Embodiment
The inventor analysed in depth why an existing IPS cannot effectively detect malicious RPC service calls when a client binds multiple UUIDs during an RPC procedure, and found the reason to be the following. In an RPC invocation, the client must first register a UUID and obtain the port number corresponding to that UUID before the connection that provides the service is established. Existing IPS designs therefore rest on the premise that only one UUID is bound in an RPC invocation, that is, in the TCP session connection that carries the RPC content, so the IPS only has to inspect the first UUID carried in that session to protect against malicious RPC calls.
A malicious client, however, can evade detection by binding multiple UUIDs in one RPC call: as long as the RPC service corresponding to the first UUID is permitted, the IPS concludes that the RPC call is not malicious. A malicious client can bind multiple UUIDs in one RPC call in several ways, for example by using the Alter Context option of RPC to call the RPC services of several different UUIDs within one TCP session connection, or by carrying several UUIDs in one TCP session connection where the first UUID corresponds to a service the server does not support.
Based on the above analysis of evasion by binding multiple UUIDs during an RPC procedure, the inventor provides a method for detecting malicious RPC call behavior.
The main implementation principle of the technical solution of the embodiments of the invention, the embodiments themselves, and the beneficial effects that can be achieved are described in detail below with reference to the accompanying drawings.
As shown in Figure 1, the main implementation flow of the embodiment of the invention is as follows:
Step 10: when the client queries the server for the high port corresponding to an RPC service, record the UUIDs of all RPC services requested by this client.
Optionally, because the address or port of the client is normally fixed, a security device deployed between the client and the server can obtain the UUIDs of all RPC services requested by each client by monitoring the traffic of a predetermined query port on the server, such as port 135. The security device includes but is not limited to an IPS and a firewall.
Step 20: during the RPC procedure, parse the data packets transmitted in the session connection between the client and the server, and obtain the RPC stream carried in the session connection.
The payload portion of each TCP data packet in a TCP session connection can carry data of upper-layer protocols such as the session layer and the application layer; by performing protocol analysis on the payload of each TCP data packet in the session connection, the RPC stream carried by the packets exchanged between the client and the server in that session connection can be obtained.
Because the security device cannot know in advance which port the RPC service will use, it usually allows packets to all high ports to pass; to ensure protection, the security device therefore needs to monitor the session connections on all high ports of the server.
Step 30: from the recorded UUIDs and the RPC stream, obtain all UUIDs related to the RPC procedure.
The security device in the solution provided by this embodiment parses the RPC stream and obtains all UUIDs bound in that stream, rather than stopping as soon as the first UUID has been parsed, as in the prior art.
Step 40: query the policy library and judge whether each obtained UUID related to the RPC procedure complies with a predetermined control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Specifically, the policy library and the query conditions can be configured according to the security level required of the network environment in which the security device (an IPS or a firewall, for example) is deployed. For a network environment with higher security requirements, a normal control policy can be configured in the policy library; the normal control policy comprises the UUIDs related to normal RPC procedures, and if at least one UUID related to the client's RPC procedure is judged not to comply with the normal control policy, the client is determined to have performed malicious RPC behavior. For a network environment with lower security requirements, an abnormal control policy can be configured in the policy library; the abnormal control policy comprises the UUIDs related to malicious RPC behavior, and if at least one UUID related to the client's RPC procedure is judged to comply with the abnormal control policy, the client is determined to have performed malicious RPC behavior; as long as no UUID complies with the abnormal control policy, the client is considered to have performed normal RPC behavior.
Optionally, after detecting that the client has performed malicious RPC behavior, the method further comprises blocking the data packets corresponding to the malicious RPC behavior in the TCP session connection, or blocking the TCP session connection itself.
In the detection method for malicious RPC behavior provided by the embodiment of the invention, the payload content of the data packets in the TCP session connection is parsed to obtain all UUIDs bound by the client in the RPC procedure, and the legitimacy of each of these UUIDs is checked against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This eliminates the possibility of a client evading detection by the security device by binding multiple UUIDs, improves the effectiveness with which the security device detects malicious RPC behavior, and thus strengthens the security of the protected RPC server.
An embodiment is described in detail below to elaborate and explain the main implementation principle of the method of the invention in accordance with the inventive principle set out above.
Figure 2 is a schematic diagram of the network deployment structure provided by the embodiment of the invention. The security device is deployed between the client and the server, and the data packets exchanged between the client and the server can only be delivered to the other side after passing the detection of the security device. Figure 2 gives examples of several packet forwarding processes in chronological order. The security device includes but is not limited to an IPS, a firewall, and so on. There may of course be multiple clients and servers; for brevity, Figures 2 and 3 are described with one client and one server as an example.
Figure 3 is a detailed flowchart of the detection method for malicious RPC behavior provided by the embodiment of the invention.
Step 301: the security device obtains the interface query request of client ClientA by monitoring the traffic of a predetermined query port on the server (such as port 135).
Optionally, when the client queries the server for the high port number corresponding to the UUID of an RPC service, the Packet Flag field in the transmitted interface query request is set to 0x03 (in the DCE/RPC connection-oriented header, 0x03 is the combination of the first-fragment and last-fragment flags, so a request carrying 0x03 is complete in a single fragment). The security device can identify the query request by feature fields including the Packet Flag field.
If the content of the Packet Flag field is not 0x03, the packet payload carries fragment data (sometimes the number of UUIDs queried is large and they cannot be carried in one packet); the security device then splices and reassembles the fragment data sent by the client so as to reconstruct the complete query request.
Step 302: the security device performs protocol analysis on the interface query request of client ClientA, and obtains and records the UUIDs of all RPC services requested by this client.
Optionally, the security device can store the UUIDs requested by the client in the form of a record table, a singly linked list, a tree, or the like. When a record table is used, it is as shown in Table 1.
Table 1
Optionally, because the server does not support the RPC services corresponding to all of the UUIDs requested by the client, and will not provide a service that the client requests but the server does not support, step 303 can be performed to delete entries from Table 1 in order to lighten the subsequent traffic monitoring burden of the security device.
Step 303: the security device performs protocol analysis on the interface query response returned by the server, obtains whether the server supports each UUID requested by the client, and deletes from the record the UUIDs of the RPC services that the server does not support.
If the server supports the service corresponding to a UUID carried in the query request sent by the client, it returns the corresponding high port number in the query response; otherwise it returns rejection information, such as Provider rejection (0x02). If the security device can obtain from the query response the high port number corresponding to a UUID, the server supports the RPC service identified by that UUID; otherwise the server does not support the RPC service identified by that UUID.
In this embodiment the server does not support the RPC services corresponding to UUID121 and UUID80; Table 2 is the result after deleting them from Table 1.
Table 2
Step 304: the client establishes a TCP session connection with the server according to the high port number corresponding to the queried UUID. The RPC stream is carried through the TCP session connection between the server and the client, exchanging parameters and data, so that the RPC service is provided.
The process by which the server provides the RPC service to the client through the RPC stream is as follows:
Step 401: the client sends "sequence number of the UUID + operator" to the server, where the sequence number is the order in which the client sent the UUID during the interface query stage;
The operators include but are not limited to: the operator "w" corresponding to a write operation, the operator "r" corresponding to a read operation, the operator "q" corresponding to a query operation, and so on.
Step 402: the server performs the corresponding processing according to "sequence number + operator";
Step 403: when the processing corresponding to "sequence number + operator" requires information to be returned to the client, the server returns the processing result to the client;
For example, when the operator is "r", corresponding to a read operation, the server needs to return the data read to the client; when the operator is "w", corresponding to a write operation, the server needs to return the success or failure of the write to the client.
Steps 401 to 403 can be repeated many times, and the sequence number and operator sent by the client can differ each time.
Step 305: the security device parses the data packets transmitted in the TCP session connection between the client and the server that passes through it, and obtains the RPC stream.
The security device performs IP fragment reassembly on the packets sent by the client that pass through it, then performs session content reassembly on that basis, and then performs protocol analysis on the session content to obtain the RPC stream.
The security device obtains all UUIDs related to the client's RPC procedure through steps 306 to 308.
Step 306: the security device parses the sequence number of each RPC service carried in the RPC stream.
Optionally, the security device can also parse from the RPC stream the operator corresponding to each sequence number.
For example, the security device obtains S1, S2+"r", S3+"w" from the RPC stream between client ClientA and the server.
Step 307: according to the order in which the UUIDs were recorded, the security device obtains the sequence number corresponding to each recorded UUID and saves the correspondence between UUIDs and sequence numbers, as shown in Table 3.
Table 3
Step 308: for each parsed sequence number, the security device looks up the corresponding UUID in the saved correspondence, thereby obtaining all UUIDs related to the RPC procedure.
Optionally, the lookup can also yield the combinations of UUID and operator related to the RPC procedure.
For example, the UUIDs related to the RPC procedure and the combinations of UUID and operator obtained by the lookup are: UUID2, UUID75+"r", UUID105+"w".
Step 309: the security device queries the policy library and judges whether each UUID related to this RPC procedure complies with the predetermined control policy, thereby detecting whether the client has performed malicious RPC behavior; if so, proceed to step 310, otherwise proceed to step 311.
Optionally, it is also judged whether each combination of UUID and operator related to this RPC procedure complies with the predetermined control policy.
The specific detection modes include but are not limited to the following two:
Mode one: if the policy library contains a normal control policy, which comprises the UUIDs related to normal RPC behavior, then if the security device judges that at least one UUID related to this RPC behavior does not comply with the normal control policy, it determines that the client has performed malicious RPC behavior.
The normal policy library is as shown in Table 4.
Table 4
By querying it, the security device finds that, among the UUIDs and the combinations of UUID and operator related to ClientA's RPC behavior, UUID2 complies with policy 1 and UUID75+"r" complies with policy 2, but UUID105+"w" does not comply with policy 3, because policy 3 stipulates that only read operations are allowed on the RPC service identified by UUID105, whereas ClientA attempts a write operation on that service. Because policy 3 is not complied with, the security device determines that ClientA has performed malicious RPC behavior.
Mode two:
If the policy library contains an abnormal control policy, which comprises the UUIDs related to malicious RPC behavior, then if the security device judges that at least one UUID related to this RPC procedure complies with the abnormal control policy, it determines that the client has performed malicious RPC behavior.
The abnormal policy library is as shown in Table 5.
Table 5
By querying it, the security device finds that, among the UUIDs and the combinations of UUID and operator related to ClientA's RPC behavior, UUID2 complies with policy 4 and UUID75+"r" complies with policy 5; UUID105+"w" does not comply with policy 6, because policy 6 stipulates that read operations are not allowed on the RPC service identified by UUID105, whereas the write operation ClientA attempts on that service is permitted. Because policies 4 and 5 are complied with, the security device determines that ClientA has performed malicious RPC behavior.
It should be noted that the specific detection modes are not limited to the two above and can be configured flexibly. For example, the normal control policy can be applied to the UUIDs within a first preset range, such as the UUIDs in the range 0 to 100 and the combinations of UUID and operator within that range, and the abnormal control policy to the UUIDs within a second preset range, such as the UUIDs in the range 101 to 200 and the combinations of UUID and operator within that range.
Step 310: after detecting that the client has performed malicious RPC behavior, the security device blocks the data packets corresponding to the malicious RPC behavior.
Specifically, the security device blocks the data packets corresponding to the malicious RPC behavior; when mode one is used for detection in step 309, it blocks the packets with which ClientA attempts a write operation on the RPC service identified by UUID105. The security device can of course also apply other control measures to the client according to a preconfigured blocking policy; for example, once malicious RPC behavior by the client is detected, it can block all packets in this TCP session connection of the client, add the identity of the client (user name, address, and so on) to a blacklist, and the like.
Step 311: if the security device detects that the client has not performed malicious RPC behavior, it allows the RPC stream to pass through, and the server provides the remote RPC service to the client.
In the detection method for malicious RPC behavior provided by the embodiment of the invention, the security device arranged between the client and the server parses the data packets in the TCP session connection that passes through it, obtains the RPC stream of the RPC procedure carried out between the client and the server, and obtains from it all UUIDs bound by the client in the RPC procedure; it checks the legitimacy of each of these UUIDs against the policies in the policy library, and only when all UUIDs comply with the normal control policy, or when no UUID complies with the abnormal control policy, does it confirm that the client's RPC behavior is normal; otherwise it confirms that the client has performed malicious RPC behavior. This eliminates the possibility of a client evading IPS detection by binding multiple UUIDs, improves the effectiveness with which the IPS detects malicious RPC behavior, and thus strengthens the security of the protected RPC server.
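The flow of steps 10 to 40, and its detailed form in steps 301 to 311, can be shown end to end on the real wire format. The following is an added example, not the patent's own code: it parses a DCE/RPC (MS-RPC) connection-oriented stream, reassembles fragments by call_id using the first-fragment and last-fragment bits of the flags field (the 0x03 case of step 301), collects the interface UUID of every presentation context announced in bind and alter_context PDUs (the Alter Context evasion described above), maps each request PDU to its UUID through the context ID, and evaluates the calls under a normal (allow-list) or abnormal (deny-list) policy. It assumes that the patent's "sequence number" corresponds to the presentation context ID and its "operator" to the request opnum; the interface UUIDs, the sample stream and the policy tables are constructed for the example and are not the tables of the patent. On the sample session the prior-art first-UUID-only check passes while the all-UUID check flags it.

```python
"""Added example (not the patent's own code): extract every interface UUID bound in a
DCE/RPC (MS-RPC) TCP session and check each call against a policy library instead of
stopping at the first UUID.  Wire layout follows the DCE 1.1 RPC connection-oriented PDU
format; the sample stream, interface UUIDs and policies are constructed, not captured."""
import struct
import uuid

PT_REQUEST, PT_BIND, PT_ALTER_CONTEXT = 0x00, 0x0B, 0x0E  # ptype values
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02                 # pfc_flags bits; 0x03 = both
HDR = struct.Struct("<BBBB4sHHI")  # vers, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax

def split_pdus(stream: bytes):
    """Yield (ptype, pfc_flags, call_id, body) for each raw PDU fragment in the stream."""
    off = 0
    while off + HDR.size <= len(stream):
        vers, _, ptype, flags, _, frag_len, auth_len, call_id = HDR.unpack_from(stream, off)
        if vers != 5 or frag_len < HDR.size or off + frag_len > len(stream):
            raise ValueError(f"malformed PDU at offset {off}")
        yield ptype, flags, call_id, stream[off + HDR.size:off + frag_len - auth_len]
        off += frag_len

def reassemble(stream: bytes):
    """Join fragments that share a call_id until PFC_LAST_FRAG; flags 0x03 = complete in one."""
    pending = {}
    for ptype, flags, call_id, body in split_pdus(stream):
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = (ptype, bytearray())
        if call_id not in pending:
            raise ValueError(f"continuation fragment for unknown call_id {call_id}")
        pending[call_id][1].extend(body)
        if flags & PFC_LAST_FRAG:
            ptype, full = pending.pop(call_id)
            yield ptype, bytes(full)

def parse_contexts(body: bytes) -> dict:
    """bind / alter_context body -> {presentation context id: interface UUID}."""
    n_ctx, off, ctxs = body[8], 12, {}  # skip max_xmit, max_recv, assoc_group, count+pad
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", body, off)
        ctxs[ctx_id] = str(uuid.UUID(bytes_le=body[off + 4:off + 20]))
        off += 4 + 20 + 20 * n_ts  # elem header, abstract syntax, n transfer syntaxes
    return ctxs

def bound_calls(stream: bytes):
    """Return ({ctx_id: uuid}, [(uuid, opnum), ...]) for the whole session, including
    contexts added mid-session by alter_context, which a first-UUID-only check never sees."""
    ctx_map, calls = {}, []
    for ptype, body in reassemble(stream):
        if ptype in (PT_BIND, PT_ALTER_CONTEXT):
            ctx_map.update(parse_contexts(body))
        elif ptype == PT_REQUEST:
            _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body)
            calls.append((ctx_map.get(ctx_id, "<unbound>"), opnum))
    return ctx_map, calls

def is_malicious(calls, policy: dict, mode: str = "normal") -> bool:
    """'normal': policy = uuid -> allowed opnums, any call outside it is malicious.
    'abnormal': policy = uuid -> forbidden opnums, any call matching it is malicious."""
    for iface, opnum in calls:
        listed = policy.get(iface)
        if mode == "normal" and (listed is None or opnum not in listed):
            return True
        if mode == "abnormal" and listed is not None and opnum in listed:
            return True
    return False

def first_uuid_only(ctx_map: dict, policy: dict) -> bool:
    """The prior-art check: flag the session only if the first bound UUID is not in the policy."""
    first = next(iter(ctx_map.values()), None)
    return first is not None and first not in policy

# --- constructed sample session; these are not real interface UUIDs -----------------------
def _pdu(ptype, flags, call_id, body):
    return HDR.pack(5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body

def _bind_like(ptype, call_id, contexts):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    for ctx_id, iface in contexts:
        body += struct.pack("<HBB", ctx_id, 1, 0) + uuid.UUID(iface).bytes_le + struct.pack("<I", 1)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    return _pdu(ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG, call_id, body)

def _request(call_id, ctx_id, opnum, stub=b"\x00" * 12, split_at=None):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    if split_at is None:
        return _pdu(PT_REQUEST, PFC_FIRST_FRAG | PFC_LAST_FRAG, call_id, body)
    return (_pdu(PT_REQUEST, PFC_FIRST_FRAG, call_id, body[:split_at])
            + _pdu(PT_REQUEST, PFC_LAST_FRAG, call_id, body[split_at:]))

IFACE_A, IFACE_B, IFACE_C = (f"11111111-2222-3333-4444-55555555555{c}" for c in "abc")
SAMPLE_STREAM = (_bind_like(PT_BIND, 1, [(0, IFACE_A), (1, IFACE_B)])
                 + _bind_like(PT_ALTER_CONTEXT, 2, [(2, IFACE_C)])  # extra UUID bound later
                 + _request(3, 0, 1)
                 + _request(4, 2, 3, split_at=14))                  # two-fragment request
WHITELIST = {IFACE_A: {0, 1, 2}, IFACE_B: {0}}  # 'normal' control policy
BLACKLIST = {IFACE_C: {3}}                      # 'abnormal' control policy
```

Calling `bound_calls(SAMPLE_STREAM)` yields three bound contexts and two calls, one of them to the interface added by alter_context; `first_uuid_only(...)` returns False (the first UUID is allowed, so the prior-art check lets the session through), while `is_malicious(calls, WHITELIST)` and `is_malicious(calls, BLACKLIST, "abnormal")` both return True. A production inspector would additionally honour the bind_ack results per context, since a context the server rejected (result 2, provider rejection) never carries traffic, which is the pruning that step 303 describes.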
Correspondingly, the embodiment of the invention also provides a detection apparatus for malicious RPC behavior, which can be integrated into a security device such as an IPS or a firewall, as shown in Figure 5. The apparatus comprises a recording module 501, a parsing module 502, an acquisition module 503 and a detection module 504, as follows:
Recording module 501 is configured to record the UUIDs of all RPC services requested by the client when the client queries the server for the high port corresponding to an RPC service;
Parsing module 502 is configured to parse, during the RPC procedure, the data packets transmitted in the session connection between the client and the server, and to obtain the RPC stream carried in the session connection;
Acquisition module 503 is configured to obtain all UUIDs related to the RPC procedure according to the UUIDs recorded by recording module 501 and the RPC stream obtained by parsing module 502;
Detection module 504 is configured to judge whether each of the UUIDs obtained by acquisition module 503 complies with the predetermined control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Optionally, the detection apparatus further comprises:
Blocking module 505, configured to block the data packets corresponding to the malicious RPC behavior after detection module 504 has determined that the client has performed malicious RPC behavior.
Optionally, as shown in Figure 6, the detection apparatus further comprises:
Storage module 506, configured to obtain the sequence number corresponding to each recorded UUID according to the order in which recording module 501 recorded the UUIDs, and to save the correspondence between UUIDs and sequence numbers;
Correspondingly, acquisition module 503 comprises:
Parsing unit 601, configured to parse from the RPC stream the sequence number of each RPC service carried in it;
Acquisition unit 602, configured to look up, for each parsed sequence number, the corresponding UUID in the correspondence saved by storage module 506, thereby obtaining all UUIDs related to the RPC procedure.
Optionally, detection module 504 comprises:
Screening unit 603, configured to screen all UUIDs related to the RPC behavior that were obtained by acquisition module 503, removing the UUIDs of the RPC services not supported by the server;
Detecting unit 604, configured to query the policy library and judge whether each UUID retained by screening unit 603 complies with the predetermined control policy.
Optionally, parsing unit 601 in Figure 6 is further configured to parse from the RPC stream the combination of sequence number and operator of each RPC service carried in it;
Acquisition unit 602 is further configured to look up, for each combination of sequence number and operator parsed by parsing unit 601, the corresponding UUID in the correspondence according to the sequence number, thereby obtaining all combinations of UUID and operator related to the RPC procedure.
Correspondingly, screening unit 603 is further configured to screen each combination of UUID and operator obtained by acquisition unit 602, removing the combinations of UUID and operator whose RPC services are not supported by the server;
Detecting unit 604 is further configured to query the policy library and judge whether each combination of UUID and operator retained by screening unit 603 complies with the predetermined control policy.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the related hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.