CN102882875A - Active defense method and device - Google Patents


Info

Publication number
CN102882875A
Authority
CN
China
Prior art keywords
file
source file
tracks
danger classes
path
Prior art date
Legal status
Granted
Application number
CN2012103769030A
Other languages
Chinese (zh)
Other versions
CN102882875B (en)
Inventor
闫继平
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201510221827.XA (CN104811453B)
Priority to CN201210376903.0A (CN102882875B)
Publication of CN102882875A
Application granted
Publication of CN102882875B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an active defense method and device. The method comprises: tracking remote procedure call (RPC) invocations made through a preset interface; when a process running with user privileges requests a system service process through the preset interface, intercepting the request, extracting the path of the source file from the request, and establishing an association between the source file path and the invoked system service process; if an operation triggers a host-based intrusion prevention system (HIPS) rule and tracing back along the process chain reaches the invoked system service process, determining the source file path to be the origin of the operation; and performing host intrusion prevention processing according to the danger level of the source file. The method and device reduce the probability of misjudgment.

Description

Active defense method and device
Technical field
The present invention relates to the field of computer security, and in particular to an active defense method and device.
Background technology
"Malicious program" (malware) is an umbrella term for any software program deliberately created to perform unauthorized and usually harmful actions. Computer viruses, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot-sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, spyware and adware are all examples of what may be called malicious programs.
Traditional anti-malware relies mainly on a signature database. The database consists of signatures of the malware samples the vendor has collected; a signature is a short section of program code that analysts find in the malware and that distinguishes it from legitimate software, much like a "search keyword". During scanning, the engine reads a file and matches it against every signature "keyword" in the database; if the file's program code is hit, the file is judged to be a malicious program.
Signature matching is an effective technique for detecting and removing known malware. However, the number of malicious programs worldwide is now growing geometrically, and with such explosive growth the generation and updating of the signature database always lags behind, so antivirus software frequently cannot defend against the endless stream of unknown malware.
HIPS (Host-based Intrusion Prevention System) instead intercepts the common dangerous actions on the system. Rather than using signatures as the basis for judging malware, it goes back to the most basic definition and uses a program's behaviour directly as the criterion: a behaviour feature library is derived locally, a behaviour threshold is set, and malware is judged and intercepted locally in a heuristic manner, thereby protecting the user's computer to a certain extent. Based on an understanding of the software and the system, certain trigger conditions, defined manually or built into the software, are used to block abnormal actions so that the system stays safe; such a trigger condition is commonly called a HIPS rule.
However, when HIPS rules are used for active defense in the prior art, false positives occur frequently. An urgent technical problem for those skilled in the art is therefore how to reduce the probability of false positives when using HIPS rules for active defense.
Summary of the invention
The invention provides an active defense method and device that can reduce the probability of misjudgment.
The invention provides the following scheme:
An embodiment of the invention provides an active defense method, comprising:
tracking remote procedure call (RPC) invocations produced through a preset interface;
when a process with user privileges initiates a request to a system service process through the preset interface, intercepting the request, extracting the path of the source file from the request, and establishing an association between the source file path and the invoked system service process;
if an operation triggers a host-based intrusion prevention system (HIPS) rule and tracing back along the process chain finds that the process initiating the operation is the invoked system service process, determining the source file path to be the origin of the operation;
performing host intrusion prevention processing according to the danger level of the source file.
Optionally, the source file comprises an MSI installation package file, and tracking RPC invocations through the preset interface comprises:
tracking RPC invocations of the interface IMSIServer::DoInstallRemote in order to obtain the storage path of the MSI installation package file in the system.
Optionally, the source file comprises a dynamic link library (DLL) file within an MSI installation package file, and tracking RPC invocations through the preset interface comprises:
tracking RPC invocations of the interface CMsiCustomAction::PrepareDLLCustomAction in order to obtain the DLL path of the DLL file within the MSI installation package file.
Optionally, performing host intrusion prevention processing according to the danger level of the source file comprises:
determining the danger level of the source file;
intercepting the operation according to the danger level of the source file.
Optionally, performing host intrusion prevention processing according to the danger level of the source file comprises:
issuing a risk prompt to the user according to the danger level of the source file, and presenting the information of the source file to the user.
An embodiment of the invention provides an active defense device, comprising:
a tracking unit for tracking RPC invocations produced through a preset interface;
an interception unit for, when a process with user privileges initiates a request to a system service process through the preset interface, intercepting the request, extracting the path of the source file from the request, and establishing an association between the source file path and the invoked system service process;
a source determining unit for, if an operation triggers a HIPS rule and tracing back along the process chain reaches the invoked system service process, determining the source file path to be the origin of the operation;
a processing unit for performing host intrusion prevention processing according to the danger level of the source file.
Optionally, the source file comprises an MSI installation package file, and the tracking unit comprises:
a first tracking subunit for tracking RPC invocations of the interface IMSIServer::DoInstallRemote in order to obtain the storage path of the MSI installation package file in the system.
Optionally, the source file comprises a dynamic link library (DLL) file within an MSI installation package file, and the tracking unit comprises:
a second tracking subunit for tracking RPC invocations of the interface CMsiCustomAction::PrepareDLLCustomAction in order to obtain the DLL path of the DLL file within the MSI installation package file.
Optionally, the processing unit comprises:
an operation interception subunit for intercepting the operation according to the danger level of the source file.
Optionally, the processing unit comprises:
a risk prompt subunit for issuing a risk prompt to the user according to the danger level of the source file, and presenting the information of the source file to the user.
According to the specific embodiments provided by the invention, the invention achieves the following technical effect:
With the present invention, when, after the user launches a file, execution is handed over from a process under user privileges to another process under system service privileges so that the process chain is broken, an association between the source file and the invoked system-service process is established. When an operation later triggers a HIPS rule, the real origin of the operation can therefore be traced, the danger level of the file at the real origin can be judged, and whether to intercept or to pop up a prompt can be decided accordingly, which reduces the probability of misjudgment.
Description of drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a HIPS system;
Fig. 2 is a flow chart of the method provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the device provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the system provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of another system provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention fall within the scope of protection of the invention.
To aid understanding, HIPS is first briefly introduced. Referring to Fig. 1, the most common HIPS is "3D" software that intercepts program actions according to rules. "3D" refers to AD (Application Defend), RD (Registry Defend) and FD (File Defend), the three most intuitive kinds of action a HIPS defends against; by intercepting these actions it protects the safety of the system. AD monitors key operations such as program execution, loading, physical memory access, low-level disk operations and keyboard logging; FD monitors the reading, modification, creation and deletion of any file; RD monitors operations on the registry.
For example, suppose a virus invades the computer. Then:
the virus first creates its body on the hard disk, which triggers the FD "create" rule;
it then reads the virus body, which triggers the FD "read" rule;
it then runs the virus body, which triggers the AD rules;
if it is an infecting virus, it also modifies files on the disk while running, for example infecting .exe files, which triggers the FD "modify" rule; if it is a destructive virus, it also deletes files on the disk while running, for example .exe or .gho files, which triggers the FD "delete" rule;
next, the virus usually modifies the registry to start itself automatically or to cause damage, which triggers the RD rules.
Each time a rule is triggered, HIPS searches its rule base; if the rule base already holds a rule for the operation, the operation is handled by that rule; if not, the user is asked. If any operation in the above process is blocked, then even if the file is a problem file it cannot harm the system.
When an action triggers a HIPS rule, HIPS needs to find the process that performed the action and decide, according to that process's security level, whether to intercept or to prompt. But to hide themselves better, some malicious programs start another process B from their process A and perform the concrete malicious action in process B; there may even be several further levels of process transfer before the malicious action is finally performed. In that case, if only the process currently performing the action is obtained, deciding from that process whether to intercept is inaccurate. It is therefore necessary to find the process chain to which the acting process belongs and trace it back to its source, the real origin of the action, for example process A in the example above; if process A's security level is low, the action can be intercepted or the user prompted, and so on.
In the course of realising the invention, the inventor found that the reason the prior art frequently produces false positives is that, although it can obtain the process chain of the action that triggered the rule, for certain specific types of file, after a HIPS rule is triggered, tracing the origin of the action along the process chain cannot reach the real origin; false positives therefore often occur, and some normal actions cannot proceed smoothly. For example, while a program is being installed from an MSI (Windows Installer) package, as soon as an action that modifies a registry startup item is found, the HIPS pops up a prompt indiscriminately; if the user decides it is an operation that can be allowed, the installation can continue only after the user has manually selected an option such as "allow this operation".
The inventor also found that the reason the real origin cannot be traced for some files is that the following happens while they run: after the user launches the file, execution is handed over from a process under user privileges to another process under system service privileges, and the action that triggers the HIPS rule may be performed only after the transfer to the process under system service privileges. When HIPS obtains the process chain, it can trace back only to the initial process under system service privileges and cannot link it with the process chain under user privileges; in other words, such a file breaks the process chain during execution, so the real origin cannot be traced.
For example, when the user double-clicks an MSI installation package, the system first starts, according to the file-extension association, an msiexec.exe process with the current user's privileges. msiexec.exe is a system process that is part of Windows Installer and is used to install Windows Installer packages (MSI). This user-privilege msiexec.exe then calls an interface and forwards the request to the server corresponding to that interface, namely the msiexec.exe running with system service privileges (if that msiexec.exe has not yet started, it must first be started via DCOM), and the subsequent operations are carried out there. Thus, after some operation triggers a HIPS rule, tracing along the process chain reaches only the system-service msiexec.exe, whereas the real origin of the operation is the MSI package itself, or a DLL (Dynamic Link Library) file inside the MSI package. In the prior art, since it cannot be known which MSI package or which DLL performed the action, as soon as a HIPS rule is triggered and the trace reaches the system-service msiexec.exe, a risk prompt is issued without exception, which obviously causes a large number of false positives.
In the embodiments of the invention, therefore, an association is established between the source file and the invoked system-service process so that the real origin of an operation can be traced, the file at the real origin can be assessed for safety, and whether to intercept or to pop up a prompt can be decided. The method provided by the embodiments of the invention is described in detail below.
Referring to Fig. 2, the active defense method provided by an embodiment of the invention comprises the following steps:
S201: track RPC invocations produced through a preset interface;
S202: when a process with user privileges initiates a request to a system service process through the preset interface, intercept the request, extract the path of the source file from the request, and establish an association between the source file path and the invoked system service process;
In a specific implementation, RPC invocations of the preset interface are tracked, the request to the system-service-privilege process is intercepted, and the full path of the source file is extracted from the request, so that the association between the source file and the invoked system service process can be established. Tracking RPC invocations of the interface IMSIServer::DoInstallRemote and intercepting the request packet yields the full path of the original MSI package; tracking RPC invocations of the interface CMsiCustomAction::PrepareDLLCustomAction and intercepting the request packet yields the DLL path of a DLL file inside the MSI package.
In a specific implementation, this tracking can be achieved by monitoring (for example hooking) the API functions involved in the inter-process communication performed by the RPC. Different API functions must be hooked depending on the operating system version in order to track and intercept accurately: on Windows XP, API functions such as NtRequestWaitReplyPort can be hooked; on Windows Vista and later versions, API functions such as NtAlpcSendWaitReplyPort can be hooked.
Thus, in the earlier example, after the user double-clicks an MSI package to start installing a program, the system still first starts an msiexec.exe process with the current user's privileges. That user-privilege msiexec.exe calls the corresponding interface (IMSIServer::DoInstallRemote for a request originating from the MSI package file itself, CMsiCustomAction::PrepareDLLCustomAction for a request originating from a DLL inside the package) and forwards the request to the interface's server. With the above API functions hooked, the request can be intercepted as the user-privilege process forwards it to the server, and by parsing the function's parameters the full path of the MSI package, or the DLL path of a DLL file inside it, is obtained. The request is then forwarded to the system-service msiexec.exe process, which starts a thread to carry out the concrete installation according to the path passed through IMSIServer::DoInstallRemote or CMsiCustomAction::PrepareDLLCustomAction; that thread may in turn create new threads to do the concrete work (writing files, writing the registry, etc.). When such an action triggers a HIPS rule, the trace first reaches the system-service msiexec.exe process; then, from the recorded relation between the source file and that process, it can be determined which MSI package, or which DLL file inside which MSI package, the action corresponds to, and the full path of that MSI package or the DLL path of that DLL file is the real origin.
Of course, when hooking API functions, a whole series of inter-process communication functions can be hooked; for example, on Windows XP these can include NtCreatePort, NtConnectPort, NtRequestPort, NtAcceptPort, NtListenPort, NtReplyPort, NtReplyWaitReceivePort, etc.
S203: if an operation triggers a HIPS rule and tracing back along the process chain reaches the invoked system service process, determine the source file path to be the origin of the operation;
After an operation triggers a HIPS rule, the process chain is traced first; if the trace reaches a system service process, the real origin of the operation is found from the previously established association, for example a particular installation package file, or a particular DLL file inside an installation package, and so on.
For example, suppose again that the user double-clicks an MSI package: the system starts, via the extension association, an msiexec.exe process with the current user's privileges; that msiexec.exe calls the interface IMSIServer::DoInstallRemote, and the system forwards the call to the interface's server, i.e. the msiexec.exe running under the SYSTEM account (started via DCOM if it does not exist).
In the embodiment of the invention, by intercepting the system services NtRequestWaitReplyPort (XP) and NtAlpcSendWaitReplyPort (Vista and later), the full path of the MSI package is obtained when the system forwards the request to the server. Then, when the service process msiexec.exe triggers an active-defense rule, the thread chain relation shows which MSI package the action corresponds to, and the full path of that MSI package is the real origin of the current operation.
The process chain can be obtained through an API: for example, NtQueryInformationProcess can return the PID of the parent process, so by going up level by level all processes in the chain can be found. Alternatively, the embodiment can have its own process-chain management function, which obtains process creation and exit events from a driver and builds its own process chain; the parent-child relations in the whole chain are then obtained simply by consulting this function.
S204: perform host intrusion prevention processing according to the danger level of the source file.
Once the real origin of the operation is found, the danger level of the real source file can be determined and host intrusion prevention processing carried out accordingly. The danger level of the file at the real origin can be obtained from a dedicated danger-level evaluation system; for example, the level information of each source file can be recorded in advance in a list on the server side that includes each process's PID, creation relations, file level and similar information, and the danger level of the current source file is obtained by querying this list.
The danger level can be expressed in many forms, for example: level 1, trusted file; level 2, grey file; level 3, suspicious file; level 4, virus or Trojan. In host intrusion prevention processing, the operation of a source file with a higher danger level can be intercepted directly, or a danger prompt can first be shown to the user, who chooses whether to intercept. When the danger prompt is shown to the user, the origin of the operation displayed is the real origin obtained in the embodiment of the invention, not the system service process. For example, in the earlier example, if the real origin is found to be the DLL file MSI1F.tmp, that file is presented to the user, for instance in a pop-up window, instead of only the corresponding system service process msiexec.exe; likewise the danger level judged is that of MSI1F.tmp rather than that of msiexec.exe. The prompt can show not only the file name of the source file but also its path and other information.
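Steps S201 to S204 above, together with the process-chain bookkeeping described under S203, as an added example in C that is not code from the patent or from Qihoo. It models the view a hook on the RPC/ALPC send path would have of a request (the real hook on NtRequestWaitReplyPort or NtAlpcSendWaitReplyPort lives in a kernel driver and must decode the call's parameters, which is not shown), records the source-file association, walks the process chain on a rule hit, and grades the result. Only the two interface names, the system-call names, msiexec.exe, MSI1F.tmp and the four danger levels come from the page; the process tree, the file paths, the danger list and every function name are constructed assumptions. It also shows, in chain_root_name, what the prior-art trace alone could report.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 32
#define MAX_ASSOC 16
#define PATH_LEN  128
enum token_level { TOKEN_USER, TOKEN_SYSTEM };
enum danger { DANGER_TRUSTED = 1, DANGER_GREY, DANGER_SUSPICIOUS, DANGER_MALWARE }; /* the page's four levels */
enum action { ACTION_ALLOW, ACTION_PROMPT, ACTION_BLOCK };
struct process { int pid, ppid, alive; enum token_level level; char name[32]; };
struct assoc   { int server_pid; char source_path[PATH_LEN]; }; /* invoked service process -> source file */
static struct process procs[MAX_PROCS]; static int nprocs;
static struct assoc   assocs[MAX_ASSOC]; static int nassocs;

/* Process-chain bookkeeping fed by create/exit events (the page's "own chain management"). */
void on_process_create(int pid, int ppid, const char *name, enum token_level level) {
    if (nprocs >= MAX_PROCS) return;
    struct process *p = &procs[nprocs++];
    p->pid = pid; p->ppid = ppid; p->alive = 1; p->level = level;
    snprintf(p->name, sizeof p->name, "%s", name);
}
void on_process_exit(int pid) {
    for (int i = 0; i < nprocs; i++) if (procs[i].pid == pid) procs[i].alive = 0;
}
static const struct process *find_proc(int pid) {
    for (int i = 0; i < nprocs; i++) if (procs[i].pid == pid && procs[i].alive) return &procs[i];
    return NULL;
}

/* A request as a hypothetical hook on the RPC/ALPC send path sees it; a real hook would
 * decode the NtRequestWaitReplyPort / NtAlpcSendWaitReplyPort parameters to get these. */
struct rpc_request { int client_pid, server_pid; const char *iface, *path_param; };

/* S201/S202: track only user-token -> system-service requests on the two preset
 * interfaces; extract the path parameter and record the association. */
int on_rpc_request(const struct rpc_request *r) {
    const struct process *c = find_proc(r->client_pid), *s = find_proc(r->server_pid);
    if (!c || !s || c->level != TOKEN_USER || s->level != TOKEN_SYSTEM) return 0;
    if (strcmp(r->iface, "IMSIServer::DoInstallRemote") != 0 &&
        strcmp(r->iface, "CMsiCustomAction::PrepareDLLCustomAction") != 0) return 0;
    if (nassocs >= MAX_ASSOC) return 0;
    assocs[nassocs].server_pid = r->server_pid;
    snprintf(assocs[nassocs].source_path, PATH_LEN, "%s", r->path_param);
    nassocs++;
    return 1;
}

/* S203: walk up the chain from the process that hit the rule; the first process on the way
 * with an association is the invoked service, and its newest association is the real source. */
const char *trace_source(int trigger_pid) {
    for (int pid = trigger_pid, hops = 0; hops < MAX_PROCS; hops++) {
        const struct process *p = find_proc(pid);
        if (!p) return NULL;
        for (int i = nassocs - 1; i >= 0; i--)
            if (assocs[i].server_pid == pid) return assocs[i].source_path;
        if (p->ppid == 0) return NULL;  /* chain ended without an association */
        pid = p->ppid;
    }
    return NULL;
}
/* What prior art sees: only the top of the (broken) chain, never the user-side msiexec. */
const char *chain_root_name(int trigger_pid) {
    const struct process *p = find_proc(trigger_pid);
    while (p && p->ppid != 0 && find_proc(p->ppid)) p = find_proc(p->ppid);
    return p ? p->name : NULL;
}

/* S204: grade the source file against a constructed evaluation list, then decide. */
static const struct { const char *path; enum danger level; } danger_list[] = {
    { "C:\\Users\\alice\\Downloads\\setup.msi", DANGER_TRUSTED },    /* constructed */
    { "C:\\Windows\\Installer\\MSI1F.tmp",      DANGER_SUSPICIOUS }, /* constructed */
};
enum danger danger_of(const char *path) {
    for (size_t i = 0; i < sizeof danger_list / sizeof danger_list[0]; i++)
        if (strcmp(danger_list[i].path, path) == 0) return danger_list[i].level;
    return DANGER_GREY;  /* unknown file: grey, let the user decide */
}
enum action hips_decide(enum danger d) {
    if (d == DANGER_TRUSTED) return ACTION_ALLOW;
    if (d == DANGER_MALWARE) return ACTION_BLOCK;
    return ACTION_PROMPT;  /* grey or suspicious: prompt, naming the real source file */
}
/* One rule hit end to end. With no association the prior-art behaviour remains:
 * prompt, and all that can be named is the chain root. */
enum action on_hips_trigger(int trigger_pid, const char **source_out) {
    const char *src = trace_source(trigger_pid);
    *source_out = src ? src : chain_root_name(trigger_pid);
    return src ? hips_decide(danger_of(src)) : ACTION_PROMPT;
}

int main(void) {
    /* Constructed process tree for the page's scenario: the user double-clicks setup.msi. */
    on_process_create(50, 0, "services.exe", TOKEN_SYSTEM);
    on_process_create(100, 0, "explorer.exe", TOKEN_USER);
    on_process_create(200, 100, "msiexec.exe", TOKEN_USER);   /* via the .msi extension association */
    on_process_create(300, 50, "msiexec.exe", TOKEN_SYSTEM);  /* the service, started through DCOM */
    struct rpc_request r = { 200, 300, "IMSIServer::DoInstallRemote", "C:\\Users\\alice\\Downloads\\setup.msi" };
    on_rpc_request(&r);
    const char *src;
    enum action a = on_hips_trigger(300, &src);  /* pid 300 writes a registry startup item */
    printf("real source: %s, action %d; chain root alone: %s\n", src, a, chain_root_name(300));
    return 0;
}
```

The association is keyed on the service process, not on the thread that eventually writes the registry, which is why trace_source walks upward until it meets an associated process; a request from a SYSTEM-token client (for instance the service calling itself) is deliberately not recorded, so a later hit on such a process falls back to the prompt-on-chain-root behaviour the page attributes to the prior art.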
In summary, in the embodiments of the invention, when, after the user launches a file, execution is handed over from a process under user privileges to another process under system service privileges so that the process chain is broken, an association between the source file and the invoked system-service process is established. When an operation later triggers a HIPS rule, the real origin of the operation can therefore be traced, the danger level of the file at the real origin can be judged, and whether to intercept or to pop up a prompt interface can be decided accordingly, which reduces the probability of false positives.
Corresponding with the active defense method that the embodiment of the invention provides, the embodiment of the invention also provides a kind of Initiative Defense device, and referring to Fig. 3, this device comprises:
Tracking cell 301 is followed the tracks of for the remote procedure call protocol RPC that presets the interface generation is called;
Interception unit 302, be used for when the process of user right is initiated the request of calling system service processes by presetting interface, the interception described request, the path of extraction source file from described request, and related between the path of setting up described source file and the invoked system service process;
Source determining unit 303 is if for having operation behavior to trigger Host Based intrusion prevention system HIPS rule and tracing back to described invoked system service process according to chain of processes, then be defined as the path of described source file the source of described operation behavior;
Processing unit 304 is used for the danger classes according to described source file, carries out the main frame intrusion prevention and processes.
Wherein, described source file comprises MSI installation kit file, and described tracking cell 301 can comprise:
First follows the tracks of subelement, and the RPC that is used for docking port IMSIServer::DoInstallRemote calls and follows the tracks of, in order to obtain the storing path of described MSI installation kit file in system.
Perhaps, described source file comprises the dynamic link library (DLL) file in the MSI installation kit file, and at this moment, described tracking cell 201 can comprise:
Second follows the tracks of subelement, and the RPC that is used for docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, in order to obtain the DLL path of the dll file in the described MSI installation kit file.
In actual applications, described processing unit 304 specifically can comprise:
The operation intercepting subelement is used for the danger classes according to described source file, and described operation behavior is carried out interception.
Perhaps, described processing unit 304 also can comprise:
The indicating risk subelement is used for the danger classes according to described source file, carries out indicating risk to the user, and with the information indicating of described source file to the user.
Corresponding to the active defense method and device provided by the embodiments of the invention, the embodiments of the invention also provide an active defense system. Referring to Fig. 4, this system may include a client 401 and a server end 402:
a tracking unit 4011, configured to track remote procedure call protocol (RPC) calls generated on the preset interface;
an interception unit 4012, configured to, when a process with user privileges initiates a request to call a system service process through the preset interface, intercept the request, extract the path of the source file from the request, and establish an association between the path of the source file and the invoked system service process;
a source determining unit 4013, configured to, if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back along the process chain, is the invoked system service process, determine the path of the source file to be the source of the operation behavior;
a feature extraction unit 4014, configured to extract features of the source file. Specifically, the extracted source file features may be static features such as the name and MD5 of the source file; alternatively, a sandbox system may be deployed on the client device, the source file is placed into the sandbox and run, its dynamic behaviour features are extracted and uploaded to the server end, so that the server end judges the source file according to these features.
an uploading unit 4015, configured to upload the features of the source file to the server end 402;
The server end 402 includes:
a danger level determining unit 4021, configured to judge the danger level of the source file according to the features of the source file and return it to the client;
The client 401 also includes:
a processing unit 4016, configured to perform host intrusion prevention processing according to the danger level of the source file returned by the server end.
Of course, in practical applications the client may also upload the whole file to the server end, and the server end extracts the features of the file, or directly judges the danger level of the file according to a file whitelist or blacklist, etc. Therefore, the embodiments of the invention also provide another active defense system. Referring to Fig. 5, this system likewise includes a client 501 and a server end 502, where:
The client may specifically include:
a tracking unit 5011, configured to track remote procedure call protocol (RPC) calls generated on the preset interface;
an interception unit 5012, configured to, when a process with user privileges initiates a request to call a system service process through the preset interface, intercept the request, extract the path of the source file from the request, and establish an association between the path of the source file and the invoked system service process;
a source determining unit 5012, configured to, if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back along the process chain, is the invoked system service process, determine the path of the source file to be the source of the operation behavior;
an uploading unit 5014, configured to upload the source file to the server end 502;
The server end 502 includes:
a feature extraction unit 5021, configured to extract features of the source file;
a danger level determining unit 5022, configured to judge the danger level of the source file according to the features of the source file and return it to the client;
The client 501 also includes:
a processing unit 5015, configured to perform host intrusion prevention processing according to the danger level of the source file returned by the server end.
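The two client/server arrangements above (Fig. 4: the client extracts static features such as name and MD5 and uploads them; Fig. 5: the client uploads the whole file and the server extracts the features itself or consults a whitelist/blacklist) can be simulated in a few lines. The following is an added example, not code from the patent or its assignee; the sample file contents, the list contents, the `size` feature and all function and class names are constructed for this illustration.

```python
"""Constructed client/server reputation lookup for a source file.
Added example, not the patent's code: sample bytes, hashes and the
white/black lists below are constructed placeholders."""
import hashlib
from typing import Dict, Set, Tuple


def md5_hex(data: bytes) -> str:
    # MD5 is used because the text names it as a static feature.
    return hashlib.md5(data).hexdigest()


def extract_static_features(name: str, data: bytes) -> Dict[str, object]:
    """Feature extraction unit: name and MD5 are from the text; size is an
    assumed extra static feature."""
    return {"name": name, "md5": md5_hex(data), "size": len(data)}


class ReputationServer:
    """Server end: danger level determining unit backed by hash lists."""

    def __init__(self, whitelist: Set[str], blacklist: Set[str]):
        self.whitelist = whitelist
        self.blacklist = blacklist

    def danger_level_from_features(self, features: Dict[str, object]) -> str:
        """Fig. 4 variant: the client already extracted the features."""
        h = features["md5"]
        if h in self.blacklist:
            return "black"
        if h in self.whitelist:
            return "white"
        return "unknown"

    def danger_level_from_file(self, name: str, data: bytes) -> str:
        """Fig. 5 variant: the whole file arrives and the server extracts."""
        return self.danger_level_from_features(extract_static_features(name, data))


# Client-side processing unit: map the returned danger level to a HIPS action.
ACTION = {"black": "intercept", "white": "allow", "unknown": "prompt"}


def client_process(server: ReputationServer, name: str, data: bytes,
                   upload_whole_file: bool = False) -> Tuple[str, str]:
    """Returns (danger level reported by the server, action the client takes)."""
    if upload_whole_file:
        level = server.danger_level_from_file(name, data)
    else:
        level = server.danger_level_from_features(extract_static_features(name, data))
    return level, ACTION[level]


# Constructed sample "files"; real MSI packages are not needed for the flow.
GOOD_MSI = b"MSI-sample-good-installer"
BAD_MSI = b"MSI-sample-known-malicious"
NEW_MSI = b"MSI-sample-never-seen"
SERVER = ReputationServer(whitelist={md5_hex(GOOD_MSI)}, blacklist={md5_hex(BAD_MSI)})

if __name__ == "__main__":
    for nm, d in [("good.msi", GOOD_MSI), ("bad.msi", BAD_MSI), ("new.msi", NEW_MSI)]:
        print(nm, client_process(SERVER, nm, d))
```

An unknown hash falls through to a prompt rather than a block, which is the same split the text draws between the operation interception subunit and the risk prompt subunit.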
In summary, in the active defense device provided by the embodiments of the invention, after the user starts an operation on a certain file, the operation may be handed over by a process under user privileges to another process under system service privileges for execution, which breaks the process chain. The device establishes an association between the source file and the invoked system service privilege process, so that when a certain operation behavior triggers a HIPS rule, the real source of the operation behavior can be traced back, and the danger level judgement is then performed on the file at the real source to decide whether to intercept or to pop up a prompt. This reduces the probability of false positives.
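The flow summarised above (interception of a user-to-service RPC on a preset interface, association of the source file path with the invoked service process, trace-back along the process chain when a HIPS rule fires, and a decision on the file's danger level) is shown below as an added example; it is not the patent's code. The process tree, PIDs, file path, the argument names `package_path`/`dll_path` and the class and function names are all constructed for this simulation.

```python
"""Constructed simulation of RPC-based source attribution for a HIPS hit.
Added example, not the patent's code: PIDs, process names, paths and the
argument names inside the RPC requests are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Preset interfaces named in the text, mapped to the request argument that
# carries the file path (argument names are assumed for this simulation).
TRACKED_INTERFACES = {
    "IMSIServer::DoInstallRemote": "package_path",
    "CMsiCustomAction::PrepareDLLCustomAction": "dll_path",
}


@dataclass
class Process:
    pid: int
    name: str
    parent: Optional[int]
    system_service: bool = False


@dataclass
class RpcRequest:
    caller_pid: int
    callee_pid: int
    interface: str
    args: Dict[str, str]


class SourceAttributor:
    def __init__(self, processes: List[Process]):
        self.procs: Dict[int, Process] = {p.pid: p for p in processes}
        # invoked service PID -> source file path (latest interception wins)
        self.assoc: Dict[int, str] = {}

    def intercept(self, req: RpcRequest) -> Optional[str]:
        """Interception unit: only a user-privilege caller reaching a system
        service callee on a preset interface creates an association."""
        arg = TRACKED_INTERFACES.get(req.interface)
        if arg is None:
            return None
        caller, callee = self.procs[req.caller_pid], self.procs[req.callee_pid]
        if caller.system_service or not callee.system_service:
            return None
        path = req.args[arg]
        self.assoc[req.callee_pid] = path
        return path

    def trace_source(self, pid: int) -> Optional[str]:
        """Source determining unit: walk up the process chain; if an invoked
        service process with an association is reached, its path is the real
        source of the behaviour. Returns None when the chain is broken."""
        seen = set()
        cur: Optional[int] = pid
        while cur is not None and cur not in seen:
            seen.add(cur)
            if cur in self.assoc:
                return self.assoc[cur]
            cur = self.procs[cur].parent if cur in self.procs else None
        return None

    def on_hips_hit(self, pid: int, danger_of: Callable[[str], str]
                    ) -> Tuple[Optional[str], str, str]:
        """Processing unit: judge the file at the real source, not the
        service process that executed the operation."""
        src = self.trace_source(pid)
        if src is None:
            return None, "unknown", "prompt"
        level = danger_of(src)
        action = {"black": "intercept", "white": "allow"}.get(level, "prompt")
        return src, level, action


# Constructed tree: explorer (user) -> msiexec client (user) issues the RPC;
# services.exe -> msiexec service (system) -> custom action child performs
# the operation that trips the HIPS rule.
PROCS = [
    Process(50, "services.exe", None, system_service=True),
    Process(100, "explorer.exe", 1),
    Process(200, "msiexec.exe", 100),
    Process(300, "msiexec.exe (service)", 50, system_service=True),
    Process(400, "custom-action.exe", 300),
]
SRC_MSI = r"C:\Users\alice\Downloads\setup.msi"  # constructed path


def demo(with_tracking: bool = True) -> Tuple[Optional[str], str, str]:
    att = SourceAttributor(PROCS)
    if with_tracking:
        att.intercept(RpcRequest(200, 300, "IMSIServer::DoInstallRemote",
                                 {"package_path": SRC_MSI}))
    levels = {SRC_MSI: "black"}  # constructed verdict for the sample file
    return att.on_hips_hit(400, lambda p: levels.get(p, "unknown"))


if __name__ == "__main__":
    print("with RPC tracking:   ", demo(True))
    print("without RPC tracking:", demo(False))
```

Without the association, the chain from the custom action process ends at `services.exe` and the device would have to judge a trusted system service, which is exactly the false-positive case the text describes; with it, the verdict lands on the installer file.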
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is made in order to disclose the preferred embodiment of the invention.
In the specification provided herein, a large number of specific details are described. However, it will be understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the host intrusion prevention device according to the embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
The application may be applied to a computer system/server, which can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, etc. The computer system/server may be described in the general context of computer system executable instructions (such as program modules) being executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures, etc., which perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in local or remote computer system storage media including memory devices.

Claims (10)

1. An active defense method, comprising:
tracking remote procedure call protocol (RPC) calls generated on a preset interface;
when a process with user privileges initiates a request to call a system service process through the preset interface, intercepting the request, extracting a path of a source file from the request, and establishing an association between the path of the source file and the invoked system service process;
if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back along a process chain, is the invoked system service process, determining the path of the source file to be the source of the operation behavior;
performing host intrusion prevention processing according to a danger level of the source file.
2. The method according to claim 1, wherein the source file comprises an MSI installation package file, and tracking the RPC calls on the preset interface comprises:
tracking RPC calls to the interface IMSIServer::DoInstallRemote in order to obtain the storage path of the MSI installation package file in the system.
3. The method according to claim 1, wherein the source file comprises a dynamic link library (DLL) file in an MSI installation package file, and tracking the RPC calls on the preset interface comprises:
tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction in order to obtain the DLL path of the DLL file in the MSI installation package file.
4. The method according to any one of claims 1 to 3, wherein performing host intrusion prevention processing according to the danger level of the source file comprises:
determining the danger level of the source file;
intercepting the operation behavior according to the danger level of the source file.
5. The method according to any one of claims 1 to 3, wherein performing host intrusion prevention processing according to the danger level of the source file comprises:
issuing a risk prompt to the user according to the danger level of the source file, and presenting the information of the source file to the user.
6. An active defense device, comprising:
a tracking unit, configured to track remote procedure call protocol (RPC) calls generated on a preset interface;
an interception unit, configured to, when a process with user privileges initiates a request to call a system service process through the preset interface, intercept the request, extract a path of a source file from the request, and establish an association between the path of the source file and the invoked system service process;
a source determining unit, configured to, if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back along a process chain, is the invoked system service process, determine the path of the source file to be the source of the operation behavior;
a processing unit, configured to perform host intrusion prevention processing according to a danger level of the source file.
7. The device according to claim 6, wherein the source file comprises an MSI installation package file, and the tracking unit comprises:
a first tracking subunit, configured to track RPC calls to the interface IMSIServer::DoInstallRemote in order to obtain the storage path of the MSI installation package file in the system.
8. The device according to claim 6, wherein the source file comprises a dynamic link library (DLL) file in an MSI installation package file, and the tracking unit comprises:
a second tracking subunit, configured to track RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction in order to obtain the DLL path of the DLL file in the MSI installation package file.
9. The device according to any one of claims 6 to 8, wherein the processing unit comprises:
a danger level determining subunit, configured to determine the danger level of the source file;
an operation interception subunit, configured to intercept the operation behavior according to the danger level of the source file.
10. The device according to any one of claims 6 to 8, wherein the processing unit comprises:
a risk prompt subunit, configured to issue a risk prompt to the user according to the danger level of the source file, and to present the information of the source file to the user.
CN201210376903.0A 2012-09-29 2012-09-29 Active defense method and device Active CN102882875B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510221827.XA CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device
CN201210376903.0A CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210376903.0A CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201510221827.XA Division CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device

Publications (2)

Publication Number Publication Date
CN102882875A true CN102882875A (en) 2013-01-16
CN102882875B CN102882875B (en) 2015-06-10

Family

ID=47484018

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201210376903.0A Active CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device
CN201510221827.XA Active CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201510221827.XA Active CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device

Country Status (1)

Country Link
CN (2) CN102882875B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108491736A (en) * 2018-04-02 2018-09-04 北京顶象技术有限公司 Distort monitoring method and device
CN110717183A (en) * 2019-12-09 2020-01-21 深信服科技股份有限公司 Virus checking and killing method, device, equipment and storage medium
CN111367684A (en) * 2018-12-26 2020-07-03 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN114466053A (en) * 2022-04-11 2022-05-10 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for call control of remote procedure call
CN114697131A (en) * 2022-04-27 2022-07-01 京东科技控股股份有限公司 Data calling method and device, storage medium and electronic equipment

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882875B (en) * 2012-09-29 2015-06-10 北京奇虎科技有限公司 Active defense method and device
CN108717509B (en) * 2018-06-05 2020-06-23 厦门安胜网络科技有限公司 Method, device and equipment for extracting program derivative in sandbox and readable medium
CN109784051B (en) * 2018-12-29 2021-01-15 360企业安全技术(珠海)有限公司 Information security protection method, device and equipment
CN109787886B (en) * 2019-01-22 2021-03-02 北京北信源信息安全技术有限公司 Mail auditing method and system
CN112596932A (en) * 2021-01-04 2021-04-02 天冕信息技术(深圳)有限公司 Service registration and interception method and device, electronic equipment and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040250133A1 (en) * 2001-09-04 2004-12-09 Lim Keng Leng Albert Computer security event management system
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7913078B1 (en) * 2000-06-22 2011-03-22 Walter Mason Stewart Computer network virus protection system and method
CN101588358B (en) * 2009-07-02 2012-06-27 西安电子科技大学 System and method for detecting host intrusion based on danger theory and NSA
CN102663289B (en) * 2012-03-22 2015-07-15 北京奇虎科技有限公司 Method and device for intercepting rogue program of modifying page elements
CN102882875B (en) * 2012-09-29 2015-06-10 北京奇虎科技有限公司 Active defense method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040250133A1 (en) * 2001-09-04 2004-12-09 Lim Keng Leng Albert Computer security event management system
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108491736A (en) * 2018-04-02 2018-09-04 北京顶象技术有限公司 Distort monitoring method and device
CN108491736B (en) * 2018-04-02 2020-09-22 北京顶象技术有限公司 Tamper monitoring method and device
CN111367684A (en) * 2018-12-26 2020-07-03 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN111367684B (en) * 2018-12-26 2023-11-10 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN110717183A (en) * 2019-12-09 2020-01-21 深信服科技股份有限公司 Virus checking and killing method, device, equipment and storage medium
CN114466053A (en) * 2022-04-11 2022-05-10 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for call control of remote procedure call
CN114466053B (en) * 2022-04-11 2022-07-08 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for call control of remote procedure call
CN114697131A (en) * 2022-04-27 2022-07-01 京东科技控股股份有限公司 Data calling method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN102882875B (en) 2015-06-10
CN104811453B (en) 2018-05-01
CN104811453A (en) 2015-07-29

Similar Documents

Publication Publication Date Title
CN102882875B (en) Active defense method and device
US10893068B1 (en) Ransomware file modification prevention technique
CN102651061B (en) System and method of protecting computing device from malicious objects using complex infection schemes
RU2531861C1 (en) System and method of assessment of harmfullness of code executed in addressing space of confidential process
JP6706273B2 (en) Behavioral Malware Detection Using Interpreted Virtual Machines
CN101373502B (en) Automatic analysis system of virus behavior based on Win32 platform
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
EP3326100B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
CN102902919B (en) A kind of identifying processing methods, devices and systems of suspicious operation
RU2646352C2 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
KR101647487B1 (en) Analysis system and method for patch file
EP2790122B1 (en) System and method for correcting antivirus records to minimize false malware detections
KR101212553B1 (en) Apparatus and method for detecting malicious files
EP2637121A1 (en) A method for detecting and removing malware
CN109074450B (en) Threat defense techniques
CN102629310A (en) System and method for protecting computer system from being infringed by activities of malicious objects
CN103001947A (en) Program processing method and program processing system
JP6030566B2 (en) Unauthorized application detection system and method
CN102999720A (en) Program identification method and system
CN102857519B (en) Active defensive system
CN102982281A (en) Program condition detecting method and system
CN103473501A (en) Malware tracking method based on cloud safety
CN103970574A (en) Office program running method and device and computer system
CN102999721A (en) Program processing method and system
US11816211B2 (en) Active signaling in response to attacks on a transformed binary

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220713

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right