CN114064981A - Reverse shell process detection method and device, electronic equipment, computer storage medium and program product - Google Patents

Info

Publication number: CN114064981A
Application number: CN202111360536.0A
Authority: CN (China)
Prior art keywords: node, target, file descriptor, graph structure, file
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王贺, 刘博彦, 盛颖, 肖新光
Original and current assignee: Beijing Antiy Network Technology Co Ltd

Classifications

    • G06F16/9024 Graphs; Linked lists (under G06F16/901 Indexing; Data structures therefor; Storage structures; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/00 Information retrieval; Database structures therefor; File system structures therefor)
    • G06F21/55 Detecting local intrusion or implementing counter-measures (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)

Abstract

The invention provides a reverse shell process detection method and device, electronic equipment, a computer storage medium and a program product. The method comprises the following steps: acquiring process information of a target process; generating a target directed graph based on the process information and an initialization graph structure; determining the state of a target loop in the target directed graph; and determining whether the target process is a reverse shell process according to the state of the target loop. This technical scheme helps to quickly identify and detect a large number of reverse shell processes, and improves the detection efficiency and accuracy of reverse shell processes.

Description

Reverse shell process detection method and device, electronic equipment, computer storage medium and program product
[ technical field ]
The present invention relates to the field of computer technologies, and in particular, to a reverse shell process detection method and apparatus, an electronic device, a computer storage medium, and a program product.
[ background of the invention ]
With the development of science and technology, computer security hazards have become frequent, and the reverse shell has become one of them. A reverse shell works by a computer sending its own shell out to a particular remote user, and this feature is often used by unauthorized parties to intrude into the computer. In the related art, whether a target process is a reverse shell process can be judged by collecting characteristics of the target process, but this judgment mode is single and the detection accuracy is low.
Therefore, how to accurately and reliably detect the reverse shell process becomes a technical problem to be solved urgently at present.
[ summary of the invention ]
The embodiment of the invention provides a reverse shell process detection method and device, electronic equipment, a computer storage medium and a program product, and aims to solve the technical problem of insufficient reverse shell process detection accuracy in the related technology.
In a first aspect, an embodiment of the present invention provides a reverse shell process detection method, including: acquiring process information of a target process; generating a target directed graph based on the process information and the initialization graph structure; determining a state of a target loop in the target directed graph; and determining whether the target process is a reverse shell process or not according to the state of the target loop.
In the above embodiment of the present invention, optionally, the state of the target loop includes: the presence and absence of a target loop; the step of determining whether the target process is a reverse shell process according to the state of the target loop comprises the following steps: if the target directed graph has a target loop, judging whether the name of the target loop is related to the specified shell name; and if so, determining that the target process is a reverse shell process.
In the foregoing embodiment of the present invention, optionally, the step of generating a target directed graph based on the process information and the initialization graph structure includes: adding the process information to the initialization graph structure to obtain a middle graph structure; and performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the step of adding the process information to the initialization graph structure to obtain an intermediate graph structure includes: for each target process, if the mode value of the file descriptor in the target process pointing to the file is a pipeline type or a socket type, the target process is used as a node of the initialized graph structure, and the process information of the target process is set as the node attribute information of the node to obtain the intermediate graph structure.
In the foregoing embodiment of the present invention, optionally, the process information of the target process includes: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
In the above embodiment of the present invention, optionally, the step of performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph includes: and selecting a target node in the intermediate graph structure based on the node attribute information of each node in the intermediate graph structure and the preset rule, and performing directed connection processing on the target node to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the step of performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph includes: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are different, establishing an edge between the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the files pointed to by the file descriptors of the first node and the second node have the same inode number; and establishing an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error, the files pointed to by the file descriptors of the first node and the second node have the same inode number, and the file descriptor of the second node is neither standard output nor standard error; wherein the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the step of performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph includes: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establishing an edge between the first node and the second node when the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input, wherein the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the step of performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph includes: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establishing an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error, wherein the edge points from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting a reverse shell process, including: the process information acquisition unit is used for acquiring the process information of the target process; the target directed graph generating unit is used for generating a target directed graph based on the process information and the initialized graph structure; a loop state determination unit, configured to determine a state of a target loop in the target directed graph; and the reverse shell determining unit is used for determining whether the target process is a reverse shell process according to the state of the target loop.
In the above embodiment of the present invention, optionally, the state of the target loop includes: the presence and absence of a target loop; the reverse shell determination unit is configured to: if the target directed graph has the target loop, judge whether the name of the target loop is related to the specified shell name, and if so, determine that the target process is a reverse shell process.
In the foregoing embodiment of the present invention, optionally, the target directed graph generating unit includes: the intermediate graph structure generating unit is used for adding the process information into the initialization graph structure to obtain an intermediate graph structure; and the node connection unit is used for performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the intermediate graph structure generating unit is configured to: for each target process, if the mode value of the file descriptor in the target process pointing to the file is a pipeline type or a socket type, the target process is used as a node of the initialized graph structure, and the process information of the target process is set as the node attribute information of the node to obtain the intermediate graph structure.
In the foregoing embodiment of the present invention, optionally, the process information of the target process includes: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: and selecting a target node in the intermediate graph structure based on the node attribute information of each node in the intermediate graph structure and the preset rule, and performing directed connection processing on the target node to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are different, establish an edge between the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the files pointed to by the file descriptors of the first node and the second node have the same inode number; and establish an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error, the files pointed to by the file descriptors of the first node and the second node have the same inode number, and the file descriptor of the second node is neither standard output nor standard error; wherein the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establish an edge between the first node and the second node when the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input, wherein the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establish an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error, wherein the edge points from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the first aspects above.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium storing computer-executable instructions for performing the method flow of any one of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a computer program product, which, when run on an electronic device, causes the electronic device to execute the method flow described in any one of the above first aspects.
Through this technical scheme, aimed at the technical problem of insufficient reverse shell process detection accuracy in the related art, the target directed graph is created from the process information of each target process and the initialized graph structure; the target directed graph integrates and connects target processes with common characteristics, so that a large number of reverse shell processes can be identified and detected quickly, and the detection efficiency and accuracy of reverse shell processes are improved.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 illustrates a flow diagram of a reverse shell process detection method according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a method of constructing a directed graph in accordance with one embodiment of the present invention;
FIG. 3 is a block diagram of an apparatus for reverse shell process detection according to one embodiment of the present invention;
FIG. 4 shows a block diagram of an electronic device according to an embodiment of the invention.
[ detailed description ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Example one
Fig. 1 shows a flowchart of a reverse shell process detection method according to an embodiment of the present invention.
As shown in fig. 1, a flow of a reverse shell process detection method according to an embodiment of the present invention includes:
step 102, acquiring process information of a target process.
The process information of the target process comprises: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
In particular, the process identifier may be denoted pid_t, the file descriptor fd_t, the inode number of the file pointed to by the file descriptor inode_t, and the mode value of the file pointed to by the file descriptor mode_t.
Step 104, generating a target directed graph based on the process information and the initialization graph structure.
And constructing a target directed graph by taking each target process as a node in an initialization graph structure and combining process information of each target process as an edge establishing condition. In the target directed graph, nodes corresponding to target processes with common characteristics are connected to form a loop, so that the integration of the common characteristics of the target processes is realized, and the common characteristics are extracted from reverse shell processes in the target processes in the graph building process. In other words, the target directed graph integrates and connects target processes with common characteristics, which is beneficial to quickly identifying and detecting a large number of reverse shell processes.
And step 106, determining the state of the target loop in the target directed graph.
The states of the target loop include the presence and the absence of a target loop: if a target loop is present, the loop containing a reverse shell process can be further screened out from the target loops; if no target loop is present, no reverse shell process exists.
Thus, determining the state of the target loop in the target directed graph is helpful to further screen out loops with reverse shell processes.
The target loop search algorithm may be a depth-first algorithm, or the target loop may alternatively be obtained by traversing the key-value data nodes of the directed graph.
Step 108, determining whether the target process is a reverse shell process according to the state of the target loop.
Specifically, if a target loop exists in the target directed graph, whether the name of the target loop is related to a specified shell name is judged, and if yes, the target process is determined to be a reverse shell process.
After the target loop is obtained, the target loop is determined to correspond to a reverse shell process when the process name in the target loop is detected to be the designated shell name.
According to this technical scheme, the target directed graph is built from the process information of each target process; target processes with common characteristics are integrated and connected in the target directed graph, and the common characteristics of reverse shell processes are extracted and connected, which facilitates the rapid identification and detection of a large number of reverse shell processes, improves the detection efficiency and accuracy of reverse shell processes, and improves the security of the system.
Example two
On the basis of the first embodiment, the method for constructing the directed graph according to one embodiment of the invention comprises the following steps:
step 202, adding the process information to the initialization graph structure to obtain a middle graph structure.
First, each target process is taken as a node in the initialization graph structure, and the process information of each target process is used as the node attribute information of that node, to construct the intermediate graph structure.
Second, because the number of target processes is large, effective target processes need to be screened out as effective nodes. Specifically, for each target process, if the mode value of the file pointed to by the file descriptor in the target process is a pipe type or a socket type, the target process is used as a node of the initialization graph structure, and the process information of that target process is set as the node attribute information of the node, to obtain the intermediate graph structure.
The mode value of the file pointed to by the file descriptor can be tested with the S_ISFIFO macro and the S_ISSOCK macro.
If the S_ISFIFO macro returns true, the mode value of the file pointed to by the file descriptor is the pipe type, and the target process owning the file descriptor can be added to the initialization graph structure as a node.
If the S_ISSOCK macro returns true, the mode value of the file pointed to by the file descriptor is the socket type, and the target process owning the file descriptor can be added to the initialization graph structure as a node.
Step 204, performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
Specifically, the node attribute information of the node corresponding to each target process in the intermediate graph structure, that is, the process information of that target process, is examined against the preset rule; the target nodes whose node attribute information satisfies the preset rule are selected from the intermediate graph structure and subjected to directed connection processing, so as to obtain the target directed graph.
An implementation form of the preset rule is described below through the third embodiment, and of course, the preset rule may be flexibly set based on an actual reverse shell process detection requirement, including but not limited to the case given in the third embodiment.
Example three
On the basis of the first embodiment and the second embodiment, as shown in fig. 2, the method for constructing the directed graph according to one embodiment of the present invention includes:
step 302, for each target process, adding the target process as a node into the initialization graph structure when the mode value of the file descriptor of the target process pointing to the file is a pipe type or a socket type.
Step 304, for any first node and any second node in the initialization graph structure, judging whether the process identifiers of the first node and the second node are different, if so, entering step 306, otherwise, entering step 310.
The process identifier serves as the identification code of a process and identifies it uniquely, so when the process identifiers of the first node and the second node are different, the first node and the second node belong to different target processes; conversely, if the process identifiers of the first node and the second node are the same, the first node and the second node belong to the same target process.
Step 306, establishing an edge between the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the files pointed to by the file descriptors of the first node and the second node have the same inode number.
Step 308, establishing an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error, the files pointed to by the file descriptors of the first node and the second node have the same inode number, and the file descriptor of the second node is neither standard output nor standard error.
A file descriptor is an index into the table of open files that the kernel maintains for each process. Three standard descriptors are distinguished, namely standard input, standard output and standard error, whose values are 0, 1 and 2 respectively.
If the files pointed to by the file descriptors of the first node and the second node have the same inode number while the file descriptor values themselves differ, the first node and the second node access the same pointed-to file from different target processes, and so the two nodes have a commonality.
In steps 306 and 308, the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input, that is, from the node whose file descriptor is not 0 to the node whose file descriptor is 0.
Step 310, establishing an edge between the first node and the second node when the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input.
Here the edge points from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input, that is, from the node whose file descriptor value is not 0 to the node whose file descriptor value is 0.
Step 312, establishing an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error.
Here the edge points from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error, that is, from the node whose file descriptor value is neither 1 nor 2 to the node whose file descriptor value is 1 or 2.
For the case that the first node and the second node belong to the same target process, when the file descriptors of the first node and the second node are different, the first node and the second node have relevance and sequence, namely, have common characteristics, so that an edge can be established for the first node and the second node.
Therefore, the creation of the target directed graph is completed based on the process information and the initialized graph structure of each target process, the target processes with common characteristics are integrated and connected by the target directed graph, the rapid identification and detection of a large number of reverse shell processes are facilitated, and the detection efficiency and accuracy of the reverse shell processes are improved.
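The detection flow of Example one (steps 102 to 108) together with the node admission and edge rules of Example three (steps 302 to 312), carried through in Python as an added example; this is not code from the patent or its applicant. It assumes a hypothetical shell-name list SHELL_NAMES, Linux /proc semantics for the optional collector, and, where the text leaves the direction of the cross-process output edge (step 308) ambiguous, the same direction as the within-process rule of step 312; the sample process snapshot is constructed, not captured.

```python
import os
import stat
from collections import defaultdict

STDIN, STDOUT, STDERR = 0, 1, 2
# Specified shell names (assumed list; the patent leaves the concrete set to the deployment).
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

def is_pipe_or_socket(mode):
    """Step 302: a (pid, fd) pair becomes a node only if the file is a FIFO or a socket."""
    return stat.S_ISFIFO(mode) or stat.S_ISSOCK(mode)

def build_nodes(process_info):
    """Step 202: process_info holds (pid, fd, inode, mode, comm) tuples; returns {(pid, fd): attrs}."""
    nodes = {}
    for pid, fd, inode, mode, comm in process_info:
        if is_pipe_or_socket(mode):
            nodes[(pid, fd)] = {"pid": pid, "fd": fd, "inode": inode, "comm": comm}
    return nodes

def connect(nodes):
    """Steps 304 to 312: apply the preset edge rules; returns {node: set of successor nodes}."""
    adj = defaultdict(set)
    for a, na in nodes.items():
        for b, nb in nodes.items():
            # Across processes an edge needs a shared inode; within one process it does not.
            if a == b or not (na["pid"] == nb["pid"] or na["inode"] == nb["inode"]):
                continue
            # Steps 306/310: stdin rule, edge from the non-stdin node to the stdin node.
            if na["fd"] == STDIN and nb["fd"] != STDIN:
                adj[b].add(a)
            # Steps 308/312: stdout/stderr rule, edge from the other node to the stdout/stderr
            # node (direction assumed to match step 312 where the text is ambiguous).
            if na["fd"] in (STDOUT, STDERR) and nb["fd"] not in (STDOUT, STDERR):
                adj[b].add(a)
    return adj

def find_loops(adj):
    """Step 106: depth-first search; returns loops as node lists that start and end on one node."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    path, loops = [], []

    def dfs(u):
        colour[u] = GREY
        path.append(u)
        for v in adj.get(u, ()):
            if colour[v] == GREY:               # back edge: v is still on the current path
                loops.append(path[path.index(v):] + [v])
            elif colour[v] == WHITE:
                dfs(v)
        path.pop()
        colour[u] = BLACK

    for u in list(adj):
        if colour[u] == WHITE:
            dfs(u)
    return loops

def detect_reverse_shells(process_info, shell_names=SHELL_NAMES):
    """Steps 102 to 108: pids of loop members whose process name is a specified shell name."""
    nodes = build_nodes(process_info)
    flagged = set()
    for loop in find_loops(connect(nodes)):
        for key in loop:
            if nodes[key]["comm"] in shell_names:
                flagged.add(nodes[key]["pid"])
    return flagged

def collect_from_proc(proc="/proc"):
    """Step 102 on Linux (assumes /proc is readable, normally as root): os.stat() on
    /proc/<pid>/fd/<n> follows the descriptor link and yields the inode and mode behind it."""
    info = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
            for name in os.listdir(f"{proc}/{entry}/fd"):
                st = os.stat(f"{proc}/{entry}/fd/{name}")
                info.append((int(entry), int(name), st.st_ino, st.st_mode, comm))
        except OSError:
            continue   # process exited or its fd table is not readable
    return info

# Constructed sample snapshot (not real /proc data): pid 4242 is a shell with fds 0, 1, 2 on one
# socket; pid 4300 is a shell on a terminal (char device, not admitted); 4400/4401 share a pipe.
SAMPLE = [
    (4242, 0, 91001, stat.S_IFSOCK | 0o777, "bash"),
    (4242, 1, 91001, stat.S_IFSOCK | 0o777, "bash"),
    (4242, 2, 91001, stat.S_IFSOCK | 0o777, "bash"),
    (4300, 0, 5, stat.S_IFCHR | 0o620, "bash"),
    (4300, 1, 5, stat.S_IFCHR | 0o620, "bash"),
    (4401, 1, 77002, stat.S_IFIFO | 0o600, "cat"),
    (4400, 0, 77002, stat.S_IFIFO | 0o600, "grep"),
    (4400, 1, 5, stat.S_IFCHR | 0o620, "grep"),
]

if __name__ == "__main__":
    print("reverse shell candidates:", sorted(detect_reverse_shells(SAMPLE)))
```

Note that the cross-process rules also join the two ends of an ordinary pipeline (the cat/grep pair in the sample forms a loop), so the shell-name check of step 108 is what keeps ordinary pipelines out of the result.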
Fig. 3 is a block diagram illustrating an apparatus for reverse shell process detection according to an embodiment of the present invention.
As shown in fig. 3, an embodiment of the present invention provides an apparatus 400 for detecting a reverse shell process, including: a process information acquiring unit 402 configured to acquire process information of a target process; a target directed graph generating unit 404, configured to generate a target directed graph based on the process information and the initialized graph structure; a loop state determining unit 406, configured to determine a state of a target loop in the target directed graph; a reverse shell determining unit 408, configured to determine whether the target process is a reverse shell process according to the state of the target loop.
In the above embodiment of the present invention, optionally, the state of the target loop includes: the presence and absence of a target loop; the reverse shell determination unit 408 is configured to: and if the target directed graph has the target loop, judging whether the name of the target loop is related to the appointed shell name, and if so, determining that the target process is a reverse shell process.
In the foregoing embodiment of the present invention, optionally, the target directed graph generating unit 404 includes: the intermediate graph structure generating unit is used for adding the process information into the initialization graph structure to obtain an intermediate graph structure; and the node connection unit is used for performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the intermediate graph structure generating unit is configured to: for each target process, if the mode value of the file descriptor in the target process pointing to the file is a pipeline type or a socket type, the target process is used as a node of the initialized graph structure, and the process information of the target process is set as the node attribute information of the node to obtain the intermediate graph structure.
In the foregoing embodiment of the present invention, optionally, the process information of the target process includes: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: and selecting a target node in the intermediate graph structure based on the node attribute information of each node in the intermediate graph structure and the preset rule, and performing directed connection processing on the target node to obtain the target directed graph.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are different, establish an edge between the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same; and establish an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error, the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same, and the file descriptor of the second node is neither standard output nor standard error; wherein the edge is directed from the one of the first node and the second node whose file descriptor value is not standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establish an edge between the first node and the second node when the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input, wherein the edge is directed from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
In the above embodiment of the present invention, optionally, the node connecting unit is configured to: for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establish an edge between the first node and the second node when the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error, wherein the edge is directed from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error.
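As an added example that is not part of the patent or of any code by the applicant, the following Python sketch implements the detection described in the passages above (and restated in claims 1 to 9): it makes one node per pipe- or socket-type file descriptor, adds edges by the four rules, finds loops as strongly connected components of the target directed graph, and flags loops that involve a process whose name matches a specified shell name. Everything beyond those rules is an assumption of the example: the FdInfo record (the process name is assumed to be read from /proc/<pid>/comm), the set of shell names, the direction of the cross-process stdout/stderr edge (taken to follow the data from the writing end to the descriptor that reads it, since the translated text is ambiguous there), reading a loop as "related to the specified shell name" when a process on it carries that name, and the sample descriptor records, which are constructed rather than real /proc output.

```python
from collections import defaultdict
from dataclasses import dataclass

STDIN, STDOUT, STDERR = 0, 1, 2
# Assumption of this example: the "specified shell names" the text refers to.
SHELL_NAMES = frozenset({"sh", "bash", "dash", "zsh"})


@dataclass(frozen=True)
class FdInfo:
    """One descriptor of one process: the process information the text lists (pid,
    fd value, inode and mode of the file it points to) plus the process name,
    assumed to be read from /proc/<pid>/comm."""
    pid: int
    comm: str
    fd: int
    inode: int
    mode: str  # "pipe" (FIFOs included), "socket", "file", "tty", ...


def build_graph(fds):
    """Intermediate graph: one (pid, fd) node per pipe- or socket-type descriptor.
    Target directed graph: the four edge rules of the text applied to every pair."""
    nodes = [f for f in fds if f.mode in ("pipe", "socket")]
    adj = defaultdict(set)
    for a in nodes:
        for b in nodes:
            na, nb = (a.pid, a.fd), (b.pid, b.fd)
            if a.pid != b.pid:
                if a.inode != b.inode:
                    continue  # cross-process edges require a shared inode
                if a.fd == STDIN and b.fd != STDIN:
                    adj[nb].add(na)  # rule 1: other process's fd -> this stdin
                elif a.fd in (STDOUT, STDERR) and b.fd not in (STDOUT, STDERR):
                    # rule 2, direction assumed to follow the data: from the
                    # stdout/stderr end to the descriptor that reads it
                    adj[na].add(nb)
            else:
                if a.fd == STDIN and b.fd != STDIN:
                    adj[nb].add(na)  # rule 3: non-stdin fd -> stdin, same pid
                elif a.fd in (STDOUT, STDERR) and b.fd not in (STDOUT, STDERR):
                    adj[nb].add(na)  # rule 4: non-stdout/stderr fd -> stdout/stderr
    return [(f.pid, f.fd) for f in nodes], adj


def strongly_connected_components(nodes, adj):
    """Tarjan's algorithm; a component with more than one node is a loop."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in adj.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component; pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return comps


def detect_reverse_shells(fds, shell_names=SHELL_NAMES):
    """Return (loops, flagged_pids): every loop of the target directed graph and the
    pids of shell-named processes sitting on a loop (the assumed name check)."""
    nodes, adj = build_graph(fds)
    comm = {f.pid: f.comm for f in fds}
    loops = [c for c in strongly_connected_components(nodes, adj) if len(c) > 1]
    flagged = {pid for loop in loops for pid, _ in loop if comm[pid] in shell_names}
    return loops, sorted(flagged)


# Constructed sample records, not real /proc output: a benign three-stage pipeline,
# a shell with stdin/stdout/stderr all on one socket, and a shell joined to a
# network client process through a FIFO and two pipes.
SAMPLE_FDS = [FdInfo(*r) for r in [
    (101, "cat", 0, 11, "file"), (101, "cat", 1, 100, "pipe"),
    (102, "grep", 0, 100, "pipe"), (102, "grep", 1, 101, "pipe"),
    (103, "sort", 0, 101, "pipe"), (103, "sort", 1, 12, "tty"),
    (201, "bash", 0, 200, "socket"), (201, "bash", 1, 200, "socket"),
    (201, "bash", 2, 200, "socket"),
    (301, "cat", 0, 300, "pipe"), (301, "cat", 1, 301, "pipe"),
    (302, "sh", 0, 301, "pipe"), (302, "sh", 1, 302, "pipe"), (302, "sh", 2, 302, "pipe"),
    (303, "nc", 0, 302, "pipe"), (303, "nc", 1, 300, "pipe"), (303, "nc", 3, 400, "socket"),
]]

if __name__ == "__main__":
    loops, flagged = detect_reverse_shells(SAMPLE_FDS)
    for loop in loops:
        print("loop:", sorted(loop))
    print("reverse shell pids:", flagged)  # [201, 302]
```

Note that the benign pipeline also produces a loop (grep's stdin and stdout are both pipes, so rules 3 and 4 join them in both directions); it is the shell-name check on the loop that keeps it from being reported, which is why the text treats loop existence and loop name as two separate steps. On a live Linux host the FdInfo records would come from os.listdir and os.readlink over /proc/<pid>/fd together with os.stat on each entry, using stat.S_ISFIFO and stat.S_ISSOCK to fill the mode field.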
The reverse shell process detection apparatus 300 uses the scheme described in any of the above embodiments, and therefore, has all the technical effects described above, and is not described herein again.
FIG. 4 shows a block diagram of an electronic device according to an embodiment of the invention.
As shown in FIG. 4, an electronic device 500 of one embodiment of the invention includes at least one memory 502; and a processor 504 communicatively coupled to the at least one memory 502; wherein the memory stores instructions executable by the at least one processor 504, the instructions being configured to perform the scheme described in any of the above embodiments. Therefore, the electronic device 500 has the same technical effects as any of the above embodiments, and will not be described herein again.
The electronic device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) mobile communication devices, which are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) The ultra-mobile personal computer equipment belongs to the category of personal computers, has calculation and processing functions and generally has the characteristic of mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as ipads.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g., ipods), handheld game consoles, electronic books, smart toys, and portable car navigation devices.
(4) The server is similar to a general computer architecture, but has higher requirements on processing capability, stability, reliability, safety, expandability, manageability and the like because of the need of providing highly reliable services.
(5) Other electronic devices with data interaction functions.
In addition, an embodiment of the present invention provides a computer storage medium, which stores computer-executable instructions for executing the method flow described in any of the above embodiments.
Furthermore, an embodiment of the present invention provides a computer program product, which, when run on an electronic device, causes the electronic device to execute the method flow described in any one of the above first aspects.
The technical scheme of the invention has been described in detail with reference to the drawings. The target directed graph is built from the process information of each target process together with the initialized graph structure; it gathers and connects the target processes that share common characteristics, which makes it possible to identify and detect a large number of reverse shell processes quickly and improves the efficiency and accuracy of reverse shell process detection.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, etc. may be used to describe nodes in embodiments of the present invention, these nodes should not be limited by these terms. These terms are only used to distinguish one node from another. For example, a first node may also be referred to as a second node, and similarly, a second node may also be referred to as a first node, without departing from the scope of embodiments of the present invention.
The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a Processor (Processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (21)

1. A reverse shell process detection method is characterized by comprising the following steps:
acquiring process information of a target process;
generating a target directed graph based on the process information and the initialization graph structure;
determining a state of a target loop in the target directed graph;
and determining whether the target process is a reverse shell process or not according to the state of the target loop.
2. The method of claim 1,
the states of the target loop include: the presence and absence of a target loop;
the step of determining whether the target process is a reverse shell process according to the state of the target loop comprises the following steps:
if the target directed graph has a target loop, judging whether the name of the target loop is related to the specified shell name;
and if so, determining that the target process is a reverse shell process.
3. The method according to claim 1 or 2, wherein the step of generating a target directed graph based on the process information and an initialization graph structure comprises:
adding the process information to the initialization graph structure to obtain a middle graph structure;
and performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
4. The method of claim 3, wherein the step of adding the process information to the initialization graph structure to obtain an intermediate graph structure comprises:
for each target process, if the mode value of the file descriptor in the target process pointing to the file is a pipeline type or a socket type, the target process is used as a node of the initialized graph structure, and the process information of the target process is set as the node attribute information of the node to obtain the intermediate graph structure.
5. The method of claim 4,
the process information of the target process comprises: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
6. The method according to claim 5, wherein the step of performing a directed connection process on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph comprises:
and selecting a target node in the intermediate graph structure based on the node attribute information of each node in the intermediate graph structure and the preset rule, and performing directed connection processing on the target node to obtain the target directed graph.
7. The method according to claim 6, wherein the step of performing a directed connection process on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph comprises:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are different,
establishing an edge for the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same;
establishing an edge for the first node and the second node when the file descriptor of the first node is standard output or standard error, the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same, and the file descriptor of the second node is neither standard output nor standard error;
wherein the edge is directed from the one of the first node and the second node whose file descriptor value is not standard input to the other node whose file descriptor value is standard input.
8. The method according to claim 6, wherein the step of performing a directed connection process on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph comprises:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same,
establishing an edge for the first node and the second node if the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input, wherein,
the edge is directed from the one of the first node and the second node whose file descriptor value is not standard input to the other node whose file descriptor value is standard input.
9. The method according to claim 6, wherein the step of performing a directed connection process on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph comprises:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same,
establishing an edge for the first node and the second node if the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error, wherein,
the edge is directed from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error.
10. An apparatus for detecting a reverse shell process, comprising:
the process information acquisition unit is used for acquiring the process information of the target process;
the target directed graph generating unit is used for generating a target directed graph based on the process information and the initialized graph structure;
a loop state determination unit, configured to determine a state of a target loop in the target directed graph;
and the reverse shell determining unit is used for determining whether the target process is a reverse shell process according to the state of the target loop.
11. The apparatus of claim 10, wherein the state of the target loop comprises: the presence and absence of a target loop;
the reverse shell determination unit is configured to:
and if the target directed graph has the target loop, judging whether the name of the target loop is related to the appointed shell name, and if so, determining that the target process is a reverse shell process.
12. The apparatus according to claim 10 or 11, wherein the target directed graph generating unit comprises:
the intermediate graph structure generating unit is used for adding the process information into the initialization graph structure to obtain an intermediate graph structure;
and the node connection unit is used for performing directed connection processing on the nodes of the intermediate graph structure according to a preset rule to obtain the target directed graph.
13. The apparatus of claim 12, wherein the intermediate graph structure generating unit is configured to:
for each target process, if the mode value of the file descriptor in the target process pointing to the file is a pipeline type or a socket type, the target process is used as a node of the initialized graph structure, and the process information of the target process is set as the node attribute information of the node to obtain the intermediate graph structure.
14. The apparatus of claim 13,
the process information of the target process comprises: a process identifier of the target process, a value of a file descriptor in the target process, an inode number of the file descriptor pointing to a file, and a mode value of the file descriptor pointing to a file.
15. The apparatus of claim 14, wherein the node connection unit is configured to:
and selecting a target node in the intermediate graph structure based on the node attribute information of each node in the intermediate graph structure and the preset rule, and performing directed connection processing on the target node to obtain the target directed graph.
16. The apparatus of claim 15, wherein the node connection unit is configured to:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are different, establishing an edge for the first node and the second node when the file descriptor of the first node is standard input, the file descriptor of the second node is non-standard input, and the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same; establishing an edge for the first node and the second node when the file descriptor of the first node is standard output or standard error, the inode numbers of the files pointed to by the file descriptors of the first node and the second node are the same, and the file descriptor of the second node is neither standard output nor standard error; wherein the edge is directed from the one of the first node and the second node whose file descriptor value is not standard input to the other node whose file descriptor value is standard input.
17. The apparatus of claim 15, wherein the node connection unit is configured to:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establishing an edge for the first node and the second node when the file descriptor of the first node is standard input and the file descriptor of the second node is non-standard input, wherein the edge is directed from the one of the first node and the second node whose file descriptor value is non-standard input to the other node whose file descriptor value is standard input.
18. The apparatus of claim 15, wherein the node connecting unit is configured to:
for any first node and any second node in the intermediate graph structure, if the process identifiers of the first node and the second node are the same, establishing an edge for the first node and the second node when the file descriptor of the first node is standard output or standard error and the file descriptor of the second node is neither standard output nor standard error, wherein the edge is directed from the one of the first node and the second node whose file descriptor value is neither standard output nor standard error to the other node whose file descriptor value is standard output or standard error.
19. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 9.
20. A computer storage medium having stored thereon computer-executable instructions for performing the method flow of any of claims 1-9.
21. A computer program product, characterized in that it causes an electronic device to perform the method flow of any of claims 1 to 9 when it is run on the electronic device.
CN202111360536.0A 2021-11-17 2021-11-17 Reverse shell process detection method and device, electronic equipment, computer storage medium and program product Pending CN114064981A (en)
Publications (1)

Publication Number Publication Date
CN114064981A true CN114064981A (en) 2022-02-18

Family

ID=80273319
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination