CN100407164C - Software-action description, fetching and controlling method with virtual address space characteristic

Info

Publication number: CN100407164C
Authority: CN (China)
Prior art keywords: address, call, task, characteristic, behavior
Legal status: Active
Application number: CN2006100258589A
Other languages: Chinese (zh)
Other versions: CN1892615A
Inventors: 冯敏, 韩欣
Current Assignee: Shanghai Pudong Software Park Information Technology Co., Ltd.
Original Assignee: Information Tech Co Ltd Shanghai Pudong Software Zone
Abstract

The invention discloses a software behaviour anomaly detection and protection method. It comprises: acquiring a software behaviour together with its address attribute and establishing the corresponding feature data set; and using the established feature data set to detect and guard against abnormal software behaviour, wherein the feature data set carries a virtual address space attribute. The method constrains the software's behaviour trajectory without error, improves detection accuracy, greatly raises recognition efficiency and is convenient to implement. It can be used on its own or together with other data, for example short sequences, state attributes and resource attributes. The invention enables real-time detection and control of application program behaviour and can be applied in fields such as host information system security protection and network information system intrusion protection.

Description

Software behaviour description, acquisition and control method with virtual address space attribute
Technical field
The present invention relates to the security protection of computer and network information systems and to other fields that need to grasp software behaviour characteristics; more particularly, it relates to a software behaviour anomaly detection and protection method based on program behaviour.
Background technology
From a technical standpoint, security protection measures for network information systems can be divided into two kinds: active and passive. Passive measures, also called reactive measures, typically work as follows: after an incident has occurred, information about the object attacked, the environment settings and the resulting consequences is collected, the features of the behaviour that caused the incident are extracted, analysed and standardized, and then applied in later security protection. Common protective tools of this kind are anti-virus products, NIDS/HIDS and so on. Although this detection approach detects known viruses and intrusion behaviour well, it is powerless against novel viruses or attacks, and even coping with variants of known attacks is very difficult. The technologies these products adopt share a common feature: they are passive and reactive. On the one hand, this mode can effectively detect known attack methods. On the other hand, faced with increasingly complex and changeable attack forms, ever more frequent attacks and the threat of "first-day" attacks, reactive defence cannot satisfy high security requirements, and the development of active techniques receives more and more attention.
Unlike passive reactive techniques, active defence resists external attacks and safeguards system security in a manner that is not affected by the attack means. Because this defence method relies on the normal behavioural characteristics of the system, changes in attack means have no influence on it, so attacks can be detected and guarded against regardless of whether they are new or old; the so-called "first-day" attack is likewise ineffective against it. The technical difficulty of this method is: faced with increasingly complex information systems, how to establish a normal behaviour security model that is adaptable, convenient for practical application and efficient. One of the keys to establishing such a model is the method of behaviour description (portrayal). The present invention provides an effective behavioural feature description and monitoring method, and thereby provides effective support for establishing the normal behaviour model in behaviour-security-based monitoring techniques and other forms of active defence.
Current approaches to modelling safe behaviour and matching behaviour against the model mainly include: Markov model methods; hidden Markov model methods; Bayesian probability network methods; rule-based methods; decision-tree methods; the system call short sequence method; neural network methods; and so on. The main problem faced by models based on conditional probability is that both establishing the normal behaviour model and carrying out high-precision detection take a large amount of time, and the false alarm rate is often high because of insufficient training. Rule-based behaviour detection models find it difficult to determine efficient and feasible rules for comparatively complex environments, and face the possibility of missed and false detections. Behaviour description is the core of behaviour monitoring, and different behaviour description methods lead to detection results that differ considerably in accuracy, efficiency and usability.
Summary of the invention
The present invention aims to provide a software behaviour anomaly detection and protection method that describes, acquires and establishes a behaviour feature information model of an application service program having virtual address space attributes, and uses that model to detect anomalies and protect software behaviour, thereby guarding against the information security risks caused by "hacker" intrusion and misuse.
According to one aspect of the present invention, a software behaviour anomaly detection and protection method is provided, comprising:
acquiring a software behaviour together with its address attribute and establishing the corresponding feature data set;
using the established feature data set to detect and protect against abnormal software behaviour, wherein the feature data set has a virtual address space attribute.
Preferably, acquiring a software behaviour and its address attribute and establishing the corresponding feature data set comprises:
determining the list of system calls to be processed and the shared library address space range value; wherein
the call list is the part that actually needs processing, selected as required from the complete set of system calls;
submitting to the system the application object whose behaviour is to be acquired, and announcing the system call list to be processed and the shared library address range to the system's internal processing mechanism;
starting the application program whose behaviour is to be acquired, and running it according to black-box or "white-box" test requirements;
while the application program runs, the system's parallel processing mechanism automatically intercepts the system calls specified in the list, obtains in real time the user-space entry address and the hierarchy (layer) information of each call, and binds them to the call to construct a call triple;
extracting the behavioural data set collected by the system, and processing and storing it according to specific requirements.
Determining the shared library address space range value further comprises: first determining whether the virtual address of shared libraries in the host operating system is fixed; if it is fixed, finding out precisely the usable range the system sets for the shared libraries; if the shared library space varies with the application program, setting it to a particular value.
According to one embodiment of the invention, acquiring a software behaviour and its address attribute and establishing the corresponding feature data set specifically comprises:
Step 11) determining the shared library address space range value at the application layer.
Step 12) receiving through the system interface the acquisition request information sent from the user application layer, including control mode information,
application name, system call list and shared library address range setting; creating a system job control queue entry for the system to use for identification at execution time; and setting up and initializing the first-layer information acquisition data structure according to the specified acquisition requirements;
Step 13) terminating and restarting the target program of the acquisition at the user layer, and running it in the predetermined test mode;
Step 14) when the system executes a new file, judging according to the system job control queue established in step 12) whether the program to be executed is an object whose behavioural information is to be collected; if not, going to step 19); if so, creating a system task control queue entry for the current task and at the same time establishing the mapping relation between the two queue entries;
Step 15) at the entry of each system call listed in the system call list, judging according to the system task control queue whether the current task is an object whose behavioural information is being collected; if not, going to step 19); if so, intercepting the system call of the current task;
Step 16) checking, according to the shared library address range setting, whether the return address of the top stack frame falls within the shared library address space; if not, binding this address to the call number, constructing the {call, address, layer} triple, recording it in the process data structure corresponding to the current process and going to step 18); otherwise continuing to the next step;
Step 17) searching backwards through the user stack, frame by frame, for a user return address until one is found that does not fall within the shared library address range; binding the return address found to the call number, constructing the {call, address, layer} triple and recording it in the task data structure corresponding to the current task;
Step 18) if the current system call does not create a subtask, going to step 19); otherwise first creating a new system task control queue entry for the subtask and searching whether the structure and space for the next layer of tasks already exist in the current job structure; if so, establishing the link and going to the next step; otherwise creating the structure for the next layer of tasks and completing its initialization;
Step 19) transferring to the normal system call processing flow;
Steps 15)-19) above are executed repeatedly in a loop while the behavioural feature information of the specified service program is acquired; after complete information data has been obtained, the following processing flow is entered:
Step 110) extracting through a dedicated interface the application behaviour feature information collected by the system, and processing and filing the data in the required format.
Preferably, using the established feature data set to detect and protect against abnormal software behaviour comprises:
submitting to the system the application object to be controlled, and announcing the behavioural feature data set of the corresponding object to the system's internal processing mechanism, wherein the behavioural feature data set carries a virtual address space attribute;
restarting the application program that is to be monitored;
while the application program runs, the system monitoring mechanism automatically identifies the objects that need monitoring and intercepts the system calls specified in the system call list, at the same time obtaining the user-space entry address of each call and binding it with the call to form the call triple {call number, address, layer};
comparing the constructed triple {call number, address, layer} with the data in the corresponding behaviour set; if the set contains this triple, the system call is legal and the normal system call execution sequence is entered; otherwise the operation is considered illegal and is handled according to a certain error handling principle.
According to one embodiment of the invention, using the established feature data set to detect and protect against abnormal software behaviour specifically comprises:
Step 21) submitting the application object that needs monitoring through the system interface, and at the same time providing the corresponding behaviour control data set;
Step 22) the system extracting the control mode information, application name, system call list and shared library address range setting from the monitoring request information, creating a system job control queue entry for the system to use when identifying new programs at execution time, and completing the initialization of the monitoring data structure according to the behavioural information data structure of the submitted application program;
Step 23) stopping and restarting the monitored target program at the user layer, and running it in normal mode;
Step 24) when the system executes a new file, judging according to the system job control queue entry established in step 22) whether the program to be executed is an object whose behaviour is to be monitored; if not, going to step 28); if so, creating a system task control queue entry for the current task and at the same time establishing the mapping relation between the two queue entries;
Step 25) at the entry of each system call listed in the list, judging according to the system process control queue entry whether the current task is a task whose behavioural features are monitored; if not, going to step 28); if so, intercepting the current system call;
Step 26) completing construction of the behaviour triple and arbitrating the legality of the behaviour; if access arbitration succeeds, continuing; otherwise, on failure, going to step 29);
Step 27) if the current system call does not create a subtask, going to step 28); otherwise first creating a new system task control queue entry for the subtask and searching whether the behaviour structure and attribute information of the next layer of tasks exist in the current job behaviour structure; if so, establishing the link and going to the next step; otherwise considering this process creation illegal and going to step 29);
Step 28) transferring to the normal system call processing flow;
Step 29) error handling and return to the user program.
Steps 25)-29) above are executed repeatedly in a loop while the behavioural feature information of the specified service program is monitored; the monitored application program runs within the established behaviour framework.
In summary, the method of the present invention provides a software behaviour description carrying address attributes, whose fundamental elements are as follows:
The system call is the fundamental element of software behaviour. A system call is one of the service interfaces the operating system offers to application layer software, completing for the application specific tasks that only the system can perform.
The entry address of the system call in the application program, that is, the entry address in the user's virtual address space, is a key feature attribute of that system call.
The hierarchy (layer) information of the task in which the system call takes place is another feature attribute of the call.
The system call triple {call, address, layer} is constructed as the feature description of one software call behaviour.
The set of triples of all the system calls an application must perform to accomplish its design goal constitutes the behavioural data set of this software, carrying the address feature attribute.
Compared with conditional probability methods, when this data model is applied to related applications such as behaviour control, the method of the present invention constrains the software's behaviour trajectory without error. While improving detection accuracy it greatly improves recognition efficiency, and it is convenient to implement. It can be used independently, and when combined with other data, for example short sequence patterns, state attributes and resource attributes, it provides more effective and flexible support for building the security anomaly monitoring model of an information system. It realizes real-time detection and control of application program behaviour and blocks the vulnerabilities an application program may present at run time, significantly improving the accuracy and efficiency of software behaviour anomaly detection and monitoring.
Description of drawings
The above and other features, properties and advantages of the present invention will become more apparent from the following description of embodiments in conjunction with the accompanying drawings, in which identical reference numerals always denote identical features, wherein:
Fig. 1 shows the basic process of acquiring a software behaviour and its address attribute and establishing the corresponding feature data set, where the feature data set has a virtual address space attribute.
Fig. 2 shows the basic process of using the established feature data set to detect and protect against abnormal software behaviour, where the feature data set has a virtual address space attribute.
Fig. 3 shows the structure of the system job control queue and the system process control queue according to one embodiment of the invention.
Embodiment
The technical scheme of the present invention is further described below in conjunction with specific embodiments.
First, the invention provides a software behaviour anomaly detection and protection method comprising: acquiring a software behaviour and its address attribute and establishing the corresponding feature data set; and using the established feature data set to detect and protect against abnormal software behaviour, wherein the feature data set has a virtual address space attribute. The method of the invention provides a software behaviour description carrying address attributes, whose fundamental elements are as follows:
1) The system call is the fundamental element of software behaviour. A system call is one of the service interfaces the operating system offers to application layer software, completing for the application specific tasks that only the system can perform.
2) The entry address of the system call in the application program, that is, the entry address in the user's virtual address space, is a key feature attribute of that system call.
3) The hierarchy (layer) information of the task in which the system call takes place is another feature attribute of the call.
4) The system call triple {call, address, layer} is constructed as the feature description of one software call behaviour.
5) The set of triples of all the system calls an application must perform to accomplish its design goal constitutes the behavioural data set of this software, carrying the address feature attribute.
The first step, acquiring a software behaviour and its address attribute and establishing the corresponding feature data set, can be implemented as follows.
Referring to Fig. 1, which shows the basic process of acquiring a software behaviour and its address attribute and establishing the corresponding feature data set, where the feature data set has a virtual address space attribute. According to the invention, this step follows the basic process below:
Determine the list of system calls to be processed and the shared library address space range value. The system call list is the part that actually needs processing, selected as required from the complete set of system calls. For the shared library address space, first determine whether the virtual address of shared libraries in the host operating system is fixed. Usually, for the sake of uniform handling, the system places shared libraries in a fixed region of user space, in which case the usable range the system sets for shared libraries must be found out precisely. If the shared library space varies with the application program, it is set to a particular value, such as 0xfffffff.
Submit to the system the application object whose behaviour is to be acquired, and announce the system call list to be processed and the shared library address range to the system's internal processing mechanism.
Start the application program whose behaviour is to be acquired, and run it according to black-box or "white-box" test requirements.
While the application program runs, the system's parallel processing mechanism automatically intercepts the system calls specified in the list, obtains in real time the user-space entry address and the hierarchy (layer) information of each call, and binds them to the call to construct a call triple.
Extract the behavioural data set collected by the system, and process and store it according to specific requirements.
Some points in the above process need explanation:
The shared library address range is determined in order to avoid, as far as possible, the system call address attributes of different applications becoming identical when the shared library address range is fixed.
Implementing this method requires the host operating system to provide a concurrent acquisition mechanism, or an interface to such a mechanism.
Different test modes should be adopted according to actual needs so as to guarantee the behaviour set, and attack tests must be avoided during this period.
The final data is the set of system call sequences carrying attributes such as the virtual address.
According to one embodiment of the invention, acquiring and making the feature set comprises: building a mechanism in the system kernel that completely monitors the running of the specified application program, obtains the behaviour feature information set of this program according to the settings, and after analysis and processing builds the triple system call sequence behavioural feature model of the application program; the specific steps are as follows:
Step 11) determining the shared library address space range value (at the application layer) by means of system tools or technical documentation.
Step 12) receiving through the system interface the acquisition request information sent from the user application layer, including control mode information, application name, system call list and shared library address range setting; creating a system job control queue entry for the system to use for identification at execution time; and setting up and initializing the first-layer information acquisition data structure according to the specified acquisition requirements.
Step 13) terminating and restarting the target program of the acquisition at the user layer, and running it in the predetermined test mode.
Step 14) when the system executes a new file, judging according to the system job control queue established in step 12) whether the program to be executed is an object whose behavioural information is to be collected; if not, going to step 19); if so, creating a system task control queue entry for the current task and at the same time establishing the mapping relation between the two queue entries.
Step 15) at the entry of each (listed) system call, judging according to the system task control queue whether the current task is an object whose behavioural information is being collected; if not, going to step 19); if so, intercepting the system call of the current task.
Step 16) checking, according to the shared library address range setting, whether the return address of the top stack frame falls within the shared library address space; if not, binding this address to the call number, constructing the {call, address, layer} triple, recording it in the process data structure corresponding to the current process and going to step 18); otherwise continuing.
Step 17) searching backwards through the user stack, frame by frame, for a user return address until one is found that does not fall within the shared library address range; binding the return address found to the call number, constructing the {call, address, layer} triple and recording it in the task data structure corresponding to the current task.
Step 18) if the current system call does not create a subtask, going to step 19); otherwise first creating a new system task control queue entry for the subtask and searching whether the structure and space for the next layer of tasks already exist in the current job structure; if so, establishing the link and going to the next step; otherwise creating the structure for the next layer of tasks and completing its initialization.
Step 19) transferring to the normal system call processing flow;
Steps 15)-19) above are executed repeatedly in a loop while the behavioural feature information of the specified service program is acquired; after relatively complete information data has been obtained, the following processing flow is entered:
Step 110) extracting through a dedicated interface the application behaviour feature information collected by the system, and processing and filing the data in the required format.
Fig. 1 shows, from the angle of the operational flow, the basic process of acquiring a software behaviour and its address attribute and establishing the corresponding feature data set. As shown in Fig. 1:
Step a: first intercept the system call;
Step b: judge whether this system call is a behaviour acquisition request; if so, perform step b1: extract the information, set up the monitoring job entry and initialize the behavioural data structure; then step b2 must also be performed: restart the program whose behavioural data is collected, this restart being carried out at the application layer; if not, enter step c;
Step c: judge whether a monitored program is to be executed; if the decision is to execute, enter step d; if the decision is not to execute, enter step c1 and judge further whether this process is a process whose data is being collected; if so, enter step c2 and establish a link with the task entry associated with this process; if not, enter step i;
Step d: create a task control entry for this process and link it with the job entry; then enter step e; note that step e is also entered after step c2 above completes;
Step e: obtain the user stack address of this process and construct the call triple;
Step f: judge whether this triple is in the behaviour set; if the result is yes, enter step g; if the result is no, skip step g and enter step h directly;
Step g: save the data of this triple in the behaviour set;
Step h: judge whether this call creates a subprocess; if the result is yes, enter step h1: create a task control table entry for the subprocess and link it with the job entry; if the result is no, enter step i;
Step i: complete the normal system call task; note that step i is also entered when the result of step c1 above is no, and after step h1 completes.
The second step of the method of the present invention, using the established feature data set to detect and protect against abnormal software behaviour, can be implemented as follows:
Referring to Fig. 2, which shows the basic process of using the established feature data set to detect and protect against abnormal software behaviour, where the feature data set has a virtual address space attribute. According to the invention, this step follows the basic process below:
Submit to the system the application object to be controlled, and announce the behavioural feature data set with virtual address space attribute of the corresponding object to the system's internal processing mechanism; the behaviour feature set can be acquired and established according to the first step described above;
Restart the application program that is to be monitored;
While the application program runs, the system monitoring mechanism automatically identifies the objects that need monitoring and intercepts the system calls specified in the list, at the same time obtaining the user-space entry address of each call and binding it with the call to form the call triple {call number, address, layer};
Compare the constructed triple {call number, address, layer} with the data in the corresponding behaviour set; if the set contains this triple, the system call is legal and the normal system call execution sequence is entered. Otherwise the operation is considered illegal and is handled according to a certain error handling principle.
According to one embodiment of the invention, implementing monitoring with the behavioural data set comprises: establishing a control mechanism in the system kernel that completely monitors the running of the specified application program, intercepts the behavioural feature information with address attributes of this program according to the settings, performs access arbitration after analysis and processing, and handles the result accordingly; the specific steps are as follows:
Step 21) submitting the application object that needs monitoring through the system interface, and at the same time providing the corresponding behaviour control data set.
Step 22) the system extracting the control mode information, application name, system call list and shared library address range setting from the monitoring request information, creating a system job control queue entry for the system to use when identifying new programs at execution time, and completing the initialization of the monitoring data structure according to the behavioural information data structure of the submitted application program.
Step 23) stopping and restarting the monitored target program at the user layer, and running it in normal mode.
Step 24) when the system executes a new file, judging according to the system job control queue entry established in step 22) whether the program to be executed is an object whose behaviour is to be monitored; if not, going to step 28); if so, creating a system task control queue entry for the current task and at the same time establishing the mapping relation between the two queue entries.
Step 25) at the entry of each system call listed in the list, judging according to the system process control queue entry whether the current task is a task whose behavioural features are monitored; if not, going to step 28); if so, intercepting the current system call.
Step 26) completing construction of the behaviour triple and arbitrating the legality of the behaviour. If access arbitration succeeds, continuing; otherwise, on failure, going to step 29).
Step 27) if the current system call does not create a subtask, going to step 28); otherwise first creating a new system task control queue entry for the subtask and searching whether the behaviour structure and attribute information of the next layer of tasks exist in the current job behaviour structure. If so, establishing the link and going to the next step; otherwise considering this process creation illegal and going to step 29).
Step 28) transferring to the normal system call processing flow.
Step 29) error handling and return to the user program.
Steps 25)-29) above are executed repeatedly in a loop while the behavioural feature information of the specified service program is monitored; the monitored application program runs within the established behaviour framework.
Fig. 2 shows, from the point of view of the operating flow, the basic process of using the established application characteristic set to detect and protect against abnormal software behaviour. As shown in Fig. 2:
Step a': first, intercept the system call;
Step b': judge whether this system call is a behaviour-monitoring request. If so, execute step b1': extract the request information, create the monitoring job entry and initialise the behaviour data structures; then execute step b2': restart the program whose behaviour data was collected (this restart is carried out at application level). If not, go to step c';
Step c': judge whether a monitored program is about to be executed. If so, go to step d'. If not, go to step c1' and judge further whether the current process is a monitored process; if it is, go to step e', otherwise go to step h';
Step d': create a task control entry for this process and link it to the job entry; then go to step e'. Note that step e' is also entered from step c1' when the process is found to be monitored;
Step e': obtain the user stack address of this process and construct the call triple;
Step f': judge whether the triple is in the behaviour set. If it is, go to step g'; if it is not, go to step f1' and carry out error handling, raise an alert, record audit information and so on, after which the flow ends;
Step g': judge whether this call creates a subprocess. If it does, go to step g1' and create a task control entry for the subprocess, linked to the job entry; if it does not, go to step h';
Step h': complete the normal system-call processing. Note that step h' is also entered when the judgement at step c1' is negative, and after step g1' completes.
According to one embodiment of the invention, two queues are used when carrying out the method. The system job control queue: each entry registers the details of a job currently being collected or controlled and holds a pointer to the space containing its behaviour characteristic information. The system task control queue: each entry registers the current task ID, historical context information, control type, layer information, a pointer to the space holding this layer's program behaviour information, the identifier of the job it belongs to, the start time, a pointer to the next queue entry, and so on.
Fig. 3 shows the structure of the system job control queue and the system process control queue according to one embodiment of the invention. When carrying out the method, an operating procedure and mechanism for accurately collecting or monitoring the behaviour characteristic set of a designated program is described, comprising two queues:
(1) the system job control queue: each queue entry registers the details of a job currently being collected or controlled and holds a pointer to the space containing its behaviour characteristic information.
(2) the system process control queue: each queue entry registers the current process ID, historical context information, control type, layer information, a pointer to the space holding this layer's program behaviour information, the identifier of the job it belongs to, the start time, a pointer to the next queue entry, and so on.
Referring to Fig. 3, which depicts the two main control data queues and the relation between them: one is the job control queue, a doubly linked queue. Each queue entry contains the following basic job control information (main fields):
Job name (Object_name): the full path of the application, for example /usr/sbin/vsftpd (the FTP server daemon).
Control type (O_type): collection type or control type.
Behaviour information pointer (O_datap): the address of the data structure holding the job's behaviour characteristic information.
Flags (O_flag): holds the various job flags.
Synchronisation lock (O_lock): synchronises operations on the behaviour information.
Several entries can exist in this queue at once, so several jobs can be collected or monitored simultaneously.
The other queue is the task control queue, also a doubly linked queue. Each queue entry contains the following basic process control information (main fields):
Process ID (p_pid): the process identifier, unique within the system.
Control type (p_type): whether the process is in collection or control mode.
Queue pointer (p_p): points to the behaviour information structure space of this layer.
Layer number (p_level): the layer the process occupies within the job.
Process start time (p_stime): the time at which the process was actually started in the system.
Process call history (p_l): the history of system calls executed by the process.
Several entries can exist in this queue at once; it records the information of all processes belonging to collected or controlled jobs.
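The arbitration of steps 21) to 29), written against the queue fields listed above, as an added example in C that is not the patent's own code. A job control entry (Object_name, O_type, and O_datap reduced to one behaviour set per layer) and a task control entry (p_pid, p_level, p_l and the mapping to its job) are plain user-space structs; `arbitrate()` performs step 26) and `create_subtask()` performs step 27). The program path, the layered behaviour set, the call-site addresses and the i386 Linux call numbers (102 socketcall, 2 fork, 3 read, 4 write, 11 execve) are all constructed for the example; in the patent the set is produced by the collection phase and the interception happens in the kernel.

```c
/* Added example (not the patent's code): a user-space model of the
 * control phase, steps 21-29.  The two queue entries are reduced to the
 * fields the arbitration needs.  Behaviour set, addresses and call
 * numbers are constructed; in the patent the set is produced by the
 * collection phase and interception happens in the kernel. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LAYERS  3
#define MAX_TRIPLES 16
#define MAX_HIST    8

struct triple { unsigned call; uintptr_t addr; unsigned layer; };
struct layer_set { size_t n; struct triple t[MAX_TRIPLES]; };
enum ctl_type { CTL_COLLECT, CTL_CONTROL };

struct job_entry {                        /* system job control queue item */
    const char *name;                     /* Object_name: full program path */
    enum ctl_type type;                   /* O_type: collection or control */
    unsigned nlayers;                     /* layers for which data exists */
    struct layer_set layers[MAX_LAYERS];  /* O_datap: one set per layer */
};

struct task_entry {                       /* system task control queue item */
    int pid;                              /* p_pid */
    unsigned level;                       /* p_level: layer within the job */
    struct job_entry *job;                /* mapping to the job entry (step 24) */
    unsigned hist[MAX_HIST];              /* p_l: recent call numbers */
    size_t nhist;
};

static int set_contains(const struct layer_set *s, struct triple t) {
    for (size_t i = 0; i < s->n; i++)
        if (s->t[i].call == t.call && s->t[i].addr == t.addr && s->t[i].layer == t.layer)
            return 1;
    return 0;
}

/* Step 26: bind the intercepted call, its user-space entry address and the
 * task's layer into a triple and arbitrate it against that layer's set.
 * Returns 1 = legal (continue to step 28), 0 = illegal (step 29). */
int arbitrate(struct task_entry *task, unsigned call, uintptr_t user_entry) {
    struct triple t = { call, user_entry, task->level };
    if (task->nhist < MAX_HIST)
        task->hist[task->nhist++] = call;
    if (task->level >= task->job->nlayers)
        return 0;                         /* no behaviour data for this layer */
    return set_contains(&task->job->layers[task->level], t);
}

/* Step 27: a call that creates a subtask is legal only when the job holds
 * behaviour data for the next layer down; the child task is linked to that
 * layer.  Returns 1 and fills *child on success, 0 (illegal creation) otherwise. */
int create_subtask(const struct task_entry *parent, int child_pid, struct task_entry *child) {
    unsigned next = parent->level + 1;
    if (next >= parent->job->nlayers)
        return 0;
    *child = (struct task_entry){ .pid = child_pid, .level = next, .job = parent->job };
    return 1;
}

/* Constructed two-layer set for a hypothetical forking server: the listener
 * (layer 0) issues socketcall from two sites and fork from one; the
 * per-connection child (layer 1) issues read and write from one site each.
 * i386 Linux call numbers (102 socketcall, 2 fork, 3 read, 4 write) are
 * used only as labels. */
struct job_entry make_demo_job(void) {
    struct job_entry j = { .name = "/usr/sbin/vsftpd", .type = CTL_CONTROL, .nlayers = 2 };
    j.layers[0] = (struct layer_set){ 3, { {102, 0x0804b110u, 0}, {102, 0x0804b1a8u, 0}, {2, 0x0804b2c0u, 0} } };
    j.layers[1] = (struct layer_set){ 2, { {3, 0x0804c014u, 1}, {4, 0x0804c0f2u, 1} } };
    return j;
}

int main(void) {
    struct job_entry job = make_demo_job();
    struct task_entry listener = { .pid = 2001, .level = 0, .job = &job }, child;
    printf("socketcall from a known site:    %d\n", arbitrate(&listener, 102, 0x0804b110u));
    printf("socketcall from an unknown site: %d\n", arbitrate(&listener, 102, 0x0804b114u));
    printf("fork, child task created:        %d\n", create_subtask(&listener, 2002, &child));
    printf("child write: %d, child execve: %d\n",
           arbitrate(&child, 4, 0x0804c0f2u), arbitrate(&child, 11, 0x0804c200u));
    return 0;
}
```

The second socketcall check fails although the call number is identical to a legal one: only the address differs, which is the discrimination the address attribute adds over a model of call numbers alone. The child's execve is refused because no layer-1 triple exists for it, and a third layer cannot be created because the job holds data for only two layers.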
Compared with the conditional-probability method, when this data model is applied to related tasks such as behaviour control it constrains the software's behaviour track without error. While improving detection accuracy it greatly raises recognition efficiency, and it is convenient to implement. It can be used on its own, and when used together with other data sets, for example short-sequence patterns, state attributes or resource attributes, it provides more effective and more flexible support for building the security anomaly monitoring model of an information system. It realises real-time detection and control of application behaviour and blocks vulnerabilities that the application may expose while running, substantially improving the accuracy and efficiency of software behaviour anomaly detection and monitoring.
The above embodiments are provided to enable those familiar with the art to implement or use the invention. Those skilled in the art can make various modifications or variations to the above embodiments without departing from the inventive concept, so the protection scope of the invention is not limited by the above embodiments and should be the widest scope consistent with the inventive features stated in the claims.

Claims (6)

1. A method for detecting and protecting against abnormal software behaviour, characterised in that it comprises:
obtaining a software behaviour together with its address attribute, and establishing a characteristic set corresponding to that software behaviour and its address attribute;
using the established characteristic set to detect and protect against abnormal software behaviour, wherein the characteristic set carries a virtual address space attribute.
2. The method of claim 1, characterised in that obtaining a software behaviour together with its address attribute and establishing the corresponding characteristic set comprises:
determining the system-call inventory and the shared-library address-space range value to be processed, wherein the system-call inventory is the subset of the complete set of system calls that actually needs to be processed, selected as required;
submitting the application object to be collected to the system, and announcing the system-call inventory and the shared-library address-space range value to the system's internal processing mechanism;
starting the application to be collected and running it according to black-box or white-box test requirements;
while the application runs, the system's parallel processing mechanism automatically intercepts the system calls listed in the inventory, obtains in real time the user virtual-space entry address and the layer information of each call, and binds them with the call to construct a call triple;
extracting the behaviour data set collected by the system, which comprises the triples.
3. The method of claim 2, characterised in that determining the shared-library address-space range value further comprises: first determining whether the virtual address of shared libraries in the system is fixed; if it is fixed, explicitly establishing the range the system uses; if the virtual address of shared libraries varies with the application, setting the shared-library virtual address to a specific value.
4. The method of claim 3, characterised in that obtaining a software behaviour together with its address attribute and establishing the corresponding characteristic set specifically comprises:
Step 11) determining the shared-library address-space range value at application level;
Step 12) sending a collection request from application level through the system interface, the request containing the control mode, the application name, the system-call inventory and the shared-library address-space range setting, and creating a system job control queue entry that the system consults when identifying executed programs; establishing the first-layer collection data structure according to the specified collection requirements and completing its initialisation;
Step 13) stopping and restarting the application object to be collected at application level;
Step 14) whenever the system executes a new file, judging from the job control queue created in step 12) whether the program about to run is an object whose behaviour information is to be collected; if not, going to step 19); if so, creating a system task control queue entry for the current task and establishing the mapping between the two queue entries;
Step 15) at the entry of each system call listed in the system-call inventory, judging from the task control queue whether the current task is an object whose behaviour information is being collected; if not, going to step 19); if so, intercepting the current task's system call;
Step 16) checking, against the shared-library address-space range setting, whether the return address of the topmost stack frame falls within the shared-library address space; if it does not, binding this address with the call number to construct the {call, address, layer} triple, recording it in the process data structure of the current process and going to step 18); otherwise continuing with the next step;
Step 17) searching forward through the user stack frame by frame for a user return address until one is found that does not fall within the shared-library address-space range; binding the found return address with the call number to construct the {call, address, layer} triple and recording it in the task data structure of the current task;
Step 18) if the current call does not create a subtask, going to step 19); otherwise first creating a new system task control queue entry for the subtask and searching the current job structure for the structure and space of the next layer down; if they exist, establishing the link and going to the next step, otherwise creating the structure for the next layer down and completing its initialisation;
Step 19) entering the normal system-call processing flow.
5. the method for claim 1 is characterized in that, the described application characteristic of setting up set detects and the securing software abnormal behavior comprises:
Submit the application object of wanting control and treatment to system, and give the internal system treatment mechanism corresponding object characteristic set announcement, wherein, described behavioural characteristic data set crossed belt imaginary space address properties;
Restart the application object of wanting control and treatment;
At the application program run duration, the system monitoring treatment mechanism is discerned the application object that needs control and treatment automatically, and interception system calls the system call of appointment in the inventory, obtain the user's space entry address of respective calls simultaneously, and with call mutually binding and constitute tlv triple { call number, the address, layer };
Tlv triple { call number with structure, the address, layer } compare with the data in the described characteristic set, as comprising this tlv triple in the set, illustrate that this system call is legal, change normal system over to and call execution series, otherwise, think illegal operation, handled according to certain fault processing principle.
6. method as claimed in claim 5 is characterized in that, the described application characteristic of setting up set detects and the securing software abnormal behavior specifically comprises:
Step 21) submits the application object that needs monitoring to by system interface, the individual features data acquisition is provided simultaneously;
Step 22) system therefrom extracts control model information, web application name, system call inventory, the setting of shared library address realm and creates system job controlling queue item according to monitoring request information, uses when carrying out new procedures identification for system; Finish the initialization of monitor data structure according to the characteristic set of the application program of submitting to;
Step 23) stop and restart the application object that will monitor at client layer, and by the normal mode operation;
Step 24) system is when carrying out a new file, according to step 22) the system job controlling queue item set up, whether judgement is the object that will monitor its behavior with the program of carrying out, if not then change step 28), then create system task controlling queue item in this way, set up the mapping relations of two entries in queues simultaneously for current task;
Step 25) in the listed system call of inventory porch, judges according to system process controlling queue item whether current task is the task of monitored behavioural characteristic, as not being then to change step 28); Then intercept and capture current system call in this way;
Step 26) structure of consummatory behavior tlv triple, and to behavior legitimacy enforcement arbitration, as the access arbitration success, continue; Otherwise step 29 is changeed in failure);
Step 27) if current task call and do not wish to create the subtask, then change step 28), otherwise, at first create new system task controlling queue item for the subtask, and search whether have the behavior structure and the attribute information of one deck task down in the current operation behaviour structure, if any, set up the relation of linking and change next step; Otherwise, think that this process creation for illegal, changes step 29);
Wherein said step 28) calls treatment scheme for changing normal system over to; Described step 29) is fault processing and return user program;
Above step 25)-29) repeatedly circulation execution in monitoring the application behavior characteristic information process that will monitor processing, the monitoring application program is according to set behavior framework operation.
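The collection steps 11) and 16) to 17) of claim 4, as an added example in C that is not the patent's own code. `shared_library_range()` derives the shared-library window from text in the /proc/<pid>/maps format (one user-level way to obtain the range of step 11; the claims do not say how it is determined), `user_entry_address()` walks a list of stack return addresses outward until one lies outside that window, and `record_call()` binds it with the call number and layer into {call, address, layer} and adds it to the behaviour set. The maps excerpt, the return-address lists, the 32-bit x86 Linux layout and the i386 call numbers (4 write, 102 socketcall) are constructed; no real process is read.

```c
/* Added example (not the patent's code): the collection steps 11 and
 * 16-17 of claim 4 modelled in user space.  The maps text, the stack
 * return addresses and the call numbers are constructed for a 32-bit x86
 * Linux layout; no real process is inspected. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SET 32

struct addr_range { uintptr_t lo, hi; };        /* window [lo, hi) */
struct triple { unsigned call; uintptr_t addr; unsigned layer; };
struct behaviour_set { size_t n; struct triple t[MAX_SET]; };

/* Step 11: derive the shared-library window from text in /proc/<pid>/maps
 * format.  Every mapping whose line contains `match` (e.g. "/lib/") widens
 * the window.  Returns the number of matching mappings; 0 leaves *out empty. */
int shared_library_range(const char *maps, const char *match, struct addr_range *out) {
    int hits = 0;
    out->lo = (uintptr_t)-1;
    out->hi = 0;
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long lo, hi;
        if (strstr(line, match) && sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            if (lo < out->lo) out->lo = lo;
            if (hi > out->hi) out->hi = hi;
            hits++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (hits == 0) out->lo = out->hi = 0;
    return hits;
}

static int in_range(uintptr_t a, struct addr_range r) { return a >= r.lo && a < r.hi; }

/* Steps 16-17: frames[0] is the return address of the innermost user
 * frame.  Walk outward and return the first address outside the shared
 * library window, i.e. the application-level call site.  Returns 0 when no
 * frame up to the stack base qualifies; the caller then records nothing. */
uintptr_t user_entry_address(const uintptr_t *frames, size_t nframes, struct addr_range lib) {
    for (size_t i = 0; i < nframes; i++)
        if (!in_range(frames[i], lib))
            return frames[i];
    return 0;
}

/* Bind the call number, the attributed address and the task's layer into
 * {call, address, layer} and add it to the set.  Returns 1 if added, 0 if
 * the triple was already present, unattributable, or the set is full. */
int record_call(struct behaviour_set *s, unsigned call, unsigned layer,
                const uintptr_t *frames, size_t nframes, struct addr_range lib) {
    uintptr_t a = user_entry_address(frames, nframes, lib);
    if (a == 0 || s->n == MAX_SET)
        return 0;
    for (size_t i = 0; i < s->n; i++)
        if (s->t[i].call == call && s->t[i].addr == a && s->t[i].layer == layer)
            return 0;
    s->t[s->n++] = (struct triple){ call, a, layer };
    return 1;
}

/* Constructed /proc/<pid>/maps excerpt for a 32-bit server process. */
const char demo_maps[] =
    "08048000-08052000 r-xp 00000000 08:01 4321 /usr/sbin/vsftpd\n"
    "08052000-08053000 rw-p 0000a000 08:01 4321 /usr/sbin/vsftpd\n"
    "b7d80000-b7e00000 rw-p 00000000 00:00 0\n"
    "b7e00000-b7f3c000 r-xp 00000000 08:01 1234 /lib/libc.so.6\n"
    "b7f3c000-b7f40000 rw-p 0013c000 08:01 1234 /lib/libc.so.6\n"
    "b7f50000-b7f6c000 r-xp 00000000 08:01 1111 /lib/ld-linux.so.2\n"
    "bffd0000-bfff0000 rw-p 00000000 00:00 0 [stack]\n";

/* Replay three constructed interceptions of a layer-0 task and return the
 * resulting set.  i386 call numbers (4 write, 102 socketcall) are labels. */
struct behaviour_set collect_demo(void) {
    struct behaviour_set s = { 0 };
    struct addr_range lib;
    shared_library_range(demo_maps, "/lib/", &lib);
    /* write() reached through libc: wrapper -> stdio internals -> app code */
    uintptr_t via_libc[] = { 0xb7e6a1c4u, 0xb7e12f90u, 0x0804a3d2u };
    record_call(&s, 4, 0, via_libc, 3, lib);
    record_call(&s, 4, 0, via_libc, 3, lib);     /* same site again: no new triple */
    /* socketcall() issued directly from application code */
    uintptr_t direct[] = { 0x0804b110u };
    record_call(&s, 102, 0, direct, 1, lib);
    return s;
}

int main(void) {
    struct behaviour_set s = collect_demo();
    for (size_t i = 0; i < s.n; i++)
        printf("{call %u, address %#lx, layer %u}\n",
               s.t[i].call, (unsigned long)s.t[i].addr, s.t[i].layer);
    return 0;
}
```

A return address on the stack (for example 0xbffe1234) lies outside the shared-library window, so injected code issuing a system call is attributed to its own address and, not being in the set, is refused in the control phase even though the call number may be one the program uses. When every frame lies inside the window the walk yields 0, which is treated as unattributable rather than recorded, so no triple with a meaningless address enters the set. Under address-space layout randomisation both the window and the application addresses change between runs, which is why claim 3 pins the shared-library virtual address to a specific value when it is not fixed.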
Application CN2006100258589A, priority date 2006-04-20, filing date 2006-04-20: Software-action description, fetching and controlling method with virtual address space characteristic (granted as CN100407164C, status Active).

Publications (2)

Publication Number  Publication Date
CN1892615A          2007-01-10
CN100407164C        2008-07-30
