemented | Monitor critical program behavior such as anonymous pipe creation, command execution, and ptrace system call invocation. |
      | Memory modification probes (on critical kernel data) | Implemented | Monitor critical kernel data such as the kernel module list and hardware security function switches. |

      Response Capability

      | Feature | Status | Description |
      |---|---|---|
      | Response framework | Implemented | Unified, flexible, and scalable response framework that supports different types of response units. |
      | Alarm reporting | Implemented | Response unit that reports exceptions. |

      Service Capability

      | Feature | Status | Description |
      |---|---|---|
      | Communication framework | Implemented | Applications use gRPC to communicate with the service. The functions are encapsulated in the dynamic library of the SDK. |
      | Subscription management | Implemented | Applications subscribe once and then use secDetector over the long term to obtain information. secDetector manages the applications and distributes information about the subscribed topics. |
      | Configuration delivery | Implemented | The service can configure specific detection and blocking features through parameters to implement functions such as filtering and adjustment. Currently, this is not open to applications. |
      | Instant detection | Implemented | secDetector provides real-time, accurate, and first-hand information. |
