CN117395058A - Dynamic terminal system network protection method based on eBPF technology - Google Patents


Info

Publication number
CN117395058A
Authority
CN
China
Prior art keywords
module
network
policy
strategy
data
Legal status
Pending
Application number
CN202311446678.8A
Other languages
Chinese (zh)
Inventor
胡卫国
周红卫
Current Assignee
Jiangsu Hoperun Software Co ltd
Original Assignee
Jiangsu Hoperun Software Co ltd

Abstract

The invention provides a method for protecting the network of a dynamic terminal system based on eBPF technology. The method comprises a server-side policy management program and a network protection application installed on the terminal device. Through interaction between the protection application and the server, the server issues the network protection policy of the dynamic terminal system, and the protection application enforces that policy on the device to protect the terminal. The server-side policy management program comprises a policy management module, a security alarm viewing module and a terminal management module; the protection application comprises a policy configuration module, a process monitoring module, a network monitoring module, a data transmission monitoring module and a behavior detection module. Because the policy is updated dynamically, the inspection policy can be adjusted in time and sudden security events can be responded to promptly, improving device security; because device security policies are managed remotely through the server, the per-terminal configuration workload of operation and maintenance staff is reduced, improving operation and maintenance efficiency.

Description

Dynamic terminal system network protection method based on eBPF technology
Technical Field
The invention relates to the field of network security, in particular to a method for protecting the network of a dynamic terminal system based on eBPF technology.
Background
At present, terminal systems are deployed in scattered locations and in large numbers, and are difficult to manage. Their security policies are generally fixed, so when a new vulnerability appears the policy is hard to update in time, and the vulnerability is hard to discover and protect against.
Most current terminal security policies are static and inflexible. When a device has a high-risk vulnerability that is exploited to implant malicious code, some devices end up remotely controlled and are used as a pivot to launch network attacks outward. Once a system is compromised, device data leakage and other security problems may follow. The following security measures are generally adopted at present:
(1) Raising the security awareness of system users: changing default user names promptly, setting complex passwords, using strong authentication and encryption, applying patches promptly, and carrying out regular configuration and baseline checks.
(2) Controlling the production process of the system: keeping the security gateway under control, integrating security elements into system production, eliminating backdoors and reducing the code defect rate.
(3) Establishing sound production standards and security standards for the system, as a basis for defining security responsibility and establishing a supervision mechanism.
(4) Establishing a supervision mechanism: on one hand, carrying out factory security testing of the equipment; on the other hand, regularly inspecting deployed systems and urging correction.
These measures mainly strengthen the security of equipment use through system and production management and reduce latent hazards, but once a problem occurs the response is delayed, not timely enough, and hard to remedy.
Disclosure of Invention
The invention aims to provide a network protection method for a dynamic terminal system based on eBPF technology, to solve the problem that the security measures currently adopted by terminal systems act mainly at the level of system and production management, strengthening the security of equipment use and reducing latent hazards, so that once a problem occurs the response is delayed, not timely enough, and hard to remedy.
In order to achieve the above purpose, the present invention provides the following technical solution:
A dynamic terminal system network protection method based on eBPF technology comprises a server-side policy management program and a network protection application installed on the terminal device. Through interaction between the protection application and the server, the server issues the device's dynamic terminal system network protection policy, and the protection application enforces the policy on the device to protect the terminal. The server-side policy management program comprises a policy management module, a security alarm viewing module and a terminal management module; the protection application comprises a policy configuration module, a process monitoring module, a network monitoring module, a data transmission monitoring module and a behavior detection module. The data exchanged between the server-side policy management program and the terminal device consists of security policies issued to the device and security events reported by it.
The policy management module in the server-side policy management program provides an interface-defined DSL for composing custom policies, and controls the process monitoring module, the network monitoring module and the data transmission monitoring module. The security rules of the terminal device are managed dynamically by setting process control rules, network IP and port whitelists, flow control rules and the like. A process control rule consists of:
rule action: deny (not), allow (allow)
a list of process name strings, e.g. ["proc_name_1","proc_name_2","proc_name_3"]
Examples:
Prohibit the programs "proc_name_1", "proc_name_2" and "proc_name_3" from executing:
not["proc_name_1","proc_name_2","proc_name_3"]
Allow the program ABC to execute:
allow["ABC"]
If no control rule is set for a program, execution is allowed and a security event is reported to the server.
A flow control rule consists of:
rule action: deny (not), allow (allow), limit traffic (limit)
rule direction: inbound (in), outbound (out)
IP range: network segment (net 10.20.0.0/16) or single IP address (10.20.1.10)
port range: port segment (portrange 133-135) or single port (port 8080); if not set, all ports
Examples:
Prohibit a network segment from accessing the terminal device:
not in(net 10.20.0.0/16)
Allow the device to access an IP:
allow out(10.20.1.10)
Limit outbound traffic to an IP and port to 10M per second, discarding packets above the limit:
limit out(10.20.1.10 port 8080) 10M/s
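The two rule forms above are the whole of the policy DSL the description shows. What follows is an added example and not the patent's or Jiangsu Hoperun's code: a parser for both forms into the fixed-size structs a user-space agent would copy into a BPF map (step 10 of the embodiment), plus the exec decision of step 11. The struct layout, the cap of eight names per rule, the reading of "10M/s" as 10 000 000 bytes per second and the use of the packet's destination port for the port clause are assumptions of this example; the description defines none of them.

```c
/* Added example, not the patent's code. Parses the process and flow rules of
 * the DSL into fixed-size structs (the shape a BPF map value needs) and applies
 * the exec decision of step 11. Assumptions: 8 names per process rule, "M" in
 * a rate means 10^6 bytes, the port clause refers to the destination port. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action  { ACT_NOT, ACT_ALLOW, ACT_LIMIT };
enum dir     { DIR_IN, DIR_OUT };
enum verdict { V_ALLOW, V_ALLOW_REPORT, V_KILL_ALERT };

struct flow_rule {
    enum action act;
    enum dir    dir;
    uint32_t    net, mask;        /* host order; mask 0xffffffff = single IP     */
    uint16_t    port_lo, port_hi; /* 0..65535 when no port clause = all ports    */
    uint64_t    limit_bytes_s;    /* ACT_LIMIT only; "10M/s" read as 10*10^6 B/s */
};
struct proc_rule { enum action act; int n; char names[8][64]; };

static int parse_action(const char *w, enum action *a)
{
    if (!strcmp(w, "not")) *a = ACT_NOT;
    else if (!strcmp(w, "allow")) *a = ACT_ALLOW;
    else if (!strcmp(w, "limit")) *a = ACT_LIMIT;
    else return -1;
    return 0;
}

static int parse_ip(const char *s, uint32_t *ip)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255) return -1;
    *ip = a << 24 | b << 16 | c << 8 | d;
    return 0;
}

/* Flow rule: ACTION DIR(TARGET) [RATE], e.g. "not in(net 10.20.0.0/16)",
 * "allow out(10.20.1.10)", "limit out(10.20.1.10 port 8080) 10M/s".         */
int parse_flow_rule(const char *line, struct flow_rule *r)
{
    char act[8], dir[4], body[96], rate[16] = "";
    if (sscanf(line, "%7s %3[^(](%95[^)])%15s", act, dir, body, rate) < 3) return -1;
    if (parse_action(act, &r->act)) return -1;
    if (!strcmp(dir, "in")) r->dir = DIR_IN;
    else if (!strcmp(dir, "out")) r->dir = DIR_OUT;
    else return -1;
    r->mask = 0xffffffffu; r->port_lo = 0; r->port_hi = 65535; r->limit_bytes_s = 0;
    for (char *t = strtok(body, " "); t; t = strtok(NULL, " ")) {
        if (!strcmp(t, "net")) {                  /* CIDR: keep only the network bits */
            char *slash; int plen;
            if (!(t = strtok(NULL, " ")) || !(slash = strchr(t, '/'))) return -1;
            *slash = 0; plen = atoi(slash + 1);
            if (plen < 0 || plen > 32 || parse_ip(t, &r->net)) return -1;
            r->mask = plen ? 0xffffffffu << (32 - plen) : 0;
            r->net &= r->mask;
        } else if (!strcmp(t, "port")) {
            if (!(t = strtok(NULL, " "))) return -1;
            r->port_lo = r->port_hi = (uint16_t)atoi(t);
        } else if (!strcmp(t, "portrange")) {
            if (!(t = strtok(NULL, " ")) || sscanf(t, "%hu-%hu", &r->port_lo, &r->port_hi) != 2)
                return -1;
        } else if (parse_ip(t, &r->net)) {        /* bare address: single IP          */
            return -1;
        }
    }
    if (r->act == ACT_LIMIT) {                    /* a limit rule must carry a rate   */
        double v; char unit;
        if (sscanf(rate, "%lf%c", &v, &unit) != 2 || unit != 'M' || v <= 0) return -1;
        r->limit_bytes_s = (uint64_t)(v * 1000000.0);
    }
    return 0;
}

/* Process rule: ACTION["name",...], e.g. not["proc_name_1","proc_name_2"].  */
int parse_proc_rule(const char *line, struct proc_rule *r)
{
    char act[8];
    const char *p = strchr(line, '['), *q;
    if (!p || (size_t)(p - line) >= sizeof act) return -1;
    memcpy(act, line, p - line); act[p - line] = 0;
    if (parse_action(act, &r->act) || r->act == ACT_LIMIT) return -1;
    for (r->n = 0; (p = strchr(p, '"')) && (q = strchr(p + 1, '"')); p = q + 1) {
        size_t len = (size_t)(q - p - 1);
        if (r->n == 8 || len == 0 || len >= sizeof r->names[0]) return -1;
        memcpy(r->names[r->n], p + 1, len); r->names[r->n++][len] = 0;
    }
    return r->n ? 0 : -1;
}

/* Step 11 semantics: a name under a "not" rule is killed and alerted; an
 * unlisted program is allowed but a security event is still reported.     */
enum verdict check_exec(const struct proc_rule *rules, int nrules, const char *comm)
{
    for (int i = 0; i < nrules; i++)
        for (int j = 0; j < rules[i].n; j++)
            if (!strcmp(rules[i].names[j], comm))
                return rules[i].act == ACT_NOT ? V_KILL_ALERT : V_ALLOW;
    return V_ALLOW_REPORT;
}
```

Everything a rule needs is fixed-size and pointer-free, which is what lets the user-space agent write it into a BPF hash or array map with bpf_map_update_elem and lets the kernel program compare against it without a string parser of its own. The parser rejects a limit rule with no rate and an unknown action or direction rather than silently producing a permissive rule, which is the failure mode to avoid in an enforcement path.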
The security alarm viewing module in the server-side policy management program displays the alarm events uploaded by each terminal device on a server HTML page.
The server-side policy management program also contains a terminal management module, which manages basic device information, access authentication, and activation and deactivation of security policies.
The policy configuration module runs inside the terminal device's network protection application, communicates with the server-side policy management program, obtains policy configuration information from its policy management module, and caches it on the terminal device for later use by the behavior detection module.
The process monitoring module in the protection application installs a kernel probe through eBPF on the process creation path; when the system creates a process the probe receives a callback event and invokes the behavior detection module, which decides from the policy configuration whether the process may be created.
The network monitoring module in the protection application attaches a packet processing program at the kernel network layer through eBPF XDP. When a packet is received, the callback program parses the source IP and port and the destination IP and port and invokes the behavior detection module, which decides from the policy configuration whether the packet may pass.
The data transmission monitoring module in the protection application monitors transmitted packets through the eBPF TC hook, obtaining source IP and port, destination IP and port and the transmitted content, and invokes the behavior detection module, which decides from the policy configuration whether the transmission may proceed.
The behavior detection module in the protection application matches the data reported by the monitoring modules using the DSL interpreter and, from the match result, decides the subsequent handling: releasing the data or discarding the packet. When the network monitoring module receives a callback it invokes the behavior detection module, which reads the dynamic policy configuration cached by the policy configuration module, checks the validity of the event's input data, and executes the corresponding handling logic according to the policy decision, specifically:
when the data passes the validity check, whether it is released is decided according to the policy;
when the data fails the validity check, the network packet is discarded and the access is prohibited.
Compared with the prior art, the invention has the following beneficial effects:
The protection rules on the device are updated dynamically from the policy issued by the server, and data transmission is controlled by monitoring the process and network state, so that the device is protected dynamically.
Operation and maintenance personnel can view the terminal's security events in real time; monitor the process state, network monitoring state and data transmission state; issue inspection policies dynamically according to security needs; control process start and stop on the terminal device; monitor network ports; and guard against data requests from unknown external sources. Because the policy is updated dynamically, the inspection policy can be adjusted in time and sudden security events can be responded to promptly, improving device security; because device security policies are managed remotely through the server, the per-terminal configuration workload is reduced, improving operation and maintenance efficiency.
Drawings
FIG. 1 is a schematic view of the overall framework of the invention;
FIG. 2 is the policy configuration issuing flow;
FIG. 3 is the behavior detection and security event reporting flow.
Detailed Description
In order to make the technical problems, technical solutions, implementation processes and performance clear, the present invention is further described in detail below with reference to examples. It should be understood that the specific embodiments described here are for illustration only and are not intended to limit the invention. Various exemplary embodiments, features and aspects of the disclosure are described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements, and circuits well known to those skilled in the art have not been described in detail in order not to obscure the present disclosure.
Example 1
Referring to FIGS. 1-3, a method for protecting the network of a dynamic terminal system based on eBPF technology comprises the following steps:
Step 1: The system consists of a server-side policy management program (hereinafter the server) and a client program on the terminal device (hereinafter the client). The server and the device software are each installed and run on their respective platform; application packaging can bundle all related modules into a full installation package, which includes a description of the capabilities the modules require from the platform for installation;
Step 2: The server-side policy management program is a server program with a browser/server (BS) architecture; an administrator logs in through a browser and manages it;
Step 3: The server comprises the following modules:
Policy management: used by the system administrator to configure policies for terminal devices;
Security alarm viewing: used to view the security event information reported by each terminal device, such as an illegal process starting, illegal IP and port access, abnormal traffic alarms, etc.;
Terminal management: basic information about the terminal devices in the system, access authentication, activation and deactivation of security policies, etc.;
Step 4: After the administrator logs in to the server, basic device information is configured through the terminal management module, and then policy information such as process control rules, network IP and port whitelists and flow control rules is configured through the policy management module;
the process control rule specifically comprises the following contents:
rule action: inhibit (not), allow (allow)
Process name string list, e.g., [ "proc_name_1", "proc_name_2", "proc_name_3" ]
Examples are as follows:
program "proc_name_1", "proc_name_2", "proc_name_3" is prohibited from executing
not["proc_name_1","proc_name_2","proc_name_3"]
Allowing program ABC to execute
allow["ABC"]
If the program does not set the control rule, the execution is allowed, and the security event is reported to the server
The flow control rule specifically comprises the following contents:
rule action: inhibit (not), allow (allow), restrict access traffic (limit)
The regular direction: inbound (in), outbound (out)
Ip range: network segment (net 10.20.0.0/16), ip address (10.20.1.10)
Port range: port segment (portrange 133-135), specific port (port 8080), if not set, indicates all ports
Examples are as follows:
disabling access to a network segment to a terminal device
not in(net 10.20.0.0/16)
Allowing a device to access an Ip
allow out(10.20.1.10)
Limiting outbound traffic to not more than 10M per second for an Ip, e.g. more than discarding packets
limit out(10.20.1.10port 8080)10M/s。
Step 5: after the client program is installed and started, connecting the server according to the configuration information in the installation package;
step 6: the client program communicates through an Https bidirectional authentication mode to acquire a strategy configured in service strategy management;
step 7: analyzing a process monitoring rule in the configuration file, setting a kernel probe through an eBPF, and intercepting a process starting event;
step 8: analyzing a network monitoring rule in the configuration file, and adding a data monitoring program of a kernel network layer through an XDP module of the eBPF;
step 9: analyzing a data transmission monitoring rule in the configuration file, and adding a data monitoring program of a kernel network layer by a TC module of the eBPF;
step 10: the client side also calls a corresponding eBPF program registered by a corresponding behavior detection module when the analysis configuration rule is set according to the steps 7 to 9, and meanwhile, rule configuration information is set to bpf_map so that configuration information of the client side program set in a user mode can be obtained when the kernel-mode eBPF program runs, and therefore whether current data accords with rules set in the user mode is checked through the eBPF in the kernel mode;
step 11: when the eBPF monitors and receives a probe callback of a system creation process, acquiring the created process name, inquiring whether the process name exists in a process name list forbidden to be started in the bpf_map, if yes, starting an interrupt process, and sending a security alarm event to a user state behavior detection module through the bpf_perf_event;
step 12: when the data monitoring program of the XDP module of the eBPF receives the callback, judging whether to allow the data packet to pass through or not by analyzing the network source ip and port and the destination ip and port and combining the rule set in the bpf_map, and if not, sending a security alarm event to the user state behavior detection module through the bpf_perf_event;
step 13: when the data monitoring program of the TC module of the eBPF receives the callback, acquiring network data packet information through the data object of the callback: the source ip and port, the destination ip and port and the data transmission content respectively count the network traffic according to the destination or source information, when the network traffic reaches the set limit, the data packet is discarded, and a security alarm event is sent to the user state behavior detection module through bpf_perf_event;
step 14: after receiving a security alarm event sent by the eBPF program through bpf_perf_event, a behavior detection module of a user of the client sends the security alarm event to a security alarm checking module of the server through Https;
step 15: a system administrator can log in a server through a browser and check the safety alarm information of the equipment through a safety alarm check module;
step 16: the system management modifies the safety rules of the equipment through the safety strategy configuration module according to the safety problems fed back by the safety alarm information;
step 17: after the security policy of the terminal equipment is modified, the ip and port corresponding to the terminal equipment client program configured in the basic information of the query equipment are sent to the terminal program through the TCP protocol.
Step 18: after receiving the configuration information, the device side executes the processes from step 7 to step 9.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the above-described embodiments, and that the above-described embodiments and descriptions are only preferred embodiments of the present invention, and are not intended to limit the invention, and that various changes and modifications may be made therein without departing from the spirit and scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (9)

1. A dynamic terminal system network protection method based on eBPF technology, characterized in that it comprises a server-side policy management program and a network protection application installed on a terminal device, wherein, through interaction between the protection application and the server, the server issues the network protection policy of the dynamic terminal system, and the protection application operates on the device according to the policy to protect the terminal device; the server-side policy management program comprises a policy management module, a security alarm viewing module and a terminal management module; the protection application comprises a policy configuration module, a process monitoring module, a network monitoring module, a data transmission monitoring module and a behavior detection module; and the data interaction between the server-side policy management program and the terminal device comprises issuing a security policy and reporting a security event.
2. The method according to claim 1, wherein the policy management module in the server-side policy management program provides an interface-defined DSL for composing custom policies and controls the process monitoring module, the network monitoring module and the data transmission monitoring module; the security rules of the terminal device are managed dynamically by setting process control rules, network IP and port whitelists, flow control rules and the like; the process control rule comprises:
rule action: deny (not), allow (allow);
a list of process name strings, e.g. ["proc_name_1","proc_name_2","proc_name_3"];
if no control rule is set for a program, execution is allowed and a security event is reported to the server;
the flow control rule comprises:
rule action: deny (not), allow (allow), limit traffic (limit);
rule direction: inbound (in), outbound (out);
IP range: network segment (net 10.20.0.0/16) or IP address (10.20.1.10);
port range: port segment (portrange 133-135) or specific port (port 8080); if not set, all ports.
3. The method according to claim 1, wherein the security alarm viewing module in the server-side policy management program displays the alarm events uploaded by each terminal device on a server HTML page.
4. The method according to claim 1, wherein the server-side policy management program is provided with a terminal management module that manages basic device information, access authentication, and activation and deactivation of security policies.
5. The method according to claim 2, wherein the policy configuration module runs in the terminal device's network protection application, communicates with the server-side policy management program, obtains policy configuration information from the policy management module of the server-side policy management program, and caches the policy configuration information on the terminal device for subsequent use by the behavior detection module.
6. The method according to claim 1, wherein the process monitoring module in the protection application installs a kernel probe through eBPF that monitors the process creation method; when the system creates a process the kernel probe receives a callback event and invokes the behavior detection module, and the behavior detection module determines from the policy configuration whether to allow the process creation.
7. The method according to claim 1, wherein the network monitoring module in the protection application adds a data processing program at the kernel network layer through eBPF XDP; when the network layer receives data the callback program processes it, parses out the source IP and port and the destination IP and port, and invokes the behavior detection module, and the behavior detection module determines from the policy configuration whether execution is allowed.
8. The method according to claim 1, wherein the data transmission monitoring module in the protection application monitors transmitted packets through the eBPF TC module, obtaining source IP and port, destination IP and port and transmitted content, and invokes the behavior detection module, and the behavior detection module determines from the policy configuration whether execution is allowed.
9. The method according to claim 1, wherein the behavior detection module in the protection application matches the data detected by the monitoring modules through a DSL interpreter and, according to the match result, determines the subsequent handling, which includes releasing the data or discarding the packet; when the network monitoring module receives a callback it invokes the behavior detection module, which reads the dynamic policy configuration information cached in the policy configuration module, checks the validity of the data according to the input data of the event, the input data including source IP and port and destination IP and port, and executes the corresponding event handling logic according to the policy configuration detection result, specifically:
when the data passes the validity check, whether it is released is decided according to the policy;
when the data fails the validity check, the network packet is discarded and the access is prohibited.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311446678.8A CN117395058A (en) 2023-11-02 2023-11-02 Dynamic terminal system network protection method based on eBPF technology

Publications (1)

Publication Number Publication Date
CN117395058A true CN117395058A (en) 2024-01-12

Family

ID=89439004

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN113949537A (en) * 2021-09-26 2022-01-18 杭州谐云科技有限公司 Firewall management method and system based on eBPF

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination