CN112307469A - Kernel intrusion prevention method and device, computing equipment and computer storage medium - Google Patents


Info

Publication number: CN112307469A
Application number: CN201910691010.7A
Authority: CN (China)
Prior art keywords: kernel, detection, attack, invading, determining
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 周明建, 姚俊, 王彦峰, 窦文科, 张继
Current assignee: Beijing Qihoo Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201910691010.7A (the priority date is an assumption and not a legal conclusion); publication of CN112307469A; legal status pending

Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for defending against a process that intrudes into the kernel, together with a computing device and a computer storage medium. The method comprises the following steps: detecting a process with an intrusion-kernel detection system and judging whether it is a process intruding into the kernel; if so, freezing the process and acquiring the call information related to it; and determining and restoring the attack content of the process according to that call information. Once a process intruding into the kernel is detected it is frozen, so that it keeps its current state, the resources it currently occupies are not released, and the attack cannot continue. The call information of the frozen process is then acquired and analysed to determine the attack content of the process, and that attack content is restored so as to recover the content modified by the attack and avoid problems such as system crashes.

Description

Kernel intrusion prevention method and device, computing equipment and computer storage medium
Technical Field
The invention relates to the field of software, and in particular to a method and a device for defending against kernel intrusion, a computing device and a computer storage medium.
Background
An attacker who intrudes into the kernel aims to obtain ROOT privilege on the device and then use that privilege to control the whole device. For the security of the kernel, processes intruding into the kernel are detected so that an attack on ROOT can be discovered quickly and in time.
When an attack on ROOT by a process intruding into the kernel is detected, the process may already have attacked, for example, memory and performed destructive operations on it. Directly intercepting the ongoing attack at that point can leave the damaged memory incompletely recovered and cause the device to crash or restart. For example, directly intercepting a buffer overflow attack easily causes a memory crash.
Disclosure of Invention
In view of the above, the present invention provides a method and apparatus for defending against kernel intrusion, a computing device and a computer storage medium that overcome, or at least partially solve, the above problems.
According to one aspect of the invention, a method for defending against kernel intrusion is provided, comprising the following steps:
detecting a process with an intrusion-kernel detection system and judging whether it is a process intruding into the kernel;
if so, freezing the process and acquiring the call information related to it;
and determining and restoring the attack content of the process according to the call information.
According to another aspect of the invention, an apparatus for defending against kernel intrusion is provided, comprising:
a detection module adapted to detect a process with an intrusion-kernel detection system and judge whether it is a process intruding into the kernel;
a freezing module adapted to freeze the process and acquire the call information related to it if the detection module judges that the process is intruding into the kernel;
and a restoring module adapted to determine and restore the attack content of the process according to the call information.
According to yet another aspect of the invention, a computing device is provided, comprising a processor, a memory and a communication interface that communicate with one another over a communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above method for defending against kernel intrusion.
According to still another aspect of the invention, a computer storage medium is provided in which at least one executable instruction is stored, and the executable instruction causes a processor to perform the operations corresponding to the above method for defending against kernel intrusion.
According to the method and device for defending against kernel intrusion, the computing device and the computer storage medium, a process is detected by the intrusion-kernel detection system and judged as to whether it is intruding into the kernel; if so, the process is frozen and the call information related to it is acquired; and the attack content of the process is determined and restored according to that call information. Once a process intruding into the kernel is detected it is frozen, so that it keeps its current state, the resources it currently occupies are not released, and the attack cannot continue. The call information of the frozen process is then acquired and analysed to determine the attack content, which is restored so as to recover the content modified by the attack and avoid problems such as system crashes.
The foregoing is only an overview of the technical solution of the invention; the embodiments of the invention are described below so that its technical means can be understood more clearly and so that the above and other objects, features and advantages of the invention become more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a method for defending against kernel intrusion according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a method for defending against kernel intrusion according to another embodiment of the invention;
FIG. 3 illustrates a functional block diagram of an apparatus for defending against kernel intrusion according to one embodiment of the invention;
FIG. 4 shows a schematic structural diagram of a computing device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a flow diagram of a method for defending against kernel intrusion according to one embodiment of the invention. As shown in FIG. 1, the method comprises the following steps:
Step S101: detect the process with the intrusion-kernel detection system and judge whether it is a process intruding into the kernel.
The device is provided with an intrusion-kernel detection system, which inspects the processes running on the device and judges whether each one is a process intruding into the kernel.
When the detection system determines that a process is intruding into the kernel, step S102 is executed; otherwise the process is left alone and continues to execute.
Step S102: freeze the process and acquire the call information related to it.
Once a process is determined to be intruding into the kernel, it is frozen using a process-freezing technique: it is held in a controllable suspended state and its context is saved. If, for example, the detection system finds the process modifying a memory address, the process is frozen and the related call information is acquired from the context of the frozen process, such as which functions the process called to modify the memory address and the parameters of those functions.
Step S103: determine and restore the attack content of the process according to the call information.
The attack content of the process can be determined from the call information. If, from the functions the process called, the attack is determined to be a modification of a memory address, then the original address information of that memory address, the modified address information after the modification, and so on are determined from the parameters and other information of those functions. The attack content so determined can then be restored: the memory address is restored from the modified address information to the original address information, which reduces the impact of the attack and protects the security of the device.
According to the kernel intrusion defense method provided by the invention, a process is detected by the intrusion-kernel detection system and judged as to whether it is intruding into the kernel; if so, the process is frozen and the call information related to it is acquired; and the attack content of the process is determined and restored according to that call information. Once a process intruding into the kernel is detected it is frozen, so that it keeps its current state, the resources it currently occupies are not released, and the attack cannot continue. The call information of the frozen process is then acquired and analysed to determine the attack content, which is restored so as to recover the content modified by the attack and avoid problems such as system crashes.
FIG. 2 is a flow diagram of a method for defending against kernel intrusion according to another embodiment of the invention. As shown in FIG. 2, the method comprises the following steps:
Step S201: the intrusion-kernel detection system sets up multi-level detection at different module layers of the device to detect the process.
The device has to limit the access capability between different programs, to prevent problems such as data leakage caused by one program obtaining the memory data of another program or the data of hardware devices. The device is therefore divided into different module layers: a user-mode layer and a kernel-mode layer. The detection system sets different detection conditions on the different module layers according to the characteristics of each layer, realising multi-level detection of the process.
Setting the detection conditions requires extracting in advance the characteristic information of a process intruding into the kernel as it attacks ROOT, and determining the detection condition corresponding to that characteristic information. A process intruding into the kernel differs from a normal process; once the characteristic information of its ROOT attack behaviour has been extracted, detection can be carried out against that information to determine whether a process is attacking ROOT. Analysing the ROOT attack behaviour of a process intruding into the kernel, the extracted characteristic information covers the following stages:
1. reading system information and searching for system vulnerabilities as preparatory work;
2. triggering the vulnerability by means such as races between processes or special system calls;
3. using special functions such as heap-spray injection to exploit the vulnerability and gain control of the PC register;
4. obtaining the ability to execute arbitrary code by bypassing security mechanisms such as PAN/PXN/CFI with a code-reuse attack method such as Return-oriented Programming (ROP);
5. modifying the process information to elevate its own privilege to ROOT privilege.
Based on the extracted characteristic information, the ROOT attack behaviour of a process intruding into the kernel is divided into suspicious attack behaviour and confirmed attack behaviour, and different detection conditions are set for each. The suspicious-attack detection conditions, corresponding to suspicious attack behaviour, mainly detect the preparatory work of the process before it attacks ROOT, such as whether it searches for or triggers a system vulnerability in order to attack ROOT. The confirmed-attack (determined-attack) detection conditions, corresponding to confirmed attack behaviour, mainly detect the specific actions of a process intruding into the kernel as it attacks ROOT.
Specific suspicious-attack detection conditions include, for example: detecting whether the number of processes created within a time window exceeds a preset threshold and whether those processes race with one another. The number of normal processes within a time window generally does not exceed the preset threshold; when it does, the device may run slowly, memory use may grow large, or the device may hang. Races between processes, such as mutual pre-emption of resources, easily cause deadlocks and trigger system vulnerabilities, leading to a ROOT attack. Other suspicious-attack detection conditions include: detecting whether the process binds a thread to a specified CPU for execution, since a thread bound to a specific CPU can read system information that facilitates a ROOT attack; detecting whether the process reads the kernel version, that is, reads system information in preparation for a ROOT attack; detecting whether the process causes a system crash and restart in order to carry out a ROOT attack; detecting whether the process triggers kernel warning information while attacking the kernel; detecting whether the process invokes a specified system call to trigger a system vulnerability; detecting whether the process causes abnormal system-call parameters in order to exploit a vulnerability; detecting whether the process calls a specified system function to perform heap spraying and memory layout for a vulnerability exploit; and detecting whether the process creates more than a preset threshold of specified ports within a time window for a vulnerability exploit.
These suspicious-attack detection conditions detect the process before it carries out a specific attack on ROOT, so a process intruding into the kernel can be detected more effectively. Further, each suspicious-attack detection condition can be assigned a weight; when the accumulated weight meets the suspicious-attack criterion, for example reaches a suspicious-attack threshold, the process is determined to have suspicious attack behaviour against ROOT.
Confirmed-attack (determined-attack) detection conditions include, for example: detecting whether the process modifies a data structure related to process privilege; detecting whether the process modifies the process's accessible address range; detecting whether the process uses the characteristics of the pipe system call to read or write an arbitrary address; detecting whether the process modifies kernel memory attributes; detecting whether the process calls into a registered malicious node; detecting whether the process modifies a specific pointer to point at a non-read-only segment; and detecting whether the process modifies the security policy configuration file. Under each of these conditions the process maliciously modifies the system kernel, an access address, a node or similar on the device, which constitutes a confirmed attack on ROOT.
The kernel-mode layer is a lightweight engine: for performance reasons it performs highly real-time detection, which suits it to determining a process's attack behaviour on ROOT quickly. In this embodiment the confirmed-attack detection conditions are set in the kernel-mode layer, so confirmed attack behaviour is detected in real time and a process exhibiting it is found promptly.
A process executing its own code is normally in the user-mode layer. The user-mode layer can detect the process more precisely and with more complex logic than the kernel-mode layer. In this embodiment the suspicious-attack detection conditions are set in the user-mode layer and detection is performed per process, making it convenient to discover whether a process shows suspicious attack behaviour.
Step S202: the intrusion-kernel detection system determines whether the process is a process intruding into the kernel according to the results of the multi-level detection.
While the process runs on the device, specifically while it executes in the user-mode layer, the detection system checks it against the suspicious-attack detection conditions preset in that layer. Each suspicious-attack detection condition carries a weight; the weights of the conditions the process meets are accumulated, and if the accumulated weight meets the suspicious-attack criterion, for example reaches the suspicious-attack threshold, the process is determined to be a suspicious process intruding into the kernel. While the process executes in the kernel-mode layer, the detection system checks it against the confirmed-attack (determined-attack) detection conditions preset in that layer; if the process meets any one of them, it is determined to be a confirmed process intruding into the kernel.
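The two-tier determination described in steps S201 and S202, as an added example that is not part of the patent's own text: user-mode suspicious-attack conditions are weighted and accumulated against a threshold, kernel-mode confirmed-attack conditions classify the process on a single hit, and the time-window process-count condition from the list above is derived from raw fork events rather than pre-labelled. The condition names, weights, thresholds, window size and the three sample event streams are assumptions constructed for the example.

```python
# Added example (not the patent's own code): a two-tier classifier in the shape
# the text describes. Condition names, weights, thresholds and sample events are
# constructed assumptions.
from dataclasses import dataclass, field

# Assumed weights for user-mode suspicious-attack conditions named on the page.
SUSPICIOUS_WEIGHTS = {
    "reads_kernel_version": 1,
    "binds_thread_to_cpu": 2,
    "process_storm_with_race": 3,   # derived from fork events, see fork_storm()
    "calls_specified_syscall": 3,
    "heap_spray_layout": 3,
    "port_storm": 2,
}
SUSPICIOUS_THRESHOLD = 5            # assumed suspicious-attack threshold

# Kernel-mode confirmed-attack conditions named on the page: any one hit confirms.
CONFIRMED_CONDITIONS = {
    "modifies_privilege_struct", "modifies_access_range", "pipe_arbitrary_rw",
    "modifies_kernel_mem_attr", "registers_malicious_node",
    "pointer_to_writable_segment", "modifies_security_policy",
}

# Assumed time-window rule: more than FORK_LIMIT forks inside WINDOW seconds,
# together with a recorded race between the children, is the storm condition.
WINDOW, FORK_LIMIT = 1.0, 4


@dataclass
class Verdict:
    pid: int
    level: str                       # "clean", "suspicious" or "confirmed"
    score: int                       # accumulated suspicious weight
    hits: list = field(default_factory=list)


def fork_storm(events):
    """True if some sliding window of WINDOW seconds holds more than FORK_LIMIT
    fork events and at least one race between the created processes was seen."""
    forks = sorted(t for t, _, cond in events if cond == "fork")
    raced = any(cond == "fork_race" for _, _, cond in events)
    start = 0
    for end in range(len(forks)):
        while forks[end] - forks[start] > WINDOW:
            start += 1
        if end - start + 1 > FORK_LIMIT and raced:
            return True
    return False


def classify(pid, events):
    """events: list of (timestamp, layer, condition) for one process."""
    events = sorted(events)
    hits, score, seen = [], 0, set()
    for _, layer, cond in events:
        if layer == "kernel" and cond in CONFIRMED_CONDITIONS:
            hits.append(cond)
            return Verdict(pid, "confirmed", score, hits)   # one hit is enough
        if layer == "user" and cond in SUSPICIOUS_WEIGHTS and cond not in seen:
            seen.add(cond)                                   # weight each condition once
            score += SUSPICIOUS_WEIGHTS[cond]
            hits.append(cond)
    if fork_storm(events) and "process_storm_with_race" not in seen:
        score += SUSPICIOUS_WEIGHTS["process_storm_with_race"]
        hits.append("process_storm_with_race")
    level = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return Verdict(pid, level, score, hits)


# Constructed sample event streams: a benign process, one that prepares an
# attack in user mode, and one caught by a kernel-mode condition.
SAMPLE = {
    100: [(0.0, "user", "reads_kernel_version"),
          (0.5, "user", "fork"), (3.0, "user", "fork")],
    200: [(0.0, "user", "reads_kernel_version"),
          (0.1, "user", "binds_thread_to_cpu"),
          (0.2, "user", "fork"), (0.3, "user", "fork"), (0.4, "user", "fork"),
          (0.5, "user", "fork"), (0.6, "user", "fork"), (0.6, "user", "fork_race")],
    300: [(0.0, "user", "reads_kernel_version"),
          (0.4, "kernel", "modifies_privilege_struct")],
}


def run_sample():
    return {pid: classify(pid, ev) for pid, ev in SAMPLE.items()}


if __name__ == "__main__":
    for pid, v in run_sample().items():
        print(pid, v.level, v.score, v.hits)
```

Each suspicious condition is weighted once per process so that a repeated benign action (re-reading the kernel version) cannot push a process over the threshold on its own; only the kernel-mode branch returns early, matching the text's rule that a single confirmed condition is decisive.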
When the intrusion-kernel detection system determines that the process is a process intruding into the kernel, step S203 is executed.
Step S203: freeze the process and acquire the call information related to it.
Once a process is determined to be intruding into the kernel, it is frozen using a process-freezing technique: it is held in a controllable suspended state and its context is saved. If, for example, the detection system finds the process modifying a memory address, the process is frozen and the related call information is acquired from the context of the frozen process, such as which functions the process called to modify the memory address and the parameters of those functions.
Further, a process the detection system determines to be suspicious can also be stopped by sending it a SIGSTOP signal, after which the user is prompted that the process is suspicious. The prompt, for example a pop-up dialog box, lets the user choose whether to continue or stop the process. If the user chooses to stop it, the process is frozen and the call information related to it is acquired. If the user chooses to continue, the subsequent execution of the process is monitored and its related call information, such as its later system calls, is recorded (so that when the process later runs in the kernel-mode layer and the detection system determines it to be a confirmed process intruding into the kernel, the recorded call information is available). A process the detection system determines to be confirmed can be frozen directly.
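Freezing a process so that it keeps its state and can be inspected, as an added example rather than code from the patent. It sends SIGSTOP (the signal the text refers to) to a harmless child it spawns itself, confirms the stopped state through waitpid, and reads context from /proc where that is available. The child, the /proc fields read and the POSIX host are assumptions of the example; a real implementation would read the saved context of the detected process instead.

```python
# Added example (not the patent's own code): freeze a process with SIGSTOP so it
# keeps its current state, releases nothing and executes nothing further, then
# read context from it while frozen. Freezes a child it spawned itself. Assumes
# a POSIX host; the /proc files are Linux-only and treated as optional.
import os
import signal
import subprocess
import sys


def freeze(pid):
    """Stop the process and wait until the kernel reports it as stopped."""
    os.kill(pid, signal.SIGSTOP)
    _, status = os.waitpid(pid, os.WUNTRACED)
    return os.WIFSTOPPED(status)


def capture_context(pid):
    """Collect call-related context of the frozen process from /proc (Linux):
    scheduler state, the system call it was in, and its memory map."""
    ctx = {}
    for name in ("status", "syscall", "maps"):
        try:
            with open(f"/proc/{pid}/{name}") as f:
                ctx[name] = f.read()
        except OSError:          # not Linux, or not permitted
            ctx[name] = None
    return ctx


def scheduler_state(status_text):
    """Return the one-letter state from a /proc/<pid>/status dump ('T' = stopped)."""
    if not status_text:
        return None
    for line in status_text.splitlines():
        if line.startswith("State:"):
            return line.split()[1]
    return None


def thaw(pid):
    os.kill(pid, signal.SIGCONT)


def demo():
    """Spawn a harmless sleeping child, freeze it, capture context, then clean up."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    try:
        stopped = freeze(child.pid)
        ctx = capture_context(child.pid)
        return {
            "pid": child.pid,
            "stopped": stopped,
            "state": scheduler_state(ctx["status"]),
            "syscall_line": ctx["syscall"],
            "mapped_regions": len(ctx["maps"].splitlines()) if ctx["maps"] else None,
        }
    finally:
        thaw(child.pid)          # a stopped process cannot act on SIGTERM until continued
        child.terminate()
        child.wait()


if __name__ == "__main__":
    print(demo())
```

On a Linux host `state` is `T` while the child is frozen and `syscall_line` holds the system call number and arguments the child was inside when stopped, which is the kind of call information the text refers to; both are `None` where /proc is unavailable or not permitted. The cleanup order matters: a stopped process does not act on SIGTERM until it is continued, so `thaw` runs before `terminate`.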
Step S204: determine and restore the attack content of the process according to the call information.
The attack content of the process can be determined from the call information. If, from the functions the process called, the attack is determined to be a modification of a memory address, then the original address information of that memory address, the modified address information after the modification, and so on are determined from the parameters and other information of those functions. The attack content so determined can then be restored: the memory address is restored from the modified address information to the original address information, which reduces the impact of the attack and protects the security of the device.
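Determining the attack content from the call information and restoring it, as described for steps S103 and S204, as an added example that is not the patent's code. The recorded write calls, their argument layout (address, value before the write, value written) and the memory snapshot are constructed assumptions. It goes a little beyond the text by handling two writes to the same address, where the true original value is the one recorded before the first write, and by refusing to restore an address whose present value no longer matches the recorded modification.

```python
# Added example (not the patent's own code): determine the attack content of a
# frozen process from its recorded call information, then restore it. Call
# records, write-function names and the memory snapshot are constructed
# assumptions; a real implementation would take them from the saved context.
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    func: str        # function the process called
    args: tuple      # parameters recorded with the call


# Assumed names of recorded functions that write a memory address; each such
# record carries (address, value before the write, value written).
WRITE_FUNCS = {"write_kernel_addr", "write_user_addr"}


def determine_attack_content(calls):
    """Return [(address, original value, current modified value)] for every
    address the process modified. The first write to an address holds the true
    original value; later writes to the same address must not displace it."""
    originals, current = {}, {}
    for rec in calls:
        if rec.func not in WRITE_FUNCS:
            continue                       # reads and other calls carry no attack content
        addr, before, after = rec.args
        originals.setdefault(addr, before)
        current[addr] = after
    return [(addr, originals[addr], current[addr]) for addr in originals]


def restore(memory, attack_content):
    """Put each modified address back to its original value. An address whose
    present value no longer matches the recorded modification is left alone and
    reported, since blindly writing it could corrupt something else."""
    restored, skipped = [], []
    for addr, original, modified in attack_content:
        if memory.get(addr) == modified:
            memory[addr] = original
            restored.append(addr)
        else:
            skipped.append(addr)
    return restored, skipped


# Constructed call information of a frozen process and a matching memory snapshot.
SAMPLE_CALLS = [
    CallRecord("read_kernel_version", ("5.4.0",)),
    CallRecord("write_kernel_addr", (0x1000, 0xAAAA, 0x0001)),
    CallRecord("write_kernel_addr", (0x1000, 0x0001, 0x0002)),   # second write, same address
    CallRecord("write_kernel_addr", (0x2000, 0xBBBB, 0xDEAD)),
]
SAMPLE_MEMORY = {0x1000: 0x0002, 0x2000: 0xDEAD, 0x3000: 0xCCCC}


def run_sample():
    memory = dict(SAMPLE_MEMORY)
    content = determine_attack_content(SAMPLE_CALLS)
    restored, skipped = restore(memory, content)
    return content, restored, skipped, memory


if __name__ == "__main__":
    content, restored, skipped, memory = run_sample()
    print("attack content:", [(hex(a), hex(o), hex(m)) for a, o, m in content])
    print("restored:", [hex(a) for a in restored], "skipped:", [hex(a) for a in skipped])
    print("memory after:", {hex(k): hex(v) for k, v in memory.items()})
```

Restoring in place only when the current value still equals the recorded modification is the check that keeps this safe on a process frozen mid-attack: if something else has touched the address since, the mismatch is reported for analysis rather than silently overwritten.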
Further, this embodiment also includes the following step:
Step S205: report the process event information of the process to the server, and obtain the processing policy for the process issued by the server in order to update the detection conditions.
After the user-mode layer detects a suspicious process intruding into the kernel, it monitors the process and records process event information such as the suspicious system-call sequence during its execution, the suspicious information about the process, the process name and the device version. After the kernel-mode layer detects a confirmed process intruding into the kernel, it sends process event information such as the rule the process triggered and the pid/uid/tgid related to the process to the user-mode layer. The user-mode layer reports the process event information to the server, for instance through a third-party program such as a cloud interface, and the server analyses the information to determine the corresponding processing policy. According to the processing policy issued by the server, the suspicious-attack and confirmed-attack (determined-attack) detection conditions are updated; continuously updating the detection conditions improves detection accuracy and keeps pace with the attack behaviour of processes intruding into the kernel.
Further, when the behaviour of a process is not covered by the detection conditions and it cannot be determined whether it is a ROOT attack, or when a process intrudes into the kernel to attack ROOT without being detected, the user-mode layer collects process event information such as the process's system-call sequence, the device version and the application list, reports it to the server, and obtains the corresponding process processing policy from the server's analysis for follow-up handling. The detection conditions are updated according to that policy, which keeps them up to date in real time and copes with the differing attack behaviours of processes intruding into the kernel.
According to the kernel intrusion defense method provided by this embodiment, the intrusion-kernel detection system sets up multi-level detection at different module layers of the device, each level corresponding to different detection conditions, and determines from the results of the multi-level detection whether the process is intruding into the kernel. The method can effectively detect the attack behaviour of a process before or while it attacks ROOT, so that the process can be prevented from executing and from intruding into the kernel. Once the process is confirmed, it is frozen and the call information related to it is acquired so that its attack content can be restored, reducing the impact of the attack on the device.
FIG. 3 shows a functional block diagram of an apparatus for defending against kernel intrusion according to one embodiment of the invention. As shown in FIG. 3, the apparatus comprises the following modules:
The detection module 310 is adapted to detect the process with the intrusion-kernel detection system and judge whether it is a process intruding into the kernel.
The freezing module 320 is adapted to freeze the process and acquire the call information related to it if the detection module judges that the process is intruding into the kernel.
The restoring module 330 is adapted to determine and restore the attack content of the process according to the call information.
Optionally, the intrusion-kernel detection system comprises the following modules: an extraction module 340, a multi-level detection module 350 and a determination module 360.
The extraction module 340 is adapted to extract the characteristic information of a process intruding into the kernel as it attacks ROOT and to determine the detection conditions corresponding to that characteristic information; the detection conditions comprise suspicious-attack detection conditions and confirmed-attack (determined-attack) detection conditions.
The multi-level detection module 350 is adapted to set up multi-level detection at different module layers of the device to detect the process, each level corresponding to different detection conditions.
The determination module 360 is adapted to determine whether the process is a process intruding into the kernel according to the results of the multi-level detection.
Optionally, the multi-level detection module 350 is further adapted to set the suspicious-attack detection conditions for the user-mode layer and the confirmed-attack detection conditions for the kernel-mode layer.
Optionally, the determination module 360 is further adapted to check the process against the suspicious-attack detection conditions in the user-mode layer and, if the process meets them, to determine it to be a suspicious process intruding into the kernel.
Optionally, the determination module 360 is further adapted to check the process against the confirmed-attack detection conditions in the kernel-mode layer and, if the process meets them, to determine it to be a confirmed process intruding into the kernel.
Optionally, the intrusion-kernel detection system further comprises a reporting module 370.
The reporting module 370 is adapted to report the process event information of the process to the server and to obtain the process processing policy issued by the server in order to update the detection conditions.
For the description of each module, refer to the corresponding description in the method embodiments; it is not repeated here.
The application also provides a non-volatile computer storage medium storing at least one executable instruction, and the computer-executable instruction can perform the method for defending against kernel intrusion of any of the method embodiments.
FIG. 4 is a schematic structural diagram of a computing device according to an embodiment of the invention; the specific embodiment does not limit the concrete implementation of the computing device.
As shown in FIG. 4, the computing device may comprise a processor 402, a communications interface 404, a memory 406 and a communications bus 408, where:
the processor 402, the communications interface 404 and the memory 406 communicate with one another over the communications bus 408;
the communications interface 404 communicates with network elements of other devices, such as clients or other servers;
the processor 402 executes the program 410, and in particular may perform the relevant steps of the kernel intrusion defense method embodiment described above.
In particular, program 410 may comprise program code including computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention. The computing device comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 stores the program 410. It may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically cause the processor 402 to perform the method for defending against kernel intrusion of any of the method embodiments described above. For the specific implementation of each step of program 410, refer to the corresponding steps and the descriptions of the corresponding units in the kernel intrusion defense embodiments; they are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may be found in the corresponding process descriptions of the foregoing method embodiments, and are not repeated here.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the apparatus for defending against kernel intrusion according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, et cetera, does not indicate any ordering; these words may be interpreted as names.
The invention discloses: A1. A method of defending against kernel intrusion, comprising:
detecting a process by using an intrusion kernel detection system, and judging whether the process is a process invading the kernel;
if so, freezing the process and acquiring the call information related to the process;
and determining and restoring the attack content of the process according to the call information.
A2. The method according to A1, wherein detecting the process by using the intrusion kernel detection system specifically comprises:
setting multi-stage detection on different module layers of the device to detect the process, wherein each stage of detection corresponds to a different detection condition; the detection conditions are determined according to characteristic information of the ROOT attack behavior of processes invading the kernel, and comprise suspicious attack detection conditions and determined attack detection conditions;
and determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection.
A3. The method according to A2, wherein the suspicious attack detection condition includes one or more of the following detections:
whether the number of processes created within a time window is larger than a preset threshold and the processes race against each other; whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers kernel warning information; whether the process calls a specified system call; whether the process causes a system call parameter exception; whether the process calls a specified system function to carry out heap spraying and memory layout; and/or whether the number of specified ports created by the process within the time window is larger than a preset threshold;
and the determined attack detection condition includes one or more of the following detections: whether the process modifies a permission-related data structure; whether the process modifies the access address range; whether the process reads and writes an arbitrary address by using a feature of the pipe system call; whether the process modifies a kernel memory attribute; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
A4. The method according to A2, wherein the different module layers of the device include a user mode layer and a kernel mode layer;
and setting multi-stage detection on different module layers of the device to detect the process further comprises:
setting the suspicious attack detection condition for the user mode layer, and setting the determined attack detection condition for the kernel mode layer.
A5. The method according to A4, wherein determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection further comprises:
detecting the process at the user mode layer according to the suspicious attack detection condition;
and if the process meets the suspicious attack detection condition, determining that the process is a suspicious process invading the kernel.
A6. The method according to A4, wherein determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection further comprises:
detecting the process at the kernel mode layer according to the determined attack detection condition;
and if the process meets the determined attack detection condition, determining that the process is a determined process invading the kernel.
A7. The method according to A5 or A6, wherein detecting the process by using the intrusion kernel detection system further comprises:
reporting the process event information of the process to a server, and acquiring a process handling strategy issued by the server so as to update the detection conditions.
The invention also discloses: B8. An apparatus for defending against kernel intrusion, comprising:
a detection module adapted to detect a process by using an intrusion kernel detection system and to judge whether the process is a process invading the kernel;
a freezing module adapted to freeze the process and acquire the call information related to the process if the detection module judges that the process is a process invading the kernel;
and a restoring module adapted to determine and restore the attack content of the process according to the call information.
B9. The apparatus according to B8, wherein the intrusion kernel detection system comprises:
an extraction module adapted to extract characteristic information of the ROOT attack behavior of processes invading the kernel and to determine the corresponding detection conditions, wherein the detection conditions include suspicious attack detection conditions and determined attack detection conditions;
a multi-stage detection module adapted to set multi-stage detection on different module layers of the device to detect the process, wherein each stage of detection corresponds to a different detection condition;
and a determination module adapted to determine whether the process is a process invading the kernel according to the detection result of the multi-stage detection.
B10. The apparatus according to B9, wherein the suspicious attack detection condition includes one or more of the following detections:
whether the number of processes created within a time window is larger than a preset threshold and the processes race against each other; whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers kernel warning information; whether the process calls a specified system call; whether the process causes a system call parameter exception; whether the process calls a specified system function to carry out heap spraying and memory layout; and/or whether the number of specified ports created by the process within the time window is larger than a preset threshold;
and the determined attack detection condition includes one or more of the following detections: whether the process modifies a permission-related data structure; whether the process modifies the access address range; whether the process reads and writes an arbitrary address by using a feature of the pipe system call; whether the process modifies a kernel memory attribute; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
B11. The apparatus according to B9, wherein the different module layers of the device include a user mode layer and a kernel mode layer;
and the multi-stage detection module is further adapted to set the suspicious attack detection condition for the user mode layer and the determined attack detection condition for the kernel mode layer.
B12. The apparatus according to B11, wherein the determination module is further adapted to detect the process at the user mode layer according to the suspicious attack detection condition;
and, if the process meets the suspicious attack detection condition, to determine that the process is a suspicious process invading the kernel.
B13. The apparatus according to B11, wherein the determination module is further adapted to detect the process at the kernel mode layer according to the determined attack detection condition;
and, if the process meets the determined attack detection condition, to determine that the process is a determined process invading the kernel.
B14. The apparatus according to B12 or B13, wherein the intrusion kernel detection system further comprises:
a reporting module adapted to report the process event information of the process to a server and to acquire a process handling strategy issued by the server so as to update the detection conditions.
The invention also discloses: C15. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
and the memory is used for storing at least one executable instruction, the executable instruction causing the processor to execute the operations corresponding to the method of defending against kernel intrusion according to any one of A1-A7.
The invention also discloses: D16. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of defending against kernel intrusion according to any one of A1-A7.
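The two-stage verdict of A2 to A6 (suspicious conditions evaluated on user-mode events, determined conditions on kernel-mode events) together with the freeze-and-collect step of A1, as an added example written for this page and not code from the patent. The event schema (`t`, `pid`, `layer`, `kind`), the condition names, the time window, the thresholds and the placeholder system call names are assumptions, and the freeze is simulated by a flag on the per-process report.

```python
"""Two-stage (user-mode, then kernel-mode) classifier for kernel-intrusion events.
Added example, not the patent's code: the event schema, condition names, window and
thresholds are assumptions; the verdict and freeze-and-collect logic follow A1-A6."""
from collections import defaultdict

POLICY = {  # assumed values; the patent leaves window and thresholds unspecified
    "window_seconds": 5.0,
    "max_children_in_window": 50,
    "max_ports_in_window": 100,
    "watched_syscalls": {"placeholder_syscall_a", "placeholder_syscall_b"},
}
USER_MODE_CONDITIONS = {  # stage 1: suspicious-attack conditions by sensor event kind
    "cpu_affinity_bound": "binds thread to a specified CPU",
    "kernel_version_read": "reads kernel version",
    "system_crash_restart": "causes system crash and restart",
    "kernel_warning": "triggers kernel warning information",
    "syscall_param_anomaly": "causes system call parameter exception",
    "heap_spray": "heap spraying / memory layout via specified function",
}
KERNEL_MODE_CONDITIONS = {  # stage 2: determined-attack conditions; one hit confirms
    "perm_struct_modified": "modifies permission-related data structure",
    "addr_range_modified": "modifies access address range",
    "pipe_arbitrary_rw": "arbitrary address read/write via pipe system call",
    "kernel_mem_attr_modified": "modifies kernel memory attribute",
    "malicious_node_called": "calls a registered malicious node",
    "pointer_to_writable": "points specific pointer at a non-read-only segment",
    "security_policy_modified": "modifies security policy configuration file",
}

def _add(hits, pid, desc):  # record each condition once per pid, first-seen order
    if desc not in hits[pid]:
        hits[pid].append(desc)

def _burst(times, now, window):  # sliding-window counter: add `now`, drop stale entries
    times.append(now)
    while now - times[0] > window:
        times.pop(0)
    return len(times)

def run_detection(events, policy=POLICY):
    """Return (suspicious, determined): {pid: [conditions met]} for each stage."""
    suspicious, determined = defaultdict(list), defaultdict(list)
    spawns, ports = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        pid, kind, win = ev["pid"], ev["kind"], policy["window_seconds"]
        if ev["layer"] == "kernel":  # stage 2 runs on kernel-mode hook events
            if kind in KERNEL_MODE_CONDITIONS:
                _add(determined, pid, KERNEL_MODE_CONDITIONS[kind])
        elif kind in USER_MODE_CONDITIONS:  # stage 1 runs on user-mode sensor events
            _add(suspicious, pid, USER_MODE_CONDITIONS[kind])
        elif kind == "syscall" and ev.get("name") in policy["watched_syscalls"]:
            _add(suspicious, pid, "calls specified system call " + ev["name"])
        elif kind == "process_create" and ev.get("racing"):
            if _burst(spawns[pid], ev["t"], win) > policy["max_children_in_window"]:
                _add(suspicious, pid, "process-creation burst with race condition")
        elif kind == "port_create":
            if _burst(ports[pid], ev["t"], win) > policy["max_ports_in_window"]:
                _add(suspicious, pid, "specified-port creation burst")
    return suspicious, determined

def classify(events, policy=POLICY):
    """Per-pid verdict: benign, suspicious or determined. A determined process is
    frozen (flag) and its call information (event trace) is kept for restoration."""
    suspicious, determined = run_detection(events, policy)
    verdicts = {}
    for pid in sorted({e["pid"] for e in events}):
        r = {"verdict": "benign", "conditions": [], "frozen": False, "call_info": []}
        if pid in suspicious:
            r["verdict"], r["conditions"] = "suspicious", list(suspicious[pid])
        if pid in determined:
            r["verdict"], r["frozen"] = "determined", True
            r["conditions"] += determined[pid]
            r["call_info"] = [(e["t"], e["layer"], e["kind"])
                              for e in sorted(events, key=lambda e: e["t"]) if e["pid"] == pid]
        verdicts[pid] = r
    return verdicts

def _ev(t, pid, layer, kind, **extra):  # constructed sample event, not real telemetry
    return {"t": t, "pid": pid, "layer": layer, "kind": kind, **extra}
SAMPLE_EVENTS = [
    _ev(0.0, 101, "user", "syscall", name="read"),  # ordinary process, stays benign
    _ev(0.5, 202, "user", "kernel_version_read"), _ev(0.6, 202, "user", "cpu_affinity_bound"),
    _ev(1.0, 303, "user", "heap_spray"), _ev(1.2, 303, "user", "syscall", name="placeholder_syscall_a"),
    _ev(1.5, 303, "kernel", "perm_struct_modified"),  # stage-2 hit: process 303 is frozen
] + [_ev(2.0 + i * 0.01, 404, "user", "process_create", racing=True) for i in range(60)]
```

Passing a modified copy of `POLICY` to `classify` models the server-issued handling strategy of A7 updating the thresholds.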

Claims (10)

1. A method of defending against kernel intrusion, comprising:
detecting a process by using an intrusion kernel detection system, and judging whether the process is a process invading the kernel;
if so, freezing the process and acquiring the call information related to the process;
and determining and restoring the attack content of the process according to the call information.
2. The method according to claim 1, wherein detecting the process by using the intrusion kernel detection system specifically comprises:
setting multi-stage detection on different module layers of the device to detect the process, wherein each stage of detection corresponds to a different detection condition; the detection conditions are determined according to characteristic information of the ROOT attack behavior of processes invading the kernel, and comprise suspicious attack detection conditions and determined attack detection conditions;
and determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection.
3. The method according to claim 2, wherein the suspicious attack detection condition comprises one or more of the following detections:
whether the number of processes created within a time window is larger than a preset threshold and the processes race against each other; whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers kernel warning information; whether the process calls a specified system call; whether the process causes a system call parameter exception; whether the process calls a specified system function to carry out heap spraying and memory layout; and/or whether the number of specified ports created by the process within the time window is larger than a preset threshold;
and the determined attack detection condition comprises one or more of the following detections: whether the process modifies a permission-related data structure; whether the process modifies the access address range; whether the process reads and writes an arbitrary address by using a feature of the pipe system call; whether the process modifies a kernel memory attribute; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
4. The method according to claim 2, wherein the different module layers of the device include a user mode layer and a kernel mode layer;
and setting multi-stage detection on different module layers of the device to detect the process further comprises:
setting the suspicious attack detection condition for the user mode layer, and setting the determined attack detection condition for the kernel mode layer.
5. The method according to claim 4, wherein determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection further comprises:
detecting the process at the user mode layer according to the suspicious attack detection condition;
and if the process meets the suspicious attack detection condition, determining that the process is a suspicious process invading the kernel.
6. The method according to claim 4, wherein determining whether the process is a process invading the kernel according to the detection result of the multi-stage detection further comprises:
detecting the process at the kernel mode layer according to the determined attack detection condition;
and if the process meets the determined attack detection condition, determining that the process is a determined process invading the kernel.
7. The method according to claim 5 or 6, wherein detecting the process by using the intrusion kernel detection system further comprises:
reporting the process event information of the process to a server, and acquiring a process handling strategy issued by the server so as to update the detection conditions.
8. An apparatus for defending against kernel intrusion, comprising:
a detection module adapted to detect a process by using an intrusion kernel detection system and to judge whether the process is a process invading the kernel;
a freezing module adapted to freeze the process and acquire the call information related to the process if the detection module judges that the process is a process invading the kernel;
and a restoring module adapted to determine and restore the attack content of the process according to the call information.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
and the memory is used for storing at least one executable instruction, the executable instruction causing the processor to execute the operations corresponding to the method of defending against kernel intrusion according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of defending against kernel intrusion according to any one of claims 1-7.
CN201910691010.7A 2019-07-29 2019-07-29 Kernel intrusion prevention method and device, computing equipment and computer storage medium Pending CN112307469A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910691010.7A CN112307469A (en) 2019-07-29 2019-07-29 Kernel intrusion prevention method and device, computing equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN112307469A true CN112307469A (en) 2021-02-02

Family

ID=74328950

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989323A (en) * 2021-02-03 2021-06-18 成都欧珀通信科技有限公司 Process detection method, device, terminal and storage medium
CN112989323B (en) * 2021-02-03 2024-02-13 成都欧珀通信科技有限公司 Process detection method, device, terminal and storage medium
CN116956310A (en) * 2023-09-21 2023-10-27 腾讯科技(深圳)有限公司 Vulnerability protection method, device, equipment and readable storage medium
CN116956310B (en) * 2023-09-21 2023-12-29 腾讯科技(深圳)有限公司 Vulnerability protection method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination