WO2021189257A1 - Malicious process detection method and apparatus, electronic device, and storage medium - Google Patents

Info

Publication number: WO2021189257A1
Authority: WO (WIPO (PCT))
Prior art keywords: candidate, socket, system call, target, processes
Application number: PCT/CN2020/080922
Other languages: French (fr), Chinese (zh)
Inventor: 郭子亮
Original assignee: 深圳市欢太科技有限公司; Oppo广东移动通信有限公司
Application filed by 深圳市欢太科技有限公司 and Oppo广东移动通信有限公司
Priority to CN202080094694.3A (published as CN115023699A)
Priority to PCT/CN2020/080922 (published as WO2021189257A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Definitions

  • This application relates to the field of network security technology, and more specifically, to a method, device, electronic device, and storage medium for detecting malicious processes.
  • A firewall usually imposes strict restrictions on external machines accessing the host, but few restrictions on the host actively connecting to external machines. Therefore, if a hacker uses a rebound connection, in which the host itself actively connects to the external machine, the attacker can evade the firewall's supervision, attack the host, and threaten its security. To improve network security it is therefore necessary to detect malicious processes that use rebound connections on the host, but effective detection of such malicious processes cannot currently be achieved.
  • This application proposes a malicious process detection method, device, electronic device, and computer-readable storage medium to remedy the above-mentioned defects.
  • An embodiment of the present application provides a method for detecting a malicious process.
  • The method includes: obtaining a target process requesting a network connection; obtaining a system call operation of the target process; and, if the system call operation matches the target system call operation, determining that the target process is a malicious process.
  • An embodiment of the present application also provides a device for detecting malicious processes.
  • The device includes: a process acquisition module for acquiring a target process requesting a network connection; an operation acquisition module for acquiring the system call operation of the target process; and an operation matching module for determining that the target process is a malicious process if the system call operation matches the target system call operation.
  • An embodiment of the present application also provides an electronic device, including one or more processors, a memory, and one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs are configured to execute the foregoing method.
  • The embodiments of the present application also provide a computer-readable storage medium that stores program code, which can be invoked by a processor to execute the foregoing method.
  • The malicious process detection method, device, electronic device, and computer-readable storage medium provided by this application obtain the target process requesting a network connection, then obtain the system call operation of the target process, match the system call operation against the target system call operation, and determine accordingly that the target process is a malicious process.
  • The embodiment of the present application first selects the target process according to whether the process requests an external network connection, and then, according to whether the system call operation of the target process matches the target system call operation, determines that a matching target process is a malicious process. It can therefore detect not only malicious processes established through the system's own command interpreter but also malicious processes that are not established according to the system's rules, which greatly reduces the false negative rate, raises the detection rate of malicious processes, and achieves more effective detection.
  • FIG. 1 shows a schematic diagram of a socket-based communication process.
  • FIG. 2 shows a schematic diagram of an application scenario of a malicious process detection method provided by an embodiment of the present application.
  • FIG. 3 shows a schematic flowchart of a method for detecting a malicious process according to an embodiment of the present application.
  • FIG. 4 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application.
  • FIG. 5 shows a schematic flowchart of a malicious process detection method provided by another embodiment of the present application.
  • FIG. 6 shows a schematic flowchart of step S320 in FIG. 5 in an exemplary embodiment.
  • FIG. 7 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application.
  • FIG. 8 shows a schematic flowchart of step S420 in FIG. 7 in an exemplary embodiment of the present application.
  • FIG. 9 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application.
  • FIG. 10 shows a schematic flowchart of step S530 in FIG. 9 in an exemplary embodiment of the present application.
  • FIG. 11 shows a schematic flowchart of a method for detecting a malicious process according to yet another embodiment of the present application.
  • FIG. 12 shows a schematic flowchart of a malicious process detection method provided by an exemplary embodiment of the present application.
  • FIG. 13 shows a block diagram of a module for detecting a malicious process according to an embodiment of the present application.
  • FIG. 14 shows a structural block diagram of an electronic device provided by an embodiment of the present application.
  • FIG. 15 shows a storage unit, according to an embodiment of the present application, used to store or carry program code implementing the method for detecting malicious processes of the embodiments of the present application.
  • TCP/IP (Transmission Control Protocol/Internet Protocol) is an industry-standard protocol suite designed for wide area networks (WANs).
  • UDP (User Datagram Protocol) is the counterpart protocol of TCP and belongs to the TCP/IP protocol family.
  • A socket is an abstraction layer of middleware that communicates between the application layer and the TCP/IP protocol suite; it is a set of interfaces. In design-pattern terms, a socket is a facade that hides the complex TCP/IP protocol family behind the socket interface. For the user, a set of simple interfaces is all that is needed, and the socket organizes the data so that it conforms to the specified protocol. Applications that use the TCP/IP protocol usually use sockets to communicate between network processes.
  • Socket-based communication: taking a TCP connection as an example, the socket-based communication process is as follows (see FIG. 1).
  • The server initializes a socket, binds it to a port, listens on the port (listen), and calls accept, which blocks while waiting for a client to connect.
  • A client initializes a socket.
  • The client connects to the server; once the connection succeeds, the connection between the client and the server is established.
  • The client sends a data request.
  • The server receives and processes the request, then sends the response data to the client; the client reads the data and finally closes the connection, ending the interaction.
  • System call: when Linux starts, it first starts the kernel.
  • The kernel is a computer program that directly manages the hardware, including the CPU, memory space, hard disk interface, network interface, and so on. All computer operations must pass through the kernel to reach the hardware.
  • The functionality of the kernel is exposed as system calls, and the functions of the kernel can be used through system call operations.
  • System calls provide a clear interface for upper-layer programs and hide the complex structure of the kernel. A function of an operating system can be seen as the effect of a combination of system calls.
  • A shell is a command-language interpreter with its own built-in set of shell commands; it is an interface program used to interact with the Linux kernel.
  • The shell provides an interface through which the user can access the services of the operating system kernel.
  • The shell communicates with the various upper-layer applications and, in turn, with the system calls.
  • The shell is both a command language and a programming language.
  • A shell script is a script written for the shell, i.e. a program with command parsing and execution. Shell scripts can be interpreted by the shell and passed to the kernel.
  • A shell process is a running process of a shell program written in accordance with the programming syntax specified by the shell.
  • Shells in Linux and UNIX systems include the Bourne shell (sh), the Bourne Again shell (bash), the C shell (csh), and the Korn shell (ksh).
  • bash is the default shell of most Linux systems.
  • These shells can also be referred to as shells that come with the system.
  • A connection between the control end and the controlled end can generally be established by one of two connection methods.
  • The first connection method can be called a forward connection.
  • In a forward connection, the control end actively connects to a port of the controlled end, and the controlled end listens on that port to establish the connection; that is, in a forward connection the controlled end is the server and the control end is the client in the network sense.
  • Remote desktops, web services, shells, etc. are generally implemented with forward connections.
  • Using the first connection method may lead to problems such as the control end being unable to connect to the controlled end, being unable to control the controlled end continuously, or failing to receive requests from the controlled end. Therefore, some attackers such as hackers, in order to break through these restrictions and control, attack, or invade a user's host, use the second connection method to establish a connection with the attacked party's host: the attacker creates a socket on the attacked party's host, the attacked party actively connects to the attacker's port, and the attacker listens on that port for the connection. Here the attacked party acts as the client and the attacker as the server; compared with the forward connection, the roles of client and server are reversed, and this connection method can be called a bounce (rebound) connection.
  • The malicious process corresponds to a program with command parsing and execution.
  • Such a program can be called a reverse shell.
  • The malicious process can further be referred to as a reverse shell process. Therefore, the method provided by the embodiments of this application can detect reverse shell processes.
  • Reverse shell program: a shell based on a reverse connection. The control end listens on a port, and the controlled end initiates a request to that port and transfers the input and output of its command line to the control end. A reverse shell is essentially a reversal of the roles of client and server in the network sense.
  • Hackers can create a rebound shell without using the shell that comes with the system.
  • Hackers can write a program with command parsing and execution on the basis of a self-developed command interpreter, and such a program can be used as a shell.
  • Hackers can also upload a shell program, or copy the system shell to another directory and use it under a different name, so that the shell program does not follow the naming convention of the system's own shell and is not located in its designated directory. This type of shell program is difficult to detect with current detection methods; that is, current detection methods miss (fail to report) this type of malicious process.
  • embodiments of the present application provide a method, device, electronic device, and computer-readable storage medium for detecting malicious processes, so as to reduce the false negative rate of malicious processes.
  • FIG. 2 shows a schematic diagram of an application scenario of a malicious process detection method provided by an embodiment of the present application.
  • The application scenario includes a communication system 10 provided by an embodiment of the present application.
  • The communication system 10 includes a first host 100 and a second host 200.
  • The first host 100 and the second host 200 may be connected through a network.
  • The first host 100 and the second host 200 may be terminals or servers. If they are terminals, the terminals may be, but are not limited to, mobile phones, tablets, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), personal computers, wearable electronic devices, etc.
  • The embodiment of the present application does not limit the device type of a specific terminal. If it is a server, the server may be a traditional server or a cloud server; it may be a single server, a server cluster composed of several servers, or a cloud computing service center.
  • The first host 100 and the second host 200 may be the same device or different devices, which is not limited here.
  • The first host 100 and the second host 200 may both be terminals, both be servers, or one may be a terminal and the other a server.
  • The first host 100 can represent the compromised host, i.e. the host of the attacked party, and the second host 200 can represent the intruding host, i.e. the host of the attacker. If the second host 200 creates a socket on the first host 100 so that the first host 100 actively requests a connection to the second host 200, the process involved can be regarded as the malicious process described in the embodiment of the present application. In this case the first host 100 corresponds to the client and the second host 200 to the server in the network sense.
  • A specific host may switch roles between intruding host and compromised host under different circumstances. That is, if at one moment host A is invaded by host B, host A is the compromised host represented by the first host 100 and host B is the intruding host represented by the second host 200; if at another moment host A invades host B, host A is the intruding host represented by the second host 200 and host B is the compromised host represented by the first host 100.
  • FIG. 3 shows a schematic flow chart of a method for detecting a malicious process provided by an embodiment of the present application, which can be applied to the above-mentioned first host.
  • The process shown in FIG. 3 is elaborated below.
  • The method can include:
  • The target process is a process with an external connection, that is, the compromised host running this process requests a network connection to another host.
  • The process can request an external network connection based on various communication protocols, for example TCP or UDP, which are not limited here.
  • The process must create a socket and use the socket to send a connection request to another host; for example, it must call connect() to send the connection request. Therefore, a process that has called connect() can be obtained as the target process requesting a network connection.
  • The system call operation records the system calls used by a process.
  • The system call operation of a process includes the type of system call and the time at which the process used it, so that by obtaining the system call operations of the target process, the system calls it used can be determined.
  • When multiple system call operations of the target process are acquired, the execution order of the multiple system call operations can also be determined.
  • The system call operations of the target process can be obtained through the process identifier (PID) of the target process.
  • A PID is a value that uniquely identifies a process.
  • Where a number is described as multiple, it means two or more.
  • Types of processes include, but are not limited to, shell processes, database processes (such as mysql), and server processes (such as apache, tomcat, nginx), which are not limited here. Since the system call operations of different processes differ, the type of a process can be determined through its system call operations.
  • The target system call operation may be a system call operation of a specified type of process. Therefore, by matching the system call operation of the target process against the target system call operation, it can be determined whether the system call operation of the target process conforms to the characteristics of the specified type of process.
  • When the intruding host attacks the compromised host, it uses a program with command parsing and execution (such as a shell program) to carry out the attack based on the rebound connection. Therefore, the specified type of process may be the process corresponding to such a program with command parsing and execution, and the target system call operation may be the system call operation used by this type of process.
  • The specified type of process may be a shell process, and the target system call operation may be a system call operation of a shell process.
  • The number of system call operations and of target system call operations can each be one or more, which is not limited here.
  • A match between the system call operation and the target system call operation can mean that the types of the multiple system call operations match the types of the multiple target system call operations.
  • If a matching target system call operation can be found for each of the multiple system call operations, it can be determined that the system call operations match the target system call operations; for example, if the multiple system call operations are A1, A2, A3 and the multiple target system call operations are A1, A3, A2, A4, A5, the two can be determined to match.
  • Since the execution order of system call operations determines the type of a process to a certain extent, it is also possible to determine whether the target process is a malicious process according to the execution order of its system call operations. That is, when the system call operations match the target system call operations, the multiple system call operations and the multiple target system call operations may at least partially overlap, and the execution order of the overlapping parts is required to be consistent. Specific implementations are described in the following embodiments and are not repeated here.
  • The compromised host can then process the malicious process accordingly.
  • The malicious process can be terminated, which may include killing the malicious process or other operations, not limited here, so that the malicious process is prevented in time from continuing to attack the host, the threat it poses is eliminated in time, and the security of the host is protected.
  • The compromised host can be connected to an operation and maintenance management device, and after detecting the malicious process, the compromised host can report the detection result to that device.
  • The operation and maintenance management device receives the reported detection result and can perform the corresponding maintenance on the compromised host.
  • The operation and maintenance management device may be a server, a firewall, a network management device, and so on.
  • The operation and maintenance management device can generate alarm information to remind operation and maintenance personnel or other related personnel to carry out maintenance of the compromised host.
  • The alarm information may be a voice prompt, a text prompt, a light prompt, etc., which is not limited in this embodiment.
  • The malicious process detection method first obtains the target process requesting a network connection, then obtains the system call operations of the target process, and determines whether the target process is a malicious process according to the result of matching its system call operations against the target system call operations. It can detect not only malicious processes established according to the system's rules but also malicious processes not established according to the system's rules, which greatly reduces the false negative rate, improves the detection rate of malicious processes, and thereby improves the security of the terminal. In particular, it can effectively detect the processes corresponding to various reverse shell programs that do not use the shell that comes with the system, such as those generated by hacker tools such as metasploit or created by command interpreters written by hackers, with a good recognition effect.
  • The embodiment of this application first obtains the target process according to whether a network connection is requested, which improves detection efficiency and detection performance.
  • A process that performs network communication based on a socket may be acquired as a candidate process, and then a process requesting an external connection is determined from the candidate processes as the target process.
  • FIG. 4 shows a method for detecting a malicious process provided by another embodiment of the present application. The method may include:
  • A candidate process is a process that performs network communication based on a socket.
  • Such processes include both processes that request external connections based on a socket and processes that other hosts connect to based on a socket.
  • Candidate processes have not only created a socket but also used it, for example for binding (bind) or connecting (connect).
  • Candidate processes may also include processes that only create a socket without using it, that is, processes that call socket() but do not call bind() or connect().
  • Processes that have created a socket can be searched for and then determined as candidate processes. Specific implementations are described in the embodiments below and are not repeated here.
  • S220 Determine the target process according to the candidate process.
  • The system call operations of the candidate process can be obtained to detect whether a connection function is present; for example, it can be detected whether the candidate process calls connect(). If the candidate process calls connect(), it can be determined to be a process requesting a network connection, that is, the candidate process is determined to be the target process.
  • The connection event of the candidate process may also be monitored, so that when a connection event is observed, the candidate process for which it was observed is determined to be the target process.
  • Step S240 may be as follows: if the execution order of the multiple system call operations matches the execution order of the multiple target system call operations, the target process is determined to be a malicious process.
  • The aforementioned multiple target system call operations executed in sequence can be recorded as the target system call sequence, and the multiple system call operations executed in sequence by the target process as the system call sequence of the target process; a match between the execution order of the multiple system call operations and that of the multiple target system call operations can then be recorded as a match between the system call sequence of the target process and the target system call sequence.
  • For example, if the system call sequence of the target process is A1, A2, A3 and the multiple target system call operations in execution order are A1, A3, A2, i.e. the target system call sequence is A1, A3, A2, it can be determined that the system call sequence of the target process does not match the target system call sequence.
  • If the system call sequence of the target process is A1, A2, A3 and the target system call sequence is A0, A1, A2, A3, A4, it can be determined that the system call sequence of the target process matches the target system call sequence.
  • The execution order of the multiple target system call operations can be determined from the system call operations executed in sequence by a shell process, so a target process that satisfies the match can be called a shell process.
  • The sequence of multiple target system call operations may include: waiting for data on the socket, reading data, executing a command, writing data, and waiting for data on the socket again. Here, reading data means reading data from the socket and writing data means writing data to the socket. In some embodiments, if the target system call sequence composed of these target system call operations is present in the system call sequence of the target process, the overlapping part makes detection the most accurate.
  • That is, if the target system call sequence is "wait for data on the socket, read data, execute command, write data, wait for data on the socket", it best reflects the characteristics of a shell process; in some implementations, as long as the system call sequence of a process is consistent with this target system call sequence, the process can be determined to be a shell process, and if it is inconsistent, the process is determined not to be a shell process. This target system call sequence therefore avoids misdetections in which other, non-shell processes are judged to be malicious processes, which improves the detection accuracy for shell processes and thereby the detection accuracy for rebound shell processes.
  • Besides the standard system call sequence, other target system call sequences can also be used to match the system call sequence of the target process. As one implementation, a subset of the standard system call sequence in which the execution order of each system call operation remains unchanged can be taken as the target system call sequence.
  • The target system call sequence can then be, for example, "read data, execute command, write data" or "wait for data on the socket, read data, execute command, write data", etc., which is not limited here.
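The matching rules described above (the unordered A1/A2/A3 comparison, the ordered comparison in which the overlapping part must keep its execution order, and the standard shell sequence with its order-preserving subsets) as an added example in Python; this is not code from the patent. The strace-style traces are constructed sample data, and the mapping of the abstract operations onto Linux system call names is an assumption, since the description names the operations rather than the calls.

```python
"""Added example, not from the patent: check a target process's system call
sequence against a target system call sequence."""
import re
from typing import List, Sequence

# Constructed strace-style trace for one target process (sample data, not a
# real capture): "pid syscall(args) = result".
SAMPLE_SHELL_TRACE = """\
4242 poll([{fd=3, events=POLLIN}], 1, -1) = 1
4242 read(3, "id\\n", 1024) = 3
4242 rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
4242 clone(child_stack=NULL, flags=SIGCHLD) = 4243
4242 wait4(4243, [{WIFEXITED(s)}], 0, NULL) = 4243
4242 write(3, "uid=1000(user)\\n", 15) = 15
4242 poll([{fd=3, events=POLLIN}], 1, -1) = 1
"""

# Constructed trace of a benign socket user that answers requests but never
# executes a command.
SAMPLE_SERVER_TRACE = """\
5150 poll([{fd=7, events=POLLIN}], 1, -1) = 1
5150 read(7, "GET / HTTP/1.1\\r\\n", 4096) = 16
5150 write(7, "HTTP/1.1 200 OK\\r\\n", 17) = 17
5150 poll([{fd=7, events=POLLIN}], 1, -1) = 1
"""

# Assumed mapping from the abstract operations in the description to concrete
# Linux system call names.
OPERATION_SYSCALLS = {
    "wait_on_socket": {"poll", "ppoll", "select", "pselect6", "epoll_wait"},
    "read_data": {"read", "recv", "recvfrom", "recvmsg"},
    "execute_command": {"execve", "execveat", "clone", "fork", "vfork"},
    "write_data": {"write", "send", "sendto", "sendmsg"},
}

# The standard target system call sequence from the description.
STANDARD_SEQUENCE = ["wait_on_socket", "read_data", "execute_command",
                     "write_data", "wait_on_socket"]

TRACE_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\(")


def parse_trace(text: str) -> List[str]:
    """Return the system call names of a trace in execution order."""
    return [m.group("name") for m in map(TRACE_LINE.match, text.splitlines()) if m]


def to_operations(syscalls: Sequence[str]) -> List[str]:
    """Map raw syscall names onto the abstract operations, dropping calls that
    belong to none of them and collapsing immediate repeats (a shell may read
    one command line in several read() calls)."""
    ops: List[str] = []
    for name in syscalls:
        for op, members in OPERATION_SYSCALLS.items():
            if name in members:
                if not ops or ops[-1] != op:
                    ops.append(op)
                break
    return ops


def types_match(process_ops: Sequence[str], target_ops: Sequence[str]) -> bool:
    """Unordered match: every process operation has a counterpart among the
    target operations (A1,A2,A3 against A1,A3,A2,A4,A5 matches)."""
    return set(process_ops) <= set(target_ops)


def contains_run(longer: Sequence[str], shorter: Sequence[str]) -> bool:
    """True when `shorter` occurs inside `longer` as a contiguous run in order."""
    n = len(shorter)
    if n == 0:
        return False
    return any(list(longer[i:i + n]) == list(shorter)
               for i in range(len(longer) - n + 1))


def sequence_match(process_seq: Sequence[str], target_seq: Sequence[str]) -> bool:
    """Ordered match: the two sequences overlap with a consistent execution
    order, i.e. one is a contiguous run of the other (A1,A2,A3 against
    A0,A1,A2,A3,A4 matches; against A1,A3,A2 it does not)."""
    return contains_run(process_seq, target_seq) or contains_run(target_seq, process_seq)


def ordered_subsequences(standard: Sequence[str]) -> List[List[str]]:
    """Order-preserving, contiguous subsets of the standard sequence (at least
    two operations long) that may serve as alternative target sequences."""
    n = len(standard)
    return [list(standard[i:j]) for i in range(n) for j in range(i + 2, n + 1)]


def is_reverse_shell_like(trace_text: str,
                          target_seq: Sequence[str] = STANDARD_SEQUENCE) -> bool:
    """Full check for one target process: parse the trace, abstract it, and
    look for the target system call sequence inside it."""
    return contains_run(to_operations(parse_trace(trace_text)), target_seq)
```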
  • The target process can be determined from the candidate processes by monitoring the connection events of the candidate processes, so that the subsequent matching of the target process can be performed in time, which improves the efficiency of malicious process detection; the malicious process can thus be detected in time, which helps prevent its attack in time and further improves terminal security.
  • FIG. 5 shows a method for detecting a malicious process provided by another embodiment of the present application. The method may include:
  • A connection event is an event in which a process requests a network connection.
  • A process can request a network connection by calling connect().
  • The connection event of the process can therefore be monitored by monitoring calls to connect().
  • The audit function can be used to monitor the connection events of candidate processes. Audit can perform customized auditing of specified files or commands as long as the corresponding rules are configured; the rules can be configured either through the command line (taking effect temporarily) or by editing the configuration file (taking effect permanently), which is not limited in this embodiment.
  • The connection events of candidate processes can be monitored by editing the configuration file and configuring the audit configuration items. If a connection event occurs, it is written to the audit log. By inspecting the audit log, the process ID of the process in which the connection event occurred can be found, and hence the process in which the connection event occurred can be determined.
  • step S320 may include:
  • the number of candidate processes can be multiple. If the number of candidate processes is too large, the number of processes that the host needs to monitor at the same time may be too large, which may result in reduced system operation efficiency or even jamming, so it is control simultaneous. The number of monitored processes, the number of candidate processes can be obtained, and whether the number of candidate processes exceeds the specified monitoring number.
  • the designated monitoring quantity can be determined according to actual needs, can also be preset by the program, or customized by the user, which is not limited here.
  • the designated monitoring quantity can be determined by the current system operating performance.
  • the current system operating performance can be reflected by the central processing unit (CPU) occupancy rate.
  • the CPU occupancy rate can be set to the specified
  • the mapping relationship table between the monitoring quantities, the corresponding designated monitoring quantity can be determined according to the CPU occupancy rate. The higher the CPU occupancy rate, the lower the designated monitoring number corresponding to the CPU occupancy rate. This can be used when the CPU occupancy rate is high. Reduce the number of monitoring, because too many processes are being monitored at the same time, resulting in reduced operating efficiency and even stuck.
  • the CPU occupancy rate can be a specified value or a range of values, which is not limited here.
  • the designated monitoring quantity can also be determined according to other parameters that can reflect the operating performance of the system, such as memory occupancy, which is not limited in this embodiment.
  • the candidate processes to be monitored are determined from the candidate processes, where the number of candidate processes to be monitored is less than the number of candidate processes, so that the number of processes monitored at the same time can be reduced by subsequently monitoring only the connection events of the candidate processes to be monitored.
  • the number of candidate processes to be monitored can be less than or equal to the specified monitoring number, and when the number of candidate processes exceeds the specified monitoring number, the number of candidate processes to be monitored at the same time can be reduced to no more than the specified monitoring number.
  • the preset selection rule can be based on the time at which the connection event occurs. Specifically, candidate processes whose connection events occur earlier are monitored first, and those whose connection events occur later are monitored afterwards. The details are not repeated here.
  • step S323 is substantially the same as the foregoing step S320, and will not be repeated here.
  • connection events of the candidate process can be monitored by configuring the audit configuration items. If a connection event occurs, it is written to the audit log. By examining the audit log, the process IDs of the candidate processes corresponding to the connection events can be obtained, and the candidate processes corresponding to these process IDs are then obtained as target processes. Thus the target process that actively requests the network connection is obtained from the candidate processes.
  • FIG. 7 shows a method for detecting a malicious process provided by still another embodiment of the present application. The method may include:
  • the first process is a process that has created a socket, and may include processes that use the socket and processes that do not use it.
  • the process information of all processes may be acquired first, and then the process corresponding to the process information containing socket-related information is determined as the first process according to whether the process information contains socket-related information. Then the process information of the first process includes socket-related information.
  • the process that created the socket can be directly found as the first process.
  • the command lsof -i can be used.
  • the -i option of lsof can be used to list all processes that have created a socket.
  • the listed information includes the process ID of the process and the socket index of the socket it created, so the process corresponding to the process identifier listed by the lsof -i command can be used as the first process; in this way the first process can be found.
  • the socket index is used to uniquely identify a socket.
  • the socket index may be the index node (inode) of the socket.
  • other commands may also be used to directly search for the first process, which is not limited in this embodiment.
  • the first process can be directly used as a candidate process.
  • all processes that have created sockets are determined as candidate processes.
  • after the candidate process is determined, when the target process is determined from the candidate process, the processes that only created a socket but did not use it can be filtered out by detecting connect(). Even if these processes are not filtered out and are still determined as target processes, they can be filtered out when the subsequent system call operations are matched. Therefore, the first process can be directly used as the candidate process to realize the detection of the malicious process.
  • the process that created the socket can be directly determined as a candidate process
  • when the target process is subsequently determined from the candidate processes, or when matching is performed according to the system call operations, the processes that only create but do not use a socket can still be filtered out, so that malicious processes that not only create a socket but also use it, and specifically use it to request an external connection, can still be effectively detected. Therefore, in some possible embodiments, the first process can be directly determined as a candidate process, and the malicious process can still be detected.
  • step S420 may include:
  • S421 Detect whether the number of first processes exceeds a specified threshold.
  • the specified threshold may be determined according to actual needs, may also be preset by the system, or may be user-defined, which is not limited in this embodiment. In some embodiments, the specified threshold may be determined by the CPU usage rate. As the CPU usage rate increases, the specified threshold value may be reduced, so that the specified threshold value can be adjusted according to the current system operating efficiency to control the number of first processes.
  • the specified threshold is greater than or equal to the specified monitoring quantity, so that the number of the first process can be controlled first before the subsequent control of the number of candidate processes monitored at the same time based on the specified monitoring quantity, so as to avoid candidates determined by the first process The number of processes is too large, which reduces the efficiency of the system.
  • step S422: after it is detected whether the number of first processes exceeds the specified threshold, if the number of first processes exceeds the specified threshold, step S422 may be executed; if it does not exceed the specified threshold, the first process may be directly used as the candidate process, the specific implementation of which can be seen in step S420 and is not repeated here. As a result, when the number of first processes does not exceed the specified threshold, that is, when there are few processes that have created sockets, the first process can be directly used as a candidate process for subsequent detection, reducing the operation steps and thereby helping to improve detection efficiency.
  • the specific implementation manner of determining the candidate process from the first process may be: from the first process, find the process that performs network communication based on the socket as a candidate process. The details can be seen in the following embodiments, which will not be repeated here.
  • the process using the socket may be found from the first process, and then these processes are determined as candidate processes.
  • FIG. 9 shows a method for detecting a malicious process according to another embodiment of the present application. The method may include:
  • the process information is used to record the files opened by the process, and may include the process identifier and at least one piece of file descriptor (fd) information, where each piece of file descriptor information may include a file descriptor (0, 1, 2, ...) and its object attributes.
  • each file descriptor has a corresponding relationship with an object attribute, and the object attribute may include an object type and an object identifier.
  • the object type may include socket, pipe, etc.
  • the object identifier may include socket index, pipe index (pipe ID or pipe inode), etc.
  • the object type may be a socket
  • the object identifier may be the socket index corresponding to the socket
  • the process information of the process may include the socket identifier.
  • the socket identifier may be the field "socket".
  • the process information may also include the socket index corresponding to the socket identifier.
  • the socket index can be the number after "socket"; that is, if a process creates a socket, its process information can include "socket:[435473]", where "435473" is the socket index of the socket created by the process.
  • the process information corresponding to all processes can be obtained through the command ls -la /proc/pid/fd.
  • all information about all processes in the Linux system is stored in the /proc directory.
  • S520 Acquire a process including the socket identifier in the process information as the first process.
  • the process information of a process may include the socket identifier, so the process whose process information contains the socket identifier can be obtained as the first process, that is, the process that created the socket.
  • the first process can be merely a name for a process whose process information contains the socket identifier; that is, the host does not have to perform a separate operation of obtaining the first process, but can just obtain the process information of all processes. If the socket identifier and the process identifier exist in the process information, the process whose process information contains the socket identifier can be named the first process, and its process identifier can be recorded as the process identifier of the first process.
  • S530 From the first process, search for a process that performs network communication based on a socket, as a candidate process.
  • step S530 may include:
  • S531 Acquire a first socket index corresponding to a socket used to establish a network link for network communication.
  • sockets used to establish network links for network communication are used sockets, that is, sockets that are only created but not used are not included.
  • this type of socket binds a port through bind(), or sends a connection request through connect(). Therefore, by obtaining the socket index of this type of socket as the first socket index, it can be used to filter out the first process that has established a socket but is not used, so that the candidate process is determined from the first process Processes that only created sockets but are not used are not included.
  • the command cat /proc/net/tcp can be used to obtain the sockets used to establish a network link for network communication.
  • the /proc/net/tcp file contains the socket information of sockets that have been not only created but also used; the socket information contains the socket index of each socket, and the socket index corresponding to a socket used to establish a network link for network communication can be recorded as the first socket index.
  • S532 Obtain a second socket index corresponding to the socket created by the first process.
  • the process information of all processes can be obtained, and the process that contains the socket identifier in the process information is obtained as the first process, and the process information of the first process also includes the corresponding socket identifier. Therefore, based on the process information of all processes, the socket index corresponding to the socket created by the first process can be obtained as the second socket index.
  • the process information contains the process ID, namely the pid, the socket ID, and the socket index
  • the socket corresponding to the socket identifier in the process information may have only been created but not used, so the second socket index is matched with the first socket index to determine, from the first processes, the candidate processes that use the socket.
  • the first socket index is matched with the second socket index, and a process that performs network communication based on the socket is obtained as a candidate process.
  • the socket corresponding to the first socket index is a socket that is not only created but also used
  • the socket corresponding to the second socket index is a socket that has been created but not necessarily used, so in order to obtain candidate processes that have used their sockets, the first socket index can be matched with the second socket index, and the process corresponding to the second socket index that matches the first socket index is used as a candidate process.
  • the process information of all processes can be obtained by the command ls -la /proc/pid/fd, the inode number of the socket can be obtained by the command cat /proc/net/tcp as the first socket index, then the pid corresponding to that inode number is found in the process information through the inode number, and the process corresponding to the pid is determined as a candidate process.
  • for the processes whose process information contains the socket identifier, the process information of the first process is obtained, the inode number corresponding to the socket identifier is used as the second socket index, and the inode number of the socket obtained through the command cat /proc/net/tcp is used as the first socket index; the first socket index is matched with the second socket index, the pid corresponding to the second socket index that matches the first socket index is obtained, and the process corresponding to the pid is determined as a candidate process.
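The inode matching of steps S531 and S532 and the match that follows them, as an added example in Python that is not part of the patent or of any product it describes. The /proc/net/tcp rows, the fd listings, the pids 1234/4321/5555 and the addresses are constructed sample data; the live scan at the bottom reads only the IPv4 table (a real host also has /proc/net/tcp6 and the UDP tables).

```python
import os
import re
import socket
import struct

# Constructed sample of /proc/net/tcp (not captured from a real host): inode
# 12345 is a listening socket (state 0A), inode 435473 an established
# connection (state 01) from 10.0.2.15:45764 to 10.0.2.1:4444.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2C4 0102000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 435473 1 0000000000000000 20 4 30 10 -1
"""

# Constructed `ls -la /proc/<pid>/fd` output for three hypothetical processes:
# 1234 holds the listening socket, 4321 has the connected socket on fds 0-2,
# 5555 created socket 99999 but never bound or connected it.
SAMPLE_FD_LISTINGS = {
    1234: """\
lrwx------ 1 root root 64 Mar 20 10:00 0 -> /dev/null
lrwx------ 1 root root 64 Mar 20 10:00 3 -> socket:[12345]
""",
    4321: """\
lrwx------ 1 user user 64 Mar 20 10:05 0 -> socket:[435473]
lrwx------ 1 user user 64 Mar 20 10:05 1 -> socket:[435473]
lrwx------ 1 user user 64 Mar 20 10:05 2 -> socket:[435473]
""",
    5555: """\
lr-x------ 1 user user 64 Mar 20 10:06 3 -> pipe:[777]
lrwx------ 1 user user 64 Mar 20 10:06 4 -> socket:[99999]
""",
}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}
SOCKET_RE = re.compile(r"socket:\[(\d+)\]")


def _decode_addr(hex_addr):
    """Turn the kernel's little-endian 'AABBCCDD:PPPP' form into 'ip:port'."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """First socket index: inode -> (local, remote, state). Only sockets that
    were bound or connected appear in /proc/net/tcp at all."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        sockets[int(inode)] = (_decode_addr(local), _decode_addr(remote),
                               TCP_STATES.get(state, state))
    return sockets


def parse_fd_listing(text):
    """Second socket index: every socket inode a process holds open."""
    return {int(m.group(1)) for m in SOCKET_RE.finditer(text)}


def find_candidate_processes(net_tcp_text, fd_listings):
    """Match the second index against the first: a pid becomes a candidate
    only if at least one of its sockets is actually bound or connected."""
    used = parse_proc_net_tcp(net_tcp_text)
    candidates = {}
    for pid, listing in fd_listings.items():
        hits = [(inode,) + used[inode]
                for inode in sorted(parse_fd_listing(listing)) if inode in used]
        if hits:
            candidates[pid] = hits
    return candidates


def live_fd_listings():
    """Read the real /proc instead of `ls -la` output; processes that exit
    mid-scan or are not readable without root are skipped."""
    listings = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            links = [f"{fd} -> {os.readlink(os.path.join(fd_dir, fd))}"
                     for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        listings[int(name)] = "\n".join(links)
    return listings


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:   # IPv4 only; tcp6 is a separate file
        for pid, hits in find_candidate_processes(f.read(), live_fd_listings()).items():
            print(pid, hits)
```

On the sample data, pid 5555 drops out because inode 99999 never appears in /proc/net/tcp, which is exactly the "created but not used" case the text filters.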
  • FIG. 11 shows a method for detecting a malicious process according to yet another embodiment of the present application. The method may include:
  • S610 Find a process that performs network communication based on a socket, as a candidate process.
  • the process of network communication based on sockets can be found through the command netstat.
  • this command can generally be used to check the network connection of each port of the machine. In an example, the processes can be found through the command netstat -tunpa.
  • since the information obtained through the netstat command can include the pids of processes that have TCP and UDP connections, and the netstat command does not count sockets that are only created but not used (bound or connected), the processes performing network communication based on sockets can be found directly as candidate processes.
  • the information sent by the first host may not be received by the second host, or the information sent by the second host may not be received by the first host; that is, information may be lost in transmission, causing part of the attack command not to be received by the first host. Therefore, by first detecting the processes that perform network communication based on the TCP protocol, the malicious processes with a higher degree of threat can be detected first, so that they can be dealt with more promptly and the security threat resolved in time.
  • a specific implementation manner of step S610 may be: searching for a process that performs network communication based on TCP as a candidate process.
  • This method can be applied to the host, and specifically, the host runs a rebound shell detection module, and the rebound shell detection module can be used to execute the method provided in the embodiments of the present application.
  • after the rebound shell detection module is started, it obtains all process information by traversing the /proc directory of the host.
  • the process information includes the process ID (pid) and external connection information
  • the external connection information can include the socket ID and the inode number corresponding to the socket ID.
  • all process information can be obtained through the command ls -la /proc/pid/fd.
  • the inode number can be found through the command cat /proc/net/tcp, and then the process corresponding to the pid can be found through the inode number.
  • this embodiment monitors the external network connections of processes to obtain the processes with external network connections, and then determines whether such a process is a rebound shell process by detecting whether its system call sequence conforms to the pattern of the system call sequence of a shell process. Thus it can effectively detect all kinds of reverse shell processes that do not use the shell that comes with the system, such as those generated by hacker tools such as Metasploit or by command interpreters written by hackers, and has a good recognition effect. Moreover, since the number of external connection events of a server is generally smaller than the number of shell process creations, the detection efficiency of the module is higher and the detection performance is better.
  • the malicious process detection apparatus 1300 may include: a process acquisition module 1310, an operation acquisition module 1320, and an operation matching module 1330 .
  • the process acquisition module 1310 is used to acquire the target process requesting network connection
  • the operation acquisition module 1320 is used to acquire the system call operation of the target process
  • the operation matching module 1330 is configured to determine that the target process is a malicious process if the system call operation matches the target system call operation.
  • the operation matching module 1330 includes: an order matching submodule, wherein:
  • the order matching sub-module is configured to determine that the target process is a malicious process if the execution order of the multiple system call operations matches the execution order of the multiple target system call operations.
  • the execution order of the multiple target system call operations is determined by the system call operations executed sequentially by the shell process.
  • sequence of the multiple target system call operations includes: waiting for data on the socket, reading data, executing a command, writing data, and waiting for data on the socket.
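The order matching performed by the sub-module above, as an added example that is not from the patent or from any product it describes. Which system calls stand for each of the five steps (poll/select as waiting on the socket, read/recv as reading, clone/fork/execve as executing a command, write/send as writing) is this example's own assumption, and both strace-style traces are constructed rather than captured.

```python
import re

# Mapping of system calls to the five steps named in the text. Which calls
# belong to which step is this example's assumption, not the patent's.
STEP_OF = {}
for _name in ("poll", "ppoll", "select", "pselect6", "epoll_wait", "epoll_pwait"):
    STEP_OF[_name] = "wait"
for _name in ("read", "recv", "recvfrom", "recvmsg"):
    STEP_OF[_name] = "read"
for _name in ("clone", "fork", "vfork", "execve", "execveat"):
    STEP_OF[_name] = "exec"
for _name in ("write", "send", "sendto", "sendmsg"):
    STEP_OF[_name] = "write"

# Target sequence: wait on socket, read, execute a command, write, wait again.
TARGET_SEQUENCE = ("wait", "read", "exec", "write", "wait")

LINE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?(\w+)\((.*)\)\s*=\s*(-?\d+|\?)")
FD_RE = re.compile(r"fd=(\d+)")
FDSET_RE = re.compile(r"\[([\d, ]+)\]")


def classify(line, socket_fds):
    """Map one strace-style line to a step, or None. Wait/read/write count
    only when they touch a socket descriptor; exec always counts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, args = m.group(1), m.group(2)
    step = STEP_OF.get(name)
    if step is None:
        return None
    if step == "exec":
        return step
    if step == "wait":   # poll shows fd=N entries, select shows [fd, fd] sets
        fds = {int(x) for x in FD_RE.findall(args)}
        for group in FDSET_RE.findall(args):
            fds.update(int(x) for x in group.replace(",", " ").split())
    else:                # read/write: the descriptor is the first argument
        first = re.match(r"\s*(\d+)", args)
        fds = {int(first.group(1))} if first else set()
    return step if fds & socket_fds else None


def match_target_sequence(trace_lines, socket_fds):
    """Subsequence match of TARGET_SEQUENCE over the trace: calls that do not
    advance the pattern are skipped. Returns the 1-based line numbers of the
    five matched calls, or None when the sequence never completes."""
    idx, matched = 0, []
    for lineno, line in enumerate(trace_lines, 1):
        if classify(line, socket_fds) == TARGET_SEQUENCE[idx]:
            matched.append(lineno)
            idx += 1
            if idx == len(TARGET_SEQUENCE):
                return matched
    return None


# Constructed trace (not a real capture) of a process whose fd 3 is the
# connected socket found by the inode matching: it waits on the socket,
# reads a command, spawns it, writes the output back and waits again.
SUSPICIOUS_TRACE = [
    "poll([{fd=3, events=POLLIN}], 1, -1) = 1",
    'read(3, "id\\n", 1024) = 3',
    "clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4322",
    '[pid  4322] execve("/usr/bin/id", ["id"], 0x55d0c0 /* 12 vars */) = 0',
    'write(3, "uid=1000(user) gid=1000(user)\\n", 30) = 30',
    "poll([{fd=3, events=POLLIN}], 1, -1) = 1",
]

# Constructed trace of an ordinary request/response server on fd 3: same
# wait/read/write rhythm but no command execution, so it must not match.
BENIGN_TRACE = [
    "select(4, [3], NULL, NULL, NULL) = 1",
    'read(3, "GET / HTTP/1.1\\r\\n", 4096) = 16',
    'write(3, "HTTP/1.1 200 OK\\r\\n", 17) = 17',
    "select(4, [3], NULL, NULL, NULL) = 1",
]

if __name__ == "__main__":
    print("suspicious:", match_target_sequence(SUSPICIOUS_TRACE, {3}))  # [1, 2, 3, 5, 6]
    print("benign:", match_target_sequence(BENIGN_TRACE, {3}))          # None
```

A server that forks a helper for every request produces the same five-step shape, so a match is a trigger for closer inspection of the process rather than a verdict on its own.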
  • the process acquisition module 1310 includes: a candidate process acquisition sub-module and a target process determination sub-module, wherein:
  • the candidate process acquisition sub-module is used to acquire candidate processes, the candidate process being a process that performs network communication based on a socket;
  • the target process determining sub-module is configured to determine a target process according to the candidate process, and the target process is a process that requests a network connection based on a socket.
  • target process determining submodule further includes: a connection event monitoring unit and a target process acquiring unit, wherein:
  • connection event monitoring unit is used to monitor the connection event of the candidate process, and the connection event is used to request a network connection;
  • the target process obtaining unit is configured to obtain the candidate process as the target process if the connection event of the candidate process is monitored.
  • connection event monitoring unit includes: a monitoring quantity detection subunit, a process to be monitored determination subunit, and a process monitoring subunit, wherein:
  • the monitoring quantity detection subunit is used to detect whether the number of the candidate processes exceeds the specified monitoring quantity
  • the process to be monitored determination subunit is configured to determine the candidate process to be monitored from the candidate processes if the number of the candidate processes exceeds the specified monitoring number;
  • the process monitoring subunit is used to determine and monitor the connection event of the candidate process to be monitored.
  • the candidate process acquisition sub-module includes: a first process search unit and a first candidate determination unit, wherein:
  • the first process search unit is configured to search for a first process, and the first process is a process that creates a socket;
  • the first candidate determining unit is configured to determine a candidate process from the first process.
  • the first process searching unit includes: a process information acquiring subunit and a socket identification determining subunit, wherein:
  • the process information obtaining subunit is used to obtain process information corresponding to all processes, and the process information is used to record the files opened by the process;
  • the first process determining subunit is used to obtain the process containing the socket identifier in the process information as the first process.
  • the first candidate determining unit includes: a first candidate determining subunit, wherein:
  • the first candidate determination subunit is configured to search for a socket-based network communication process from the first process as a candidate process.
  • the first candidate determining subunit includes: a first index obtaining subunit, a second index obtaining subunit, and an index matching subunit, wherein:
  • the first index obtaining sub-unit is used to obtain the first socket index corresponding to the socket used to establish a network link for network communication;
  • the second index obtaining sub-unit is used to obtain the second socket index corresponding to the socket created by the first process
  • the index matching subunit is used to match the first socket index with the second socket index, and obtain a socket-based network communication process as a candidate process.
  • the first candidate determining unit includes: a second candidate determining subunit, wherein:
  • the second candidate determination subunit is used to search for a socket-based network communication process as a candidate process.
  • the candidate process acquiring submodule includes: a second candidate determining unit, wherein:
  • the second candidate determining unit is used to search for a process that performs network communication based on a socket, as a candidate process.
  • the second candidate determining unit includes: a third candidate determining subunit, wherein:
  • the third candidate determination subunit is used to find a process for network communication based on the TCP communication protocol as a candidate process.
  • the device 1300 for detecting a malicious process further includes: a process termination module, wherein:
  • the process termination module is used to perform termination processing on the malicious process.
  • the malicious process detection apparatus provided in the embodiment of the present application is used to implement the corresponding malicious process detection method in the foregoing method embodiment, and has the beneficial effects of the corresponding method embodiment, which will not be repeated here.
  • the coupling between the modules may be electrical, mechanical or other forms of coupling.
  • each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
  • the electronic device 1400 may be an electronic device capable of running application programs, such as a smart phone, a tablet computer, an e-book, a personal computer, or a server.
  • the electronic device 1400 in this application may include one or more of the following components: a processor 1410, a memory 1420, and one or more application programs, where the one or more application programs may be stored in the memory 1420 and configured to be executed by the one or more processors 1410, and the one or more programs are configured to execute the methods described in the foregoing method embodiments.
  • the processor 1410 may include one or more processing cores.
  • the processor 1410 uses various interfaces and lines to connect the various parts of the entire electronic device 1400, and performs its functions by running or executing the instructions, programs, code sets, or instruction sets stored in the memory 1420 and calling the data stored in the memory 1420.
  • the processor 1410 may use at least one of digital signal processing (Digital Signal Processing, DSP), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA), and Programmable Logic Array (Programmable Logic Array, PLA).
  • the processor 1410 may be integrated with one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem, and the like.
  • the CPU mainly processes the operating system, user interface, and application programs;
  • the GPU is used for rendering and drawing of display content;
  • the modem is used for processing wireless communication. It is understandable that the above-mentioned modem may not be integrated into the processor 1410, but may be implemented by a communication chip alone.
  • the processor 1410 further includes: an external storage device management module 1411 and a storage management service module 1414.
  • the external storage device management module 1411 may be the management and control center of the external storage system in the Android platform, and is a background process for managing and controlling the external storage devices of the Android platform. Its functions mainly include external storage device plug-in event detection and external storage device mounting, unmounting, formatting, and so on. The storage management service module 1414 is the module through which the Android system framework layer communicates with the external storage device management module 1411, and is also the module that provides storage access interfaces and storage mounting message broadcasts to applications. Further, in an implementation manner, the external storage device management module 1411 and the storage management service module 1414 may communicate based on the Binder communication mechanism.
  • the memory 1420 may include random access memory (RAM) or read-only memory (ROM).
  • the memory 1420 may be used to store instructions, programs, codes, code sets or instruction sets.
  • the memory 1420 may include a storage program area and a storage data area, where the storage program area may store instructions for implementing the operating system, instructions for implementing at least one function (such as a touch function, a sound playback function, an image playback function, etc.), instructions for implementing the following method embodiments, and so on.
  • the data storage area can also store data created by the electronic device 1400 during use (such as phone book, audio and video data, chat record data) and the like.
  • each unit in the malicious process detection device shown in FIG. 13 is used as a functional module such as a program package; each unit in the malicious process detection device is stored in the memory 1420 and can be called by the processor to execute the corresponding function.
  • FIG. 15 shows a structural block diagram of a computer readable storage medium provided by an embodiment of the present application.
  • the computer readable storage medium 1500 stores program code, and the program code can be invoked by a processor to execute the method described in the foregoing method embodiment.
  • the computer readable storage medium 1500 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • the computer-readable storage medium 1500 includes a non-transitory computer-readable storage medium.
  • the computer readable storage medium 1500 has storage space for the program code 1510 for executing any method steps in the above-mentioned methods. These program codes can be read from or written into one or more computer program products.
  • the program code 1510 may be compressed in an appropriate form, for example.

Abstract

Embodiments of the present application relate to the technical field of network security, and disclosed are a malicious process detection method and apparatus, an electronic device, and a storage medium. The method comprises: obtaining a target process requesting a network connection; obtaining a system call operation of the target process; and if the system call operation matches a target system call operation, determining that the target process is a malicious process. In the embodiments of the present application, the target process is first determined according to whether a network connection to the outside exists, and then whether the target process is a malicious process is determined according to the system call operation of the target process, so that malicious processes established by the system's command interpreter may be detected, and malicious processes that are not established according to system rules may also be detected, thereby greatly reducing the rate of missed detections of malicious processes and realizing more effective detection.

Description

恶意进程的检测方法、装置、电子设备及存储介质Malicious process detection method, device, electronic equipment and storage medium 技术领域Technical field
本申请涉及网络安全技术领域,更具体地,涉及一种恶意进程的检测方法、装置、电子设备及存储介质。This application relates to the field of network security technology, and more specifically, to a method, device, electronic device, and storage medium for detecting malicious processes.
背景技术Background technique
At present, firewalls usually impose strict restrictions on external machines connecting to the local machine but few restrictions on the local machine actively connecting to external machines. If an attacker therefore uses a reverse connection, that is, makes the local machine actively connect to an external machine, firewall supervision can be evaded effectively and the local machine attacked, threatening its security. To improve network security, malicious processes holding reverse connections in a host need to be detected, but at present such malicious processes cannot be detected effectively.
Summary of the invention
This application proposes a malicious process detection method, apparatus, electronic device and computer-readable storage medium to remedy the above deficiencies.
In a first aspect, an embodiment of this application provides a method for detecting a malicious process. The method includes: obtaining a target process that requests a network connection; obtaining the system call operations of the target process; and, if the system call operations match target system call operations, determining that the target process is a malicious process.
In a second aspect, an embodiment of this application further provides an apparatus for detecting a malicious process. The apparatus includes: a process acquisition module, configured to obtain a target process that requests a network connection; an operation acquisition module, configured to obtain the system call operations of the target process; and an operation matching module, configured to determine that the target process is a malicious process if its system call operations match target system call operations.
In a third aspect, an embodiment of this application further provides an electronic device, including: one or more processors; a memory; and one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to perform the above method.
In a fourth aspect, an embodiment of this application further provides a computer-readable storage medium in which program code is stored, the program code being invocable by a processor to perform the above method.
The malicious process detection method, apparatus, electronic device and computer-readable storage medium provided by this application obtain a target process that requests a network connection, then obtain the system call operations of that target process, and determine that the target process is a malicious process when its system call operations match target system call operations. The embodiments of this application thus first filter out target processes according to whether a process requests an outbound network connection, and then determine which target processes are malicious according to whether their system call operations match the target system call operations. This detects not only malicious processes created with the command interpreter that comes with the system but also malicious processes that are not created according to system rules, greatly reducing the rate of missed detections (false negatives), raising the reporting rate of malicious processes and achieving more effective detection.
Description of the drawings
To describe the technical solutions in the embodiments of this application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application; those skilled in the art can obtain other drawings from them without creative effort.
Figure 1 shows a schematic diagram of a socket-based communication flow;
Figure 2 shows a schematic diagram of an application scenario of the malicious process detection method provided by an embodiment of this application;
Figure 3 shows a schematic flowchart of a malicious process detection method provided by one embodiment of this application;
Figure 4 shows a schematic flowchart of a malicious process detection method provided by another embodiment of this application;
Figure 5 shows a schematic flowchart of a malicious process detection method provided by yet another embodiment of this application;
Figure 6 shows a schematic flowchart of step S320 of Figure 5 in an exemplary embodiment;
Figure 7 shows a schematic flowchart of a malicious process detection method provided by a further embodiment of this application;
Figure 8 shows a schematic flowchart of step S420 of Figure 7 in an exemplary embodiment of this application;
Figure 9 shows a schematic flowchart of a malicious process detection method provided by still another embodiment of this application;
Figure 10 shows a schematic flowchart of step S530 of Figure 9 in an exemplary embodiment of this application;
Figure 11 shows a schematic flowchart of a malicious process detection method provided by yet a further embodiment of this application;
Figure 12 shows a schematic flowchart of a malicious process detection method provided by an exemplary embodiment of this application;
Figure 13 shows a block diagram of the modules of a malicious process detection apparatus provided by an embodiment of this application;
Figure 14 shows a structural block diagram of an electronic device provided by an embodiment of this application;
Figure 15 shows a storage unit according to an embodiment of this application for storing or carrying program code that implements the malicious process detection method of the embodiments of this application.
Detailed description of the embodiments
To enable those skilled in the art to better understand the solutions of this application, the technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings of the embodiments.
Definition of terms
Transmission Control Protocol/Internet Protocol (TCP/IP): an industry-standard suite of protocols designed for wide area networks (WANs).
UDP (User Datagram Protocol): the connectionless counterpart of TCP; it also belongs to the TCP/IP protocol suite.
Socket: a socket is an intermediate software abstraction layer through which the application layer communicates with the TCP/IP protocol suite; it is a set of interfaces. In design-pattern terms a socket is a facade: it hides the complex TCP/IP protocol suite behind the socket interface, so that from the user's point of view a small set of simple interfaces is all there is, and the socket organises the data to conform to the specified protocol. Applications that use TCP/IP usually use sockets to communicate between processes across the network.
Socket-based communication: taking a TCP connection as an example, with reference to Figure 1, the server initialises a socket, binds it to a port (bind), listens on the port (listen) and calls accept, which blocks waiting for a client to connect. If at this point a client initialises a socket and connects (connect) to the server, and the connection succeeds, the connection between client and server is established. The client sends a data request, the server receives and processes the request and sends the response data to the client, the client reads the data, and finally the connection is closed, ending one interaction.
That is, on the server side, after calling socket() to create a socket and bind() to bind the socket to a port, listen() is called to listen on the port corresponding to the socket; in other words, once a TCP server has called socket(), bind() and listen() in turn, it listens on the specified socket address. After the client calls socket() and then connect(), it sends a connection request to the TCP server, which receives the request and establishes the connection with the client. Specifically, after the server observes the connection request it calls accept() to accept it, and the connection is then established. Network input/output (I/O) operations, analogous to ordinary file read/write I/O, can then begin, implementing socket-based data transfer.
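The Figure 1 sequence as an added, runnable example (it is not code from the patent): the server side performs socket(), bind(), listen() and accept(), the client side performs socket() and connect(), one request/response is exchanged over loopback, and the connection is closed. Port 0, the loopback address and the upper-casing "service" are choices made for this example; the client's connect() call is the operation that step S110 of the method described below uses to pick out processes that request an outbound connection.

```python
import socket
import threading

# Added example, not code from the patent. It performs the Figure 1 sequence
# over loopback: the server side calls socket()/bind()/listen()/accept(), the
# client side calls socket()/connect(), then one request/response is exchanged
# and the connection is closed. Port 0 asks the kernel for a free port.


def serve_one_client(listener, seen):
    """Server side: accept() blocks until a client's connect() arrives, then
    read one request and answer it (here: the request upper-cased)."""
    conn, peer = listener.accept()                      # accept()
    with conn:
        request = conn.recv(1024)                       # read request
        seen["peer"] = peer
        seen["request"] = request
        conn.sendall(request.upper())                   # send response


def socket_round_trip(payload=b"hello server"):
    """Run one client/server interaction; return what both sides observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # socket()
    listener.bind(("127.0.0.1", 0))                                # bind()
    listener.listen(1)                                             # listen()
    host, port = listener.getsockname()

    seen = {}
    server = threading.Thread(target=serve_one_client, args=(listener, seen))
    server.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)     # socket()
    client.settimeout(5)
    client.connect((host, port))                                   # connect()
    client.sendall(payload)                                        # send request
    reply = client.recv(1024)                                      # read response
    client.close()                                                 # close

    server.join(timeout=5)
    listener.close()
    seen["reply"] = reply
    seen["server_port"] = port
    return seen


if __name__ == "__main__":
    print(socket_round_trip())
```

Note which side calls which function: only the server ever calls bind()/listen()/accept(), and only the client calls connect(). In a reverse connection the roles are swapped with respect to the intuitive "attacker connects to victim" picture, so the victim host is the one whose process calls connect().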
System call: when Linux starts, it first starts the kernel, a program that directly manages the hardware, including the CPU, memory, disk interfaces, network interfaces and so on. All operations on the computer must be passed to the hardware through the kernel. For ease of invoking the kernel, its functions are exposed as system calls, and kernel functionality is obtained by performing system call operations. System calls give upper-layer programs a clear interface and hide the kernel's complex internal structure; any function offered by an operating system can be viewed as the combined effect of system calls.
Shell: a shell is a command-language interpreter with its own built-in set of shell commands; it is the interface program used to interact with the Linux kernel. The shell provides an interface through which users access the services of the operating system kernel: in a Linux system the shell connects upward to the various upper-layer applications and downward to the system calls. A shell is both a command language and a programming language. A shell script is a script program written for the shell, i.e. a program whose commands are parsed and executed; it is interpreted by the shell and passed on to the kernel.
Shell process: one run of a shell program written according to the programming syntax defined by the shell.
Commonly used shells on Linux and UNIX systems currently include the Bourne shell (sh), the Bourne Again shell (bash), the C shell (csh) and the Korn shell (ksh); bash is the default shell of most Linux distributions. In the embodiments of this application these shells are also referred to as the shells that come with the system, or system-provided shells.
To express the technical solutions of the embodiments more clearly, before describing the embodiments in detail, the technical problem they solve and the process by which the inventor discovered it are described as follows:
At present, a connection between a controlling end and a controlled end can generally be established in two ways. The first can be called a forward connection: the controlling end actively connects to a port of the controlled end, and the controlled end listens on that port to accept the connection; that is, in a forward connection the controlled end is the server in the network sense and the controlling end is the client. Remote desktop, web services, shells and the like are generally implemented with forward connections.
However, because of firewall restrictions, insufficient privileges, ports already being occupied and similar limitations, the first method may leave the controlling end unable to connect to the controlled end, unable to maintain continuous control of it, or unable to receive its requests. To get around these limitations and control, attack or intrude on a user's host, some attackers therefore use a second connection method: the attacker creates a socket on the victim host, the victim host actively connects to a port on the attacker's host, and the attacker listens on that port to accept the connection. Here the victim acts as the client and the attacker as the server, the reverse of the client and server roles in a forward connection; this method can be called a reverse connection (also known as a bounce connection).
When a host has a process based on a reverse connection, that process can be regarded as a malicious process. Such processes threaten host security, so to improve network security, the malicious processes holding reverse connections in a host need to be detected.
In addition, if the malicious process corresponds to a program that parses and executes commands, the program can be called a reverse shell and the malicious process can further be called a reverse shell process; the method provided by the embodiments of this application can therefore detect reverse shell processes.
Reverse shell program: a shell based on a reverse connection. The controlling end listens on a port, the controlled end initiates a request to that port and redirects the input and output of its command line to the controlling end. A reverse shell is essentially the reversal of the client and server roles in the network sense.
However, the inventor found in research that a program based on a reverse connection need not be built with the system-provided shell, and an attacker can create a reverse shell without it. For example, an attacker can write a program that parses and executes commands on top of a self-developed command interpreter and use it as a shell; an attacker can also upload a shell program, or copy the system shell to another directory and rename it before use, so that the shell program neither follows the naming convention of the system-provided shells nor resides in their designated directory. Such shell programs are hard to discover with current detection methods; that is, current detection methods miss (fail to report) this class of malicious process.
Therefore, in view of the above problems, the embodiments of this application provide a malicious process detection method, apparatus, electronic device and computer-readable storage medium to reduce the rate of missed detections of malicious processes.
For ease of detailed description, the application scenarios to which the embodiments apply are first described by way of example with reference to the drawings.
Referring to Figure 2, which shows a schematic diagram of an application scenario of the malicious process detection method provided by an embodiment of this application, the scenario includes a communication system 10 provided by an embodiment of this application. The communication system 10 includes a first host 100 and a second host 200, which can be connected to each other over a network.
The first host 100 and the second host 200 may each be a terminal or a server. A terminal may be, without limitation, a mobile phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a personal computer, a wearable electronic device and so on; the embodiments of this application do not limit the specific type of terminal device. A server may be a conventional server or a cloud server, a single server, a cluster of several servers, or a cloud computing service centre.
The first host 100 and the second host 200 may be the same kind of device or different kinds, which is not limited here; for example, both may be terminals, both may be servers, or one may be a terminal and the other a server.
In the embodiments of this application, the first host 100 represents the compromised host, i.e. the victim's host, and the second host 200 represents the intruding host, i.e. the attacker's host. If the second host 200 creates a socket on the first host 100 so that the first host 100 actively requests a connection to the second host 200, the process involved in that behaviour can be the malicious process described in the embodiments of this application; here the first host 100 corresponds to the client and the second host 200 to the server in the network sense.
It will be understood that a given host may swap between the roles of compromised host and intruding host in different circumstances: if at one moment host A is compromised by host B, host A is the compromised host, represented by the first host 100, and host B the intruding host, represented by the second host 200; if at another moment host A intrudes on host B, host A is the intruding host (second host 200) and host B the compromised host (first host 100).
The malicious process detection method, apparatus, electronic device and computer-readable storage medium provided by the embodiments of this application are described in detail below through specific embodiments.
Referring to Figure 3, which shows a schematic flowchart of a malicious process detection method provided by one embodiment of this application, the method can be applied to the first host described above. The flow shown in Figure 3 is described in detail below. The method may include:
S110: obtain a target process that requests a network connection.
The target process is a process with an outbound connection, that is, a process under which the compromised host requests a network connection to another host. A process may request an outbound network connection on the basis of various communication protocols, for example TCP or UDP, which are not limited here.
Taking a network connection request based on TCP or UDP as an example, the process will have created a socket and used it to send a connection request to another host, which requires calling connect(); a process that has called connect() can therefore be obtained as a target process requesting a network connection. (A UDP socket can also send datagrams with sendto() without ever calling connect(); a detector that keys only on connect() will not see such traffic, so this embodiment takes connect() as the indicator of a requested connection.)
S120: obtain the system call operations of the target process.
The system call operations record the system calls the process has used. In some embodiments a process's system call operations include the type of each system call and the time at which the process made it, so obtaining the target process's system call operations determines which system calls it has used. Furthermore, when multiple system call operations are obtained, their execution order can also be determined.
In some embodiments the system call operations of the target process can be obtained through its process identifier (PID), the number that uniquely identifies the process.
It should be noted that in the embodiments of this application, "multiple" means two or more.
S130: if the system call operations match target system call operations, determine that the target process is a malicious process.
Many types of processes may be running in a system, including but not limited to shell processes, database processes (e.g. mysql) and server processes (e.g. apache, tomcat, nginx). Since the system call operations of different kinds of processes differ, the type of a process can be determined from its system call operations.
In some embodiments the target system call operations may be the system call operations of a specified type of process; matching the target process's system call operations against them determines whether the target process's system call operations fit the characteristics of that type of process.
Since an intruding host attacking a compromised host generally uses a program that parses and executes commands (e.g. a shell program) to carry out a reverse-connection attack, the process corresponding to such a program can be defined as the malicious process in the embodiments of this application. The specified type of process is then the process of a command-parsing-and-executing program, and the target system call operations are the system call operations used by that kind of process. For example, if the malicious process to be detected is a reverse shell process, the specified type of process may be a shell process and the target system call operations may be the system call operations of a shell process.
The number of system call operations and of target system call operations may each be one or more, without limitation.
In some embodiments, when there are multiple system call operations and multiple target system call operations, the system call operations match the target system call operations when the types of the multiple system call operations match the types of the multiple target system call operations. In one implementation, if for each of the multiple system call operations a matching target system call operation can be found among the multiple target system call operations, the system call operations are judged to match; for example, if the system call operations are A1, A2, A3 and the target system call operations are A1, A3, A2, A4, A5, the two are judged to match.
In other embodiments, since the execution order of system call operations determines the type of a process to a certain extent, whether the target process is malicious can also be determined from the execution order: the system call operations match the target system call operations when the multiple system call operations and the multiple target system call operations at least partly coincide and the coinciding part also has the same execution order. Specific implementations are given in later embodiments and not repeated here.
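Steps S110 to S130 carried through on a system call trace, as an added example that is not code from the patent. The trace is a constructed sample in the style of `strace -f` output (PIDs, paths and addresses are invented); the list of target system call operations is an assumption of this example, since the patent leaves it to the implementer, and it encodes the usual footprint of a shell started over a reverse connection: socket, connect, three dup2 calls that move stdin/stdout/stderr onto the socket, then execve. Both matching rules described above are implemented: type-only matching (the A1, A2, A3 example) and order-aware matching, the latter in its strictest reading, where the whole target sequence must occur in the observed order with unrelated calls allowed in between.

```python
import re
from collections import defaultdict

# Added example, not code from the patent. The trace below is a constructed
# sample in the style of `strace -f` output, one line per system call:
# "<pid> <syscall>(<args>) = <ret>". PIDs, paths and addresses are invented.
CONSTRUCTED_TRACE = """\
1201 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
1201 connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1201 dup2(3, 0) = 0
1201 dup2(3, 1) = 1
1201 dup2(3, 2) = 2
1201 execve("/tmp/.x/p", ["/tmp/.x/p", "-i"], 0x7ffd...) = 0
1340 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1340 bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1340 listen(4, 128) = 0
1340 accept4(4, {sa_family=AF_INET, ...}, [16], SOCK_CLOEXEC) = 5
1402 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
1402 connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.9")}, 16) = 0
1402 sendto(3, ..., 517, 0, NULL, 0) = 517
1402 recvfrom(3, ..., 4096, 0, NULL, NULL) = 1200
1511 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
1511 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
1511 connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1511 dup2(3, 0) = 0
1511 dup2(3, 1) = 1
1511 dup2(3, 2) = 2
1511 close(3) = 0
1511 execve("/bin/sh", ["/bin/sh", "-i"], 0x7ffd...) = 0
"""

LINE_RE = re.compile(r"^(\d+)\s+([a-z0-9_]+)\(")

# Assumed target system call operations for a shell process started over a
# reverse connection: connect, stdin/stdout/stderr redirected onto the socket,
# then a new program image. The patent leaves this list to the implementer.
TARGET_OPS = ["socket", "connect", "dup2", "dup2", "dup2", "execve"]


def parse_trace(text):
    """Step S120: the system call operations of each PID, in execution order."""
    ops = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ops[int(m.group(1))].append(m.group(2))
    return dict(ops)


def target_processes(ops_by_pid):
    """Step S110: PIDs that requested an outbound connection, i.e. called connect()."""
    return sorted(pid for pid, ops in ops_by_pid.items() if "connect" in ops)


def match_by_type(ops, target_ops):
    """Type-only matching: every observed operation has a counterpart among the
    target operations (A1,A2,A3 against A1,A3,A2,A4,A5 matches)."""
    return set(ops) <= set(target_ops)


def match_in_order(ops, target_ops):
    """Order-aware matching, strict reading: the whole target sequence occurs in
    the observed operations in the same order; unrelated calls may be interleaved."""
    remaining = iter(ops)
    return all(any(op == want for op in remaining) for want in target_ops)


def detect(trace_text, target_ops=TARGET_OPS, ordered=True):
    """Steps S110-S130 end to end: PIDs whose operations match the target."""
    ops_by_pid = parse_trace(trace_text)
    matcher = match_in_order if ordered else match_by_type
    return [pid for pid in target_processes(ops_by_pid)
            if matcher(ops_by_pid[pid], target_ops)]


if __name__ == "__main__":
    print("order-aware:", detect(CONSTRUCTED_TRACE))
    print("type-only:  ", detect(CONSTRUCTED_TRACE, ordered=False))
```

On this sample the listener (PID 1340) is never a target because it calls accept4() rather than connect(), the TLS client (PID 1402) is a target but matches neither rule, and the two reverse shells differ: PID 1201 matches both rules, while PID 1511 fails the type-only rule because of its extra fcntl() and close() calls and is caught only by the order-aware rule. The type-only rule also accepts any process whose calls are a subset of the target list (one that calls only socket() and connect(), say), so in practice the order-aware rule is the one to rely on.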
In some embodiments, after determining that the target process is malicious, the compromised host can act on it. In one implementation the malicious process is terminated, which may mean killing it or taking other measures, without limitation here, so as to stop its continued attack on the host in time, remove the threat promptly and protect the host.
In some embodiments the compromised host can be connected to an operations and maintenance (O&M) management device, to which it reports the detection result after detecting a malicious process; the O&M management device receives the reported result and performs corresponding maintenance on the compromised host. The O&M management device may be a server, a firewall, a network management device and so on.
The O&M management device can also generate alarm information prompting O&M staff or other relevant personnel to carry out responsive maintenance on the compromised host. The alarm may be a voice prompt, a text prompt, an indicator light and so on, which this embodiment does not limit.
In practice, shell programs created with the system-provided shell are generally named and stored according to system rules, that is, named in a fixed way and stored in a fixed directory. When detecting reverse shell processes, the prior art therefore first obtains the shell processes and then checks whether each has an outbound network connection, and at present shell processes are usually obtained by looking in the fixed directories for the fixed names. Hence if an attacker writes a program that does not follow the fixed naming convention of the system rules, is not stored in the fixed directory, or is not even built on the system-provided shell, that program evades prior-art detection. Yet if such a program still causes the host running it to actively establish a connection to an external host, it can still be defined as a reverse shell program and its process as a reverse shell process. Existing detection methods therefore miss reverse shell processes that are not built according to system rules, so that some reverse shell threats go undetected and unreported.
Compared with the prior art, the malicious process detection method of this embodiment first obtains the target processes that request network connections, then obtains the system call operations of each target process, and determines from the match between those operations and the target system call operations whether the target process is malicious. This detects not only malicious processes built according to system rules but also those not built according to system rules, greatly reducing missed detections, raising the reporting rate of malicious processes and thus improving the security of the terminal. In particular, it can effectively detect the processes of reverse shell programs that do not use the system-provided shell, for instance reverse shells generated by hacking tools such as metasploit or created by an attacker-written command interpreter. Moreover, since the processes on a compromised host that request outbound connections are generally fewer than the processes created by the system-provided shell, first selecting target processes by whether they request a network connection improves detection efficiency and performance.
In some embodiments, the processes that communicate over sockets may first be obtained as candidate processes, and the processes requesting outbound connections are then determined from the candidates as target processes. Specifically, referring to FIG. 4, which shows a malicious process detection method provided by another embodiment of the present application, the method may include:
S210: Obtain candidate processes.
A candidate process is a process that performs network communication over a socket. This includes processes that request outbound connections over a socket as well as processes that are connected to by other hosts over a socket. In other words, a candidate process has not only created a socket but also used it, for example by calling bind() or connect() on it.
In addition, in some possible embodiments, the candidate processes may also include processes that created a socket but never used it, i.e. that called socket() without subsequently calling bind() or connect(). In one implementation, the processes that created a socket are looked up and determined as candidate processes; the specific implementation is described in later embodiments and is not repeated here.
S220: Determine the target process from the candidate processes.
In some embodiments, the system call operations of a candidate process may be obtained and checked for a connection function. For example, whether the candidate process calls connect() may be checked; if it does, the candidate process is determined to be a process requesting a network connection, i.e. it is determined as the target process.
In other embodiments, the connection events of the candidate processes may be monitored, and when a connection event is observed, the candidate process for which it was observed is determined as the target process. The specific implementation is described in later embodiments and is not repeated here.
S230: Obtain the system call operations of the target process.
S240: If the system call operations match the target system call operations, determine that the target process is a malicious process.
In some embodiments, there are multiple system call operations and multiple target system call operations, and step S240 may be implemented as follows: if the execution order of the multiple system call operations matches the execution order of the multiple target system call operations, determine that the target process is a malicious process.
For convenience, the multiple target system call operations executed in sequence are referred to as the target system call sequence, and the multiple system call operations executed in sequence by the target process as the target process's system call sequence. "The execution order of the multiple system call operations matches the execution order of the multiple target system call operations" can then be written as "the target process's system call sequence matches the target system call sequence".
For example, if the system call operations in execution order are A1, A2, A3, i.e. the target process's system call sequence is A1, A2, A3, and the target system call operations in execution order are A1, A3, A2, i.e. the target system call sequence is A1, A3, A2, then the target process's system call sequence is determined not to match the target system call sequence (the order of A2 and A3 differs). As another example, if the target process's system call sequence is A1, A2, A3 and the target system call sequence is A0, A1, A2, A3, A4, the two are determined to match (the former occurs, in the same order and without interruption, within the latter).
In some embodiments, if the malicious process is a reverse shell process, the execution order of the multiple target system call operations may be derived from the system call operations that a shell process executes in sequence, so a target process that satisfies the match may be called a shell process.
In some embodiments, the multiple target system call operations in order may include: wait for data on the socket, read data, execute a command, write data, wait for data on the socket. Reading data means reading from the socket and writing data means writing to the socket. In some implementations, detection is most accurate when the target process's system call sequence contains a segment that coincides exactly with the target system call sequence formed by these operations, for the following reason.
Because the target system call sequence "wait for data on the socket, read data, execute a command, write data, wait for data on the socket" reflects the characteristics of a shell process well, in some embodiments a process is determined to be a shell process whenever its system call sequence is consistent with this target system call sequence, and determined not to be a shell process otherwise. Matching on this target system call sequence therefore avoids the misdetection of other, non-shell processes as malicious processes and improves the detection accuracy for shell processes, and hence for reverse shell processes.
Furthermore, if "wait for data on the socket, read data, execute a command, write data, wait for data on the socket" is taken as the standard system call sequence, the target system call sequence matched against the target process's system call sequence need not be this standard sequence itself. As one implementation, a subset of the standard system call sequence may be used as the target system call sequence, provided the execution order of the operations in the standard sequence is preserved; for example, the target system call sequence may be "read data, execute a command, write data" or "wait for data on the socket, read data, execute a command, write data". This is not limited here.
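The matching rule described in the preceding paragraphs, worked through in code. This is an added example and not code from the patent. The mapping from raw Linux system call names to the abstract operations (wait, read, exec, write), the pid numbers and the strace-style trace lines are constructed assumptions for illustration; classifying clone()/fork() on the shell process as "execute a command" is likewise an assumption, since a shell normally forks a child to run the command rather than calling execve() itself.

```python
"""Order-preserving match of a process's system call sequence against the
reverse-shell standard sequence: wait, read, exec, write, wait.

Added example, not code from the patent. Trace lines, pids and the
syscall-to-operation mapping below are constructed assumptions.
"""
import re

# Abstract operations of the standard sequence from the text.
STANDARD_SEQUENCE = ("wait", "read", "exec", "write", "wait")

# Assumed mapping from Linux system call names to the abstract operations.
SYSCALL_CLASS = {
    "select": "wait", "pselect6": "wait", "poll": "wait", "ppoll": "wait",
    "epoll_wait": "wait", "epoll_pwait": "wait",
    "read": "read", "recvfrom": "read", "recvmsg": "read",
    "clone": "exec", "fork": "exec", "vfork": "exec", "execve": "exec",
    "write": "write", "sendto": "write", "sendmsg": "write",
}

# Constructed "strace -f -tt"-like line: "<pid> <time> <syscall>(<args>) = <ret>"
TRACE_LINE = re.compile(r"^(?P<pid>\d+)\s+\S+\s+(?P<name>[a-z_0-9]+)\(")

def abstract_sequence(trace_lines, pid):
    """Collapse the raw trace of one pid into its abstract operation sequence,
    dropping calls outside the mapping and merging immediate repeats (a shell
    may read() one command in several chunks)."""
    seq = []
    for line in trace_lines:
        m = TRACE_LINE.match(line)
        if not m or int(m.group("pid")) != pid:
            continue
        op = SYSCALL_CLASS.get(m.group("name"))
        if op is not None and (not seq or seq[-1] != op):
            seq.append(op)
    return tuple(seq)

def is_contiguous_run(needle, haystack):
    """True if needle occurs in haystack as a contiguous, order-preserving run."""
    n = len(needle)
    return n > 0 and any(tuple(haystack[i:i + n]) == tuple(needle)
                         for i in range(len(haystack) - n + 1))

def sequences_match(observed, target):
    """Rule from the text: the sequences match when one is a contiguous run of
    the other; a reordering (A1,A2,A3 vs A1,A3,A2) does not match."""
    return is_contiguous_run(target, observed) or is_contiguous_run(observed, target)

def ordered_subsequences(standard, min_len=3):
    """Target sequences derived from the standard one with its order preserved:
    every contiguous window of at least min_len operations, longest first."""
    return [tuple(standard[i:i + n])
            for n in range(len(standard), min_len - 1, -1)
            for i in range(len(standard) - n + 1)]

def classify(trace_lines, pid, standard=STANDARD_SEQUENCE):
    """Return the longest order-preserving target sequence found in the
    process's abstract sequence, or None if it contains none."""
    observed = abstract_sequence(trace_lines, pid)
    for target in ordered_subsequences(standard):
        if is_contiguous_run(target, observed):
            return target
    return None

# Constructed trace: pid 4242 is a minimal reverse shell that forks 4243 to run
# "id"; pid 5151 is an ordinary HTTP client that never executes a command.
SAMPLE_TRACE = [
    "4242 12:00:00.001 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3",
    "4242 12:00:00.002 connect(3, {sa_family=AF_INET, ...}, 16) = 0",
    "4242 12:00:00.003 poll([{fd=3, events=POLLIN}], 1, -1) = 1",
    "4242 12:00:05.100 read(3, \"id\\n\", 1024) = 3",
    "4242 12:00:05.101 clone(child_stack=NULL, flags=SIGCHLD) = 4243",
    "4243 12:00:05.102 execve(\"/usr/bin/id\", [\"id\"], ...) = 0",
    "4242 12:00:05.109 wait4(4243, [{WIFEXITED(s)}], 0, NULL) = 4243",
    "4242 12:00:05.110 write(3, \"uid=0(root) gid=0(root)\\n\", 24) = 24",
    "4242 12:00:05.111 poll([{fd=3, events=POLLIN}], 1, -1) = 1",
    "5151 12:00:01.000 connect(3, {sa_family=AF_INET, ...}, 16) = 0",
    "5151 12:00:01.001 write(3, \"GET / HTTP/1.1\\r\\n\", 16) = 16",
    "5151 12:00:01.050 poll([{fd=3, events=POLLIN}], 1, 5000) = 1",
    "5151 12:00:01.051 read(3, \"HTTP/1.1 200 OK\\r\\n\", 4096) = 17",
]
```

Running classify(SAMPLE_TRACE, 4242) yields the full standard sequence, while the HTTP client (write, wait, read) matches no order-preserving window and is not flagged; the child's execve() is attributed to pid 4243 and so does not enter the parent's sequence, which is why the fork itself is what stands in for "execute a command" here.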
It should be noted that, for parts of the above steps not described in detail, reference may be made to the foregoing embodiments; they are not repeated here.
In some embodiments, the target process may be determined from the candidate processes by monitoring the candidate processes' connection events, so that the subsequent matching of the target process can be performed promptly. This improves the efficiency of detecting malicious processes and allows them to be detected in time, which helps stop attacks by malicious processes promptly and further improves terminal security. Specifically, referring to FIG. 5, which shows a malicious process detection method provided by yet another embodiment of the present application, the method may include:
S310: Obtain candidate processes.
S320: Monitor the connection events of the candidate processes.
A connection event is an event in which a network connection is requested.
In some implementations, a process requests a network connection by calling connect(); in one example, if a process calls connect(), a connection event of that process is observed.
In some embodiments, the audit facility (audit) may be used to monitor the connection events of the candidate processes. Audit can be configured to audit specified files or commands simply by setting the corresponding rules, either from the command line (effective for the current session) or by editing the configuration file (persistent); this embodiment does not limit which is used.
In some implementations, to monitor connection events over a long period or repeatedly, the audit configuration items may be set by editing the configuration file. When a connection event occurs it is written to the audit log, and auditing that log yields the process identifier of the process in which the connection event occurred, thereby determining that process.
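The audit-based monitoring of steps S320 and S330, worked through as an added example that is not code from the patent. The records follow the key=value layout of Linux audit SYSCALL records; the rule in the comment, the pids, paths and timestamps are constructed, and the example assumes an x86_64 host, where connect() is system call number 42 and the audit arch field reads c000003e.

```python
"""Extract connection events of candidate processes from Linux audit records
and turn them into target processes (steps S320 and S330).

Added example, not code from the patent. Records, pids and paths are constructed.
"""
import re

# Rule that produces the records below (constructed; persist it under
# /etc/audit/rules.d/ for reboot persistence or load it with auditctl for
# the current session):
#   -a always,exit -F arch=b64 -S connect -k net_connect
AUDIT_KEY = "net_connect"
CONNECT_SYSCALL_NR = {"c000003e": 42}   # x86_64 only; other arches differ

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes.
    The msg=audit(<epoch>:<serial>) token is unpacked into time and serial."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = re.search(r"msg=audit\((\d+\.\d+):(\d+)\)", line)
    if m:
        fields["time"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields

def connect_events(records, candidate_pids):
    """Return (time, pid, exe) for every successful connect() issued by a
    candidate process, earliest first. Failed connect() calls (success=no)
    did not establish a connection and are ignored."""
    events = []
    for line in records:
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("key") != AUDIT_KEY:
            continue
        expected = CONNECT_SYSCALL_NR.get(r.get("arch"))
        if expected is None or int(r.get("syscall", -1)) != expected:
            continue
        if r.get("success") != "yes":
            continue
        pid = int(r["pid"])
        if pid in candidate_pids:
            events.append((r["time"], pid, r.get("exe", "")))
    return sorted(events)

def target_pids(records, candidate_pids):
    """Step S330: candidate processes with at least one connection event."""
    return sorted({pid for _, pid, _ in connect_events(records, candidate_pids)})

# Constructed audit log. 4242: assumed reverse shell in a Python interpreter;
# 2201: browser-like client; 9001: connect() refused; 7777: not a candidate;
# last record: a socket() call from another rule, filtered out by key.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1584956400.123:4567): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=3 a1=7ffd2c1d0a40 a2=10 a3=0 items=0 ppid=1000 pid=4242 auid=1000 uid=1000 gid=1000 '
    'comm="python3" exe="/usr/bin/python3.8" key="net_connect"',
    'type=SYSCALL msg=audit(1584956398.500:4560): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=7 a1=7f1a0000 a2=1c a3=0 items=0 ppid=1 pid=2201 auid=1000 uid=1000 gid=1000 '
    'comm="firefox" exe="/usr/lib/firefox/firefox" key="net_connect"',
    'type=SYSCALL msg=audit(1584956401.000:4570): arch=c000003e syscall=42 success=no exit=-111 '
    'a0=3 a1=7ffd2c1d0b00 a2=10 a3=0 items=0 ppid=1000 pid=9001 auid=1000 uid=1000 gid=1000 '
    'comm="nc" exe="/usr/bin/nc.openbsd" key="net_connect"',
    'type=SYSCALL msg=audit(1584956402.000:4571): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=3 a1=7ffd2c1d0c00 a2=10 a3=0 items=0 ppid=1 pid=7777 auid=4294967295 uid=0 gid=0 '
    'comm="sshd" exe="/usr/sbin/sshd" key="net_connect"',
    'type=SYSCALL msg=audit(1584956403.000:4580): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=1 a2=0 a3=0 items=0 ppid=1000 pid=4242 auid=1000 uid=1000 gid=1000 '
    'comm="python3" exe="/usr/bin/python3.8" key="net_socket"',
]
```

Filtering on the rule key and on the architecture-specific syscall number matters in practice: a 32-bit process on the same host logs arch=40000003 with a different numbering, so a rule for arch=b32 and a second table entry would be needed to cover it.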
In addition, in some embodiments, to avoid reduced performance or even a system hang caused by monitoring too many processes at once, the number of processes monitored simultaneously may be limited. Specifically, referring to FIG. 6, which shows a flow of step S320 in FIG. 5 in an exemplary embodiment, step S320 may include:
S321: Check whether the number of candidate processes exceeds the specified monitoring count.
After the candidate processes are obtained there may be many of them. If there are too many, the host must monitor too many processes at once, which may reduce system performance or even hang the system. To limit the number of processes monitored simultaneously, the number of candidate processes is obtained and checked against the specified monitoring count.
The specified monitoring count may be set according to actual needs, preset by the program, or user-defined; it is not limited here.
In some implementations, the specified monitoring count may be determined from the current system performance. In one example, current performance is reflected by central processing unit (CPU) utilization, and a mapping table between CPU utilization and the specified monitoring count is established so that the count can be looked up from the utilization: the higher the CPU utilization, the lower the corresponding specified monitoring count. The number of monitored processes is thereby reduced when CPU utilization is high, since monitoring too many processes at once would reduce performance or hang the system. The CPU utilization in the table may be a specific value or a range of values; it is not limited here.
The specified monitoring count may also be determined from other parameters reflecting system performance, such as memory utilization; this embodiment does not limit this.
S322: If the number of candidate processes exceeds the specified monitoring count, determine from the candidate processes the candidate processes to be monitored.
If the number of candidate processes exceeds the specified monitoring count, the candidate processes to be monitored are determined from the candidate processes, their number being smaller than the number of candidate processes. Subsequently monitoring only the connection events of the candidate processes to be monitored reduces the number of processes monitored at once.
As one implementation, the number of candidate processes to be monitored may be less than or equal to the specified monitoring count, so that when the number of candidate processes exceeds the specified monitoring count, the number monitored simultaneously is reduced to no more than the specified monitoring count.
As another implementation, a target monitoring count per round may be set, less than or equal to the specified monitoring count, and the candidate processes are monitored in multiple rounds: each round monitors only as many candidate processes as the target monitoring count, as the candidate processes to be monitored, and after a round completes the next batch of candidate processes is taken as the candidate processes to be monitored.
As yet another implementation, a preset filtering rule may be used. For example, the preset filtering rule may filter by the time at which the connection event occurs: the candidate processes are monitored in order of the occurrence time of their connection events, those with earlier connection events first and those with later connection events afterwards. Details are not repeated here.
S323: Monitor the connection events of the candidate processes to be monitored.
In this embodiment, step S323 is implemented substantially as step S320 above and is not repeated here.
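The three implementations of steps S321 to S323 combined in one planner, as an added example that is not code from the patent. The CPU utilization bands and the counts in the mapping table, the per-round count and the candidate list with the time each candidate's connection activity was first seen are constructed assumptions.

```python
"""Limit how many candidate processes are monitored at once (S321 to S323):
look up the specified monitoring count from CPU utilization, then monitor the
candidates in rounds, earliest connection activity first.

Added example, not code from the patent. Table values and candidates are constructed.
"""
from collections import namedtuple

# connect_time: when the candidate's connection activity was first seen (assumed).
Candidate = namedtuple("Candidate", "pid connect_time")

# Assumed mapping table: (upper bound of CPU utilization in percent, inclusive)
# -> specified monitoring count. Higher utilization maps to a lower count.
MONITOR_COUNT_BY_CPU = [(25, 200), (50, 100), (75, 40), (90, 10), (100, 2)]

def monitoring_count(cpu_percent, table=MONITOR_COUNT_BY_CPU):
    """Specified monitoring count for the given CPU utilization (clamped to 0-100)."""
    cpu = max(0.0, min(100.0, float(cpu_percent)))
    for upper, count in table:
        if cpu <= upper:
            return count
    return table[-1][1]

def plan_rounds(candidates, cpu_percent, per_round=None):
    """Return the pids to monitor, grouped into rounds.

    If the candidates fit within the specified monitoring count they form a
    single round (S321, no filtering needed). Otherwise they are ordered by
    the time their connection activity was first seen, earlier first (the
    preset filtering rule), and cut into rounds of per_round pids, where the
    target monitoring count per_round may not exceed the specified count."""
    limit = monitoring_count(cpu_percent)
    if per_round is None or per_round > limit:
        per_round = limit
    if per_round < 1:
        raise ValueError("per_round must be at least 1")
    ordered = sorted(candidates, key=lambda c: (c.connect_time, c.pid))
    pids = [c.pid for c in ordered]
    if len(pids) <= limit:
        return [pids]
    return [pids[i:i + per_round] for i in range(0, len(pids), per_round)]

# Constructed candidates (pid, epoch seconds of first observed connection activity).
SAMPLE_CANDIDATES = [
    Candidate(4242, 1584956400.1),
    Candidate(2201, 1584956398.5),
    Candidate(3100, 1584956399.0),
    Candidate(5151, 1584956401.0),
    Candidate(6160, 1584956402.0),
]
```

At 10% CPU all five candidates fit in one round; at 95% the count drops to 2 and the same candidates are monitored over three rounds, oldest connection activity first, so the processes that have been connected longest are examined before the newest ones.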
S330: If a connection event of a candidate process is observed, obtain that candidate process as the target process.
In some implementations, the audit configuration items are set to monitor the connection events of the candidate processes. When a connection event occurs it is written to the audit log; auditing that log yields the process identifiers of the candidate processes in which connection events occurred, and the candidate processes with those process identifiers are obtained as target processes. The target processes that actively request network connections are thus obtained from the candidate processes.
S340: Obtain the system call operations of the target process.
S350: If the system call operations match the target system call operations, determine that the target process is a malicious process.
It should be noted that, for parts of the above steps not described in detail, reference may be made to the foregoing embodiments; they are not repeated here.
In some embodiments, when obtaining the candidate processes, the processes that created a socket may be looked up first, and the candidate processes that actually use a socket are then determined from them. Specifically, referring to FIG. 7, which shows a malicious process detection method provided by still another embodiment of the present application, the method may include:
S410: Look up the first processes.
A first process is a process that created a socket, i.e. a process that has created a socket; this may include processes that used the socket and processes that did not.
In some embodiments, the process information of all processes may be obtained first, and then, according to whether the process information contains socket-related information, the processes whose process information contains socket-related information are determined as first processes; the process information of a first process thus contains socket-related information. The specific implementation is described in later embodiments and is not repeated here.
In other embodiments, the processes that created a socket may be looked up directly as first processes. In one example, the command lsof -i may be used: the -i option of lsof lists the processes that have created a socket (strictly, the processes holding open Internet sockets), and the listed information includes each process's process identifier and the socket index of the socket it created. The processes with the listed process identifiers are taken as first processes, and the first processes are thereby found. A socket index uniquely identifies a socket; for example, it may be the socket's index node (inode) number. In other examples, other commands may be used to look up the first processes directly; this embodiment does not limit this.
S420: Determine candidate processes from the first processes.
In some possible embodiments, the first processes may be used directly as candidate processes; that is, every process that created a socket is determined as a candidate process. When the target process is subsequently determined from the candidate processes, the processes that only created a socket without using it can be filtered out by checking for connect(); and even if they are not filtered out there and are determined as target processes, they are filtered out later when the system call operations are matched. Using the first processes directly as candidate processes therefore still achieves detection of malicious processes.
Specifically, since in general a process that has not called bind(), listen() or connect() does not proceed to subsequent socket I/O calls, the processes that created a socket may be determined directly as candidate processes. When the target processes are then determined from the candidate processes, or when the system call operations are matched, the processes that only created a socket without using it can still be filtered out, so that malicious processes that not only create but also use a socket, and specifically use it to request outbound connections, are still detected effectively. Thus, in some possible embodiments, the first processes may be determined directly as candidate processes while detection of malicious processes is still achieved.
In addition, in some embodiments, after the first processes are found, whether their number exceeds a specified threshold may be checked first, so that candidate processes are filtered from the first processes only when the number of first processes exceeds the threshold, while the first processes are used directly as candidate processes when it does not. When the number of first processes is small, i.e. few processes have created sockets, the first processes are used directly as candidate processes for the subsequent detection, reducing the number of operations and improving detection efficiency. Specifically, referring to FIG. 8, which shows a flow of step S420 in FIG. 7 in an exemplary embodiment of the present application, step S420 may include:
S421: Check whether the number of first processes exceeds a specified threshold.
The specified threshold may be set according to actual needs, preset by the system, or user-defined; this embodiment does not limit it. In some implementations, the specified threshold may be determined from CPU utilization and lowered as CPU utilization rises, so that the threshold is adjusted to the current system load to control the number of first processes.
In some embodiments, the specified threshold is greater than or equal to the specified monitoring count, so that the number of first processes is controlled before the number of simultaneously monitored candidate processes is later controlled by the specified monitoring count, avoiding an excessive number of candidate processes derived from the first processes that would reduce system performance.
In some embodiments, whether the number of first processes exceeds the specified threshold is checked; if it does, step S422 is executed; if it does not, the first processes are used directly as candidate processes, as described in step S420, which is not repeated here. Thus, when the number of first processes does not exceed the specified threshold, i.e. when relatively few processes have created sockets, the first processes are used directly as candidate processes for the subsequent detection, reducing the number of operations and improving detection efficiency.
S422: If the number of first processes exceeds the specified threshold, determine candidate processes from the first processes.
In some implementations, when the number of first processes exceeds the specified threshold, determining candidate processes from the first processes may be implemented as follows: from the first processes, look up the processes that perform network communication over a socket, as candidate processes. Details are given in later embodiments and are not repeated here.
S430: Determine the target process from the candidate processes.
S440: Obtain the system call operations of the target process.
S450: If the system call operations match the target system call operations, determine that the target process is a malicious process.
It should be noted that, for parts of the above steps not described in detail, reference may be made to the foregoing embodiments; they are not repeated here.
In some embodiments, the processes that use a socket may first be found among the first processes and then determined as candidate processes. Specifically, referring to FIG. 9, which shows a malicious process detection method provided by a further embodiment of the present application, the method may include:
S510: Obtain the process information of all processes.
Process information records the files a process has opened and may include the process identifier and at least one file descriptor (fd) entry, each entry comprising a file descriptor (0, 1, 2, ...) and object attributes. Each file descriptor corresponds to a set of object attributes, which may include an object type and an object identifier. Object types include socket, pipe and so on; object identifiers include a socket index, a pipe index (pipe ID or pipe inode) and so on.
In some embodiments, if a process has created a socket, the object type is socket and the object identifier is the socket index of that socket, so the process information of the process contains a socket identifier. In one example, the socket identifier is the field "socket".
The process information may further contain the socket index corresponding to the socket identifier. In one example, the socket index is the number following "socket": if a process created a socket, its process information may include "socket:[435473]", where "435473" is the socket index of the socket created by the process.
In one example, the process information of all processes can be obtained with the command ls -la /proc/pid/fd, where pid is the process identifier; in Linux, all information on all processes is kept under the /proc directory.
S520: Obtain the processes whose process information contains a socket identifier as first processes.
In some embodiments, if a process has created a socket, its process information contains a socket identifier, so the processes whose process information contains a socket identifier can be obtained as first processes, i.e. as the processes that created a socket.
It should be noted that "first process" may be merely a name for a class of process whose process information contains a socket identifier; the host need not perform a separate operation of obtaining first processes. It may simply obtain the process information of all processes; where that information contains a socket identifier and a process identifier, the process whose information contains the socket identifier may be named a first process, and its process identifier recorded as the process identifier of the first process.
S530:从第一进程中,查找基于套接字进行网络通信的进程,作为候选进程。S530: From the first process, search for a process that performs network communication based on a socket, as a candidate process.
在一些实施例中,从第一进程中,查找基于套接字进行网络通信的进程,作为候选进程时,可以先查找所有进程的进程信息和有被使用过的套接字,再根据二者匹配,确定出使用过套接字建立网络链路的进程,作为候选进程。具体地,请参阅图10,图10示出了图9中步骤S530在本申请一个示例性实施例的流程示意图,在该实施例中步骤S530可包括:In some embodiments, from the first process, search for processes that perform network communication based on sockets. As a candidate process, you can first search for process information of all processes and sockets that have been used, and then according to both Match, determine the process that has used the socket to establish a network link, as a candidate process. Specifically, please refer to FIG. 10, which shows a schematic flowchart of step S530 in FIG. 9 in an exemplary embodiment of the present application. In this embodiment, step S530 may include:
S531:获取用于建立网络链路进行网络通信的套接字对应的第一套接字索引。S531: Acquire a first socket index corresponding to a socket used to establish a network link for network communication.
其中,用于建立网络链路进行网络通信的套接字为有使用过的套接字,即不包含仅创建但未被使用的套接字。在一些实施例中,这类套接字有通过bind()绑定端口,或有通过connect()发送连接请求。因此,通过获取这类套接字的套接字索引作为第一套接字索引,可用于筛除掉建立了套接字但未使用的第一进程,使得从第一进程中确定的候选进程不包含仅创建了套接字但未使用的进程。Among them, sockets used to establish network links for network communication are used sockets, that is, sockets that are only created but not used are not included. In some embodiments, this type of socket binds a port through bind(), or sends a connection request through connect(). Therefore, by obtaining the socket index of this type of socket as the first socket index, it can be used to filter out the first process that has established a socket but is not used, so that the candidate process is determined from the first process Processes that only created sockets but are not used are not included.
在一个示例中,可采用命令cat/proc/net/tcp来获取用于建立网络链路进行网络通信的套接字,在/proc/net/tcp目录下包含的不仅是创建了socket而且是有使用socket的socket信息,socket信息中包含套接字的套接字索引,可将用于建立网络链路进行网络通信的套接字对应的套接字索引记为第一套接字索引。In an example, the command cat/proc/net/tcp can be used to obtain the socket used to establish a network link for network communication. The /proc/net/tcp directory contains not only the creation of the socket but also the Using the socket information of the socket, the socket information contains the socket index of the socket, and the socket index corresponding to the socket used to establish a network link for network communication can be recorded as the first socket index.
S532: Acquire a second socket index corresponding to a socket created by a first process.
In some embodiments, before step S532, the process information of all processes may be obtained, and the processes whose process information contains a socket identifier are taken as the first processes. The process information of a first process also contains the socket index corresponding to the socket identifier. Therefore, based on the process information of all processes, the socket index corresponding to a socket created by a first process can be obtained as a second socket index.
Since the process information contains the process identifier (pid), the socket identifier and the socket index, but the socket corresponding to the socket identifier in the process information may have been created without being used, the second socket indices still need to be matched against the first socket indices in order to determine, from the first processes, the candidate processes that have actually used a socket.
S533: Match the first socket indices against the second socket indices, and obtain the processes that perform network communication based on a socket, as candidate processes.
Per the foregoing, a socket corresponding to a first socket index is a socket that has not only been created but also used, whereas a socket corresponding to a second socket index has been created but has not necessarily been used. Therefore, to obtain the candidate processes that have used a socket, the first socket indices are matched against the second socket indices, and the process corresponding to a second socket index that matches a first socket index is taken as a candidate process.
In one example, the process information of all processes may be obtained with the command ls -la /proc/pid/fd (run for each pid), the inode numbers of the sockets may be obtained with the command cat /proc/net/tcp as the first socket indices, the pid corresponding to each such inode number is then found in the process information, and the process corresponding to that pid is determined as a candidate process.
In another example, building on the foregoing command for obtaining the process information of all processes, the output may be filtered by keyword: for instance, the socket identifier may be used as the key field and a grep pipeline used to extract the desired key field, obtaining the processes whose process information contains a socket identifier, i.e. the process information of the first processes. The inode number corresponding to the socket identifier therein is taken as the second socket index, the inode number of each socket obtained by the command cat /proc/net/tcp is taken as a first socket index, the first socket indices are matched against the second socket indices to obtain the pid corresponding to a second socket index that matches a first socket index, and the process corresponding to that pid is determined as a candidate process.
The above are only examples; other commands may be used in other examples, which is not limited in this embodiment.
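Steps S531 to S533 written out as a script, added here as an illustration and not part of the patent or of the applicant's implementation. The /proc/net/tcp excerpt and the per-pid fd symlink targets are constructed sample data embedded inline so the matching runs offline; `read_live_host()` (a name chosen for this example) shows how the same two inputs would be read from a real Linux /proc and is the only part that is not exercised here.

```python
"""Added example (not part of the patent): steps S531-S533 as code, matching
the socket inodes listed in /proc/net/tcp (first socket index) against the
socket:[inode] targets of the /proc/<pid>/fd symlinks (second socket index).
Sample data is constructed inline so the script runs offline; read_live_host()
is the only part that touches a real /proc and is not exercised here."""
import os
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of /proc/net/tcp. Field 3 is the state (0A LISTEN,
# 01 ESTABLISHED), field 9 the socket inode. /proc/net/tcp lists only IPv4
# TCP sockets; tcp6/udp/udp6 live in sibling files of the same format.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18734 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C2B4 01 00000000:00000000 00:00000000 00000000  1000        0 24510 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:A3E2 C1F4C35B:1BBB 01 00000000:00000000 00:00000000 00000000  1000        0 31077 1 0000000000000000 20 4 30 10 -1
"""

# Constructed `ls -la /proc/<pid>/fd` results reduced to {pid: symlink targets}.
# pid 4242 holds a socket (inode 40001) absent from /proc/net/tcp: created
# but never bound/connected, so step S533 must filter it out.
SAMPLE_FD_TABLES: Dict[int, List[str]] = {
    1:    ["/dev/null", "/dev/null", "socket:[18734]"],
    1337: ["/dev/pts/0", "pipe:[9001]", "socket:[31077]"],
    2048: ["/dev/null", "socket:[24510]", "anon_inode:[eventpoll]"],
    4242: ["/dev/null", "socket:[40001]"],
}

TCP_ESTABLISHED = "01"
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def first_socket_indexes(proc_net_tcp: str, states: Optional[Set[str]] = None) -> Dict[int, str]:
    """S531: {inode: state} for every in-use TCP socket (optionally only `states`)."""
    out: Dict[int, str] = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        state, inode = fields[3], int(fields[9])
        if inode == 0:          # orphaned socket (e.g. TIME_WAIT), no owning process
            continue
        if states is None or state in states:
            out[inode] = state
    return out


def second_socket_indexes(fd_tables: Dict[int, List[str]]) -> Dict[int, Set[int]]:
    """S532: {inode: {pids}} for every socket fd a process holds (created, maybe unused)."""
    out: Dict[int, Set[int]] = {}
    for pid, targets in fd_tables.items():
        for target in targets:
            m = SOCKET_LINK.match(target)
            if m:
                out.setdefault(int(m.group(1)), set()).add(pid)
    return out


def candidate_processes(proc_net_tcp: str, fd_tables: Dict[int, List[str]],
                        states: Optional[Set[str]] = None) -> Dict[int, List[int]]:
    """S533: intersect the two index sets; returns {pid: [socket inodes]} of candidates."""
    first = first_socket_indexes(proc_net_tcp, states)
    second = second_socket_indexes(fd_tables)
    result: Dict[int, Set[int]] = {}
    for inode in first.keys() & second.keys():
        for pid in second[inode]:
            result.setdefault(pid, set()).add(inode)
    return {pid: sorted(inodes) for pid, inodes in sorted(result.items())}


def read_live_host() -> Dict[int, List[int]]:
    """Same two inputs read from a real Linux /proc (needs root to see every
    process's fd table). Not run in the offline example above."""
    fd_tables: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            fd_tables[int(entry)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:        # process exited or permission denied
            continue
    with open("/proc/net/tcp") as f:
        return candidate_processes(f.read(), fd_tables)
```

On the constructed data, pids 1, 1337 and 2048 come out as candidates and pid 4242 is dropped because its socket inode never appears in /proc/net/tcp. Passing `states={TCP_ESTABLISHED}` narrows the result to processes with an established connection, which is the state a reverse shell's outbound socket is in; the fd table must be read as root, since /proc/<pid>/fd of other users' processes is not readable otherwise.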
S540: Determine the target process according to the candidate processes.
S550: Acquire the system call operations of the target process.
S560: If the system call operations match the target system call operations, determine that the target process is a malicious process.
It should be noted that, for the parts of the above steps not described in detail, reference may be made to the foregoing embodiments, which are not repeated here.
In addition, in some embodiments, the processes that perform socket-based network communication, i.e. the processes that have used a socket, may be found directly as candidate processes. There is then no need first to find the processes that created a socket and then to check whether the socket has been used in order to determine the candidate processes. This reduces the detection steps and greatly improves detection efficiency, which helps to detect malicious processes faster and more promptly, so that a malicious process's continuing attack can be stopped in time. Specifically, referring to FIG. 11, which shows a malicious process detection method provided by yet another embodiment of the present application, the method may include:
S610: Find the processes that perform network communication based on a socket, as candidate processes.
In some embodiments, the processes that perform socket-based network communication may be found with the command netstat, which is generally used to examine the network connection state of each port on the local machine. In one example, they may be found with the command netstat -tunpa. Note that the -p column attributes a socket to its owning pid only for sockets the invoking user is permitted to inspect, so the command should be run as root to cover all processes; on systems without net-tools, ss -tunap from iproute2 provides the same information.
Since the information obtained from the netstat command can include the pids of the processes holding TCP and UDP connections, and netstat does not list sockets that were merely created but never used (neither bound nor connected), the processes that use a socket for network communication can be found directly as candidate processes.
In addition, in some embodiments, when the first host and the second host communicate over UDP, information sent by the first host may not be received by the second host, or information sent by the second host may not be received by the first host; that is, transmission loss may occur, so that some of the attack commands are not received by the first host. Therefore, by first detecting the processes that perform network communication based on the TCP protocol, the malicious processes with a higher degree of threat can be detected first, so that they are handled more promptly and the security threat is resolved in time.
As one implementation, step S610 may specifically be: find the processes that perform network communication based on TCP, as candidate processes.
As another implementation, the processes performing network communication over TCP may be detected first and the processes performing network communication over UDP detected afterwards, so that the malicious processes with a higher degree of threat are detected before those with a lower degree of threat. In this way, on top of detecting malicious processes, both threat level and detection efficiency are taken into account, so that higher-threat malicious processes can be detected earlier or more promptly, their continuing attack stopped, and greater damage to the compromised host avoided in time.
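Step S610 and the TCP-first ordering of the two implementations above, as an added example that is not part of the patent: a parser for `netstat -tunpa` output that returns candidate pids with TCP sockets ahead of UDP ones. The netstat output is constructed in the tool's layout and embedded inline so the script runs offline; the `Conn` record and the function names are this example's own. It goes one step beyond the page by also ranking ESTABLISHED sockets ahead of LISTEN ones within each family, since an outbound established connection is what a reverse shell looks like from the host.

```python
"""Added example (not part of the patent): step S610 from `netstat -tunpa`
output, candidates ordered TCP before UDP, and within a family ESTABLISHED
before LISTEN (the latter ordering is this example's refinement)."""
from typing import List, NamedTuple, Tuple

# Constructed `netstat -tunpa` output. netstat prints "-" in the PID column
# for sockets whose owner the caller may not inspect, so run it as root.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.2.15:41954         203.0.113.7:4444        ESTABLISHED 1337/python3
tcp        0      0 127.0.0.1:6010          127.0.0.1:53110         TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      902/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 10.0.2.15:53422         198.51.100.9:53         ESTABLISHED 2210/nc
"""


class Conn(NamedTuple):
    proto: str       # tcp, tcp6, udp, udp6
    local: str
    foreign: str
    state: str       # "" for an unconnected UDP socket (netstat prints no State)
    pid: int         # -1 when netstat printed "-"
    program: str


def parse_netstat(output: str) -> List[Conn]:
    """One Conn per socket line; banner and header lines are skipped."""
    conns: List[Conn] = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        state = f[5] if len(f) == 7 else ""        # UDP lines have no State column
        pid_prog = f[-1]
        if pid_prog == "-":
            pid, prog = -1, ""
        else:
            pid_s, _, prog = pid_prog.partition("/")
            pid = int(pid_s)
        conns.append(Conn(f[0], f[3], f[4], state, pid, prog))
    return conns


def candidate_pids(output: str, tcp_only: bool = False) -> List[Tuple[int, str, str]]:
    """Unique (pid, proto, program) of processes owning a bound/connected socket.
    Order: TCP family first, then UDP; ESTABLISHED before other states."""
    def rank(c: Conn):
        family = 0 if c.proto.startswith("tcp") else 1
        return (family, 0 if c.state == "ESTABLISHED" else 1)

    seen, out = set(), []
    for c in sorted(parse_netstat(output), key=rank):     # sort is stable
        if c.pid < 0 or (tcp_only and not c.proto.startswith("tcp")):
            continue
        if c.pid not in seen:
            seen.add(c.pid)
            out.append((c.pid, c.proto, c.program))
    return out
```

On the constructed output the TIME_WAIT socket has no owning process and is skipped, pid 1337 (the established outbound TCP connection to port 4444) is ranked first, and `tcp_only=True` yields the TCP-only variant of step S610.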
S620: Determine the target process according to the candidate processes.
S630: Acquire the system call operations of the target process.
S640: If the system call operations match the target system call operations, determine that the target process is a malicious process.
It should be noted that, for the parts of the above steps not described in detail, reference may be made to the foregoing embodiments, which are not repeated here.
Taking FIG. 12 as an example, the detection of a reverse shell process using the malicious process detection method provided by an exemplary embodiment of the present application is described below. Specifically:
The method may be applied to a host; specifically, the host runs a reverse shell detection module, which may be used to execute the method provided by the embodiments of the present application.
After the reverse shell detection module starts, it traverses the host's /proc directory to obtain the information of all processes, where the process information includes the process identifier (pid) and outbound connection information, and the outbound connection information may include the socket identifier and the inode number corresponding to the socket identifier. In one example, the information of all processes may be obtained with the command ls -la /proc/pid/fd.
The processes are then correlated with the outbound connection information, and only the processes that have outbound connection information are considered. Specifically, the inode numbers can be found with the command cat /proc/net/tcp, and the process with the pid corresponding to each inode number is then located through the inode number.
S1: Use audit to monitor connect events for such processes.
S2: Check whether a socket is used to actively establish a connection to the external network.
S3: If a process actively establishes a connection to the external network, monitor the process's file and socket I/O functions; by monitoring the socket I/O calls in this way, the system call operations of the process can be obtained.
S4: Record and analyze the system call sequence of the process. In general, the system call sequence of a shell process has the following characteristic:
wait for data on the socket -> read the socket -> execute a command -> write the socket -> wait for data on the socket. (That is, the foregoing system call sequence is the system call sequence of a shell process.)
S5: If the system call sequence of the process matches the system call sequence of a shell process, i.e. the pattern of the process's system call sequence conforms to the pattern of a shell process's system call sequence, the process can be determined to be a reverse shell process.
S6: If the system call sequence of the process does not match the system call sequence of a shell process, i.e. the pattern of the process's system call sequence does not conform to the pattern of a shell process's system call sequence, the process can be determined to be a non-reverse-shell process, which in some embodiments may also be called a normal process.
Thus, this embodiment monitors the outbound network connections of processes to obtain the processes that have an outbound network connection, and then judges whether such a process is a reverse shell process by checking whether its system call sequence conforms to the pattern of a shell process's system call sequence. It can therefore effectively detect reverse shell processes of all kinds that do not use the system's own shell, and recognizes well, for example, reverse shell programs generated by hacking tools such as Metasploit or built from command interpreters written by attackers. Moreover, since the number of outbound connection events on a server is generally smaller than the number of shell process creations, the module's detection efficiency is higher and its detection performance better.
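Steps S3 to S6 as a sequence matcher, added here as an example that is not part of the patent: each recorded system call is mapped to one of the four operation classes of step S4 (wait on socket, read socket, execute command, write socket) or dropped, and the abstracted sequence is searched for the shell pattern of claim 4. The two traces are constructed in strace's text format (a real deployment would feed audit or ptrace records); children's calls are merged into the parent's trace, as `strace -f` or audit records keyed by ppid would give, since the execve of the command happens in a forked child. The function names and the fd-tracking rules are this example's own.

```python
"""Added example (not from the patent): abstract a system-call trace into the
operation classes of step S4 and test for the shell pattern
  wait on socket -> read socket -> execute command -> write socket -> wait on socket.
Trace lines are constructed in strace style with children's calls merged in."""
import re
from typing import List, Optional, Set, Tuple

WAIT, READ, EXEC, WRITE = "wait", "read", "exec", "write"
SHELL_PATTERN = (WAIT, READ, EXEC, WRITE, WAIT)          # claim 4 / step S4

WAIT_CALLS = {"poll", "ppoll", "select", "pselect6", "epoll_wait", "epoll_pwait", "epoll_pwait2"}
READ_CALLS = {"read", "readv", "recv", "recvfrom", "recvmsg"}
WRITE_CALLS = {"write", "writev", "send", "sendto", "sendmsg"}
EXEC_CALLS = {"execve", "execveat"}
SOCKET_MAKERS = {"socket", "accept", "accept4"}         # calls that return a new socket fd

LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")

# Constructed trace of a Python-style reverse shell (select/recv/subprocess/send).
REVERSE_SHELL_TRACE = r"""
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
select(4, [3], [], [], NULL) = 1
recvfrom(3, "id\n", 4096, 0, NULL, NULL) = 3
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD) = 1402
execve("/bin/sh", ["/bin/sh", "-c", "id"], 0x7ffd2c0) = 0
wait4(1402, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 1402
sendto(3, "uid=33(www-data) gid=33(www-data)\n", 34, 0, NULL, 0) = 34
select(4, [3], [], [], NULL) = 1
recvfrom(3, "uname -a\n", 4096, 0, NULL, NULL) = 9
"""

# Constructed trace of an event-loop web server: socket I/O but no exec.
WEB_SERVER_TRACE = r"""
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(6, 511) = 0
epoll_create1(EPOLL_CLOEXEC) = 7
epoll_ctl(7, EPOLL_CTL_ADD, 6, {EPOLLIN|EPOLLRDHUP, {u32=6, u64=6}}) = 0
epoll_wait(7, [{EPOLLIN, {u32=6, u64=6}}], 512, -1) = 1
accept4(6, {sa_family=AF_INET, sin_port=htons(51022), sin_addr=inet_addr("10.0.2.2")}, [16], SOCK_NONBLOCK) = 8
recvfrom(8, "GET / HTTP/1.1\r\nHost: 10.0.2.15\r\n\r\n", 1024, 0, NULL, NULL) = 37
openat(AT_FDCWD, "/var/www/html/index.html", O_RDONLY|O_NONBLOCK) = 9
writev(8, [{iov_base="HTTP/1.1 200 OK\r\n", iov_len=17}], 1) = 17
close(8) = 0
epoll_wait(7, [], 512, -1) = 0
"""


def parse_line(line: str) -> Optional[Tuple[str, List[str], int]]:
    """strace-style 'name(args) = ret' -> (name, raw args, ret); None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), [a.strip() for a in m.group(2).split(",")], int(m.group(3))


def _fd(arg: str) -> Optional[int]:
    return int(arg) if re.fullmatch(r"\d+", arg) else None


def abstract_trace(lines: List[str]) -> List[str]:
    """Map calls to WAIT/READ/EXEC/WRITE, tracking which fds are sockets,
    including dup/dup2/dup3 aliases such as the stdin/stdout redirection a
    reverse shell performs before exec'ing /bin/sh. Runs are collapsed."""
    socks: Set[int] = set()
    ops: List[str] = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        name, args, ret = parsed
        fd0 = _fd(args[0]) if args else None
        if name in SOCKET_MAKERS and ret >= 0:
            socks.add(ret)
        elif name in {"dup", "dup2", "dup3"} and fd0 in socks and ret >= 0:
            socks.add(ret)
        elif name == "close" and fd0 in socks:
            socks.discard(fd0)
        elif name in EXEC_CALLS:
            ops.append(EXEC)
        elif name in READ_CALLS and fd0 in socks:
            ops.append(READ)
        elif name in WRITE_CALLS and fd0 in socks:
            ops.append(WRITE)
        elif name in WAIT_CALLS:
            # poll/select name their fds; epoll does not (registered via epoll_ctl),
            # so an epoll wait counts whenever the process has a socket open.
            named = {int(n) for n in re.findall(r"\d+", ",".join(args))}
            if (name.startswith("epoll") and socks) or named & socks:
                ops.append(WAIT)
    collapsed: List[str] = []
    for op in ops:
        if not collapsed or collapsed[-1] != op:
            collapsed.append(op)
    return collapsed


def is_shell_sequence(lines: List[str]) -> bool:
    """Step S5: does the abstracted trace contain the shell pattern in order?"""
    ops = abstract_trace(lines)
    n = len(SHELL_PATTERN)
    return any(tuple(ops[i:i + n]) == SHELL_PATTERN for i in range(len(ops) - n + 1))
```

The reverse shell trace abstracts to wait, read, exec, write, wait, read and matches; the web server trace abstracts to wait, read, write, wait and does not, because nothing is executed. Two caveats a deployment needs: a CGI handler or an sshd session also reads a socket, executes a command and writes back, so the pattern on its own is not a reverse-shell signature; it is the earlier filtering to processes that actively establish an outbound connection (S1 and S2, the audit rule on connect) that gives the match its meaning. And a bare `/bin/sh -i` with the socket dup'd onto stdin blocks directly in read() without a poll or select beforehand, so to cover it the wait class has to be broadened to treat a blocking socket read as the wait.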
Referring to FIG. 13, which shows a structural block diagram of a malicious process detection apparatus provided by an embodiment of the present application, the malicious process detection apparatus 1300 may include a process acquisition module 1310, an operation acquisition module 1320 and an operation matching module 1330.
The process acquisition module 1310 is configured to acquire a target process that requests a network connection;
the operation acquisition module 1320 is configured to acquire the system call operations of the target process;
the operation matching module 1330 is configured to determine that the target process is a malicious process if the system call operations match the target system call operations.
Further, there are a plurality of the system call operations and a plurality of the target system call operations, and the operation matching module 1330 includes an order matching sub-module, wherein:
the order matching sub-module is configured to determine that the target process is a malicious process if the execution order of the plurality of system call operations matches the execution order of the plurality of target system call operations.
Further, the execution order of the plurality of target system call operations is determined by the system call operations executed in sequence by a shell process.
Further, the plurality of target system call operations, in order, comprise: waiting for data on a socket, reading data, executing a command, writing data, and waiting for data on the socket.
Further, the process acquisition module 1310 includes a candidate process acquisition sub-module and a target process determination sub-module, wherein:
the candidate process acquisition sub-module is configured to acquire candidate processes, a candidate process being a process that performs network communication based on a socket;
the target process determination sub-module is configured to determine the target process according to the candidate processes, the target process being a process that requests a network connection based on a socket.
Further, the target process determination sub-module further includes a connection event monitoring unit and a target process acquisition unit, wherein:
the connection event monitoring unit is configured to monitor a connection event of a candidate process, the connection event being used to request a network connection;
the target process acquisition unit is configured to acquire the candidate process as the target process if the occurrence of the connection event of the candidate process is monitored.
Further, the connection event monitoring unit includes a monitoring quantity detection sub-unit, a process-to-be-monitored determination sub-unit and a process monitoring sub-unit, wherein:
the monitoring quantity detection sub-unit is configured to detect whether the number of candidate processes exceeds a specified monitoring quantity;
the process-to-be-monitored determination sub-unit is configured to determine, from the candidate processes, the candidate processes to be monitored if the number of candidate processes exceeds the specified monitoring quantity;
the process monitoring sub-unit is configured to monitor the connection events of the candidate processes to be monitored.
Further, the candidate process acquisition sub-module includes a first process search unit and a first candidate determination unit, wherein:
the first process search unit is configured to search for first processes, a first process being a process that has created a socket;
the first candidate determination unit is configured to determine candidate processes from the first processes.
Further, the first process search unit includes a process information acquisition sub-unit and a first process determination sub-unit, wherein:
the process information acquisition sub-unit is configured to acquire the process information corresponding to all processes, the process information recording the files opened by each process;
the first process determination sub-unit is configured to take the processes whose process information contains a socket identifier as the first processes.
Further, the first candidate determination unit includes a first candidate determination sub-unit, wherein:
the first candidate determination sub-unit is configured to search, among the first processes, for the processes that perform network communication based on a socket, as candidate processes.
Further, the first candidate determination sub-unit includes a first index acquisition secondary sub-unit, a second index acquisition secondary sub-unit and an index matching secondary sub-unit, wherein:
the first index acquisition secondary sub-unit is configured to acquire a first socket index corresponding to a socket used to establish a network link for network communication;
the second index acquisition secondary sub-unit is configured to acquire a second socket index corresponding to a socket created by a first process;
the index matching secondary sub-unit is configured to match the first socket index against the second socket index and obtain the processes that perform network communication based on a socket, as candidate processes.
Further, the first candidate determination unit includes a second candidate determination sub-unit, wherein:
the second candidate determination sub-unit is configured to search for the processes that perform network communication based on a socket, as candidate processes.
Further, the candidate process acquisition sub-module includes a second candidate determination unit, wherein:
the second candidate determination unit is configured to search for the processes that perform network communication based on a socket, as candidate processes.
Further, the second candidate determination unit includes a third candidate determination sub-unit, wherein:
the third candidate determination sub-unit is configured to search for the processes that perform network communication based on the TCP protocol, as candidate processes.
Further, the malicious process detection apparatus 1300 further includes a process termination module, wherein:
the process termination module is configured to perform termination processing on the malicious process.
The malicious process detection apparatus provided by the embodiments of the present application is used to implement the corresponding malicious process detection method of the foregoing method embodiments and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the apparatus and modules described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in the present application, the coupling between modules may be electrical, mechanical or of another form.
In addition, the functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated modules may be implemented in the form of hardware or in the form of software functional modules.
Referring to FIG. 14, which shows a structural block diagram of an electronic device provided by an embodiment of the present application. The electronic device 1400 may be an electronic device capable of running application programs, such as a smartphone, a tablet computer, an e-book reader, a personal computer or a server. The electronic device 1400 of the present application may include one or more of the following components: a processor 1410, a memory 1420, and one or more application programs, where the one or more application programs may be stored in the memory 1420 and configured to be executed by the one or more processors 1410, the one or more programs being configured to perform the methods described in the foregoing method embodiments.
The processor 1410 may include one or more processing cores. The processor 1410 connects the various parts of the entire electronic device 1400 using various interfaces and lines, and performs the various functions of the electronic device 1400 and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory 1420 and calling the data stored in the memory 1420. Optionally, the processor 1410 may be implemented in at least one hardware form among digital signal processing (DSP), field-programmable gate array (FPGA) and programmable logic array (PLA). The processor 1410 may integrate one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem and the like, where the CPU mainly handles the operating system, user interface and application programs, the GPU is responsible for rendering and drawing display content, and the modem handles wireless communication. It will be understood that the modem may also not be integrated into the processor 1410 and may instead be implemented separately by a communication chip.
Further, the processor 1410 further includes an external storage device management module 1411 and a storage management service module 1414. The external storage device management module 1411 may be the management and control center of the external storage system on the Android platform, a background process that manages and controls the external storage devices of the Android platform; its functions mainly include detecting plug-in and removal events of external storage devices and mounting, unmounting and formatting external storage devices. The storage management service module 1414 is the module through which the Android framework layer communicates with the external storage device management module 1411, and is also the module that provides applications with storage access interfaces and storage mount message broadcasts. Further, in one implementation, the external storage device management module 1411 and the storage management service module 1414 may communicate based on the Binder communication mechanism.
The memory 1420 may include random access memory (RAM) or read-only memory (ROM). The memory 1420 may be used to store instructions, programs, code, code sets or instruction sets. The memory 1420 may include a program storage area and a data storage area, where the program storage area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playback function or an image playback function), instructions for implementing the various method embodiments described herein, and so on. The data storage area may also store data created by the electronic device 1400 during use (such as a phone book, audio and video data or chat records).
If the units of the malicious process detection apparatus shown in FIG. 13 above are functional modules such as program packages, the units of the malicious process detection apparatus are stored in the memory 1420 and can be called by the processor to execute the corresponding functions.
Referring to FIG. 15, which shows a structural block diagram of a computer-readable storage medium provided by an embodiment of the present application. The computer-readable storage medium 1500 stores program code that can be called by a processor to execute the methods described in the foregoing method embodiments.
The computer-readable storage medium 1500 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. Optionally, the computer-readable storage medium 1500 includes a non-transitory computer-readable storage medium. The computer-readable storage medium 1500 has storage space for program code 1510 that performs any of the method steps of the methods above. The program code may be read from or written into one or more computer program products. The program code 1510 may, for example, be compressed in a suitable form.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (20)

  1. A malicious process detection method, characterized in that the method comprises:
    acquiring a target process that requests a network connection;
    acquiring system call operations of the target process;
    if the system call operations match target system call operations, determining that the target process is a malicious process.
  2. The method according to claim 1, characterized in that there are a plurality of the system call operations and a plurality of the target system call operations, and that determining that the target process is a malicious process according to whether the system call operations match the target system call operations comprises:
    if the execution order of the plurality of system call operations matches the execution order of the plurality of target system call operations, determining that the target process is a malicious process.
  3. The method according to claim 2, characterized in that the execution order of the plurality of target system call operations is determined by the system call operations executed in sequence by a shell process.
  4. The method according to any one of claims 1 to 3, characterized in that the plurality of target system call operations, in order, comprise: waiting for data on a socket, reading data, executing a command, writing data, and waiting for data on the socket.
  5. 根据权利要求1-4任一项所述的方法,其特征在于,所述获取请求网络连接的目标进程,包括:The method according to any one of claims 1 to 4, wherein said acquiring a target process requesting a network connection comprises:
    获取候选进程,所述候选进程为基于套接字进行网络通信的进程;Acquiring a candidate process, where the candidate process is a process that performs network communication based on a socket;
    根据所述候选进程确定目标进程,所述目标进程为基于套接字请求网络连接的进程。A target process is determined according to the candidate process, and the target process is a process that requests a network connection based on a socket.
  6. 根据权利要求5所述的方法,其特征在于,所述根据所述候选进程确定目标进程,包括:The method according to claim 5, wherein the determining a target process according to the candidate process comprises:
    监控所述候选进程的连接事件,所述连接事件用于请求网络连接;Monitoring the connection event of the candidate process, the connection event is used to request a network connection;
    若监控到所述候选进程的连接事件发生,获取所述候选进程作为目标进程。If it is monitored that the connection event of the candidate process occurs, the candidate process is acquired as the target process.
  7. 根据权利要求6所述的方法,其特征在于,所述监控所述候选进程的连接事件,包括:The method according to claim 6, wherein the monitoring the connection event of the candidate process comprises:
    检测所述候选进程的数量是否超过指定监控数量;Detecting whether the number of candidate processes exceeds a specified monitoring number;
    若所述候选进程的数量超过指定监控数量,从所述候选进程中确定待监控候选进程;If the number of the candidate processes exceeds the designated monitoring quantity, determine the candidate processes to be monitored from the candidate processes;
    监控所述待监控候选进程的连接事件。Monitor the connection event of the candidate process to be monitored.
  8. 根据权利要求5-7任一项所述的方法,其特征在于,所述获取候选进程,包括:The method according to any one of claims 5-7, wherein said obtaining candidate processes comprises:
    查找第一进程,所述第一进程为创建套接字的进程;Find a first process, where the first process is a process that creates a socket;
    从所述第一进程中确定候选进程。A candidate process is determined from the first process.
  9. 根据权利要求8所述的方法,其特征在于,所述查找第一进程,包括:The method according to claim 8, wherein said searching for the first process comprises:
    获取所有进程对应的进程信息,所述进程信息用于记录该进程所打开的文件;Acquiring process information corresponding to all processes, where the process information is used to record files opened by the process;
    获取所述进程信息中包含套接字标识的进程作为第一进程。The process that contains the socket identifier in the process information is acquired as the first process.
  10. 根据权利要求8或9所述的方法,其特征在于,所述从所述第一进程中确定候选进程,包括:The method according to claim 8 or 9, wherein the determining a candidate process from the first process comprises:
    检测所述第一进程的数量是否超过指定阈值,所述指定阈值大于或等于指定监控数量;Detecting whether the number of the first processes exceeds a specified threshold, and the specified threshold is greater than or equal to a specified monitoring number;
    若所述第一进程的数量超过所述指定阈值,从所述第一进程中确定候选进程。If the number of the first process exceeds the specified threshold, a candidate process is determined from the first process.
  11. 根据权利要求8-10任一项所述的方法,其特征在于,所述从所述第一进程中确定候选进程,包括:The method according to any one of claims 8-10, wherein the determining a candidate process from the first process comprises:
    从所述第一进程中,查找基于套接字进行网络通信的进程,作为候选进程。From the first process, a process that performs network communication based on a socket is searched for as a candidate process.
  12. 根据权利要求11所述的方法,其特征在于,所述从所述第一进程中,查找基于套接字进行网络通信的进程,作为候选进程,包括:The method according to claim 11, wherein the searching for a socket-based network communication process from the first process as a candidate process comprises:
    获取用于建立网络链路进行网络通信的套接字对应的第一套接字索引;Obtaining a first socket index corresponding to a socket used to establish a network link for network communication;
    获取所述第一进程创建的套接字对应的第二套接字索引;Acquiring a second socket index corresponding to the socket created by the first process;
    将所述第一套接字索引与所述第二套接字索引进行匹配,获取基于套接字进行网络通信的进程,作为候选进程。The first socket index is matched with the second socket index, and the process of network communication based on the socket is obtained as a candidate process.
  13. 根据权利要求8或9所述的方法,其特征在于,所述从所述第一进程中确定候选进程,包括:The method according to claim 8 or 9, wherein the determining a candidate process from the first process comprises:
    将所述第一进程作为候选进程。Use the first process as a candidate process.
  14. 根据权利要求4-7任一项所述的方法,其特征在于,所述获取候选进程,包括:The method according to any one of claims 4-7, wherein said obtaining candidate processes comprises:
    查找基于套接字进行网络通信的进程,作为候选进程。Find the process based on socket for network communication, as a candidate process.
  15. 根据权利要求11-14任一项所述的方法,其特征在于,所述查找基于套接字进行网络通信的进程,作为候选进程,包括:The method according to any one of claims 11-14, wherein the searching for a socket-based network communication process as a candidate process comprises:
    查找基于TCP通信协议进行网络通信的进程,作为候选进程。Find the process of network communication based on the TCP communication protocol as a candidate process.
  16. 根据权利要求1-15任一项所述的方法,其特征在于,所述若所述系统调用操作与目标系统调用操作匹配,确定所述目标进程为恶意进程之后,所述方法还包括:The method according to any one of claims 1-15, wherein if the system call operation matches a target system call operation, after determining that the target process is a malicious process, the method further comprises:
    对恶意进程执行终止处理。Perform termination processing on the malicious process.
  17. 一种恶意进程的检测装置,其特征在于,所述装置包括:A detection device for malicious processes, characterized in that the device includes:
    进程获取模块,用于获取请求网络连接的目标进程;Process acquisition module, used to acquire the target process requesting network connection;
    操作获取模块,用于获取所述目标进程的系统调用操作;The operation acquisition module is used to acquire the system call operation of the target process;
    操作匹配模块,用于若所述系统调用操作与目标系统调用操作匹配,确定所述目标进程为恶意进程。The operation matching module is configured to determine that the target process is a malicious process if the system call operation matches the target system call operation.
  18. 根据权利要求17所述的装置,其特征在于,所述进程获取模块,包括:The device according to claim 17, wherein the process acquisition module comprises:
    候选进程获取子模块,用于获取候选进程,所述候选进程为基于套接字进行网络通信的进程;Candidate process acquisition sub-module for acquiring candidate processes, the candidate process being a process that performs network communication based on a socket;
    连接事件监控子模块,用于监控所述候选进程的连接事件,所述连接事件用于请求网络连接;The connection event monitoring sub-module is used to monitor the connection event of the candidate process, and the connection event is used to request a network connection;
    目标进程获取子模块,用于若监控到所述候选进程的连接事件发生,获取所述候选进程作为目标进程。The target process acquisition sub-module is configured to acquire the candidate process as the target process if the connection event of the candidate process is monitored.
  19. 一种电子设备,其特征在于,包括:An electronic device, characterized in that it comprises:
    一个或多个处理器;One or more processors;
    存储器;Memory
    一个或多个应用程序,其中所述一个或多个应用程序被存储在所述存储器中并被配置为由所述一个或多个处理器执行,所述一个或多个程序配置用于执行如权利要求1-16任一项所述的方法。One or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs are configured to execute such as The method of any one of claims 1-16.
  20. 一种计算机可读取存储介质,其特征在于,所述计算机可读取存储介质中存储有程序代码,所述程序代码可被处理器调用执行如权利要求1-16任一项所述的方法。A computer readable storage medium, wherein the computer readable storage medium stores program code, and the program code can be called by a processor to execute the method according to any one of claims 1-16 .
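The two mechanisms the claims describe, as an added Python example that is not part of the patent and not code from the applicant: selecting candidate processes by matching the socket inodes in a process's open-file table against the inodes of sockets that carry a TCP link (claims 8, 9, 11, 12 and 15), then checking a process's system call trace for the ordered sequence wait, read, execute, write, wait (claims 2 to 4). It assumes Linux procfs conventions (readlink targets of `/proc/<pid>/fd/*` of the form `socket:[inode]`, the `/proc/net/tcp` column layout with the inode in the tenth column), an assumed mapping from syscall names to the claim's five operation categories, and an in-order-subsequence reading of "matching the execution order" (intervening calls such as `clone` are ignored). Every input below is constructed; nothing is read from the live system.

```python
"""Added example: candidate-process selection over procfs-style data plus ordered
system call matching, as the claims describe. Not the patent's own code; all
inputs are constructed and the parsing assumes Linux procfs layouts."""
import re
from typing import Dict, Iterable, List, Set

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")                 # readlink of /proc/<pid>/fd/N
STRACE_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")      # syscall name in an strace line
TCP_ESTABLISHED = "01"                                           # 'st' column in /proc/net/tcp


def socket_inodes_per_process(fd_tables: Dict[int, List[str]]) -> Dict[int, Set[int]]:
    """Claim 9: pid -> socket inodes among its open files (the 'first processes')."""
    result: Dict[int, Set[int]] = {}
    for pid, links in fd_tables.items():
        inodes = {int(m.group(1)) for m in map(SOCKET_LINK.match, links) if m}
        if inodes:
            result[pid] = inodes
    return result


def connected_tcp_inodes(proc_net_tcp: str, states: Iterable[str] = (TCP_ESTABLISHED,)) -> Set[int]:
    """Claims 12/15: inodes of TCP sockets in the given states.
    Row layout after split(): sl local rem st tx:rx tr:when retrnsmt uid timeout inode ..."""
    wanted = set(states)
    inodes: Set[int] = set()
    for row in proc_net_tcp.splitlines()[1:]:                    # first line is the header
        cols = row.split()
        if len(cols) >= 10 and cols[3] in wanted:
            inodes.add(int(cols[9]))
    return inodes


def candidate_processes(fd_tables: Dict[int, List[str]], proc_net_tcp: str) -> Set[int]:
    """Claims 11-12: first processes whose socket inode is part of a TCP link."""
    link_inodes = connected_tcp_inodes(proc_net_tcp)
    return {pid for pid, inodes in socket_inodes_per_process(fd_tables).items()
            if inodes & link_inodes}


# Assumed mapping from syscall names to the five operations of claim 4.
OP_OF_SYSCALL = {
    "select": "wait", "pselect6": "wait", "poll": "wait", "ppoll": "wait", "epoll_wait": "wait",
    "read": "read", "recvfrom": "read", "recvmsg": "read",
    "execve": "exec", "execveat": "exec",
    "write": "write", "sendto": "write", "sendmsg": "write",
}
TARGET_SEQUENCE = ("wait", "read", "exec", "write", "wait")      # claim 4, in order


def syscall_names_from_trace(lines: Iterable[str]) -> List[str]:
    """Extract syscall names from strace-style lines; lines that do not parse are skipped."""
    return [m.group(1) for m in (STRACE_CALL.match(l.strip()) for l in lines) if m]


def matches_target_sequence(syscalls: Iterable[str], target=TARGET_SEQUENCE) -> bool:
    """Claims 2-4: True when the categorised calls contain `target` as an in-order
    subsequence. Calls outside OP_OF_SYSCALL are ignored (assumption: the claims do
    not say whether intervening calls break the match)."""
    i = 0
    for name in syscalls:
        if OP_OF_SYSCALL.get(name) == target[i]:
            i += 1
            if i == len(target):
                return True
    return False


# Constructed data: /proc/<pid>/fd link targets and a two-row /proc/net/tcp.
FD_TABLES = {
    900:  ["/var/log/syslog", "pipe:[41000]"],                   # no socket at all
    1203: ["socket:[28811]", "/dev/null"],                       # listening socket only
    1337: ["/dev/pts/0", "socket:[30002]", "pipe:[41001]"],      # established to :4444
}
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28811 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1E2 0100A8C0:115C 01 00000000:00000000 00:00000000 00000000  1000        0 30002 1 0000000000000000 20 4 30 10 -1
"""
SHELL_TRACE = [   # constructed strace -f excerpt: a shell serving one command over fd 3
    "select(4, [0 3], NULL, NULL, NULL) = 1 (in [3])",
    'read(3, "id\\n", 1024) = 3',
    "clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1340",
    '[pid  1340] execve("/usr/bin/id", ["id"], 0x5581c0ffee00 /* 20 vars */) = 0',
    '[pid  1340] write(3, "uid=1000(user) gid=1000(user)\\n", 31) = 31',
    "select(4, [0 3], NULL, NULL, NULL) = 1 (in [3])",
]
BENIGN_TRACE = ['read(0, "hello\\n", 4096) = 6', 'write(1, "hello\\n", 6) = 6']

if __name__ == "__main__":
    print("candidates:", sorted(candidate_processes(FD_TABLES, PROC_NET_TCP)))             # [1337]
    print("shell:", matches_target_sequence(syscall_names_from_trace(SHELL_TRACE)))         # True
    print("benign:", matches_target_sequence(syscall_names_from_trace(BENIGN_TRACE)))       # False
```

Two practitioner caveats the claims leave open. First, the five-step sequence is also the normal loop of any inetd-style or CGI-style server that forks a handler per request, so a deployment needs the connection-event gate of claim 6 (which process initiated an outbound connect) and an allow-list in front of the sequence match, or it will flag legitimate daemons. Second, on a real host the inode match must also read `/proc/net/tcp6`, is scoped to the network namespace of the reader, and reading another user's `/proc/<pid>/fd` requires ptrace-level access, so the scan runs as root or with `CAP_SYS_PTRACE`.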

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080094694.3A CN115023699A (en) 2020-03-24 2020-03-24 Malicious process detection method and device, electronic device and storage medium
PCT/CN2020/080922 WO2021189257A1 (en) 2020-03-24 2020-03-24 Malicious process detection method and apparatus, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/080922 WO2021189257A1 (en) 2020-03-24 2020-03-24 Malicious process detection method and apparatus, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
WO2021189257A1 (en) 2021-09-30

Family

ID=77890894

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/080922 WO2021189257A1 (en) 2020-03-24 2020-03-24 Malicious process detection method and apparatus, electronic device, and storage medium

Country Status (2)

Country Link
CN (1) CN115023699A (en)
WO (1) WO2021189257A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350052A (en) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 Method and apparatus for discovering malignancy of computer program
CN103023912A (en) * 2012-12-26 2013-04-03 蓝盾信息安全技术股份有限公司 Method for preventing network attacks based on virtual machines
CN103839005A (en) * 2013-11-22 2014-06-04 北京智谷睿拓技术服务有限公司 Malware detection method and malware detection system of mobile operating system
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
US20180357413A1 (en) * 2017-05-31 2018-12-13 Paul A. Rivera Methods and Systems for the Active Defense of a Computing System Against Malware
CN110493165A (en) * 2018-06-29 2019-11-22 厦门白山耘科技有限公司 Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285621A (en) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network threat monitoring method and device and electronic equipment
CN115002186A (en) * 2022-05-17 2022-09-02 深信服科技股份有限公司 Network information acquisition method and device, electronic equipment and readable storage medium
CN116484364A (en) * 2023-02-03 2023-07-25 安芯网盾(北京)科技有限公司 Hidden port detection method and device based on Linux kernel
CN116484364B (en) * 2023-02-03 2024-01-26 安芯网盾(北京)科技有限公司 Hidden port detection method and device based on Linux kernel
CN116112295A (en) * 2023-04-12 2023-05-12 北京长亭未来科技有限公司 Method and device for researching and judging external connection type attack result
CN116112295B (en) * 2023-04-12 2023-07-04 北京长亭未来科技有限公司 Method and device for researching and judging external connection type attack result

Also Published As

Publication number Publication date
CN115023699A (en) 2022-09-06

Similar Documents

Publication Publication Date Title
WO2021189257A1 (en) Malicious process detection method and apparatus, electronic device, and storage medium
US10552348B2 (en) USB device access method, apparatus and system, a terminal, and a server
US9870303B2 (en) Monitoring and correlating a binary process in a distributed business transaction
US20220391489A1 (en) Data processing method and apparatus, computer device, and storage medium
CN107135249B (en) Data downloading method and device
US10623450B2 (en) Access to data on a remote device
CN111193633B (en) Method and device for detecting abnormal network connection
CN109831351B (en) Link tracking method, device, terminal and storage medium
US10007562B2 (en) Business transaction context for call graph
US10067862B2 (en) Tracking asynchronous entry points for an application
CN111447201A (en) Scanning behavior recognition method and device, electronic equipment and storage medium
CN114726633B (en) Traffic data processing method and device, storage medium and electronic equipment
CN110881224B (en) Network long connection method, device, equipment and storage medium
CN116582365B (en) Network traffic safety control method and device and computer equipment
CN111371783B (en) SQL injection attack detection method, device, equipment and storage medium
WO2021097713A1 (en) Distributed security testing system, method and device, and storage medium
CN116028917A (en) Authority detection method and device, storage medium and electronic equipment
CN115828256A (en) Unauthorized and unauthorized logic vulnerability detection method
CN114462030A (en) Privacy policy processing and evidence obtaining method, device, equipment and storage medium
CN114461909A (en) Information processing method, information processing apparatus, electronic device, and storage medium
CN113765924A (en) Safety monitoring method, terminal and equipment based on cross-server access of user
CN109068170B (en) Storage method, device, terminal and storage medium for barrage message
CN116938605B (en) Network attack protection method and device, electronic equipment and readable storage medium
CN115038089B (en) Multi-terminal data monitoring and collecting method based on information extraction
CN116915860B (en) Instruction transmission method, device, equipment and medium based on UDP

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 20927474; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 24.02.2023)
122 Ep: pct application non-entry in european phase. Ref document number: 20927474; Country of ref document: EP; Kind code of ref document: A1