CN103902902A - Rootkit detection method and system based on embedded system - Google Patents

Rootkit detection method and system based on embedded system

Info

Publication number: CN103902902A
Application number: CN201310505165.XA
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 白淳升, 李柏松
Original and current assignee: Harbin Antiy Technology Co Ltd
Priority date and filing date: 2013-10-24
Publication date: 2014-07-02
Legal status: Pending

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a rootkit detection method and system based on an embedded system. The method comprises the following steps: an embedded device that conforms to the PCI interface standard and integrates an independent operating system is selected; the embedded device is installed in a PCI slot of the motherboard of the computer under examination; the computer under examination uses its original operating system to traverse its disk and obtain file name list A; the embedded device uses its independent operating system to traverse the same disk and obtain file name list B; the embedded device compares file name list A with file name list B, and when a newly found file name appears in list B and the number of times that newly found file name appears exceeds an early-warning value, it is determined that a rootkit exists in the computer under examination. This technical scheme overcomes the defects of traditional detection methods and detects unknown rootkits more effectively.

Description

Rootkit detection method and system based on an embedded system
Technical field
The present invention relates to the field of network security technology, and in particular to a rootkit detection method and system based on an embedded system.
Background technology
With the rapid development of information technology, programs whose goal is to seize control of computers and steal sensitive information have multiplied; the APT incidents of recent years in particular show that network security has become a contest at the state level. Rootkits are an important link in this class of attack: a rootkit is a set of programs and code that resides on a computer persistently, stably and undetectably. Because a rootkit can hide in the target computer for a long time without being noticed, it is widely used in fields such as cyber warfare, espionage, anti-computer-crime and evidence gathering, and it is also used by malicious code to maintain malicious control over a computer. Once an attacker obtains control of the operating system and drops a rootkit onto the target host, the rootkit is a backdoor that can be maintained for a long time: it lets the attacker keep controlling the system with administrator rights while concealing the attack by hiding files, processes, registry entries, ports and so on, thereby evading detection by the user and by security software.
Since rootkits first appeared their technology has kept developing, with new techniques continually being applied to them, while anti-rootkit technology can generally only follow, and therefore lags behind, rootkit technology. At present there are two methods for detecting rootkits:
Shut down the computer suspected of being infected, mount its hard disk in another system, and then check it with the relevant tools and signatures.
Use a dedicated rootkit detection tool such as chkrootkit, rkhunter or BlackLight.
Both methods have many defects in practice and cannot achieve complete rootkit detection.
The first method has the following three problems:
It cannot scan and monitor in real time, so its timeliness is poor and detection of a rootkit may lag;
Every scan requires the computer to be shut down and its hard disk carried to another system, which is very cumbersome and unfavourable to the maintenance of critical servers;
Just as signature scanning cannot detect unknown viruses, this method likewise cannot detect every rootkit.
The second method has the following two problems:
It runs inside the current system environment, so it is easily hidden from or bypassed by a rootkit targeted at it.
These detection tools can only detect known rootkits; most of them are no longer updated, and they cannot detect rootkits that use new techniques.
Summary of the invention
To address the above technical problems, the invention provides a rootkit detection method and system based on an embedded system. An external embedded device that carries an independent operating system scans the disk of the computer under examination; the file name list it obtains is compared with the file name list obtained by the computer's original operating system to determine whether newly found file names exist, and from that it is finally decided whether the computer is infected with a rootkit.
The invention is realized by the following method, a rootkit detection method based on an embedded system, comprising:
Selecting an embedded device that conforms to the PCI interface standard and integrates an independent operating system;
Installing the embedded device in a PCI slot of the motherboard of the computer under examination;
The computer under examination uses its original operating system to traverse its disk and obtain file name list A; the original operating system includes at least UNIX and WINDOWS.
The embedded device uses its independent operating system to traverse the disk of the computer under examination and obtain file name list B;
The embedded device compares file name list A with file name list B; when a newly found file name appears in list B and the number of times that newly found file name appears exceeds an early-warning value, the computer under examination is judged to contain a rootkit. The early-warning value is set by the user according to actual conditions and may be three.
The independent operating system of the embedded device accesses the disk of the computer under examination through a low-level driver and so obtains file name list B.
File name lists A and B obtained in the above method may be saved to external storage and then compared.
Further, after the computer under examination has used its original operating system to traverse its disk and obtained file name list A, the method also comprises:
Writing file name list A to a file at a preset path, and writing at the end of that file a marker that indicates whether list A is complete;
The embedded device reads that file at a preset interval; once it determines that list A is complete, it proceeds with the step in which the embedded device uses its independent operating system to traverse the disk of the computer under examination and obtain file name list B.
Further, after it is judged that a rootkit exists in the computer under examination, the method also comprises: saving to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounding an alarm to alert the user.
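The comparison and alerting steps above, worked through as an added Python example; this is not code from the patent or from Harbin Antiy, and the two file listings are constructed. It assumes that list A is the set of full paths reported by the host's own operating system and list B the set read out of band by the embedded device, and it reads "the number of times the newly found file name appears" as the number of consecutive scan rounds in which the same path stays hidden, which is an interpretation, since the text does not say which count is meant. The threshold test is strictly greater than the early-warning value, as the text says "exceeds", and each alert is kept as the log record of the last step, path and warning time.

```python
"""Cross-view comparison of two file-name listings (added example).

List A: file names reported by the operating system of the computer under
examination (possibly subverted by a rootkit).
List B: file names read directly from disk by the embedded device's own
operating system and file-system parser.
A path present in B but missing from A is a candidate hidden file.
"""
from collections import Counter
from datetime import datetime, timezone

# The patent leaves the early-warning value to the user and suggests three.
EARLY_WARNING_VALUE = 3


def new_file_names(list_a, list_b):
    """Return, sorted, the full paths present in list B but absent from list A."""
    return sorted(set(list_b) - set(list_a))


class RootkitDetector:
    """Counts, over successive scan rounds, how long each candidate stays hidden.

    A one-off discrepancy is often a race: a file created after the host
    traversal but before the out-of-band one. A path that is hidden in
    several consecutive rounds is what crosses the threshold.
    """

    def __init__(self, early_warning_value=EARLY_WARNING_VALUE):
        self.early_warning_value = early_warning_value
        self.occurrences = Counter()  # hidden path -> consecutive rounds seen hidden
        self.alerts = []              # log records: path and warning time

    def scan(self, list_a, list_b, when=None):
        """Process one (A, B) pair; return the paths that exceeded the threshold."""
        when = when or datetime.now(timezone.utc).isoformat()
        hidden = new_file_names(list_a, list_b)
        hidden_set = set(hidden)
        # A path that is visible to both views again drops back to zero, so
        # only persistently hidden paths accumulate a count.
        for path in list(self.occurrences):
            if path not in hidden_set:
                del self.occurrences[path]
        fired = []
        for path in hidden:
            self.occurrences[path] += 1
            # "exceeds the early-warning value": strictly greater, as the text says.
            if self.occurrences[path] > self.early_warning_value:
                self.alerts.append({"path": path, "warning_time": when})
                fired.append(path)
        return fired

    def log_lines(self):
        """Render the alerts as the log records the patent stores: path and time."""
        return [f"{a['warning_time']} rootkit-suspect path={a['path']}"
                for a in self.alerts]


if __name__ == "__main__":
    # Constructed sample listings: the host view lacks one kernel-module path.
    host_view = ["/bin/ls", "/etc/passwd", "/lib/modules/ext4.ko"]
    device_view = host_view + ["/lib/modules/.hidden_mod.ko"]
    detector = RootkitDetector()
    for round_no in range(1, 5):
        print(round_no, detector.scan(host_view, device_view))
    print("\n".join(detector.log_lines()))
```

Resetting the count when a path becomes visible again is what makes the early-warning value useful as a false-positive filter: a file created between the two traversals is hidden for one round at most, while a rootkit-hidden file stays hidden every round. Keying on full paths rather than bare names keeps two legitimate files with the same name in different directories from masking each other.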
The invention is realized by the following system, a rootkit detection system based on an embedded system, comprising an embedded device and a traversal module (rendered "spider module" in the machine translation):
The embedded device conforms to the PCI interface standard and integrates an independent operating system; it is installed in a PCI slot of the motherboard of the computer under examination;
The traversal module is installed in the original operating system of the computer under examination and traverses the computer's disk to obtain file name list A; the original operating system includes at least UNIX and WINDOWS.
The independent operating system of the embedded device integrates a file system format parsing module and an abnormal file detection module;
The file system format parsing module traverses the disk of the computer under examination and obtains file name list B; it is responsible for parsing the file system formats (FAT/NTFS/EXT) and obtaining the file name list of each partition.
The abnormal file detection module compares file name list A with file name list B; when a newly found file name appears in list B and the number of times that newly found file name appears exceeds an early-warning value, it judges that a rootkit exists in the computer under examination. The early-warning value may be three.
The independent operating system of the embedded device accesses the disk of the computer under examination through a low-level driver and so obtains file name list B.
File name lists A and B obtained in the above system may be saved to external storage and then compared.
Further, after the traversal module has traversed the disk of the computer under examination and obtained file name list A, the system also performs the following:
File name list A is written to a file at a preset path, and a marker indicating whether list A is complete is written at the end of that file;
The embedded device reads that file at a preset interval; once it determines that list A is complete, the file system format parsing module obtains file name list B of the computer under examination.
Further, the embedded device also comprises a threat early-warning module: after the abnormal file detection module has judged that a rootkit exists in the computer under examination, the threat early-warning module saves to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounds an alarm to alert the user.
In summary, the invention provides a rootkit detection method and system based on an embedded system: a hardware device containing an independent embedded system is attached externally to a PCI slot of the computer under examination; the operating system of that hardware device traverses the computer's disk to obtain its file name list; that list is compared with the file name list obtained by traversal under the original operating system to check for newly found file names; and it is checked whether their occurrence count exceeds the early-warning value, in which case a rootkit is judged to exist in the computer under examination. The technical scheme of the invention can detect rootkits effectively, and in particular can detect unknown rootkits effectively.
Brief description of the drawings
In order to explain the technical scheme of the invention more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments recorded in the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a rootkit detection method based on an embedded system provided by the invention;
Fig. 2 is a structural diagram of a rootkit detection system based on an embedded system provided by the invention.
Embodiments
The invention provides a rootkit detection method and system based on an embedded system. So that those skilled in the art may better understand the technical scheme in the embodiments of the invention, and so that the above purpose, features and advantages of the invention become more apparent, the technical scheme of the invention is described in further detail below with reference to the drawings:
First, the invention provides a rootkit detection method based on an embedded system, as shown in Fig. 1, comprising:
S101: select an embedded device that conforms to the PCI interface standard and integrates an independent operating system;
S102: install the embedded device in a PCI slot of the motherboard of the computer under examination;
S103: the computer under examination uses its original operating system to traverse its disk and obtain file name list A;
S104: the embedded device uses its independent operating system to traverse the disk of the computer under examination and obtain file name list B;
S105: the embedded device compares file name list A with file name list B; when a newly found file name appears in list B and the number of times that newly found file name appears exceeds the early-warning value, it is judged that a rootkit exists in the computer under examination.
Preferably, after S103 the method also comprises:
Writing file name list A to a file at a preset path, and writing at the end of that file a marker that indicates whether list A is complete;
The embedded device reads that file at a preset interval; once it determines that list A is complete, it continues with S104.
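The hand-off of list A through a marker-terminated file, as described in the preferred step above, worked through as an added Python example; this is not code from the patent or from Harbin Antiy. The marker text, the file name `list_a.txt`, the `preset_path` helper and the `complete=False` switch that simulates a writer which stopped early are all assumptions of this example; the patent specifies only that a completeness mark is written at the end of the file and that the device reads the file at a preset interval.

```python
"""Hand-off of file name list A through a marker-terminated file (added example).

The host-side traversal writes list A to a preset path and appends a
completeness marker as the last line; the embedded device polls the file
at a fixed interval and only uses the list once the marker is present.
"""
import os
import tempfile
import time

# Assumed marker text; the patent specifies only that a completeness mark
# is written at the end of the file, not its value. File names are assumed
# never to equal this line and never to contain a newline.
COMPLETE_MARKER = "#END-OF-LIST-A"


def preset_path(directory=None):
    """Return the agreed location of the list file (a fresh temp dir when none is given)."""
    return os.path.join(directory or tempfile.mkdtemp(), "list_a.txt")


def write_list_a(path, file_names, complete=True):
    """Write list A one name per line, then the marker as the final line.

    complete=False simulates a writer that stopped before finishing, so the
    reader's marker check can be exercised; it is not part of the method.
    """
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        for name in file_names:
            fh.write(name + "\n")
        if complete:
            fh.write(COMPLETE_MARKER + "\n")
        fh.flush()
        os.fsync(fh.fileno())  # make the marker durable before a reader can rely on it


def read_list_a(path):
    """Return list A if the file ends with the marker, otherwise None.

    None means "not ready": the file is absent, still being written, or cut
    short. Lines are treated as untrusted text (the host that wrote them may
    be compromised); they are only split, never interpreted.
    """
    try:
        with open(path, "r", encoding="utf-8", newline="\n") as fh:
            lines = fh.read().split("\n")
    except FileNotFoundError:
        return None
    while lines and lines[-1] == "":
        lines.pop()  # drop the empty string left after the final newline
    if not lines or lines[-1] != COMPLETE_MARKER:
        return None
    return lines[:-1]


def wait_for_list_a(path, poll_interval, max_polls):
    """Poll at the preset interval, as the embedded device does, until the list is complete.

    Returns the list, or None if it was still incomplete after max_polls reads.
    """
    for attempt in range(max_polls):
        names = read_list_a(path)
        if names is not None:
            return names
        if attempt + 1 < max_polls:
            time.sleep(poll_interval)
    return None


if __name__ == "__main__":
    target = preset_path()
    write_list_a(target, ["/bin/ls", "/etc/passwd"], complete=False)
    print("incomplete file ->", read_list_a(target))
    write_list_a(target, ["/bin/ls", "/etc/passwd"])
    print("complete file   ->", wait_for_list_a(target, poll_interval=0.1, max_polls=3))
```

The marker is the only signal the reader has that the host finished writing, so the reader returns "not ready" for an absent, empty or truncated file rather than comparing against a partial list, which would otherwise make every file not yet written look newly found. Because the file is produced by the possibly compromised host, the device treats it purely as data and the scheme's assurance rests on the out-of-band view B, not on anything the host reports.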
Preferably, after it is judged that a rootkit exists in the computer under examination, the method also comprises: saving to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounding an alarm to alert the user.
The invention also provides a rootkit detection system based on an embedded system, as shown in Fig. 2, comprising an embedded device 201 and a traversal module 202:
The embedded device 201 conforms to the PCI interface standard and integrates an independent operating system; the embedded device 201 is installed in a PCI slot of the motherboard of the computer under examination;
The traversal module 202 is installed in the original operating system of the computer under examination and traverses the computer's disk to obtain file name list A;
The independent operating system of the embedded device 201 integrates a file system format parsing module 201-01 and an abnormal file detection module 201-02;
The file system format parsing module 201-01 traverses the disk of the computer under examination and obtains file name list B;
The abnormal file detection module 201-02 compares file name list A with file name list B; when a newly found file name appears in list B and the number of times that newly found file name appears exceeds the early-warning value, it judges that a rootkit exists in the computer under examination.
Preferably, after the traversal module 202 has traversed the disk of the computer under examination and obtained file name list A, the system also performs the following:
File name list A is written to a file at a preset path, and a marker indicating whether list A is complete is written at the end of that file;
The embedded device reads that file at a preset interval; once it determines that list A is complete, the file system format parsing module 201-01 obtains file name list B of the computer under examination.
Preferably, the embedded device also comprises a threat early-warning module: after the abnormal file detection module has judged that a rootkit exists in the computer under examination, the threat early-warning module saves to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounds an alarm to alert the user.
As described above, the invention provides a rootkit detection method and system based on an embedded system. It differs from conventional methods in that those require the disk under examination to be mounted in another system, or rely on a dedicated tool; such approaches not only have very poor timeliness but are essentially unable to detect unknown rootkits. The method provided by the invention attaches to the computer under examination an external embedded device with its own independent operating system, which uses a low-level driver to traverse the computer's disk and obtain a file name list; this list is compared with the file name list obtained by the original operating system, and the presence of newly found file names and the number of times they appear determine whether the computer is infected with a rootkit. The detection method provided by the invention is simple to operate, has good timeliness, and can detect rootkits more effectively.
The above embodiments are intended to illustrate, not to limit, the technical scheme of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be encompassed within the scope of the claims of the invention.

Claims (6)

1. A rootkit detection method based on an embedded system, characterized in that it comprises:
selecting an embedded device that conforms to the PCI interface standard and integrates an independent operating system;
installing the embedded device in a PCI slot of the motherboard of the computer under examination;
the computer under examination using its original operating system to traverse its disk and obtain file name list A;
the embedded device using its independent operating system to traverse the disk of the computer under examination and obtain file name list B;
the embedded device comparing file name list A with file name list B and, when a newly found file name appears in list B and the number of times that newly found file name appears exceeds an early-warning value, judging that a rootkit exists in the computer under examination.
2. The method of claim 1, characterized in that, after the computer under examination has used its original operating system to traverse its disk and obtained file name list A, the method further comprises:
writing file name list A to a file at a preset path, and writing at the end of that file a marker that indicates whether list A is complete;
the embedded device reading that file at a preset interval and, once it determines that list A is complete, proceeding with the step in which the embedded device uses its independent operating system to traverse the disk of the computer under examination and obtain file name list B.
3. The method of claim 1, characterized in that, after it is judged that a rootkit exists in the computer under examination, the method further comprises: saving to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounding an alarm to alert the user.
4. A rootkit detection system based on an embedded system, characterized in that it comprises an embedded device and a traversal module:
the embedded device conforming to the PCI interface standard and integrating an independent operating system, the embedded device being installed in a PCI slot of the motherboard of the computer under examination;
the traversal module being installed in the original operating system of the computer under examination and traversing the computer's disk to obtain file name list A;
the independent operating system of the embedded device integrating a file system format parsing module and an abnormal file detection module;
the file system format parsing module traversing the disk of the computer under examination and obtaining file name list B;
the abnormal file detection module comparing file name list A with file name list B and, when a newly found file name appears in list B and the number of times that newly found file name appears exceeds an early-warning value, judging that a rootkit exists in the computer under examination.
5. The system of claim 4, characterized in that, after the traversal module has traversed the disk of the computer under examination and obtained file name list A, the system further comprises:
file name list A being written to a file at a preset path, with a marker indicating whether list A is complete written at the end of that file;
the embedded device reading that file at a preset interval and, once it determines that list A is complete, obtaining file name list B of the computer under examination through the file system format parsing module.
6. The system of claim 4, characterized in that the embedded device further comprises a threat early-warning module which, after the abnormal file detection module has judged that a rootkit exists in the computer under examination, saves to external storage, in the form of a log, the file path and warning time corresponding to each newly found file name whose occurrence count exceeded the early-warning value, and sounds an alarm to alert the user.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310505165.XA (CN103902902A, en) | 2013-10-24 | 2013-10-24 | Rootkit detection method and system based on embedded system

Publications (1)

Publication Number | Publication Date
CN103902902A (en) | 2014-07-02

Family

ID=50994214

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201310505165.XA (CN103902902A, en) | Rootkit detection method and system based on embedded system | 2013-10-24 | 2013-10-24 | Pending

Country Status (1)

Country | Link
CN (1) | CN103902902A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106649458A (en) * | 2016-09-26 | 2017-05-10 | 福建中金在线信息科技有限公司 | Method and system for detecting file update amount

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20040111578A1 (en) * | 2002-09-05 | 2004-06-10 | Goodman Reginald A. | Personal computer internet security system
CN1743990A (en) * | 2005-08-12 | 2006-03-08 | 珠海金山软件股份有限公司 | Transplatform virus detecting and killing method
CN101046836A (en) * | 2006-03-29 | 2007-10-03 | 联想(北京)有限公司 | System and method for removing ROOTKIT
CN103180863A (en) * | 2010-10-21 | 2013-06-26 | F-赛酷公司 | Computer system analysis method and apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吕良 et al.: "Research on an embedded security protection system based on NetFPGA" (基于 NetFPGA 的嵌入式安全防护系统研究), China Master's Theses Full-text Database, Information Science and Technology series *

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2014-07-02