CN103746960A - Script behavior associated defense system - Google Patents


Info

Publication number
CN103746960A
CN103746960A
Authority
CN
China
Prior art keywords
script
behavior
website
thread
defense
Prior art date
Legal status
Pending
Application number
CN201310638232.5A
Other languages
Chinese (zh)
Inventor
彭岸峰
Current Assignee
Individual
Original Assignee
Individual
Priority date
2013-12-03
Filing date
2013-12-03
Publication date
2014-04-23
Application filed by Individual
Priority to CN201310638232.5A
Publication of CN103746960A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a script behavior associated defense system. It exploits the property that a script is interpreted and executed within a single thread: during script execution, the association between script behavior and thread information is recorded, and the script's execution is monitored to judge whether it is normal; if it is abnormal, corresponding interception measures are taken. Existing website protection only intercepts APIs, so when a suspicious behavior occurs it cannot locate and identify which script produced it, and it cannot intercept or locate some backdoors; a deeply hidden backdoor is hard to find and clean. The system of the invention can quickly locate the script responsible for a behavior and prohibit that script from executing again, so that the website runs in a safe state. At the same time, the system can set website permissions, prohibit website scripts from operating across directories, detect and intercept the database accounts used by websites, control whether specified site programs may execute, control specified websites' connections to the external network, prohibit specified websites from loading specified components, and so on, with the advantages of fine-grained settings, safety and reliability.

Description

Script behavior associated defense system
Technical field
The invention belongs to the field of network security and specifically relates to a script behavior associated defense system that detects and intercepts website script behavior, so that security problems can be found early and corresponding measures taken to prevent damage by hackers.
Background technology
After a hacker compromises a website, they generally write a script backdoor (Webshell) to steal services, damage the system and website, download the database, and so on. Existing website protection software only intercepts APIs and cannot tell which script produced a behavior; the most direct problems are that tracing is difficult and time-consuming and that deeply hidden backdoors cannot be found. If a website has been attacked and the hacker has written a well-hidden backdoor file, it is difficult to detect and remove with prior art. A detection and identification system for script behavior is therefore needed, one that finds problems as early as possible, keeps the hacker out, and lets the website and server operate in a safe state.
Summary of the invention
The object of the invention is to provide a script behavior associated defense system.
The script behavior associated defense system records the association between script execution and thread information, and uses these records to monitor the execution behavior of script backdoors (Webshells), thereby realizing the monitoring and detection functions of the system.
In the described system, when a hacker accesses a script backdoor (Webshell) on the server, the Web service passes the script and the IP information to the designated script interpreter for processing. The script interpreter executes the script in the same thread from beginning to end; even if the script creates a new thread, that is recorded as well. During script execution, the current script behavior and its associated thread information are recorded, and the process is judged to be normal or not. If normal, it is processed directly and returns; if abnormal, the thread information recorded in the script behavior and thread association record is used to obtain the corresponding script information, and further interception or logging measures are taken.
The described system uses the script behavior and thread association information to locate and trace the file responsible for a script behavior, to prevent website scripts from operating across directories, to prohibit specified websites from using high-privilege database accounts, and to prohibit loading specified databases.
The invention can quickly locate the script responsible for a behavior and prohibit that script from executing again, so that the website operates in a safe state. It can also set website permissions, control whether specified site programs may execute, and control whether specified websites may connect to the external network, with the advantages of fine-grained settings, safety and reliability.
Description of the drawings:
Fig. 1 is the flow chart of normal Web service processing.
Fig. 2 is the flow chart of the script behavior associated defense module of the present invention.
Detailed description of the embodiment:
The present invention is described in more detail below with reference to the drawings and the specific embodiment.
When a user (or hacker) accesses a website script, the Web service forwards the script requested by the user to the designated script interpreter for compilation and execution. The script interpreter must read the script parameter information passed by the Web service; at the moment the interpreter reads it, a record is made that associates the script information with the thread, in preparation for the script behavior detection that follows. The script is executed within the same thread, so when suspicious behavior occurs, the recorded information for the current thread is read and it can be determined which script produced the behavior. This achieves the association of behavior with script, ready for security detection.
Application examples:
1. Prohibiting website scripts from operating across directories
Taking an IIS website server as an example, the script can obtain the website's directory information at execution time. By intercepting the APIs for file reading, file creation and directory listing, the system detects whether a file operation targets a normal directory and can prohibit a script from accessing directories outside the website's virtual host, preventing cross-directory and cross-site attacks. At the same time it can detect which script is performing cross-directory access or damaging other websites, and immediately report the suspicious script to the administrator, who can find the problem early, or directly intercept it to prevent damage by the malicious script.
2. Detecting and intercepting the database accounts used by websites
By intercepting the APIs a script uses to connect to the MySQL/MSSQL database, the invention can achieve the following functions:
A) using the website ID in the recorded information, restrict each website to logging in only with its own database account;
B) when a website uses a high-privilege account, issue a prompt so that the administrator learns of the risk immediately, preventing the server from being compromised because the website uses a high-privilege account, thereby achieving the goal of precaution in advance;
C) specify which scripts may access the database and which may not, so that as soon as a hacker accesses the database through a backdoor it can be found and intercepted immediately, while the hacker's IP is recorded, doubling safety.
3. Controlling whether specified site programs may execute
Executable-program permission is set per website: when one website needs execution permission while other websites should not have it, they can be treated separately.
4. Controlling whether specified websites may connect to the external network
Some websites can be allowed to access the external network for normal communication while external connections are forbidden for others, rather than applying a single global setting; forbidding external connections can prevent common PHP DDoS and backdoor outbound connections, among others.
5. Prohibiting specified websites from loading specified components
Loading of specified components by a specified website can be controlled, avoiding the security risk that loading components globally might bring.
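As an added illustration (not code from the patent), the following Python sketch models the mechanism described in the embodiment and in application examples 1 and 2: the interpreter binds the script, site ID and client IP to the executing thread, and hooks on file-access and database-connect APIs consult that record to decide, attribute the behavior to a script and report it. The site roots, account tables and request values are constructed for the example.

```python
import posixpath
import threading
from dataclasses import dataclass
SITE_ROOTS = {"site_a": "/var/www/site_a", "site_b": "/var/www/site_b"}  # constructed, not from the patent
SITE_DB_ACCOUNTS = {"site_a": {"site_a_user"}, "site_b": {"site_b_user"}}
HIGH_PRIVILEGE_ACCOUNTS = {"root", "sa"}

@dataclass
class ScriptContext:
    site_id: str      # website ID known to the Web service
    script_path: str  # script handed to the interpreter
    client_ip: str    # requesting IP passed along with the script

_registry = {}  # thread id -> ScriptContext running on that thread
def begin_script(ctx):  # interpreter entry: bind the script to the thread that runs it
    _registry[threading.get_ident()] = ctx

def current_script():
    return _registry.get(threading.get_ident())

def check_file_access(path):
    """Hook on file read/create/list APIs: keep each script inside its own site root."""
    ctx = current_script()
    if ctx is None:
        return "allow", "no script bound to this thread"
    root = SITE_ROOTS[ctx.site_id]
    norm = posixpath.normpath(path)  # collapse ".." before comparing with the root
    if norm == root or norm.startswith(root.rstrip("/") + "/"):
        return "allow", "inside site root"
    return "block", f"{ctx.script_path} (client {ctx.client_ip}) cross-directory access to {path}"

def check_db_connect(account):
    """Hook on MySQL/MSSQL connect APIs: own account only; flag high-privilege accounts."""
    ctx = current_script()
    if ctx is None:
        return "allow", "no script bound to this thread"
    if account in HIGH_PRIVILEGE_ACCOUNTS:
        return "alert", f"{ctx.script_path} (client {ctx.client_ip}) used high-privilege account {account}"
    if account not in SITE_DB_ACCOUNTS[ctx.site_id]:
        return "block", f"{ctx.script_path} (client {ctx.client_ip}) used foreign account {account}"
    return "allow", "site's own account"

def run_request(ctx, actions):
    """Simulate one request: the whole script runs on this thread, then its record is dropped."""
    begin_script(ctx)
    try:
        return [check_file_access(a) if k == "file" else check_db_connect(a) for k, a in actions]
    finally:
        _registry.pop(threading.get_ident(), None)
```

Because every decision is keyed on the thread's record, each block or alert names the script file and client IP responsible, which is the attribution the patent says plain API interception lacks.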

Claims (5)

1. A script behavior associated defense system, characterized in that it records the association between script execution and thread information and uses these records to monitor the execution behavior of script backdoors (Webshells), thereby realizing the monitoring and detection functions of the system.
2. The script behavior associated defense system as claimed in claim 1, characterized in that when a hacker accesses a script backdoor (Webshell) on the server, the Web service passes the script and the IP information to the designated script interpreter for processing; the script interpreter executes the script in the same thread from beginning to end, and even if the script creates a new thread, that is recorded as well; during script execution, the current script behavior and its associated thread information are recorded and the process is judged to be normal or not; if normal, it is processed directly and returns; if abnormal, the thread information in the script behavior and thread association record is used to obtain the corresponding script information, and further interception or logging measures are taken.
3. The script behavior associated defense system as claimed in claim 1, characterized in that it uses the script behavior and thread association information to locate and trace the file responsible for a script behavior.
4. The script behavior associated defense system as claimed in claim 1, characterized in that it uses the script behavior and thread association information to prevent website scripts from operating across directories.
5. The script behavior associated defense system as claimed in claim 1, characterized in that it uses the script behavior and thread association information to prohibit a specified website from using high-privilege database accounts, or to prohibit loading a specified database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310638232.5A CN103746960A (en) 2013-12-03 2013-12-03 Script behavior associated defense system

Publications (1)

Publication Number Publication Date
CN103746960A true CN103746960A (en) 2014-04-23

Family

ID=50503947

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310638232.5A Pending CN103746960A (en) 2013-12-03 2013-12-03 Script behavior associated defense system

Country Status (1)

Country Link
CN (1) CN103746960A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760379A (en) * 2014-12-16 2016-07-13 中国移动通信集团公司 Webshell page detection method and device based on intra-domain page association
CN105760379B (en) * 2014-12-16 2020-01-21 中国移动通信集团公司 Method and device for detecting webshell page based on intra-domain page association relation
CN106850617A (en) * 2017-01-25 2017-06-13 余洋 Webshell detection method and device
CN112702360A (en) * 2021-03-19 2021-04-23 远江盛邦(北京)网络安全科技股份有限公司 Linux system intrusion checking method based on hacker behavior

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140423