Summary of the invention
To solve the problems of the prior art, embodiments of the present invention provide an intrusion detection method and device. The technical scheme is as follows:
In one aspect, an intrusion detection method is provided, the method comprising:
obtaining the system call table;
deriving the system call pointers from the system call table;
processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal;
where obtaining the system call table comprises:
obtaining the system call handler entry;
obtaining the system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table;
obtaining the system call table according to the system call table pointer;
and where obtaining the system call handler entry comprises:
executing the SIDT assembly instruction to copy the base address and limit of the interrupt descriptor table held in the IDTR register into memory;
obtaining the interrupt descriptor table according to its base address and limit;
storing the interrupt descriptor table in memory;
obtaining the gate descriptor corresponding to the system call from the interrupt descriptor table;
jumping to the system call handler entry according to the descriptor.
Alternatively, obtaining the system call table pointer according to the system call handler entry comprises:
searching memory from the system call handler entry for the first CALL assembly instruction;
obtaining the system call table pointer from the operand of that CALL instruction.
Alternatively, before obtaining the system call table, the method further comprises:
in the initialization phase, obtaining the system call pointer fingerprint data of the initialization phase;
storing the system call pointer fingerprint data of the initialization phase on the local terminal.
Alternatively, after obtaining the system call pointer fingerprint data of the initialization phase, the method further comprises:
storing the system call pointer fingerprint data of the initialization phase on a server.
Alternatively, after the system call pointer fingerprint data of the initialization phase is stored on the server, the method further comprises:
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Alternatively, after the system call pointer fingerprint data of the initialization phase is stored on the server, the method further comprises:
comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Alternatively, after obtaining the system call table, the method further comprises:
obtaining a system call address file, the system call address file storing the system call pointers;
comparing the system call address file with the system call table;
when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local terminal.
Alternatively, after determining that an intrusion event has occurred on the local terminal, the method further comprises:
outputting alarm information according to the intrusion event.
In another aspect, an intrusion detection device is provided, the device comprising:
a first acquisition module, configured to obtain the system call table;
a derivation module, configured to derive the system call pointers from the system call table;
a fingerprint algorithm processing module, configured to process the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
a first comparison module, configured to compare the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
a first determination module, configured to determine that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data prestored on the local terminal;
where the first acquisition module comprises:
a first acquisition unit, configured to obtain the system call handler entry;
a second acquisition unit, configured to obtain the system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table;
a third acquisition unit, configured to obtain the system call table according to the system call table pointer;
and where the first acquisition unit is further configured to execute the SIDT assembly instruction to copy the base address and limit of the interrupt descriptor table held in the IDTR register into memory; obtain the interrupt descriptor table according to its base address and limit; store the interrupt descriptor table in memory; obtain the gate descriptor corresponding to the system call from the interrupt descriptor table; and jump to the system call handler entry according to the descriptor.
Alternatively, the second acquisition unit is further configured to search memory from the system call handler entry for the first CALL assembly instruction and to obtain the system call table pointer from the operand of that CALL instruction.
Alternatively, the device further comprises:
a second acquisition module, configured to obtain, in the initialization phase, the system call pointer fingerprint data of the initialization phase;
a first storage module, configured to store the system call pointer fingerprint data of the initialization phase on the local terminal.
Alternatively, the device further comprises:
a second storage module, configured to store the system call pointer fingerprint data of the initialization phase on a server.
Alternatively, the device further comprises:
a second comparison module, configured to compare the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
a second determination module, configured to determine that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data prestored on the server.
Alternatively, the device further comprises:
a third comparison module, configured to compare the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
a third determination module, configured to determine that an intrusion event has occurred on the local terminal when the system call pointer fingerprint data prestored on the local terminal is inconsistent with the system call pointer fingerprint data prestored on the server.
Alternatively, the device further comprises:
a third acquisition module, configured to obtain a system call address file, the system call address file storing the system call pointers;
a fourth comparison module, configured to compare the system call address file with the system call table;
a fourth determination module, configured to determine that an intrusion event has occurred on the local terminal when the system call address file is inconsistent with the system call table.
Alternatively, the device further comprises:
an alarm output module, configured to output alarm information according to the intrusion event.
The technical scheme provided by the embodiments of the present invention has the following beneficial effect:
By obtaining the fingerprint data of the current system call pointers and comparing the current fingerprint data with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred, intrusion events against the kernel state of the system can be detected, which achieves comprehensive protection of the system and improves system reliability.
Detailed description of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of an intrusion detection method provided by an embodiment of the present invention. The executing entity of this embodiment is a terminal device. Referring to Fig. 1, the method comprises:
101, obtaining the system call table;
102, deriving the system call pointers from the system call table;
103, processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
104, comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
105, when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal.
In the method provided by the embodiment of the present invention, the fingerprint data of the current system call pointers is obtained and compared with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred, so that intrusion events against the kernel state of the system can be detected, comprehensive protection of the system is achieved, and system reliability is improved.
Alternatively, obtaining the system call table comprises:
obtaining the system call handler entry;
obtaining the system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table;
obtaining the system call table according to the system call table pointer.
Alternatively, obtaining the system call handler entry comprises:
executing the SIDT assembly instruction to copy the base address and limit of the interrupt descriptor table held in the IDTR register into memory;
obtaining the interrupt descriptor table according to its base address and limit;
storing the interrupt descriptor table in memory;
obtaining the gate descriptor corresponding to the system call from the interrupt descriptor table;
jumping to the system call handler entry according to the descriptor.
Alternatively, obtaining the system call table pointer according to the system call handler entry comprises:
searching memory from the system call handler entry for the first CALL assembly instruction;
obtaining the system call table pointer from the operand of that CALL instruction.
Alternatively, before obtaining the system call table, the method further comprises:
in the initialization phase, obtaining the system call pointer fingerprint data of the initialization phase;
storing the system call pointer fingerprint data of the initialization phase on the local terminal.
Alternatively, after obtaining the system call pointer fingerprint data of the initialization phase, the method further comprises:
storing the system call pointer fingerprint data of the initialization phase on a server.
Alternatively, after the system call pointer fingerprint data of the initialization phase is stored on the server, the method further comprises:
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Alternatively, after the system call pointer fingerprint data of the initialization phase is stored on the server, the method further comprises:
comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Alternatively, after obtaining the system call table, the method further comprises:
obtaining a system call address file, the system call address file storing the system call pointers;
comparing the system call address file with the system call table;
when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local terminal.
Alternatively, after determining that an intrusion event has occurred on the local terminal, the method further comprises:
outputting alarm information according to the intrusion event.
All of the above optional technical schemes may be combined arbitrarily to form alternative embodiments of the present invention, which are not repeated here one by one.
Fig. 2 is a flow chart of an intrusion detection method provided by an embodiment of the present invention. The executing entity of this embodiment is a terminal device. Referring to Fig. 2, the method comprises:
201, in the initialization phase, obtaining the system call handler entry;
Specifically, step 201 comprises: executing the SIDT (Store Interrupt Descriptor Table) assembly instruction to copy the base address and limit of the interrupt descriptor table held in the IDTR (Interrupt Descriptor Table Register) into memory; obtaining the interrupt descriptor table according to that base address and limit, and storing the interrupt descriptor table in memory; and obtaining from the interrupt descriptor table the gate descriptor corresponding to the system call. This is the gate at interrupt vector 0x80, the vector raised by the int $0x80 assembly instruction; executing that instruction switches the CPU to kernel mode and transfers control to the system call handler entry, system_call(), so the address of system_call() is read from that descriptor.
The IDTR register holds the 32-bit base address and the 16-bit limit of the current interrupt descriptor table; the base address is the memory address of the interrupt descriptor table (the 32-bit x86 layout is assumed throughout this embodiment).
For example, reading the base address and limit of the interrupt descriptor table from the IDTR register and extracting the system call handler entry from the gate at vector 0x80 can be implemented with the following code, where struct struct_idt is the 8-byte gate descriptor layout (offset_low, selector, reserved, flags, offset_high):
unsigned char idtr[6];            /* SIDT stores the 16-bit limit followed by the 32-bit base */
struct struct_idt *idt;
unsigned long system_call;
asm("sidt %0" : "=m"(idtr));      /* inline assembly: store the IDTR into the idtr variable in memory */
idt = (struct struct_idt *)(*(unsigned long *)&idtr[2] + 8 * 0x80);   /* base address plus 8 bytes per gate, vector 0x80 */
system_call = (idt->offset_high << 16) | idt->offset_low;             /* the handler offset is split across the gate */
It should be noted that in the initialization phase of the intrusion detection method the reference fingerprint data used during detection must be determined; that is, the system call pointer fingerprint data prestored on the local terminal is obtained by executing step 201 and the subsequent steps.
202, obtaining the system call table pointer according to the system call handler entry;
The system call table pointer points to the first address of the system call table, and the system call table contains all of the system call pointers.
Specifically, step 202 comprises: searching memory from the system call handler entry (system_call()) for the first CALL assembly instruction, which is the instruction by which system_call() dispatches into the system call table; the 32-bit operand of that CALL instruction is the system call table pointer.
For example, obtaining the system call table pointer from the CALL instruction can be implemented with the following code, where memoryaddr points at the system_call entry obtained in step 201:
const unsigned char syscall_key[] = "\xff\x14\x85";   /* opcode bytes of call *disp32(,%eax,4) */
unsigned char *memoryaddr = (unsigned char *)system_call;
unsigned long sys_call_table_ptr = 0;
int i;
for (i = 0; i < (128 - 2); i++) {
    if (memoryaddr[i] == syscall_key[0] && memoryaddr[i + 1] == syscall_key[1]
        && memoryaddr[i + 2] == syscall_key[2]) {
        /* first CALL instruction found; its 32-bit operand is the system call table pointer */
        sys_call_table_ptr = *(unsigned long *)(memoryaddr + i + 3);
        break;
    }
}
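As an added worked example (not code from this patent), the two lookups of steps 201 and 202 are shown below on constructed byte arrays standing in for kernel memory, so that the decoding logic can be compiled and run in user space. parse_gate_offset() reassembles the handler address from an 8-byte 32-bit x86 gate descriptor, and find_sys_call_table() scans a handler's code bytes for the first call *disp32(,%eax,4) (opcode ff 14 85) and returns its 32-bit operand. The function names, the sample gate and handler bytes, and the addresses they encode are the example's own constructions; in a kernel module the gate would be read at IDTR.base + 8 * 0x80 and the code bytes at system_call itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 interrupt/trap gate descriptor: 8 bytes, as stored in the IDT. */
struct idt_gate {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  reserved;
    uint8_t  flags;
    uint16_t offset_high;
} __attribute__((packed));

/* Step 201: reassemble the handler entry address from the 8-byte gate at vector 0x80. */
uint32_t parse_gate_offset(const uint8_t gate[8])
{
    struct idt_gate g;
    memcpy(&g, gate, sizeof g);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* Step 202: scan the first `len` bytes of the handler for the first
 * "call *disp32(,%eax,4)" (opcode ff 14 85), the dispatch into the table, and
 * return its little-endian 32-bit operand, the address of sys_call_table.
 * Returns the byte offset of the instruction, or -1 if none is found. */
int find_sys_call_table(const uint8_t *code, size_t len, uint32_t *table_addr)
{
    static const uint8_t key[3] = { 0xff, 0x14, 0x85 };
    for (size_t i = 0; i + 3 + 4 <= len; i++) {   /* opcode (3) + disp32 (4) must fit */
        if (memcmp(code + i, key, 3) == 0) {
            *table_addr = (uint32_t)code[i + 3] | ((uint32_t)code[i + 4] << 8)
                        | ((uint32_t)code[i + 5] << 16) | ((uint32_t)code[i + 6] << 24);
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample data (not real kernel bytes): a gate whose offset is
 * 0xc01030c8 (selector 0x60, flags 0xef = present, DPL 3, 32-bit trap gate). */
static const uint8_t sample_gate[8] = { 0xc8, 0x30, 0x60, 0x00, 0x00, 0xef, 0x10, 0xc0 };

/* Constructed handler prologue with the dispatch call at byte offset 7. */
static const uint8_t sample_handler[] = {
    0x50, 0xfc, 0x06, 0x1e, 0x52, 0x51, 0x53,   /* push %eax; cld; push %es; push %ds; push %edx; push %ecx; push %ebx */
    0xff, 0x14, 0x85, 0x08, 0x3d, 0x33, 0xc0,   /* call *0xc0333d08(,%eax,4) */
    0x89, 0x44, 0x24, 0x18                      /* mov %eax,0x18(%esp) */
};

int main(void)
{
    uint32_t table = 0;
    uint32_t handler = parse_gate_offset(sample_gate);
    int off = find_sys_call_table(sample_handler, sizeof sample_handler, &table);

    printf("system_call    = 0x%08x\n", handler);
    if (off < 0)
        printf("no call *disp32(,%%eax,4) within %zu bytes\n", sizeof sample_handler);
    else
        printf("sys_call_table = 0x%08x (call at system_call+%d)\n", table, off);
    return 0;
}
```

The scan stops at the first match, as the patent's loop does; a practitioner checking a real kernel should also confirm that the recovered address lies in the kernel text or data range, since a handler whose prologue has been rewritten by a rootkit can place a different ff 14 85 sequence before the genuine dispatch.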
203, obtaining the system call table according to the system call table pointer;
204, deriving the system call pointers from the system call table;
Each system call pointer points to the entry address of the kernel function that the system call invokes.
In general, an operating system contains more than one kernel function, that is, more than one system call pointer. In step 204 all of the system call pointers are derived from the system call table, including the entries __NR_read, __NR_write, __NR_open, __NR_kill, __NR_mkdir, __NR_umask, __NR_getpgid, __NR_getdents64 and so on; besides the pointers enumerated above, the system call pointers may also include other kinds, which the embodiment of the present invention does not limit.
Alternatively, step 204 specifically comprises: visiting each entry of the system call table one by one in a loop, and deriving the system call pointer contained in each entry.
In addition, while deriving all of the system call pointers in the loop, the pointer held at each entry needs to be saved; this saving can be implemented with the following code:
int (*original_getdents64)(const char *);
original_getdents64 = (int (*)(const char *)) sys_call_table[__NR_getdents64];   /* save the pointer stored at entry __NR_getdents64 of sys_call_table */
The code cited in the above embodiment is only one way of implementing the corresponding function; the function may also be implemented by other programs or hardware capabilities, which the embodiment of the present invention does not limit.
205, processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
The fingerprint algorithm may be a message digest algorithm, for example the MD5 (Message Digest Algorithm 5) algorithm or the SHA-1 (Secure Hash Algorithm 1) algorithm, or it may be another similar algorithm, which the embodiment of the present invention does not limit.
It should be noted that in step 205 each system call pointer is processed separately with the fingerprint algorithm, yielding the system call pointer fingerprint data corresponding to that pointer. Preferably, each entry of the system call table is processed one by one in a loop: the system call pointer contained in the entry is derived and processed with the fingerprint algorithm to obtain its system call pointer fingerprint data.
The derivation of step 204 and the fingerprint processing of step 205 may be performed sequentially, for example by deriving all of the system call pointers in step 204 and then processing the derived pointers with the fingerprint algorithm; or they may be performed in parallel, for example by executing step 205 on each system call pointer as soon as one or more pointers have been derived in step 204, until all of the system call pointers have been derived and processed with the fingerprint algorithm.
206, storing the system call pointer fingerprint data of the initialization phase on the local terminal;
The storing may consist of storing the system call pointer fingerprint data in the form of a file in the storage device of the local terminal. For example, a file may be created in a storage device such as the disk of the terminal device and the system call pointer fingerprint data written into that file.
Preferably, when storing the system call pointer fingerprint data, each system call pointer or table entry index is stored together with the fingerprint data generated from it, so that during subsequent detection the index of the modified entry can be determined and the object of the intrusion event identified.
Steps 201 to 206 above are the process of obtaining the system call pointer fingerprint data prestored on the local terminal. Through these steps the system call pointer fingerprint data is stored as the data prestored on the local terminal and serves as the security baseline: during subsequent detection the security baseline is the comparison standard, and when the current system call pointer fingerprint data is inconsistent with the security baseline it is determined that an intrusion event has occurred on the terminal device.
207, storing the system call pointer fingerprint data of the initialization phase on a server;
Alternatively, after the system call pointer fingerprint data of the initialization phase is stored on the terminal device, it may also be stored on a server.
The server may be a server providing a verification service or a security service, or a functional module on such a server, which the embodiment of the present invention does not specifically limit.
It should be noted that, of steps 206 and 207, step 207 may be omitted so that the system call pointer fingerprint data of the initialization phase is stored only on the local terminal; or step 206 may be omitted so that it is stored only on the server; or both steps 206 and 207 may be performed, as in the embodiment of the present invention, so that if either stored copy of the fingerprint data is corrupted, the subsequent detection process can proceed with the copy held by the local terminal or by the server.
208, obtaining the current system call pointer fingerprint data;
Alternatively, step 208 specifically comprises: obtaining the current system call pointer fingerprint data at every first preset time interval. The first preset time interval may be preset by the system or the developer, which the embodiment of the present invention does not limit. The acquisition in step 208 may be performed periodically, with the first preset time interval as its period. Of course, the detection performed against the system call pointer fingerprint data prestored on the local terminal may also be triggered by the user starting the terminal device or by another user operation, which the embodiment of the present invention does not specifically limit.
It should be noted that the currently obtained system call pointer fingerprint data corresponds to the kernel state of the system at the time of acquisition. When an intrusion event occurs, one or more entries of the system call table may be modified, that is, one or more system call pointers are modified; once a system call pointer is modified, the fingerprint data obtained from the modified pointer necessarily differs from the fingerprint data obtained in the initialization phase, so whether an intrusion event has occurred can be determined by comparing fingerprint data.
In step 208, the process of obtaining the current system call pointer fingerprint data is the same as the process of steps 201 to 205 (obtaining the table as in steps 201 to 203, then deriving and fingerprinting the pointers as in steps 204 and 205) and is not repeated here.
209, comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
Specifically, step 209 comprises: obtaining from the local terminal the system call pointer fingerprint data prestored there, and comparing the currently obtained system call pointer fingerprint data with the prestored data group by group, each group being the fingerprint data with the same table entry index; if any one or more groups are inconsistent, it is determined that an intrusion event has occurred on the local terminal.
Because the fingerprint data is stored together with the system call pointer or table entry index from which it was generated, when the comparison finds the fingerprint data of any system call pointer or table entry index to be inconsistent, it can be determined that an intrusion event has currently occurred on the terminal device, and the inconsistent system call pointer or table entry index is recorded so that the intrusion event can later be repaired in a targeted way.
210, when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal, and performing step 213;
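As an added worked example (not the patent's code), the baseline-and-compare logic of steps 204 to 210 is shown below on a constructed table of eight pointer values standing in for sys_call_table entries. Plain C has no MD5 or SHA-1 in its standard library, so the per-entry fingerprint here is FNV-1a over the pointer bytes; the patent's digest algorithm of step 205 would take its place, and that substitution, the entry numbering, the entry names and the sample addresses are all the example's own assumptions. build_baseline() produces the prestored fingerprint per entry index, compare_fingerprints() reports which entry indices changed (the record step 209 calls for), and simulate_hook_and_detect() runs one detection cycle after a simulated replacement of the __NR_getdents64 pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NR_ENTRIES 8

/* Entry indices (labels) of the constructed table; the names mirror the __NR_*
 * constants the text lists, the numbering is the example's own. */
enum { NR_read, NR_write, NR_open, NR_kill, NR_mkdir, NR_umask, NR_getpgid, NR_getdents64 };
static const char *entry_names[NR_ENTRIES] = {
    "__NR_read", "__NR_write", "__NR_open", "__NR_kill",
    "__NR_mkdir", "__NR_umask", "__NR_getpgid", "__NR_getdents64"
};

/* Step 205: fingerprint one system call pointer. FNV-1a 64 over the pointer's
 * bytes stands in for the MD5/SHA-1 digest of the patent. */
uint64_t fingerprint_pointer(uintptr_t ptr)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof ptr; i++) {
        h ^= (uint8_t)(ptr >> (8 * i));
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Steps 204 to 206: derive every pointer from the table and store its fingerprint
 * under the same entry index; the result is the security baseline. */
void build_baseline(const uintptr_t *table, size_t n, uint64_t *baseline)
{
    for (size_t i = 0; i < n; i++)
        baseline[i] = fingerprint_pointer(table[i]);
}

/* Steps 208 to 210: fingerprint the current table and compare entry by entry.
 * The indices of changed entries are written to `changed`; returns how many changed. */
size_t compare_fingerprints(const uintptr_t *table, size_t n,
                            const uint64_t *baseline, size_t *changed)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (fingerprint_pointer(table[i]) != baseline[i])
            changed[count++] = i;
    return count;
}

/* Constructed sample: eight handler addresses in a 32-bit kernel address range (not real). */
static uintptr_t sample_table[NR_ENTRIES] = {
    0xc0106a40, 0xc0106b10, 0xc0107c20, 0xc0120e80,
    0xc0130100, 0xc0130180, 0xc0118e90, 0xc0131a50
};

/* One detection cycle: take the baseline, simulate a rootkit replacing the
 * getdents64 pointer with its own handler, then compare. Restores the table. */
size_t simulate_hook_and_detect(size_t *changed)
{
    uint64_t baseline[NR_ENTRIES];
    build_baseline(sample_table, NR_ENTRIES, baseline);
    uintptr_t saved = sample_table[NR_getdents64];
    sample_table[NR_getdents64] = 0xd0131a50;   /* constructed attacker handler address */
    size_t count = compare_fingerprints(sample_table, NR_ENTRIES, baseline, changed);
    sample_table[NR_getdents64] = saved;
    return count;
}

int main(void)
{
    size_t changed[NR_ENTRIES];
    size_t count = simulate_hook_and_detect(changed);
    if (count == 0) {
        printf("no intrusion event\n");
    } else {
        printf("intrusion event: %zu entr%s modified\n", count, count == 1 ? "y" : "ies");
        for (size_t i = 0; i < count; i++)
            printf("  changed entry %zu (%s)\n", changed[i], entry_names[changed[i]]);
    }
    return 0;
}
```

The fingerprint covers only the pointer value, so this detects a replaced table entry but not a hook that patches the first instructions of the original handler in place; extending the fingerprint to the handler's leading code bytes, in addition to the pointer, closes that gap without changing the comparison logic above.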
211, comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
In the embodiment of the present invention, steps 209 to 211 are described taking as an example the case where, in parallel with comparing the currently obtained system call pointer fingerprint data with the data prestored on the local terminal, the data prestored on the local terminal is compared with the data prestored on the server. In another embodiment provided by the present invention, steps 209 to 211 may be replaced by the following: comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server; and when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Since the probability that an intrusion event modifies the system call pointer fingerprint data prestored on the local terminal is small, the comparison between the data prestored on the local terminal and the data prestored on the server need not be performed in every detection cycle. In yet another embodiment provided by the present invention, steps 209 to 211 may be replaced by the following: setting a second preset time interval, and at every second preset time interval comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server, and determining that an intrusion event has occurred on the local terminal if they are inconsistent; the second preset time interval is longer than the first preset time interval and may be preset by the system or the developer, which the embodiment of the present invention does not limit.
Specifically, step 211 comprises either of the following interactions: (1) obtaining from the server the system call pointer fingerprint data prestored on the server, and comparing it with the system call pointer fingerprint data prestored on the local terminal; (2) sending the system call pointer fingerprint data prestored on the local terminal to the server, the server comparing the data it has prestored with the data prestored on the local terminal and returning the comparison result to the local terminal.
212, when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal;
It should be noted that in step 212, when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the data prestored on the server, the system call pointers corresponding to the data prestored on the local terminal are considered to differ from the system call pointers at the time the security baseline was established, and it is determined that an intrusion event has occurred on the local terminal.
Alternatively, after the system call table is obtained in step 203, the method further comprises: obtaining a system call address file, the system call address file storing the system call pointers; comparing the system call address file with the system call table; and when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local terminal.
Since the system call address file contains all of the system call pointers, the pointers contained in the system call address file correspond one to one with the entries of the system call table; according to the table entry index, each entry of the system call address file is compared with the entry of the system call table having the same index, and when any one or more pairs of corresponding entries are inconsistent, it is determined that an intrusion event has occurred on the local terminal.
213, outputting alarm information according to the intrusion event.
The alarm information output according to the intrusion event may be a preset sound emitted by the local terminal, termination of the current intrusion behaviour, an e-mail sent to a remote control centre, or another means having an alarm function; the alarm information may also combine several of these means, which the embodiment of the present invention does not limit.
In the embodiment of the present invention, the description takes a Linux system as an example only; in fact, for other operating systems in which the kernel state is separated from the user state, intrusion detection may likewise be performed by applying the method provided by the embodiment of the present invention, which the embodiment of the present invention does not limit.
In the method provided by the embodiment of the present invention, the fingerprint data of the current system call pointers is obtained and compared with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred, so that intrusion events against the kernel state of the system can be detected, comprehensive protection of the system is achieved, and system reliability is improved.
Referring to Fig. 3, an embodiment of the present invention provides an intrusion detection device, which includes: a first acquisition module 301, a derivation module 302, a fingerprint algorithm processing module 303, a first comparing module 304 and a first determining module 305. The first acquisition module 301 is configured to obtain the system call table. The first acquisition module 301 is connected with the derivation module 302, which is configured to derive the system call pointers from the system call table. The derivation module 302 is connected with the fingerprint algorithm processing module 303, which is configured to process the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data. The fingerprint algorithm processing module 303 is connected with the first comparing module 304, which is configured to compare the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal. The first comparing module 304 is connected with the first determining module 305, which is configured to determine that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data prestored on the local terminal.
Optionally, referring to Fig. 4, on the basis of the device structure shown in Fig. 3, the first acquisition module 301 includes: a first acquiring unit 3011, a second acquiring unit 3012 and a third acquiring unit 3013. The first acquiring unit 3011 is configured to obtain the system call handler entry. The first acquiring unit 3011 is connected with the second acquiring unit 3012, which is configured to obtain the system call table pointer according to the system call handler entry, where the system call table pointer points to the first address of the system call table. The second acquiring unit 3012 is connected with the third acquiring unit 3013, which is configured to obtain the system call table according to the system call table pointer.
Optionally, the first acquiring unit 3011 is further configured to execute the SIDT assembly instruction, copying the base address and the length value of the interrupt descriptor table held in the IDTR register into memory; obtain the interrupt descriptor table according to that base address and length value; store the interrupt descriptor table in memory; obtain the gate descriptor corresponding to the system call from the interrupt descriptor table; and, according to that gate descriptor, jump to the system call handler entry.
Optionally, the second acquiring unit 3012 is further configured to search memory for the first Call assembly instruction and execute it, where the Call assembly instruction obtains the system call table pointer according to the system call handler entry.
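The two steps of units 3011 and 3012 (pick the system call gate out of the IDT, then find the table-indexed Call in the handler) as an added example that is not part of the patent text. The IDT image, the IDTR contents, the gate contents and the handler bytes are all constructed here; on a real system SIDT and a kernel-mode read of the handler would supply them, and the gate vector is 0x80 for the Linux int 0x80 entry. The scan matches the indexed indirect call specifically rather than the first call of any kind, because a direct call (opcode e8) earlier in the handler carries a target address, not the table pointer; it recognises both the (,%eax,4) encoding ff 14 85 of a 32-bit table and the (,%rax,8) encoding ff 14 c5 of a 64-bit one, which goes slightly beyond the 32-bit case the text describes.

```c
/* Added example, not from the patent: locate the system call table from an
 * IDT image and the bytes of the system call handler. All data constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit interrupt/trap gate descriptor (Intel SDM vol. 3): 8 bytes. */
struct idt_gate32 {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  zero;
    uint8_t  type_attr;      /* present bit, DPL, gate type */
    uint16_t offset_high;
} __attribute__((packed));

/* IDTR image as written to memory by SIDT in 32-bit mode. */
struct idtr32 {
    uint16_t limit;          /* offset of the last valid byte, i.e. size - 1 */
    uint32_t base;           /* linear address the IDT image was read from */
} __attribute__((packed));

/* Unit 3011: take the gate for vector vec out of the IDT image and return the
 * handler entry it points to, or 0 when the vector lies beyond the limit.
 * Little-endian (x86) host layout is assumed for the memcpy. */
uint32_t gate_handler_entry(const struct idtr32 *idtr, const uint8_t *idt_image, unsigned vec)
{
    size_t end = ((size_t)vec + 1) * sizeof(struct idt_gate32);
    if (end > (size_t)idtr->limit + 1)
        return 0;
    struct idt_gate32 g;
    memcpy(&g, idt_image + (size_t)vec * sizeof g, sizeof g);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* Unit 3012: scan handler bytes for the first table-indexed Call and return
 * its disp32, the address of the system call table. *scale receives 4 for a
 * 32-bit table or 8 for a 64-bit one. Direct calls (e8) are not matched.
 * Returns 0 if no such instruction is found. */
uint32_t find_table_call(const uint8_t *code, size_t len, unsigned *scale)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] != 0xff || code[i + 1] != 0x14)
            continue;
        if (code[i + 2] == 0x85)
            *scale = 4;                      /* call *disp32(,%eax,4) */
        else if (code[i + 2] == 0xc5)
            *scale = 8;                      /* call *disp32(,%rax,8) */
        else
            continue;
        return (uint32_t)code[i + 3] | (uint32_t)code[i + 4] << 8 |
               (uint32_t)code[i + 5] << 16 | (uint32_t)code[i + 6] << 24;
    }
    return 0;
}

/* Constructed handler bytes modelled on the int 0x80 entry path. A direct
 * call precedes the table-indexed one so the scan has to skip it. */
static const uint8_t HANDLER_CODE[] = {
    0x50,                                     /* push %eax */
    0xfc,                                     /* cld */
    0xe8, 0x10, 0x00, 0x00, 0x00,             /* call <rel32>   (direct, skipped) */
    0x3d, 0x4c, 0x01, 0x00, 0x00,             /* cmp $0x14c,%eax (NR_syscalls) */
    0x73, 0x07,                               /* jae <badsys> */
    0xff, 0x14, 0x85, 0xe0, 0xa3, 0x30, 0xc0, /* call *0xc030a3e0(,%eax,4) */
    0x89, 0x44, 0x24, 0x18,                   /* mov %eax,0x18(%esp) */
};

/* Demo: an IDT image with only vector 0x80 populated (DPL 3 trap gate to the
 * constructed entry 0xc0106b80), then both steps. Returns the located table
 * pointer, 0xc030a3e0 here, or 0 on failure. */
uint32_t demo_locate_table(void)
{
    uint8_t idt[0x81 * sizeof(struct idt_gate32)] = {0};
    struct idtr32 idtr = { .limit = (uint16_t)(sizeof idt - 1), .base = 0xc0400000u };
    struct idt_gate32 g = { .offset_low = 0x6b80, .selector = 0x60, .zero = 0,
                            .type_attr = 0xef, .offset_high = 0xc010 };
    memcpy(idt + 0x80 * sizeof g, &g, sizeof g);

    uint32_t entry = gate_handler_entry(&idtr, idt, 0x80);
    if (entry != 0xc0106b80u)
        return 0;
    unsigned scale = 0;
    return find_table_call(HANDLER_CODE, sizeof HANDLER_CODE, &scale);
}

int main(void)
{
    uint32_t t = demo_locate_table();
    if (t)
        printf("system call table pointer: 0x%08x\n", (unsigned)t);
    else
        printf("table-indexed call not found\n");
    return 0;
}
```

On a live system the bytes passed to find_table_call are read starting at the handler entry that gate_handler_entry returned, and the scan is bounded to the handler's own length so that a matching byte sequence in unrelated code is not taken for the table pointer.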
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 5, on the basis of the device structure shown in Fig. 3, the device further includes: a second acquisition module 306 and a first storage module 307. The first acquisition module 301 is connected with the second acquisition module 306, which is configured to obtain, during the initialization phase, the system call pointer fingerprint data of the initialization phase. The second acquisition module 306 is connected with the first storage module 307, which is configured to store the system call pointer fingerprint data of the initialization phase on the local terminal.
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 6, on the basis of the device structure shown in Fig. 5, the device further includes: a second storage module 308. The second acquisition module 306 is connected with the second storage module 308, which is configured to store the system call pointer fingerprint data of the initialization phase on a server.
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 7, on the basis of the device structure shown in Fig. 6, the device further includes: a second comparing module 309 and a second determining module 310. The second storage module 308 is connected with the second comparing module 309, which is configured to compare the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server. The second comparing module 309 is connected with the second determining module 310, which is configured to determine that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data prestored on the server.
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 8, on the basis of the device structure shown in Fig. 6, the device further includes: a third comparing module 311 and a third determining module 312. The second storage module 308 is connected with the third comparing module 311, which is configured to compare the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server. The third comparing module 311 is connected with the third determining module 312, which is configured to determine that an intrusion event has occurred on the local terminal when the system call pointer fingerprint data prestored on the local terminal is inconsistent with the system call pointer fingerprint data prestored on the server.
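The fingerprint-and-compare cycle of modules 301 to 305 (Fig. 3), the initialization-phase baselines that modules 307 and 308 keep locally and on the server (Figs. 5 and 6), and the two server-side comparisons of Figs. 7 and 8, run together over a constructed system call table as an added example that is not part of the patent text. FNV-1a (64-bit) stands in for the fingerprint algorithm, which the patent does not name; all addresses are constructed. The third scenario shows what the Fig. 8 comparison buys: an intruder who hooks the table and also rewrites the locally stored fingerprint defeats the local check, but not the copy held on the server.

```c
/* Added example, not from the patent: baseline fingerprints held locally and
 * on a server, and the three comparisons that use them. Data constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 6

/* Constructed table contents, not real kernel addresses. */
static const uintptr_t CLEAN_TABLE[NR_SYSCALLS] = {
    0xc0102a10, 0xc0134f20, 0xc0102b40, 0xc0173e80, 0xc0173fa0, 0xc0172c10,
};

/* Initialization-phase baselines: module 307 stores one on the local
 * terminal, module 308 stores a copy on the server. */
struct detector {
    uint64_t local_baseline;
    uint64_t server_baseline;
};

/* Which comparison failed. */
enum {
    MISMATCH_LOCAL     = 1,  /* Fig. 3: current vs. locally prestored */
    MISMATCH_SERVER    = 2,  /* Fig. 7: current vs. server-prestored */
    MISMATCH_BASELINES = 4,  /* Fig. 8: locally prestored vs. server-prestored */
};

/* Modules 302/303: read each pointer out of the table in order and fold it
 * into the fingerprint. FNV-1a 64 is the assumed algorithm. */
uint64_t fingerprint_table(const uintptr_t *table, size_t n)
{
    uint64_t h = 14695981039346656037ULL;        /* FNV-1a offset basis */
    for (size_t i = 0; i < n; i++)
        for (size_t b = 0; b < sizeof table[i]; b++) {
            h ^= (uint8_t)(table[i] >> (8 * b));
            h *= 1099511628211ULL;               /* FNV prime */
        }
    return h;
}

/* Modules 306 to 308: fingerprint a known-clean table once, at
 * initialization, and store it in both places. */
void detector_init(struct detector *d, const uintptr_t *table, size_t n)
{
    d->local_baseline = d->server_baseline = fingerprint_table(table, n);
}

/* Modules 301 to 305 plus the Fig. 7 and Fig. 8 comparisons. Returns 0 when
 * everything agrees, otherwise a bitmask of MISMATCH_* flags. */
int detector_check(const struct detector *d, const uintptr_t *table, size_t n)
{
    uint64_t cur = fingerprint_table(table, n);
    int r = 0;
    if (cur != d->local_baseline)                r |= MISMATCH_LOCAL;
    if (cur != d->server_baseline)               r |= MISMATCH_SERVER;
    if (d->local_baseline != d->server_baseline) r |= MISMATCH_BASELINES;
    return r;
}

/* Scenario 1: untouched table. Result 0. */
int scenario_clean(void)
{
    struct detector d;
    detector_init(&d, CLEAN_TABLE, NR_SYSCALLS);
    return detector_check(&d, CLEAN_TABLE, NR_SYSCALLS);
}

/* Scenario 2: one entry redirected to a constructed module-area address, as
 * a rootkit hook would. Result MISMATCH_LOCAL | MISMATCH_SERVER. */
int scenario_hooked(void)
{
    struct detector d;
    uintptr_t live[NR_SYSCALLS];
    detector_init(&d, CLEAN_TABLE, NR_SYSCALLS);
    memcpy(live, CLEAN_TABLE, sizeof live);
    live[4] = 0xd0851000;                        /* sys_write slot hooked */
    return detector_check(&d, live, NR_SYSCALLS);
}

/* Scenario 3: same hook, but the intruder also rewrote the locally stored
 * fingerprint to match the hooked table. The local comparison now passes;
 * only the server copy exposes it. Result MISMATCH_SERVER | MISMATCH_BASELINES. */
int scenario_hooked_forged_local_baseline(void)
{
    struct detector d;
    uintptr_t live[NR_SYSCALLS];
    detector_init(&d, CLEAN_TABLE, NR_SYSCALLS);
    memcpy(live, CLEAN_TABLE, sizeof live);
    live[4] = 0xd0851000;
    d.local_baseline = fingerprint_table(live, NR_SYSCALLS);   /* forged */
    return detector_check(&d, live, NR_SYSCALLS);
}

int main(void)
{
    printf("clean: %d\nhooked: %d\nhooked + forged local baseline: %d\n",
           scenario_clean(), scenario_hooked(),
           scenario_hooked_forged_local_baseline());
    return 0;
}
```

The baseline is only as good as the system it was taken on: detector_init must run before any untrusted code has had kernel access, and the fingerprint sent to the server should travel over an authenticated channel, since a server copy the intruder can also rewrite collapses scenario 3 back into an undetected hook.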
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 9, on the basis of the device structure shown in Fig. 3, the device further includes: a third acquisition module 313, a fourth comparing module 314 and a fourth determining module 315. The first acquisition module 301 is connected with the third acquisition module 313, which is configured to obtain the system call address file, where the system call address file stores the system call pointers. The third acquisition module 313 is connected with the fourth comparing module 314, which is configured to compare the system call address file with the system call table. The fourth comparing module 314 is connected with the fourth determining module 315, which is configured to determine that an intrusion event has occurred on the local terminal when the system call address file is inconsistent with the system call table.
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 10, on the basis of the device structure shown in Fig. 3, the device further includes: an alarm output module 316. The first determining module 305 is connected with the alarm output module 316, which is configured to output alarm information according to the intrusion event.
It should be noted that, when the intrusion detection device provided by the above embodiment performs intrusion detection, the division into the functional modules described above is given only as an illustration; in practical application, the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into functional modules different from those described, in order to complete all or part of the functions described above. In addition, the intrusion detection device provided by the above embodiment and the embodiment of the intrusion detection method belong to the same concept; for its specific implementation process, refer to the method embodiment, which is not repeated here.
In the device provided by the embodiment of the present invention, fingerprint data of the current system call pointers is obtained and compared with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred. Intrusion events against the kernel mode of the system can thus be detected, comprehensive protection of the system is achieved, and system reliability is improved.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the related hardware; the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent substitution, improvement, or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.