CN103514402B - Intrusion detection method and device - Google Patents

Intrusion detection method and device

Info

Publication number: CN103514402B
Authority: CN (China)
Prior art keywords: system call, fingerprint data, pointer, local terminal
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201310462793.4A
Other languages: Chinese (zh)
Other versions: CN103514402A
Inventors: 韩方, 张涛
Current assignee: Guangzhou Huaduo Network Technology Co Ltd
Original assignee: Guangzhou Huaduo Network Technology Co Ltd
Events: application filed by Guangzhou Huaduo Network Technology Co Ltd; priority to CN201310462793.4A; publication of CN103514402A; application granted; publication of CN103514402B; legal status active; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention discloses an intrusion detection method and device, and belongs to the technical field of computer security. The method comprises: obtaining the system call table; deriving the system call pointers from the system call table; processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data; comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal; and, when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal. The intrusion detection device comprises a first obtaining module, a deriving module, a fingerprint algorithm processing module, a first comparison module and a first determining module. By comparing the present fingerprint data with the prestored system call pointer fingerprint data to judge whether an intrusion event has occurred, intrusion events against the system kernel mode can be detected, comprehensive protection of the system is achieved, and system reliability is improved.

Description

Intrusion detection method and device
Technical field
The present invention relates to the field of computer security, and in particular to an intrusion detection method and device.
Background technology
As Linux systems are used more and more for enterprise servers, how to improve the security of Linux systems has become an important problem.
To provide real-time protection for Linux systems, host-based intrusion detection technology is generally used: it collects and analyses user-mode information such as system logs, configuration files, library files and system commands, and from that detects whether an intrusion event has occurred in the system.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem:
A Linux system is divided into two parts, user mode and kernel mode. The information collected and analysed by current Linux host-based intrusion detection technology is user-mode information; it cannot inspect the Linux kernel, and therefore cannot detect intrusion events against the Linux kernel mode.
Summary of the invention
To solve the problems of the prior art, embodiments of the present invention provide an intrusion detection method and device. The technical solution is as follows:
In one aspect, an intrusion detection method is provided, the method comprising:
obtaining a system call table;
deriving system call pointers from the system call table;
processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal;
wherein obtaining the system call table comprises:
obtaining the system call handler entry;
obtaining, according to the system call handler entry, the system call table pointer, which points to the first address of the system call table;
obtaining the system call table according to the system call table pointer;
and obtaining the system call handler entry comprises:
executing the SIDT assembly instruction to copy the base address and limit (length) value of the interrupt descriptor table held in the IDTR register into memory;
obtaining the interrupt descriptor table according to its base address and limit value;
storing the interrupt descriptor table in memory;
obtaining, from the interrupt descriptor table, the gate descriptor corresponding to the system call;
jumping, according to the gate descriptor, to the system call handler entry.
Optionally, obtaining the system call table pointer according to the system call handler entry comprises:
searching memory for the first Call assembly instruction;
executing the Call assembly instruction;
the Call assembly instruction obtaining the system call table pointer according to the system call handler entry.
Optionally, before obtaining the system call table, the method further comprises:
in an initialization phase, obtaining the system call pointer fingerprint data of the initialization phase;
storing the system call pointer fingerprint data of the initialization phase on the local terminal.
Optionally, after obtaining the system call pointer fingerprint data of the initialization phase, the method further comprises:
storing the system call pointer fingerprint data of the initialization phase on a server.
Optionally, after storing the system call pointer fingerprint data of the initialization phase on the server, the method further comprises:
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Optionally, after storing the system call pointer fingerprint data of the initialization phase on the server, the method further comprises:
comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Optionally, after obtaining the system call table, the method further comprises:
obtaining a system call address file, which stores the system call pointers;
comparing the system call address file with the system call table;
when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local terminal.
Optionally, after determining that an intrusion event has occurred on the local terminal, the method further comprises:
outputting alarm information according to the intrusion event.
In another aspect, an intrusion detection device is provided, the device comprising:
a first obtaining module, for obtaining a system call table;
a deriving module, for deriving system call pointers from the system call table;
a fingerprint algorithm processing module, for processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
a first comparison module, for comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
a first determining module, for determining that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal;
wherein the first obtaining module comprises:
a first obtaining unit, for obtaining the system call handler entry;
a second obtaining unit, for obtaining, according to the system call handler entry, the system call table pointer, which points to the first address of the system call table;
a third obtaining unit, for obtaining the system call table according to the system call table pointer;
and the first obtaining unit is further configured to execute the SIDT assembly instruction to copy the base address and limit (length) value of the interrupt descriptor table held in the IDTR register into memory; obtain the interrupt descriptor table according to that base address and limit value; store the interrupt descriptor table in memory; obtain, from the interrupt descriptor table, the gate descriptor corresponding to the system call; and jump, according to the gate descriptor, to the system call handler entry.
Optionally, the second obtaining unit is further configured to search memory for the first Call assembly instruction; execute the Call assembly instruction; and have the Call assembly instruction obtain the system call table pointer according to the system call handler entry.
Optionally, the device further comprises:
a second obtaining module, for obtaining, in the initialization phase, the system call pointer fingerprint data of the initialization phase;
a first storage module, for storing the system call pointer fingerprint data of the initialization phase on the local terminal.
Optionally, the device further comprises:
a second storage module, for storing the system call pointer fingerprint data of the initialization phase on a server.
Optionally, the device further comprises:
a second comparison module, for comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
a second determining module, for determining that an intrusion event has occurred on the local terminal when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server.
Optionally, the device further comprises:
a third comparison module, for comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
a third determining module, for determining that an intrusion event has occurred on the local terminal when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server.
Optionally, the device further comprises:
a third obtaining module, for obtaining a system call address file, which stores the system call pointers;
a fourth comparison module, for comparing the system call address file with the system call table;
a fourth determining module, for determining that an intrusion event has occurred on the local terminal when the system call address file is determined to be inconsistent with the system call table.
Optionally, the device further comprises:
an alarm output module, for outputting alarm information according to the intrusion event.
The technical solution provided by the embodiments of the present invention has the following beneficial effect:
by obtaining the fingerprint data of the current system call pointers and comparing it with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred, intrusion events against the system kernel mode can be detected, comprehensive protection of the system is achieved, and system reliability is improved.
Accompanying drawing explanation
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an intrusion detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of an intrusion detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Fig. 1 is a flowchart of an intrusion detection method provided by an embodiment of the present invention. The executing entity of this embodiment is a terminal device. Referring to Fig. 1, the method comprises:
101. obtaining a system call table;
102. deriving system call pointers from the system call table;
103. processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
104. comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the local terminal;
105. when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the local terminal, determining that an intrusion event has occurred on the local terminal.
In the method provided by the embodiment of the present invention, the fingerprint data of the current system call pointers is obtained and compared with the prestored system call pointer fingerprint data to determine whether an intrusion event has occurred. Intrusion events against the system kernel mode can thus be detected, comprehensive protection of the system is achieved, and system reliability is improved.
Optionally, obtaining the system call table comprises:
obtaining the system call handler entry;
obtaining, according to the system call handler entry, the system call table pointer, which points to the first address of the system call table;
obtaining the system call table according to the system call table pointer.
Optionally, obtaining the system call handler entry comprises:
executing the SIDT assembly instruction to copy the base address and limit (length) value of the interrupt descriptor table held in the IDTR register into memory;
obtaining the interrupt descriptor table according to its base address and limit value;
storing the interrupt descriptor table in memory;
obtaining, from the interrupt descriptor table, the gate descriptor corresponding to the system call;
jumping, according to the gate descriptor, to the system call handler entry.
Optionally, obtaining the system call table pointer according to the system call handler entry comprises:
searching memory for the first Call assembly instruction;
executing the Call assembly instruction;
the Call assembly instruction obtaining the system call table pointer according to the system call handler entry.
Optionally, before obtaining the system call table, the method further comprises:
in an initialization phase, obtaining the system call pointer fingerprint data of the initialization phase;
storing the system call pointer fingerprint data of the initialization phase on the local terminal.
Optionally, after obtaining the system call pointer fingerprint data of the initialization phase, the method further comprises:
storing the system call pointer fingerprint data of the initialization phase on a server.
Optionally, after storing the system call pointer fingerprint data of the initialization phase on the server, the method further comprises:
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data prestored on the server;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Optionally, after storing the system call pointer fingerprint data of the initialization phase on the server, the method further comprises:
comparing the system call pointer fingerprint data prestored on the local terminal with the system call pointer fingerprint data prestored on the server;
when the system call pointer fingerprint data prestored on the local terminal is determined to be inconsistent with the system call pointer fingerprint data prestored on the server, determining that an intrusion event has occurred on the local terminal.
Optionally, after obtaining the system call table, the method further comprises:
obtaining a system call address file, which stores the system call pointers;
comparing the system call address file with the system call table;
when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local terminal.
Optionally, after determining that an intrusion event has occurred on the local terminal, the method further comprises:
outputting alarm information according to the intrusion event.
All of the optional technical solutions above may be combined arbitrarily to form optional embodiments of the present invention, which are not described one by one here.
Fig. 2 is a flowchart of an intrusion detection method provided by an embodiment of the present invention. The executing entity of this embodiment is a terminal device. Referring to Fig. 2, the method comprises:
201. in the initialization phase, obtaining the system call handler entry;
Specifically, step 201 comprises: executing the SIDT (Store Interrupt Descriptor Table) assembly instruction to copy the base address and limit (length) value of the interrupt descriptor table held in the IDTR (Interrupt Descriptor Table Register) into memory; obtaining the interrupt descriptor table according to that base address and limit value and storing it in memory; obtaining, from the interrupt descriptor table, the gate descriptor corresponding to the system call. This is the gate through which the int $0x80 assembly instruction switches the CPU into kernel mode and transfers control to the system call handler entry, system_call(); from the descriptor, the handler entry is obtained.
The IDTR register holds the 32-bit base address and the 16-bit limit (length) value of the current interrupt descriptor table; the base address is the memory address of the interrupt descriptor table.
For example, obtaining the base address and limit value of the interrupt descriptor table from the IDTR register, as described above, can be implemented with the following code:
struct struct_idt { unsigned short offset_low, selector; unsigned char zero, flags; unsigned short offset_high; } __attribute__((packed)) *idt;  /* 8-byte gate descriptor */
unsigned char idtr[6]; unsigned long system_call;  /* idtr: 16-bit limit followed by 32-bit base */
asm("sidt %0" : "=m"(idtr));  /* the inline assembly stores the IDTR (sidt output) into idtr, i.e. exports the interrupt descriptor table base and limit into memory */
idt = (struct struct_idt *)(*(unsigned long *)&idtr[2] + 8 * 0x80);  /* gate 0x80 lives at base + 8 * 0x80 */
system_call = (idt->offset_high << 16) | idt->offset_low;  /* handler entry is split across the two offset halves */
It should be noted that in the initialization phase of the intrusion detection method, the reference fingerprint data used during detection must be determined; that is, the system call pointer fingerprint data prestored on the local terminal is obtained by executing step 201 and the subsequent steps.
202. obtaining the system call table pointer according to the system call handler entry;
The system call table pointer points to the first address of the system call table (sys_call_table), and the system call table contains all system call pointers.
Specifically, step 202 comprises: searching memory, starting from the system call handler entry (system_call()), for the first Call assembly instruction and executing it; in the course of that Call instruction, the system call table pointer is obtained according to the system call handler entry, since this is the instruction by which system_call() dispatches through the system call table.
For example, obtaining the system call table pointer by means of the Call instruction, as described above, can be implemented with the following code:
unsigned char *memoryaddr = (unsigned char *)system_call; unsigned long *sys_call_table; int i;  /* scan starts at the handler entry */
const unsigned char syscall_key[] = "\xff\x14\x85";  /* opcode bytes of call *disp32(,%eax,4) */
for (i = 0; i < (128 - 2); i++) {
    if (memoryaddr[i] == syscall_key[0] && memoryaddr[i + 1] == syscall_key[1] && memoryaddr[i + 2] == syscall_key[2])
        break;  /* first Call instruction found; it is the one used to obtain the system call table pointer */
}
sys_call_table = *(unsigned long **)(memoryaddr + i + 3);  /* the 32-bit operand after the opcode is the table's first address */
203. obtaining the system call table according to the system call table pointer;
204. deriving the system call pointers from the system call table;
Each system call pointer points to the entry address of the kernel function that the corresponding system call invokes.
In general, an operating system contains more than one kernel function, i.e. there is more than one system call pointer. In step 204, all system call pointers are derived from the system call table, including those for __NR_read, __NR_write, __NR_open, __NR_kill, __NR_mkdir, __NR_umask, __NR_getpgid, __NR_getdents64 and so on. Besides the pointers listed above, the system call pointers may also include other kinds; the embodiment of the present invention does not limit this.
Optionally, step 204 specifically comprises: visiting each node (entry) of the system call table one by one in a loop, thereby deriving the system call pointer contained in each node.
In addition, during the loop, while all system call pointers are being derived, the pointer read from the system call table needs to be saved; this saving can be implemented with the following code:
original_getdents64 = (int (*)(const char *))sys_call_table[__NR_getdents64];  /* save the __NR_getdents64 pointer read from the system call table */
The code cited in the above embodiment is only one way of realizing the corresponding function; the function may also be realized by other programs or hardware capabilities, and the embodiment of the present invention does not limit this.
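The following is an added example written for this page; it is not the patent's code. It replays steps 201 to 203 in user space on a constructed memory image, so the decoding logic can run and be checked offline: the 6-byte IDTR image, the int $0x80 gate descriptor and the first bytes of a system_call handler are all built inline (the real procedure reads them with SIDT from inside a 32-bit Linux kernel module). The struct_idt layout, the offset_high:offset_low reconstruction, the 128-byte scan and the ff 14 85 opcode of call *disp32(,%eax,4) are the page's own; the names locate_system_call, locate_sys_call_table, read_syscall_pointer, build_memory and the addresses IDT_BASE, HANDLER and TABLE, as well as the table's entry values, are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x1000   /* size of the constructed "kernel memory" image */
#define IDT_BASE 0x0100   /* constructed IDT base address inside the image */
#define HANDLER  0x0900   /* constructed address of system_call() */
#define TABLE    0x0a00   /* constructed address of sys_call_table */

/* 32-bit IDT gate descriptor, same layout as the page's struct_idt. */
struct gate_desc {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  zero;
    uint8_t  flags;
    uint16_t offset_high;
} __attribute__((packed));

/* Step 201: read the IDTR image (16-bit limit, 32-bit base), take gate 0x80 at
 * base + 8*0x80, and rebuild the handler entry from offset_high:offset_low. */
uint32_t locate_system_call(const uint8_t *mem, const uint8_t idtr[6])
{
    uint32_t base;
    struct gate_desc gate;
    memcpy(&base, idtr + 2, sizeof base);
    memcpy(&gate, mem + base + 8 * 0x80, sizeof gate);
    return ((uint32_t)gate.offset_high << 16) | gate.offset_low;
}

/* Step 202: scan the first 128 bytes of the handler for the first
 * call *disp32(,%eax,4) (opcode ff 14 85); its 32-bit operand is the absolute
 * address of sys_call_table. Returns 0 when no such call is found. */
uint32_t locate_sys_call_table(const uint8_t *mem, uint32_t handler)
{
    static const uint8_t syscall_key[3] = { 0xff, 0x14, 0x85 };
    for (int i = 0; i < 128 - 2; i++) {
        if (memcmp(mem + handler + i, syscall_key, 3) == 0) {
            uint32_t table;
            memcpy(&table, mem + handler + i + 3, sizeof table);
            return table;
        }
    }
    return 0;
}

/* Step 203/204: entry nr of the table is a 4-byte little-endian pointer. */
uint32_t read_syscall_pointer(const uint8_t *mem, uint32_t table, unsigned nr)
{
    uint32_t fn;
    memcpy(&fn, mem + table + 4 * nr, sizeof fn);
    return fn;
}

/* Constructed image: gate 0x80 -> HANDLER; the handler pushes three registers
 * and then dispatches through TABLE; TABLE holds eight made-up kernel addresses. */
void build_memory(uint8_t *mem, uint8_t idtr[6])
{
    uint16_t limit = 256 * 8 - 1;
    uint32_t base = IDT_BASE, table = TABLE;
    struct gate_desc gate = {
        .offset_low = HANDLER & 0xffff, .selector = 0x60,  /* 0x60: __KERNEL_CS */
        .zero = 0, .flags = 0xee,                           /* present, DPL 3, 32-bit interrupt gate */
        .offset_high = HANDLER >> 16,
    };
    static const uint8_t prologue[] = { 0x50, 0x51, 0x52 };  /* push %eax; push %ecx; push %edx */
    static const uint8_t dispatch[] = { 0xff, 0x14, 0x85 };  /* call *disp32(,%eax,4) */

    memset(mem, 0x90, MEM_SIZE);                 /* NOP filler, must not trip the scan */
    memcpy(idtr, &limit, 2);
    memcpy(idtr + 2, &base, 4);
    memcpy(mem + IDT_BASE + 8 * 0x80, &gate, sizeof gate);
    memcpy(mem + HANDLER, prologue, sizeof prologue);
    memcpy(mem + HANDLER + sizeof prologue, dispatch, sizeof dispatch);
    memcpy(mem + HANDLER + sizeof prologue + sizeof dispatch, &table, 4);
    for (uint32_t nr = 0; nr < 8; nr++) {        /* entry nr -> 0xc0100000 + 0x100 * nr */
        uint32_t fn = 0xc0100000u + 0x100u * nr;
        memcpy(mem + TABLE + 4 * nr, &fn, 4);
    }
}

/* Run the chain on a fresh image; one wrapper per stage so each can be checked. */
uint32_t demo_locate_handler(void)
{
    static uint8_t mem[MEM_SIZE]; uint8_t idtr[6];
    build_memory(mem, idtr);
    return locate_system_call(mem, idtr);
}
uint32_t demo_locate_table(void)
{
    static uint8_t mem[MEM_SIZE]; uint8_t idtr[6];
    build_memory(mem, idtr);
    return locate_sys_call_table(mem, locate_system_call(mem, idtr));
}
uint32_t demo_syscall_pointer(unsigned nr)
{
    static uint8_t mem[MEM_SIZE]; uint8_t idtr[6];
    build_memory(mem, idtr);
    return read_syscall_pointer(mem, locate_sys_call_table(mem, locate_system_call(mem, idtr)), nr);
}

int main(void)
{
    printf("system_call at 0x%08x, sys_call_table at 0x%08x, entry 3 -> 0x%08x\n",
           demo_locate_handler(), demo_locate_table(), demo_syscall_pointer(3));
    return 0;
}
```

Two caveats the patent text leaves implicit. First, the discovery path is specific to 32-bit x86 with the int $0x80 entry: 8-byte gates, a 32-bit IDTR base and the ff 14 85 dispatch pattern; on x86-64 the entry point is reached through the syscall instruction and the LSTAR MSR rather than an IDT gate, so this scan does not apply there. Second, the scan accepts the first ff 14 85 within 128 bytes, so a sanity check on the recovered address (for example against the system call address file the patent's optional step compares) is worth keeping before trusting it as the table's first address.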
205. processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
The fingerprint algorithm may be a message digest algorithm, e.g. MD5 (Message Digest Algorithm 5) or SHA-1 (Secure Hash Algorithm 1), or another similar algorithm; the embodiment of the present invention does not limit this.
It should be noted that in step 205 each system call pointer is processed with the fingerprint algorithm separately, obtaining the system call pointer fingerprint data corresponding to each system call pointer. Preferably, each node of the system call table is processed one by one in a loop: the system call pointer contained in the node is derived, processed with the fingerprint algorithm, and the system call pointer fingerprint data is obtained.
The derivation of step 204 and the fingerprint processing of step 205 may be carried out sequentially, e.g. after all system call pointers have been derived in step 204, the derived system call pointers are fingerprinted; or they may be carried out in parallel, e.g. each time one or more system call pointers are derived in step 204, step 205 is executed to fingerprint them, until all system call pointers have been derived and all derived system call pointers have been fingerprinted.
206. storing the system call pointer fingerprint data of the initialization phase on the local terminal;
Here the storage may write the system call pointer fingerprint data in the form of a file into the storage device of the local terminal. For example, a file may be created on the disk or other storage device of the terminal device, and the system call pointer fingerprint data written into that file.
Preferably, when storing the system call pointer fingerprint data, each system call pointer (or its pointer entry label) is stored together with the fingerprint data generated from it, so that during subsequent detection the pointer entry label that changed can be determined, and from it the target of the intrusion event.
Steps 201-206 above are the process of obtaining the system call pointer fingerprint data prestored on the local terminal. Through these steps the system call pointer fingerprint data is stored as the data prestored on the local terminal and serves as the security baseline. During subsequent detection this security baseline is the comparison standard: when the current system call pointer fingerprint data is inconsistent with the security baseline, an intrusion event on the terminal device is determined.
207. storing the system call pointer fingerprint data of the initialization phase on a server;
Optionally, after the system call pointer fingerprint data of the initialization phase has been stored on the terminal device, it may also be stored on a server.
The server may be a server providing a verification service or a security service, or a functional module on such a server; the embodiment of the present invention does not specifically limit this.
It should be noted that, for steps 206 and 207, step 207 may be omitted and the system call pointer fingerprint data of the initialization phase stored only on the local terminal; or step 206 may be omitted and the data stored only on the server; or both steps 206 and 207 may be executed as in this embodiment, so that if either stored copy of the fingerprint data is corrupted, subsequent detection can still proceed using the copy held by the local terminal or by the server.
208. obtaining the current system call pointer fingerprint data;
Optionally, step 208 specifically comprises: obtaining the current system call pointer fingerprint data once every first preset time interval. The first preset time interval may be set in advance by the system or by the developer; the embodiment of the present invention does not limit this. The acquisition in step 208 may thus be carried out periodically, with the first preset time interval as the period. Of course, the detection based on the system call pointer fingerprint data prestored on the local terminal may also be triggered by the user starting the terminal device, or by other user operations; the embodiment of the present invention does not specifically limit this.
It should be noted that the currently obtained system call pointer fingerprint data corresponds to the kernel state of the system at the moment the acquisition takes place. When an intrusion event occurs, one or more entries of the system call table may be modified, i.e. one or more system call pointers are modified; once that happens, the fingerprint data computed from the modified system call pointer will necessarily differ from the fingerprint data obtained in the initialization phase, so whether an intrusion event has occurred can be determined by comparing fingerprint data.
In step 208, the process of obtaining the current system call pointer fingerprint data is the same as that of steps 201-203 and is not repeated here.
209, the system call pointer that this system call pointer finger print data currently obtained and local terminal prestore is referred to Stricture of vagina data are compared;
Specifically, this step 209 includes: obtain, from local terminal, the system call pointer finger print data that local terminal prestores, The system call pointer finger print data that this system call pointer finger print data currently obtained is prestored with this local terminal In each group of finger print data with same pointers list item label compare, if any of which one group or Many groups are inconsistent, it is determined that local terminal generation intrusion event.
This finger print data is numbered corresponding storage with the system call pointer generating finger print data or pointer entries, Therefore, in comparison process, when determining any one system call pointer or pointer entries label pair by comparison When the finger print data answered is inconsistent, it may be determined that terminal unit currently there occurs intrusion event, records this and differs The system call pointer caused or pointer entries label, repair this intrusion event targetedly for follow-up Multiple.
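As an added illustration of steps 206 to 210 (example code written for this edit, not the patent's or the assignee's implementation), the following C program fingerprints a constructed eight-entry stand-in for sys_call_table, keeps the result as the baseline, simulates a kernel rootkit overwriting one entry, and reports the table entry numbers whose group of fingerprint data no longer matches. The fingerprint algorithm used here (64-bit FNV-1a) is an assumption, since the patent does not name one; the addresses in the table are constructed and are not real kernel addresses. Each entry is hashed together with its entry number, so swapping two legitimate pointers is detected as well as replacing one, which the text's "group with the same entry number" comparison implies but does not spell out.

```c
/* Added example: fingerprinting a system-call table and diffing it against a
 * stored baseline, simulated in user space on constructed data. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_SYSCALLS 8

typedef struct {
    uint64_t per_entry[NR_SYSCALLS];  /* fingerprint of entry i, bound to its index i */
    uint64_t whole;                   /* fingerprint over all per-entry values */
} fingerprint_t;

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* 64-bit FNV-1a over a byte buffer, continuing from hash state h (assumed algorithm). */
static uint64_t fnv1a64(const void *data, size_t len, uint64_t h)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Steps 201-203 / 208: derive the pointers from the table and fingerprint them. */
void fingerprint_table(const uint64_t *table, size_t n, fingerprint_t *out)
{
    out->whole = FNV_OFFSET;
    for (size_t i = 0; i < n && i < NR_SYSCALLS; i++) {
        uint64_t idx = (uint64_t)i;
        uint64_t h = fnv1a64(&idx, sizeof idx, FNV_OFFSET);          /* entry number first */
        out->per_entry[i] = fnv1a64(&table[i], sizeof table[i], h);   /* then the pointer */
        out->whole = fnv1a64(&out->per_entry[i], sizeof out->per_entry[i], out->whole);
    }
}

/* Step 209: compare group by group (same entry number). Mismatching entry numbers
 * are written to bad[]; the return value is the mismatch count, so a non-zero
 * result is step 210's "intrusion event on the local host". */
size_t compare_fingerprints(const fingerprint_t *cur, const fingerprint_t *base,
                            size_t n, size_t *bad, size_t max_bad)
{
    size_t count = 0;
    if (cur->whole == base->whole)
        return 0;                        /* fast path: nothing changed */
    for (size_t i = 0; i < n && i < NR_SYSCALLS; i++) {
        if (cur->per_entry[i] != base->per_entry[i]) {
            if (count < max_bad)
                bad[count] = i;
            count++;
        }
    }
    return count;
}

/* Constructed baseline table (values are not real kernel addresses). */
static void constructed_table(uint64_t *table)
{
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        table[i] = 0xffffffff81100000ULL + (uint64_t)i * 0x100;
}

/* Scenario 1: baseline taken in the initialisation phase (step 206), then entry 3
 * is overwritten the way a rootkit hooks a system call. */
size_t demo_detect(size_t *bad, size_t max_bad)
{
    uint64_t table[NR_SYSCALLS];
    fingerprint_t baseline, current;

    constructed_table(table);
    fingerprint_table(table, NR_SYSCALLS, &baseline);
    table[3] = 0xffffffffc0001000ULL;     /* hook: entry 3 now points into a module */
    fingerprint_table(table, NR_SYSCALLS, &current);
    return compare_fingerprints(&current, &baseline, NR_SYSCALLS, bad, max_bad);
}

/* Scenario 2: two legitimate pointers are swapped; both entries must be reported. */
size_t demo_detect_swap(size_t *bad, size_t max_bad)
{
    uint64_t table[NR_SYSCALLS], tmp;
    fingerprint_t baseline, current;

    constructed_table(table);
    fingerprint_table(table, NR_SYSCALLS, &baseline);
    tmp = table[1]; table[1] = table[2]; table[2] = tmp;
    fingerprint_table(table, NR_SYSCALLS, &current);
    return compare_fingerprints(&current, &baseline, NR_SYSCALLS, bad, max_bad);
}

int main(void)
{
    size_t bad[NR_SYSCALLS];
    size_t n = demo_detect(bad, NR_SYSCALLS);
    if (n == 0) {
        puts("no change");
        return 0;
    }
    printf("intrusion event: %zu modified entr%s:", n, n == 1 ? "y" : "ies");
    for (size_t i = 0; i < n; i++)
        printf(" %zu", bad[i]);
    putchar('\n');
    return 1;
}
```

The whole-table fingerprint gives the cheap per-cycle check for step 208's first preset time interval; the per-entry values are only walked when it differs, and they are what step 209 records for the targeted repair mentioned above.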
210. When the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data pre-stored on the local host, determine that an intrusion event has occurred on the local host, and perform step 213.
211. Compare the system call pointer fingerprint data pre-stored on the local host with the system call pointer fingerprint data pre-stored on the server.
In this embodiment, steps 209-211 are described by way of example as comparing the currently obtained system call pointer fingerprint data with the locally pre-stored fingerprint data while, in parallel, comparing the locally pre-stored fingerprint data with the fingerprint data pre-stored on the server. In another embodiment, steps 209-211 may be replaced by the following: comparing the currently obtained system call pointer fingerprint data with the fingerprint data pre-stored on the server; and, when the currently obtained fingerprint data is determined to be inconsistent with the fingerprint data pre-stored on the server, determining that an intrusion event has occurred on the local host.
Since the probability that an intrusion modifies the fingerprint data pre-stored on the local host is comparatively small, the locally pre-stored fingerprint data need not be compared with the server's copy in every detection cycle. In yet another embodiment, steps 209-211 may be replaced by the following: setting a second preset time interval and, once every second preset time interval, comparing the locally pre-stored system call pointer fingerprint data with the fingerprint data pre-stored on the server; if they are inconsistent, determining that an intrusion event has occurred on the local host. The second preset time interval is longer than the first preset time interval and may be set in advance by the system or by the developer; this embodiment does not limit it. Note that an intruder who has already modified the system call table runs with kernel privileges and could in principle rewrite the local copy as well, which is the reason the server-held copy exists at all; the interval only trades detection latency for traffic.
Specifically, step 211 comprises either of the following interactions: (1) obtaining from the server the fingerprint data pre-stored on the server and comparing it with the fingerprint data pre-stored on the local host; or (2) sending the locally pre-stored fingerprint data to the server, the server comparing it with its own pre-stored copy and returning the comparison result to the local host.
212. When the system call pointer fingerprint data pre-stored on the local host is determined to be inconsistent with the system call pointer fingerprint data pre-stored on the server, determine that an intrusion event has occurred on the local host.
It should be noted that in step 212, when the locally pre-stored fingerprint data is inconsistent with the server's copy, the system call pointers corresponding to the locally pre-stored fingerprint data can be taken to differ from the system call pointers at the time the security baseline was established, and an intrusion event on the local host is determined.
Optionally, after the system call table is obtained in step 203, the method further comprises: obtaining a system call address file, which stores the system call pointers; comparing the system call address file with the system call table; and, when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local host.
Since the system call address file contains all of the system call pointers, the pointers contained in the file correspond one to one with the entries of the system call table. The items of the file and of the table that carry the same entry number are therefore compared pairwise; when any one or more corresponding pairs are inconsistent, an intrusion event on the local host is determined.
213. Output alarm information according to the intrusion event.
The alarm information output according to the intrusion event may be a preset sound emitted by the local host, termination of the current intrusion behaviour, an e-mail sent to a remote control centre, or any other means with an alerting function, and several of these may be combined; this embodiment does not limit it.
The embodiments of the present invention are described using a Linux system as an example only; in fact, for any other operating system in which kernel mode and user mode are separated, the method provided by the embodiments can likewise be applied to perform intrusion detection. This embodiment does not limit it.
The method provided by the embodiments of the present invention obtains the fingerprint data of the current system call pointers and compares it with pre-stored system call pointer fingerprint data to determine whether an intrusion event has occurred. Intrusion events against the kernel state of the system can thereby be detected, achieving comprehensive protection of the system and improving system reliability.
Referring to Fig. 3, an embodiment of the present invention provides an intrusion detection device comprising a first acquisition module 301, a derivation module 302, a fingerprint algorithm processing module 303, a first comparison module 304 and a first determination module 305. The first acquisition module 301 is configured to obtain the system call table and is connected to the derivation module 302, which is configured to derive the system call pointers from the system call table. The derivation module 302 is connected to the fingerprint algorithm processing module 303, which is configured to process the system call pointers with the fingerprint algorithm to obtain system call pointer fingerprint data. The fingerprint algorithm processing module 303 is connected to the first comparison module 304, which is configured to compare the currently obtained system call pointer fingerprint data with the fingerprint data pre-stored on the local host. The first comparison module 304 is connected to the first determination module 305, which is configured to determine that an intrusion event has occurred on the local host when the currently obtained fingerprint data is inconsistent with the locally pre-stored fingerprint data.
Optionally, referring to Fig. 4, on the basis of the device structure shown in Fig. 3, the first acquisition module 301 comprises a first acquisition unit 3011, a second acquisition unit 3012 and a third acquisition unit 3013. The first acquisition unit 3011 is configured to obtain the system call handler entry and is connected to the second acquisition unit 3012, which is configured to obtain the system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table. The second acquisition unit 3012 is connected to the third acquisition unit 3013, which is configured to obtain the system call table according to the system call table pointer.
Optionally, the first acquisition unit 3011 is further configured to: execute the SIDT assembly instruction, copying the base address and length (limit) of the interrupt descriptor table held in the IDTR register into memory; obtain the interrupt descriptor table according to that base address and length; store the interrupt descriptor table in memory; obtain from the interrupt descriptor table the gate descriptor corresponding to the system call; and, according to the gate descriptor, go to the system call handler entry.
Optionally, the second acquisition unit 3012 is further configured to: search memory, from the system call handler entry, for the first CALL assembly instruction; and execute that CALL assembly instruction, which, according to the system call handler entry, yields the system call table pointer.
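The acquisition chain just described for the first and second acquisition units (and the same chain in claims 1, 2, 9 and 10) can be exercised outside the kernel on constructed data. The following C program is an added example, not code from the patent or its assignee: it reads the gate for vector 0x80 from an in-memory IDT copy the way the first acquisition unit would after SIDT, and then scans the handler for the first CALL. The usual way to do the second step is not to execute the CALL but to decode its displacement operand: on the 32-bit Linux kernel the dispatch is `call *sys_call_table(,%eax,4)`, encoded as the bytes FF 14 85 followed by the 32-bit table address, so that address is the system call table pointer. The IDT contents, the handler bytes and every address below are constructed. Two caveats a practitioner should keep in mind: on x86-64 the ordinary system call path is the SYSCALL instruction, whose entry point is held in the IA32_LSTAR MSR rather than the IDT, so the vector 0x80 gate only covers the legacy int 0x80 path and the 64-bit dispatch uses a different encoding; and SIDT executed from user mode traps on CPUs with UMIP enabled, so the real acquisition has to run in kernel mode.

```c
/* Added example: IDT copy -> gate 0x80 -> handler entry -> first CALL ->
 * sys_call_table address, simulated in user space on constructed data. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYSCALL_VECTOR 0x80
#define IDT_ENTRIES    256
#define GATE_SIZE      8          /* 32-bit gate descriptor */

/* What SIDT stores: a 16-bit limit and the 32-bit linear base of the IDT
 * (the patent's "base address and length"). Here it describes an in-memory copy. */
struct idtr {
    uint16_t limit;
    uint32_t base;
};

/* 32-bit gate layout: bytes 0-1 offset[15:0], 2-3 selector, 4 reserved,
 * 5 type/attributes, 6-7 offset[31:16]. Returns the handler address for
 * vector 'vec', or 0 if the vector lies beyond the IDT limit. */
uint32_t gate_handler(const struct idtr *r, const uint8_t *idt_image, unsigned vec)
{
    size_t off = (size_t)vec * GATE_SIZE;
    if (off + GATE_SIZE > (size_t)r->limit + 1)
        return 0;
    const uint8_t *g = idt_image + off;
    uint32_t lo = (uint32_t)g[0] | ((uint32_t)g[1] << 8);
    uint32_t hi = (uint32_t)g[6] | ((uint32_t)g[7] << 8);
    return (hi << 16) | lo;
}

/* Scan handler code for the first `call *disp32(,%eax,4)` (FF 14 85 disp32) and
 * return disp32, the address of sys_call_table; 0 if the pattern is absent. */
uint32_t find_sys_call_table(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xFF && code[i + 1] == 0x14 && code[i + 2] == 0x85)
            return (uint32_t)code[i + 3] | ((uint32_t)code[i + 4] << 8) |
                   ((uint32_t)code[i + 5] << 16) | ((uint32_t)code[i + 6] << 24);
    }
    return 0;
}

/* Constructed stand-ins for a live kernel (not real addresses). */
#define HANDLER 0xC0105F00u       /* int 0x80 entry */
#define TABLE   0xC03023E0u       /* sys_call_table */

static void build_fake_idt(uint8_t *idt)
{
    memset(idt, 0, IDT_ENTRIES * GATE_SIZE);
    uint8_t *g = idt + SYSCALL_VECTOR * GATE_SIZE;
    g[0] = HANDLER & 0xFF;         g[1] = (HANDLER >> 8) & 0xFF;   /* offset[15:0] */
    g[2] = 0x60;                   g[3] = 0x00;                    /* kernel code selector (constructed) */
    g[4] = 0x00;                                                   /* reserved */
    g[5] = 0xEF;                                                   /* present, DPL 3, 32-bit trap gate */
    g[6] = (HANDLER >> 16) & 0xFF; g[7] = (HANDLER >> 24) & 0xFF;  /* offset[31:16] */
}

/* First acquisition unit: IDT copy -> gate for the system call vector -> entry. */
uint32_t demo_handler_entry(void)
{
    uint8_t idt[IDT_ENTRIES * GATE_SIZE];
    struct idtr r = { IDT_ENTRIES * GATE_SIZE - 1, 0 };
    build_fake_idt(idt);
    return gate_handler(&r, idt, SYSCALL_VECTOR);
}

/* Second acquisition unit: handler bytes -> first CALL -> table address.
 * The byte string is a constructed approximation of a 32-bit entry stub. */
uint32_t demo_table_address(void)
{
    static const uint8_t handler[] = {
        0x50,                                     /* push %eax */
        0xFC,                                     /* cld */
        0x0F, 0xA0,                               /* push %fs */
        0x3D, 0x5A, 0x01, 0x00, 0x00,             /* cmp $0x15a,%eax   (range check) */
        0x77, 0x07,                               /* ja  <bad syscall> */
        0xFF, 0x14, 0x85,                         /* call *disp32(,%eax,4) */
        TABLE & 0xFF, (TABLE >> 8) & 0xFF, (TABLE >> 16) & 0xFF, (TABLE >> 24) & 0xFF,
        0x89, 0x44, 0x24, 0x18,                   /* mov %eax,0x18(%esp) */
    };
    return find_sys_call_table(handler, sizeof handler);
}

int main(void)
{
    printf("int 0x80 handler : 0x%08" PRIx32 "\n", demo_handler_entry());
    printf("sys_call_table   : 0x%08" PRIx32 "\n", demo_table_address());
    return 0;
}
```

Once the table address is known, the third acquisition unit simply reads NR_syscalls pointers from it, which is the input to the fingerprinting step.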
Optionally, an embodiment of the present invention further provides an intrusion detection device; referring to Fig. 5, on the basis of the device structure shown in Fig. 3, the device further comprises a second acquisition module 306 and a first storage module 307. The first acquisition module 301 is connected to the second acquisition module 306, which is configured to obtain, in the initialisation phase, the system call pointer fingerprint data of the initialisation phase. The second acquisition module 306 is connected to the first storage module 307, which is configured to store the system call pointer fingerprint data of the initialisation phase on the local host.
Optionally, an embodiment further provides an intrusion detection device; referring to Fig. 6, on the basis of the device structure shown in Fig. 5, the device further comprises a second storage module 308. The second acquisition module 306 is connected to the second storage module 308, which is configured to store the system call pointer fingerprint data of the initialisation phase on the server.
Optionally, an embodiment further provides an intrusion detection device; referring to Fig. 7, on the basis of the device structure shown in Fig. 6, the device further comprises a second comparison module 309 and a second determination module 310. The second storage module 308 is connected to the second comparison module 309, which is configured to compare the currently obtained system call pointer fingerprint data with the fingerprint data pre-stored on the server. The second comparison module 309 is connected to the second determination module 310, which is configured to determine that an intrusion event has occurred on the local host when the currently obtained fingerprint data is inconsistent with the fingerprint data pre-stored on the server.
Optionally, an embodiment further provides an intrusion detection device; referring to Fig. 8, on the basis of the device structure shown in Fig. 6, the device further comprises a third comparison module 311 and a third determination module 312. The second storage module 308 is connected to the third comparison module 311, which is configured to compare the fingerprint data pre-stored on the local host with the fingerprint data pre-stored on the server. The third comparison module 311 is connected to the third determination module 312, which is configured to determine that an intrusion event has occurred on the local host when the locally pre-stored fingerprint data is inconsistent with the fingerprint data pre-stored on the server.
Optionally, an embodiment further provides an intrusion detection device; referring to Fig. 9, on the basis of the device structure shown in Fig. 3, the device further comprises a third acquisition module 313, a fourth comparison module 314 and a fourth determination module 315. The first acquisition module 301 is connected to the third acquisition module 313, which is configured to obtain a system call address file that stores the system call pointers. The third acquisition module 313 is connected to the fourth comparison module 314, which is configured to compare the system call address file with the system call table. The fourth comparison module 314 is connected to the fourth determination module 315, which is configured to determine that an intrusion event has occurred on the local host when the system call address file is inconsistent with the system call table.
Optionally, an embodiment further provides an intrusion detection device; referring to Fig. 10, on the basis of the device structure shown in Fig. 3, the device further comprises an output alarm module 316. The first determination module 305 is connected to the output alarm module 316, which is configured to output alarm information according to the intrusion event.
It should be understood that when the intrusion detection device provided by the above embodiments performs intrusion detection, the division into the functional modules described above is only illustrative; in practical applications the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the intrusion detection device provided by the above embodiments belongs to the same concept as the intrusion detection method embodiments; for its specific implementation process, refer to the method embodiments, which are not repeated here.
The device provided by the embodiments of the present invention obtains the fingerprint data of the current system call pointers and compares it with pre-stored system call pointer fingerprint data to determine whether an intrusion event has occurred. Intrusion events against the kernel state of the system can thereby be detected, achieving comprehensive protection of the system and improving system reliability.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (16)

1. An intrusion detection method, characterised in that the method comprises:
obtaining a system call table;
deriving system call pointers from the system call table;
processing the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
comparing the currently obtained system call pointer fingerprint data with system call pointer fingerprint data pre-stored on the local host;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data pre-stored on the local host, determining that an intrusion event has occurred on the local host;
wherein obtaining the system call table comprises:
obtaining a system call handler entry;
obtaining a system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table;
obtaining the system call table according to the system call table pointer;
and wherein obtaining the system call handler entry comprises:
executing the SIDT assembly instruction to copy the base address and length of the interrupt descriptor table held in the IDTR register into memory;
obtaining the interrupt descriptor table according to the base address and length of the interrupt descriptor table;
storing the interrupt descriptor table in memory;
obtaining, from the interrupt descriptor table, the gate descriptor corresponding to the system call;
going to the system call handler entry according to the gate descriptor.
2. The method according to claim 1, characterised in that obtaining the system call table pointer according to the system call handler entry comprises:
searching memory for the first CALL assembly instruction;
executing the CALL assembly instruction;
the CALL assembly instruction obtaining the system call table pointer according to the system call handler entry.
3. The method according to claim 1, characterised in that, before obtaining the system call table, the method further comprises:
in an initialisation phase, obtaining the system call pointer fingerprint data of the initialisation phase;
storing the system call pointer fingerprint data of the initialisation phase on the local host.
4. The method according to claim 3, characterised in that, after obtaining the system call pointer fingerprint data of the initialisation phase in the initialisation phase, the method further comprises:
storing the system call pointer fingerprint data of the initialisation phase on a server.
5. The method according to claim 4, characterised in that, after storing the system call pointer fingerprint data of the initialisation phase on the server, the method further comprises:
comparing the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data pre-stored on the server;
when the currently obtained system call pointer fingerprint data is determined to be inconsistent with the system call pointer fingerprint data pre-stored on the server, determining that an intrusion event has occurred on the local host.
6. The method according to claim 4, characterised in that, after storing the system call pointer fingerprint data of the initialisation phase on the server, the method further comprises:
comparing the system call pointer fingerprint data pre-stored on the local host with the system call pointer fingerprint data pre-stored on the server;
when the system call pointer fingerprint data pre-stored on the local host is determined to be inconsistent with the system call pointer fingerprint data pre-stored on the server, determining that an intrusion event has occurred on the local host.
7. The method according to claim 1, characterised in that, after obtaining the system call table, the method further comprises:
obtaining a system call address file, the system call address file being used to store the system call pointers;
comparing the system call address file with the system call table;
when the system call address file is determined to be inconsistent with the system call table, determining that an intrusion event has occurred on the local host.
8. The method according to claim 1, characterised in that, after determining that an intrusion event has occurred on the local host, the method further comprises:
outputting alarm information according to the intrusion event.
9. An intrusion detection device, characterised in that the device comprises:
a first acquisition module, configured to obtain a system call table;
a derivation module, configured to derive system call pointers from the system call table;
a fingerprint algorithm processing module, configured to process the system call pointers with a fingerprint algorithm to obtain system call pointer fingerprint data;
a first comparison module, configured to compare the currently obtained system call pointer fingerprint data with system call pointer fingerprint data pre-stored on the local host;
a first determination module, configured to determine that an intrusion event has occurred on the local host when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data pre-stored on the local host;
wherein the first acquisition module comprises:
a first acquisition unit, configured to obtain a system call handler entry;
a second acquisition unit, configured to obtain a system call table pointer according to the system call handler entry, the system call table pointer pointing to the first address of the system call table;
a third acquisition unit, configured to obtain the system call table according to the system call table pointer;
and wherein the first acquisition unit is further configured to execute the SIDT assembly instruction to copy the base address and length of the interrupt descriptor table held in the IDTR register into memory; obtain the interrupt descriptor table according to the base address and length of the interrupt descriptor table; store the interrupt descriptor table in memory; obtain, from the interrupt descriptor table, the gate descriptor corresponding to the system call; and go to the system call handler entry according to the gate descriptor.
10. The device according to claim 9, characterised in that the second acquisition unit is further configured to search memory for the first CALL assembly instruction and execute the CALL assembly instruction, the CALL assembly instruction obtaining the system call table pointer according to the system call handler entry.
11. The device according to claim 9, characterised in that the device further comprises:
a second acquisition module, configured to obtain, in an initialisation phase, the system call pointer fingerprint data of the initialisation phase;
a first storage module, configured to store the system call pointer fingerprint data of the initialisation phase on the local host.
12. The device according to claim 11, characterised in that the device further comprises:
a second storage module, configured to store the system call pointer fingerprint data of the initialisation phase on a server.
13. The device according to claim 12, characterised in that the device further comprises:
a second comparison module, configured to compare the currently obtained system call pointer fingerprint data with the system call pointer fingerprint data pre-stored on the server;
a second determination module, configured to determine that an intrusion event has occurred on the local host when the currently obtained system call pointer fingerprint data is inconsistent with the system call pointer fingerprint data pre-stored on the server.
14. The device according to claim 13, characterised in that the device further comprises:
a third comparison module, configured to compare the system call pointer fingerprint data pre-stored on the local host with the system call pointer fingerprint data pre-stored on the server;
a third determination module, configured to determine that an intrusion event has occurred on the local host when the system call pointer fingerprint data pre-stored on the local host is inconsistent with the system call pointer fingerprint data pre-stored on the server.
15. The device according to claim 9, characterised in that the device further comprises:
a third acquisition module, configured to obtain a system call address file, the system call address file being used to store the system call pointers;
a fourth comparison module, configured to compare the system call address file with the system call table;
a fourth determination module, configured to determine that an intrusion event has occurred on the local host when the system call address file is inconsistent with the system call table.
16. The device according to claim 9, characterised in that the device further comprises:
an output alarm module, configured to output alarm information according to the intrusion event.
Application CN201310462793.4A, filed 2013-09-30 (priority date 2013-09-30), "Intrusion detection method and device", status Active, granted as CN103514402B (en).

Publications (2)

Publication Number  Publication Date
CN103514402A  2014-01-15
CN103514402B  2017-01-11

Family

ID=49897108; one family application, CN201310462793.4A (Active, CN103514402B); country status: CN, CN103514402B (en).

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN104008337B *  2014-05-07  2019-08-23  广州华多网络科技有限公司 (Guangzhou Huaduo Network Technology Co., Ltd.)  Active defence method and device based on the Linux system
CN106888106A *  2015-12-16  2017-06-23  国家电网公司 (State Grid Corporation of China)  Large-scale detection system for IT assets in a smart grid
CN105700995A *  2016-01-19  2016-06-22  浪潮电子信息产业股份有限公司 (Inspur Electronic Information Industry Co., Ltd.)  Method of detecting the validity of a server intrusion-switch intruder
CN107016283B *  2017-02-15  2019-09-10  中国科学院信息工程研究所 (Institute of Information Engineering, Chinese Academy of Sciences)  Android privilege-escalation attack defence method and device based on integrity verification

Citations (2)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN101271498A *  2008-03-25  2008-09-24  浙江大学 (Zhejiang University)  Method for implementing trusted computing through a threatened linked list and a safe linked list in the Linux operating system
CN101901313A *  2010-06-10  2010-12-01  中科方德软件有限公司 (Zhongke Fangde Software Co., Ltd.)  Linux file protection system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
KR100544674B1 *  2003-11-11  2006-01-23  한국전자통신연구원 (ETRI)  Dynamic changing method of intrusion detection rules in a kernel-level intrusion detection system




Legal Events

Code  Title / details
C06  Publication
PB01  Publication
C10  Entry into substantive examination
SE01  Entry into force of request for substantive examination
EE01  Entry into force of recordation of patent licensing contract
  Application publication date: 20140115
  Assignee: All kinds of fruits garden, Guangzhou network technology company limited
  Assignor: Guangzhou Huaduo Network Technology Co., Ltd.
  Contract record no.: 2015990000266
  Denomination of invention: Detection method and device for oil well intrusion based on video image intelligent analysis
  License type: Common License
  Record date: 20150511
LICC  Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
GR01  Patent grant
C56  Change in the name or address of the patentee
CP02  Change in the address of a patent holder
  Address after: 511446 Guangzhou City, Guangdong Province, Panyu District, South Village, Huambo Business District Wanda Plaza, block B1, floor 28
  Patentee after: Guangzhou Huaduo Network Technology Co., Ltd.
  Address before: 510655, Guangzhou, Whampoa Avenue, No. 2, creative industrial park, building 3-08
  Patentee before: Guangzhou Huaduo Network Technology Co., Ltd.