CN104598379B - Method for detecting hidden instruction execution using the processor PMC feature - Google Patents


Info

Publication number
CN104598379B
Authority
CN
China
Prior art keywords
pmc
instruction
test point
reading
fragment
Prior art date
Legal status
Expired - Fee Related
Application number
CN201510003005.4A
Other languages
Chinese (zh)
Other versions
CN104598379A (en)
Inventor
周洪伟
李福林
原锦辉
张畅
袁霖
郭永辉
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Priority date
Filing date
Publication date

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a method for detecting hidden instruction execution using the processor's PMC feature. The method comprises the following steps: Step 1, target software preparation: the source code of the target software is recompiled so that the recompiled executable code contains a number of inactive detection points; Step 2, initialization of the detection hardware environment; Step 3, PMC reading collection: the number of control-transfer events recorded during the execution of a monitored instruction fragment is collected; Step 4, baseline generation: the baseline required for detection is generated and stored; Step 5, checking: the information submitted by the PMC reading collector is checked for anomalies in order to find instruction fragments that execute covertly. The invention is general, can detect covertly executed instruction fragments of any form, and is difficult for an attacker to bypass.

Description

Method for detecting hidden instruction execution using the processor PMC feature
(1) Technical field: The present invention relates to a method for detecting hidden instruction execution, and in particular to a method that uses the processor PMC feature to detect hidden instruction execution.
(2) Background: The PMC feature of Intel processors consists of a small number of registers that act like counters: they record how many times a given processor event occurs. For example, the PMC control parameters can be set so that a PMC register records the number of control-transfer events; each time the processor executes a control-transfer instruction, the PMC register is incremented (update rule: new value = old value + 1).
Most Intel processor models support the PMC feature, but with some differences. The level of support is divided into several versions, and the support level of the current processor can be queried with the cpuid instruction. By degree of support, the PMC feature of a processor falls into 3 versions. Intel Core Solo and Intel Core Duo processors have only basic performance counters and are version 1; processors such as the Intel Core 2 Duo have stronger support.
The PERFEVTSELx MSRs and the PMCx MSRs are the two important register groups of the PMC feature. A PMCx MSR acts as a counter that records how many times a certain class of processor event occurs. For cost reasons a processor has only a limited number of PMCx MSRs, while the processor events a user may care about are many, far more than the number of PMCx MSRs. To resolve this, Intel processors also provide corresponding control registers, the PERFEVTSELx MSRs. PERFEVTSEL is short for Performance Event Select; by setting a PERFEVTSELx MSR the user specifies which class of processor event the paired PMCx MSR should count, and all other events are ignored. A PERFEVTSELx MSR is 16 bits long: bits 0-7 form the Event Select field, which selects the processor event to monitor, and bits 8-15 form the event mask, which further refines and classifies the monitored event. For example, to count the instructions executed by the processor, PERFEVTSELx can be set with bits 0-7 = 0xC0 and bits 8-15 = 0x00. Thus, although the processor has only a few PERFEVTSELx/PMCx pairs, their combination can selectively monitor a large variety of processor events.
Regarding the detection of hidden instruction execution, Stephen T. Jones et al. proposed Lycosid and Lionel Litty et al. proposed Patagonix.
The Lycosid architecture is shown in Figure 1. Lycosid is built on a virtual machine monitor and consists of two parts, one in the guest operating system and one in the virtual machine monitor. These two Lycosid components build an operating-system view and a monitor view respectively, and hidden processes (one form of hidden instruction execution) are reported from the difference between the two views.
Lycosid detects hidden processes by the cross-view validation principle. It constructs two views: the operating-system view and the virtual-machine-monitor view. For the operating-system view, the Lycosid component uses the Windows task manager or the Linux ps command to obtain the current number of processes and the run time of each process; for the monitor view, the Lycosid component gathers the same information from the virtual machine monitor. Because a hidden process can only tamper with the operating-system view and cannot alter the monitor view, hidden processes can be found from the difference between the two views.
To obtain process-related semantics at the virtual machine monitor layer, Lycosid analyses the creation and destruction of virtual address spaces from changes to the page-table base register in the guest, infers the creation and termination of processes from that, and thereby learns about process activity in the operating system. To further confirm which processes execute covertly, Lycosid records the processor time consumed by each process in the two views and identifies hidden processes from the difference in processor time. Some hidden processes may consume very little system time and are therefore hard to confirm. Lycosid's so-called "CPU inflation" forcibly implants a small amount of processor-consuming code into processes that have very little run time and lets it run for a while, changing the situation in which these processes take little processor time, so that it can confirm which processes are hidden.
Problems with Lycosid: 1. Lycosid can only find hidden instruction fragments that exist in the form of a process. In reality not all covertly executed instructions exist as processes; a typical kernel rootkit does not. 2. The granularity of processor time is too coarse to confirm hidden processes that take little processor time, and the "CPU inflation" solution is not optimal because it adds unnecessary system performance overhead.
The Patagonix architecture is shown in Figure 2. Patagonix is also built on a virtual machine monitor; its components reside in the virtual machine monitor and in a Patagonix guest, while the monitored object resides in another guest.
To obtain the instructions executed in the monitored guest, Patagonix relies on the support of the virtual machine monitor and collects the relevant information about the guest at the monitor layer. The Patagonix monitor passes this information back to the control logic in the Patagonix guest, and the control logic, using this information together with the reference information in the identity library, determines whether illegal instruction fragments exist in the monitored guest.
The Patagonix monitor periodically marks all pages of the monitored system non-executable. When a page containing instructions is executed for the first time, the missing execute permission raises a page fault and traps into the virtual machine monitor; the Patagonix monitor collects the content of the current page and passes it to the control logic, which looks up its fingerprint in the identity library to determine whether the instructions in the page are legitimate. If they are, the Patagonix monitor sets the page's permissions to executable but not writable, so that when the page content is updated the missing write permission again raises a page fault and gives the Patagonix monitor an opportunity to check again.
Problems with Patagonix: 1. The cost of building the identity library is too high: to recognise legitimate instruction pages, Patagonix must build a sufficiently large identity library that records the instruction identities of a large amount of software. 2. Patagonix cannot recognise hidden instruction fragments that arise from code-reuse attacks. Patagonix uses hash-based fingerprints to decide whether an instruction fragment is legitimate, but a code-reuse attack does not inject new instruction fragments; it carries out the attack with existing ones. In other words, even when a code-reuse attack occurs and causes some instructions to execute covertly, Patagonix still regards them as legitimate because the attack does not break the integrity of the instruction pages.
Lycosid takes hidden processes as its detection object, and its method is difficult to apply to the detection of shorter code fragments, because not all covertly executed instruction fragments exist in the form of a process; a typical example is a kernel rootkit. Moreover, Lycosid discovers process switches from changes of the page-table base, a detection basis that applies only to processes and not to the detection of hidden non-process instruction fragments, so it lacks generality. Secondly, Lycosid confirms hidden processes by processor time, but the granularity of processor time is too coarse to locate precisely a hidden process that takes little processor time, and clearly it is even less able to locate an instruction fragment that takes little processor time.
Patagonix is a representative method for detecting hidden instruction fragments, but it can be bypassed. Patagonix uses the fingerprint of the page containing the instruction as its detection criterion; this can only guarantee that the page containing the current instruction is indeed the original page, not that the instructions in the page are harmless, and a code-reuse attack bypasses this completely. The most basic feature of a code-reuse attack is that it does not break the integrity of system code; the attack is realised entirely with existing code. Because Patagonix detects covertly executed instruction fragments on the basis of code integrity, it can be bypassed entirely by code-reuse attacks.
(3) Content of the invention:
The technical problem to be solved by the present invention is to provide a method for detecting hidden instruction execution using the processor PMC feature that is general, can detect covertly executed instruction fragments of any form, and is difficult for an attacker to bypass.
Technical scheme:
Explanation of terms:
● Control-transfer instruction: an instruction that changes the control flow while software runs. At the assembly level these are direct and indirect jump instructions such as jmp and call; at the C level they are selection and loop constructs such as if and while. Control-transfer instructions are sometimes called jump instructions.
● MSR (Model Specific Register): an internal processor register used to set the processor's working environment or to reflect its current state. A user can read or write it with the RDMSR and WRMSR instructions, and thereby control and interact with the processor.
● Processor PMC (Performance Monitor Counter) feature: a hardware feature supported by most Intel processor models. It is essentially a group of special MSRs inside the processor; figuratively, a group of registers the processor sets aside to record how often particular processor events occur. The feature is usually used for program performance testing and debugging.
● Code-reuse attack (instruction multiplexing attack): a new attack pattern whose outstanding feature is that the attack does not need to inject malicious code; instead, useful instruction fragments are mined from the existing instruction set and re-spliced into an instruction stream that accomplishes the malicious intent.
● Covertly executed instruction stream: an instruction stream that the system user cannot perceive by conventional means. For example, an attacker hijacks the execution of software by tampering with control data so that malicious instructions get a chance to execute; once the malicious instructions have finished, the original execution of the software is restored immediately, so the system user finds it hard to notice that malicious instructions executed. For the system user, these malicious instructions are a covertly executed instruction stream.
Malicious instructions always run in a computer system in a concealed manner, for purposes such as stealing user privacy and controlling the system. A typical example is the kernel-level rootkit adore-ng 0.56: such rootkits embed malicious instructions in the kernel address space, gain a chance to execute when the kernel performs specific activities, and carry out illegal operations such as hiding specific processes, files and network ports. These covertly executed instructions pose a great security hazard to computer systems and must be checked for.
To find covertly executed instructions, this application proposes using the support of the Intel processor PMC hardware feature to observe whether the number of control transfers produced during the execution of an instruction fragment changes abnormally, and thereby to find covertly executed malicious instructions. In most cases a malicious instruction stream itself contains control-transfer instructions such as jmp and call, so its execution necessarily makes the processor produce "extra" control-transfer events. With the support of the processor PMC hardware feature, the user can easily obtain the number of control-transfer instructions the processor has executed and decide from an abnormal increase in that number whether a covertly executed instruction fragment has appeared in the system.
To detect covertly executed instructions it is best to start from their essential characteristic, one that is a prerequisite for hidden execution and cannot be bypassed. In essence, a covertly executed instruction is hidden only from the system user (including the system administrator); it is still active in the computer system, obtains processor resources at specific moments, and completes malicious acts such as stealing user privacy. This process necessarily causes the processor to execute some control-transfer instructions, which provides the opportunity to detect covertly executed instruction streams. Therefore this application uses the processor PMC feature to monitor the number of control-transfer events the processor produces and detects covertly executed instructions from an abnormal increase in that number.
The PMC feature of Intel processors provides the hardware foundation for finding covertly executed instructions. The PMC feature can be seen figuratively as a group of counters that record how many times certain special events occur in the processor; control-transfer events are one kind of processor event that the PMC feature can record. Research has found that, apart from very few instruction fragments, the vast majority of instruction fragments contain control-transfer instructions such as jmp and call (typically about 1/5 of instructions are control-transfer instructions). This means that when an instruction fragment runs on the processor, the processor necessarily produces a certain number of control-transfer events. Therefore, by using the PMC feature to collect the number of control-transfer events that occur, one learns the number of control-transfer instructions the processor executed, and from that can roughly tell how many instructions the processor executed.
The operating principle of this application is shown in Figure 3. Any instruction can execute on the processor, and meanwhile the processor's PMC register faithfully records the number of control-transfer events produced. The normal instruction fragment contains 6 control-transfer instructions, and the covertly executed instruction fragment contains 5. This application monitors the execution of the normal instruction fragment: the PMC register is read before jump instruction 1 executes, giving reading V1, and read again after jump instruction 6 executes, giving reading V2; the number of control transfers recorded during the execution of this instruction fragment is then V2 - V1. When the system contains no covertly executed instructions (Figure 3(a)), the PMC register records that the processor produced 6 control-transfer events. An attacker can hijack the control flow by some means so that the destination of jump instruction 4 (the shaded part in Figure 3(b)) becomes the first instruction of the hidden instruction fragment, giving the hidden fragment a chance to execute. Now the PMC register records 11 control-transfer events, because it faithfully records the 5 control-transfer events caused by executing the hidden instruction fragment. Thus, from the abnormal increase in the number of recorded control transfers, the covertly executed instruction fragment can be found.
A method for detecting hidden instruction execution using the processor PMC feature comprises the following steps:
Step 1, target software preparation:
Recompile the target software source code so that the recompiled executable code contains a number of inactive detection points. The input of this step is the source code of the target software; the output is the prepared target software. This application applies to software whose source code is available, such as the Linux kernel, and cannot be applied to software without source code. The recompilation tool relies on existing instrumentation methods: detection instructions and the corresponding checking functions are inserted at several types of position in the software.
Step 2, detection hardware environment initialization:
The participating system components are the detection-point deployment map, the controller and a number of detection points. The input of this step is the detection-point deployment map; the output is executable code with the specified detection points activated and a processor that is ready. 1. The controller reads the detection-point deployment map. 2. Following the map, the controller activates the specified detection points in the target software's executable code (initially all detection points are inactive). 3. The controller sets the processor's PMC control registers, requiring them to record processor events of the specified type (i.e. control-transfer events in user space / kernel space).
Step 3, PMC reading collection:
Collect the number of control transfers recorded during the execution of a monitored instruction fragment. The participating system components are the execution-switch probe and the PMC reading collector. 1. The executable code runs on the processor, which faithfully records the control transfers that occur. 2. When a detection point is triggered, the PMC reading collector reads the value of the PMC register. 3. When an event that interrupts the execution of the monitored instruction occurs, the execution-switch probe notifies the PMC reading collector in time. 4. Using the pairing relation of the detection points, the PMC reading collector calculates the number of control transfers recorded during the execution of the monitored instruction fragment and submits it to the baseline generator or the determiner.
Step 4, baseline generation (training mode):
Generate and store the baseline required for detection; the system performs this process only when working in training mode. The input of this step is the number of control transfers produced by the execution of each monitored instruction fragment, as provided by the PMC reading collector; the output is the reference information required for detection. 1. The PMC reading collector submits information to the baseline generator. 2. When the training phase ends, the baseline generator collates the collected information and generates the reference information according to the needs of the detection algorithm. 3. The baseline generator stores the reference information in the reference information library. Note: for efficiency reasons a simple linear detection algorithm is used, in which case the detection baseline is a threshold: a value below the threshold is normal and a value greater than or equal to the threshold is abnormal.
Step 5, checking (checking mode):
Check whether the information submitted by the PMC reading collector is abnormal, in order to find covertly executed instruction fragments; the system performs this process only when working in checking mode. The input of this step is the number of control transfers produced by the execution of each monitored instruction fragment, as provided by the PMC reading collector, together with the baseline provided by the reference information library; the output is the detection result (whether a warning is issued). 1. The determiner extracts the baseline from the reference information library. 2. As soon as the PMC reading collector obtains the monitoring result of an instruction fragment, it immediately sends a check request and the data to be checked to the determiner. 3. The determiner completes the check according to the detection algorithm and decides from the result whether to issue a warning. Explanation: the determiner is only required to issue a warning as the response to finding a covertly executed instruction fragment; other responses, such as interrupting execution, are not excluded.
In step 1, the several types of position in the software are function heads and function tails; in step 3, the events that interrupt the execution of the monitored instruction are process switches and system interrupts.
A detection point is a specific instruction fragment embedded in the target software. In essence, the core instruction of a detection point is a call instruction whose target is the entry function of the PMC reading collector. The effect of these instruction fragments is that when execution reaches the detection point, the PMC reading collector is woken immediately so that it collects the PMC register reading in time.
By recompiling the target software's source code, detection points are embedded at specified positions in the target software's executable code. Detection points are embedded at four types of position in the executable code: function head, function tail, before an indirect call instruction, and before an indirect jmp instruction (see Table 1). This application takes the execution of a function as the basic monitoring unit, so detection points are embedded at the head and tail of each function in the target software's executable code. In addition, the destination addresses of the two types of indirect jump instruction are frequently the target of attacker tampering, so detection points are also embedded before these two kinds of indirect jump instruction.
Table 1: Types of detection-point embedding location
No.  Embedded location                     Description
1    Function head                         Between the first instruction of the function and its first jump instruction
2    Function tail                         The instruction before the function's ret instruction
3    Before an indirect call instruction   The instruction before an indirect call instruction
4    Before an indirect jmp instruction    The instruction before an indirect jmp instruction
The detection-point deployment map records the detection points to be activated for the current detection. A detection point has two states: activated and inactive. An activated detection point works normally and can wake the PMC reading collector in time to read the PMC register; an inactive detection point does not take part in detection. In essence, activating a detection point means setting a switch variable in the system: when a detection point is reached, it decides according to that switch variable whether to go on and wake the PMC reading collector.
The detection-point deployment map determines which instruction fragments the current detection monitors. During system start-up the deployment map is read first and the specified detection points are activated according to it. In the recompiled software executable code all detection points are inactive; only after the user sets the deployment map for the current detection can the specified detection points be activated to carry out detection. Detection points are paired: the PMC register is read at the head and at the tail of the monitored instruction fragment. The user sets the detection points to be activated to express the monitoring requirement. According to the principle of embedded detection points, adjusting the deployment map allows the following kinds of instruction fragment to be monitored (see Table 2):
Table 2: Types of monitored instruction fragment
No.  Paired detection-point positions          Description
1    Function head → function tail             Monitor a single function (when the function contains no indirect jump instruction)
2    Before indirect jump → function head      Monitor an indirect jump
3    Before indirect jump → function tail      Monitor execution from the indirect jump instruction to the function tail
4    Function head → before indirect jump      Monitor execution from the function head to the indirect jump instruction
Controller is responsible for the setting of system hardware and software working environment;In terms of software environment, controller will be according to test point Test point in deployment diagram, the embedded target software executable code of activation;When target software is application program, controller needs Know that specified application has been loaded into internal memory in time, then activate corresponding test point;When target software is in operating system During core, controller is needed after system completes guiding, the test point in activation kernel;In terms of hardware environment, controller is by root The associated control registers of PMC characteristics are set according to demand, including:PMC characteristics recording processor is set to perform control transfer instruction Number of times, and whether capture the control transfer record of kernel spacing or user's space.
The PMC reading collector collects and organizes the readings of the PMC registers and, using the pairing relation of the test points, derives the number of control transfers produced when a given instruction fragment executes.
The execution-switch probe monitors whether the execution of the monitored instruction fragment is interrupted. A system interrupt, an exception or a process switch may interrupt the monitored fragment; when that happens, the execution-switch probe must notify the PMC reading collector so that the data the collector hands to the determinant remain correct. This application does not prescribe how the execution-environment probe is implemented; one feasible approach is to add a small amount of code to an open-source operating system kernel, requiring the system to deliver an event notification whenever one of the above events occurs.
The reference generator produces the benchmark needed for detection from the data supplied by the PMC reading collector. The benchmark it produces is closely tied to the detection algorithm; for the simple linear detection algorithm recommended in this application the benchmark has the form <OID, k>, where OID is the identifier of the monitored instruction fragment and k is the threshold. Note: the reference generator works only in training mode.
The reference information store holds the benchmarks produced by the reference generator for the determinant to query. It does not depend on any database but is organized as a linked list or similar structure, so that database software cannot itself disturb the monitoring process.
The determinant judges, against the benchmark provided by the reference information store, whether the data supplied by the PMC reading collector are abnormal, and decides from the result whether to issue a warning.
The application has two working modes: training mode and detection mode. In training mode the method collects PMC register readings and processes them as needed to form the detection benchmark. In detection mode the method compares and analyzes the currently obtained PMC register readings against the benchmark obtained in training mode and, according to the chosen detection algorithm, produces a detection result. In training mode the determinant does not take part; in detection mode the reference generator does not take part.
Except in certain monitoring scenarios, the application may produce false positives and false negatives. Its benchmark is generated in training mode, and during training the system often cannot exhaust all execution paths; the more instructions the monitored fragment contains, the more serious this problem becomes. In some specific monitoring scenarios, however, there are neither false positives nor false negatives. For example, when the invention monitors an indirect jump process, that process can execute only one jump instruction, while any malicious, covertly executed instruction fragment reached through the jump necessarily executes far more than that, so no false positives or false negatives arise. To avoid false positives and false negatives, the monitored instruction fragment should be kept within a certain size, generally a few hundred instructions.
The detection algorithm used in this application is a simple linear detection algorithm, summarized by the following formula:
Here k is a constant and y is the number of control-transfer events produced when the instruction fragment executes. Through a period of training, the system finds that the instruction fragment currently monitored produces no more than k control transfers; therefore, during actual detection, when the same instruction fragment produces more than k control-transfer instructions on execution, an anomaly is assumed to have occurred: during the execution of the current fragment the processor may have executed other, unknown instruction fragments.
The simple linear detection algorithm suits the monitoring of instruction fragments with few instructions. The most typical monitoring schemes monitor a single function, or the call relationship between functions, where the monitored fragment ranges from a few hundred instructions down to a handful. The simple linear detection algorithm is not suited to long instruction fragments, because a fragment with several execution paths produces varying numbers of control-transfer records from one execution to the next. Suppose the maximum is Amax and the minimum is Amin, and the number of control-transfer records produced by a typical covertly executed instruction fragment is B; then the condition under which the simple linear detection algorithm holds is Amax-Amin<B. If the monitored fragment is long, its execution paths multiply, Amax-Amin grows accordingly, and the condition can no longer be met.
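The training and detection roles of the two modes, the <OID, k> benchmark, the comparison of y with k, and the applicability condition Amax-Amin<B from the paragraphs above, written out as an added C example. This is not code from the patent; the reference store is a plain in-memory array standing in for the list structure the text prescribes, the threshold is taken to be the largest count seen in training, and the training counts are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAGMENTS 32

/* Benchmark <OID, k>: OID identifies the monitored fragment, k is its threshold. */
typedef struct { uint64_t oid; uint64_t k; } benchmark_t;

/* Reference information store: a plain in-memory array standing in for the
 * list-like structure the text prescribes (no database involved). */
typedef struct { benchmark_t entries[MAX_FRAGMENTS]; size_t count; } reference_store_t;

static benchmark_t *find_benchmark(reference_store_t *s, uint64_t oid) {
    for (size_t i = 0; i < s->count; i++)
        if (s->entries[i].oid == oid) return &s->entries[i];
    return NULL;
}

/* Training mode: the reference generator keeps, per OID, the largest
 * control-transfer count n reported by the collector. Returns -1 when the store is full. */
int reference_train(reference_store_t *s, uint64_t oid, uint64_t n) {
    benchmark_t *b = find_benchmark(s, oid);
    if (b) { if (n > b->k) b->k = n; return 0; }
    if (s->count == MAX_FRAGMENTS) return -1;
    s->entries[s->count++] = (benchmark_t){ oid, n };
    return 0;
}

/* Returns 0 and stores k when the OID has a benchmark, -1 otherwise. */
int reference_lookup(reference_store_t *s, uint64_t oid, uint64_t *k) {
    benchmark_t *b = find_benchmark(s, oid);
    if (!b) return -1;
    *k = b->k;
    return 0;
}

/* Detection mode: the determinant compares the observed count y with k.
 * 1 = warning (y > k), 0 = normal, -1 = no benchmark for this OID. */
int determinant_check(reference_store_t *s, uint64_t oid, uint64_t y) {
    uint64_t k;
    if (reference_lookup(s, oid, &k) != 0) return -1;
    return y > k ? 1 : 0;
}

/* Applicability condition of the linear algorithm: Amax - Amin < B, where Amax/Amin are the
 * largest/smallest counts a legitimate path produces and B is the count a hidden fragment adds. */
int linear_algorithm_applicable(uint64_t amax, uint64_t amin, uint64_t b) {
    return amax >= amin && (amax - amin) < b;
}

int main(void) {
    reference_store_t store = { 0 };
    /* Constructed training samples: three runs of fragment 0x1000 (a short function). */
    const uint64_t training_runs[] = { 12, 15, 13 };
    for (size_t i = 0; i < 3; i++) reference_train(&store, 0x1000, training_runs[i]);
    uint64_t k = 0;
    reference_lookup(&store, 0x1000, &k);
    printf("benchmark <0x1000, %llu>\n", (unsigned long long)k);
    printf("y=15 -> %d, y=16 -> %d\n", determinant_check(&store, 0x1000, 15),
                                      determinant_check(&store, 0x1000, 16));
    printf("Amax=15 Amin=12 B=10 applicable: %d\n", linear_algorithm_applicable(15, 12, 10));
    return 0;
}
```

The check follows the formulation of the algorithm paragraph (y > k is abnormal); step 4 below phrases the same benchmark as "at or above the threshold is abnormal", which is the same rule with k shifted by one. `linear_algorithm_applicable` is the practitioner's sanity check before relying on a single threshold: when the legitimate spread of a fragment already exceeds what a hidden fragment would add, the threshold cannot separate the two and a longer fragment should be split at additional test points.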
The detection algorithm of this application does not exclude other detection algorithms. A classification algorithm based on pattern recognition can typically be used: through training it learns the record counts produced in normal operation and can then recognize the extra records produced by abnormal operation. Which detection algorithm to use can be weighed in terms of real-time requirements and detection efficiency. With real-time performance in mind, this application recommends the simple linear detection algorithm for fragments with fewer instructions.
Compared with the simple linear detection algorithm, complex classification algorithms, such as those based on neural networks, can serve more complex classification needs. The simple linear detection algorithm can only split all data into two classes, whereas classification algorithms recognize normal nodes and abnormal branches more flexibly. These classification algorithms, however, need more system performance overhead, while the simple linear detection algorithm incurs essentially none.
In general, when the monitored object contains more instructions, a complex classification algorithm can be used to meet complex classification needs. When the monitored object has only a few instructions, in particular when monitoring an indirect jump process of only a handful of instructions, the simple linear detection algorithm can be used.
Beneficial effects of the present invention:
1. Existing detection methods for hidden instruction fragments can be bypassed and lack generality. Focusing on the intrinsic properties of instruction execution, the present invention proposes a new method for detecting hidden instructions. About 1/5 of the instructions in software executable code are control-transfer instructions, and executing any instruction fragment causes a corresponding number of control-transfer instructions to execute; therefore, with the help of the processor's PMC hardware feature, the invention traces the number of processor control-transfer events produced by instruction execution, detects whether extra, unknown control-transfer events exist, and, from an abnormal increase in the number of control-transfer events, finds instruction fragments hidden in the computer system. The detection method is general, can detect instruction fragments hidden in any form, and is difficult for an attacker to bypass.
(4) Description of the drawings:
Fig. 1 is a schematic diagram of the Lycosid system architecture;
Fig. 2 is a schematic diagram of the Patagonix system architecture;
Fig. 3 is a schematic diagram of the working principle of the method of detecting hidden executed instructions using processor PMC features;
Fig. 4 is a schematic diagram of the workflow of the method of detecting hidden executed instructions using processor PMC features;
Fig. 5 is a schematic diagram of PMC register reading collection;
Fig. 6 is a schematic diagram of training mode and detection mode;
Fig. 7 is a schematic comparison of the two classes of detection algorithm.
(5) Detailed description of the embodiments:
The method of detecting hidden executed instructions using processor PMC features comprises the following steps (as shown in Fig. 4):
Step 1, target software preparation:
Recompile the source code of the target software so that the recompiled executable code contains a number of inactive test points. The input of this step is the target software's source code; the output is the prepared target software. The application applies to software whose source code is available, such as the Linux kernel, and cannot be applied to software without source code. The recompilation tool relies on an existing instrumentation (probe-insertion) method: it inserts detection instructions and the corresponding inspection functions at a number of positions of given types in the software.
Step 2, detection hardware environment initialization:
The system components involved are the test-point deployment map, the controller and a number of test points. The input of this step is the test-point deployment map; the output is executable code with the specified test points activated and a processor ready for detection. (1) The controller reads the test-point deployment map. (2) Following the map, the controller activates the specified test points in the target software's executable code (initially all test points are inactive). (3) The controller sets the processor's PMC control registers, requiring them to record processor events of the specified type (i.e. control-transfer events of user space/kernel space).
Step 3, PMC reading collection:
Collect the number of control-transfer records produced while the monitored instruction fragment executes. The system components involved are the execution-switch probe and the PMC reading collector. (1) The executable code runs on the processor, which faithfully records the number of control transfers that occur. (2) When a test point is triggered, the PMC reading collector reads the value of the PMC register. (3) When an event interrupts the execution of the monitored instructions, the execution-switch probe promptly notifies the PMC reading collector. (4) Using the pairing relation of the test points, the PMC reading collector computes the number of control-transfer records produced during the monitored fragment's execution and submits it to the reference generator or the determinant.
Step 4, benchmark generation (training mode):
Generate and store the benchmark required for detection. The system performs this process only when working in training mode. The input of this step is the control-transfer count of each monitored fragment execution supplied by the PMC reading collector; the output is the reference information required for detection. (1) The PMC reading collector submits information to the reference generator. (2) When the training phase ends, the reference generator sorts and summarizes the information and generates the reference information according to the needs of the detection algorithm. (3) The reference generator stores the benchmark in the reference information store. Note: for efficiency the simple linear detection algorithm is used, in which case the detection benchmark is a threshold: below the threshold is normal, at or above the threshold is abnormal.
Step 5, checking process (detection mode):
Check whether the information submitted by the PMC reading collector is abnormal, so as to find instruction fragments executed covertly. The system performs this process only when working in detection mode. The input of this step is the control-transfer count of each monitored fragment execution supplied by the PMC reading collector, together with the benchmark supplied by the reference information store; the output is the detection result (whether a warning is issued). (1) The determinant fetches the benchmark from the reference information store. (2) As soon as the PMC reading collector obtains the monitoring result of an instruction fragment, it sends a check request with the data to be checked to the determinant. (3) The determinant completes the check according to the detection algorithm and decides from the detection result whether to issue a warning. Note: the determinant is only required to issue a warning as its response to a discovered hidden instruction fragment; other responses, such as interrupting execution, are not excluded.
In step 1, the positions of given types in the software are function heads and function tails; in step 3, the events that interrupt the execution of the monitored instructions are process switches and system interrupts.
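Steps 2 and 3 above configure the PMC to count control transfers of a chosen address space and read it at the head and tail of a fragment. The following C program is an added example, not code from the patent. It assumes Linux and uses the perf_event_open system call instead of programming the PMC control registers directly: PERF_COUNT_HW_BRANCH_INSTRUCTIONS stands in for the control-transfer event and the exclude_user/exclude_kernel flags for the user-space/kernel-space selection the controller makes in step 2. The monitored fragment is a constructed loop; the benchmark comparison of steps 4 and 5 is not part of this block.

```c
#include <linux/perf_event.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

long syscall(long number, ...);   /* glibc prototype, restated for strict -std= builds */

/* Step 2 (controller): describe the counter. count_user / count_kernel select which
 * address space's control transfers are recorded, the choice the patent makes on the
 * PMC control register; retired branch instructions stand in for control-transfer events. */
struct perf_event_attr build_branch_counter_attr(int count_user, int count_kernel) {
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_HARDWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_HW_BRANCH_INSTRUCTIONS;
    attr.disabled = 1;                 /* created stopped; enabled only around the fragment */
    attr.exclude_user = !count_user;
    attr.exclude_kernel = !count_kernel;
    attr.exclude_hv = 1;
    return attr;
}

/* Step 3 (collector) for one uninterrupted fragment: read the counter at the fragment's head (V1)
 * and tail (V2) and return V2 - V1. Returns -1 when the kernel refuses the counter
 * (no PMU exposed to this machine, perf_event_paranoid too strict, ...). */
long count_branches_in_fragment(void (*fragment)(void)) {
    struct perf_event_attr attr = build_branch_counter_attr(1, 0);    /* user space only */
    int fd = (int)syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0); /* this task, any CPU */
    if (fd < 0) return -1;
    uint64_t v1 = 0, v2 = 0;
    ioctl(fd, PERF_EVENT_IOC_RESET, 0);
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    if (read(fd, &v1, sizeof v1) != (ssize_t)sizeof v1) { close(fd); return -1; }
    fragment();
    if (read(fd, &v2, sizeof v2) != (ssize_t)sizeof v2) { close(fd); return -1; }
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);
    close(fd);
    return (long)(v2 - v1);
}

/* Constructed monitored fragment: each loop iteration retires at least one branch, so a
 * successful measurement is never below LOOP_ITERATIONS. */
#define LOOP_ITERATIONS 1000
static void sample_fragment(void) {
    volatile unsigned i, sink = 0;
    for (i = 0; i < LOOP_ITERATIONS; i++) sink += i;
}
long count_sample_fragment(void) { return count_branches_in_fragment(sample_fragment); }

int main(void) {
    long n = count_sample_fragment();
    if (n < 0) puts("branch counter unavailable (no PMU or perf_event_paranoid)");
    else printf("<sample_fragment, %ld> control transfers\n", n);
    return 0;
}
```

A per-task counter opened this way is saved and restored by the scheduler, so the process-switch case that the execution-switch probe handles in step 3 is absorbed by the kernel here; with the kernel excluded, branches taken inside interrupt handlers are not counted either. The -1 path matters in practice: on a virtual machine that exposes no PMU, or with a restrictive perf_event_paranoid setting, the counter cannot be opened at all and the monitor must report that rather than treat the fragment as having produced zero control transfers.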
A test point is a specific instruction fragment embedded in the target software. In essence, the core instruction of a test point is a call instruction whose target is the entry function of the PMC reading collector. The effect of these instruction fragments is that when execution reaches the position of a test point, the PMC reading collector is woken immediately so that it reads the PMC registers in time.
By recompiling the target software's source code, test points are embedded at specified positions in its executable code. They are embedded at four kinds of position: function head, function tail, before an indirect call instruction, and before an indirect jmp instruction (as shown in Table 1). The application takes the execution of a function as the basic monitoring unit, so test points are embedded at the head and the tail of each function in the target software's executable code. In addition, the destination addresses of the two kinds of indirect jump instruction are frequent targets of tampering by attackers, so test points are also embedded before these two kinds of instruction.
Table 1. Test-point embedding position types

| No. | Embedding position | Description |
|---|---|---|
| 1 | Function head | Between the first instruction of the function and its first jump instruction |
| 2 | Function tail | The instruction immediately before the function's ret instruction |
| 3 | Before an indirect call instruction | The instruction immediately before an indirect call instruction |
| 4 | Before an indirect jmp instruction | The instruction immediately before an indirect jmp instruction |
The test-point deployment map records which test points are to be activated for the current detection. A test point has two states, active and inactive. An active test point works normally and can wake the PMC reading collector in time to read the PMC registers; an inactive test point takes no part in detection. In essence, activating a test point means setting a switch variable in the system; whenever a test point is reached, it decides from its switch variable whether to go on and wake the PMC reading collector.
The test-point deployment map determines which instruction fragments are to be monitored in this detection. During system start-up, the map is read first and the specified test points are activated according to it. In the recompiled executable code all test points are initially inactive; only after the user sets the deployment map for the current detection can the specified test points be activated to carry out detection. Test points are paired: the PMC register is read at the head and at the tail of the monitored instruction fragment respectively. The user sets which test points to activate in order to express the monitoring requirement. Following the test-point embedding principle, adjusting the deployment map allows the following kinds of instruction fragment to be monitored (as shown in Table 2):
Table 2. Types of instruction fragment that can be monitored

| No. | Paired test-point positions | Description |
|---|---|---|
| 1 | Function head → function tail | Monitor a single function (when the function contains no indirect jump instruction) |
| 2 | Before indirect jump instruction → function head | Monitor an indirect jump process |
| 3 | Before indirect jump instruction → function tail | Monitor execution from the indirect jump instruction to the function tail |
| 4 | Function head → before indirect jump instruction | Monitor execution from the function head to the indirect jump instruction |
The controller is responsible for setting up the system's software and hardware working environment. On the software side, the controller activates, according to the test-point deployment map, the test points embedded in the target software's executable code. When the target software is an application program, the controller must learn promptly that the specified application has been loaded into memory and then activate the corresponding test points; when the target software is the operating system kernel, the controller must activate the test points in the kernel after the system finishes booting. On the hardware side, the controller sets the control registers associated with the PMC feature according to the requirements, including: making the PMC feature record the number of control-transfer instructions the processor executes, and whether to capture control-transfer records from kernel space or from user space.
The PMC reading collector collects and organizes the readings of the PMC registers and, using the pairing relation of the test points, derives the number of control transfers produced when a given instruction fragment executes. The principle of collecting PMC register readings is shown in Fig. 5: Fig. 5(a) depicts the case in which the monitored fragment's execution is not interrupted, and Fig. 5(b) the case in which it is. As shown in Fig. 5(a), the value of the PMC register is read at the beginning of the fragment (denoted V1) and read again at the end of the fragment (denoted V2); V2-V1 is then the number of control transfers produced by the fragment. As shown in Fig. 5(b), when the monitored fragment's execution is interrupted for some reason, the PMC reading collector promptly records the value of the PMC register at the interruption (denoted V3); when the fragment resumes execution, the PMC register is read again (denoted V4); the number of control transfers produced by the fragment is then computed as V2-V4+V3-V1. An extreme case is a fragment that is interrupted frequently; the collector then works as in Fig. 5(b), repeated for each interruption. The output of the PMC reading collector is the pair <OID, n>, where OID is the identifier of the monitored instruction fragment, which can be represented by the fragment's first address or by an integrity fingerprint, and n is the control-transfer count.
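The test-point mechanism described above (a call at a function head or tail that wakes the collector only when its switch variable is set by the deployment map) and the collector's V1..V4 arithmetic for interrupted fragments, combined in one added C example. This is not code from the patent: the PMC register is a simulated counter, the two instrumented functions, their OIDs (0xF000, 0xA000) and their branch counts are constructed, and the execution-switch probe is modelled as direct calls to the collector at the point where a process switch would occur.

```c
#include <stdint.h>
#include <stdio.h>

/* ---- Simulated hardware (constructed; a real implementation reads the PMC register) ---- */
static uint64_t sim_pmc;                                        /* stands in for the PMC register */
static void sim_control_transfers(uint64_t n) { sim_pmc += n; } /* n branches retire */

/* ---- Switch variables, one per embedded test point; the controller sets them from the map ---- */
enum { PROBE_F_HEAD, PROBE_F_TAIL, PROBE_G_HEAD, PROBE_G_TAIL, PROBE_COUNT };
static int probe_switch[PROBE_COUNT];

/* ---- PMC reading collector state ---- */
typedef struct {
    uint64_t oid;       /* fragment currently being measured */
    int active;         /* head test point seen, tail not yet */
    int suspended;      /* fragment interrupted and not yet resumed */
    uint64_t v1;        /* reading at the head test point */
    uint64_t v3;        /* reading when the fragment was interrupted */
    uint64_t stolen;    /* sum of (V4 - V3) over every interruption */
    uint64_t last_oid;  /* <OID, n> of the last completed fragment */
    uint64_t last_n;
} collector_t;

typedef struct { uint64_t oid; uint64_t n; } pmc_result_t;

/* Head test point reached: remember V1 and clear any earlier interruption bookkeeping. */
void collector_head(collector_t *c, uint64_t oid, uint64_t v1) {
    c->oid = oid; c->v1 = v1; c->stolen = 0; c->active = 1; c->suspended = 0;
}
/* Execution-switch probe: interrupt, exception or process switch while the fragment runs (V3). */
void collector_interrupt(collector_t *c, uint64_t v3) {
    if (!c->active || c->suspended) return;
    c->v3 = v3; c->suspended = 1;
}
/* Monitored fragment resumes (V4): everything counted meanwhile belongs to other code. */
void collector_resume(collector_t *c, uint64_t v4) {
    if (!c->active || !c->suspended) return;
    c->stolen += v4 - c->v3; c->suspended = 0;
}
/* Tail test point (V2): n = V2 - V1 - sum(V4 - V3), i.e. V2 - V4 + V3 - V1 for one interruption.
 * A tail without a matching head is discarded. Returns 0 on a completed measurement. */
int collector_tail(collector_t *c, uint64_t oid, uint64_t v2) {
    if (!c->active || c->oid != oid) return -1;
    c->last_oid = oid; c->last_n = v2 - c->v1 - c->stolen; c->active = 0;
    return 0;
}

/* A test point is the call embedded at a function head or tail; it wakes the collector
 * only when its switch variable is set, otherwise execution continues undisturbed. */
static void test_point(int probe, int is_tail, uint64_t oid, collector_t *c) {
    if (!probe_switch[probe]) return;
    if (is_tail) collector_tail(c, oid, sim_pmc);
    else         collector_head(c, oid, sim_pmc);
}

/* Two instrumented functions; the OIDs are constructed stand-ins for their first addresses. */
static void func_f(collector_t *c, int interruptions) {
    test_point(PROBE_F_HEAD, 0, 0xF000, c);
    sim_control_transfers(20);
    for (int i = 0; i < interruptions; i++) {   /* process switch in the middle of f */
        collector_interrupt(c, sim_pmc);
        sim_control_transfers(500);             /* branches executed by the other process */
        collector_resume(c, sim_pmc);
    }
    sim_control_transfers(10);
    test_point(PROBE_F_TAIL, 1, 0xF000, c);
}
static void func_g(collector_t *c) {
    test_point(PROBE_G_HEAD, 0, 0xA000, c);
    sim_control_transfers(7);
    test_point(PROBE_G_TAIL, 1, 0xA000, c);
}

/* Controller: apply a deployment map that activates only the paired test points of f
 * (Table 2, row 1: function head -> function tail). */
void deploy_monitor_f(void) {
    probe_switch[PROBE_F_HEAD] = probe_switch[PROBE_F_TAIL] = 1;
    probe_switch[PROBE_G_HEAD] = probe_switch[PROBE_G_TAIL] = 0;
}

/* Run g, then f (interrupted the given number of times), then g again; return the <OID, n> reported for f. */
pmc_result_t measure_f(int interruptions) {
    collector_t c = { 0 };
    deploy_monitor_f();
    func_g(&c);
    func_f(&c, interruptions);
    func_g(&c);
    return (pmc_result_t){ c.last_oid, c.last_n };
}

int main(void) {
    pmc_result_t r0 = measure_f(0), r2 = measure_f(2);
    printf("<0x%llx, %llu> uninterrupted, <0x%llx, %llu> interrupted twice\n",
           (unsigned long long)r0.oid, (unsigned long long)r0.n,
           (unsigned long long)r2.oid, (unsigned long long)r2.n);
    return 0;
}
```

Both runs report n = 30 for f: the 500 branches the other process retires during each interruption are subtracted through the V3/V4 pair, and g's probes, being inactive in the map, never wake the collector even though g runs before and after f. Without the execution-switch probe the interrupted run would report 1030, which the determinant would flag as a hidden fragment; this is why the collector must be told about every switch-out, not just the ones the monitored code can see.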
The application has two working modes: training mode and detection mode (as shown in Fig. 6). In training mode the method collects PMC register readings and processes them as needed to form the detection benchmark. In detection mode the method compares and analyzes the currently obtained PMC register readings against the benchmark obtained in training mode and, according to the chosen detection algorithm, produces a detection result. In training mode the determinant does not take part; in detection mode the reference generator does not take part.
Compared with the simple linear detection algorithm, complex classification algorithms, such as those based on neural networks, can serve more complex classification needs. As shown in Fig. 7, the simple linear detection algorithm can only split all data into two classes, whereas classification algorithms recognize normal nodes and abnormal branches more flexibly. These classification algorithms, however, need more system performance overhead, while the simple linear detection algorithm incurs essentially none.

Claims (9)

1. A method of detecting hidden executed instructions using processor PMC features, characterized in that it comprises the following steps:
Step 1, target software preparation:
Recompile the source code of the target software so that the recompiled executable code contains a number of inactive test points; the recompilation tool relies on an instrumentation method that inserts detection instructions and the corresponding inspection functions at a number of positions of given types in the software;
Step 2, detection hardware environment initialization:
The system components involved are the test-point deployment map, the controller and the test points;
(1) the controller reads the test-point deployment map; (2) following the map, the controller activates the specified test points in the target software's executable code; (3) the controller sets the processor's PMC control registers, requiring them to record processor events of the specified type;
Step 3, PMC reading collection:
Collect the number of control-transfer records produced while the monitored instruction fragment executes; the system components involved are the execution-switch probe and the PMC reading collector;
(1) the executable code runs on the processor, which faithfully records the number of control transfers that occur; (2) when a test point is triggered, the PMC reading collector reads the value of the PMC register; (3) when an event interrupts the execution of the monitored instructions, the execution-switch probe promptly notifies the PMC reading collector; (4) using the pairing relation of the test points, the PMC reading collector computes the number of control-transfer records produced during the monitored fragment's execution and submits it to the reference generator or the determinant;
Step 4, benchmark generation:
Generate and store the benchmark required for detection;
(1) the PMC reading collector submits information to the reference generator; (2) when the training phase ends, the reference generator sorts and summarizes the information and generates the reference information according to the needs of the detection algorithm; (3) the reference generator stores the benchmark in the reference information store;
Step 5, checking process:
Check whether the information submitted by the PMC reading collector is abnormal, so as to find instruction fragments executed covertly;
(1) the determinant fetches the benchmark from the reference information store; (2) as soon as the PMC reading collector obtains the monitoring result of an instruction fragment, it sends a check request with the data to be checked to the determinant; (3) the determinant completes the check according to the detection algorithm and decides from the detection result whether to issue a warning.
2. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: in step 1, the positions of given types in the software are function heads and function tails; in step 3, the events that interrupt the execution of the monitored instructions are process switches and system interrupts.
3. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: the test point is a specific instruction fragment embedded in the target software; the core instruction of the test point is a call instruction whose target is the entry function of the PMC reading collector; the effect of these instruction fragments is that when execution reaches the position of a test point, the PMC reading collector is woken immediately so that it reads the PMC registers in time;
By recompiling the target software's source code, test points are embedded at specified positions in its executable code; they are embedded at four kinds of position: function head, function tail, before an indirect call instruction, and before an indirect jmp instruction.
4. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: the test-point deployment map records which test points are to be activated for the current detection; a test point has two states, active and inactive; an active test point works normally and can wake the PMC reading collector in time to read the PMC registers; an inactive test point takes no part in detection;
The test-point deployment map determines which instruction fragments are to be monitored in this detection; during system start-up, the map is read first and the specified test points are activated according to it; in the recompiled executable code all test points are initially inactive; only after the user sets the deployment map for the current detection can the specified test points be activated to carry out detection; test points are paired, the PMC register being read at the head and at the tail of the monitored instruction fragment respectively; the user sets which test points to activate in order to express the monitoring requirement.
5. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: the controller is responsible for setting up the system's software and hardware working environment; on the software side, the controller activates, according to the test-point deployment map, the test points embedded in the target software's executable code; when the target software is an application program, the controller must learn promptly that the specified application has been loaded into memory and then activate the corresponding test points; when the target software is the operating system kernel, the controller must activate the test points in the kernel after the system finishes booting; on the hardware side, the controller sets the control registers associated with the PMC feature according to the requirements, including: making the PMC feature record the number of control-transfer instructions the processor executes, and whether to capture control-transfer records from kernel space or from user space.
6. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: the PMC reading collector collects and organizes the readings of the PMC registers and, using the pairing relation of the test points, derives the number of control transfers produced when a given instruction fragment executes.
7. The method of detecting hidden executed instructions using processor PMC features according to claim 1, characterized in that: the execution-switch probe monitors whether the execution of the monitored instruction fragment is interrupted; a system interrupt, an exception or a process switch may interrupt the monitored fragment; when that happens, the execution-switch probe must notify the PMC reading collector so that the data the collector hands to the determinant remain correct.
8. The method of detecting hidden instruction execution using processor PMC characteristics according to claim 1, characterized in that: the reference generator generates the benchmark required for detection from the data provided by the PMC reading collector; the benchmark produced by the reference generator is closely tied to the detection algorithm;
the reference information library stores the benchmark produced by the reference generator for the determinant to query; the reference information library does not depend on any database implementation but is organized with structures such as linked lists, so that other software such as a database cannot influence the monitoring process;
the determinant judges, according to the benchmark provided by the reference information library, whether the data provided by the PMC reading collector is abnormal, and decides whether to issue a warning according to the result of that judgement.
9. The method of detecting hidden instruction execution using processor PMC characteristics according to claim 1, characterized in that: the detection algorithm is a simple linear detection algorithm, summarized by the following formula:
where k is a constant and y is the number of control transfer events produced when the instruction fragment executes. After a period of training, the system finds that the instruction fragment currently being monitored produces no more than k control transfers; therefore, during actual detection, when the same instruction fragment produces more than k control transfers while executing, an anomaly is deemed to have occurred, namely that the processor executed other, unknown instruction fragments during the execution of the current instruction fragment.
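The pipeline of claims 6 to 9 (paired test points, a collector that discards runs the execution switching probe flagged, a reference generator that learns the constant k, and a determinant applying the y > k rule) can be modelled offline. The following Python is an added illustration by the editor, not code from the patent or its authors; the counter width of 48 bits, the field names, the fragment names and all PMC readings are constructed assumptions, and it generalizes the text slightly by handling a counter that wraps between the entry and exit test points.

```python
"""Toy model of PMC-based detection of hidden instruction execution."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the control-transfer PMC is a 48-bit counter that may wrap
# between the entry and exit test points. Real widths are processor specific.
PMC_WIDTH_BITS = 48
PMC_MODULUS = 1 << PMC_WIDTH_BITS


@dataclass
class Sample:
    """One monitored execution of an instruction fragment (constructed).

    pmc_enter / pmc_exit are the raw PMC readings captured at the fragment's
    paired entry and exit test points; `interrupted` is the flag the execution
    switching probe sets when an interrupt, exception or process switch landed
    between the two test points. Field names are hypothetical.
    """
    fragment: str
    pmc_enter: int
    pmc_exit: int
    interrupted: bool = False


def control_transfers(sample: Sample) -> int:
    """Control transfers attributable to the fragment via the test point pairing."""
    return (sample.pmc_exit - sample.pmc_enter) % PMC_MODULUS


def collect(samples: List[Sample]) -> List[Sample]:
    """PMC reading collector: keep only runs the probe did not invalidate."""
    return [s for s in samples if not s.interrupted]


def generate_reference(training: List[Sample]) -> Dict[str, int]:
    """Reference generator: k per fragment = largest count seen in training.

    The result is a plain dict, mirroring the claim that the reference
    information library is not backed by a database.
    """
    reference: Dict[str, int] = {}
    for s in collect(training):
        y = control_transfers(s)
        reference[s.fragment] = max(reference.get(s.fragment, 0), y)
    return reference


def judge(sample: Sample, reference: Dict[str, int]) -> str:
    """Determinant: returns 'normal', 'abnormal', 'discarded' or 'unknown'.

    Applies the linear rule of claim 9: y above the trained constant k means
    other instructions ran while the fragment was executing.
    """
    if sample.interrupted:
        return "discarded"      # probe invalidated this run, no verdict
    k = reference.get(sample.fragment)
    if k is None:
        return "unknown"        # no baseline for this fragment yet
    return "abnormal" if control_transfers(sample) > k else "normal"


def run_detection(training: List[Sample], observed: List[Sample]) -> List[str]:
    """Train a reference, then judge every observed run in order."""
    reference = generate_reference(training)
    return [judge(s, reference) for s in observed]


# Constructed training runs: copy_loop normally costs 10..12 transfers; one run
# was hit by an interrupt and must not inflate k; checksum wrapped the counter.
TRAINING = [
    Sample("copy_loop", 1000, 1010),
    Sample("copy_loop", 2000, 2012),
    Sample("copy_loop", 3000, 3011),
    Sample("copy_loop", 4000, 4500, interrupted=True),
    Sample("checksum", PMC_MODULUS - 3, 4),          # wraps: 7 transfers
]

# Constructed detection-phase runs.
OBSERVED = [
    Sample("copy_loop", 5000, 5012),                 # 12 <= 12 -> normal
    Sample("copy_loop", 6000, 6013),                 # 13 > 12  -> abnormal
    Sample("copy_loop", 7000, 7900, interrupted=True),  # discarded
    Sample("checksum", 100, 107),                    # 7 <= 7   -> normal
    Sample("unseen", 0, 1),                          # unknown
]

if __name__ == "__main__":
    for sample, verdict in zip(OBSERVED, run_detection(TRAINING, OBSERVED)):
        print(f"{sample.fragment:10s} y={control_transfers(sample):4d} {verdict}")
```

The interrupted training run is the important edge case: if the collector kept it, k would become 500 and the threshold would silently stop detecting anything, which is why claim 7 requires the probe to notify the collector.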
CN201510003005.4A 2015-01-04 2015-01-04 The method of execute instruction is hidden using processor PMC Characteristics Detections Expired - Fee Related CN104598379B (en)
Publications (2)

Publication Number Publication Date
CN104598379A CN104598379A (en) 2015-05-06
CN104598379B true CN104598379B (en) 2017-08-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170818

Termination date: 20220104