Summary of the invention
The present invention aims to provide a software behavior anomaly detection and defense method that describes, acquires and builds a behavior feature information model of a software service program carrying virtual address space attributes, uses this model to detect and defend against abnormal software behavior, and thereby guards against the information security risks caused by "hacker" intrusion and misuse.
According to one aspect of the present invention, a software behavior anomaly detection and defense method is provided, comprising:
acquiring a software behavior and its address attributes and building the corresponding feature data set;
using the built feature data set to detect and defend against abnormal software behavior, wherein the feature data set carries virtual address space attributes.
Preferably, acquiring a software behavior and its address attributes and building the corresponding feature data set comprises:
determining the system call list and the shared library address space range to be processed; wherein
the call list is the subset of the complete system call set that actually needs to be processed, selected according to need;
submitting to the system the application object to be acquired, and announcing the system call list to be processed and the shared library address range to the system's internal processing mechanism;
starting the application whose behavior is to be acquired, and running it according to black-box or "white-box" test requirements;
while the application runs, the system's parallel processing mechanism automatically intercepts the system calls specified in the list, obtains in real time the user-space entry address and layer (hierarchy) information of each call, binds them to the call and constructs the call triple;
extracting the behavior data set collected by the system, processing it according to the specified requirements and storing it.
Determining the shared library address space range further comprises: first determining whether the virtual address of the shared library in the host operating system is fixed; if it is fixed, the usable range the system assigns to the shared library is identified precisely; if the shared library space varies with the application, a particular value is set instead.
According to one embodiment of the invention, acquiring a software behavior and its address attributes and building the corresponding feature data set specifically comprises:
Step 11) determining the shared library address space range at the application layer;
Step 12) transmitting, through the system interface, the collection request information from the user application layer, which includes the control mode information, application name, system call list and shared library address range setting; creating the system job control queue entry, which the system uses for identification when a program is executed; and building and initializing the lower-layer information collection data structure according to the specified collection requirements;
Step 13) terminating and restarting the acquisition target program at the user layer, and running it in the predetermined test mode;
Step 14) when the system executes a new file, judging from the system job control queue built in step 12) whether the program to be executed is an object whose behavior information is to be collected; if not, go to step 19); if so, create a system task control queue entry for the current task and at the same time establish the mapping between the two queue entries;
Step 15) at the entry of each system call listed in the system call list, judging from the system task control queue whether the current task is an object whose behavior information is collected; if not, go to step 19); if so, intercept the current task's system call;
Step 16) according to the shared library address range setting, checking whether the return address of the top stack frame falls within the shared library address space; if not, bind this address to the call number, construct the {call, address, layer} triple, record it in the process data structure of the current process and go to step 18); otherwise continue with the next step;
Step 17) walking the user stack frame by frame in search of the user return address, until an address is found that does not fall within the shared library address range; bind the found return address to the call number, construct the {call, address, layer} triple and record it in the task data structure of the current task;
Step 18) if the current task's call does not intend to create a subtask, go to step 19); otherwise first create a new system task control queue entry for the subtask and search the current job structure for the structure and space of the next-lower layer task; if present, establish the link and go to the next step; otherwise create the structure for the lower-layer task and complete its initialization;
Step 19) entering the normal system call processing flow;
Steps 15) to 19) above are executed repeatedly in a loop while the behavior feature information of the specified service program is acquired; after the complete information data has been obtained, the following processing is entered:
Step 110) extracting, through a dedicated interface, the application behavior feature information collected by the system, and processing and archiving the data in the prescribed format.
Preferably, using the built feature data set to detect and defend against abnormal software behavior comprises:
submitting to the system the application object to be controlled, and announcing the behavior feature data set of the corresponding object to the system's internal processing mechanism, wherein the behavior feature data set carries virtual address space attributes;
restarting the application that requires monitoring;
while the application runs, the system monitoring mechanism automatically identifies the object that needs monitoring, intercepts the system calls specified in the system call list, obtains the user-space entry address of each call, and binds them to the call to form the call/address triple {call number, address, layer};
comparing the constructed triple {call number, address, layer} with the data in the corresponding behavior set; if the set contains the triple, the system call is legal and the normal system call execution sequence is entered; otherwise the operation is considered illegal and handled according to a defined error handling policy.
According to one embodiment of the invention, using the built feature data set to detect and defend against abnormal software behavior specifically comprises:
Step 21) submitting the application object that needs monitoring through the system interface, together with the corresponding behavior control data set;
Step 22) the system extracts from the monitoring request information the control mode information, application name, system call list and shared library address range setting, creates the system job control queue entry, which the system uses for identification when executing a new program, and initializes the monitoring data structure according to the behavior information data structure of the submitted application;
Step 23) stopping and restarting the monitored object program at the user layer, and running it in normal mode;
Step 24) when the system executes a new file, judging from the system job control queue entry built in step 22) whether the program to be executed is an object whose behavior is to be monitored; if not, go to step 28); if so, create a system task control queue entry for the current task and at the same time establish the mapping between the two queue entries;
Step 25) at the entry of each system call listed in the list, judging from the system process control queue entry whether the current task is a task whose behavior features are monitored; if not, go to step 28); if so, intercept the current system call;
Step 26) completing construction of the behavior triple and arbitrating the legitimacy of the behavior; if the access arbitration succeeds, continue; otherwise, on failure, go to step 29);
Step 27) if the current task's call does not intend to create a subtask, go to step 28); otherwise first create a new system task control queue entry for the subtask and search the current job behavior structure for the behavior structure and attribute information of the next-lower layer task; if present, establish the link and go to the next step; otherwise the process creation is considered illegal and go to step 29);
Step 28) entering the normal system call processing flow;
Step 29) error handling and return to the user program.
Steps 25) to 29) above are executed repeatedly in a loop while the behavior feature information of the specified service program is monitored, so that the monitored application runs within the established behavior framework.
In summary, the method of the present invention provides a software behavior description with address attributes, whose fundamental elements are as follows:
The system call is the fundamental element of software behavior. A system call is one of the service interfaces the operating system offers to application-layer software, performing for the application a specific task that can only be completed by the system.
The entry address of the system call within the application, that is, the entry address in the user's virtual address space, is the key feature attribute of that system call.
The hierarchy (layer) information of the task in which the system call occurs is another feature attribute of the call.
The system call triple {call, address, layer} is constructed as the feature description of one software call behavior.
The set of triples of all system calls the application software needs to perform in order to complete its design objective constitutes the behavior data set with address feature attributes of that software.
Compared with the conditional probability method, when this data model is applied to related applications such as behavior control, the method of the present invention can constrain the behavior trajectory of the software without error. Along with improved detection accuracy, recognition efficiency is greatly improved and implementation is convenient. It can be used independently, and when combined with other data sets, for example short sequence patterns, state attributes and resource attributes, it provides a more effective and flexible basis for building the security anomaly monitoring model of an information system. It realizes real-time detection and control of application behavior and blocks application vulnerabilities that may appear during service, significantly improving the accuracy and efficiency of software behavior anomaly detection and monitoring.
Embodiment
The technical solution of the present invention is further described below with reference to specific embodiments.
First, the invention provides a software behavior anomaly detection and defense method comprising: acquiring a software behavior and its address attributes and building the corresponding feature data set; and using the built feature data set to detect and defend against abnormal software behavior, wherein the feature data set carries virtual address space attributes. The method of the invention provides a software behavior description with address attributes, whose fundamental elements are as follows:
1) The system call is the fundamental element of software behavior. A system call is one of the service interfaces the operating system offers to application-layer software, performing for the application a specific task that can only be completed by the system.
2) The entry address of the system call within the application, that is, the entry address in the user's virtual address space, is the key feature attribute of that system call.
3) The hierarchy (layer) information of the task in which the system call occurs is another feature attribute of the call.
4) The system call triple {call, address, layer} is constructed as the feature description of one software call behavior.
5) The set of triples of all system calls the application software needs to perform in order to complete its design objective constitutes the behavior data set with address feature attributes of that software.
The first step, acquiring a software behavior and its address attributes and building the corresponding feature data set, can be implemented as follows.
Reference is made to Fig. 1, which shows the basic process of acquiring a software behavior and its address attributes and building the corresponding feature data set, where the feature data set carries virtual address space attributes. According to the present invention, this step follows the basic process below:
The system call list and the shared library address space range to be processed must be determined. The system call list is the subset of the complete system call set that actually needs to be processed, selected according to need. For the shared library address space, first determine whether the virtual address of the shared library in the host operating system is fixed. Usually, for uniform handling, the system places shared libraries in a fixed region of user space, in which case the usable range the system assigns to the shared library must be identified precisely. If the shared library space varies with the application, a particular value is set instead, for example 0xfffffff.
Submit to the system the application object to be acquired, and announce the system call list to be processed and the shared library address range to the system's internal processing mechanism.
Start the application whose behavior is to be acquired, and run it according to black-box or "white-box" test requirements.
While the application runs, the system's parallel processing mechanism automatically intercepts the system calls specified in the list, obtains in real time the user-space entry address and layer information of each call, and binds them to the call to construct the call triple.
Extract the behavior data set collected by the system, process it according to the specified requirements and store it.
Some points in the above process need explanation:
The shared library address range is determined so that, when the shared library address range is fixed, the system call address attributes of different applications do not coincide, as far as possible.
Implementing this method requires the host operating system to provide a concurrent collection mechanism, or an interface to such a mechanism.
Different test modes must be adopted according to actual needs in order to guarantee the behavior set, and attack tests must be avoided during this period.
The final data is a system call sequence set carrying attributes such as the virtual address space address.
According to one embodiment of the invention, collecting and producing the feature data set comprises: building a mechanism in the system kernel that fully monitors the running of a specified application, obtains the program's behavior feature information set according to the settings, and after analysis and processing builds the application's triple system call sequence behavior feature model; the specific steps are as follows:
Step 11) determining the shared library address space range (at the application layer) by means of system tools or technical documentation.
Step 12) transmitting, through the system interface, the collection request information from the user application layer, which includes the control mode information, application name, system call list and shared library address range setting; creating the system job control queue entry, which the system uses for identification at execution; and building the lower-layer information collection data structure according to the specified collection requirements and completing its initialization.
Step 13) terminating and restarting the acquisition target program at the user layer, and running it in the predetermined test mode.
Step 14) when the system executes a new file, judging from the system job control queue built in step 12) whether the program to be executed is an object whose behavior information is to be collected; if not, go to step 19); if so, create a system task control queue entry for the current task and at the same time establish the mapping between the two queue entries.
Step 15) at the entry of each system call (listed in the list), judging from the system task control queue whether the current task is an object whose behavior information is collected; if not, go to step 19); if so, intercept the current task's system call.
Step 16) according to the shared library address range setting, checking whether the return address of the top stack frame falls within the shared library address space; if not, bind this address to the call number, construct the {call, address, layer} triple, record it in the process data structure of the current process and go to step 18); otherwise continue.
Step 17) walking the user stack frame by frame in search of the user return address, until an address is found that does not fall within the shared library address range; bind the found return address to the call number, construct the {call, address, layer} triple and record it in the task data structure of the current task.
Step 18) if the current task's call does not intend to create a subtask, go to step 19); otherwise first create a new system task control queue entry for the subtask and search the current job structure for the structure and space of the next-lower layer task; if present, establish the link and go to the next step; otherwise create the structure for the lower-layer task and complete its initialization.
Step 19) entering the normal system call processing flow.
Steps 15) to 19) above are executed repeatedly in a loop while the behavior feature information of the specified service program is acquired; after comparatively complete information data has been obtained, the following processing is entered:
Step 110) extracting, through a dedicated interface, the application behavior feature information collected by the system, and processing and archiving the data in the prescribed format.
Fig. 1 shows, from the point of view of the operating flow, the basic process of acquiring a software behavior and its address attributes and building the corresponding feature data set. As shown in Fig. 1:
Step a: first, intercept the system call;
Step b: judge whether this system call is a behavior collection request; if so, perform step b1: extract the information, create the monitoring job entry and initialize the behavior data structure; then step b2 must also be performed: restart the program whose behavior data is collected (this restart is carried out at the application layer). If not, go to step c;
Step c: judge whether a monitored program is being executed; if so, go to step d; if not, go to step c1 and further judge whether this process is a collected process; if so, go to step c2 and establish the link with the task entry related to this process; if not, go to step i;
Step d: create a task control entry for this process and link it with the job entry; then go to step e. Note that step e is also entered after step c2 above completes;
Step e: obtain the user stack address of this process and construct the call triple;
Step f: judge whether this triple is in the behavior set; if the judgment result is yes, go to step g; if no, skip step g and go directly to step h;
Step g: save the data of this triple in the behavior set;
Step h: judge whether this call creates a subprocess; if so, go to step h1: create a task control entry for the subprocess and link it with the job entry; if not, go to step i;
Step i: complete the normal system call task. Note that step i is also entered from step c1 above when the judgment result is no, and after step h1 completes.
The second step of the method of the present invention, using the built feature data set to detect and defend against abnormal software behavior, can be implemented as follows:
Reference is made to Fig. 2, which shows the basic process of using the built feature data set to detect and defend against abnormal software behavior, where the feature data set carries virtual address space attributes. According to the present invention, this step follows the basic process below:
Submit to the system the application object to be controlled, and announce the behavior feature data set of the corresponding object, carrying virtual address space attributes, to the system's internal processing mechanism; the behavior feature set can be acquired and built as described in the first step above;
Restart the application that requires monitoring;
While the application runs, the system monitoring mechanism automatically identifies the object that needs monitoring, intercepts the system calls specified in the list, obtains the user-space entry address of each call, and binds them to the call to form the call/address triple {call number, address, layer};
Compare the constructed triple {call number, address, layer} with the data in the corresponding behavior set; if the set contains the triple, the system call is legal and the normal system call execution sequence is entered. Otherwise the operation is considered illegal and handled according to a defined error handling policy.
According to one embodiment of the invention, implementing monitoring with the behavior data set comprises: establishing a control mechanism in the system kernel that fully monitors the running of a specified application, intercepts the program's behavior feature information with address attributes according to the settings, performs access arbitration after analysis and processing, and acts according to the arbitration result; the specific steps are as follows:
Step 21) submitting the application object that needs monitoring through the system interface, together with the corresponding behavior control data set.
Step 22) the system extracts from the monitoring request information the control mode information, application name, system call list and shared library address range setting, creates the system job control queue entry, which the system uses for identification when executing a new program, and initializes the monitoring data structure according to the behavior information data structure of the submitted application.
Step 23) stopping and restarting the monitored object program at the user layer, and running it in normal mode.
Step 24) when the system executes a new file, judging from the system job control queue entry built in step 22) whether the program to be executed is an object whose behavior is to be monitored; if not, go to step 28); if so, create a system task control queue entry for the current task and at the same time establish the mapping between the two queue entries.
Step 25) at the entry of each system call listed in the list, judging from the system process control queue entry whether the current task is a task whose behavior features are monitored; if not, go to step 28); if so, intercept the current system call.
Step 26) completing construction of the behavior triple and arbitrating the legitimacy of the behavior. If the access arbitration succeeds, continue; otherwise, on failure, go to step 29).
Step 27) if the current task's call does not intend to create a subtask, go to step 28); otherwise first create a new system task control queue entry for the subtask and search the current job behavior structure for the behavior structure and attribute information of the next-lower layer task. If present, establish the link and go to the next step; otherwise the process creation is considered illegal and go to step 29).
Step 28) entering the normal system call processing flow.
Step 29) error handling and return to the user program.
Steps 25) to 29) above are executed repeatedly in a loop while the behavior feature information of the specified service program is monitored, so that the monitored application runs within the established behavior framework.
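As an added illustration (not code from the patent), the following C sketch implements in user space the triple construction of steps 16 and 17 (skipping return addresses inside the shared library range), the acquisition of triples into a behavior set, and the arbitration of steps 26 and 29; the shared library range, stack frame addresses, call numbers and process layers are constructed values, not taken from any real system.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One behaviour triple {call, address, layer}: system call number, the user
 * virtual-space address that issued it (shared library frames skipped as in
 * steps 16 and 17) and the layer of the task within the job. */
typedef struct {
    int       call;
    uintptr_t address;
    int       layer;
} triple_t;

/* Shared library address range [lo, hi). If the library base varies with the
 * application the text substitutes a particular value; an empty range here
 * has the same effect of never skipping a frame. */
typedef struct { uintptr_t lo, hi; } shlib_range_t;

#define MAX_TRIPLES 256
typedef struct {
    triple_t items[MAX_TRIPLES];
    size_t   count;
} behaviour_set_t;

/* Steps 16/17: frames[0] is the return address of the top stack frame; walk
 * towards older frames until one lies outside the shared library range.
 * Returns that address, or 0 if every frame was inside the library. */
uintptr_t select_user_address(const uintptr_t *frames, size_t nframes,
                              const shlib_range_t *r) {
    for (size_t i = 0; i < nframes; i++)
        if (frames[i] < r->lo || frames[i] >= r->hi)
            return frames[i];
    return 0;
}

/* Bind call number, selected user address and layer into one triple. */
triple_t make_triple(int call, const uintptr_t *frames, size_t nframes,
                     int layer, const shlib_range_t *r) {
    triple_t t = { call, select_user_address(frames, nframes, r), layer };
    return t;
}

bool set_contains(const behaviour_set_t *s, const triple_t *t) {
    for (size_t i = 0; i < s->count; i++)
        if (s->items[i].call == t->call && s->items[i].address == t->address &&
            s->items[i].layer == t->layer)
            return true;
    return false;
}

/* Acquisition: record the triple; false if already present or the set is full. */
bool set_learn(behaviour_set_t *s, const triple_t *t) {
    if (set_contains(s, t) || s->count >= MAX_TRIPLES) return false;
    s->items[s->count++] = *t;
    return true;
}

/* Monitoring (step 26): a triple in the set is legal; anything else is an
 * illegal operation handed to error handling (step 29). */
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

verdict_t arbitrate(const behaviour_set_t *s, const triple_t *t) {
    return set_contains(s, t) ? VERDICT_ALLOW : VERDICT_DENY;
}

/* Constructed demonstration: acquire two call sites, then arbitrate three
 * monitored events. Returns how many events were denied. */
int demo_deny_count(void) {
    const shlib_range_t libc = { 0xb7e00000u, 0xb7f00000u }; /* constructed range */
    behaviour_set_t set;
    memset(&set, 0, sizeof set);
    /* Acquisition. Frames: libc wrapper first, then the program's own code.
     * Addresses and call numbers are illustrative, not taken from a system. */
    uintptr_t write_site[] = { 0xb7e4a123u, 0x08048a10u };
    uintptr_t read_site[]  = { 0xb7e4a0f0u, 0x08048a30u };
    triple_t t_write = make_triple(4, write_site, 2, 0, &libc);
    triple_t t_read  = make_triple(3, read_site,  2, 0, &libc);
    set_learn(&set, &t_write);
    set_learn(&set, &t_read);

    /* Monitoring: a known call from its known site, the same call from a site
     * never seen during acquisition, and a call number never seen at all. */
    uintptr_t unknown_site[] = { 0xb7e4a123u, 0x0804b200u };
    triple_t events[3];
    events[0] = make_triple(4,  write_site,   2, 0, &libc);
    events[1] = make_triple(4,  unknown_site, 2, 0, &libc);
    events[2] = make_triple(11, read_site,    2, 0, &libc);

    int denied = 0;
    for (int i = 0; i < 3; i++) {
        verdict_t v = arbitrate(&set, &events[i]);
        printf("call %d at %#lx layer %d: %s\n", events[i].call,
               (unsigned long)events[i].address, events[i].layer,
               v == VERDICT_ALLOW ? "allow" : "deny");
        if (v == VERDICT_DENY) denied++;
    }
    return denied; /* 2 */
}
```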
Fig. 2 shows, from the point of view of the operating flow, the basic process of using the built feature data set to detect and defend against abnormal software behavior. As shown in Fig. 2:
Step a': first, intercept the system call;
Step b': judge whether this system call is a behavior monitoring request; if so, perform step b1': extract the information, create the monitoring job entry and initialize the behavior data structure; then step b2' must also be performed: restart the program whose behavior data is collected (this restart is carried out at the application layer). If not, go to step c';
Step c': judge whether a monitored program is being executed; if so, go to step d'; if not, go to step c1' and further judge whether this process is a monitored process; if so, go to step e'; if not, go to step h';
Step d': create a task control entry for this process and link it with the job entry; then go to step e'. Note that step e' is also entered after step c1' above completes;
Step e': obtain the user stack address of this process and construct the call triple;
Step f': judge whether this triple is in the behavior set; if the judgment result is yes, go to step g'; if no, go to step f1' and perform error handling, alarming, audit record logging and the like, after which this step ends;
Step g': judge whether this call creates a subprocess; if so, go to step g1': create a task control entry for the subprocess and link it with the job entry; if not, go to step h';
Step h': complete the normal system call task. Note that step h' is also entered from step c1' above when the judgment result is no, and after step g1' completes.
According to one embodiment of the invention, two queues are used in carrying out the method: the system job control queue, each entry of which registers the specific information of a job currently to be acquired or controlled and includes a pointer to the space holding the behavior feature information; and the system task control queue, each entry of which registers the current task ID, historical context information, control type, layer information, the pointer to the space holding this layer's program behavior information, the affiliated job identification, the start time, the pointer to the next queue entry, and so on.
Fig. 3 is a structural diagram of the system job control queue and the system process control queue according to one embodiment of the invention. In carrying out the method of the invention, an operating procedure and mechanism for precisely acquiring or monitoring the behavior feature set of a specified program is described, in which two queues are used:
(1) System job control queue: each entry registers the specific information of a job currently to be acquired or controlled, and includes a pointer to the space holding the behavior feature information.
(2) System process control queue: each entry registers the current process ID, historical context information, control type, layer information, the pointer to the space holding this layer's program behavior information, the affiliated job identification, the start time, the pointer to the next queue entry, and so on.
Reference is made to Fig. 3, which depicts the two main control data queues described above and the relation between them. One is the job control queue, a doubly linked queue; each entry of the queue structure contains the following basic job control information (main fields):
Job name (Object_name): the full path name of the specific application, for example /usr/sbin/vsftpd (the FTP file server daemon).
Control type (O_type): acquisition type or control type.
Pointer to the behavior information structure (O_datap): the address of the data structure holding the job's behavior feature information.
Flag information (O_flag): holds the various job flags.
Synchronization lock (O_lock): used to synchronize operations on the behavior information.
This queue can hold several entries at once, so that several jobs can be acquired or monitored simultaneously.
The other queue is the task control queue, also a doubly linked queue; each entry of the queue table structure contains the following basic process control information (main fields):
Process identification number (p_pid): the process ID, unique within the system.
Control type (p_type): indicates whether the process is in acquisition or controlled mode.
Queue pointer (p_p): points to the behavior information structure space of this layer.
Layer number (p_level): the level at which the process resides within the job.
Process start time (p_stime): the time at which the process actually started in the system.
Process call history (p_l): the history of system calls executed by the process.
This queue can hold several entries at once, and records the associated process information of all acquired or controlled jobs.
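An added example (not the patent's own code) modelling the two queues of Fig. 3 with the field names listed above, together with the job lookup of steps 14/24, the task lookup of steps 15/25 and the child-creation handling of steps 18 and 27, in which acquisition mode creates a missing lower-layer structure while control mode rejects a layer never seen during acquisition. The behaviour_info_t per-layer presence flags, the use of /usr/sbin/vsftpd as the registered job, and the process ids are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define MAX_LAYERS 4
/* Behaviour information of a job, reduced to one presence flag per task layer
 * (assumed structure; the per-layer triple spaces themselves are not modelled). */
typedef struct { bool layer_present[MAX_LAYERS]; } behaviour_info_t;
typedef enum { O_TYPE_ACQUIRE = 1, O_TYPE_CONTROL = 2 } o_type_t;

/* System job control queue entry (Fig. 3), field names as in the text. */
typedef struct job_entry {
    char              Object_name[128]; /* full path, e.g. /usr/sbin/vsftpd */
    o_type_t          O_type;           /* acquisition or control type */
    behaviour_info_t *O_datap;          /* behaviour information structure */
    unsigned          O_flag;           /* job flags */
    int               O_lock;           /* synchronisation lock (stand-in) */
    struct job_entry *prev, *next;      /* doubly linked circular queue */
} job_entry_t;

/* System task (process) control queue entry (Fig. 3). */
typedef struct task_entry {
    int                p_pid;    /* unique process id */
    o_type_t           p_type;   /* acquired or controlled */
    behaviour_info_t  *p_p;      /* behaviour information space of this layer */
    int                p_level;  /* layer of the process within the job */
    time_t             p_stime;  /* process start time */
    int                p_l[8];   /* recent system call history (not used here) */
    job_entry_t       *job;      /* affiliated job */
    struct task_entry *prev, *next;
} task_entry_t;

static job_entry_t  job_head  = { .prev = &job_head,  .next = &job_head  };
static task_entry_t task_head = { .prev = &task_head, .next = &task_head };

#define QUEUE_APPEND(head, e) do { (e)->next = (head); (e)->prev = (head)->prev; \
                                   (head)->prev->next = (e); (head)->prev = (e); } while (0)

/* Steps 12/22: register a job to be acquired or controlled. */
job_entry_t *job_register(const char *path, o_type_t type, behaviour_info_t *info) {
    job_entry_t *j = calloc(1, sizeof *j);
    if (!j) return NULL;
    strncpy(j->Object_name, path, sizeof j->Object_name - 1);
    j->O_type = type; j->O_datap = info;
    QUEUE_APPEND(&job_head, j);
    return j;
}

/* Steps 14/24: when a new file is executed, is it a registered job? */
job_entry_t *job_lookup(const char *path) {
    for (job_entry_t *j = job_head.next; j != &job_head; j = j->next)
        if (strcmp(j->Object_name, path) == 0) return j;
    return NULL;
}

/* Steps 15/25: is the current task an acquired or monitored task? */
task_entry_t *task_lookup(int pid) {
    for (task_entry_t *t = task_head.next; t != &task_head; t = t->next)
        if (t->p_pid == pid) return t;
    return NULL;
}

/* Steps 14/24: create the task entry and map it to its job entry. */
task_entry_t *task_create(int pid, job_entry_t *job, int level) {
    task_entry_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->p_pid = pid; t->p_type = job->O_type; t->p_p = job->O_datap;
    t->p_level = level; t->p_stime = time(NULL); t->job = job;
    QUEUE_APPEND(&task_head, t);
    return t;
}

/* Steps 18 (acquisition) and 27 (control): the current task creates a child one
 * layer down. Acquisition creates a missing lower-layer structure; control treats
 * a layer never seen during acquisition as an illegal creation and returns NULL. */
task_entry_t *task_on_child_create(task_entry_t *parent, int child_pid) {
    int lvl = parent->p_level + 1;
    behaviour_info_t *info = parent->job->O_datap;
    if (lvl >= MAX_LAYERS) return NULL;
    if (!info->layer_present[lvl]) {
        if (parent->job->O_type == O_TYPE_CONTROL) return NULL; /* step 27 -> step 29 */
        info->layer_present[lvl] = true;                         /* step 18 */
    }
    return task_create(child_pid, parent->job, lvl);
}

/* Constructed demonstration: acquisition sees a daemon (layer 0) fork one worker
 * (layer 1); under control the same job may fork a worker, but a grandchild at
 * layer 2 was never acquired and is rejected. Pids and path are illustrative. */
bool demo_control_rejects_unseen_layer(void) {
    static behaviour_info_t info = { .layer_present = { true } }; /* layer 0 from step 12 */
    job_entry_t *job = job_register("/usr/sbin/vsftpd", O_TYPE_ACQUIRE, &info);
    task_entry_t *d = task_create(100, job_lookup("/usr/sbin/vsftpd"), 0);
    task_entry_t *w = task_on_child_create(d, 101);
    if (!w || w->p_level != 1) return false;
    job->O_type = O_TYPE_CONTROL; /* switch to control using the acquired information */
    task_entry_t *d2 = task_create(200, job, 0);
    task_entry_t *w2 = task_on_child_create(d2, 201);             /* layer 1 seen: allowed */
    task_entry_t *g2 = w2 ? task_on_child_create(w2, 202) : NULL; /* layer 2 unseen: illegal */
    return w2 != NULL && g2 == NULL;
}
```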
The foregoing description is provided to enable those skilled in the art to implement or use the present invention; those skilled in the art can make various modifications or variations to the above embodiments without departing from the inventive concept of the present invention. The protection scope of the present invention is therefore not limited by the above embodiments, but should be the widest scope consistent with the inventive features mentioned in the claims.