CN104811453B - Active defense method and device - Google Patents
Abstract
The invention discloses an active defense method and device. The method includes: tracking remote procedure call (RPC) calls made through a preset interface; when a process with user rights initiates, through the preset interface, a request to call a system service process, intercepting the request, extracting the path of the source file from the request, and establishing an association between the source file and the called system service process; if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process chain traces back to the called system service process, determining the path of the source file to be the source of the operation behavior; and performing host intrusion prevention processing according to the danger grade of the source file. The invention can reduce the probability of false judgements.
Description
This application is a divisional application of the parent case filed on September 29, 2012, application number CN201210376903.0, entitled "Active defense method and device".
Technical field
The present invention relates to the field of computer security technology, and in particular to an active defense method and device.
Background technology
Malicious program is a general term for any software program deliberately created to perform unauthorized and typically harmful behavior. Computer viruses, backdoor programs, key loggers, password stealers, Word and Excel macro viruses, boot sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, spyware and adware are all examples of what may be called malicious programs.
Traditional detection and removal of malicious programs relies on a signature database. The signature database is composed of the signatures of malicious program samples collected by the vendor; a signature is a segment of program code, similar to a "search keyword", that analysts have found to differ between the malicious program and legitimate software. During scanning, the engine reads the file and matches it against all the signature "keywords" in the database; if the file's program code is hit, the file can be judged to be a malicious program.
Signature matching is an effective technique for detecting known malicious programs. However, the number of malicious programs worldwide is now growing geometrically; at this explosive rate, the generation and updating of signature databases often lag behind, and antivirus software is frequently unable to detect the unknown malicious programs that keep emerging.
HIPS (Host-based Intrusion Prevention System) is a common technique that intercepts dangerous system actions. It does not use signatures as the basis for judging malicious programs; starting from the most primitive definition, it uses the behavior of a program directly as that basis. From this, a local signature database and local behavior rules for judging and distinguishing behavior are derived, and the behavior of malicious programs is intercepted in the manner of local heuristic antivirus, which protects the user's computer to a certain extent. Trigger conditions, set manually or by software from its own understanding of software and the system, prevent certain abnormal actions in order to achieve a safe system; such trigger conditions are commonly referred to as HIPS rules.
However, when active defense is performed with HIPS rules in the prior art, false alarms frequently occur. Therefore, a technical problem urgently needing to be solved by those skilled in the art is how to reduce the probability of false alarms when performing active defense with HIPS rules.
The content of the invention
The present invention provides an active defense method and device, which can reduce the probability of false judgements.
The present invention provides the following solutions:
An embodiment of the present invention provides an active defense method, including:
tracking RPC calls made through a preset interface;
when a process with user rights initiates, through the preset interface, a request to call a system service process, intercepting the request, extracting the path of the source file from the request, and establishing an association between the path of the source file and the called system service process;
if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and, according to the process chain, the process that initiated the operation behavior traces back to the called system service process, determining the path of the source file to be the source of the operation behavior;
performing host intrusion prevention processing according to the danger grade of the source file.
Optionally, the source file includes an MSI installation package file, and tracking the RPC calls made through the preset interface includes:
tracking RPC calls to the interface IMSIServer::DoInstallRemote, to obtain the storage path of the MSI installation package file in the system.
Optionally, the source file includes a dynamic link library (DLL) file within an MSI installation package file, and tracking the RPC calls made through the preset interface includes:
tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction, to obtain the DLL path of the DLL file within the MSI installation package file.
Optionally, performing host intrusion prevention processing according to the danger grade of the source file includes:
determining the danger grade of the source file;
intercepting the operation behavior according to the danger grade of the source file.
Optionally, performing host intrusion prevention processing according to the danger grade of the source file includes:
giving the user a risk prompt according to the danger grade of the source file, and presenting the information of the source file to the user.
An embodiment of the present invention provides an active defense device, including:
a tracking unit, configured to track RPC calls made through a preset interface;
an interception unit, configured to, when a process with user rights initiates, through the preset interface, a request to call a system service process, intercept the request, extract the path of the source file from the request, and establish an association between the path of the source file and the called system service process;
a source determination unit, configured to, if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process chain traces back to the called system service process, determine the path of the source file to be the source of the operation behavior;
a processing unit, configured to perform host intrusion prevention processing according to the danger grade of the source file.
Optionally, the source file includes an MSI installation package file, and the tracking unit includes:
a first tracking subunit, configured to track RPC calls to the interface IMSIServer::DoInstallRemote, to obtain the storage path of the MSI installation package file in the system.
Optionally, the source file includes a dynamic link library (DLL) file within an MSI installation package file, and the tracking unit includes:
a second tracking subunit, configured to track RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction, to obtain the DLL path of the DLL file within the MSI installation package file.
Optionally, the processing unit includes:
an operation interception subunit, configured to intercept the operation behavior according to the danger grade of the source file.
Optionally, the processing unit includes:
a risk prompt subunit, configured to give the user a risk prompt according to the danger grade of the source file, and to present the information of the source file to the user.
According to the specific embodiments provided by the present invention, the invention discloses the following technical effects:
With the present invention, when a file that the user starts and runs transfers from a process with user rights into another process with system service rights for execution, which breaks the process chain, an association can be established between the source file and the called system service process. Thus, when an operation behavior triggers a HIPS rule, the real source of the operation behavior can be traced, and the danger grade of the file at the real source is then judged to decide whether interception or a pop-up prompt is needed. This reduces the probability of false judgements.
Brief description of the drawings
In order to describe the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a HIPS system;
Fig. 2 is a flow chart of the method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the device provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another system provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
To make the present invention easier to understand, the relevant content of HIPS is first briefly introduced. Referring to Fig. 1, the most common HIPS is the "3D" class, software that intercepts program actions by rules. The so-called 3D includes AD (Application Defend, application program defense), RD (Registry Defend, registry defense) and FD (File Defend, file defense). These three are the most intuitive actions a HIPS uses when defending, and it protects the system by intercepting these intuitive actions. AD monitors program execution, loading, access to physical memory, low-level disk operations, key-logging operations and the like; FD monitors the system's read, modify, create and delete operations on any file; RD monitors operations on the registry.
For example, suppose a computer is infected by a virus. Then:
the virus first creates its entity on the hard disk, which triggers an FD "create" rule;
the virus entity is then read, which triggers an FD "read" rule;
then the virus entity is run, which triggers the AD rules;
if it is an infecting virus, it will also modify files on the hard disk while running, such as infecting exe files, which triggers an FD "modify" rule; if it is a destructive virus, it will also delete files on the hard disk while running, such as exe and gho files, which triggers an FD "delete" rule;
next, the virus usually modifies the registry in order to start itself or cause damage, which triggers the RD rules.
Each time a rule is triggered, the HIPS searches its rule base: if the rule base contains a rule for the operation, it is processed according to that rule; if not, the user is asked. If an operation behavior is intercepted during the above detection process, then even if the file is problematic, it cannot damage the system.
When a behavior triggers a HIPS rule, the HIPS needs to find the process performing the behavior and, according to that process's safety grade, decide whether to intercept or prompt. However, in order to hide themselves better, some malicious programs may use their process A to start another process B and perform the specific malicious act through process B; there may even be several stages of process calls before a malicious act is finally performed. In such cases, if only the current process performing the behavior is obtained, deciding whether to intercept according to the current process is inaccurate. It is therefore necessary to find the process chain containing the process performing the behavior, trace it back, and find the real source of the behavior; for example, process A in the example above: if the safety grade of process A is relatively low, the behavior can be intercepted or the user prompted, and so on.
In implementing the present invention, the inventors found that the reason the prior art frequently produces false alarms is that, although the prior art can obtain the process chain containing the behavior that triggered the rule, when active defense is performed for certain special types of file and a HIPS rule is triggered, tracing the source of the behavior along the process chain cannot reach the real source. False alarms therefore occur frequently, so that some normal operations cannot proceed smoothly. For example, while a program is being installed through an MSI (Windows Installer) installation package, as soon as a behavior that modifies a registry startup item is detected, the HIPS system indiscriminately pops up a prompt; if the user judges it to be an operation that can be allowed, the installation only continues after the user has manually selected an option such as "allow this operation".
The inventors also found, in implementing the present invention, that the reason the real source cannot be traced when active defense is performed for certain files is that the following may happen while such files run: after the user starts and runs the file, it transfers from a process with user rights into another process with system service rights for execution. The behavior that triggers the HIPS rule is likely performed only after the transfer into the process with system service rights, and when the HIPS obtains the process chain it can trace back only to the originating process under system service rights and cannot associate it with the process chain under user rights. In other words, such special files break the process chain during execution, so the real source cannot be traced.
For example, when the user double-clicks an MSI installation package, the system first starts, according to the file extension association, an msiexec.exe process under the current user's rights; msiexec.exe is a system process and a part of Windows Installer. To install the Windows Installer package (MSI), this user-rights msiexec.exe calls an interface and the request is forwarded to the server corresponding to that interface, namely the msiexec.exe with system service rights (if that msiexec.exe has not yet started, it is first started via DCOM), which then performs the subsequent operation behavior. Thus, when an operation behavior triggers a HIPS rule and the process chain is traced, only the msiexec.exe with system service rights can be reached, whereas the actual source of the operation behavior should be the MSI installation package itself, or some DLL (Dynamic Link Library) file inside it. Conventionally, since it cannot be known which MSI installation package or which dynamic link library performed the behavior, whenever a HIPS rule is found to be triggered and the trace reaches the system-service msiexec.exe, a risk prompt is given without exception, which obviously causes a large number of false alarms.
Therefore, in embodiments of the present invention, an association is established between the source file and the called system service process so that the real source of the operation behavior can be traced, and the file at the real source is then judged for safety to decide whether to intercept or pop up a prompt. The method provided by the embodiments of the present invention is introduced in detail below.
Referring to Fig. 2, the active defense method provided by an embodiment of the present invention includes the following steps:
S201: track RPC calls made through a preset interface;
S202: when a process with user rights initiates, through the preset interface, a request to call a system service process, intercept the request, extract the path of the source file from the request, and establish an association between the path of the source file and the called system service process;
In a specific implementation, by tracking the RPC calls of the preset interface, the request to call the system-service-rights process is intercepted and the full path of the source file is extracted from the request, which establishes the association between the source file and the called system service process. Specifically, by tracking RPC calls to the interface IMSIServer::DoInstallRemote and intercepting the request packet, the full path of the original MSI installation package can be obtained; by tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction and intercepting the request packet, the path of a DLL file inside the MSI installation package can be obtained.
In a specific implementation, the above tracking can be achieved by monitoring (for example hooking) the API functions through which RPC performs inter-process communication. Different API functions need to be hooked according to the operating system version in order to track and intercept accurately: on Windows XP the following API functions can be hooked: NtRequestWaitReplyPort and the like; on Windows Vista and later versions the following API functions can be hooked: NtAlpcSendWaitReplyPort and the like.
Thus, in the preceding example, again assume that the user double-clicks an MSI installation package to start installing a program. The system still first starts an msiexec.exe process under the current user's rights; this user-rights msiexec.exe then calls the corresponding interface (if the request is initiated by the MSI installation package file itself, the process calls the interface IMSIServer::DoInstallRemote; if the request is initiated by a DLL in the installation package file, the process calls the interface CMsiCustomAction::PrepareDLLCustomAction) and forwards the request to the server corresponding to the interface. After the aforementioned API functions are hooked, the request can be intercepted when the user-rights process forwards it to the server, and by parsing the function's parameters the full path of the MSI installation package, or the DLL path of a DLL file in the MSI installation package file, can be obtained. The request is then forwarded on to the system-service-rights process msiexec.exe. Next, the system-service-rights msiexec.exe starts a thread, according to the path passed through the interface IMSIServer::DoInstallRemote or CMsiCustomAction::PrepareDLLCustomAction, to carry out the specific installation operation, and this thread may also create new threads to do specific work (such as writing files or writing the registry). When such a behavior triggers a HIPS rule, the system-service-rights process msiexec.exe is traced first, and then, according to the recorded relation between the source file and that system-service-rights process msiexec.exe, it can be determined which MSI installation package, or which DLL file in which MSI installation package, the action corresponds to; the full path of that MSI installation package, or the DLL path of that DLL file inside the MSI installation package, is the real source.
Of course, when hooking the API functions, the whole series of functions used for inter-process communication can be hooked; for example, under Windows XP these can include NtCreatePort, NtConnectPort, NtRequestPort, NtAcceptPort, NtListenPort, NtReplyPort, NtReplyWaitReceivePort and so on.
S203: if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process chain traces back to the called system service process, determine the path of the source file to be the source of the operation behavior;
After an operation behavior triggers a HIPS rule, tracing is first performed according to the process chain. If the trace reaches a system service process, the real source of the operation behavior can be found from the association established earlier; it may, for example, be some installation package file, or some DLL file in some installation package file, and so on.
For example, again assume that the user double-clicks an MSI installation package. The system starts, according to the file extension association, an msiexec.exe process under the current user's rights; this msiexec.exe then calls the interface IMSIServer::DoInstallRemote, and the system forwards the call to the server corresponding to the interface, namely the msiexec.exe with SYSTEM rights (if it does not exist, it is started via DCOM).
In an embodiment of the present invention, by intercepting the system service calls NtRequestWaitReplyPort (XP) or NtAlpcSendWaitReplyPort (Vista and later), the full path of the MSI package can be obtained when the system forwards the request to the server. Thus, when the service process msiexec.exe triggers an active defense rule, it can be determined from the thread chain relation which MSI package the action corresponds to, and the full path of that MSI package is the real source of the current operation behavior.
The process chain itself can be obtained with APIs; for example, NtQueryInformationProcess can obtain the PID of the parent process, so by looking upward level by level all the processes can be found. In addition, the embodiment of the present invention may also have its own process chain management function: a driver obtains process creation and exit events and builds its own process chain, so that the parent-child relations of the whole process chain can be obtained simply by consulting this process chain management function.
S204: perform host intrusion prevention processing according to the danger grade of the source file.
After the real source of the operation behavior is found, the danger grade of the real source file can be determined, and host intrusion prevention processing is performed according to that danger grade. The danger grade of the file at the real source can be learned from a dedicated danger grade evaluation system; for example, the grade information of each source file can be recorded in advance in a list on the server side. This list contains information such as the PID of each process, its creation relations and the file hierarchy, and by querying the list the danger grade of the current source file can be obtained.
In a specific implementation, the danger grade can be expressed in various forms, for example: first grade, trusted file; second grade, grey file; third grade, suspicious file; fourth grade, virus or Trojan horse, etc. When specifically performing host intrusion prevention processing, the operation behavior of a source file with a higher danger grade can be intercepted directly; alternatively, a danger prompt can first be given to the user, who chooses whether to intercept. Of course, when the danger prompt is given to the user, the source of the operation behavior shown to the user is the real source obtained in the embodiment of the present invention, not the system service process. For example, in the preceding example, assuming the real source is found to be the DLL file MSI1F.tmp, this file can be presented to the user by means such as a pop-up window, instead of only presenting the corresponding system service process msiexec.exe; likewise, when judging the danger grade of the source file, it is the danger grade of MSI1F.tmp that is judged, not that of msiexec.exe. Specifically, when prompting, not only the file name of the source file but also information such as its path can be shown to the user together.
In short, in embodiments of the present invention, when a file that the user starts and runs transfers from a process with user rights into another process with system service rights for execution, which breaks the process chain, an association can be established between the source file and the called system service process. Thus, when an operation behavior triggers a HIPS rule, the real source of the operation behavior can be traced, and the danger grade of the file at the real source is then judged to decide whether interception or a pop-up prompt interface is needed. This reduces the probability of false alarms.
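The association and trace-back logic of steps S201 to S204, as an added illustration that is not the patent's own code: a Python model in which the intercepted IMSIServer::DoInstallRemote and CMsiCustomAction::PrepareDLLCustomAction requests, the process tree and the server-side grade list are all constructed inline (in a real implementation the requests would come from hooks on NtRequestWaitReplyPort or NtAlpcSendWaitReplyPort, and the parent PIDs from NtQueryInformationProcess). It also shows the prior-art failure mode in which no association has been recorded and only msiexec.exe can be named. Process names, PIDs, file paths and grade assignments are constructed for the example.

```python
"""Model of the source-attribution steps S201-S204 (constructed example).
Real implementations obtain RpcRequest records from hooks on NtRequestWaitReplyPort
(XP) / NtAlpcSendWaitReplyPort (Vista+); here everything is constructed inline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Interfaces named in the patent and the path each request carries.
MSI_INTERFACE = "IMSIServer::DoInstallRemote"               # path of the .msi package
DLL_INTERFACE = "CMsiCustomAction::PrepareDLLCustomAction"  # path of a custom-action DLL

# Danger grades in the order the patent lists them.
TRUSTED, GREY, SUSPICIOUS, MALWARE = 1, 2, 3, 4


@dataclass
class Process:
    pid: int
    name: str
    parent: Optional[int]       # parent PID (None if unknown / not tracked)
    is_service: bool = False    # runs under system service (SYSTEM) rights


@dataclass
class RpcRequest:
    caller_pid: int             # user-rights msiexec.exe that made the call
    server_pid: int             # system-service msiexec.exe that receives it
    interface: str
    path: str                   # path parsed from the intercepted parameters


class ActiveDefense:
    def __init__(self, processes: List[Process], grades: Dict[str, int]):
        self.procs = {p.pid: p for p in processes}
        self.grades = grades             # server-side list: source path -> grade
        self.assoc: Dict[int, str] = {}  # service PID -> source file path (S202)

    def on_rpc_request(self, req: RpcRequest) -> bool:
        """S201/S202: record the association for a tracked interface call."""
        if req.interface not in (MSI_INTERFACE, DLL_INTERFACE):
            return False
        server = self.procs.get(req.server_pid)
        if server is None or not server.is_service:
            return False
        # One install per service process here; a real implementation would
        # key on the thread the service creates for this request.
        self.assoc[req.server_pid] = req.path
        return True

    def process_chain(self, pid: int) -> List[int]:
        """Walk parent links level by level (as NtQueryInformationProcess would)."""
        chain, seen = [], set()
        while pid is not None and pid in self.procs and pid not in seen:
            seen.add(pid)
            chain.append(pid)
            pid = self.procs[pid].parent
        return chain

    def trace_source(self, pid: int) -> Optional[str]:
        """S203: first service process on the chain that has an association."""
        for p in self.process_chain(pid):
            if self.procs[p].is_service and p in self.assoc:
                return self.assoc[p]
        return None   # chain is broken and nothing was recorded (prior art)

    def on_hips_trigger(self, pid: int) -> Tuple[str, str]:
        """S204: decide from the real source's grade; returns (action, source)."""
        src = self.trace_source(pid)
        if src is None:
            # Only the service process itself can be named: the indiscriminate
            # prompt the patent describes as the cause of false alarms.
            return ("prompt", self.procs[pid].name)
        grade = self.grades.get(src, GREY)      # unknown files treated as grey
        if grade >= SUSPICIOUS:
            return ("block", src)
        if grade == GREY:
            return ("prompt", src)
        return ("allow", src)


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: an MSI whose custom-action DLL later writes the registry."""
    procs = [
        Process(50, "services.exe", None, is_service=True),
        Process(100, "explorer.exe", None),
        Process(200, "msiexec.exe", 100),                  # user rights
        Process(300, "msiexec.exe", 50, is_service=True),  # started via DCOM
        Process(310, "regedit.exe", 300),                  # spawned by custom action
    ]
    msi = r"C:\Users\alice\Downloads\setup.msi"           # constructed paths
    dll = r"C:\Windows\Installer\MSI1F.tmp"
    ad = ActiveDefense(procs, {msi: TRUSTED, dll: SUSPICIOUS})
    out = {}
    out["no_assoc"] = ad.on_hips_trigger(300)             # before any tracking
    ad.on_rpc_request(RpcRequest(200, 300, MSI_INTERFACE, msi))
    out["msi_trusted"] = ad.on_hips_trigger(300)
    ad.on_rpc_request(RpcRequest(200, 300, DLL_INTERFACE, dll))
    out["dll_suspicious"] = ad.on_hips_trigger(310)       # traced via PID 300
    return out
```

Calling demo() returns the three decisions: the untracked trigger can only prompt on msiexec.exe, the trusted package is allowed, and the suspicious custom-action DLL is blocked even though the behavior came from a child process of the service.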
Corresponding with active defense method provided in an embodiment of the present invention, the embodiment of the present invention additionally provides a kind of active and prevents
Imperial device, referring to Fig. 3, which includes:
Tracking cell 301, the remote procedure call protocol RPC for being produced to preset interface are called into line trace;
Interception unit 302, asking for calling system service processes is initiated for the process when user right by preset interface
When asking, the request is intercepted, the path of source file is extracted from the request, and establishes the path of the source file with being called
System service process between association;
Source determination unit 303, for if operation behavior triggering Intrusion Detection based on host intrusion prevention system HIPS rule,
And the called system service process is traced back to according to chain of processes, then the path of the source file is determined as the operation
The source of behavior;
Processing unit 304, for the danger classes according to the source file, performs the processing of host intrusion prevention.
Where the source file includes an MSI installation package file, the tracking unit 301 may include:
A first tracking subunit, for tracking RPC calls to the interface IMSIServer::DoInstallRemote, so as to obtain the storage path of the MSI installation package file in the system.
Alternatively, the source file includes a dynamic link library (DLL) file in the MSI installation package file; in this case the tracking unit 201 may include:
A second tracking subunit, for tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction, so as to obtain the DLL path of the DLL file in the MSI installation package file.
In practical applications, the processing unit 304 may specifically include:
An operation interception subunit, for intercepting the operation behavior according to the danger level of the source file.
Alternatively, the processing unit 304 may also include:
A risk indication subunit, for giving a risk indication to the user according to the danger level of the source file, and prompting the user with the information of the source file.
Corresponding to the active defense method and device provided by the embodiments of the present invention, the embodiments also provide an active defense system. Referring to Fig. 4, the system may include a client 401 and a server end 402:
Tracking unit 4011, for tracking remote procedure call (RPC) protocol calls made to a preset interface;
Interception unit 4012, for intercepting the request when a process under user rights initiates, through the preset interface, a request to call a system service process, extracting the path of the source file from the request, and establishing an association between the path of the source file and the called system service process;
Source determination unit 4013, for determining the path of the source file as the source of an operation behavior if the operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back according to the process chain, is the called system service process;
Feature extraction unit 4014, for extracting the features of the source file. Specifically, the extracted features may be static features such as the name and MD5 of the source file; alternatively, a sandbox system may be deployed on the client device, the source file run inside the sandbox and its dynamic behaviour features extracted and uploaded to the server end, so that the server end judges the source file according to these features.
Uploading unit 4015, for uploading the features of the source file to the server end 402;
The server end 402 includes:
Danger level determination unit 4021, for judging the danger level of the source file according to the features of the source file, and returning it to the client;
The client 401 further includes:
Processing unit 4016, for performing host intrusion prevention processing according to the danger level of the source file returned by the server end.
Of course, in practical applications, the client may also upload the whole file to the server end, and the server end then extracts the features of the file, or judges the danger level of the file directly according to a file whitelist or blacklist, etc. Therefore, the embodiments of the present invention also provide another active defense system. Referring to Fig. 5, the system likewise includes a client 501 and a server end 502, where:
The client may specifically include:
Tracking unit 5011, for tracking remote procedure call (RPC) protocol calls made to a preset interface;
Interception unit 5012, for intercepting the request when a process under user rights initiates, through the preset interface, a request to call a system service process, extracting the path of the source file from the request, and establishing an association between the path of the source file and the called system service process;
Source determination unit 5012, for determining the path of the source file as the source of an operation behavior if the operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back according to the process chain, is the called system service process;
Uploading unit 5014, for uploading the source file to the server end 502;
The server end 502 includes:
Feature extraction unit 5021, for extracting the features of the source file;
Danger level determination unit 5022, for judging the danger level of the source file according to the features of the source file, and returning it to the client;
The client 501 further includes:
Processing unit 5015, for performing host intrusion prevention processing according to the danger level of the source file returned by the server end.
In short, in the active defense device provided by the embodiments of the present invention, after a user starts a certain file, the work may be handed from a process under user rights to another process under system service rights for execution, which breaks the process chain. The device establishes an association between the source file and the called system service rights process, so that when a certain operation behavior triggers a HIPS rule the real source of that behavior can be traced back, and the file at the real source can then be judged for its danger level to decide whether to intercept or to pop up a prompt. This reduces the probability of false positives.
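The tracking, interception and source-determination steps described above, from the RPC request through the broken process chain to the danger-level decision, can be modelled as a small correlation engine. The following Python is an added example for illustration and is not code from the patent or from its assignee: the event records, process IDs, file paths and the MD5 white/black lists are constructed, and the RPC hooking that would produce such records on a real Windows host is outside the example. It resolves three constructed HIPS events, one of which never passes through an associated service process.

```python
"""Added example (not the patent's code): correlate an RPC request's source file
with the system service process that executes it, then resolve the real source
when a HIPS rule fires further down the process chain."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interfaces the patent names as the ones to track; hooking them is out of scope
# here, events simply arrive as records.
TRACKED_INTERFACES = {
    "IMSIServer::DoInstallRemote",               # yields the MSI package path
    "CMsiCustomAction::PrepareDLLCustomAction",  # yields the custom-action DLL path
}

# Constructed sample file contents and reputation lists (hashes of these bytes).
SETUP_MSI = r"C:\Users\alice\Downloads\setup.msi"
DROPPER_MSI = r"C:\Users\alice\Downloads\dropper.msi"
SAMPLE_FILES = {
    SETUP_MSI: b"constructed benign installer bytes",
    DROPPER_MSI: b"constructed malicious installer bytes",
}
WHITELIST = {hashlib.md5(SAMPLE_FILES[SETUP_MSI]).hexdigest()}
BLACKLIST = {hashlib.md5(SAMPLE_FILES[DROPPER_MSI]).hexdigest()}


@dataclass
class RpcRequest:
    """An intercepted request from a user-rights process to a system service."""
    caller_pid: int     # process running under user rights
    service_pid: int    # system service process that will do the work
    interface: str      # RPC interface being called
    source_path: str    # path extracted from the request


@dataclass
class HipsEvent:
    """An operation behaviour that matched a HIPS rule."""
    actor_pid: int
    behaviour: str
    process_chain: List[int]  # actor first, then parents up to the root


class SourceTracker:
    """Maps a called system service process to the source file behind it."""

    def __init__(self) -> None:
        self.associations: Dict[int, str] = {}

    def on_rpc(self, req: RpcRequest) -> Optional[str]:
        """Record service_pid -> source_path for tracked interfaces only."""
        if req.interface not in TRACKED_INTERFACES:
            return None
        self.associations[req.service_pid] = req.source_path
        return req.source_path

    def resolve_source(self, event: HipsEvent) -> Optional[str]:
        """Walk the chain; the first associated service process is the origin.
        None means the chain never reached an associated service, i.e. the
        behaviour comes from an ordinary user process chain."""
        for pid in event.process_chain:
            if pid in self.associations:
                return self.associations[pid]
        return None


def danger_level(source_path: str) -> str:
    """Client extracts the static feature (MD5); the 'server' side classifies."""
    content = SAMPLE_FILES.get(source_path)
    if content is None:
        return "unknown"  # file not available any more: cannot classify
    digest = hashlib.md5(content).hexdigest()
    if digest in BLACKLIST:
        return "high"
    if digest in WHITELIST:
        return "safe"
    return "unknown"


def handle(tracker: SourceTracker, event: HipsEvent) -> dict:
    """Resolve the real source and pick intercept / prompt / allow."""
    source = tracker.resolve_source(event)
    if source is None:
        # Chain not broken by a service hop: modelled here as a plain prompt.
        return {"source": None, "level": "unknown", "action": "prompt"}
    level = danger_level(source)
    action = {"high": "intercept", "safe": "allow"}.get(level, "prompt")
    return {"source": source, "level": level, "action": action}


def run_demo() -> List[dict]:
    tracker = SourceTracker()
    tracker.on_rpc(RpcRequest(1200, 4000, "IMSIServer::DoInstallRemote", SETUP_MSI))
    tracker.on_rpc(RpcRequest(1300, 4001, "IMSIServer::DoInstallRemote", DROPPER_MSI))
    tracker.on_rpc(RpcRequest(1300, 4001, "IUntracked::Call", r"C:\ignored.bin"))
    events = [
        HipsEvent(4100, "autorun registry write", [4100, 4000, 4]),  # child of 4000
        HipsEvent(4200, "service creation", [4200, 4001, 4]),        # child of 4001
        HipsEvent(2500, "hosts file modification", [2500, 1100, 900]),  # user chain
    ]
    return [handle(tracker, e) for e in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The model keys the association on the service process ID alone. When one service process handles several clients' requests in turn, the association must be tied to the specific request (session or thread) rather than to the process, or an unrelated source file will be blamed for the behaviour.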
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teachings herein. As described above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the preferred embodiment of the invention.
In the specification provided here, numerous specific details are set forth. It is to be appreciated, however, that the embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and help the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the host intrusion prevention equipment according to the embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbols placed between brackets shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The present application may be applied to a computer system/server, which may operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments including any of the above systems, etc. The computer system/server may be described in the general context of computer system executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, target programs, components, logic, data structures, etc., which perform specific tasks or implement specific abstract data types. The computer system/server may be implemented in a distributed cloud computing environment, where tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media including storage devices.
Claims (10)
1. An active defense method, including:
tracking RPC calls made to a preset interface by monitoring API functions related to the remote procedure call (RPC) protocol;
when a process under user rights initiates, through the preset interface, a request to call a system service process, intercepting the request, extracting the path of a source file from the request, and establishing an association between the path of the source file and the called system service process;
if an operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back according to the process chain, is the called system service process, determining the path of the source file as the source of the operation behavior according to the association between the path of the source file and the called system service process;
performing host intrusion prevention processing according to the danger level of the source file.
2. The method according to claim 1, wherein the source file includes an MSI installation package file, and tracking the RPC calls made to the preset interface includes:
tracking RPC calls to the interface IMSIServer::DoInstallRemote, so as to obtain the storage path of the MSI installation package file in the system.
3. The method according to claim 1, wherein the source file includes a dynamic link library (DLL) file in an MSI installation package file, and tracking the RPC calls made to the preset interface includes:
tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction, so as to obtain the DLL path of the DLL file in the MSI installation package file.
4. The method according to any one of claims 1 to 3, wherein performing host intrusion prevention processing according to the danger level of the source file includes:
determining the danger level of the source file;
intercepting the operation behavior according to the danger level of the source file.
5. The method according to any one of claims 1 to 3, wherein performing host intrusion prevention processing according to the danger level of the source file includes:
giving a risk indication to the user according to the danger level of the source file, and prompting the user with the information of the source file.
6. An active defense device, including:
a tracking unit, for tracking RPC calls made to a preset interface by monitoring API functions related to the remote procedure call (RPC) protocol;
an interception unit, for intercepting the request when a process under user rights initiates, through the preset interface, a request to call a system service process, extracting the path of a source file from the request, and establishing an association between the path of the source file and the called system service process;
a source determination unit, for determining the path of the source file as the source of an operation behavior, according to the association between the path of the source file and the called system service process, if the operation behavior triggers a host-based intrusion prevention system (HIPS) rule and the process that initiated the operation behavior, traced back according to the process chain, is the called system service process;
a processing unit, for performing host intrusion prevention processing according to the danger level of the source file.
7. The device according to claim 6, wherein the source file includes an MSI installation package file, and the tracking unit includes:
a first tracking subunit, for tracking RPC calls to the interface IMSIServer::DoInstallRemote, so as to obtain the storage path of the MSI installation package file in the system.
8. The device according to claim 6, wherein the source file includes a dynamic link library (DLL) file in an MSI installation package file, and the tracking unit includes:
a second tracking subunit, for tracking RPC calls to the interface CMsiCustomAction::PrepareDLLCustomAction, so as to obtain the DLL path of the DLL file in the MSI installation package file.
9. The device according to any one of claims 6 to 8, wherein the processing unit includes:
a danger level determination subunit, for determining the danger level of the source file;
an operation interception subunit, for intercepting the operation behavior according to the danger level of the source file.
10. The device according to any one of claims 6 to 8, wherein the processing unit includes:
a risk indication subunit, for giving a risk indication to the user according to the danger level of the source file, and prompting the user with the information of the source file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510221827.XA CN104811453B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510221827.XA CN104811453B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
CN201210376903.0A CN102882875B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210376903.0A Division CN102882875B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104811453A CN104811453A (en) | 2015-07-29 |
CN104811453B true CN104811453B (en) | 2018-05-01 |
Family
ID=47484018
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210376903.0A Active CN102882875B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
CN201510221827.XA Active CN104811453B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210376903.0A Active CN102882875B (en) | 2012-09-29 | 2012-09-29 | Active defense method and device |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN102882875B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882875B (en) * | 2012-09-29 | 2015-06-10 | 北京奇虎科技有限公司 | Active defense method and device |
CN108491736B (en) * | 2018-04-02 | 2020-09-22 | 北京顶象技术有限公司 | Tamper monitoring method and device |
CN108717509B (en) * | 2018-06-05 | 2020-06-23 | 厦门安胜网络科技有限公司 | Method, device and equipment for extracting program derivative in sandbox and readable medium |
CN111367684B (en) * | 2018-12-26 | 2023-11-10 | 北京天融信网络安全技术有限公司 | Method and device for filtering remote procedure call |
CN109784051B (en) * | 2018-12-29 | 2021-01-15 | 360企业安全技术(珠海)有限公司 | Information security protection method, device and equipment |
CN109787886B (en) * | 2019-01-22 | 2021-03-02 | 北京北信源信息安全技术有限公司 | Mail auditing method and system |
CN110717183B (en) * | 2019-12-09 | 2020-10-27 | 深信服科技股份有限公司 | Virus checking and killing method, device, equipment and storage medium |
CN114466053B (en) * | 2022-04-11 | 2022-07-08 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for call control of remote procedure call |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882875B (en) * | 2012-09-29 | 2015-06-10 | 北京奇虎科技有限公司 | Active defense method and device |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7913078B1 (en) * | 2000-06-22 | 2011-03-22 | Walter Mason Stewart | Computer network virus protection system and method |
US8245297B2 (en) * | 2001-09-04 | 2012-08-14 | E-Cop Pte. Ltd. | Computer security event management system |
CN101005497A (en) * | 2006-11-27 | 2007-07-25 | 科博技术有限公司 | System and method for preventing vicious code attach |
CN101414341B (en) * | 2007-10-15 | 2014-12-10 | 北京瑞星信息技术有限公司 | Software self-protection method |
CN101588358B (en) * | 2009-07-02 | 2012-06-27 | 西安电子科技大学 | System and method for detecting host intrusion based on danger theory and NSA |
CN102663289B (en) * | 2012-03-22 | 2015-07-15 | 北京奇虎科技有限公司 | Method and device for intercepting rogue program of modifying page elements |
2012
- 2012-09-29 CN CN201210376903.0A patent/CN102882875B/en active Active
- 2012-09-29 CN CN201510221827.XA patent/CN104811453B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882875B (en) * | 2012-09-29 | 2015-06-10 | 北京奇虎科技有限公司 | Active defense method and device |
Also Published As
Publication number | Publication date |
---|---|
CN102882875B (en) | 2015-06-10 |
CN104811453A (en) | 2015-07-29 |
CN102882875A (en) | 2013-01-16 |
Similar Documents
Publication | Title |
---|---|
CN104811453B (en) | Active defense method and device |
US10084817B2 (en) | Malware and exploit campaign detection system and method |
CN101373502B (en) | Automatic analysis system of virus behavior based on Win32 platform |
Plohmann et al. | Malpedia: a collaborative effort to inventorize the malware landscape |
Kiss et al. | Kharon dataset: Android malware under a microscope |
KR101899589B1 (en) | System and method for authentication about safety software |
CN105580022A (en) | Systems and methods for using a reputation indicator to facilitate malware scanning |
CN103077353A (en) | Method and device for actively defending rogue program |
CN111819556A (en) | Container escape detection method, device and system and storage medium |
Wang et al. | Beyond the virus: A first look at coronavirus-themed mobile malware |
CN103279707A (en) | Method, device and system for actively defending against malicious programs |
Pedro et al. | From prompt injections to sql injection attacks: How protected is your llm-integrated web application? |
Li et al. | Large-scale third-party library detection in android markets |
CN102857519A (en) | Active defensive system |
US9781155B1 (en) | Detecting unwanted intrusions into an information network |
De | Security threat analysis and prevention towards attack strategies |
Singh et al. | RETRACTED: A hybrid layered architecture for detection and analysis of network based Zero-day attack |
Lee | Malware and Attack Technologies Knowledge Area Issue |
Bo et al. | Tom: A threat operating model for early warning of cyber security threats |
Slowik | The baffling berserk bear: a decade's activity targeting critical infrastructure |
Hovmark et al. | Towards Extending Probabilistic Attack Graphs with Forensic Evidence: An investigation of property list files in macOS |
Azshwanth et al. | A novel approach to detect malware in portable executables of major operating systems |
Al Shamsi | Mapping, Exploration, and Detection Strategies for Malware Universe |
Irolla | Formalization of Neural Network Applications to Secure 3D Mobile Applications |
Villalón Huerta | Modeling of advanced threat actors: characterization, categorization and detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20220707. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd. |