CN100367230C - Action control method based on LSM programme - Google Patents

Info

Publication number: CN100367230C
Authority: CN (China)
Application number: CNB2004100139631A
Other versions: CN1648869A
Original language: Chinese (zh)
Inventors: 张衡, 吴礼发
Original and current assignee: PLA University of Science and Technology
Legal status: Expired - Fee Related
Prior art keywords: lsm, sequence, program, capture point, capture
Abstract

The present invention relates to a method of controlling program behavior by means of LSM capture points. The method comprises the following steps: intercepting the LSM control point information that a monitored program passes through and generating an LSM capture point sequence of length 10; comparing the generated sequence with the sequences already in a normal behavior pattern library and adding it to the library when no matching sequence exists there; monitoring a designated program; intercepting the LSM control point information the monitored program passes through; comparing the generated sequence with the sequences in the normal behavior pattern library and sending an alarm to the system if no matching sequence exists. The invention provides a program behavior control method that uses LSM capture points as the data source for program behavior modeling and improves the ability of security server equipment to recognize abnormal programs.

Description

Program behavior control method based on LSM
1. Technical field
The present invention relates to security server equipment, and in particular to a method of controlling program behavior on a security server that operates as an Internet server.
2. Background
As society becomes progressively more informatized and networked, the security of information systems grows more important. More and more Internet servers (Web servers, FTP servers, e-mail servers, DNS servers) are run on security server equipment. In a traditional security server, security control is realized mainly through access control. That mechanism still has many problems, and program behavior control technology emerged in response. The basic principle of program behavior control is to judge, from the normality of a program's behavior or of its resource usage, whether the system is being misused by a malicious user. It generally works by building a model of the program's behavior and then monitoring whether the observed behavior conforms to that model. Compared with traditional access control, program behavior control can effectively guarantee that a program runs in the way its designers intended. The key issue in program behavior control is the construction of the normal behavior model, which in essence comes down to processing the audit data selected for the monitored program. The quality of the audit data source therefore directly determines the effectiveness of behavior control. In existing program behavior control methods the audit data source is generally the system call.
The LSM (Linux Security Modules) framework analyzes the resources the system needs to protect, determines which objects are to be protected and which data structures correspond to those objects, and, by analyzing the source code, which functions operate on them. In the final function that accesses an object (the granularity is the function), a hook is inserted to intercept the access and invoke the security mechanism, and other hooks modify the data structures corresponding to the object to satisfy the needs of the security mechanism. Using LSM capture points (hook points) as the data source for program behavior modeling has the following advantages: the LSM capture points lie inside system calls or kernel functions, so their granularity is finer than that of system calls, and they all sit at the points of access to the various resources, which ties them closely to security. A system call sequence records the interaction between a process and the kernel, whereas an LSM sequence records the process's accesses to resources, which is more security-relevant.
However, existing program behavior control methods that model program behavior on system call sequences have shortcomings: the normal behavior library is too large, detection efficiency is low and the false alarm rate is high.
3. Summary of the invention
The present invention addresses the problems of existing program behavior control technology in security server equipment that models program behavior on system call sequences, namely an excessively large normal behavior library, low detection efficiency and a high false alarm rate, by providing a program behavior control method that uses LSM capture points as the data source for program behavior modeling, so as to improve the ability of security server equipment to recognize abnormal program behavior.
To achieve this purpose, the invention provides a method of program behavior control based on LSM capture points, comprising the following steps: (1) if the normal program behavior pattern library described with LSM capture points has not yet been fully built, execute step 2; otherwise go to step 4; (2) intercept the LSM control point information that the monitored program passes through and generate an LSM capture point sequence of length 10; (3) compare the generated sequence with the sequences already in the normal behavior library; if no matching sequence exists, add this sequence to the normal behavior library; go to step (1); (4) begin monitoring the designated program; (5) intercept the LSM control point information that the monitored program passes through and generate an LSM capture point sequence of length 10; (6) compare the generated sequence with the sequences in the normal behavior library; if no matching sequence exists, send an alarm to the system (abnormal behavior is present); if the program has ended go to step (7), otherwise go to step (5); (7) monitoring ends.
The invention thus provides a program behavior control method that uses LSM capture points as the data source for program behavior modeling and improves the ability of security server equipment to recognize abnormal program behavior. The library is small, detection efficiency is higher and the false alarm rate is low.
Specific embodiments are described in detail below with reference to the accompanying drawings.
4. Description of the drawings
Fig. 1 is the flow chart of a security server device monitoring program behavior.
Fig. 2 is the flow chart of the method of the invention.
Fig. 3 is the flow chart of obtaining LSM capture point data.
5. Embodiments
As shown in Fig. 1, after starting the program monitoring of the security server device that serves as an Internet server, the user manually configures, according to need, the program objects that require monitoring. Once intercepted data for a monitored program has been obtained, the security server hands it to the recognition mechanism for processing: the intercepted data is compared with the monitored program's normal behavior library, the necessary exception handling is carried out if the data is abnormal, and processing continues if it is normal. In the prior art the normal behavior library of a monitored program is very large.
The method of the invention is shown in Fig. 2. Step 10 is the initial action. In step 11 the security server device obtains LSM capture point data and generates an LSM capture point sequence of length 10. This data sequence is obtained with the processing method specially designed in the present invention and differs from the short sequences of traditional system calls. Step 11 is described in detail in conjunction with Fig. 3 below.
The security server device can independently configure the behavior of particular programs according to the user's needs, and a computer system may run several programs at the same time, so step 12 of Fig. 2 judges from the process number whether the process needs monitoring; if it does, step 13 locates the normal behavior library corresponding to that program. Step 14 judges whether the recognition mechanism has completed training; if so, step 17 is executed, otherwise step 15. Step 15 performs the online learning function: while the recognition mechanism is not yet trained, this step compares the intercepted data sequence with the normal behavior library; if no matching sequence is found in the library, the sequence is a new normal sequence and step 16 saves it in the program's normal behavior library; otherwise it is discarded.
Step 17 performs the actual monitoring function, with the same matching mechanism as step 15. If an unmatched data sequence is obtained, the security server device automatically carries out the necessary exception handling; otherwise it updates the related data and returns to step 11.
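The learn-then-monitor procedure of the summary (steps 1 to 7) and of Fig. 2 (steps 11 to 17), written out as an added illustration; this is not code from the patent. The program name "smtpd", the LSM hook names and both sample streams are constructed, and the example assumes that consecutive length-10 sequences are taken with a window that slides one capture point at a time, which the patent does not specify.

```python
"""Learn-then-monitor over LSM capture point sequences of length 10.
Added illustration of the patent's steps; hook names, program name and
sample streams are constructed, not captured from a real system."""
from collections import defaultdict

SEQ_LEN = 10  # sequence length fixed by the patent (steps 2 and 5, step 104)


def windows(hooks, n=SEQ_LEN):
    """Step 11: turn a stream of capture point names into length-n sequences.
    Assumption: the window slides one capture point at a time."""
    hooks = list(hooks)
    return [tuple(hooks[i:i + n]) for i in range(len(hooks) - n + 1)]


class BehaviorController:
    def __init__(self, monitored_programs):
        self.monitored = set(monitored_programs)  # programs configured for monitoring (Fig. 1)
        self.library = defaultdict(set)           # step 13: one normal behavior library per program
        self.trained = set()                      # step 14: is the recognition mechanism trained?

    def learn(self, program, hooks):
        """Steps 15-16 (online learning): every sequence not yet in the library is
        a new normal sequence and is stored; returns how many distinct ones were added."""
        if program not in self.monitored:         # step 12: process does not need monitoring
            return 0
        lib = self.library[program]
        new = {w for w in windows(hooks) if w not in lib}
        lib.update(new)
        return len(new)

    def finish_training(self, program):
        """Declare the library complete so that step 14 routes to monitoring."""
        self.trained.add(program)

    def monitor(self, program, hooks):
        """Step 17: the same matching as step 15, but an unmatched sequence is an
        alarm. Returns the unmatched sequences, in order, for exception handling."""
        lib = self.library[program]
        return [w for w in windows(hooks) if w not in lib]

    def process(self, program, hooks):
        """Steps 12 and 14: dispatch one captured stream to learning or monitoring."""
        if program not in self.monitored:
            return ("ignored", None)
        if program not in self.trained:
            return ("learned", self.learn(program, hooks))
        return ("alarms", self.monitor(program, hooks))


# Constructed sample data: one delivery loop of a hypothetical mail server "smtpd",
# expressed as illustrative LSM hook names.
NORMAL_LOOP = [
    "socket_accept", "socket_recvmsg", "inode_permission", "file_open",
    "file_permission", "file_permission", "socket_sendmsg", "socket_recvmsg",
    "socket_sendmsg", "file_free",
]
NORMAL_STREAM = NORMAL_LOOP * 3
# Constructed post-compromise stream for the e-mail server scenario of the
# description: the familiar start, then capture points training never saw.
UNSEEN_STREAM = NORMAL_LOOP[:4] + [
    "bprm_check", "inode_create", "file_open", "task_kill",
    "socket_create", "socket_connect", "socket_sendmsg", "socket_recvmsg",
]

if __name__ == "__main__":
    ctl = BehaviorController(["smtpd"])
    print("distinct sequences learned:", ctl.learn("smtpd", NORMAL_STREAM))
    ctl.finish_training("smtpd")
    print("alarms on normal traffic:", ctl.monitor("smtpd", NORMAL_LOOP * 2))
    for seq in ctl.monitor("smtpd", UNSEEN_STREAM):
        print("ALARM: unmatched sequence", seq)
```

Because the normal loop is periodic with period 10, training on three iterations yields only ten distinct sequences (the ten rotations of the loop), which is the library-size effect the description claims for fine-grained capture points; a stream that diverges from the loop produces one alarm per window that contains an unseen point.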
Fig. 3 describes step 11 in detail; its purpose is to obtain LSM capture point data, which differs from system call data. Step 100 is the initial action. To obtain LSM capture point data, step 102 modifies the default entry address of the hook function in the system, and step 103 executes the custom hook function, which obtains the LSM capture point data. Step 104 judges whether the data sequence length equals 10; if not, return to step 101, otherwise execute step 105, which ends the process.
For example, the method of the invention can protect an e-mail server program. After a normal behavior library for the e-mail server program has been built from LSM capture point sequences, real-time monitoring of the e-mail server program is started. If an attacker succeeds in a buffer overflow attack against the e-mail server program and gains control of the system, then as soon as the attacker begins some illegal operation the monitoring program observes an LSM capture point sequence that does not appear in the normal behavior library, thereby detecting and preventing the attacker from carrying out any operation.
Because the LSM capture points lie inside system calls or kernel functions and all sit at the points of access to the various resources, they have finer granularity than system calls and are more closely related to security. Using them in place of the system call sequences on which existing program behavior control technology in security server equipment models program behavior reduces the size of the normal behavior library, improves detection efficiency and reduces the false alarm rate. The LSM capture point data sequence of Fig. 3 is therefore the core of the method of the invention.
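The data acquisition loop of Fig. 3 and claim 2 (steps 100 to 105), simulated in user space as an added illustration; this is neither the patent's code nor the Linux kernel's. The hook table, the default hook functions and the hook names are constructed stand-ins for the kernel's LSM hook table (in the kernel the entries are function pointers; here they are Python callables), and the example assumes, as the first block does, that sequences overlap by sliding one capture point at a time.

```python
"""Steps 100-105: replace each default LSM hook entry with a custom hook that
records the capture point, and emit a sequence once 10 points are available.
Added user-space illustration; hook table and hook functions are constructed."""
from collections import deque
from functools import wraps

SEQ_LEN = 10


def _default_allow(*args):
    return 0       # LSM convention: 0 permits the access


def _default_deny(*args):
    return -13     # -EACCES: the default hook refuses the access


# Constructed stand-in for the kernel's hook table: hook name -> default hook.
DEFAULT_HOOKS = {
    "socket_accept": _default_allow,
    "socket_recvmsg": _default_allow,
    "socket_sendmsg": _default_allow,
    "inode_permission": _default_allow,
    "file_open": _default_allow,
    "task_kill": _default_deny,
}


class CapturePointCollector:
    def __init__(self, hook_table, seq_len=SEQ_LEN):
        self.original = dict(hook_table)        # kept so the entries can be restored
        self.window = deque(maxlen=seq_len)     # step 104 tests len(window) == seq_len
        self.sequences = []                     # step 105 output: completed sequences
        for name, default in self.original.items():
            hook_table[name] = self._custom_hook(name, default)   # step 102

    def _custom_hook(self, name, default):
        @wraps(default)
        def hook(*args):                        # step 103: the custom hook runs first
            self.window.append(name)            # record the capture point
            if len(self.window) == self.window.maxlen:
                self.sequences.append(tuple(self.window))   # step 104 -> step 105
            return default(*args)               # the default decision is left unchanged
        return hook

    def restore(self, hook_table):
        """Put the default entries back; recording stops."""
        hook_table.update(self.original)


def run_process(hook_table, hook_names):
    """Stand-in for step 101: the kernel invoking hooks in the order a process
    triggers them. Returns the hook decisions so callers can check none changed."""
    return [hook_table[name]() for name in hook_names]


if __name__ == "__main__":
    table = dict(DEFAULT_HOOKS)
    collector = CapturePointCollector(table)
    # Constructed order of hook invocations for one short run of a process.
    trace = ["socket_accept", "socket_recvmsg", "inode_permission",
             "file_open", "file_open", "socket_sendmsg"] * 2
    print("decisions:", run_process(table, trace))
    for seq in collector.sequences:
        print("capture point sequence:", seq)
    collector.restore(table)
```

The custom hook only observes: it records the capture point and then returns whatever the default hook decided, so installing the collector changes what the system logs but not what it permits, which is the property a practitioner should verify before modifying hook entries on a production server.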

Claims (2)

1. A program behavior control method based on LSM, characterized in that the capture points of the Linux Security Modules (LSM) of the programming system are used in the program monitoring of a security server device to carry out program behavior control, the method comprising the following steps: Step 1: if the normal program behavior pattern library described with LSM capture points has not yet been fully built, execute step 2, otherwise go to step 4; Step 2: intercept the LSM control point information that the monitored program passes through and generate an LSM capture point sequence of length 10; Step 3: compare the generated sequence with the sequences already in the normal behavior library; if no matching sequence exists, add this sequence to the normal behavior library; go to step 1; Step 4: begin monitoring the designated program; Step 5: intercept the LSM control point information that the monitored program passes through and generate an LSM capture point sequence of length 10; Step 6: compare the generated sequence with the sequences in the normal behavior library; if no matching sequence exists, send an alarm to the system; if the program has ended go to step 7, otherwise go to step 5; Step 7: monitoring ends.
2. The program behavior control method based on LSM according to claim 1, characterized in that the step of obtaining LSM capture point data and generating an LSM capture point sequence of length 10 is as follows: Step 100: initial action; Step 101: call the LSM hook function; Step 102: modify the default entry address of the hook function in the system; Step 103: execute the custom hook function and obtain the LSM capture point data; Step 104: judge whether the data sequence length equals 10; if not, return to step 101, otherwise execute step 105; Step 105: end the process.
Application CNB2004100139631A, "Action control method based on LSM programme", priority date 2004-01-19, filing date 2004-01-19, status Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN1648869A (en) 2005-08-03
CN100367230C (en) 2008-02-06

Family ID: 34867847 (one family application, CNB2004100139631A; country status: CN)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246566B (en) * 2012-02-03 2017-12-01 腾讯科技(深圳)有限公司 The resource monitoring method and device of application program
CN102930202A (en) * 2012-11-05 2013-02-13 曙光信息产业(北京)有限公司 Operation executing method in Linux system
CN104899511B (en) * 2015-05-21 2018-01-19 成都中科慧创科技有限公司 A kind of active defense method based on program behavior algorithm
CN106251876A (en) * 2015-06-12 2016-12-21 徐文波 Audio mixed method based on HOOK technology and system
CN106991329A (en) * 2017-03-31 2017-07-28 山东超越数控电子有限公司 A kind of trust calculation unit and its operation method based on domestic TCM

Citations (4)

Publication number Priority date Publication date Assignee Title
CN1266228A (en) * 1999-03-04 2000-09-13 英业达股份有限公司 Dynamic monitoring and controlling method for files system
US6477485B1 (en) * 2000-10-27 2002-11-05 Otis Elevator Company Monitoring system behavior using empirical distributions and cumulative distribution norms
US6480919B2 (en) * 1998-09-14 2002-11-12 Compaq Information Technologies Group, L.P. Method and apparatus for providing seamless hooking and intercepting of selected kernel and hal exported entry points
US6529784B1 (en) * 2000-02-29 2003-03-04 Caldera Systems, Inc. Method and apparatus for monitoring computer systems and alerting users of actual or potential system errors


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee