WO2021046811A1 - Method, device and computer storage medium for determining attack behavior - Google Patents

Method, device and computer storage medium for determining attack behavior

Info

Publication number
WO2021046811A1
Authority
WO
WIPO (PCT)
Prior art keywords
specified operation
instruction execution
actual
execution logic
logic sequence
Application number
PCT/CN2019/105747
Other languages
English (en)
French (fr)
Inventor
徐贵斌
Original Assignee
奇安信安全技术(珠海)有限公司
奇安信科技集团股份有限公司
Application filed by 奇安信安全技术(珠海)有限公司 and 奇安信科技集团股份有限公司
Priority to PCT/CN2019/105747
Priority to CN201980094807.7A
Publication of WO2021046811A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to the field of information network security, in particular to a method, a device, a computer storage medium and a computing device for determining an attack behavior.
  • APT Advanced Persistent Threat
  • Advanced Persistent Threat (APT) is a network attack and intrusion launched by hackers against a customer for the purpose of stealing core information; it is a premeditated "malicious commercial espionage threat". Such behavior is usually the product of long-term operation and planning and is highly covert.
  • the attack method of APT is to conceal oneself and steal data from a specific target in a long-term, planned and organized manner. This act of stealing information and collecting information in the digital space is a kind of "cyber espionage" behavior.
  • ordinary attacks usually do not have a clear target: any vulnerable system within reach is attacked indiscriminately, and follow-up work begins the moment the attack succeeds.
  • an APT attack usually has a clear target chosen in advance, and systems that are not the target are not attacked even if they have vulnerabilities. It also has a clear purpose, mainly theft. After the attack succeeds it does not act immediately but hides; only when certain conditions are met, or the target object appears, does it strike quickly to accomplish its intended purpose.
  • APT attacks usually use exclusive private vulnerabilities and write exclusive private attack codes.
  • the vulnerabilities and code do not spread on a large scale, so it is difficult for security companies to obtain samples, and therefore difficult to discover APT attacks through "feature matching".
  • APT attacks usually remain in a hidden state, and there is little additional activity before the instruction to launch the formal attack is received or before the attack target appears, so it is also difficult for security software to detect APT attacks through "behavior identification".
  • APT attacks are usually launched by states or organizations. They have abundant resources and can implement various effective forms of concealment, hiding themselves within the code of normal software and hardware and waiting for an opportunity to act silently.
  • the once-sensational Stuxnet virus fully demonstrated the concealment, harmfulness and difficulty of defending against APT attacks.
  • the target of the Stuxnet virus attack was clear: a nuclear plant in a certain country.
  • the attack cycle was very long: it first infected the nuclear plant's system maintenance contractor and lay in wait until an infected device entered the isolated network of its real target, the nuclear plant, then spread laterally, infected the industrial control system and damaged the nuclear industrial facilities; the whole process took about one year.
  • the present invention is proposed to provide a method, device, computer storage medium and computing device for determining attack behaviors that overcome the above-mentioned problems or at least partially solve the above-mentioned problems, which can effectively discover various attack behaviors.
  • a method for judging attack behavior, including: monitoring the actual execution of a specified operation and obtaining its actual instruction execution logic sequence; comparing that sequence with the preset instruction execution logic sequence of the specified operation; and, if the two are inconsistent, determining that an attack is occurring.
  • the designated operation includes an operation on a key file or a key location.
  • monitoring the actual execution of the specified operation and obtaining its actual instruction execution logic sequence includes: monitoring the actual flow of the code executed by the central processing unit, recording and saving information about the branch instructions it actually executed, and extracting the actual instruction execution logic sequence of the specified operation from that saved information; or requesting that monitoring capability from the platform or operating system and extracting the sequence on the basis of the requested capability.
  • alternatively, a hook is set to monitor the actual execution of the specified operation; the specified operation is captured by the hook during its actual execution, and its actual instruction execution logic sequence is obtained.
  • the preset instruction execution logic sequence of the specified operation is collected in a trusted environment, or is determined from multiple instruction execution logic sequences collected on a single computer and/or on multiple computers.
  • an apparatus for judging attack behavior including:
  • the monitoring module is adapted to monitor the actual execution of the specified operation, and obtain the actual instruction execution logic sequence of the specified operation;
  • the comparison module is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • the determination module is adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the designated operation is inconsistent with the preset instruction execution logic sequence of the designated operation.
  • the designated operation includes an operation on a key file or a key location.
  • the monitoring module is further adapted to: monitor the actual flow of the code executed by the central processing unit, record and save information about the branch instructions it actually executed, and extract the actual instruction execution logic sequence of the specified operation from that saved information.
  • the monitoring module is further adapted to: request from the platform or the operating system the capability to monitor the actual flow of the code executed by the central processing unit and to record and save information about the branch instructions it actually executed, and, on the basis of the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.
  • the monitoring module is further adapted to: set a hook for monitoring the actual execution of the specified operation, and use the hook to capture the specified operation during its actual execution and obtain its actual instruction execution logic sequence.
  • the device further includes a first collection module adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  • the device further includes a second collection module adapted to collect multiple instruction execution logic sequences involved in the actual execution of the specified operation on a single computer and to determine the preset instruction execution logic sequence of the specified operation on the basis of those sequences, and/or to do the same across multiple computers.
  • a computer storage medium stores computer program code which, when run on a computing device, causes the computing device to execute the foregoing method for judging attack behavior.
  • a computing device includes a processor and a memory storing computer program code which, when executed by the processor, causes the computing device to perform the above method for judging attack behavior.
  • the embodiment of the present invention moves away from the level of "code features and behaviors" and innovatively works at the level of the instruction execution logic sequence: the preset instruction execution logic sequence of the specified operation is compared with the actual one, and when they are inconsistent it is determined that an attack is occurring, so that various attack behaviors can be found effectively.
  • the embodiment of the present invention can monitor, in a targeted manner, the actual execution of a designated operation on a key file or key location, obtain the actual instruction execution logic sequence of that operation, and compare it with the preset instruction execution logic sequence; when the comparison is inconsistent it is determined that an attack is occurring, which improves the efficiency of attack determination and discovers the attack in time so that corresponding protective measures can be taken.
  • Figure 1 shows the execution logic diagram of a complete program;
  • Figure 2 shows a flowchart of a method for judging an attack according to an embodiment of the present invention;
  • Figure 3 shows a flowchart of a method for judging an attack according to another embodiment of the present invention;
  • Figure 4 shows a flowchart of instruction execution according to yet another embodiment of the present invention;
  • Figure 5 shows a structural diagram of a device for determining attack behavior according to an embodiment of the present invention;
  • Figure 6 shows a structural diagram of a device for determining attack behavior according to another embodiment of the present invention.
  • the code is composed of a set of predefined instructions.
  • call: call; mov: move; cmp: compare; jnz: conditional jump according to the comparison result.
  • this code has exactly this execution logic from beginning to end and it will not change; unless the code itself is changed, the logic will not change.
  • Figure 1 is a diagram of the execution logic of a complete program. It can be seen from Figure 1 that the execution logic of the entire program is composed of countless "conditional judgments" and "branches"; different branches are executed according to different conditions, and together they form an execution chain.
  • Fig. 2 shows a flowchart of a method for judging an attack according to an embodiment of the present invention. As shown in Figure 2, the method may include the following steps S201 to S203:
  • step S201: monitor the actual execution of the specified operation and obtain the actual instruction execution logic sequence of the specified operation;
  • step S202: compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • step S203: if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation, determine that an attack is occurring.
  • the embodiment of the present invention innovatively works at the level of the instruction execution logic sequence and compares the preset instruction execution logic sequence of the specified operation with the actual one; when the comparison is inconsistent, it is determined that an attack is occurring, which effectively discovers all kinds of attacks.
  • the above-mentioned designated operation may be various sensitive operations on key files or key locations.
  • the key file here may be a file that is more important to enterprises or individual users, or a file that is more important to the system, etc., which is not limited in the embodiment of the present invention.
  • the key location here may be a system directory, a key disk area, etc., which is not limited in the embodiment of the present invention. Attackers attack these key files or key locations to achieve the purpose of stealing data and obtaining permissions.
  • the embodiment of the present invention can monitor, in a targeted manner, the actual execution of the designated operation on a key file or key location, obtain the actual instruction execution logic sequence of that operation, and compare it with the preset instruction execution logic sequence; when the comparison is inconsistent, it is determined that an attack is occurring, which improves the efficiency of attack determination and discovers the attack in time so that corresponding protective measures can be taken.
  • in step S201 the actual execution of the specified operation is monitored and the actual instruction execution logic sequence of the specified operation is obtained.
  • the embodiment of the present invention provides optional schemes for this, such as using an existing monitoring capability or setting up monitoring, which are described in detail below.
  • the actual flow of code execution by the central processing unit can be monitored, and information about the branch instructions it actually executed recorded and saved; the actual instruction execution logic sequence of the specified operation is then extracted from the saved branch instruction information.
  • chip manufacturers, hardware manufacturers or operating system manufacturers can also integrate instruction execution sequence monitoring into the system; embodiments of the present invention can then request the corresponding capability, obtain branch instruction information on the basis of it, and extract the actual instruction execution logic sequence of the specified operation from that information.
  • the preset instruction execution logic sequence of the specified operation mentioned in step S202 above is the instruction execution logic sequence of the specified operation in the normal operation scenario, which can be specifically collected in the following manner.
  • the first way is to collect preset instructions for specified operations to execute logic sequences in a trusted environment.
  • the trusted environment here may be a factory system environment or a legally digitally signed system environment of a regular company, etc.
  • the embodiment of the present invention may select a trusted environment according to actual needs, and there is no limitation on this.
  • manner two: on a single computer, collect multiple instruction execution logic sequences involved in the actual execution of the specified operation, and determine the preset instruction execution logic sequence of the specified operation on the basis of them.
  • for example, if the collected instruction execution logic sequences of the specified operation are all sequence P, sequence P can be determined as the preset instruction execution logic sequence of the specified operation. It should be noted that the examples here are only illustrative and do not limit the present invention.
  • manner three: on multiple computers, collect one or more instruction execution logic sequences involved in the actual execution of the specified operation on each computer, and determine the preset instruction execution logic sequence of the specified operation on the basis of the one or more sequences corresponding to each computer.
  • for example, if the instruction execution logic sequences generated by the actual execution of the specified operation on each computer are all sequence P, sequence P can be determined as the preset instruction execution logic sequence of the specified operation. It should be noted that the examples here are only illustrative and do not limit the present invention.
  • manners two and three above rest on the principle that "for the same program or the same piece of code, provided all conditions are consistent, exactly the same execution chain is obtained". In a normal operating scenario, whether the same instruction sequence under the same condition is collected many times on a single computer or once each on many computers, the collected sequences should be identical; if they differ, an anomaly must exist, such as a hook point carrying APT attack code.
  • if the purpose of an APT attacker is to steal every file whose name contains the word "secret", then when designing the working logic there is little more to do than read the file after it has been created successfully and check whether its title contains the word "confidential"; if so, send it back, and if not, ignore it.
  • steps S301 to S303 can be used to discover attack behavior.
  • step S301 the actual execution of the file operation is monitored, and the actual instruction execution logic sequence of the file operation is obtained.
  • the file operation can specifically be an operation on a "secret" file.
  • step S302 the actual instruction execution logic sequence of the file operation is compared with the preset instruction execution logic sequence of the file operation.
  • step S303 if the actual instruction execution logic sequence of the file operation is inconsistent with the preset instruction execution logic sequence of the file operation, it is determined that the APT attack behavior is occurring.
  • the method can then return to step S301 to continue monitoring the actual execution of the file operation.
  • when the Stuxnet virus launched its APT attack on a nuclear plant in a certain country, it used a shortcut parsing vulnerability in the Windows operating system (vulnerability number: MS10-046). Its exploitation principle and instruction execution process are shown in Figure 4.
  • LoadLibrary is called to load the specified DLL/CPL file.
  • the first three execution logics 1, 2 and 3 are the normal shortcut parsing logic, because the flag bit is always non-zero under normal circumstances.
  • not only file operations but any other operations can be judged by the present invention on the basis of the instruction execution logic sequence, to discover abnormal logic introduced by an APT attack.
  • for example, during the system startup phase, the normal instruction logic of the code in the BIOS (Basic Input Output System) and hardware firmware is collected. If malicious code is present it will act when certain conditions are met (such as a specific time); when it begins to act its logic inevitably changes, and it is discovered by the comparison of instruction execution logic sequences.
  • the embodiment of the present invention takes the discovery of APT attacks as an example only because APT attacks are harder to detect than ordinary attacks; this does not mean that the present invention can only detect APT attacks, and it is equally effective against ordinary attacks.
  • the present invention is independent of the platform (such as Intel, AMD, ARM, etc.) and of the operating system (such as Windows, Linux, etc.), and can be applied to any platform and system.
  • an embodiment of the present invention also provides a device for judging attack behavior.
  • Fig. 5 shows a structural diagram of a device for determining an attack behavior according to an embodiment of the present invention.
  • the device may include a monitoring module 510, a comparison module 520, and a determination module 530.
  • the monitoring module 510 is adapted to monitor the actual execution of the specified operation and obtain the actual instruction execution logic sequence of the specified operation;
  • the comparison module 520 coupled with the monitoring module 510, is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • the determination module 530 coupled with the comparison module 520, is adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation.
  • the designated operation includes an operation on a key file or a key location.
  • the monitoring module 510 is further adapted to: monitor the actual flow of the code executed by the central processing unit, record and save information about the branch instructions it actually executed, and extract the actual instruction execution logic sequence of the specified operation from that saved information.
  • the monitoring module 510 is further adapted to: request from the platform or operating system the capability to monitor the actual flow of code executed by the CPU and to record and save information about the branch instructions it actually executed, and, on the basis of the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.
  • the monitoring module 510 is further adapted to: set a hook for monitoring the actual execution of the specified operation, and use the hook to capture the specified operation during its actual execution and obtain its actual instruction execution logic sequence.
  • the device for determining the attack behavior shown in FIG. 5 above may further include:
  • a first collection module 610, coupled with the comparison module 520 and adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  • the device for determining the attack behavior shown in FIG. 5 above may further include:
  • a second collection module 620, coupled with the comparison module 520 and adapted to collect multiple instruction execution logic sequences involved in the actual execution of the specified operation on a single computer and to determine the preset instruction execution logic sequence of the specified operation on the basis of those sequences;
  • the embodiments of the present invention also provide a computer storage medium storing computer program code which, when run on a computing device, causes the computing device to perform the aforementioned attack determination method.
  • an embodiment of the present invention also provides a computing device, including a processor and a memory storing computer program code which, when executed by the processor, causes the computing device to perform the aforementioned method for determining attack behavior.
  • the functional units in the various embodiments of the present invention may be physically independent of each other, or two or more functional units may be integrated together, or all functional units may be integrated in one processing unit.
  • the above-mentioned integrated functional unit can be implemented in the form of hardware, or in the form of software or firmware.
  • if the integrated functional unit is implemented in the form of software and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • on this understanding, the technical solution of the present invention, in essence, or all or part of it, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes a number of instructions that cause a computing device (for example a personal computer, a server or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention.
  • the aforementioned storage media include: USB flash drives, removable hard disks, read only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.
  • all or part of the steps of the foregoing method embodiments may be implemented by a program instructing related hardware (computing devices such as a personal computer, a server or a network device); the program instructions may be stored in a computer readable storage medium, and when executed by the processor of the computing device they cause the computing device to execute all or part of the steps of the methods described in the embodiments of the present invention.


Abstract

The present invention discloses a method, device, computer storage medium and computing device for determining attack behavior. The method includes: monitoring the actual execution of a specified operation and obtaining the actual instruction execution logic sequence of the specified operation; comparing the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation; and, if the actual instruction execution logic sequence of the specified operation is inconsistent with its preset instruction execution logic sequence, determining that an attack is occurring. Embodiments of the present invention leave the level of "code features and behaviors" and innovatively work at the level of the instruction execution logic sequence: the preset instruction execution logic sequence of the specified operation is compared with the actual instruction execution logic sequence, and when the comparison is inconsistent an attack is determined to be occurring, which can effectively discover all kinds of attack behaviors.

Description

Method, device and computer storage medium for determining attack behavior
Technical field
The present invention relates to the field of information network security, and in particular to a method, device, computer storage medium and computing device for determining attack behavior.
Background
APT (Advanced Persistent Threat) refers to network attacks and intrusions launched by hackers against a customer for the purpose of stealing core data; it is a premeditated "malicious commercial espionage threat". Such activity is usually the product of long-term operation and planning and is highly covert. The APT attack technique consists in concealing oneself and stealing data from a specific target in a long-term, planned and organized manner; this theft of data and gathering of intelligence in the digital space is a form of "cyber espionage".
The biggest differences between an APT attack and an ordinary network attack are purposefulness and long-term persistence. An ordinary attack usually has no definite target: any vulnerable system within the attack's reach is attacked indiscriminately, and follow-up work, whether destruction, theft or control, begins the moment the attack succeeds. An APT attack, by contrast, usually has a definite target chosen in advance, and systems that are not its target will not be attacked even if they are vulnerable. It also has a definite purpose, mainly theft. After the attack succeeds it does not act immediately but hides, and only once certain conditions are met, or the target object appears, does it strike quickly to accomplish its predetermined purpose.
Technically, an APT attack usually uses exclusive private vulnerabilities and exclusive private attack code; the vulnerabilities and code do not spread widely, so security companies can hardly obtain samples and therefore can hardly discover APT attacks by "feature matching". In addition, an APT attack normally stays hidden: before it receives the instruction to launch the formal attack, or before the attack target appears, little extra activity occurs, so security software also finds it hard to discover APT attacks by "behavior identification". Finally, APT attacks are usually launched by states or organizations with abundant resources at their disposal; they can implement all kinds of effective concealment, hiding quietly within the code of normal software and hardware and waiting for an opportunity to act.
The once-sensational Stuxnet virus fully demonstrated how covert, harmful and hard to defend against an APT attack is.
The target of the Stuxnet attack was definite: the nuclear plant of a certain country.
The resources invested were huge: four operating-system 0-day vulnerabilities and two industrial-control-system 0-day vulnerabilities were forged into a complete combined attack chain.
The attack cycle was very long: it first infected the nuclear plant's system maintenance contractor and lay in wait until an infected device entered the isolated network of its real target, the nuclear plant, then spread laterally, infected the industrial control systems and damaged the nuclear industrial facilities, taking about a year from start to finish.
It used trusted programs as cover: the core drivers of the attack components carried legitimate digital signatures.
Current security technology still detects malicious attacks at the level of "comparison against malicious code features" and "triggering of sensitive or dangerous behaviors", and it usually grants default trust to the system itself and to programs carrying a legitimate digital signature from a reputable company, exempting them from inspection.
Consequently, against an APT attack that has no known features, shows no activity in normal times, and may even be covered by a trusted program, current security technology has no real detection or protection effect, and this technical problem urgently needs to be solved.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method, device, computer storage medium and computing device for determining attack behavior that overcome, or at least partly solve, the above problems and can effectively discover all kinds of attack behaviors.
According to one aspect of embodiments of the present invention, a method for determining attack behavior is provided, comprising:
monitoring the actual execution of a specified operation and obtaining the actual instruction execution logic sequence of the specified operation;
comparing the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation, determining that an attack is occurring.
Optionally, the specified operation includes an operation on a key file or key location.
Optionally, monitoring the actual execution of the specified operation and obtaining its actual instruction execution logic sequence comprises:
monitoring the actual flow of code execution by the central processing unit, and recording and saving information about the branch instructions the central processing unit actually executed;
extracting the actual instruction execution logic sequence of the specified operation from the saved branch-instruction information.
Optionally, monitoring the actual execution of the specified operation and obtaining its actual instruction execution logic sequence comprises:
requesting from the platform or operating system the capability to monitor the actual flow of code execution by the central processing unit and to record and save information about the branch instructions the central processing unit actually executed;
extracting, on the basis of the requested capability, the actual instruction execution logic sequence of the specified operation from the branch-instruction information.
Optionally, monitoring the actual execution of the specified operation and obtaining its actual instruction execution logic sequence comprises:
setting a hook that monitors the actual execution of the specified operation;
using the hook to capture the specified operation while it is actually executing, and obtaining its actual instruction execution logic sequence.
Optionally, the preset instruction execution logic sequence of the specified operation is collected as follows:
collecting the preset instruction execution logic sequence of the specified operation in a trusted environment.
Optionally, the preset instruction execution logic sequence of the specified operation is collected as follows:
on a single computer, collecting multiple instruction execution logic sequences involved in the actual execution of the specified operation, and determining the preset instruction execution logic sequence of the specified operation on the basis of those sequences;
and/or
on multiple computers, collecting one or more instruction execution logic sequences involved in the actual execution of the specified operation on each computer, and determining the preset instruction execution logic sequence of the specified operation on the basis of the one or more sequences corresponding to each computer.
According to another aspect of embodiments of the present invention, a device for determining attack behavior is provided, comprising:
a monitoring module adapted to monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;
a comparison module adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
a determination module adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation.
Optionally, the specified operation includes an operation on a key file or key location.
Optionally, the monitoring module is further adapted to: monitor the actual flow of code execution by the central processing unit, and record and save information about the branch instructions the central processing unit actually executed; and extract the actual instruction execution logic sequence of the specified operation from the saved branch-instruction information.
Optionally, the monitoring module is further adapted to: request from the platform or operating system the capability to monitor the actual flow of code execution by the central processing unit and to record and save information about the branch instructions the central processing unit actually executed; and, on the basis of the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch-instruction information.
Optionally, the monitoring module is further adapted to: set a hook that monitors the actual execution of the specified operation; and use the hook to capture the specified operation while it is actually executing and obtain its actual instruction execution logic sequence.
Optionally, the device further comprises:
a first collection module adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
Optionally, the device further comprises:
a second collection module adapted to collect, on a single computer, multiple instruction execution logic sequences involved in the actual execution of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation on the basis of those sequences;
and/or
to collect, on multiple computers, one or more instruction execution logic sequences involved in the actual execution of the specified operation on each computer, and to determine the preset instruction execution logic sequence of the specified operation on the basis of the one or more sequences corresponding to each computer.
According to yet another aspect of embodiments of the present invention, a computer storage medium is provided that stores computer program code which, when run on a computing device, causes the computing device to perform the above method for determining attack behavior.
According to a further aspect of embodiments of the present invention, a computing device is provided, comprising a processor and a memory storing computer program code which, when run by the processor, causes the computing device to perform the above method for determining attack behavior.
By means of the above technical solution, embodiments of the present invention leave the level of "code features and behaviors" and innovatively work at the level of the instruction execution logic sequence: the preset instruction execution logic sequence of the specified operation is compared with the actual instruction execution logic sequence, and when the comparison is inconsistent an attack is determined to be occurring, which can effectively discover all kinds of attack behaviors.
Further, embodiments of the present invention can monitor, in a targeted manner, the actual execution of specified operations on key files or key locations, obtain the actual instruction execution logic sequence of such an operation, and then compare it with the preset instruction execution logic sequence; when the comparison is inconsistent, an attack is determined to be occurring. This improves the efficiency of attack determination and discovers attacks in time so that corresponding protective measures can be taken.
The above is merely an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made more apparent, specific embodiments of the present invention are set out below.
The above and other objects, advantages and features of the present invention will become clearer to those skilled in the art from the following detailed description of specific embodiments of the present invention with reference to the accompanying drawings.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of it; the illustrative embodiments of the present invention and their description serve to explain the invention and do not improperly limit it. In the drawings:
Figure 1 shows the execution logic diagram of a complete program;
Figure 2 shows a flowchart of a method for determining attack behavior according to one embodiment of the present invention;
Figure 3 shows a flowchart of a method for determining attack behavior according to another embodiment of the present invention;
Figure 4 shows a flowchart of instruction execution according to yet another embodiment of the present invention;
Figure 5 shows a structural diagram of a device for determining attack behavior according to one embodiment of the present invention; and
Figure 6 shows a structural diagram of a device for determining attack behavior according to another embodiment of the present invention.
Detailed description
Exemplary embodiments of the present invention are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention may be implemented in various forms and is not limited to the embodiments set out here. Rather, these embodiments are provided so that the present invention may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
As introduced above, some attack behaviors, such as APT attacks, are hard to discover with current feature-matching or behavior-identification techniques. To discover such attacks effectively, the inventor arrived at the following inventive idea, which is described in detail below.
First, every behavior in a computer is implemented by code, and code is a combination of predefined instructions.
For example:
FF 15 8C 0E 87 6B         call ds:_imp_CreateFilew@28
8B F0                     mov esi,eax
83 FE FF                  cmp esi,0FFFFFFFFh
75 33                     jnz short loc_6B818B38
FF 15 C4 0D 87 6B         call ds:_imp_GetLastError@0
83 F8 02                  cmp eax,2
75 23                     jnz short loc_6B818B33
以上的一段汇编代码,它实现了以下功能逻辑:
1、调用***API(Application Programming Interface,应用编程接口)CreateFile来创建一个文件;
2、判断文件是否创建成功;
3、如果成功,则跳转到loc_6B818B38处去执行下面的动作;
4、如果不成功,则调用GetLastError来获取错误码;
5、如果错误码不等于2,则跳转到loc_6B818B33处执行。
它用到了以下的指令:
call:调用;mov:移动;cmp:比较;jnz:按比较结果进行逻辑跳转。
发明人发现,代码一旦编译好,就是固定不变的,而指令的执行逻辑,也是固定不变的。
比如:只要文件创建成功,则一定会“跳转到loc_6B818B38处去执行”;如果创建不成功,则一定会“调用GetLastError”;如果错误码不等于2,则一定会“跳转到loc_6B818B33处执行”。
这段代码,自始至终固定了就是这个执行逻辑,不会有任何的变化,除非这段代码发生改变,否则逻辑就不会变。
图1是一个完整的程序的执行逻辑关系图,从图1中可见,整个程序的执行逻辑,是无数个“条件判断”和“分支”组成,依据不同的条件来执行不同的分支,最终会形成一条执行链路。
由此,发明人得出一个结论,对同一个程序或同一段代码而言,当一切条件都保持一致的前提下,会得到一个完全一样的执行链条,即,一组完全 一致的指令执行逻辑序列。
For the code exemplified above, as long as the condition "file created successfully" is unchanged, the instruction execution logic sequence is fixed. Ignoring the instructions that are irrelevant to the logic and keeping only the jump-type instructions that change the execution route yields the following instruction execution logic sequence:
1. call CreateFile
2. jnz loc_6B818B38
The remaining instructions, call GetLastError and jnz loc_6B818B33, are not executed and therefore do not enter the instruction execution sequence.
Based on the above concept, the inventor proposes a scheme for discovering attacks on the basis of instruction execution logic sequences. Fig. 2 shows a flowchart of an attack behavior determination method according to one embodiment of the present invention. As shown in Fig. 2, the method may include the following steps S201 to S203:
Step S201: monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;
Step S202: compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
Step S203: if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation, determine that an attack is in progress.
The embodiments of the present invention innovatively work at the level of the instruction execution logic sequence: the preset sequence of a specified operation is compared with the actual one, and when they differ an attack is determined to be in progress. This allows attacks of all kinds to be discovered effectively.
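Steps S201 to S203 applied to the listing above, as an added example that is not part of the patent. A branch tracer of the LBR/BTM kind (or a single-step hook) yields pairs of (source address, destination address) for every taken branch; the example reduces such a trace to the mnemonic plus symbolic target of each branch and compares the result with a baseline. All addresses, the symbol table and the three traces are constructed for illustration: the base address 0x6B818AF8 is an assumption, chosen so that the listing's own rel8 encodings (75 33 and 75 23) resolve to loc_6B818B38 and loc_6B818B33 as the listing says, and returns are assumed to have been filtered out by the tracer.

```python
"""Added example (not the patent's code): reduce a taken-branch trace to an
instruction execution logic sequence and compare it with a baseline (S201-S203).
Every address, symbol name and trace is constructed for illustration."""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Branch(NamedTuple):
    """One taken control transfer as a branch tracer records it."""
    src: int  # address of the branch instruction
    dst: int  # address it transferred control to


# Static disassembly of the monitored code, keyed by instruction address.
# Assumed base 0x6B818AF8; the rel8 jumps then land exactly on the named labels.
DISASM: Dict[int, Tuple[str, str]] = {
    0x6B818AF8: ("call", "ds:__imp__CreateFileW@28"),  # 6 bytes
    0x6B818AFE: ("mov", "esi,eax"),                    # 2 bytes
    0x6B818B00: ("cmp", "esi,0FFFFFFFFh"),             # 3 bytes
    0x6B818B03: ("jnz", "short loc_6B818B38"),         # 2 bytes: 75 33
    0x6B818B05: ("call", "ds:__imp__GetLastError@0"),  # 6 bytes
    0x6B818B0B: ("cmp", "eax,2"),                      # 3 bytes
    0x6B818B0E: ("jnz", "short loc_6B818B33"),         # 2 bytes: 75 23
}

# Constructed symbol table for branch destinations. Hardware traces carry raw
# addresses; resolving them to labels/exports keeps sequences comparable across
# runs and machines even when modules load at different bases.
SYMBOLS: Dict[int, str] = {
    0x6B818B38: "loc_6B818B38",
    0x6B818B33: "loc_6B818B33",
    0x75C0A010: "kernel32!CreateFileW",
    0x75C0B2F0: "kernel32!GetLastError",
}

CONDITIONAL = {"jz", "jnz", "je", "jne", "jb", "jae", "jl", "jge", "jle", "jg",
               "ja", "jbe", "js", "jns", "jc", "jnc", "jo", "jno"}
CONTROL_TRANSFER = CONDITIONAL | {"call", "jmp", "ret"}


def symbolize(addr: int) -> str:
    return SYMBOLS.get(addr, f"unknown_{addr:08X}")


def logic_sequence(trace: List[Branch]) -> List[str]:
    """Step S201: keep, for every taken branch, its mnemonic and symbolic target.
    A branch whose source lies outside the known code is kept as '??' rather than
    dropped, so an unexpected code region (e.g. a hook) shows up in the sequence
    instead of silently disappearing from it."""
    seq: List[str] = []
    for br in trace:
        mnemonic = DISASM.get(br.src, ("??", ""))[0]
        if mnemonic != "??" and mnemonic not in CONTROL_TRANSFER:
            # A tracer never reports a transfer from mov/cmp: treat as corruption.
            raise ValueError(f"branch from non-branch instruction at {br.src:08X}")
        seq.append(f"{mnemonic} {symbolize(br.dst)}")
    return seq


def first_divergence(actual: List[str], baseline: List[str]) -> Optional[int]:
    """Steps S202/S203: None when the sequences are identical, otherwise the index
    of the first step that differs (a shorter or longer sequence also diverges)."""
    for i, (a, b) in enumerate(zip(actual, baseline)):
        if a != b:
            return i
    return None if len(actual) == len(baseline) else min(len(actual), len(baseline))


def attack_in_progress(trace: List[Branch], baseline: List[str]) -> bool:
    return first_divergence(logic_sequence(trace), baseline) is not None


# Baseline for the "file created successfully" path, as collected in a trusted
# environment: the two-entry sequence the text derives.
BASELINE_SUCCESS = ["call kernel32!CreateFileW", "jnz loc_6B818B38"]

# Constructed traces (returns assumed filtered out by the tracer).
BENIGN_SUCCESS = [Branch(0x6B818AF8, 0x75C0A010), Branch(0x6B818B03, 0x6B818B38)]
# IAT hook: the call lands in an unknown region, which tail-jumps to the real API.
HOOKED_SUCCESS = [Branch(0x6B818AF8, 0x10002000), Branch(0x10002047, 0x75C0A010),
                  Branch(0x6B818B03, 0x6B818B38)]
# Legitimate failure path (file not created, error != 2): it also diverges from
# the success baseline, so a baseline is only valid for one set of conditions.
BENIGN_FAILURE = [Branch(0x6B818AF8, 0x75C0A010), Branch(0x6B818B05, 0x75C0B2F0),
                  Branch(0x6B818B0E, 0x6B818B33)]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_SUCCESS), ("hooked", HOOKED_SUCCESS),
                        ("failure path", BENIGN_FAILURE)]:
        seq = logic_sequence(trace)
        print(f"{name:13s} {seq} -> divergence at {first_divergence(seq, BASELINE_SUCCESS)}")
```

The hooked trace diverges at step 0 because the call no longer lands on the API; the failure-path trace diverges too, which is the practical consequence of the premise "provided all conditions remain the same": a preset sequence must be collected for every legitimate condition (success, each error code) of the operation, or benign paths will be reported as attacks.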
In an optional embodiment of the present invention, the specified operation mentioned above may be any sensitive operation on a key file or a key location. A key file here may be a file that is important to an enterprise or to an individual user, or a file that is important to the system, and so on; the embodiments of the present invention place no limitation on this. A key location may be a system directory, a critical disk region and so on, likewise without limitation. Attackers target such key files or key locations in order to steal data, obtain privileges and the like.
The embodiments of the present invention may specifically monitor the actual execution of specified operations on key files or key locations, obtain the actual instruction execution logic sequence of those operations, then compare it with the preset instruction execution logic sequence, and determine that an attack is in progress when the two differ. This improves the efficiency of attack determination and allows attacks to be found promptly, so that corresponding protective measures can be taken.
For the monitoring of the actual execution of the specified operation in step S201 and the acquisition of its actual instruction execution logic sequence, the embodiments of the present invention provide optional schemes that either use an existing monitoring capability or set up monitoring; each is described in detail below.
In scheme one, the actual flow of code execution by the central processing unit (CPU) is monitored, and information about the branch instructions the CPU actually executes is recorded and saved; the actual instruction execution logic sequence of the specified operation is then extracted from the saved branch instruction information.
In scheme two, a request is made to the platform or operating system for the capability of monitoring the actual flow of code execution by the CPU and of recording and saving information about the branch instructions actually executed; based on the granted capability, the actual instruction execution logic sequence of the specified operation is extracted from the branch instruction information.
In this scheme, the instruction execution monitoring capability may be implemented differently on different platforms, for example with the BTM (Branch Trace Message) mechanism introduced with the Pentium processor or the LBR (Last Branch Recording) mechanism introduced with the P6 processor; either provides the corresponding capability. Both record taken branches only, so a sequence built from them contains no fall-through (not-taken) conditional branches, and the LBR stack holds only a limited number of the most recent branches, which must be read out before the stack wraps if a whole operation is to be reconstructed.
Moreover, chip vendors, hardware vendors or operating system vendors may build instruction execution sequence monitoring into the system. The embodiments of the present invention may then request the corresponding capability, obtain the branch instruction information through it, and extract the actual instruction execution logic sequence of the specified operation from that information.
In scheme three, a hook that monitors the actual execution of the specified operation is installed; the hook is then used to capture the specified operation while it actually executes and to obtain its actual instruction execution logic sequence.
The preset instruction execution logic sequence of the specified operation mentioned in step S202 is the instruction execution logic sequence of the specified operation in a normal operating scenario. It may be collected in the following ways.
Way one: collect the preset instruction execution logic sequence of the specified operation in a trusted environment. The trusted environment here may be a factory system environment, a system environment carrying the legitimate digital signature of a reputable company, and so on; the embodiments of the present invention may select the trusted environment according to actual needs, without limitation.
Way two: on a single computer, collect multiple instruction execution logic sequences produced by actual executions of the specified operation, and determine the preset instruction execution logic sequence of the specified operation from them.
For example, if the 20 instruction execution logic sequences collected from actual executions of the specified operation are all sequence P, then sequence P may be determined as the preset instruction execution logic sequence of the specified operation. Note that this example is merely illustrative and does not limit the present invention.
Way three: on multiple computers, collect the one or more instruction execution logic sequences produced by actual executions of the specified operation on each computer, and determine the preset instruction execution logic sequence of the specified operation from the sequences corresponding to the several computers.
For example, if on 30 computers the instruction execution logic sequences produced by actual executions of the specified operation are all sequence P, then sequence P may be determined as the preset instruction execution logic sequence of the specified operation. Again, this example is merely illustrative and does not limit the present invention.
Ways two and three rest on the principle that "for the same program or the same piece of code, provided all conditions remain the same, an identical execution chain results". In a normal operating scenario, whether the same instruction sequence is collected repeatedly under the same conditions on a single computer or in a distributed fashion across multiple computers, all the collected sequences should be identical; if any differ, an anomaly must exist, for example a HOOK point placed by APT attack code. Because the principle holds only while the code itself is unchanged, the sequences being compared must come from the same build of the code, and a sequence collected under a different condition (for instance the failure path of the operation) is not evidence of an attack but of an uncontrolled collection condition.
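Ways two and three as a baseline-derivation routine, added here as an example that is not part of the patent. Observations are keyed by source (a run id on one computer for way two, a host name for way three); the most frequent sequence becomes the preset, and any sequence that disagrees is reported as an outlier for investigation rather than merged into the baseline. Host names, run ids and the sequences themselves are constructed; sequence P is taken from the text's examples.

```python
"""Added example (not the patent's code): derive the preset instruction execution
logic sequence from repeated observations on one computer (way two) or across
many (way three) and report every observation that breaks the rule
'same code, same conditions, same chain'.  All data is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

Seq = Tuple[str, ...]


@dataclass
class Baseline:
    sequence: Seq        # the preset instruction execution logic sequence
    support: float       # fraction of observations equal to it
    unanimous: bool      # True when every observation agreed
    outliers: Dict[str, List[Seq]] = field(default_factory=dict)  # source -> deviations


def derive_baseline(observations: Dict[str, Sequence[Sequence[str]]],
                    min_observations: int = 3) -> Baseline:
    """observations maps a source (host, or run id on a single host) to the
    sequences it collected for the specified operation under the same conditions
    and the same build of the code.  The most frequent sequence becomes the preset;
    anything else is an outlier (a hook, or a condition the collection did not
    control) and is never silently absorbed into the baseline."""
    counts: Counter = Counter()
    for seqs in observations.values():
        for s in seqs:
            counts[tuple(s)] += 1
    total = sum(counts.values())
    if total < min_observations:
        raise ValueError(f"need at least {min_observations} observations, got {total}")
    ranked = counts.most_common(2)
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        # Two sequences tie: nothing is dominant, so no preset can be trusted.
        raise ValueError("no majority sequence; check collection conditions")
    preset, n = ranked[0]
    outliers = {src: [tuple(s) for s in seqs if tuple(s) != preset]
                for src, seqs in observations.items()}
    outliers = {src: devs for src, devs in outliers.items() if devs}
    return Baseline(preset, n / total, len(counts) == 1, outliers)


# Sequence P from the text's examples (constructed content).
P: Seq = ("call kernel32!CreateFileW", "jnz loc_6B818B38")

# Way two: 20 runs on a single computer, all yielding P.
single_host = {"run-%02d" % i: [P] for i in range(20)}

# Way three: 30 computers; host-17 shows an extra hop through an unknown code
# region, the kind of deviation the text attributes to a hook.
fleet = {f"host-{i:02d}": [P] for i in range(30)}
fleet["host-17"] = [("call unknown_10002000", "?? kernel32!CreateFileW", "jnz loc_6B818B38")]

if __name__ == "__main__":
    print(derive_baseline(single_host))
    print(derive_baseline(fleet))
```

With the fleet data the preset is still P (29 of 30 agree), but the result is not unanimous and host-17 is listed with its deviating sequence, which is the case the text describes: in a normal scenario the sequences must all be identical, so a disagreeing host is the one to examine.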
Having described several implementations of each part of the embodiment shown in Fig. 2, the attack behavior determination method provided by the embodiments of the present invention is further explained below through specific embodiments.
In one specific embodiment, suppose an APT attacker's goal is to steal the data of every file marked "confidential". In designing its working logic, it can do no more than, after a file has been created successfully, read the file and check whether its title contains "confidential"; if it does, the file is sent back, otherwise it is ignored.
However the attacker designs this operating logic, the instruction execution logic sequence of the file operation changes accordingly, because "check" and "send back" logic is added to the logic chain, and neither exists under normal circumstances.
First, the instruction execution logic with APT attack code present is necessarily different from that without it.
Second, the instruction execution logic when operating on a "confidential" file is in turn different from that when operating on a "non-confidential" file.
Therefore, as shown in Fig. 3, steps S301 to S303 may be used to discover the attack.
Step S301: monitor the actual execution of a file operation and obtain the actual instruction execution logic sequence of the file operation.
In this step, the file operation may specifically be an operation on a "confidential" file.
Step S302: compare the actual instruction execution logic sequence of the file operation with the preset instruction execution logic sequence of the file operation.
Step S303: if the actual instruction execution logic sequence of the file operation does not match the preset instruction execution logic sequence of the file operation, determine that an APT attack is in progress.
If the actual instruction execution logic sequence of the file operation matches the preset one, determine that no APT attack is occurring, and return to step S301 to continue monitoring the actual execution of file operations.
A further example that actually occurred in reality: when the Stuxnet virus launched an APT attack on the nuclear facility of a certain country, it used a shortcut-parsing vulnerability in the Windows operating system (Microsoft bulletin MS10-046, CVE-2010-2568); its exploitation principle and instruction execution flow are shown in Fig. 4.
The execution logic of the Windows operating system when parsing a shortcut is as follows (simplified here):
1. Call GetIconLocationW;
2. Test a particular flag in the shortcut;
3. If the flag is non-zero, call LookupIconIndex;
4. If the flag is zero, call CPL_FindCPLInfo;
5. Then call CPL_LoadAndFindApplet;
6. Finally call LoadLibrary to load the specified DLL/CPL file.
The first three steps, 1, 2 and 3, are the normal shortcut-parsing logic, because under normal circumstances that flag is always non-zero.
When the APT attacker attacks, however, the particular flag in the malicious shortcut is set to "zero", which triggers the special execution logic: the shortcut-parsing logic changes and proceeds into steps 4, 5 and 6, so that the attacker's malicious DLL is loaded and executed and the attack is complete.
When the embodiments of the present invention collect the instruction execution logic sequence of normal shortcut-parsing operations, obviously only the execution logic of steps 1 to 3 can be collected, never that of steps 4 to 6.
But when the APT attack occurs, the instruction logic of steps 4 to 6 must appear in the instruction execution logic sequence, and the comparison of instruction execution logic sequences will inevitably expose the APT attack.
It should be noted that the present invention may be applied not only to file operations but to any other operation, to judge its instruction execution logic sequence and so discover the abnormal logic caused by an APT attack.
For example, during system start-up the normal instruction logic of the code in the BIOS (Basic Input/Output System) and in hardware firmware may be collected. If malicious code is present there that acts maliciously only when a particular condition is met (such as a particular time), its logic will necessarily change when it begins to act, and the comparison of instruction execution logic sequences will inevitably detect it.
Although the embodiments of the present invention use the discovery of APT attacks as the example, this is only because APT attacks are harder to discover than ordinary attacks; it does not mean that the present invention can discover only APT attacks, and it works well against ordinary attacks too.
It should be noted that the present invention is independent of the platform (such as Intel, AMD or ARM) and of the operating system (such as Windows or Linux), and is applicable to any platform and system.
In practical applications, all the optional implementations above may be combined arbitrarily to form optional embodiments of the present invention, which are not enumerated one by one here.
Based on the attack behavior determination method provided by the above embodiments, and on the same inventive concept, the embodiments of the present invention further provide an attack behavior determination apparatus.
Fig. 5 shows a structural diagram of an attack behavior determination apparatus according to one embodiment of the present invention. As shown in Fig. 5, the apparatus may include a monitoring module 510, a comparison module 520 and a determination module 530.
The functions of the components of the attack behavior determination apparatus of the embodiments of the present invention, and the connections between them, are now described:
The monitoring module 510 is adapted to monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;
The comparison module 520, coupled to the monitoring module 510, is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
The determination module 530, coupled to the comparison module 520, is adapted to determine that an attack is in progress if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation.
In an optional embodiment of the present invention, the specified operation includes an operation on a key file or a key location.
In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: monitor the actual flow of code execution by the CPU and record and save information about the branch instructions the CPU actually executes; and extract the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.
In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: request from the platform or operating system the capability of monitoring the actual flow of code execution by the CPU and of recording and saving information about the branch instructions actually executed; and, based on the granted capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.
In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: install a hook that monitors the actual execution of the specified operation; and use the hook to capture the specified operation while it actually executes and obtain its actual instruction execution logic sequence.
In an optional embodiment of the present invention, as shown in Fig. 6, the attack behavior determination apparatus of Fig. 5 may further include:
a first collection module 610, coupled to the comparison module 520, adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
In an optional embodiment of the present invention, as shown in Fig. 6, the attack behavior determination apparatus of Fig. 5 may further include:
a second collection module 620, coupled to the comparison module 520, adapted to collect, on a single computer, multiple instruction execution logic sequences produced by actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation from them;
and/or
to collect, on multiple computers, the one or more instruction execution logic sequences produced by actual executions of the specified operation on each computer, and to determine the preset instruction execution logic sequence of the specified operation from the sequences corresponding to the several computers.
Based on the same inventive concept, the embodiments of the present invention further provide a computer storage medium storing computer program code which, when run on a computing device, causes the computing device to perform the attack behavior determination method described above.
Based on the same inventive concept, the embodiments of the present invention further provide a computing device comprising: a processor; and a memory storing computer program code; when the computer program code is run by the processor, the computing device is caused to perform the attack behavior determination method described above.
Those skilled in the art will clearly understand that, for the specific working processes of the systems, apparatuses, units and modules described above, reference may be made to the corresponding processes in the foregoing method embodiments; for brevity they are not repeated here.
In addition, the functional units in the embodiments of the present invention may be physically independent of one another, two or more functional units may be integrated together, or all functional units may be integrated in one processing unit. Such integrated functional units may be implemented in hardware, or in software or firmware.
Those of ordinary skill in the art will understand that, if the integrated functional units are implemented in software and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in whole or in part, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computing device (such as a personal computer, a server or a network device) executing them to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random-access memory (RAM), a magnetic disk or an optical disc.
Alternatively, all or part of the steps of the foregoing method embodiments may be performed by hardware associated with program instructions (a computing device such as a personal computer, a server or a network device); the program instructions may be stored in a computer-readable storage medium, and when they are executed by the processor of the computing device, the computing device performs all or part of the steps of the methods of the embodiments of the present invention.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that, within the spirit and principles of the present invention, the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and such modifications or replacements do not take the corresponding technical solution outside the scope of protection of the present invention.

Claims (16)

  1. An attack behavior determination method, characterized by comprising:
    monitoring the actual execution of a specified operation and obtaining an actual instruction execution logic sequence of the specified operation;
    comparing the actual instruction execution logic sequence of the specified operation with a preset instruction execution logic sequence of the specified operation;
    if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation, determining that an attack is in progress.
  2. The method according to claim 1, characterized in that the specified operation comprises an operation on a key file or a key location.
  3. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
    monitoring the actual flow of code execution by a central processing unit, and recording and saving information about the branch instructions actually executed by the central processing unit;
    extracting the actual instruction execution logic sequence of the specified operation from the saved information about the branch instructions.
  4. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
    requesting from a platform or operating system the capability of monitoring the actual flow of code execution by a central processing unit and of recording and saving information about the branch instructions actually executed by the central processing unit;
    based on the requested capability, extracting the actual instruction execution logic sequence of the specified operation from the information about the branch instructions.
  5. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
    installing a hook that monitors the actual execution of the specified operation;
    using the installed hook to capture the specified operation during its actual execution and obtaining the actual instruction execution logic sequence of the specified operation.
  6. The method according to claim 1 or 2, characterized in that the preset instruction execution logic sequence of the specified operation is collected in the following way:
    collecting the preset instruction execution logic sequence of the specified operation in a trusted environment.
  7. The method according to claim 1 or 2, characterized in that the preset instruction execution logic sequence of the specified operation is collected in the following way:
    on a single computer, collecting a plurality of instruction execution logic sequences involved in actual executions of the specified operation, and determining the preset instruction execution logic sequence of the specified operation based on the plurality of instruction execution logic sequences;
    and/or
    on a plurality of computers, collecting one or more instruction execution logic sequences involved in actual executions of the specified operation on each computer, and determining the preset instruction execution logic sequence of the specified operation based on the one or more instruction execution logic sequences corresponding to each computer.
  8. An attack behavior determination apparatus, characterized by comprising:
    a monitoring module adapted to monitor the actual execution of a specified operation and obtain an actual instruction execution logic sequence of the specified operation;
    a comparison module adapted to compare the actual instruction execution logic sequence of the specified operation with a preset instruction execution logic sequence of the specified operation;
    a determination module adapted to determine that an attack is in progress if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation.
  9. The apparatus according to claim 8, characterized in that the specified operation comprises an operation on a key file or a key location.
  10. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: monitor the actual flow of code execution by a central processing unit, and record and save information about the branch instructions actually executed by the central processing unit; and extract the actual instruction execution logic sequence of the specified operation from the saved information about the branch instructions.
  11. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: request from a platform or operating system the capability of monitoring the actual flow of code execution by a central processing unit and of recording and saving information about the branch instructions actually executed by the central processing unit; and, based on the requested capability, extract the actual instruction execution logic sequence of the specified operation from the information about the branch instructions.
  12. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: install a hook that monitors the actual execution of the specified operation; and use the installed hook to capture the specified operation during its actual execution and obtain the actual instruction execution logic sequence of the specified operation.
  13. The apparatus according to claim 8 or 9, characterized by further comprising:
    a first collection module adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  14. The apparatus according to claim 8 or 9, characterized by further comprising:
    a second collection module adapted to collect, on a single computer, a plurality of instruction execution logic sequences involved in actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation based on the plurality of instruction execution logic sequences;
    and/or
    to collect, on a plurality of computers, one or more instruction execution logic sequences involved in actual executions of the specified operation on each computer, and to determine the preset instruction execution logic sequence of the specified operation based on the one or more instruction execution logic sequences corresponding to each computer.
  15. A computer storage medium storing computer program code which, when run on a computing device, causes the computing device to perform the attack behavior determination method according to any one of claims 1 to 7.
  16. A computing device, comprising: a processor; and a memory storing computer program code; when the computer program code is run by the processor, the computing device is caused to perform the attack behavior determination method according to any one of claims 1 to 7.
PCT/CN2019/105747 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium WO2021046811A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/105747 WO2021046811A1 (zh) 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium
CN201980094807.7A CN113632432B (zh) 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021046811A1 true WO2021046811A1 (zh) 2021-03-18

Family

ID=74867332

Country Status (2)

Country Link
CN (1) CN113632432B (zh)
WO (1) WO2021046811A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113946869A (zh) * 2021-11-02 2022-01-18 深圳致星科技有限公司 Internal security attack detection method and apparatus for federated learning and privacy computing
CN115514548A (zh) * 2022-09-16 2022-12-23 北京易诚互动网络技术股份有限公司 Method and apparatus for safeguarding Internet application security
WO2023179461A1 (zh) * 2022-03-25 2023-09-28 华为技术有限公司 Method for handling suspected attack behavior and related apparatus

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640529B (zh) * 2022-03-24 2024-02-02 中国工商银行股份有限公司 Attack protection method, apparatus, device, storage medium and computer program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801031A (zh) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for determining that a known program is under attack using a program behavior knowledge base
WO2013089767A1 (en) * 2011-12-16 2013-06-20 Intel Corporation Method and system using exceptions for code specialization in a computer architecture that supports transactions
US20160012225A1 (en) * 2008-08-29 2016-01-14 AVG Netherlands B.V. System and method for the detection of malware
CN105577608A (zh) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and apparatus
CN109635565A (zh) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 Malicious program detection method, apparatus, computing device and computer storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973531B1 (en) * 2014-06-06 2018-05-15 Fireeye, Inc. Shellcode detection
CN105791261B (zh) * 2015-12-28 2019-06-21 华为技术有限公司 Cross-site scripting attack detection method and detection device
US10789361B2 (en) * 2016-01-24 2020-09-29 Minerva Labs Ltd. Ransomware attack remediation
US10990682B2 (en) * 2017-12-18 2021-04-27 Nuvoton Technology Corporation System and method for coping with fault injection attacks
EP3738058B1 (en) * 2018-01-12 2022-11-23 Virsec Systems, Inc. Defending against speculative execution exploits
CN108846287A (zh) * 2018-06-26 2018-11-20 北京奇安信科技有限公司 Method and apparatus for detecting vulnerability exploitation attacks
CN109829313B (zh) * 2019-02-28 2020-11-24 中国人民解放军战略支援部队信息工程大学 Method and apparatus for defending against SGX side-channel attacks based on code-reuse programming
CN110135166B (zh) * 2019-05-08 2021-03-30 北京国舜科技股份有限公司 Detection method and system for business logic vulnerability attacks

Also Published As

Publication number Publication date
CN113632432B (zh) 2023-09-19
CN113632432A (zh) 2021-11-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19945113; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19945113; Country of ref document: EP; Kind code of ref document: A1)