CN115795457A - Trojan horse program monitoring method and device, computing equipment and storage medium - Google Patents


Info

Publication number
CN115795457A
Authority
CN
China
Prior art keywords
abnormal
abnormal process
program
trojan
operating system
Legal status
Pending
Application number
CN202211387093.9A
Other languages
Chinese (zh)
Inventor
曹佩庆
孟杰
Current Assignee
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd

Abstract

The invention discloses a Trojan horse program monitoring method, a Trojan horse program monitoring device, a computing device and a storage medium. The method is executed in the computing device and comprises the following steps: detecting whether a key file path of the operating system has changed and, if so, acquiring the caller process that triggered the change as a first abnormal process; acquiring the process with the highest system resource occupation among the one or more processes running on the operating system as a second abnormal process; and performing feature matching on the first abnormal process and the second abnormal process to determine whether they are Trojan programs. According to the technical scheme of the invention, rapid response and alerting can be achieved for Trojan horse programs including mining programs.

Description

Trojan horse program monitoring method and device, computing equipment and storage medium
Technical Field
The present invention relates to the technical field of computers and operating systems, and in particular, to a Trojan horse program monitoring method, a monitoring apparatus, a computing device, and a storage medium.
Background
At present, with the development of technologies and products such as virtual-currency blockchains and the continuing rise in the value of virtual currency, hosts inside enterprises are frequently implanted with mining Trojans that consume server resources for mining, and such implants are hard to guard against.
In the prior art, because a mining program usually occupies a large amount of system and network resources, a manual inspection scheme is adopted: abnormal conditions on the enterprise's internal hosts, such as multiple hosts hanging, fans running at full speed, online business or services frequently becoming unresponsive, and internal network congestion, are inspected in combination with experience. If the abnormality persists even after the system and programs have been repeatedly restarted and cleaned, infection by a malicious mining program must be considered. This manual inspection scheme depends too heavily on the inspector's level of experience and consumes manpower.
For this reason, a Trojan horse program monitoring method is needed to solve the problems existing in the above-mentioned solutions.
Disclosure of Invention
Therefore, the present invention provides a monitoring method and a monitoring device for Trojan horse programs, so as to solve or at least alleviate the above problems.
According to an aspect of the present invention, there is provided a Trojan horse program monitoring method, executed in a computing device, where an operating system runs, the method comprising: detecting whether a key file path of the operating system is changed or not, and if so, acquiring a caller process triggering the key file path to be changed as a first abnormal process; acquiring a process with the highest system resource occupation from one or more processes running on the operating system as a second abnormal process; and performing feature matching on the first abnormal process and the second abnormal process to determine whether the first abnormal process and the second abnormal process are Trojan programs or not.
Optionally, in the method for monitoring a trojan horse program according to the present invention, obtaining a process with the highest system resource occupancy from one or more processes running on an operating system includes: and acquiring a process with the highest system resource occupation from one or more processes running on the operating system based on a preset time interval.
Optionally, in the method for monitoring a trojan program according to the present invention, acquiring a process with the highest system resource occupation as a second abnormal process includes: judging whether the resource occupancy rate of the process with the highest system resource occupancy reaches a preset resource occupancy rate; and if so, taking the process with the highest system resource occupation as a second abnormal process.
Optionally, in the method for monitoring a trojan horse program according to the present invention, acquiring a process with the highest system resource occupancy includes: and acquiring the process with the highest CPU resource occupation or the highest storage resource occupation.
Optionally, in the Trojan horse program monitoring method according to the present invention, the method further comprises: acquiring a key file path of the operating system; and calculating the digest value of the key file path and backing up the digest value.
Optionally, in the method for monitoring a trojan program according to the present invention, performing feature matching on the first exception process and the second exception process to determine whether the first exception process and the second exception process are the trojan program includes: judging whether the first abnormal process and the second abnormal process initiate abnormal network connection or not; if the abnormal network connection is initiated, judging whether the abnormal network connection is encrypted by adopting a preset protocol or not, and judging whether an exchange certificate in the encryption process is a certificate in a Trojan program feature library or not; if yes, determining that the first abnormal process and the second abnormal process are Trojan programs.
Optionally, in the method for monitoring a Trojan horse program according to the present invention, the Trojan horse program is a mining program, and determining whether the certificate exchanged during encryption is a known certificate in the Trojan horse program feature library includes: judging whether the exchanged certificate is a mining pool certificate in the mining program feature library, and judging whether the target mining pool IP (Internet Protocol address) with which the mining program has the abnormal network connection belongs to the mining pool IP address pool in the mining program feature library; and if so, determining that the first abnormal process and the second abnormal process are the mining program.
Optionally, in the method for monitoring a trojan program according to the present invention, performing feature matching on the first exception process and the second exception process to determine whether the first exception process and the second exception process are the trojan program, further includes: performing file feature matching on the calling files of the first abnormal process and the second abnormal process to determine whether the calling files contain Trojan horse program feature files or not; and if the calling file contains the Trojan program feature file, determining that the first abnormal process and the second abnormal process are Trojan programs.
According to an aspect of the present invention, there is provided a monitoring apparatus residing in a computing device having an operating system running therein, the apparatus comprising: the detection module is suitable for detecting whether a key file path of the operating system is changed or not, and if so, acquiring a caller process triggering the key file path to be changed as a first abnormal process; the acquisition module is suitable for acquiring a process with the highest system resource occupation from one or more processes running on the operating system as a second abnormal process; and the characteristic matching module is suitable for performing characteristic matching on the first abnormal process and the second abnormal process so as to determine whether the first abnormal process and the second abnormal process are Trojan horse programs or not.
According to an aspect of the invention, there is provided a computing device comprising: at least one processor; a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the Trojan horse program monitoring method as described above.
According to an aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the Trojan horse program monitoring method as described above.
According to the technical scheme of the invention, a Trojan program monitoring method is provided in which the operating system's key file paths are checked for changes, the caller process that triggered a change is taken as an abnormal process, and the process with the highest system resource occupation is also taken as an abnormal process. Each abnormal process, which may be a Trojan program, is then feature-matched by a feature matching module to determine whether it is a Trojan program, so that an alarm can be raised for it. By detecting changes to file paths and the resource occupation of processes and then performing feature matching, the invention can quickly screen out Trojan programs including mining programs, and thus monitors them automatically while consuming few system resources, enabling rapid response and alerting.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention;
fig. 2 and fig. 3 respectively show a flow chart of a Trojan horse program monitoring method 200 according to an embodiment of the present invention;
fig. 4 shows a schematic view of a monitoring device 400 according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention. As shown in FIG. 1, in a basic configuration, computing device 100 includes at least one processing unit 102 and system memory 104. According to one aspect, the processing unit 102 may be implemented as a processor depending on the configuration and type of computing device. The system memory 104 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. In accordance with one aspect, an operating system 105 is included in system memory 104.
According to one aspect, the operating system 105 is, for example, adapted to control the operation of the computing device 100. Further, the examples are practiced in conjunction with a graphics library, other operating systems, or any other application program, and are not limited to any particular application or system. This basic configuration is illustrated in fig. 1 by those components within the dashed line. According to one aspect, computing device 100 has additional features or functionality. For example, according to one aspect, computing device 100 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 1 by removable storage device 109 and non-removable storage device 110.
As stated hereinabove, according to one aspect, a program module 103 is stored in the system memory 104. According to one aspect, the program modules 103 may include one or more applications, the invention not being limited to the type of application, for example, the applications may include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided applications, web browser applications, and the like. In an embodiment according to the invention, the application in the program module 103 may comprise a monitoring apparatus 400, the monitoring apparatus 400 being configured to perform the Trojan horse program monitoring method 200 of the invention.
According to one aspect, examples may be practiced in a circuit comprising discrete electronic elements, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, an example may be practiced via a system on a chip (SOC) in which each or many of the components shown in fig. 1 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functionality described herein may be operated via application-specific logic integrated with other components of the computing device 100 on the single integrated circuit (chip). Embodiments of the invention may also be practiced using other technologies capable of performing logical operations (e.g., AND, OR, and NOT), including but not limited to mechanical, optical, fluidic, and quantum technologies. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuits or systems.
According to one aspect, computing device 100 may also have one or more input devices 112, such as a keyboard, mouse, pen, voice input device, touch input device, or the like. Output device(s) 114 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 100 may include one or more communication connections 116 that allow communications with other computing devices 118. Examples of suitable communication connections 116 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel, and/or serial ports.
The term computer readable media as used herein includes computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, or program modules 103. System memory 104, removable storage 109, and non-removable storage 110 are all examples of computer storage media (i.e., memory storage). Computer storage media may include Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Read-Only Memory (EEPROM), flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture that can be used to store information and that can be accessed by the computing device 100. In accordance with one aspect, any such computer storage media may be part of computing device 100. Computer storage media does not include a carrier wave or other propagated data signal.
In accordance with one aspect, communication media is embodied by computer readable instructions, data structures, program modules 103, or other data in a modulated data signal (e.g., a carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, Radio Frequency (RF), infrared, and other wireless media.
In an embodiment according to the invention, the computing device 100 is configured to perform a Trojan horse program monitoring method 200 according to the invention. Computing device 100 includes one or more processors, and one or more readable storage media storing program instructions that, when executed by the one or more processors, cause the computing device to perform Trojan horse program monitoring method 200 in an embodiment of the invention.
According to an embodiment of the invention, the monitoring apparatus 400 of the computing device 100 is configured to perform the Trojan horse program monitoring method 200 according to the invention. Among other things, the monitoring apparatus 400 contains a plurality of program instructions for executing the Trojan horse program monitoring method 200 of the present invention, which may instruct a processor to execute the Trojan horse program monitoring method 200 according to the present invention.
Fig. 2 and fig. 3 respectively show a flow chart of a Trojan horse program monitoring method 200 according to an embodiment of the present invention. The method 200 is suitable for execution in a monitoring apparatus 400 of a computing device (the aforementioned computing device 100) in which an operating system is running.
According to one embodiment of the invention, the Trojan horse program may comprise, for example, a mining program, although the invention is not limited to a particular type of Trojan horse program.
As shown in fig. 2 and 3, method 200 includes steps 210-230.
In step 210, it is detected whether a key file path of the operating system has changed; if so, the caller process that triggered the change is acquired and taken as a first abnormal process. The operating system may have one or more such key file paths.
It should be noted that Trojan horse programs, including mining programs, usually generate special configuration files on the key file paths of the operating system or replace files on those paths. For example, a mining program may add a boot task to the operating system's cron tasks, add a self-starting task under the boot auto-start directories such as /etc/init.d/, /etc/rc/rc.local or /etc/system/, or register an SSH public key. As another example, a mining program may replace system commands on the key file path, such as netstat, ps and ls, disguising the malicious file as a system command so that it stays hidden. In addition, mining programs for storage-based algorithms generate a large number of temporary files under the /tmp directory, including the property files of the corresponding mining pools.
A Trojan horse program that generates a special configuration file on a key file path of the operating system, or performs operations such as file replacement on that path, causes the key file path to change. Based on this, in the embodiment of the present invention the key file paths of the operating system are monitored for changes; when a change is detected, the caller process that triggered it may be a Trojan program, so that caller process is taken as a first abnormal process, and the feature matching module then verifies whether the first abnormal process (the caller process) actually is a Trojan program.
In one embodiment, before step 210 is executed, after the operating system is started, a key file path of the operating system may be obtained, a digest value of the key file path may be calculated, and the digest value of the key file path may be backed up, so as to implement digital fingerprint backup of the key file path of the operating system.
Specifically, the digest value of the key file path may be calculated based on a digest algorithm, and the digest value of the key file path may be backed up and stored. It can be understood that when the key file path is changed, the digest value of the key file path is also changed.
In one implementation, the digest algorithm may be implemented, for example, as MD5, and accordingly, the digest value of the critical file path may be the MD5 value (also referred to as a "digital fingerprint") of the critical file path.
In one embodiment, the key files of the operating system include, for example, the /etc/hosts file, common system files in the /usr/bin directory, the /etc/crontab timed-task file, the /root/.ssh/authorized_keys authorized public key file, and the like.
In step 210, when it is detected that the /etc/hosts file has been rewritten or that an auto-run task has been newly added to the /etc/crontab timed-task file, it can be determined that a key file path of the operating system has changed; the caller process that triggered the change and the changed content are recorded, and that caller process is taken as the first abnormal process.
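The following is an added example of the digest backup and step 210 as described above; it is not code from the patent or from Uniontech. It assumes a constructed set of key files under a temporary directory, MD5 as the digest algorithm named in the description, and constructed file-write audit records (path, pid, command name) standing in for a real audit source such as auditd, which is how the caller process is attributed here.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed list of key file paths modelled on the ones the description names.
# A real monitor would use absolute system paths; here they are relative to a
# temporary root so the example runs without privileges.
KEY_FILE_PATHS = ["etc/hosts", "etc/crontab", "root/.ssh/authorized_keys"]


def digest_file(path: Path) -> str:
    """MD5 digest of a file's contents (the description's 'digital fingerprint').
    A missing file is recorded as the empty string, so deletion is also a change."""
    if not path.is_file():
        return ""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_digests(root: Path, key_paths) -> dict:
    """Before step 210: compute and back up the digest of every key file path."""
    return {rel: digest_file(root / rel) for rel in key_paths}


def detect_changed_paths(root: Path, baseline: dict) -> list:
    """Step 210: recompute the digests and return the key paths that differ."""
    return [rel for rel, old in baseline.items() if digest_file(root / rel) != old]


def first_abnormal_processes(changed, write_events) -> dict:
    """Attribute each changed key path to the caller process that last wrote it.

    write_events is a list of (path, pid, comm) records assumed to come from a
    file-write audit source such as auditd or fanotify; this example constructs them.
    """
    attributed = {}
    for rel in changed:
        writers = [(pid, comm) for p, pid, comm in write_events if p == rel]
        attributed[rel] = writers[-1] if writers else None
    return attributed


def demo() -> dict:
    """Build a constructed key-file tree, back up the fingerprints, simulate the
    description's example change (an auto-run task appended to crontab) and return
    the first abnormal process for each changed path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in [("etc/hosts", "127.0.0.1 localhost\n"),
                             ("etc/crontab", "# system-wide crontab\n"),
                             ("root/.ssh/authorized_keys", "")]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        baseline = backup_digests(root, KEY_FILE_PATHS)

        with (root / "etc/crontab").open("a") as f:
            f.write("* * * * * root /tmp/.hidden/task\n")   # constructed change
        events = [("etc/crontab", 4242, "unknown_bin")]     # constructed audit record

        changed = detect_changed_paths(root, baseline)
        return first_abnormal_processes(changed, events)


if __name__ == "__main__":
    print(demo())
```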
In step 220, a process with the highest system resource occupancy is obtained from one or more processes running on the operating system, and the process with the highest system resource occupancy is taken as a second abnormal process.
Specifically, the process with the highest system resource occupation may be obtained from the one or more processes running on the operating system at a predetermined time interval. The process with the highest system resource occupation may be, for example, the process with the highest CPU occupation or the process with the highest storage resource occupation, the latter being the process that issues disk I/O most frequently.
It should be noted that because Trojan programs including mining programs consume a large amount of the system's computing power or storage capacity, when such a program runs on the operating system it manifests as an abnormal process occupying a large share of the system's CPU or storage resources for a long time.
Based on this, in an embodiment of the present invention, the process with the highest system resource occupation in each predetermined time interval is counted by timing sampling, and the process with the highest system resource occupation determined by the statistics may be a trojan program, so that the process with the highest system resource occupation in each predetermined time interval may be used as a second abnormal process, and it is necessary to further verify whether the second abnormal process (the process with the highest system resource occupation) is the trojan program by using the feature matching module.
In one embodiment, information such as a predetermined resource occupancy rate and a predetermined resource occupancy duration may be configured in advance for the abnormal resource occupation condition and written to a configuration file. After the process with the highest system resource occupancy is acquired from the processes running on the operating system at each predetermined time interval, whether its resource occupancy rate reaches the predetermined resource occupancy rate can be judged on the basis of the configuration file, and if it does, that process can be taken as a second abnormal process. Further, whether the duration of that process's resource occupation reaches the predetermined duration can also be judged, and if it does, the process can be taken as a second abnormal process.
In step 230, the abnormal process (the first abnormal process, the second abnormal process) may be feature-matched by the feature matching module to determine whether the abnormal process (the first abnormal process, the second abnormal process) is the trojan horse program. Here, the abnormal process may include a caller process (a first abnormal process) which triggers the change of the critical file path and a process (a second abnormal process) which occupies the highest system resource, which are obtained in the foregoing. That is, for both the first and second abnormal processes determined as described above, step 230 may be performed to perform feature matching on the abnormal process to determine whether the abnormal process is a trojan program.
If the feature matching module determines that the first abnormal process and the second abnormal process are Trojan programs, an alarm can be raised for them, so that rapid response and alerting for Trojan programs including mining programs is achieved.
In one embodiment, the performing of the feature matching on the abnormal process (the first abnormal process, the second abnormal process) may be performing file feature matching on a call file of the abnormal process (the first abnormal process, the second abnormal process) to determine whether the call file contains a trojan program feature file (a binary feature file). If the calling file of the abnormal process (the first abnormal process and the second abnormal process) contains the Trojan horse program feature file, the abnormal process (the first abnormal process and the second abnormal process) can be determined to be the Trojan horse program.
In addition, the network connections of Trojan programs including mining programs are usually encrypted, that is, they perform encrypted communication, and the encryption may use a predetermined protocol, for example TLS (Transport Layer Security), to establish an encrypted data channel. For example, a mining program must connect to a mining pool over the network so that the pool can coordinate the mining with the contributed computing power; the mining program uses a TLS certificate in its encrypted communication with the pool, and the IP addresses of public mining pools are known.
Based on this, in one embodiment, feature matching of the abnormal process may also include encrypted-communication feature matching. Specifically, the abnormal processes (the first abnormal process and the second abnormal process) may be feature-matched as follows: judge whether the abnormal process initiates an abnormal network connection; if it does, judge whether the abnormal network connection is encrypted with a predetermined protocol, and judge whether the certificate exchanged during the encryption handshake is a known certificate in the Trojan program feature library. Here the predetermined protocol is, for example, TLS, that is, it may be determined whether the abnormal network connection is encrypted using TLS.
If the abnormal network connection is encrypted with the predetermined protocol and the certificate exchanged during encryption is a known certificate in the Trojan program feature library, the abnormal processes (the first abnormal process and the second abnormal process) can be determined to be Trojan programs.
In one embodiment, the Trojan program is, for example, a mining program, and accordingly the Trojan program feature library may be implemented as a mining program feature library. The mining program may establish an abnormal network connection with a target mining pool.
Judging whether the certificate exchanged during encryption is a known certificate in the Trojan program feature library may specifically be implemented as follows: judge whether the exchanged certificate is a known mining pool certificate in the mining program feature library, and judge whether the IP of the target mining pool with which the mining program has established the abnormal network connection belongs to the mining pool IP address pool in the mining program feature library. If the exchanged certificate is a known mining pool certificate in the library and the target pool IP belongs to the pool IP address pool in the library, the abnormal processes (the first abnormal process and the second abnormal process) are determined to be the mining program.
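The following added example covers step 220 (selecting the second abnormal process from sampled resource occupancy with a configured rate threshold and duration) and step 230 (feature matching against a mining program feature library) together; it is not code from the patent or from Uniontech. The configuration values, the feature library entries (a placeholder certificate fingerprint, TEST-NET-3 pool addresses, a constructed binary feature substring) and the process records are all constructed, and the first abnormal process pid is taken as already known from step 210.

```python
# Constructed values for the description's configuration file: the predetermined
# resource occupancy rate, the predetermined occupancy duration and the sampling interval.
CONFIG = {"cpu_threshold_pct": 80.0, "min_duration_s": 300, "sample_interval_s": 60}

# Constructed Trojan (mining) program feature library. Every entry is a placeholder:
# the certificate fingerprint is invented and the IPs come from the TEST-NET-3 range.
FEATURE_LIB = {
    "pool_cert_fingerprints": {"sha256:CONSTRUCTED-POOL-CERT-0001"},
    "pool_ip_pool": {"203.0.113.10", "203.0.113.11"},
    "file_features": [b"stratum+tcp://"],   # constructed substring feature for a miner binary
}


def second_abnormal_processes(samples, cfg) -> set:
    """Step 220: samples holds one (pid, cpu_pct) record per sampling interval, the
    process with the highest CPU occupancy in that interval. A pid becomes a second
    abnormal process once it has stayed at or above the rate threshold for the
    configured duration in consecutive intervals."""
    streak = {}
    flagged = set()
    for pid, pct in samples:
        if pct < cfg["cpu_threshold_pct"]:
            streak.clear()          # nobody is above the threshold this interval
            continue
        streak = {pid: streak.get(pid, 0) + 1}   # any other pid's streak is broken
        if streak[pid] * cfg["sample_interval_s"] >= cfg["min_duration_s"]:
            flagged.add(pid)
    return flagged


def match_encrypted_connection(conn, lib) -> bool:
    """Encrypted-communication feature matching: the connection uses TLS, the exchanged
    certificate is a known pool certificate and the peer is in the pool IP address pool."""
    return (conn.get("protocol") == "TLS"
            and conn.get("peer_cert_fp") in lib["pool_cert_fingerprints"]
            and conn.get("dst_ip") in lib["pool_ip_pool"])


def match_called_file(exe_bytes, lib) -> bool:
    """File feature matching on the abnormal process's called file (its binary)."""
    return any(feature in exe_bytes for feature in lib["file_features"])


def feature_match(abnormal, lib) -> dict:
    """Step 230: each record is {'pid', 'exe_bytes', 'connections'}; returns pid -> verdict.
    Either a network feature match or a file feature match is enough to raise the alarm."""
    verdicts = {}
    for proc in abnormal:
        net = any(match_encrypted_connection(c, lib) for c in proc["connections"])
        fil = match_called_file(proc["exe_bytes"], lib)
        verdicts[proc["pid"]] = "trojan" if (net or fil) else "not matched"
    return verdicts


def demo() -> dict:
    # Constructed sampling series: pid 1001 holds the CPU for six intervals (360 s),
    # pid 2002 for only two (120 s), so only 1001 meets the 300 s duration.
    samples = [(1001, 97.0)] * 6 + [(2002, 88.0)] * 2 + [(3003, 12.0)]
    second = second_abnormal_processes(samples, CONFIG)
    first = {4242}   # caller process from step 210, assumed already determined

    # Constructed process records for the abnormal candidates.
    records = {
        1001: {"pid": 1001,
               "exe_bytes": b"\x7fELF\x02...stratum+tcp://pool.example:3333...",
               "connections": [{"protocol": "TLS",
                                "peer_cert_fp": "sha256:CONSTRUCTED-POOL-CERT-0001",
                                "dst_ip": "203.0.113.10"}]},
        4242: {"pid": 4242,
               "exe_bytes": b"\x7fELF\x02...",
               "connections": [{"protocol": "TLS",
                                "peer_cert_fp": "sha256:CONSTRUCTED-OTHER-CERT",
                                "dst_ip": "198.51.100.7"}]},
    }
    candidates = [records[pid] for pid in sorted(first | second)]
    return feature_match(candidates, FEATURE_LIB)


if __name__ == "__main__":
    print(demo())
```

Pid 4242 is kept as a candidate only because step 210 flagged it; without a certificate or file match it is not reported, which is the verification the description requires before an alarm.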
Fig. 4 shows a schematic view of a monitoring device 400 according to an embodiment of the invention. The monitoring apparatus 400 resides in a computing device (e.g., the aforementioned computing device 100) in which an operating system runs. The monitoring apparatus 400 is adapted to perform the Trojan horse program monitoring method 200 of the present invention.
As shown in fig. 4, the monitoring apparatus 400 includes a detection module 410, an acquisition module 420, and a feature matching module 430, which are connected in communication in sequence.
The detection module 410 is adapted to detect whether a key file path of the operating system is changed, and if so, to obtain the caller process triggering the key file path to be changed as a first abnormal process. The acquisition module 420 is adapted to obtain the process with the highest system resource occupation from one or more processes running on the operating system as a second abnormal process. The feature matching module 430 is adapted to perform feature matching on the first abnormal process and the second abnormal process to determine whether the first abnormal process and the second abnormal process are Trojan programs.
It should be noted that the detection module 410 is configured to perform the aforementioned step 210, the acquisition module 420 is configured to perform the aforementioned step 220, and the feature matching module 430 is configured to perform the aforementioned step 230. Here, for the specific execution logic of the detecting module 410, the obtaining module 420, and the feature matching module 430, reference is made to the description of the steps 210 to 230 in the method 200, and details are not repeated here.
According to the Trojan program monitoring method, it is detected whether a key file path of the operating system is changed; the caller process triggering the change of the key file path is taken as an abnormal process, and the process with the highest system resource occupation is also taken as an abnormal process. For each abnormal process that may be a Trojan program, feature matching is performed by the feature matching module to determine whether it is a Trojan program, so that an alarm can be raised. In this way, the invention can quickly screen for Trojan programs, including mining programs, by detecting changes to file paths and the resource occupation of processes and then performing feature matching, thereby automatically monitoring Trojan programs including mining programs while consuming few system resources, and responding and alarming quickly.
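The two candidate-selection steps summarised above (and recited in claims 1 to 5), written out as an added example that is not the patent's own code: key file paths are digested and the digests backed up, a later digest mismatch marks the path as changed and the recorded writer becomes the first abnormal process; at each sampling interval the process with the highest CPU or storage occupation becomes the second abnormal process only if it reaches a preset occupancy threshold. File contents, the process snapshot and the path-to-writer mapping are constructed; in a real monitor they would come from disk, the process table and a file-change hook respectively.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcSample:
    """One process as seen at a sampling interval."""
    pid: int
    name: str
    cpu_pct: float   # CPU resource occupation, percent
    mem_pct: float   # storage (memory) resource occupation, percent


def digest_paths(files: dict) -> dict:
    """Backup step: SHA-256 digest per key file path (path -> content bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_paths(backup: dict, current_files: dict) -> list:
    """Key file paths whose current digest differs from the backed-up digest;
    a path that has disappeared also counts as changed."""
    changed = []
    for path, saved in backup.items():
        data = current_files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != saved:
            changed.append(path)
    return changed


def first_abnormal_processes(changed: list, last_writer: dict) -> set:
    """Caller processes that triggered the change (last_writer: path -> pid,
    assumed to be recorded by a file-change hook or audit log)."""
    return {last_writer[p] for p in changed if p in last_writer}


def second_abnormal_process(samples, cpu_threshold=80.0, mem_threshold=80.0):
    """Highest CPU or storage occupier, returned only if it reaches the preset
    occupancy threshold; otherwise no second abnormal process this interval."""
    if not samples:
        return None
    top_cpu = max(samples, key=lambda s: s.cpu_pct)
    if top_cpu.cpu_pct >= cpu_threshold:
        return top_cpu.pid
    top_mem = max(samples, key=lambda s: s.mem_pct)
    if top_mem.mem_pct >= mem_threshold:
        return top_mem.pid
    return None


# Constructed sample data.
CONSTRUCTED_ORIGINAL = {"/etc/crontab": b"# m h dom mon dow user command\n",
                        "/etc/ld.so.preload": b""}
CONSTRUCTED_CURRENT = {"/etc/crontab": b"* * * * * root /tmp/.x/run\n",
                       "/etc/ld.so.preload": b""}
CONSTRUCTED_LAST_WRITER = {"/etc/crontab": 4242}
CONSTRUCTED_SAMPLES = [ProcSample(1, "init", 0.5, 0.3),
                       ProcSample(4242, "kworkerd", 96.0, 12.0),
                       ProcSample(777, "postgres", 10.0, 30.0)]

if __name__ == "__main__":
    backup = digest_paths(CONSTRUCTED_ORIGINAL)
    changed = changed_paths(backup, CONSTRUCTED_CURRENT)
    print("first abnormal:", first_abnormal_processes(changed, CONSTRUCTED_LAST_WRITER))
    print("second abnormal:", second_abnormal_process(CONSTRUCTED_SAMPLES))
```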
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, USB flash drives, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the mobile terminal will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. The memory is configured to store program code, and the processor is configured to execute the Trojan horse program monitoring method of the present invention according to the instructions in the program code stored in the memory.
By way of example, and not limitation, readable media includes readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules 103 or other data. Communication media typically embodies computer readable instructions, data structures, program modules 103 or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may additionally be divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore, may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of means for performing the functions performed by those elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense with respect to the scope of the invention, as defined in the appended claims.

Claims (11)

1. A Trojan horse program monitoring method executed in a computing device having an operating system running therein, the method comprising:
detecting whether a key file path of the operating system is changed or not, and if so, acquiring a caller process triggering the key file path to be changed as a first abnormal process;
acquiring a process with the highest system resource occupation from one or more processes running on the operating system as a second abnormal process;
and performing feature matching on the first abnormal process and the second abnormal process to determine whether the first abnormal process and the second abnormal process are Trojan programs or not.
2. The method of claim 1, wherein obtaining a process with a highest system resource occupancy from among one or more processes running on an operating system comprises:
and acquiring the process with the highest system resource occupation from one or more processes running on the operating system based on a preset time interval.
3. The method according to claim 1 or 2, wherein the step of acquiring the process with the highest system resource occupation as the second abnormal process comprises:
judging whether the resource occupancy rate of the process with the highest system resource occupancy reaches a preset resource occupancy rate;
and if so, taking the process with the highest system resource occupation as a second abnormal process.
4. The method of any of claims 1-3, wherein obtaining a process with a highest system resource occupancy comprises:
and acquiring the process with the highest CPU resource occupation or the highest storage resource occupation.
5. The method of any one of claims 1-4, wherein the method further comprises:
acquiring a key file path of the operating system;
and calculating the digest value of the key file path and backing up the digest value.
6. The method of any one of claims 1-5, wherein feature matching the first and second exception processes to determine whether the first and second exception processes are Trojan programs comprises:
judging whether the first abnormal process and the second abnormal process initiate abnormal network connection or not;
if the abnormal network connection is initiated, judging whether the abnormal network connection is encrypted by adopting a preset protocol or not, and judging whether an exchange certificate in the encryption process is a certificate in a Trojan program feature library or not;
if yes, determining that the first abnormal process and the second abnormal process are Trojan programs.
7. The method of claim 6, wherein the Trojan program is a mining program, and the determining whether the exchange certificate in the encryption process is a known certificate in a Trojan program feature library comprises:
judging whether the exchange certificate in the encryption process is a mining pool certificate in a mining program feature library, and judging whether a target mining pool IP (Internet Protocol) address with which the mining program has the abnormal network connection belongs to a mining pool IP address pool in the mining program feature library;
if yes, determining that the first abnormal process and the second abnormal process are mining programs.
8. The method of any of claims 1-7, wherein feature matching the first and second exception processes to determine whether the first and second exception processes are Trojan programs, further comprises:
performing file feature matching on the calling files of the first abnormal process and the second abnormal process to determine whether the calling files contain Trojan program feature files or not;
and if the calling file contains the Trojan horse program feature file, determining that the first abnormal process and the second abnormal process are Trojan horse programs.
9. A monitoring apparatus residing in a computing device having an operating system running therein, the apparatus comprising:
the detection module is suitable for detecting whether a key file path of the operating system is changed or not, and if so, acquiring a caller process triggering the key file path to be changed as a first abnormal process;
the acquisition module is suitable for acquiring a process with the highest system resource occupation from one or more processes running on the operating system as a second abnormal process;
and the characteristic matching module is suitable for performing characteristic matching on the first abnormal process and the second abnormal process so as to determine whether the first abnormal process and the second abnormal process are Trojan programs or not.
10. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-8.
11. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-8.
CN202211387093.9A 2022-11-07 2022-11-07 Trojan horse program monitoring method and device, computing equipment and storage medium Pending CN115795457A (en)

Publications (1)

Publication Number Publication Date
CN115795457A true CN115795457A (en) 2023-03-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination