CN109558724A - A software behavior integrity verification method - Google Patents

Publication number
CN109558724A
Authority
CN
China
Prior art keywords
software
client
message
server
information
Prior art date
Legal status
Pending
Application number
CN201811435451.2A
Other languages
Chinese (zh)
Inventor
杨力
王焱济
妥艳君
张程辉
庞晓健
柳强
Current Assignee
Xidian University
Original Assignee
Xidian University
Application filed by Xidian University
Priority to CN201811435451.2A
Publication of CN109558724A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

The invention discloses a software behavior integrity verification method that uses a client/server (C/S) architecture. The server side provides policy configuration, feature storage and feature matching for the software and is responsible for verifying software behavior features. The client collects the software's system calls and can generate the software's behavior feature set from the system call sequence. An SSL-based secure channel is deployed between the server and the client, and the two sides interact through corresponding communication modules, providing identity authentication and encrypted data transmission when they access each other. The invention solves the problem of remote attestation of software integrity.

Description

A software behavior integrity verification method
Technical field
The invention belongs to the field of information security technology, and in particular relates to a software behavior integrity verification method.
Background
Software is the foundation stone of Internet applications. Modern society's dependence on computer systems shows up as dependence on software, and the defects of computer systems are to a large extent also caused by software problems. Especially under the current background, more and more software operation and development environments are moving from the traditional static, closed state to the open, dynamic state of the Internet environment. More and more software vulnerabilities and defects are found and exploited by malicious attackers.
In the security field, software integrity offers a new angle from which to assess the current running state of software. The integrity of software represents its trustworthiness. At present there are two ways to verify software integrity: static verification and dynamic verification. Static verification analyzes and checks the state of the software's program files and data files to ensure that the initial state of the software is reliable, but this trust state cannot be passed on while the software is running, which is a major challenge for software integrity assurance.
A widely accepted definition of trusted software is: software whose running behavior and results always meet people's expectations and which can still provide continuous service when subjected to interference. The integrity of software behavior means that the behavior trace produced by the software during actual operation matches the software's expected behavior rules.
Many of the dynamic software behavior integrity verification methods currently studied use software behavior models based on system calls. They rely on the software's system call information and a certain modeling method to build a behavior model that characterizes the normal behavior of the software. After a program has been intruded upon, its execution is reflected in its system calls, so a software behavior model based on system calls can be used for behavior integrity verification of software.
Summary of the invention
In view of the above deficiencies in the prior art, the technical problem to be solved by the present invention is to provide a software behavior integrity verification method that can verify the integrity of software in real time while it is running, so as to guarantee the trustworthiness of the running software.
The invention adopts the following technical solution:
A software behavior integrity verification method uses a C/S architecture. The server side provides policy configuration, feature storage and feature matching for the software and is responsible for verifying software behavior features. The client collects the software's system calls and can generate the software's behavior feature set from the system call sequence. An SSL-based secure channel is deployed between the server and the client, and the two sides interact through corresponding communication modules, providing identity authentication and encrypted data transmission when they access each other.
Specifically, the client performs a registration step and a verification step. In the initial state of the client, the client first runs the software to be verified and collects its system call sequence, then analyzes and models the system call sequence with the n-gram algorithm to generate short-sequence features. Each short sequence is regarded as one behavior of the software, and the proportion of each behavior is calculated. According to the policy requirements, each behavior is associated with the relevant hardware or system software of the client, and the computer's Trusted Platform Module (TPM) is used to hash the short sequence together with the corresponding value, generating a characteristic behavior of the software. Finally, all characteristic behaviors of the software and their behavior ratios are sent to the server as the software's base feature set. The server compares the received feature set with the base feature set stored in the database for similarity; if the similarity is high, the software behavior is considered trusted, otherwise the integrity of the software behavior is considered to have been destroyed. After verification, the server returns the result to the client.
Further, in the registration process of the client, the client first logs in to the server with a user name and password and establishes a secure communication channel. The client sends a registration request to the server. After receiving it, the server verifies the legitimacy of the request, then looks up on the policy server the policy for the software required by the corresponding client (the policy contains the time required for software registration and the corresponding software and hardware information) and sends the policy information to the client. After receiving the server's information, the client starts running the software and collects the system call queue generated while it runs. Once the time required by the policy has elapsed, the client processes the system call queue with the n-gram algorithm and extracts each high-frequency system call short sequence $SCS_j$ and its corresponding ratio $R_j$. According to the policy, the running state of the software is associated with the computer's hardware information or operating system: the trust value for the relevant policy is taken from the TPM's platform configuration register (PCR), and a cryptographic hash function is used to compute, for each short sequence, the value bound to the policy, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$. Each pair $(HSCS_j, R_j)$ is one behavior feature, and the behavior features of all high-frequency sequences make up the software's behavior base feature set BSC. After obtaining the behavior feature set, the client sends it to the server, which stores it in the database. Once storage succeeds, the server returns a registration-success message to the client; the client stores the software and its policy information in the policy file, and at boot the computer selects its start-up actions according to the information in the policy file.
Further, the registration request that the client sends to the server contains two fields: the message header and the registration policy. The header contains the fields message type, user ID and machine ID; the registration policy contains the set of software names and waiting times. After receiving the registration operation request initiated by the client, the server generates a registration request. The structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, user name and additional information respectively. When the server generates the registration request message m, it must follow these rules:
S2011, create the RegistrationRequest message and generate the registration request header from the message sent by the client: the message type is reg and ext holds the machine ID; the user ID and machine ID are taken from the received message;
S2012, for each client, create a policy array containing the names and waiting times of all software that the client device needs to verify; the software names and waiting times are looked up in the database by machine ID.
Further, the client processes the registration request according to the following rules:
S2021, select and parse the RegistrationRequest message;
S2022, if a field in the message is empty, or a field's type and value do not match, refuse the operation;
S2023, add the software names in the policy to the verification list; for each software in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file; the collection time equals the configured waiting time.
Further, the structure of the client registration response message is {header, assertion[]}, generated according to the following rules:
S2031, create the RegistrationResponse message and copy the UserID from the RegistrationRequest header into the UserID of the RegistrationResponse header;
S2032, header.ext of the message is the corresponding software name;
S2033, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all of the software's high-frequency system call short sequences $SCS_j$ and their corresponding ratios $R_j$;
S2034, send the RegistrationResponse message to the server.
Further, the server processes the registration response according to the following rules:
S2041, parse the message; if a required field of the message is empty, or the type and value of some field do not match, refuse the operation;
S2042, look up the registration information for the UserID in the database and check whether the UserID and ext in the header match; if they do not match, refuse the operation;
S2043, store the received behavior base feature set BSC of the software in the database as the basis for later checking whether the software's behavior is trusted.
Further, in the verification step of the client, the server first sends a verification request to the client. After receiving the request, the client checks the policy configuration file and, according to the policy, takes the $PCR_i$ for the relevant policy from the TPM's PCRs; at the same time it takes the continuously collected system call queue and processes it with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding ratio $R_j$. Finally it computes the features with the hash algorithm, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, and sends all high-frequency features, as the set SC, to the server. After receiving the feature set SC, the server takes the base feature set BSC from the database and compares the similarity of the two sets using the cosine similarity algorithm.
Further, the structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, user name and additional information respectively. When the server generates the registration request message m, it must follow these rules:
S3011, set the operation type to verification; UserID is the ID of the logged-in user;
S3012, fill in the information of the software whose verification is requested, according to the policy in the database;
S3013, send the verification request to the client;
S302, the client receives and processes the verification request;
The processing rules are as follows:
S3021, parse message m; if a field in the message is empty, or a field's type and value do not match, refuse the operation;
S3022, according to the policy in the message, parse out the names of the software to be verified;
S3023, check whether the local verification list contains all of the software to be verified; if it does not contain all of it, refuse the operation;
S3024, obtain the system call sequence of the corresponding software from the temporary file collected by the trace tool and analyze it with the n-gram algorithm.
Further, the structure of the client verification response message is {header, assertion[]}, generated according to the following rules:
S3031, copy the header of the verification request into the header of the verification response message; header.ext of the message is the corresponding software name;
S3032, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all of the software's high-frequency system call short sequences $SCS_j$ found by the n-gram algorithm and their corresponding ratios $R_j$;
S3033, send the RegistrationResponse message to the server;
S304, the server processes the verification response message;
The processing rules are as follows:
S3041, parse the message and check whether the fields in the message conform to the rules; if a required field in the message, or the type and value of some field, does not conform, refuse the operation;
S3042, obtain the UserID and AppID from the message and use them to fetch from the database the base feature set BSC that the corresponding client submitted at registration;
S3043, obtain the feature information set from assertion[] of the message and use the cosine similarity algorithm to analyze the similarity between the base feature set and the feature information set; if the similarity is greater than 0.98, verification passes;
S3044, send the verification result to the client.
Compared with the prior art, the present invention has at least the following advantages:
The software behavior integrity verification method of the present invention uses a C/S architecture and combines software integrity verification with remote attestation, providing a feasible way of remotely verifying software integrity. The server side provides functions such as policy configuration, feature storage and feature matching for the software and is responsible for verifying software behavior features. The client collects the software's system calls and can generate the software's behavior feature set from the system call sequence. An SSL-based secure channel is deployed between the server and the client, and the two sides interact through corresponding communication modules, providing identity authentication and encrypted data transmission when they access each other.
Further, the client uses the n-gram algorithm, which demands very little computing power of the client, so the method can be applied on terminal devices with weak computing power. The method uses the algorithm to analyze the system call information generated while the software runs, so the software can be verified in real time, which to a certain extent guarantees its trustworthiness at run time.
Further, the method hands the integrity check of the software to the server; the client is responsible only for collecting and communicating the integrity information, which reduces the possibility that the check result is modified after the client has been intruded upon. Under this mechanism every client goes through a registration process, during which the software's base behavior feature set is generated. Verification determines the trustworthiness of the software by comparing the similarity between the feature set of the running software and the base behavior feature set.
Further, the registration process of the client comprises four steps: the server generates the registration request message, the client processes the registration request message, the client generates the registration response message, and the server processes the registration response message. These four steps define the client registration process and guarantee its reliability.
Further, the step in which the client processes the registration request mainly parses the registration message and verifies its legitimacy, and at the same time saves the policy in the registration message to the local list, so as to save the time of collecting integrity information when the response message is generated.
Further, the body of the registration response message is the feature information of the local software, that is, the system call sequence after processing by the n-gram algorithm. The benefit of the registration response message is that it provides the original comparison information for the verification process.
Further, the purpose and benefit of the server-side registration response processing rules is that the software's base feature set is stored on the server and can serve as the basis for verification during the verification process.
Further, the verification step of the client is the key step of the method; it guarantees that every integrity check of the software is reliable.
Further, the verification request message m generated by the server contains the information of the registered user and the software and hardware policy information. This information is the subject of verification and is necessary for the whole verification method. The purpose of the server-side verification response processing rules is to compare the software's real-time behavior feature set with its base feature set, which gives a higher-confidence judgement of software reliability and thereby achieves the goal of verifying software integrity.
Further, by processing the verification request and generating the verification response, the client can first verify the legitimacy of the verification request sent by the server and then send the feature set of the locally running software to the server, allowing the server to make an accurate and timely judgement of the software's reliability.
In conclusion, the invention proposes a software behavior integrity verification method that can be used in practical systems and that, to a certain extent, solves the problem of remote attestation of software integrity.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
Fig. 1 is the interaction diagram between the client and the server during client registration;
Fig. 2 is the interaction diagram of the server verifying the client.
Specific embodiments
The present invention provides a software behavior integrity verification method that uses a C/S architecture. The server side provides functions such as policy configuration, feature storage and feature matching for the software and is responsible for verifying software behavior features. The client collects the software's system calls and can generate the software's behavior feature set from the system call sequence. An SSL-based secure channel is deployed between the server and the client, and the two sides interact through corresponding communication modules, providing identity authentication and encrypted data transmission when they access each other.
The software behavior integrity verification method of the present invention is divided into two steps: the registration step of the software and the verification step.
First, in the registration step, the initial state of the client is considered to be a trusted state.
The initial state of the client means that the client entity (the computer) has not been in contact with the external environment (network connections, untrusted peripherals) and that its hardware and underlying operating system are legitimate and trusted.
In the initial state the running environment of the client software is considered safe and reliable. The scheme collects the feature information of the relevant software in the client's initial state.
In the verification step, for the software to be verified, the client first collects the system call information of that software, and the feature information collected in the initial state is used as the benchmark for judging the software's behavior integrity.
In the initial state of the client, the client first runs the software to be verified and collects its system call sequence, then analyzes and models the system call sequence with the n-gram algorithm to generate short-sequence features.
Each short sequence is regarded as one behavior of the software, and the proportion of each behavior is calculated. According to the policy requirements, each behavior is associated with the relevant hardware or system software of the client, and the computer's Trusted Platform Module (TPM) is used to hash the short sequence together with the corresponding value, generating a characteristic behavior of the software. This process guarantees that the software's running information is not leaked during transmission.
Finally, all characteristic behaviors of the software and their behavior ratios are sent to the server as the software's base feature set, and the server stores the received base feature set as the basis for later judgement.
In the verification step of the software, the client first needs to receive the verification instruction and software policy initiated by the server. Following the server's instruction, the client analyzes and models the collected software system call sequence to generate short-sequence features, hashes the short sequences together with the encryption key stored in the policy and the TPM to generate the characteristic behaviors and the behavior feature set, and finally sends the behavior feature set to the server. The server compares the received feature set with the base feature set stored in the database for similarity; if the similarity is high, the behavior of the software is considered trusted, otherwise the integrity of the software behavior is considered to have been destroyed. After verification, the server returns the result to the client.
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. The components of the embodiments generally described and shown in the drawings here may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The present invention is broadly divided into three processes at system run time: client start-up, client registration and client verification.
S1, client start-up
During client start-up, the trustworthiness of the client environment is verified first: according to the local policy file, a chain of trust to the relevant policy is established with the TPM and BIOS as the root of trust, producing the relevant measurement values; these measurement values are hashed together with the short-sequence features of the relevant software to generate the software's features. After the client has started successfully, it continuously collects system call information while the software listed in the policy file runs, and stores it locally so that it can be retrieved promptly when integrity is verified to generate the real-time behavior feature set.
S2, client registration
In the registration process of the client, the client first logs in to the server with a user name and password and establishes a secure communication channel. The client sends a registration request to the server. After receiving it, the server verifies the legitimacy of the request, then looks up on the policy server the policy for the software required by the corresponding client (the policy contains the time required for software registration, the corresponding software and hardware information, and so on) and sends the policy information to the client. After receiving the server's information, the client starts running the relevant software and collects the system call queue generated while it runs. Because this is the registration phase, the collected system call queue must be sufficiently representative, and the collection time required differs from software to software. Once the time required by the policy has elapsed, the client processes the system call queue with the n-gram algorithm and extracts each high-frequency system call short sequence $SCS_j$ and its corresponding ratio $R_j$. According to the policy, the running state of the software is to be associated with the computer's hardware information or operating system: the trust value for the relevant policy is taken from the TPM's platform configuration register (PCR), and a cryptographic hash function is used to compute, for each short sequence, the value bound to the policy, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$. Each pair $(HSCS_j, R_j)$ is one behavior feature, and the behavior features of all high-frequency sequences make up the software's behavior base feature set BSC. After obtaining the behavior feature set, the client sends it to the server, which stores it in the database for use in later verification. Once storage succeeds, the server returns a registration-success message to the client; the client stores the software and its policy information in the policy file, and at later boots the computer selects its start-up actions according to the information in the policy file.
S201, the server issues the registration request
The registration request contains two fields: the message header and the registration policy. The header contains the fields message type, user ID and machine ID. The registration policy contains the set of software names and waiting times. After receiving the registration operation request initiated by the client, the server generates the registration request. The structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, user name and additional information respectively. When the server generates the registration request message m, it must follow these rules:
S2011, create the RegistrationRequest message and generate the registration request header from the message sent by the client: the message type is reg and ext holds the machine ID; the user ID and machine ID are taken from the received message.
S2012, for each client, create a policy array containing the names and waiting times of all software that the client device needs to verify. These software names and waiting times can be looked up in the database by machine ID.
S202, the client processes the registration request
The client processes the registration request according to the following rules:
S2021, select and parse the RegistrationRequest message.
S2022, if a field in the message is empty, or a field's type and value do not match, refuse the operation.
S2023, add the software names in the policy to the verification list; for each software in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file. The collection time equals the configured waiting time.
S203, the client generates the registration response message
The structure of the client registration response message is {header, assertion[]}, generated according to the following rules:
S2031, create the RegistrationResponse message and copy the UserID from the RegistrationRequest header into the UserID of the RegistrationResponse header.
S2032, header.ext of the message is the corresponding software name.
S2033, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all of the software's high-frequency system call short sequences $SCS_j$ and their corresponding ratios $R_j$.
S2034, send the RegistrationResponse message to the server.
S204, the server processes the registration response
The server processes the registration response according to the following rules:
S2041, parse the message; if a required field of the message is empty, or the type and value of some field do not match, refuse the operation.
S2042, look up the registration information for the UserID in the database and check whether the UserID and ext in the header match; if they do not match, refuse the operation.
S2043, store the received behavior base feature set BSC of the software in the database as the basis for later checking whether the software's behavior is trusted.
The interaction flow between the client and the server during client registration is shown in Fig. 1.
S3, verifying software behavior
During verification, the server first sends a verification request to the client. After receiving the request, the client checks the policy configuration file and, according to the policy, takes the $PCR_i$ for the relevant policy from the TPM's PCRs; at the same time it takes the continuously collected system call queue and processes it with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding ratio $R_j$. Finally it computes the features with the hash algorithm, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, and sends all high-frequency features, as the set SC, to the server. After receiving the feature set SC, the server takes the base feature set BSC from the database and compares the similarity of the two sets using the cosine similarity algorithm. If the similarity is high (99.8% or more), the behavior integrity of the software is considered not to have been destroyed and verification succeeds; otherwise verification fails. After verification, the server sends the result to the client.
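The registration and verification computations described above (n-gram short sequences, hashing each short sequence with the PCR value, cosine comparison of SC against BSC), as an added Python example that is not code from the patent. SHA-256, the byte encoding of a short sequence, n = 3, the top-5 cut-off, and the constructed traces and PCR values are all assumptions; a real client would read the PCR value from the TPM.

```python
import hashlib
import math
from collections import Counter


def short_sequences(trace, n):
    """Count every length-n window (short sequence SCS) in a system call trace."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def behavior_features(trace, pcr, n=3, top_k=5):
    """Client side: map HSCS_j -> R_j for the top_k most frequent short sequences.

    HSCS_j = Hash(SCS_j || PCR_i). SHA-256, the NUL-joined encoding of SCS_j
    and the n / top_k values are assumptions; the page fixes none of them.
    """
    counts = short_sequences(trace, n)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("trace is shorter than n system calls")
    # Sort by frequency, then by sequence, so ties are broken deterministically.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_k]
    features = {}
    for seq, count in ranked:
        scs = "\x00".join(seq).encode()
        # pcr has a fixed length, so SCS_j || PCR_i splits unambiguously.
        features[hashlib.sha256(scs + pcr).hexdigest()] = count / total
    return features


def cosine_similarity(bsc, sc):
    """Server side: cosine of the two ratio vectors, indexed by HSCS value."""
    dot = sum(r * sc.get(h, 0.0) for h, r in bsc.items())
    norm_b = math.sqrt(sum(r * r for r in bsc.values()))
    norm_s = math.sqrt(sum(r * r for r in sc.values()))
    if norm_b == 0 or norm_s == 0:
        return 0.0
    return dot / (norm_b * norm_s)


def verify(bsc, sc, threshold):
    """Pass only if the similarity is greater than the threshold."""
    return cosine_similarity(bsc, sc) > threshold


# Constructed sample data (not from the page): PCR values and traces.
PCR_REGISTERED = bytes.fromhex("11" * 32)
PCR_CHANGED = bytes.fromhex("22" * 32)
NORMAL_LOOP = ["openat", "read", "write", "close"]
INJECTED_LOOP = ["socket", "connect", "execve", "dup2"]

REGISTRATION_TRACE = NORMAL_LOOP * 50
CLEAN_TRACE = NORMAL_LOOP * 40
DEVIATING_TRACE = NORMAL_LOOP * 20 + INJECTED_LOOP * 20

# Base feature set stored by the server at registration.
BSC = behavior_features(REGISTRATION_TRACE, PCR_REGISTERED)

if __name__ == "__main__":
    for label, trace, pcr in [
        ("same behavior, same platform", CLEAN_TRACE, PCR_REGISTERED),
        ("deviating behavior", DEVIATING_TRACE, PCR_REGISTERED),
        ("same behavior, changed PCR", CLEAN_TRACE, PCR_CHANGED),
    ]:
        sc = behavior_features(trace, pcr)
        sim = cosine_similarity(BSC, sc)
        print(f"{label}: similarity={sim:.4f} pass={verify(BSC, sc, 0.98)}")
```

The page states the threshold both as 0.98 (rule S3043) and as 99.8% (the embodiment), so threshold is an explicit argument here. The changed-PCR case scores 0 although the behavior is identical, because every hashed feature value differs once the platform measurement changes.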
S301, the server generates the verification request
The structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, the user name and additional information respectively. When the server generates the login request message m, it must follow these rules:
S3011, set the operation type to verification; UserID is the ID of the logged-in user.
S3012, fill in the information on the software to be verified according to the policy in the database.
S3013, send the verification request to the client.
S302, the client receives and processes the verification request
The processing rules are as follows:
S3021, parse the message m; if a field in the message is empty, or a field's type and value do not match, reject the operation.
S3022, according to the policy in the message, parse out the names of the software to be verified.
S3023, check whether the local verification list contains all of the software to be verified; if it does not contain all of it, reject the operation.
S3024, obtain the system call sequence of the corresponding software from the temporary file collected with the trace tool, and analyze it with the n-gram algorithm.
S303, the client generates the verification response message
The structure of the client verification response message is {header, assertion[]}, and the generation rules are as follows:
S3031, copy the header information of the verification request into the header of the verification response message. The header.ext of the message is the corresponding software name.
S3032, the message assertion[] contains the feature information (HSCS_j, R_j) generated from all of the software's high-frequency system-call short sequences (SCS_j), as analyzed by the n-gram algorithm, and their corresponding proportions R_j.
S3033, send the RegistrationResponse message to the server.
S304, the server processes the verification response message
The processing rules are as follows:
S3041, parse the message and verify whether the fields in the message conform to the rules; if the required fields in the message, or the type and value of certain fields, do not conform, reject the operation.
S3042, obtain UserID and AppID from the message, and use UserID and AppID to retrieve from the database the base feature set BSD that the corresponding client submitted at registration.
S3043, obtain the feature information set from the assertion[] of the message and use the cosine similarity algorithm to analyze the similarity between the base feature set and the feature information set; if the similarity is greater than 0.98, verification passes.
S3044, send the verification result to the client.
The interaction flow of the server verifying the client is shown in Figure 2.
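The feature construction of S3 and the server-side comparison of S3043, as an added example that is not code from the patent. The n-gram length, the top-k cut-off for "high-frequency" sequences, the use of SHA-256 as the hash, and the sample traces and PCR values are all assumptions made for illustration; only the formula HSCS_j = Hash(SCS_j || PCR_i) and the 0.98 threshold come from the text.

```python
import hashlib
import math
from collections import Counter

N = 3             # assumed n-gram length; the page does not fix n
TOP_K = 4         # assumed cut-off for "high-frequency" short sequences
THRESHOLD = 0.98  # pass threshold stated in step S3043


def feature_set(calls, pcr, n=N, top_k=TOP_K):
    """Return {HSCS_j: R_j} with HSCS_j = Hash(SCS_j || PCR_i)."""
    grams = [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]
    counts = Counter(grams)
    total = sum(counts.values())
    features = {}
    for seq, count in counts.most_common(top_k):
        # NUL-joined names keep SCS_j unambiguous; the PCR value is fixed
        # length, so appending it cannot collide with another sequence.
        scs = "\x00".join(seq).encode()
        hscs = hashlib.sha256(scs + pcr).hexdigest()  # SHA-256 is assumed
        features[hscs] = count / total                # R_j
    return features


def cosine(a, b):
    """Cosine similarity of two sparse {feature: proportion} vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def verify(bsc, sc, threshold=THRESHOLD):
    """Server-side decision of S3043: pass only above the threshold."""
    return cosine(bsc, sc) > threshold


# Constructed sample data (not real traces or real PCR values).
PCR = bytes.fromhex("11" * 32)
OTHER_PCR = bytes.fromhex("22" * 32)
LOOP = ["open", "read", "write", "close"]
BASELINE = LOOP * 50                      # trace collected at registration
RUNTIME = LOOP * 48                       # same behavior, shorter window
TAMPERED = ["open", "read", "socket", "connect", "send",
            "write", "close"] * 50        # extra network calls in each loop

if __name__ == "__main__":
    bsc = feature_set(BASELINE, PCR)
    for name, trace, pcr in [("runtime", RUNTIME, PCR),
                             ("tampered", TAMPERED, PCR),
                             ("pcr changed", BASELINE, OTHER_PCR)]:
        sc = feature_set(trace, pcr)
        print(f"{name:12s} similarity={cosine(bsc, sc):.4f} "
              f"pass={verify(bsc, sc)}")
```

Because each feature key is a hash over both the short sequence and the PCR value, an unchanged trace measured under a different PCR shares no keys with the baseline and scores 0, so a legitimate platform update requires re-registration. The same exact-match property means a short sequence that differs in a single call contributes nothing to the similarity.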
The above merely illustrates the technical idea of the present invention and does not limit its scope of protection; any change made on the basis of the technical solution in accordance with the technical idea proposed by the present invention falls within the scope of protection of the claims of the present invention.

Claims (10)

1. A software behavior integrity verification method, characterized in that a C/S architecture is used; the server side includes software policy configuration, feature storage and feature matching functions and is responsible for verifying software behavior features; the client includes collection of the software's system calls and can generate the software's behavior feature set from the system call sequence; an SSL-based secure channel is deployed between the server and the client, and the two communicating parties interact through their corresponding communication modules, providing identity authentication on mutual access and encryption of data in transit.
2. The software behavior integrity verification method according to claim 1, characterized in that the client includes a registration step and a verification step; in the client's initial state, the client first runs and collects the system call sequence of the software to be verified, and models the system call sequence with the n-gram algorithm to generate short-sequence features; each short sequence is regarded as one behavior of the software, and the proportion accounted for by each behavior is calculated; according to the policy requirements, each behavior is associated with the hardware or system software relevant to the client, and, using the computer's trusted platform module (TPM), a hash is computed over the short sequence and the corresponding value to generate the software's feature behavior; finally all of the software's feature behaviors and behavior proportions are sent to the server as the software's base feature set; the server compares the received feature set with the base feature set stored in the database for similarity; if the similarity is high the software's behavior is trustworthy, otherwise the software's behavioral integrity is considered to have been compromised; after server verification, the verification result is returned to the client.
3. The software behavior integrity verification method according to claim 2, characterized in that, in the client's registration process, the client first logs in to the server with a user name and password and establishes a secure communication channel; the client sends a registration request to the server; after receiving the registration request, the server checks the legitimacy of the request, then looks up on the policy server the policy for the software required by the corresponding client, the policy including the time required for software registration and the corresponding software and hardware information, and sends the policy information to the client; after receiving the server's response, the client starts running the software and collects the system-call queue generated while it runs; once the time required by the policy has elapsed, it processes the system-call queue with the n-gram algorithm and derives each high-frequency system-call short sequence SCS_j and its corresponding proportion R_j; according to the policy requirements, the running state of the software is associated with the computer's hardware information or operating system: the trust value for the corresponding policy is read from the platform configuration register (PCR) of the TPM, and a cryptographic hash function is used to compute the value of each short sequence after association with the policy, HSCS_j = Hash(SCS_j || PCR_i); each pair (HSCS_j, R_j) serves as one group of behavior features, and the behavior features of all high-frequency sequences form the software's behavior base feature set BSC; after obtaining the behavior feature set, the client sends the set to the server, which stores it in the database on receipt; after successful storage the server returns a registration-success message to the client, and the client stores the software and its policy information in a policy file; at boot, the computer selects the actions to start according to the information in the policy file.
4. The software behavior integrity verification method according to claim 3, characterized in that the registration request sent by the client to the server includes two fields, the message header and the registration policy; the header contains the fields message type, user ID and machine ID, and the registration policy contains the set of software names and waiting times; after receiving the registration operation request initiated by the client, the server generates the registration request; the structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, the user name and additional information respectively; when the server generates the registration request message m, it must follow these rules:
S2011, create a RegistrationRequest message; generate the header of the registration request from the message sent by the client, with message type reg and ext filled with the machine ID; the user ID and machine ID are taken from the received message;
S2012, for each client, create a policy array containing the names and waiting times of all software to be verified on the client device; the software names and waiting times are looked up in the database by machine ID.
5. The software behavior integrity verification method according to claim 3, characterized in that the rules by which the client processes the registration request are as follows:
S2021, select and parse the RegistrationRequest message;
S2022, if a field in the message is empty, or a field's type and value do not match, reject the operation;
S2023, add the software names in the policy to the verification list; for each software item in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file; the collection time equals the configured waiting time.
6. The software behavior integrity verification method according to claim 3, characterized in that the structure of the client registration response message is {header, assertion[]}, and the generation rules are as follows:
S2031, create a RegistrationResponse message and copy the UserID in the header of the RegistrationRequest to the UserID of the RegistrationResponse;
S2032, the header.ext of the message is the corresponding software name;
S2033, the message assertion[] contains the feature information (HSCS_j, R_j) generated from all of the software's high-frequency system-call short sequences (SCS_j) and their corresponding proportions R_j;
S2034, send the RegistrationResponse message to the server.
7. The software behavior integrity verification method according to claim 3, characterized in that the server-side rules for processing the registration response are as follows:
S2041, parse the message; if a required field of the message is empty, or the type and value of certain fields do not match, reject the operation;
S2042, look up the registration information for the UserID in the database and verify whether the UserID and ext in the header match; if they do not match, reject the operation;
S2043, store the received behavior base feature set BSC of the software in the database, to serve later as the basis for verifying whether the software's behavior is trustworthy.
8. The software behavior integrity verification method according to claim 2, characterized in that, in the client's verification step, the server first sends a verification request to the client; after receiving the request, the client checks the policy configuration file and, according to the policy, reads the corresponding PCR_i from the PCRs of the TPM; at the same time it takes the continuously collected system-call queue, processes the queue with the n-gram algorithm, and derives each high-frequency system-call short sequence (SCS_j) and its corresponding proportion R_j; finally the features are computed with a hash algorithm, HSCS_j = Hash(SCS_j || PCR_i), and the set SC formed by all the high-frequency features and their proportions is sent to the server; after receiving the feature set SC, the server retrieves the base feature set BSC from the database and compares the similarity of the two sets using the cosine similarity algorithm.
9. The software behavior integrity verification method according to claim 8, characterized in that the structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, the user name and additional information respectively; when the server generates the login request message m, it must follow these rules:
S3011, set the operation type to verification; UserID is the ID of the logged-in user;
S3012, fill in the information on the software to be verified according to the policy in the database;
S3013, send the verification request to the client;
S302, the client receives and processes the verification request;
The processing rules are as follows:
S3021, parse the message m; if a field in the message is empty, or a field's type and value do not match, reject the operation;
S3022, according to the policy in the message, parse out the names of the software to be verified;
S3023, check whether the local verification list contains all of the software to be verified; if it does not contain all of it, reject the operation;
S3024, obtain the system call sequence of the corresponding software from the temporary file collected with the trace tool, and analyze it with the n-gram algorithm.
10. The software behavior integrity verification method according to claim 8 or claim 9, characterized in that the structure of the client verification response message is {header, assertion[]}, and the generation rules are as follows:
S3031, copy the header information of the verification request into the header of the verification response message; the header.ext of the message is the corresponding software name;
S3032, the message assertion[] contains the feature information (HSCS_j, R_j) generated from all of the software's high-frequency system-call short sequences SCS_j, as analyzed by the n-gram algorithm, and their corresponding proportions R_j;
S3033, send the RegistrationResponse message to the server;
S304, the server processes the verification response message;
The processing rules are as follows:
S3041, parse the message and verify whether the fields in the message conform to the rules; if the required fields in the message, or the type and value of certain fields, do not conform, reject the operation;
S3042, obtain UserID and AppID from the message, and use UserID and AppID to retrieve from the database the base feature set BSD that the corresponding client submitted at registration;
S3043, obtain the feature information set from the assertion[] of the message and use the cosine similarity algorithm to analyze the similarity between the base feature set and the feature information set; if the similarity is greater than 0.98, verification passes;
S3044, send the verification result to the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811435451.2A CN109558724A (en) 2018-11-28 2018-11-28 A kind of software action integrity verification method

Publications (1)

Publication Number Publication Date
CN109558724A (en) 2019-04-02

Family

ID=65867950

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190402

RJ01 Rejection of invention patent application after publication