CN101877039A - Fault detection technology of server operating system - Google Patents


Info

Publication number
CN101877039A
Authority
CN
China
Prior art keywords
file
access
access control
catalogue
rule
Prior art date
Legal status
Pending
Application number
CN2009102306167A
Other languages
Chinese (zh)
Inventor
周水波
井明阳
Current Assignee
Inspur Electronic Information Industry Co Ltd
Original Assignee
Langchao Electronic Information Industry Co Ltd
Priority date
2009-11-23
Filing date
2009-11-23
Publication date
2010-11-03

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a fault detection technique for a server operating system. The technique comprises: (1) detecting file integrity by comparing feature codes and locating the file that has been modified; (2) replacing the modified file with a known-good copy and then placing the target file under mandatory access control by means of system hardening technology; and (3) recording the process that changed the file together with its full absolute path, detecting the destructive behaviour of the malicious process, and drawing up a plan for recovering the server from that process's behaviour. Compared with traditional products such as firewalls and antivirus software, this technique can quickly handle faults of the server operating system and locate the fault point by means of mandatory access control, and can quickly detect and locate faults caused by attacks on the server operating system, including known or unknown virus programs, rootkit-level backdoor trojans and the like.

Description

Fault detection technique for a server operating system
Technical field
The present invention relates to the field of computer system kernel hardening. It mainly controls the communication between the user layer and the system layer; its core is to rebuild the privilege access model in the kernel layer of the operating system and to implement mandatory access control in order to handle server faults and quickly locate the fault point and its cause.
Background technology
The rapid development of network technology has brought earth-shaking changes to information sharing, but it has also brought security risks. The ubiquitous and tight coupling of the Internet and intranets has made network security problems increasingly prominent. For a long time, the network security community has paid most of its attention to outward-facing, network-based protective technologies, while faults occurring in the server operating system itself have often been met with helplessness: they can neither be detected quickly nor can business service be restored quickly.
The security techniques in common use today are mainly firewall technology, intrusion detection system (IDS) technology and vulnerability scanner technology, but each of them has its limitations.
Firewall technology is said to be "one man holding the pass against ten thousand", and to some extent it has simplified network security management. However, an intruder may find a back door that the firewall leaves open, and attacks launched from inside the network behind the firewall essentially cannot be prevented by it.
Intrusion detection system (IDS) technology has difficulty keeping up with new intrusion patterns, and false alarms occur from time to time.
Vulnerability scanner technology has difficulty keeping up with new vulnerabilities and cannot truly scan for vulnerabilities comprehensively in real time.
In summary, precisely because of the limitations of the common network security technologies above, there is an urgent need to develop a technique that can quickly handle operating system faults, quickly restore business service and quickly locate the fault point. Combining this technique with application-layer software such as antivirus software, so that operating system faults are detected and handled quickly, will become the trend in the development of system security technology.
An outbreak of a virus or trojan is generally carried out through the following steps:
(1) writing to the system and replacing core system files;
(2) modifying the registry or related system configuration files;
(3) creating a process and adding itself to the startup items or to the services.
Other causes of system faults mainly include the following:
(1) a critical file is missing or was deleted by mistake, such as the startup boot files;
(2) a configuration file was maliciously changed, for example the server's IP address;
(3) a malicious driver was registered;
(4) a critical operating system file was modified or replaced.
Summary of the invention
The purpose of the present invention is to provide a fault detection technique for a server operating system.
The server operating system fault detection technique of the present invention is realised in the following manner and comprises the following content:
(1) detecting file integrity by comparing feature codes and determining the location of the file that has been modified;
(2) after replacing it with a normal file, placing the target file under mandatory access control by means of system hardening technology;
(3) recording the process that changed this file together with its concrete absolute path, so that the destructive behaviour of the malicious process can be detected, and drawing up a plan for recovering the server according to the behaviour of that process.
The concrete steps are as follows:
A security kernel module is added at the driver layer of the original operating system to handle and detect operating system faults. It intercepts and records all kernel access paths, thereby meeting the technical requirement of handling server faults. The privilege access model in the kernel layer of the operating system is rebuilt to implement mandatory access control, and mandatory access control technology is used to detect and handle system faults quickly, wherein:
1) At initialisation, the file system filter driver inserts the access rules one by one and allows specified nodes to be added or deleted dynamically at run time, so that all I/O requests to files or directories are intercepted. When an I/O request to a file or directory is intercepted, the rule linked list is traversed and the request is filtered according to the access rules: a request that satisfies a rule is passed on to the original service function immediately, otherwise it is discarded;
2) At initialisation, the registry access filter driver builds a doubly linked list and inserts the "read-only" registry entries one by one, and allows specified nodes to be added or deleted dynamically at run time, so that all read and write requests to registry entries are intercepted. When a read or write request to a registry entry is intercepted, the rule linked list is traversed and the request is filtered according to the rules: a request that satisfies a rule is passed on to the original service function immediately, otherwise it is discarded;
3) At initialisation, the process protection filter driver inserts the access rules one by one and allows specified nodes to be added or deleted dynamically at run time, so that all process enumeration requests are intercepted. When a process enumeration request is intercepted, the process list is modified according to the rule linked list and the modified list is passed on to the original service function;
4) After loading, the system registry is protected automatically: by filtering registry requests, the driver monitors in real time whether a service or driver is about to be registered, and when it finds a service or driver modifying the registry in order to register itself, the security kernel immediately and forcibly stops the registration of that service or driver;
5) A data summary is built for every file and subdirectory by a recursive algorithm and saved in a data file. The "content checksum" in it is the 16-byte hash result produced by the MD5 algorithm, which guarantees the uniqueness of the checksum while improving performance as far as possible. The final data file is encrypted with the RC2 algorithm to prevent unrelated users or rogue programs from changing the contents of the data file.
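As an added example (not code from the patent or its assignee), the following Python models in user space the rule chain that the filter drivers of steps 1) to 4) traverse: nodes can be inserted or removed at run time, a request that satisfies the matching rules is passed on to the original service function, anything else is dropped and recorded with subject, absolute path and operation, and a process enumeration is rewritten so that protected processes stay hidden. The class names and the sample rules are assumptions; the patent's own implementation is a set of kernel filter drivers.

```python
# Added example, not the patent's code: a user-space model of the rule chain
# traversed by the file, registry and process filter drivers of steps 1) to 4).
# Rule, Request, AccessFilter and the sample rules are constructed names.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One node of the chain: a protected object and what is still permitted on it."""
    kind: str                    # "file", "registry" or "process"
    pattern: str                 # glob over absolute path, registry key or process name
    allowed_ops: FrozenSet[str]  # operations any subject may perform ({"read"} = read-only)
    trusted: FrozenSet[str] = frozenset()  # subjects exempt from the restriction


@dataclass(frozen=True)
class Request:
    """An intercepted file I/O, registry or process request."""
    kind: str
    target: str
    op: str        # "read", "write", "create", "delete", "terminate", ...
    subject: str   # user or process that issued the request


class AccessFilter:
    def __init__(self) -> None:
        self.rules: List[Rule] = []            # the rule chain, traversed front to back
        self.audit: List[Dict[str, str]] = []  # the record later used to locate the fault

    def add_rule(self, rule: Rule, position: Optional[int] = None) -> None:
        """Insert a node at run time (appended when no position is given)."""
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position, rule)

    def remove_rule(self, rule: Rule) -> bool:
        """Delete a node at run time; False if it was not in the chain."""
        if rule in self.rules:
            self.rules.remove(rule)
            return True
        return False

    def _matching(self, kind: str, target: str) -> List[Rule]:
        return [r for r in self.rules
                if r.kind == kind and fnmatchcase(target.lower(), r.pattern.lower())]

    def dispatch(self, req: Request) -> bool:
        """True: pass the request to the original service function; False: drop it.
        Objects no rule covers pass through unrecorded. For protected objects the
        restriction binds every subject, the administrator included, unless the
        subject is listed as trusted in each matching rule."""
        rules = self._matching(req.kind, req.target)
        if not rules:
            return True
        permitted = all(req.op in r.allowed_ops or req.subject in r.trusted for r in rules)
        self.audit.append({"subject": req.subject, "kind": req.kind, "target": req.target,
                           "op": req.op, "decision": "allow" if permitted else "deny"})
        return permitted

    def filter_process_list(self, listing: List[str], subject: str) -> List[str]:
        """Step 3): rewrite a process enumeration so that protected processes are
        not visible to a subject the matching rules do not trust."""
        return [name for name in listing
                if all(subject in r.trusted for r in self._matching("process", name))]


def build_demo_filter() -> AccessFilter:
    """Constructed rule set: read-only system DLLs, a locked Services key, a guarded process."""
    f = AccessFilter()
    f.add_rule(Rule("file", r"C:\Windows\System32\*.dll", frozenset({"read"}),
                    frozenset({"TrustedInstaller"})))
    # Step 4): a new service or driver registers itself by writing under this key.
    f.add_rule(Rule("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\*", frozenset({"read"})))
    f.add_rule(Rule("process", "guard.exe", frozenset(), frozenset({"SYSTEM"})))
    return f
```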
The technique of the present invention is mainly made up of the following modules:
One, file mandatory access control module
Allows a user or process to set access rules with different access permissions on files and directories, and sets security levels for files, directories and users, with the security model enforcing access control by level. When any user, including the system administrator, or an unauthorised process performs an operation such as create, delete, modify or read on a sensitive file or directory, the operation is filtered according to the rules and the behaviour is recorded;
Two, registry mandatory access control module
Allows a process to set access rules with different access permissions on registry entries. When any user, including the system administrator, or an unauthorised process called by such a user performs a write operation on a registry entry that is set to "read-only" or "no access", the write is flatly refused and the behaviour is recorded in detail;
Three, process mandatory access control module
Allows a process to set access rules with different access permissions on processes; no user, including the system administrator, and no unauthorised process called by such a user has the right to terminate or operate on a protected process;
Four, service mandatory access control module
Through this module, newly added application services or drivers are discovered promptly and their registration is stopped forcibly and immediately, so as to achieve access control over services;
Five, application-layer file integrity detection module
The user specifies the key read-only directories for which check information is to be built and the name of the data file that holds it. The checking program automatically records the basic attributes and the content checksum of every file in the directory and periodically verifies the checksums, so as to verify the integrity of important files or directories.
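As an added example (not the patent's code) of module five and step 5), this Python script builds the recursive summary of a directory tree, stores it in a data file and later reports which absolute paths were modified, deleted or added. Two stated substitutions: the data file is protected with an HMAC-SHA256 tag rather than the RC2 encryption the patent names (RC2 is not in the standard library), and MD5 is kept only because the patent specifies it, not because it is collision resistant. The function names, sample files and key are constructed.

```python
# Added example, not the patent's code: application-layer integrity check of
# step 5) / module five. Function names, the sample tree and the key are constructed.
import hashlib, hmac, json, os, tempfile
from typing import Dict, List


def _md5(path: str) -> str:
    h = hashlib.md5()   # the algorithm the patent names; 16-byte digest
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Recursively record size, mode and MD5 checksum of every file, keyed by absolute path."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.abspath(os.path.join(dirpath, name))
            st = os.stat(path)
            baseline[path] = {"size": st.st_size, "mode": st.st_mode, "md5": _md5(path)}
    return baseline


def save_baseline(baseline: Dict[str, dict], data_file: str, key: bytes) -> None:
    """Store the summary under an HMAC-SHA256 tag (stand-in for the patent's RC2
    encryption) so an unrelated user or rogue program cannot silently edit it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    with open(data_file, "wb") as fh:
        fh.write(hmac.new(key, body, hashlib.sha256).hexdigest().encode() + b"\n" + body)


def load_baseline(data_file: str, key: bytes) -> Dict[str, dict]:
    """Refuse a data file whose tag no longer verifies."""
    with open(data_file, "rb") as fh:
        tag, body = fh.read().split(b"\n", 1)
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
        raise ValueError("integrity data file was tampered with")
    return json.loads(body)


def verify(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Absolute paths that were modified, deleted or added since the baseline was taken."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": sorted(set(current) - set(baseline))}
    for path, rec in sorted(baseline.items()):
        cur = current.get(path)
        if cur is None:
            report["missing"].append(path)
        elif cur["md5"] != rec["md5"] or cur["mode"] != rec["mode"]:
            report["modified"].append(path)
    return report


def run_demo() -> dict:
    """Constructed scenario: baseline three files, then replace one, delete one,
    drop one, and finally corrupt the data file itself."""
    key = b"constructed demo key"   # in deployment: a secret ordinary users cannot read
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "bin"))
        files = {"boot.cfg": b"kernel=vmlinuz\n", "bin/httpd": b"ELF original",
                 "hosts": b"127.0.0.1 localhost\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        data_file = os.path.join(store, "integrity.dat")
        save_baseline(build_baseline(root), data_file, key)
        with open(os.path.join(root, "bin/httpd"), "wb") as fh:   # replaced binary
            fh.write(b"ELF replaced")
        os.remove(os.path.join(root, "hosts"))                     # missing critical file
        with open(os.path.join(root, "evil.dll"), "wb") as fh:     # newly dropped file
            fh.write(b"MZ")
        report = verify(root, load_baseline(data_file, key))
        with open(data_file, "ab") as fh:                          # corrupt the data file
            fh.write(b"x")
        try:
            load_baseline(data_file, key)
            tampered = False
        except ValueError:
            tampered = True
        rel = lambda ps: [os.path.relpath(p, root).replace(os.sep, "/") for p in ps]
        return {**{k: rel(v) for k, v in report.items()}, "tamper_detected": tampered}
```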
The beneficial effects of the present invention are:
By controlling basic system resources such as files, the registry, processes and services, the server operating system fault detection technique of the present invention quickly detects operating system faults and resolves the trouble caused by viruses, trojans and the like; by protecting operating system resources with mandatory access control, it establishes from the root how badly the system has been damaged and why, so that the fault can be repaired quickly. A security kernel module is added at the driver layer (ring 0) that intercepts and records all kernel access paths, thereby meeting the technical requirement of handling server faults. The security effect achieved is similar to that of rebuilding the operating system code, but with the benefit that the customer's business continuity is not affected: the customer does not even need to restart the system, all upper-layer applications and all underlying systems and machines are supported, and the security of upper-layer applications can be guaranteed at operating system granularity.
Description of drawings
Fig. 1 is the fault detection flow chart.
Embodiment
A security kernel module is added at the driver layer (ring 0) that intercepts and records all kernel access paths, thereby meeting the technical requirement of handling server faults. The security effect achieved is similar to that of rebuilding the operating system code, but with the benefit that the customer's business continuity is not affected: the customer does not even need to restart the system, all upper-layer applications and all underlying systems and machines are supported, and the security of upper-layer applications can be guaranteed at operating system granularity.
It mainly consists of the following modules:
One, file mandatory access control module
Allows a user or process to set access rules with different access permissions on files and directories, and can set security levels for files, directories and users, with the security model enforcing access control by level. When any user (including the system administrator) or an unauthorised process performs an operation such as create, delete, modify or read on a sensitive file or directory, the operation is filtered (allowed or refused) according to the rules and the behaviour is recorded.
Two, registry mandatory access control module
Allows a process to set access rules with different access permissions on registry entries. When any user (including the system administrator) or an unauthorised process called by such a user performs a write operation on a registry entry that is set to "read-only" or "no access", the write is flatly refused and the behaviour is recorded in detail.
Three, process mandatory access control module
Allows a process to set access rules with different access permissions on processes; no user (including the system administrator) and no unauthorised process called by such a user has the right to terminate or operate on a protected process.
Four, service mandatory access control module
Through this module, newly added application services or drivers are discovered promptly and their registration is stopped forcibly and immediately, so as to achieve access control over services.
Five, application-layer file integrity detection module
The user specifies the key read-only directories for which check information needs to be built and the name of the data file. The checking program automatically records the basic attributes and the content checksum of every file in the directory. By periodically verifying the checksums, the integrity of important files or directories can be confirmed.

Claims (1)

1. A fault detection technique for a server operating system, characterised in that it comprises the following content:
(1) detecting file integrity by comparing feature codes and determining the location of the file that has been modified;
(2) after replacing it with a normal file, placing the target file under mandatory access control by means of system hardening technology;
(3) recording the process that changed this file together with its concrete absolute path, detecting the destructive behaviour of the malicious process, and drawing up a plan for recovering the server according to the behaviour of that process;
the concrete steps being as follows:
a security kernel module is added at the driver layer of the original operating system to handle and detect operating system faults, intercepting and recording all kernel access paths, thereby meeting the technical requirement of handling server faults; the privilege access model in the kernel layer of the operating system is rebuilt to implement mandatory access control, and mandatory access control technology is used to detect and handle system faults quickly, wherein:
1) at initialisation, the file system filter driver inserts the access rules one by one and allows specified nodes to be added or deleted dynamically at run time, so that all I/O requests to files or directories are intercepted; when an I/O request to a file or directory is intercepted, the rule linked list is traversed and the request is filtered according to the access rules, a request that satisfies a rule being passed on to the original service function immediately and otherwise discarded;
2) at initialisation, the registry access filter driver builds a doubly linked list and inserts the "read-only" registry entries one by one, and allows specified nodes to be added or deleted dynamically at run time, so that all read and write requests to registry entries are intercepted; when a read or write request to a registry entry is intercepted, the rule linked list is traversed and the request is filtered according to the rules, a request that satisfies a rule being passed on to the original service function immediately and otherwise discarded;
3) at initialisation, the process protection filter driver inserts the access rules one by one and allows specified nodes to be added or deleted dynamically at run time, so that all process enumeration requests are intercepted; when a process enumeration request is intercepted, the process list is modified according to the rule linked list and the modified list is passed on to the original service function;
4) after loading, the system registry is protected automatically: by filtering registry requests, the driver monitors in real time whether a service or driver is about to be registered, and when it finds a service or driver modifying the registry in order to register itself, the security kernel immediately and forcibly stops the registration of that service or driver;
5) a data summary is built for every file and subdirectory by a recursive algorithm and saved in a data file, the "content checksum" in it being the 16-byte hash result produced by the MD5 algorithm, which guarantees the uniqueness of the checksum while improving performance as far as possible; the final data file is encrypted with the RC2 algorithm to prevent unrelated users or rogue programs from changing the contents of the data file;
the system mainly consisting of the following modules:
One, file mandatory access control module
Allows a user or process to set access rules with different access permissions on files and directories, and sets security levels for files, directories and users, with the security model enforcing access control by level; when any user, including the system administrator, or an unauthorised process performs an operation such as create, delete, modify or read on a sensitive file or directory, the operation is filtered according to the rules and the behaviour is recorded;
Two, registry mandatory access control module
Allows a process to set access rules with different access permissions on registry entries; when any user, including the system administrator, or an unauthorised process called by such a user performs a write operation on a registry entry that is set to "read-only" or "no access", the write is flatly refused and the behaviour is recorded in detail;
Three, process mandatory access control module
Allows a process to set access rules with different access permissions on processes; no user, including the system administrator, and no unauthorised process called by such a user has the right to terminate or operate on a protected process;
Four, service mandatory access control module
Through this module, newly added application services or drivers are discovered promptly and their registration is stopped forcibly and immediately, so as to achieve access control over services;
Five, application-layer file integrity detection module
The user specifies the key read-only directories for which check information is to be built and the name of the data file that holds it; the checking program automatically records the basic attributes and the content checksum of every file in the directory and periodically verifies the checksums, so as to verify the integrity of important files or directories.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102306167A CN101877039A (en) 2009-11-23 2009-11-23 Fault detection technology of server operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102306167A CN101877039A (en) 2009-11-23 2009-11-23 Fault detection technology of server operating system

Publications (1)

Publication Number Publication Date
CN101877039A true CN101877039A (en) 2010-11-03

Family

ID=43019594

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102306167A Pending CN101877039A (en) 2009-11-23 2009-11-23 Fault detection technology of server operating system

Country Status (1)

Country Link
CN (1) CN101877039A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143220A (en) * 2010-02-02 2011-08-03 国际商业机器公司 Method and system for discovering physical server location by correlating external and internal server information
CN102156839A (en) * 2011-04-12 2011-08-17 浪潮电子信息产业股份有限公司 Method for limiting authority of cloud computing privileged user by using mandatory access control
CN103778378A (en) * 2012-03-28 2014-05-07 Ae平方有限公司 Method and apparatus for controlling operation performed by a mobile computing device
CN104573511A (en) * 2013-10-15 2015-04-29 联想(北京)有限公司 Method and system for searching and killing Rootkit virus
WO2016150304A1 (en) * 2015-03-20 2016-09-29 中兴通讯股份有限公司 Security vulnerability strengthening method and system
CN105303087B (en) * 2015-11-26 2018-01-09 中国农业银行股份有限公司 A kind of user right information update method and device
CN105303087A (en) * 2015-11-26 2016-02-03 中国农业银行股份有限公司 User permission information updating method and user permission information updating device
CN106228078A (en) * 2016-07-29 2016-12-14 浪潮电子信息产业股份有限公司 Method for safe operation based on enhancement mode ROST under a kind of Linux
CN106708732A (en) * 2016-12-12 2017-05-24 中国航空工业集团公司西安航空计算技术研究所 Software running detection method based on feature codes
CN107038392A (en) * 2017-04-28 2017-08-11 郑州云海信息技术有限公司 A kind of method of client integrity detection
CN108881219A (en) * 2018-06-14 2018-11-23 郑州云海信息技术有限公司 A kind of file permission management method and system based on forced symmetric centralization
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Cross-terminal cross-version Root attack detecting and guard system based on kernel
CN110457953A (en) * 2019-07-26 2019-11-15 中国银行股份有限公司 A kind of detection method and device of file integrality
CN110704868A (en) * 2019-09-06 2020-01-17 苏州浪潮智能科技有限公司 Access control list correction method, device, equipment and medium of NFSv4

Similar Documents

Publication Publication Date Title
CN101877039A (en) Fault detection technology of server operating system
JP7084778B2 (en) Systems and methods for cloud-based detection, exploration and elimination of targeted attacks
Kharaz et al. {UNVEIL}: A {Large-Scale}, automated approach to detecting ransomware
Wei et al. Managing security of virtual machine images in a cloud environment
US7784098B1 (en) Snapshot and restore technique for computer system recovery
US20180375826A1 (en) Active network backup device
CN101520831B (en) Safe terminal system and terminal safety method
WO2018045073A1 (en) Systems and methods for identifying and mapping sensitive data on an enterprise
CN103246849A (en) Safe running method based on ROST under Windows
WO2006137057A2 (en) A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies
US10262139B2 (en) System and method for detection and prevention of data breach and ransomware attacks
CN101667232B (en) Terminal credible security system and method based on credible computing
Kara A basic malware analysis method
KR101031786B1 (en) Malicious code prevention apparatus and method using level classification of suspicious behavior and isolated execution, and computer-readable medium storing program for method thereof
Hamed et al. Protecting windows OS against local threats without using antivirus
Deng et al. Lexical analysis for the webshell attacks
CN101788944A (en) Method for detecting failures of AIX system by means of mandatory access control
JP6738013B2 (en) Attack content analysis program, attack content analysis method, and attack content analysis device
Alsmadi et al. Practical information security
Alzahrani et al. An overview of ransomware in the windows platform
Smelcer Rise of fileless malware
Fan et al. Privacy theft malware multi‐process collaboration analysis
CN114186222A (en) Lesovirus protection method and system
Kharraz Techniques and Solutions for Addressing Ransomware Attacks
Viswanathan et al. Dynamic monitoring of website content and alerting defacement using trusted platform module

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20101103