CN113162936B - Method and system for preventing abnormal dynamic analysis


Info

Publication number: CN113162936B
Authority: CN (China)
Prior art keywords: equipment, software, command, operating system, maintenance
Legal status: Active
Application number: CN202110449948.5A
Other languages: Chinese (zh)
Other versions: CN113162936A
Inventor: 施建龙
Current Assignee: Yici Netlink Hangzhou Technology Co ltd
Original Assignee: Yici Netlink Hangzhou Technology Co ltd

Events:
Application filed by Yici Netlink Hangzhou Technology Co ltd
Priority to CN202110449948.5A
Publication of CN113162936A
Application granted
Publication of CN113162936B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention provides a method and a system for preventing abnormal dynamic analysis. The method comprises the following steps: setting an interception command for an operating system, the interception command being used to intercept display instructions, add/delete/modify/query (CRUD) instructions, transmission instructions, access instructions and interaction instructions while the system is running; implanting the operating system provided with the interception command into a device; executing the interception command when the device is abnormally logged in; and, when operation and maintenance (O&M) processing of the device is needed, using O&M software transferred into the device to suspend the interception command, performing the O&M operation on the device, deleting the O&M software once O&M is finished, and resuming execution of the interception command. By intercepting the display, add/delete/modify/query, transmission, access and interaction functions of the operating system during dynamic operation, the invention prevents key system data from being further acquired and analyzed after an abnormal login, and improves the dynamic operation security of the system.

Description

Method and system for preventing abnormal dynamic analysis
Technical Field
The invention relates to the technical field of system security, in particular to a method and a system for preventing abnormal dynamic analysis, i.e. preventing a system from being analyzed by an unauthorized party while it is running.
Background
The development of computer hardware and software has brought a wide range of convenient products into households, and as technology has advanced these products are generally equipped with an operating system on which the manufacturer's software runs.
Currently, both the operating system and the software running on it need to be protected against analysis of their technical content; however, the prior art carries the following risks:
1. the security issues and risks the software may have are not considered;
2. to ensure that the software can be operated and maintained, additional tools are left on the device that can later be used for analysis;
3. protecting the software with packing (shelling) and obfuscation techniques is difficult and interferes with its operation and maintenance.
Software therefore needs to be protected against these risks. Current software protection consists mainly of techniques against static analysis, but once software is sold online or as a physical product, hackers frequently break into the system through software bugs, and some may even obtain the highest privilege level of the system, at which point static anti-analysis techniques no longer offer any protection.
Dynamic analysis is the acquisition and analysis of a system's operating logic and runtime data through interactive means, such as facilities the system itself provides or an attached debugger or injected process, while the system is running. At present a hacker typically analyzes the operating system, or the software running on it, by dynamic analysis: with the highest privilege level on the system the hacker can perform any operation, directly debug packed or obfuscated software on the device's operating system, and even modify the configuration of the whole system, all of which facilitates further attack operations.
Disclosure of Invention
To address the problem in the prior art that a system is easily subjected to abnormal analysis while running, a method and a system for preventing abnormal dynamic analysis are provided, so that key system data cannot be further acquired and analyzed after an abnormal login, and the dynamic operation security of the system is improved.
The specific technical solution is as follows:
a method for preventing abnormal dynamic analysis, comprising the steps of:
setting an interception command for an operating system, the interception command being used to intercept display instructions, add/delete/modify/query instructions, transmission instructions, access instructions and interaction instructions;
implanting the operating system provided with the interception command into a device;
executing the interception command when the device is abnormally logged in;
when O&M processing of the device is needed, using O&M software transferred into the device to suspend the interception command, performing the O&M operation on the device, deleting the O&M software once O&M is finished, and resuming execution of the interception command.
Preferably, after the device is abnormally logged in, the method for preventing abnormal dynamic analysis specifically includes at least one of the following steps:
using the interception command to intercept display instructions, thereby intercepting the display function of the operating interface;
using the interception command to intercept transmission instructions, thereby intercepting data transmission operations;
using the interception command to intercept add/delete/modify/query instructions, thereby intercepting add, delete, modify and query operations on data;
using the interception command to intercept interaction instructions, thereby intercepting interactive operations;
and using the interception command to intercept access instructions, thereby intercepting access by unauthorized software.
Preferably, in the method for preventing abnormal dynamic analysis, the interaction instructions include interaction instructions from a touch screen, from device keys and from peripheral devices.
Preferably, in the method for preventing abnormal dynamic analysis, performing O&M processing on the device specifically includes the following steps:
when O&M processing of the device is needed, performing a non-user login to the device through an external interface;
the device intercepts the non-user login and issues an authorization request to the user to obtain the user's response;
when the response is an authorization, the non-user login continues;
transferring O&M software to the device through the external interface, and suspending the interception command once the device has determined, using a preset learning strategy, that the O&M software is trusted;
and performing the O&M operation on the device with the trusted O&M software, then deleting the O&M software once the O&M operation is complete, so that the device resumes execution of the interception command in response to the deletion.
Preferably, in the method for preventing abnormal dynamic analysis, an abnormal login is one in which the person logging in enters the device using abnormal authorization.
Preferably, the method for preventing abnormal dynamic analysis is applied to a trusted system and further comprises the following steps:
creating an authentication method for authenticating a trust label according to a trust hierarchy;
implanting the authentication method and the interception command into an operating system, and implanting that operating system into a device;
setting a trust label for the software to be authenticated in the trusted system;
implanting the software to be authenticated into the device carrying the operating system;
and operating the device, whereupon the operating system obtains an authentication file for authenticating the trust label, authenticates the software implanted into the device against the authentication file using the authentication method, and executes the software only when authentication succeeds.
Preferably, in the method for preventing abnormal dynamic analysis, the authentication method specifically comprises:
in the trusted system, intercepting key functions of the operating system in order to perform software behaviour analysis and third-party analysis on the software to be authenticated and obtain an analysis result, so that the operating system authenticates the software implanted into the device according to both the analysis result and the authentication file.
Preferably, in the method for preventing abnormal dynamic analysis, the step of obtaining the authentication file for authenticating the trust label specifically includes:
the operating system authenticating the software to be authenticated through a built-in trusted system according to the authentication method.
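As an added illustration of the trust-label flow in these claims (and of steps A1-A4 of the second embodiment below), not the patent's own mechanism: the HMAC-SHA256 label, the JSON authentication file and the two-level trust hierarchy are assumptions made here, and the software images are constructed byte strings.

```python
"""Added model of trust label + authentication file + authentication method.
Assumptions (not from the patent): the label is level:HMAC-SHA256 over the
image hash under the trusted system's key; the authentication file is JSON
naming each permitted software and the minimum trust level it must carry."""
import hashlib
import hmac
import json

# Assumed trust hierarchy: a higher number is a more trusted issuer.
TRUST_LEVELS = {"third_party": 1, "operator": 2}

# Constructed demo key; a real deployment would keep this inside the trusted system.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed authentication file the operating system obtains at start-up.
AUTH_FILE = json.loads(
    '{"maint-agent": {"min_level": "operator"}, "media-player": {"min_level": "third_party"}}'
)


def set_trust_label(image: bytes, level: str, issuer_key: bytes) -> str:
    """Trusted-system side: label = level ':' HMAC(key, level ':' SHA-256(image))."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(issuer_key, f"{level}:{digest}".encode(), hashlib.sha256).hexdigest()
    return f"{level}:{tag}"


def authenticate(name: str, image: bytes, label: str, auth_file: dict,
                 issuer_key: bytes, analysis_ok: bool) -> bool:
    """Operating-system side (the authentication method). The image may run only if
    1. the authentication file lists it,
    2. its label verifies under the trusted system's key (image unmodified),
    3. the label's level meets the minimum the authentication file demands, and
    4. the software operation analysis raised no objection."""
    entry = auth_file.get(name)
    if entry is None:
        return False
    try:
        level, tag = label.split(":", 1)
    except ValueError:
        return False  # malformed label
    expected = set_trust_label(image, level, issuer_key).split(":", 1)[1]
    if not hmac.compare_digest(tag, expected):
        return False  # image or label tampered with, or wrong issuer key
    if TRUST_LEVELS.get(level, 0) < TRUST_LEVELS.get(entry["min_level"], 99):
        return False  # issuer not high enough in the trust hierarchy
    return analysis_ok


def demo() -> dict:
    """Constructed cases showing which implanted software the OS would execute."""
    agent = b"\x7fELF constructed maint-agent image"
    player = b"constructed media-player image"
    good = set_trust_label(agent, "operator", ISSUER_KEY)
    weak = set_trust_label(agent, "third_party", ISSUER_KEY)  # right key, level too low
    return {
        "genuine": authenticate("maint-agent", agent, good, AUTH_FILE, ISSUER_KEY, True),
        "tampered": authenticate("maint-agent", agent + b"\x90", good, AUTH_FILE, ISSUER_KEY, True),
        "low_level": authenticate("maint-agent", agent, weak, AUTH_FILE, ISSUER_KEY, True),
        "player_ok": authenticate("media-player", player,
                                  set_trust_label(player, "third_party", ISSUER_KEY),
                                  AUTH_FILE, ISSUER_KEY, True),
        "analysis_failed": authenticate("media-player", player,
                                        set_trust_label(player, "third_party", ISSUER_KEY),
                                        AUTH_FILE, ISSUER_KEY, False),
        "unknown": authenticate("rogue", player,
                                set_trust_label(player, "operator", ISSUER_KEY),
                                AUTH_FILE, ISSUER_KEY, True),
        "forged": authenticate("media-player", player,
                               set_trust_label(player, "operator", b"wrong-key"),
                               AUTH_FILE, ISSUER_KEY, True),
    }
```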
There is also provided a system for preventing abnormal dynamic analysis, comprising:
an interception command setting module, used to set an interception command for the operating system, the interception command being used to intercept display instructions, add/delete/modify/query instructions, transmission instructions, access instructions and interaction instructions;
an implantation module, used to implant the operating system provided with the interception command into a device;
an interception module, which executes the interception command when the device is abnormally logged in;
and an O&M module, used to suspend the interception command by means of O&M software transferred into the device when the device needs O&M, to carry out the O&M operation on the device, to delete the O&M software once O&M is finished, and to resume execution of the interception command.
There is also provided an electronic device comprising a processor and a memory for storing processor-executable instructions which, when executed by the processor, implement the steps of any of the methods described above.
The technical solution has the following advantages or beneficial effects:
when an abnormal logger (who may be a hacker) abnormally logs in to the device while the system is running, the interception command intercepts the display, add/delete/modify/query, transmission, access and interaction instructions of the running operating system, so that a hacker who has broken through the software restrictions of the various external services, or who has entered the operating system by physical means, is prevented from further analyzing the operating system, the software and the services; the operating system and software are thereby protected even after an abnormal login, and the dynamic operation security of the operating system is improved;
the interception command prevents a hacker from analyzing the file directories holding the dependencies, configuration and so on of the software run by the operating system;
intercepting the display function of the operating system prevents a hacker from viewing the access links, desktop locations, software addresses and so on of the software;
intercepting the interaction instructions prevents a hacker from using them to analyze the file directories holding the dependencies, configuration and so on of the software run by the operating system;
through these measures the dynamic operation security of the operating system is further improved.
Adopting the method for preventing abnormal dynamic analysis prevents a hacker who has broken through the software restrictions of the various external services, or who has entered the operating system by physical means, from further analyzing the operating system, the software and the services, so that key system data cannot be further acquired and analyzed after an abnormal login, and the dynamic operation security of the system is further improved;
the ability to prevent abnormal dynamic analysis is achieved by a trusted third-party verification system working together with the operating system and the software itself, where the third-party verification system may be the device operator (i.e. the device manufacturer), and the software to be authenticated may be provided by the device operator;
creating a trusted system, an authentication method, trust labels and so on prevents the operating state of the operating system from being analyzed after a hacker has abnormally entered the system; however, the operating system still offers interaction instructions with which a user can browse the file directories holding the dependencies, configuration and so on of the software it runs, and the interception command is therefore used to prevent a hacker from analyzing those directories after abnormally entering the system.
Drawings
Embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings. The drawings are, however, to be regarded as illustrative and explanatory only and are not restrictive of the scope of the invention.
FIG. 1 is a flowchart of a first embodiment of the method for preventing abnormal dynamic analysis according to the present invention;
FIG. 2 is a flowchart of the operation and maintenance processing in the first embodiment of the method for preventing abnormal dynamic analysis according to the present invention;
FIG. 3 is a flowchart of a second embodiment of the method for preventing abnormal dynamic analysis according to the present invention;
FIG. 4 is a further flowchart of the second embodiment of the method for preventing abnormal dynamic analysis according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
The invention is further described with reference to the following drawings and specific examples, which are not intended to be limiting.
First embodiment:
the invention includes a method for preventing abnormal dynamic analysis which, as shown in FIG. 1, comprises the steps of:
S1, setting an interception command for the operating system, the command being used to intercept the display function, the add/delete/modify/query and transmission capabilities, the access capability and the interaction instructions;
S2, implanting the operating system provided with the interception command into a device;
S3, when the device is abnormally logged in, using the interception command to intercept the display function, the add/delete/modify/query and transmission capabilities, the access capability and the interaction instructions of the operating system;
and S4, when O&M processing of the device is needed, using O&M software transferred into the device to suspend the interception command, performing the O&M operation on the device, deleting the O&M software once O&M is finished, and resuming execution of the interception command.
In the above embodiment, when an abnormal logger (who may be a hacker) abnormally logs in to the device, the interception command intercepts the display, add/delete/modify/query, transmission, access and interaction instructions of the running operating system, so that a hacker who has broken through the software restrictions of the various external services, or who has entered the operating system by physical means, is prevented from further analyzing the operating system, the software and the services; the operating system and software are thereby protected after an abnormal login, and the dynamic operation security of the operating system is further improved.
Here, an abnormal login means entering the device using abnormal authorization.
In the above embodiment, the capabilities that the interception command denies to a hacker after an abnormal login, namely adding, deleting, modifying, querying and transmitting all file-system data of the operating system and dynamically running software, also cover the ability to analyze the disk or file system, the running software itself and its runtime data, and the dependencies or configuration related to that data.
It should be noted that the above steps in the present application may be performed sequentially, as shown in fig. 1, and in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in the present specification. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Further, in the above embodiment, after the device is abnormally logged in, at least one of the following steps is specifically included:
using the interception command to intercept display instructions, thereby intercepting the display function of the operating interface;
using the interception command to intercept transmission instructions, thereby intercepting data transmission operations, so that a hacker cannot use the transmission function to acquire and analyze key system data after an abnormal login, further improving the dynamic operation security of the operating system;
using the interception command to intercept add/delete/modify/query instructions, thereby intercepting add, delete, modify and query operations on data, so that a hacker cannot use these functions to acquire and analyze key system data after an abnormal login, further improving the dynamic operation security of the operating system;
using the interception command to intercept interaction instructions, thereby intercepting interactive operations, so that a hacker cannot use interaction instructions to acquire and analyze key system data after an abnormal login, further improving the dynamic operation security of the operating system;
using the interception command to intercept access instructions, thereby intercepting access by unauthorized software, so that a hacker cannot use access instructions to acquire and analyze key system data after an abnormal login, further improving the dynamic operation security of the operating system.
As a preferred embodiment, the display function may cover the entry links, desktop locations and addresses of file system data, and the like.
After a hacker enters the operating system, the display function is intercepted because the interception command of the present application intercepts display instructions, so the hacker cannot view the access links, desktop locations, addresses and so on of the file system data, and is prevented from acquiring and analyzing key system data through the display function after an abnormal login, further improving the dynamic operation security of the operating system.
For example, when the device is entered normally the desktop carries shortcuts to the various file system data; when an abnormal logger enters the device using abnormal authorization (assume a hacker has now entered the operating system), the desktop may be blank, with no shortcut to any file system data.
Further, in the above embodiment, the interaction instructions include interaction instructions from a touch screen, from device keys and from peripheral devices.
As a preferred embodiment, the peripheral devices may be a mouse and a keyboard.
For example, the interaction instruction may be a keyboard shortcut: on a Linux operating system, when the device is logged in normally the keyboard Tab key completes the names of the operating system's directories and files and so lets them be enumerated; when the device is abnormally logged in (assume a hacker has now entered the operating system), the hacker cannot use the Tab key to enumerate the operating system's directories and files.
As a preferred embodiment, the interception command for intercepting interaction instructions can be realized by intercepting the key functions in the operating system associated with those interaction instructions.
In the above embodiments, use of the interaction instructions is inhibited by intercepting the key functions in the operating system associated with them.
Further, in the foregoing embodiment, as shown in FIG. 2, step S4 specifically includes:
step S41, when O&M processing of the device is needed, performing a non-user login to the device through an external interface;
step S42, the device intercepts the non-user login and issues an authorization request to the user to obtain the user's response;
when the response is an authorization, the non-user login continues;
step S43, transferring O&M software to the device through the external interface, and suspending the interception command once the device has determined, using a preset learning strategy, that the O&M software is trusted;
and step S44, performing the O&M operation on the device with the trusted O&M software, and deleting the O&M software once the O&M operation is complete, so that the device resumes execution of the interception command in response to the deletion.
It should be noted that when O&M processing is performed on the device, the device is in its normal state.
In the above embodiment, when O&M processing of the device is needed a third-party verification system has to be involved. The third-party verification system performs a non-user login to the device through an external interface (which may be any hardware device or software interface provided by the device that can be used to log in to the operating system, for example ssh, interface software or a serial port). The device intercepts the login request of the third-party verification system, reports the non-user login attempt to the user through the user interface, and obtains the user's response indicating whether it is authorized: when the response authorizes the non-user login, the login of the third-party verification system continues; when the response denies authorization, the device stops the non-user login of the third-party verification system.
When the response authorizes the non-user login, the third-party verification system's login continues and it operates the device; the device records every operation the third-party verification system performs and stores the record, so that the user can later query it or print a paper report of the operations performed.
The third-party verification system then transfers trusted O&M software to the device through the external interface. Each transfer into or out of the device by the third-party verification system must be verified for consistency with the operation being performed, and whether the transfer proceeds is decided by the verification result.
The third-party verification system then begins the O&M operation, and the device learns whether that operation is trustworthy, i.e. judges whether the O&M operation is normal. The approach offered here is as follows: the device releases the sensitive areas of the running device that do not hold user data, so that system processes, program stacks and so on can be viewed; such operations are normally intercepted by the trust system. Once learning is complete and the O&M operation has been judged normal, the device cancels the interception command, i.e. interaction instructions can now be executed.
After the O&M operation on the device is finished, the third-party verification system deletes the O&M software, so that the device resumes execution of the interception command in response to the deletion, and sends an O&M-complete notification to the user.
It should be noted that the O&M software is generated temporarily by the trusted system, so a use-time limit can be set on it: even if someone forgets to delete the O&M software, the device uses the preset learning strategy to classify O&M software that has exceeded its use-time limit as untrusted and does not execute it;
and the O&M software is deleted when the O&M software performing the O&M operation exceeds its use-time limit.
The second embodiment:
A method for preventing abnormal dynamic analysis, applied to a third-party verification system and to a trusted system, comprises the following steps, as shown in figs. 3-4:
step A1, constructing a trusted system, and creating an authentication method for authenticating a trust label according to the trusted system;
step A2, setting an interception command for the operating system, where the interception command is used to intercept the display instruction, the add/delete/modify/query instruction, the transfer instruction, the access instruction and the interactive instruction;
step A3, implanting the authentication method and the interception command into the operating system, and implanting the operating system carrying the authentication method and the interception command into the device;
step A4, setting a trust label for the software to be authenticated in the trusted system;
step A5, implanting the software to be authenticated into the device in which the operating system is implanted;
step A6, running the device in which the operating system is implanted, where the operating system obtains an authentication file for authenticating the trust label, authenticates the software to be authenticated implanted in the device according to the authentication file using the authentication method, and executes the software to be authenticated when authentication succeeds;
it should be noted that the above steps, other than setting and implanting the interception command, effectively prevent a hacker (an illegal access) who has entered the system from analyzing the running state of the operating system, but cannot prevent the hacker from analyzing the file directories holding the dependencies or configuration of the software the system is running; the interception command is therefore needed to prevent a hacker who has logged in abnormally from further obtaining and analyzing key system data. The interception command is used as follows:
step A7, when the device is abnormally logged in, executing the interception command;
and step A8, when operation and maintenance processing needs to be performed on the device, performing a non-user login on the device through an external interface, transferring operation and maintenance software into the device after the non-user login is completed according to the authorization information obtained by the device, using the operation and maintenance software to stop the interception command so that the operation and maintenance operation can be performed on the device, and deleting the operation and maintenance software after the operation and maintenance is completed so that the interception command continues to execute.
In the above embodiment, the method for preventing abnormal dynamic analysis prevents a hacker from breaking through the software restrictions of the various external services, or from further analyzing the operating system, the software and the services after entering the operating system by physical means, thereby protecting the operating system and the software and further improving their security.
In the above embodiment, the capability of preventing abnormal dynamic analysis of the software is achieved by combining the operating system and the software itself through a trusted third-party verification system. The third-party verification system may be the device operator (that is, the manufacturer of the device), and the software to be authenticated may be provided by the device operator.
In the above embodiment, creating the trusted system, the authentication method, the trust label and the like prevents a hacker who has entered the system from analyzing the running state of the operating system; however, because the operating system provides interactive instructions with which a user can analyze the file directories holding the dependencies, configuration and the like of the software running in the system, the interception command is adopted to prevent a hacker who has logged in abnormally from further obtaining and analyzing key system data, which further improves the security of the system during dynamic operation.
Further, in the above embodiment, the authentication method specifically includes:
in the trusted system, performing software operation analysis and third-party analysis on the software to be authenticated to obtain an analysis result, so that the operating system authenticates the software to be authenticated that is implanted in the device according to the analysis result and the authentication file.
In the above embodiment, the device in which the operating system is implanted is run, and the operating system provided on the device runs at the same time;
the operating system obtains the authentication file for authenticating the trust label;
the third-party verification system performs software operation analysis and third-party analysis on the software to be authenticated in the established trusted system to obtain an analysis result;
and the operating system authenticates the software to be authenticated implanted in the device according to the analysis result and the authentication file, executes the software when authentication succeeds, and refuses to execute the current software when authentication fails.
Further, in the above embodiments, the trusted system is a general certificate trust system.
In the above embodiment, the trusted system may be created by the third-party verification system, and the third-party verification system may be at least one of the device operator and the software operator, where the device operator may also be the software operator at the same time.
In the above embodiment, the trusted system may be a general certificate trust system or a trusted system customized by the third-party verification system.
In this embodiment, the trusted system is able to set trust labels for the software to be authenticated, so the third-party verification system sets the trust label for the software to be authenticated within the trusted system.
As a preferred embodiment, the specific step of obtaining the authentication file for authenticating the trust label includes:
the operating system connecting remotely to the trusted system according to the authentication method to obtain the authentication file.
In the above embodiment, the device in which the operating system is implanted is run, and the operating system provided on the device runs at the same time;
the operating system, according to the built-in authentication method, connects remotely over a secure transport to the trusted system established by the third-party verification system and obtains the authentication file for authenticating the trust label; because the authentication file is obtained remotely, it can be updated automatically.
As another preferred embodiment, the specific step of obtaining the authentication file for authenticating the trust label includes:
implanting the authentication file into the device, so that the operating system obtains the authentication file directly from the device; this allows the authentication file to be obtained in a network-free environment.
A special case is failure of the trusted system implanted in the device, which then requires updating the trusted system; this is not described further here.
As a specific implementation, take the operating system to be a Linux system and the third-party verification system to be the device operator;
the device operator builds its own trusted system, which is kept secret from the outside; the trusted system is able to set trust labels for Linux files (a Linux file here being the software to be authenticated) and at the same time exposes the capability of checking whether a trust label is genuine.
The device operator can implant the Linux operating system into the device during production, performing the following steps:
implanting the authentication method into the Linux operating system, where the authentication method is implanted separately as a kernel module (.ko);
it should be noted that at this step the embodiment can effectively prevent a hacker who has entered the Linux operating system from analyzing the running state of the system, but cannot prevent the hacker from analyzing the software the Linux operating system is running;
to address this, an interception command is added to the Linux operating system for intercepting the display, add/delete/modify/query, transfer and access capabilities and the interactive instructions, so that unauthorized software can be intercepted during actual operation according to the implanted authentication method; the interception command can itself determine whether the current interactive instruction needs to be intercepted;
implanting the Linux operating system provided with the interception command into the device;
when the device operator loads self-developed or general Linux software (for example cat, ls and the like) into the device, the software must be sent to the trusted system and given a trust label as software to be authenticated; this can be done through an interface connection or similar means;
it should be noted that the three steps of implanting the authentication method into the operating system, implanting the interception command into the operating system, and setting the trust label for the software to be authenticated can all be completed during compilation;
the device then leaves the factory and is started, so the Linux operating system runs; according to the built-in authentication method it connects remotely to the trusted system over a secure transport and obtains the authentication file. In a network-free environment the authentication file can be built into the device, but it must then be replaced under special conditions or at regular intervals;
the operating system then uses the authentication method and the authentication file to authenticate the software to be authenticated. When authentication fails, the operating system refuses to execute the current software and decides to restart the device; when authentication succeeds, the software is executed and the next software to be authenticated is checked, until all of it has been authenticated, at which point the device is considered fully started and serves the outside normally;
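The boot-time authentication just described (the authentication method of the second embodiment and the Linux steps above) can be exercised with a small model. The following Python is an added example written for this page, not code from the patent or from the device operator: it assumes a trust label is an HMAC-SHA256 over a file's path and SHA-256 digest, that the authentication file is a labelled manifest the operating system obtains from the trusted system, and that the device holds the verification key; the file names and contents are constructed.

```python
import hashlib
import hmac
import json


def trust_label(secret, path, content):
    """Trust label the trusted system sets for one software file.
    Assumed format: HMAC-SHA256 over the file path and its SHA-256 digest."""
    digest = hashlib.sha256(content).hexdigest()
    return hmac.new(secret, f"{path}:{digest}".encode(), hashlib.sha256).hexdigest()


def build_authentication_file(secret, files):
    """Trusted-system side: produce the authentication file, here a manifest of
    path -> trust label protected by its own MAC so the OS can detect a manifest
    that was altered in transit or on the device."""
    labels = {path: trust_label(secret, path, content) for path, content in files.items()}
    body = json.dumps(labels, sort_keys=True)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"labels": labels, "mac": mac})


def authenticate_boot(secret, auth_file, installed):
    """Operating-system side at start-up: check the authentication file, then
    authenticate the installed software one file at a time. The first failure
    stops execution and yields a 'restart' decision; when every file passes the
    device is considered fully started and may serve the outside."""
    doc = json.loads(auth_file)
    body = json.dumps(doc["labels"], sort_keys=True)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, doc["mac"]):
        return {"ok": False, "executed": [], "failed": "<authentication file>", "action": "restart"}
    executed = []
    for path, content in installed.items():
        expected = doc["labels"].get(path)
        actual = trust_label(secret, path, content)
        # Unlabelled software, or software whose content no longer matches its
        # label, is refused and the device is restarted.
        if expected is None or not hmac.compare_digest(expected, actual):
            return {"ok": False, "executed": executed, "failed": path, "action": "restart"}
        executed.append(path)  # authenticated: execute, then check the next file
    return {"ok": True, "executed": executed, "failed": None, "action": "serve"}


def demo():
    """Constructed inputs: two labelled binaries; then one of them modified;
    then an unlabelled file added. Returns the three boot decisions."""
    secret = b"constructed-trusted-system-secret"
    files = {"/bin/cat": b"cat binary (constructed)", "/bin/ls": b"ls binary (constructed)"}
    auth_file = build_authentication_file(secret, files)
    clean = authenticate_boot(secret, auth_file, files)
    tampered = dict(files)
    tampered["/bin/ls"] = b"ls binary (modified)"
    modified = authenticate_boot(secret, auth_file, tampered)
    extra = dict(files)
    extra["/bin/rogue"] = b"unlabelled tool (constructed)"
    unlabelled = authenticate_boot(secret, auth_file, extra)
    return clean, modified, unlabelled


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The HMAC keeps the example self-contained, but it means the device holds the labelling secret. Where the trusted system must stay secret to the outside while the label remains checkable, as the embodiment describes, a digital signature verified with a public key carried in the authentication file replaces the HMAC and the flow is otherwise unchanged.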
when a hacker logs in to the device abnormally, the interception command is used to intercept the functions corresponding to the display instruction, the add/delete/modify/query instruction, the transfer instruction, the access instruction and the interactive instruction of the operating system;
when operation and maintenance processing needs to be performed on the device, the device operator must intervene: the device operator performs a non-user login on the device through an external interface; the device intercepts the login request of the non-user login and prompts the user through the user interface, so as to obtain return information from the user indicating the authorization decision. When the return information is authorization information authorizing the non-user login, the non-user login of the device operator continues; when the return information is rejection information denying authorization, the device stops the non-user login of the device operator;
when the return information is authorization information authorizing the non-user login, the non-user login of the device operator continues and the device is operated; the device records every operation executed by the device operator and stores the record, so that the user can later query the operations performed or print a report of them;
the device operator transfers trusted operation and maintenance software to the device through the external interface; every transfer into or out of the device is verified for consistency with the operation being executed, and whether the transfer continues is decided by the verification result;
the device operator then starts the operation and maintenance operation, and the device learns whether the operation is trustworthy, that is, it learns to judge whether the operation and maintenance operation is normal (not described again here); the operation and maintenance operation is performed on the device with the trusted operation and maintenance software, and after it is completed the device operator deletes the operation and maintenance software, in response to which the device resumes executing the interception command and sends an operation and maintenance completion notification to the user.
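The interception and operation-and-maintenance flow described in the first embodiment and repeated above for Linux can be modelled as a small state machine. The Python below is an added example written for this page, not code from the patent or the device operator; it assumes the trusted system labels temporarily generated operation and maintenance software with an HMAC over its name, content digest and use time limit, that the device checks that label with a shared key, and that the user's authorization prompt is a callback; the key, tool bytes and clock values are constructed.

```python
import hashlib
import hmac

# Command classes the interception command covers, from the embodiment.
INTERCEPTED = ("display", "crud", "transfer", "access", "interact")


def ops_label(key, name, digest, expires):
    """Trust label attached by the trusted system to temporarily generated ops
    software. Assumed format: HMAC-SHA256 over name, content digest and expiry."""
    msg = f"{name}|{digest}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    def __init__(self, trust_key, clock):
        self.trust_key = trust_key   # assumed: key shared with the trusted system
        self.clock = clock           # injectable clock returning seconds
        self.intercepting = False    # is the interception command executing?
        self.ops = None              # installed ops software {"name", "expires"}
        self.audit = []              # stored record of operations for later query/print
        self.notices = []            # messages sent to the user

    def abnormal_login(self):
        """Abnormal login detected: the interception command starts executing."""
        self.intercepting = True
        self.audit.append("abnormal login: interception command active")

    def allows(self, cmd_class):
        """Decide whether a command of the given class may execute now."""
        if cmd_class not in INTERCEPTED:
            return True
        if self.ops is not None and self.clock() > self.ops["expires"]:
            # Forgotten ops software past its use limit is untrusted:
            # delete it and re-arm the interception command.
            self.audit.append(f"ops software {self.ops['name']} expired: deleted")
            self.ops = None
            self.intercepting = True
        return not self.intercepting

    def ops_login(self, user_authorizes):
        """Non-user login via an external interface: intercept it, prompt the
        user, continue only on authorization. user_authorizes stands in for the UI."""
        self.audit.append("non-user login request intercepted, user prompted")
        if not user_authorizes():
            self.audit.append("non-user login rejected by user")
            return False
        self.audit.append("non-user login authorized by user")
        return True

    def transfer_ops_software(self, name, content, expires, label):
        """Accept ops software only if its trust label verifies and it is unexpired;
        a trusted tool suspends the interception command for the ops session."""
        digest = hashlib.sha256(content).hexdigest()
        expected = ops_label(self.trust_key, name, digest, expires)
        if not hmac.compare_digest(expected, label) or self.clock() > expires:
            self.audit.append(f"ops software {name} untrusted or expired: rejected")
            return False
        self.ops = {"name": name, "expires": expires}
        self.intercepting = False
        self.audit.append(f"ops software {name} trusted: interception suspended")
        return True

    def delete_ops_software(self):
        """Deleting the ops software re-arms interception and notifies the user."""
        if self.ops is not None:
            self.audit.append(f"ops software {self.ops['name']} deleted")
        self.ops = None
        self.intercepting = True
        self.notices.append("operation and maintenance completed")


def run_scenario():
    """Walk the flow with a constructed key and clock; returns the decision at
    each stage and the audit record so they can be checked."""
    key = b"constructed-shared-trust-key"
    now = [100]
    dev = Device(key, lambda: now[0])
    r = {}
    r["idle"] = dev.allows("display")              # no abnormal login yet
    dev.abnormal_login()
    r["after_abnormal"] = dev.allows("display")    # intercepted
    r["login_rejected"] = dev.ops_login(lambda: False)
    r["login_ok"] = dev.ops_login(lambda: True)
    tool = b"constructed ops tool bytes"
    digest = hashlib.sha256(tool).hexdigest()
    r["bad_label"] = dev.transfer_ops_software("opstool", tool, 200, "0" * 64)
    good = ops_label(key, "opstool", digest, 200)
    r["good_label"] = dev.transfer_ops_software("opstool", tool, 200, good)
    r["during_ops"] = dev.allows("crud")           # interception suspended
    now[0] = 250                                   # use time limit exceeded
    r["after_expiry"] = dev.allows("crud")         # untrusted again
    dev.delete_ops_software()
    r["notified"] = dev.notices[-1]
    return r, dev.audit


if __name__ == "__main__":
    decisions, audit = run_scenario()
    print(decisions)
    print("\n".join(audit))
```

allows() re-checks the use time limit on every intercepted command class, so software that was forgotten rather than deleted is dropped at the first command after expiry, matching the preset learning strategy of the embodiment; the audit list is the stored record the user can later query or print.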
There is also provided a system for preventing abnormal dynamic analysis, comprising:
an interception command setting module, used to set an interception command for the operating system, where the interception command is used to intercept the display instruction, the add/delete/modify/query instruction, the transfer instruction, the access instruction and the interactive instruction;
an implantation module, used to implant the operating system provided with the interception command into the device;
an interception module, which executes the interception command when the device is abnormally logged in;
and an operation and maintenance module, which, when operation and maintenance processing needs to be performed on the device, uses the operation and maintenance software transferred into the device to stop the interception command so that the operation and maintenance of the device can be performed, deletes the operation and maintenance software after the operation and maintenance is finished, and continues to execute the interception command.
The specific implementation of the system for preventing abnormal dynamic analysis by a computer according to the present invention is substantially the same as the embodiments of the method for preventing abnormal dynamic analysis, and will not be described herein again.
There is also provided an electronic device comprising a processor and a memory for storing processor-executable instructions which, when executed by the processor, implement the steps of any of the methods described above.
The specific implementation of the electronic device of the present invention is substantially the same as the embodiments of the above-mentioned abnormal dynamic analysis prevention method, and will not be described herein again.
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (9)

1. A method for preventing abnormal dynamic analysis, comprising the steps of:
setting an interception command for an operating system, wherein the interception command is used for intercepting a display instruction, an addition, deletion, modification and search instruction, a transmission instruction, an access instruction and an interaction instruction;
implanting an operating system provided with the interception command into equipment;
when the equipment is abnormally logged in, executing the interception command;
when the operation and maintenance processing is required to be carried out on the equipment, a non-user login is carried out on the equipment by adopting an external interface;
the equipment intercepts the non-user login and issues an authorization request to the user so as to acquire the return information of the user;
when the returned information is the authorization information, the non-user login is continuously executed;
the external interface is adopted to transmit operation and maintenance software to the equipment, and the equipment stops the interception command after acquiring the trustable operation and maintenance software by adopting a preset learning strategy;
and carrying out operation and maintenance operation on the equipment by adopting the trusted operation and maintenance software, and deleting the operation and maintenance software after the operation and maintenance operation on the equipment is finished, so that the equipment continues to execute the interception command according to the deletion action.
2. The method for preventing abnormal dynamic analysis according to claim 1, wherein after the device is abnormally logged in, at least one of the following steps is specifically included:
intercepting a display function of an operation interface by intercepting the display instruction by adopting the interception command;
intercepting the operation of transmitting data by intercepting the transmission instruction by adopting the interception command;
intercepting the operation of increasing, deleting, modifying and searching data by intercepting the increasing, deleting, modifying and searching instruction by adopting the interception command;
intercepting the interactive operation by intercepting the interactive instruction by adopting the interception command;
and intercepting the access of the unauthorized software by intercepting the access instruction by adopting the interception command.
3. The method for preventing abnormal dynamic analysis according to claim 1 or 2, wherein the interactive instruction comprises an interactive instruction of a touch screen, an interactive instruction of a device key and an interactive instruction of a peripheral device.
4. The method for preventing abnormal dynamic analysis according to claim 1, wherein the abnormal login is an abnormal login user who uses abnormal authorization to enter the device.
5. The method for preventing abnormal dynamic analysis according to claim 1, wherein the method is applied in a trusted hierarchy; the method also comprises the following steps:
creating an authentication method for authenticating the trust label according to the trusted system;
implanting the identification method and the interception command into an operating system, and implanting the operating system implanted with the identification method and the interception command into equipment;
setting a trust label for software to be authenticated in the trusted system;
implanting the software to be authenticated into a device implanted with an operating system;
and operating the equipment implanted with the operating system, wherein the operating system acquires an authentication file for authenticating the trust tag, so that the operating system authenticates the software to be authenticated implanted into the equipment according to the authentication file by adopting the authentication method, and executes the software to be authenticated when the authentication result is successful.
6. The method for preventing abnormal dynamic analysis according to claim 5, wherein the identification method specifically comprises:
and in the trusted system, intercepting a key function of an operating system to perform software operation analysis and third-party analysis on the software to be identified so as to obtain an analysis result, so that the operating system identifies the software to be identified implanted into equipment according to the analysis result and the identification file.
7. The method for preventing abnormal dynamic analysis according to claim 5, wherein the step of obtaining an authentication file for authenticating the trust tag comprises:
and the operating system acquires an authentication file through the trusted system according to a built-in authentication method so as to authenticate the software to be authenticated.
8. A system for preventing abnormal dynamic analysis, comprising:
the interception command setting module is used for setting an interception command for the operating system, wherein the interception command is used for intercepting a display command, an addition, deletion, modification and search command, a transmission command, an access command and an interaction command;
the implantation module is used for implanting the operating system provided with the interception command into equipment;
the interception module executes the interception command when the equipment is abnormally logged in;
the operation and maintenance module is used for performing non-user login on the equipment by adopting an external interface when the equipment needs to be subjected to operation and maintenance processing;
the equipment intercepts the non-user login and issues an authorization request to the user so as to acquire the return information of the user;
when the returned information is authorization information, the non-user login is continuously executed;
the external interface is adopted to transmit operation and maintenance software to the equipment, and the equipment stops the interception command after acquiring the trustable operation and maintenance software by adopting a preset learning strategy;
and carrying out operation and maintenance operation on the equipment by adopting the trusted operation and maintenance software, and deleting the operation and maintenance software after the operation and maintenance operation on the equipment is finished, so that the equipment continues to execute the interception command according to the deletion action.
9. An electronic device comprising a processor and a memory for storing processor-executable instructions which, when executed by the processor, implement the steps of the method of any one of claims 1 to 7.
CN202110449948.5A 2021-04-25 2021-04-25 Method and system for preventing abnormal dynamic analysis Active CN113162936B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110449948.5A CN113162936B (en) 2021-04-25 2021-04-25 Method and system for preventing abnormal dynamic analysis

Publications (2)

Publication Number Publication Date
CN113162936A CN113162936A (en) 2021-07-23
CN113162936B true CN113162936B (en) 2023-04-07

Family

ID=76870512

Country Status (1)

Country Link
CN (1) CN113162936B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116418587B (en) * 2023-04-19 2024-04-30 中国电子科技集团公司第三十研究所 Data cross-domain switching behavior audit trail method and data cross-domain switching system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5925126A (en) * 1997-03-18 1999-07-20 Memco Software, Ltd. Method for security shield implementation in computer system's software
CN108092975A (en) * 2017-12-07 2018-05-29 上海携程商务有限公司 Recognition methods, system, storage medium and the electronic equipment of abnormal login
JP2020190862A (en) * 2019-05-21 2020-11-26 キヤノン株式会社 Information processing system and control method thereof
CN112187747A (en) * 2020-09-15 2021-01-05 中信银行股份有限公司 Remote container login method and device and electronic equipment
CN112699372A (en) * 2019-10-22 2021-04-23 中国电信股份有限公司 Vulnerability processing method and device and computer readable storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102982281B (en) * 2012-11-09 2016-03-30 北京奇虎科技有限公司 Program state testing method and system
CN103198255B (en) * 2013-04-03 2015-06-24 武汉大学 Method and system for monitoring and intercepting sensitive behaviour of Android software
CN106911511B (en) * 2017-03-10 2019-09-13 网宿科技股份有限公司 A kind of means of defence and system of CDN client source station
CN107844700A (en) * 2017-11-28 2018-03-27 郑州云海信息技术有限公司 A kind of method and system of intelligent protection operating system user account
CN111723361A (en) * 2019-03-21 2020-09-29 北京京东尚科信息技术有限公司 Malicious user interception method and system
CN110135151B (en) * 2019-05-23 2020-12-01 北京计算机技术及应用研究所 Trusted computing implementation system and method based on matching of LSM and system call interception

Also Published As

Publication number Publication date
CN113162936A (en) 2021-07-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant