CN109785537A - Security protection method and device for an ATM - Google Patents

Publication number
CN109785537A
Authority
CN
China
Prior art keywords
call stack
operation behavior
atm machine
behavior
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811645526.XA
Other languages
Chinese (zh)
Other versions
CN109785537B (en)
Inventor
陈俊儒
刘明
杨小波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Original Assignee
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd, Beijing Qianxin Technology Co Ltd
Priority to CN201811645526.XA
Publication of CN109785537A
Application granted
Publication of CN109785537B
Legal status: Active

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses a security protection method and device for an ATM. It relates to the field of information security technology and is intended to solve the problem that the prior art cannot protect an ATM comprehensively. The method mainly comprises: monitoring whether the ATM generates an operation behavior; looking up the current call stack of the operation behavior; judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and, if the judgment result is no, intercepting the operation behavior. It is mainly used for the security protection of ATMs.

Description

A security protection method and device for an ATM
Technical field
The present invention relates to the field of information security technology, and in particular to a security protection method and device for an ATM.
Background
With the rapid development of the financial industry, the ATM has become an important channel through which people manage cash day to day, and as a consequence more and more hackers have begun to target ATM terminals. An ATM itself also runs an operating system; the operation interface shown to the user is in fact a software program running on that operating system. Because most ATM terminals are on local area networks, traditional intrusion methods such as spam and websites carrying trojans cannot reach them. At present, most malicious attacks on ATM terminals implant malicious code into the ATM via USB in order to defraud the terminal's users, or spread a virus through the ATM into the bank's intranet to steal user information.
In the prior art, to protect an ATM, when a program update operation occurs on the ATM, the original program and information are encrypted and backed up, a bait file is created, the update program is then run, and whether the update program is malicious is judged from the result of running it. This approach can protect the ATM, but viruses that bypass this protection strategy still exist, so it cannot protect the ATM comprehensively.
Summary of the invention
In view of this, the present invention provides a security protection method and device for an ATM, whose main purpose is to solve the problem that the prior art cannot protect an ATM comprehensively.
According to one aspect of the present invention, a security protection method for an ATM is provided, comprising:
monitoring whether the ATM generates an operation behavior;
looking up the current call stack of the operation behavior;
judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack;
if the judgment result is no, intercepting the operation behavior.
Further, monitoring whether the ATM generates an operation behavior comprises:
if an external interface of the ATM transmits operation data, obtaining the operation data, the external interface including a card recognition interface, a key input interface, a USB interface and a network interface;
creating a pending process according to the operation data;
judging whether the pending process is the operation behavior, the operation behavior including transfer, inquiry, withdrawal, password change and payment;
if the judgment result is yes, determining that the ATM generates the operation behavior;
if the judgment result is no, determining that the ATM does not generate the operation behavior.
Further, after determining that the ATM generates the operation behavior, the method further comprises:
invoking the current call stack of the operation behavior according to the pending process.
Further, before judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack, the method further comprises:
establishing a behavior/call-stack lookup table, which stores the correspondence between all operation behaviors of the ATM and their pre-stored call stacks;
looking up, in the behavior/call-stack lookup table, the pre-stored call stack corresponding to the operation behavior.
Further, judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack comprises:
parsing the data structures of the pre-stored call stack and the current call stack;
according to the data structures, comparing the pre-stored call stack and the current call stack one data position at a time to see whether they are identical;
if the comparison result for at least one data position is not identical, determining that the pre-stored call stack and the current call stack are not identical.
Further, intercepting the operation behavior if the judgment result is no comprises:
stopping execution of the pending process.
Further, after intercepting the operation behavior when the judgment result is no, the method further comprises:
obtaining security risk data, the security risk data including the operation behavior, the pending process and the transmitted data;
deleting the security risk data.
According to another aspect of the present invention, a security protection device for an ATM is provided, comprising:
a monitoring module, for monitoring whether the ATM generates an operation behavior;
a searching module, for looking up the current call stack of the operation behavior;
a judgment module, for judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack;
a blocking module, for intercepting the operation behavior if the judgment result is no.
According to another aspect of the present invention, a storage medium is provided, in which at least one executable instruction is stored; the executable instruction causes a processor to perform the operations corresponding to the ATM security protection method described above.
According to a further aspect of the present invention, a computer device is provided, comprising a processor, a memory, a communication interface and a communication bus, the processor, the memory and the communication interface communicating with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the ATM security protection method described above.
Through the above technical solutions, the technical solutions provided by the embodiments of the present invention have at least the following advantages:
The present invention provides a security protection method and device for an ATM: first, whether the ATM generates an operation behavior is monitored; then the current call stack of the operation behavior is looked up; then it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and finally, if they are not identical, the operation behavior is intercepted. Compared with the prior art, the embodiments of the present invention can decide whether to intercept an operation behavior according to its current call stack, making the judgment before the operation behavior is executed, so as to protect the ATM comprehensively. If the current call stack is abnormal, a memory overflow can result, and an attacker can use the memory overflow to attack the ATM and crash its program; by monitoring call stack information, the operation behaviors that would crash the ATM are identified, so that the ATM is effectively protected.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the present invention are more readily apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a security protection method for an ATM provided by an embodiment of the present invention;
Fig. 2 shows a flow chart of another security protection method for an ATM provided by an embodiment of the present invention;
Fig. 3 shows a block diagram of a security protection device for an ATM provided by an embodiment of the present invention;
Fig. 4 shows a block diagram of another security protection device for an ATM provided by an embodiment of the present invention;
Fig. 5 shows a schematic structural diagram of a computer device provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be conveyed fully to those skilled in the art.
An embodiment of the present invention provides a security protection method for an ATM. As shown in Fig. 1, the method comprises:
101. Monitor whether the ATM generates an operation behavior.
An operation behavior is an operation that a user of the ATM enters through the hardware input interfaces of the operation interface, or an operation by which ATM maintenance personnel control the ATM through the USB interface or network interface. Whenever the ATM generates an operation behavior there is a risk that the ATM is being attacked, so it is necessary to monitor whether the ATM generates operation behaviors. During monitoring, an interface status flag can be set on each interface through which operation behaviors are entered: when an operation behavior is generated the flag changes, and when a change in the flag is detected it can be determined that the ATM has generated an operation behavior. An information feedback mechanism can also be used during monitoring: when a monitored interface transmits data, it feeds back interface change information, which is used to monitor whether the ATM generates an operation behavior.
102. Look up the current call stack of the operation behavior.
While an operation behavior executes, both its data and its instructions have to be fetched from memory, and this information is kept in the corresponding call stack. Looking up the current call stack of the operation behavior means determining which information in memory the operation behavior actually needs to obtain during execution. This step is performed before the operation behavior is executed; only by judging whether the operation behavior is risky before executing it can comprehensive protection of the ATM be achieved. If the judgment were made while the operation behavior was executing, the operation behavior might already have begun attacking the ATM, causing harm to the ATM and even to the banking system.
103. Judge whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack.
The pre-stored call stack is the position in the memory sequence that the operation behavior should call. The correspondence between an operation behavior and its pre-stored call stack changes only after system debugging is carried out on the ATM; it is set in the interface program running on the ATM and does not change with the number of operations or the operating environment. If the current call stack of an operation behavior differs from the pre-stored call stack, the operation behavior is abnormal.
104. If the judgment result is no, intercept the operation behavior.
Under normal processing, after the ATM receives an operation behavior it responds accordingly, that is, it executes the operation behavior. When the pre-stored call stack corresponding to the operation behavior differs from the current call stack, the operation behavior is intercepted to keep the ATM from being attacked through a memory overflow. Intercepting the operation behavior means suspending its execution. After execution is suspended, the situation can be sent to the ATM's monitoring end as an alarm, the ATM's response to all operation behaviors can be stopped, or an abnormal-operation notice can be shown on the ATM's interface, to warn the monitoring end or the user that using the ATM may be risky.
If the judgment result is yes, the operation behavior is executed. If the pre-stored call stack of the operation behavior is identical to the current call stack, the operation behavior is less likely to pose a threat to the ATM and can be executed.
It should be noted that the device corresponding to steps 101 to 104 of this embodiment can be embedded in an existing ATM to provide its security protection.
The present invention provides a security protection method for an ATM: first, whether the ATM generates an operation behavior is monitored; then the current call stack of the operation behavior is looked up; then it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and finally, if they are not identical, the operation behavior is intercepted. Compared with the prior art, the embodiments of the present invention can decide whether to intercept an operation behavior according to its current call stack, making the judgment before the operation behavior is executed, so as to protect the ATM comprehensively. If the current call stack is abnormal, a memory overflow can result, and an attacker can use the memory overflow to attack the ATM and crash its program; by monitoring call stack information, the operation behaviors that would crash the ATM are identified, so that the ATM is effectively protected.
An embodiment of the present invention provides another security protection method for an ATM. As shown in Fig. 2, the method comprises:
201. Monitor whether the ATM generates an operation behavior.
An operation behavior is the ATM's response to data transmitted through an interface by a user or an equipment debugger, so as to operate on the ATM or on the card inserted into it. Monitoring whether an operation behavior is generated specifically comprises: if an external interface of the ATM transmits operation data, obtaining the operation data, the external interfaces including the card recognition interface, key input interface, USB interface and network interface; creating a pending process according to the transmitted data; judging whether the pending process is an operation behavior, operation behaviors including transfer, inquiry, withdrawal, password change and payment; if the judgment result is yes, determining that the ATM generates an operation behavior; if the judgment result is no, determining that the ATM does not generate an operation behavior.
An external interface is an interaction channel that connects the ATM with a user or equipment debugger for data exchange; the external interfaces include the card recognition interface, key input interface, USB interface and network interface. A monitoring mechanism or a timed polling mechanism is set on the external interfaces to judge whether an external interface of the ATM is transmitting operation data. If operation data is being transmitted, it is obtained. Operation data is data to which the ATM can respond by carrying out some operation behavior. A pending process is created according to the operation data, and it is then judged whether the pending process is an operation behavior. The ATM can respond to many processes, but not every process is an operation behavior; the synchronization of data in the ATM with the financial monitoring network is one example. The current call stack of the operation behavior is invoked according to the pending process. Only a process involves calls into the memory sequence, so after the pending process has been generated, the current call stack of the operation behavior is invoked in preparation for the subsequent protection of the ATM.
202. Invoke the current call stack of the operation behavior according to the pending process.
203. Look up the current call stack of the operation behavior.
The current call stack is the set of storage locations in the memory sequence that executing the operation behavior actually needs to use. Some ATM viruses disguise themselves as benign operation behaviors while actually making calls in the memory sequence that do not correspond to the operation behavior. It should be emphasized that the operation behavior is not executed in this step.
204. Establish the behavior/call-stack lookup table.
The behavior/call-stack lookup table stores the correspondence between all operation behaviors of the ATM and their pre-stored call stacks. When the ATM is started, each operation behavior is configured with its corresponding pre-stored call stack; operation behaviors and pre-stored call stacks correspond one to one. Because an ATM is generally in service 24 hours a day, it keeps using the same lookup table unless it encounters an abnormal situation such as a fault, a power failure or an illegal intrusion. Starting the ATM includes both restarting it and starting it directly. The lookup table can be regarded as an environment variable of the operating system, changing as the operating system's environment configuration changes. The embodiments of the present invention place no limit on how or where the lookup table is stored; it can be at any location in the local system.
205. Look up, in the behavior/call-stack lookup table, the pre-stored call stack corresponding to the operation behavior.
The lookup can use any code that uniquely identifies the operation behavior. Any suitable fast lookup method can be used in this step.
206. Judge whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack.
To ensure the accuracy of the judgment, the following approach can be used: parse the data structures of the pre-stored call stack and the current call stack; according to the data structures, compare the pre-stored call stack and the current call stack one data position at a time to see whether they are identical; if the comparison result for at least one data position is not identical, determine that the pre-stored call stack and the current call stack are not identical.
The data structure includes the variable types, storage mode, push and pop rules and so on of the pre-stored call stack and the current call stack; the storage modes are static storage and dynamic storage. Each data position of the pre-stored call stack is compared with the corresponding data position of the current call stack. For the dynamic storage mode, the comparison follows the correspondence of the actual data content, not the correspondence of storage locations. If any comparison result differs, it is determined that the pre-stored call stack and the current call stack are not identical. To ensure the reliability of the judgment, a re-judgment mechanism can be run after this step completes, at the same time as the next step.
207. If the judgment result is no, intercept the operation behavior.
Intercepting the operation behavior means suspending its execution. To further ensure the safety of the ATM, the pending process corresponding to the operation behavior can be stopped outright, and all pending processes related to an operation behavior whose judgment result is no can be stopped, to reduce gaps in the ATM's protection.
208. Obtain security risk data.
Security risk data is all data in the operation behavior that may pose a security risk to the ATM, including the operation behavior, the pending process and the transmitted data. It can be obtained layer by layer from the bottom layer to the top layer, starting from the judgment result, or layer by layer from the top layer to the bottom layer, starting from the point where the ATM generated the operation behavior. The traversal method or fast traversal method used during acquisition is not limited in the embodiments of the present invention.
209. Delete the security risk data.
The security risk data is deleted directly to eliminate the security risk to the ATM. To prevent the security risk data from affecting the ATM, measures such as isolated storage, a repeated search or reinstalling the system can also be used, further improving the ATM's security protection capability.
The security protection of the ATM ensures that the interests of both the user and the bank are not infringed, so this step can be given the highest priority; that is, as soon as its start condition is met, this step is started directly.
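Steps 204 to 209 can be illustrated with a short sketch. This is an added example, not code from the patent: the operation codes, module and function names, the `Frame` and `PendingProcess` types and the fail-closed handling of unknown operations are all assumptions, and each stack position is compared on its content (module and function) rather than its runtime address, as one reading of the dynamic-storage note in step 206.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple


class Frame(NamedTuple):
    module: str    # image that owns this stack position
    symbol: str    # resolved function name
    address: int   # runtime location; differs between boots, so never compared


FrameKey = Tuple[str, str]  # (module, symbol): the content of one stack position

# Step 204: behavior/call-stack lookup table built at start-up (constructed data).
BEHAVIOR_CALL_STACKS: Dict[str, Tuple[FrameKey, ...]] = {
    "query": (("atmapp", "dispatch"), ("txn", "query_balance"),
              ("hostlink", "send_request")),
    "withdraw": (("atmapp", "dispatch"), ("txn", "withdraw"),
                 ("dispenser", "dispense_cash")),
}


@dataclass
class PendingProcess:
    pid: int
    operation: str            # code that uniquely identifies the operation behavior
    call_stack: List[Frame]   # current call stack, captured before execution
    transmitted_data: bytes
    state: str = "pending"


@dataclass
class Verdict:
    allowed: bool
    reason: str
    mismatch_index: Optional[int] = None


def compare_call_stacks(prestored, current) -> Verdict:
    """Step 206: compare position by position; a single difference is enough."""
    for i, (expected, frame) in enumerate(zip(prestored, current)):
        actual = (frame.module, frame.symbol)
        if actual != expected:
            return Verdict(False, f"position {i}: expected {expected}, got {actual}", i)
    if len(prestored) != len(current):
        # zip() stops at the shorter stack, so missing or extra frames end up here.
        return Verdict(False, "stack depth differs", min(len(prestored), len(current)))
    return Verdict(True, "identical")


def guard(proc: PendingProcess, quarantine: list,
          table: Dict[str, Tuple[FrameKey, ...]] = BEHAVIOR_CALL_STACKS) -> Verdict:
    """Steps 205 to 209 for one pending process; the operation itself never runs here."""
    prestored = table.get(proc.operation)               # step 205: table lookup
    if prestored is None:
        # Assumption of this example: an operation with no table entry is blocked.
        verdict = Verdict(False, "no pre-stored call stack")
    else:
        verdict = compare_call_stacks(prestored, proc.call_stack)
    if verdict.allowed:
        proc.state = "running"
        return verdict
    proc.state = "stopped"                              # step 207: stop the process
    quarantine.append({                                 # step 208: collect risk data
        "operation": proc.operation, "pid": proc.pid,
        "data": proc.transmitted_data, "reason": verdict.reason,
    })
    proc.transmitted_data = b""                         # step 209: delete the live copy
    return verdict


def sample_processes():
    """Constructed input: a genuine withdrawal and a 'query' that reaches the dispenser."""
    legit = PendingProcess(101, "withdraw", [
        Frame("atmapp", "dispatch", 0x7FF610001200),
        Frame("txn", "withdraw", 0x7FF6200034A0),
        Frame("dispenser", "dispense_cash", 0x7FF630000F10),
    ], b"amount=200")
    disguised = PendingProcess(102, "query", [
        Frame("atmapp", "dispatch", 0x7FF610001200),
        Frame("txn", "query_balance", 0x7FF620002B00),
        Frame("dispenser", "dispense_cash", 0x7FF630000F10),
    ], b"op=query")
    return legit, disguised


if __name__ == "__main__":
    held = []
    for p in sample_processes():
        print(p.pid, p.operation, guard(p, held))
    print("quarantined:", held)
```

The quarantine list stands in for the isolated storage mentioned under step 209; an implementation that follows the direct-deletion path would skip the append and only clear the data.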
The present invention provides a security protection method for an ATM: first, whether the ATM generates an operation behavior is monitored; then the current call stack of the operation behavior is looked up; then it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and finally, if they are not identical, the operation behavior is intercepted. Compared with the prior art, the embodiments of the present invention can decide whether to intercept an operation behavior according to its current call stack, making the judgment before the operation behavior is executed, so as to protect the ATM comprehensively. If the current call stack is abnormal, a memory overflow can result, and an attacker can use the memory overflow to attack the ATM and crash its program; by monitoring call stack information, the operation behaviors that would crash the ATM are identified, so that the ATM is effectively protected.
Further, as an implementation of the method shown in Fig. 1, an embodiment of the present invention provides a security protection device for an ATM. As shown in Fig. 3, the device comprises:
a monitoring module 31, for monitoring whether the ATM generates an operation behavior;
a searching module 32, for looking up the current call stack of the operation behavior;
a judgment module 33, for judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack;
a blocking module 34, for intercepting the operation behavior if the judgment result is no.
The present invention provides a security protection device for an ATM: first, whether the ATM generates an operation behavior is monitored; then the current call stack of the operation behavior is looked up; then it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and finally, if they are not identical, the operation behavior is intercepted. Compared with the prior art, the embodiments of the present invention can decide whether to intercept an operation behavior according to its current call stack, making the judgment before the operation behavior is executed, so as to protect the ATM comprehensively. If the current call stack is abnormal, a memory overflow can result, and an attacker can use the memory overflow to attack the ATM and crash its program; by monitoring call stack information, the operation behaviors that would crash the ATM are identified, so that the ATM is effectively protected.
Further, as an implementation of the method shown in Fig. 2, an embodiment of the present invention provides another security protection device for an ATM. As shown in Fig. 4, the device comprises:
a monitoring module 41, for monitoring whether the ATM generates an operation behavior;
a searching module 42, for looking up the current call stack of the operation behavior;
a judgment module 43, for judging whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack;
a blocking module 44, for intercepting the operation behavior if the judgment result is no.
Further, the monitoring module 41 comprises:
an acquiring unit 411, for obtaining the operation data if an external interface of the ATM transmits operation data, the external interface including a card recognition interface, a key input interface, a USB interface and a network interface;
a creating unit 412, for creating a pending process according to the operation data;
a judging unit 413, for judging whether the pending process is the operation behavior, the operation behavior including transfer, inquiry, withdrawal, password change and payment;
a determination unit 414, for determining that the ATM generates the operation behavior if the judgment result is yes;
the determination unit 414 is also used for determining that the ATM does not generate the operation behavior if the judgment result is no.
Further, the device further comprises:
a calling module 45, for invoking the current call stack of the operation behavior according to the pending process after it is determined that the ATM generates the operation behavior.
Further, the device further comprises:
an establishing module 46, for establishing the behavior/call-stack lookup table before it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack, the behavior/call-stack lookup table storing the correspondence between all operation behaviors of the ATM and their pre-stored call stacks;
a searching module 47, for looking up, in the behavior/call-stack lookup table, the pre-stored call stack corresponding to the operation behavior.
Further, the judgment module 43 comprises:
a resolution unit 431, for parsing the data structures of the pre-stored call stack and the current call stack;
a comparing unit 432, for comparing, according to the data structures, the pre-stored call stack and the current call stack one data position at a time to see whether they are identical;
a determination unit 433, for determining that the pre-stored call stack and the current call stack are not identical if the comparison result for at least one data position is not identical.
Further, the blocking module 44 is used for:
stopping execution of the pending process.
Further, the device further comprises:
an obtaining module 48, for obtaining security risk data after the operation behavior is intercepted when the judgment result is no, the security risk data including the operation behavior, the pending process and the transmitted data;
a removing module 49, for deleting the security risk data.
The present invention provides a security protection device for an ATM: first, whether the ATM generates an operation behavior is monitored; then the current call stack of the operation behavior is looked up; then it is judged whether the pre-stored call stack corresponding to the operation behavior is identical to the current call stack; and finally, if they are not identical, the operation behavior is intercepted. Compared with the prior art, the embodiments of the present invention can decide whether to intercept an operation behavior according to its current call stack, making the judgment before the operation behavior is executed, so as to protect the ATM comprehensively. If the current call stack is abnormal, a memory overflow can result, and an attacker can use the memory overflow to attack the ATM and crash its program; by monitoring call stack information, the operation behaviors that would crash the ATM are identified, so that the ATM is effectively protected.
According to an embodiment of the present invention, a storage medium is provided. The storage medium stores at least one executable instruction, and the computer-executable instruction can execute the ATM safety protection method of any of the method embodiments above.
Fig. 5 shows a structural schematic diagram of a computer device provided according to an embodiment of the present invention; the specific embodiments of the present invention do not limit the specific implementation of the computer device.
As shown in Fig. 5, the computer device may include a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
The processor 502, the communication interface 504 and the memory 506 communicate with one another over the communication bus 508.
The communication interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is used to execute the program 510, and may specifically perform the relevant steps of the ATM safety protection method embodiments above.
Specifically, the program 510 may include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the computer device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
monitor whether the ATM generates an operation behavior;
look up the current call stack of the operation behavior;
judge whether the prestored call stack corresponding to the operation behavior is identical to the current call stack;
if the judgment result is no, intercept the operation behavior.
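The four operations above, together with the comparison table, the element-by-element comparison and the handling after interception that the embodiments describe, can be sketched as follows. This is an added example, not code from the patent; the (module, function) frame representation, the sample table entries, the fail-closed handling of a behavior with no table entry and the one-line audit record are assumptions of the example.

```python
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# One call-stack element as (module, function). Assumed representation: the
# patent only says both stacks are parsed into a common data structure and
# compared element by element.
Frame = Tuple[str, str]

# Behavior/call-stack comparison table (constructed sample entries).
PRESTORED: Dict[str, Tuple[Frame, ...]] = {
    "withdrawal": (("atm_app", "handle_keypad_confirm"),
                   ("atm_app", "withdraw"),
                   ("dispenser_drv", "dispense_notes")),
    "inquiry": (("atm_app", "handle_keypad_confirm"),
                ("atm_app", "query_balance")),
}


class Verdict(NamedTuple):
    allowed: bool
    reason: str
    mismatch_index: Optional[int]  # first differing position, if any


def first_mismatch(expected: Sequence[Frame],
                   current: Sequence[Frame]) -> Optional[int]:
    """Return the index of the first differing element, or None if identical.

    A missing or extra frame counts as a mismatch at the length of the
    shorter stack, so a stack that is only a prefix of the expected one
    never passes.
    """
    for i, (exp, cur) in enumerate(zip(expected, current)):
        if exp != cur:
            return i
    if len(expected) != len(current):
        return min(len(expected), len(current))
    return None


def judge(behavior: str, current: Sequence[Frame]) -> Verdict:
    """Compare the current call stack with the prestored one for a behavior."""
    expected = PRESTORED.get(behavior)
    if expected is None:
        # Assumption: fail closed when the table has no entry.
        return Verdict(False, "no prestored call stack", None)
    idx = first_mismatch(expected, current)
    if idx is None:
        return Verdict(True, "call stacks identical", None)
    return Verdict(False, "call stack mismatch", idx)


def handle(pending: dict, current: Sequence[Frame], audit: List[str]) -> Verdict:
    """Judge a pending process before it runs and intercept it on mismatch."""
    verdict = judge(pending["behavior"], current)
    if verdict.allowed:
        pending["state"] = "running"
    else:
        pending["state"] = "stopped"   # intercept: the process is not executed
        # The audit line is an addition of this example; the patent only says
        # the security risk data is obtained and then deleted.
        audit.append(f"{pending['behavior']}: {verdict.reason} "
                     f"(index {verdict.mismatch_index})")
        pending.pop("data", None)      # delete the transmitted data
    return verdict


if __name__ == "__main__":
    # Constructed input: the first frame comes from an unexpected module.
    stack = [("unknown_module", "entry"), ("atm_app", "withdraw"),
             ("dispenser_drv", "dispense_notes")]
    log: List[str] = []
    print(handle({"behavior": "withdrawal", "data": b"\x00"}, stack, log), log)
```
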
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device. In some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; for those skilled in the art, the invention may be modified and varied in various ways. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
The embodiments of the present invention provide the following technical solutions:
A1. A safety protection method for an ATM, comprising:
monitoring whether the ATM generates an operation behavior;
looking up the current call stack of the operation behavior;
judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack;
if the judgment result is no, intercepting the operation behavior.
A2. The method of A1, wherein monitoring whether the ATM generates an operation behavior comprises:
if operation data is transmitted through an external interface of the ATM, obtaining the operation data, the external interface including a card recognition interface, a key entry interface, a USB interface and a network interface;
creating a pending process according to the operation data;
judging whether the pending process is the operation behavior, the operation behavior including transfer, inquiry, withdrawal, password change and payment;
if the judgment result is yes, determining that the ATM generates the operation behavior;
if the judgment result is no, determining that the ATM does not generate the operation behavior.
A3. The method of A2, wherein after determining that the ATM generates the operation behavior, the method further comprises:
calling the current call stack of the operation behavior according to the pending process.
A4. The method of A1, wherein before judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack, the method further comprises:
establishing a behavior/call-stack comparison table, the table being used to store the correspondence between all operation behaviors of the ATM and their prestored call stacks;
looking up, in the behavior/call-stack comparison table, the prestored call stack corresponding to the operation behavior.
A5. The method of A1, wherein judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack comprises:
parsing the data structure of the prestored call stack and of the current call stack;
according to the data structure, comparing the prestored call stack and the current call stack one data bit at a time to determine whether they are identical;
if the comparison result for at least one data bit is not identical, determining that the prestored call stack and the current call stack are not identical.
A6. The method of A2, wherein intercepting the operation behavior if the judgment result is no comprises:
stopping execution of the pending process.
A7. The method of A2, wherein after intercepting the operation behavior because the judgment result is no, the method further comprises:
obtaining security risk data, the security risk data including the operation behavior, the pending process and the transmission data;
deleting the security risk data.
B8. A safety protection device for an ATM, comprising:
a monitoring module, configured to monitor whether the ATM generates an operation behavior;
a searching module, configured to look up the current call stack of the operation behavior;
a judgment module, configured to judge whether the prestored call stack corresponding to the operation behavior is identical to the current call stack;
a blocking module, configured to intercept the operation behavior if the judgment result is no.
B9. The device of B8, wherein the monitoring module comprises:
an acquiring unit, configured to obtain operation data if the operation data is transmitted through an external interface of the ATM, the external interface including a card recognition interface, a key entry interface, a USB interface and a network interface;
a creating unit, configured to create a pending process according to the operation data;
a judging unit, configured to judge whether the pending process is the operation behavior, the operation behavior including transfer, inquiry, withdrawal, password change and payment;
a determination unit, configured to determine that the ATM generates the operation behavior if the judgment result is yes;
the determination unit being further configured to determine that the ATM does not generate the operation behavior if the judgment result is no.
B10. The device of B9, wherein the device further comprises:
a calling module, configured to call the current call stack of the operation behavior according to the pending process after it is determined that the ATM generates the operation behavior.
B11. The device of B8, wherein the device further comprises:
an establishing module, configured to establish a behavior/call-stack comparison table before it is judged whether the prestored call stack corresponding to the operation behavior is identical to the current call stack, the table being used to store the correspondence between all operation behaviors of the ATM and their prestored call stacks;
a searching module, configured to look up, in the behavior/call-stack comparison table, the prestored call stack corresponding to the operation behavior.
B12. The device of B8, wherein the judgment module comprises:
a resolution unit, configured to parse the data structure of the prestored call stack and of the current call stack;
a comparing unit, configured to compare, according to the data structure, the prestored call stack and the current call stack one data bit at a time to determine whether they are identical;
a determination unit, configured to determine that the prestored call stack and the current call stack are not identical if the comparison result for at least one data bit is not identical.
B13. The device of B9, wherein the blocking module is configured to:
stop executing the pending process.
B14. The device of B9, wherein the device further comprises:
an obtaining module, configured to obtain security risk data after the operation behavior has been intercepted because the judgment result is no, the security risk data including the operation behavior, the pending process and the transmission data;
a removing module, configured to delete the security risk data.
C15. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the ATM safety protection method of any one of A1-A7.
D16. A computer device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the ATM safety protection method of any one of A1-A7.

Claims (10)

1. A safety protection method for an ATM, characterized by comprising:
monitoring whether the ATM generates an operation behavior;
looking up the current call stack of the operation behavior;
judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack;
if the judgment result is no, intercepting the operation behavior.
2. The method of claim 1, characterized in that monitoring whether the ATM generates an operation behavior comprises:
if operation data is transmitted through an external interface of the ATM, obtaining the operation data, the external interface including a card recognition interface, a key entry interface, a USB interface and a network interface;
creating a pending process according to the operation data;
judging whether the pending process is the operation behavior, the operation behavior including transfer, inquiry, withdrawal, password change and payment;
if the judgment result is yes, determining that the ATM generates the operation behavior;
if the judgment result is no, determining that the ATM does not generate the operation behavior.
3. The method of claim 2, characterized in that after determining that the ATM generates the operation behavior, the method further comprises:
calling the current call stack of the operation behavior according to the pending process.
4. The method of claim 1, characterized in that before judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack, the method further comprises:
establishing a behavior/call-stack comparison table, the table being used to store the correspondence between all operation behaviors of the ATM and their prestored call stacks;
looking up, in the behavior/call-stack comparison table, the prestored call stack corresponding to the operation behavior.
5. The method of claim 1, characterized in that judging whether the prestored call stack corresponding to the operation behavior is identical to the current call stack comprises:
parsing the data structure of the prestored call stack and of the current call stack;
according to the data structure, comparing the prestored call stack and the current call stack one data bit at a time to determine whether they are identical;
if the comparison result for at least one data bit is not identical, determining that the prestored call stack and the current call stack are not identical.
6. The method of claim 2, characterized in that intercepting the operation behavior if the judgment result is no comprises:
stopping execution of the pending process.
7. The method of claim 2, characterized in that after intercepting the operation behavior because the judgment result is no, the method further comprises:
obtaining security risk data, the security risk data including the operation behavior, the pending process and the transmission data;
deleting the security risk data.
8. A safety protection device for an ATM, characterized by comprising:
a monitoring module, configured to monitor whether the ATM generates an operation behavior;
a searching module, configured to look up the current call stack of the operation behavior;
a judgment module, configured to judge whether the prestored call stack corresponding to the operation behavior is identical to the current call stack;
a blocking module, configured to intercept the operation behavior if the judgment result is no.
9. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the ATM safety protection method of any one of claims 1-7.
10. A computer device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the ATM safety protection method of any one of claims 1-7.
CN201811645526.XA 2018-12-29 2018-12-29 Safety protection method and device for ATM Active CN109785537B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811645526.XA CN109785537B (en) 2018-12-29 2018-12-29 Safety protection method and device for ATM

Publications (2)

Publication Number Publication Date
CN109785537A true CN109785537A (en) 2019-05-21
CN109785537B CN109785537B (en) 2022-09-30

Family

ID=66499633

Country Status (1)

Country Link
CN (1) CN109785537B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant