CN109558724A - Software behavior integrity verification method
- Publication number: CN109558724A
- Other identifiers listed: CN201811435451.2A, CN201811435451A
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Abstract
The invention discloses a software behavior integrity verification method that uses a client/server (C/S) architecture. The server side provides the policy configuration, feature storage and feature matching functions of the software and is responsible for verifying software behavior features. The client collects the system calls of the software and can generate the behavior feature set of the software from the system call sequence. An SSL-based secure channel is deployed between the server and the client; the two communicating parties interact through their respective communication modules, which provides identity authentication and encrypted data transmission when they access each other. The invention addresses the problem of remote attestation of software integrity.
Description
Technical field
The invention belongs to the field of information security technology and relates in particular to a software behavior integrity verification method.
Background
Software is the cornerstone of Internet applications, and modern society's dependence on computer systems is in effect a dependence on software; the defects of computer systems are likewise largely caused by software problems. In particular, more and more software operating and development environments are moving from the traditional static, closed state to the open, dynamic state of the Internet environment. More and more software vulnerabilities and defects are being discovered and exploited by malicious attackers.
In the security field, software integrity offers a perspective different from earlier ones for assessing the current running state of software. The integrity of software represents its trustworthiness. At present there are two ways to verify software integrity: static verification and dynamic verification. Static verification analyzes and verifies the state of the software's program files and data files, thereby ensuring that the initial state of the software is reliable; however, this trusted state cannot be carried forward while the software is running, which is a major challenge for software integrity assurance.
A widely accepted definition of trusted software is: software whose running behavior and results always meet people's expectations, and which can still provide continuous service when subjected to interference. The integrity of software behavior means that the behavior trace produced by the software during actual operation matches the expected behavior rules of the software.
Many of the dynamic software behavior integrity verification methods studied at present use software behavior models based on system calls. They rely on system call information from the software and a particular modeling method to build a behavior model that characterizes the normal behavior of the software. After a program has been compromised, the intrusion shows up in the system calls made during execution, so a system-call-based software behavior model can be used to verify the behavior integrity of software.
Summary of the invention
In view of the above deficiencies in the prior art, the technical problem to be solved by the present invention is to provide a software behavior integrity verification method that can verify the integrity of software while it is running, so as to guarantee in real time the trustworthiness of the running software.
The invention adopts the following technical solution:
A software behavior integrity verification method uses a C/S architecture. The server side provides the policy configuration, feature storage and feature matching functions of the software and is responsible for verifying software behavior features. The client collects the system calls of the software and can generate the behavior feature set of the software from the system call sequence. An SSL-based secure channel is deployed between the server and the client; the two communicating parties interact through their respective communication modules, which provides identity authentication and encrypted data transmission when they access each other.
Specifically, the client includes a registration step and a verification step. In the initial state of the client, the client first runs the software that needs to be verified and collects its system call sequence, then analyzes and models the system call sequence with the n-gram algorithm to generate short-sequence features. Each short sequence is regarded as one behavior of the software, and the proportion of each behavior is calculated. According to the policy requirements, each behavior is associated with the relevant hardware or system software of the client, and the computer's Trusted Platform Module (TPM) is used to hash the short sequence together with the corresponding value, generating a feature behavior of the software. Finally, all feature behaviors of the software and their behavior ratios are sent to the server as the baseline feature set of the software. The server performs a similarity comparison between the feature set it receives and the baseline feature set stored in the database; if the similarity is high, the software behavior is considered trusted, otherwise the software behavior integrity is considered to have been compromised. After verification, the server returns the result to the client.
Further, in the registration process of the client, the client first logs in to the server with a user name and password and establishes a secure communication channel. The client sends a registration request to the server. After receiving the registration request, the server verifies the legitimacy of the request and then looks up, on the policy server, the policy of the software required for the corresponding client; the policy contains the time required for software registration and the corresponding software and hardware information, and the server sends the policy information to the client. After receiving this information from the server, the client starts running the software and collects the system call queue generated while it runs. Once the time required by the policy has elapsed, the client processes the system call queue with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding proportion $R_j$. As the policy requires, the running state of the software is associated with the hardware information of the computer or with the operating system: the trusted value for the relevant policy is taken from the platform configuration register (PCR) of the TPM, and a cryptographic hash function is used to calculate the value of each short sequence after association with the policy, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$. Each pair $(HSCS_j, R_j)$ is one behavior feature, and all high-frequency behavior features make up the baseline behavior feature set BSC of the software. After obtaining the behavior feature set, the client sends it to the server, which stores it in the database on receipt. After storing it successfully, the server returns a registration-success message to the client. The client saves the software and its policy information in the policy file, and at boot the computer selects its startup actions according to the information in the policy file.
Further, the registration request that the client sends to the server includes two fields, the message header and the registration policy. The header contains the fields message type, user ID and machine ID; the registration policy contains the set of software names and waiting durations. After receiving the registration operation request initiated by the client, the server generates a registration request. The structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, representing the operation type, user name and additional information respectively. The server must follow these rules when generating the registration request message m:
S2011, create the RegistrationRequest message and generate the registration request header from the message sent by the client; the message type is reg and ext is filled with the machine ID; the user ID and machine ID are obtained from the received message;
S2012, for each client, create a policy array containing the names and waiting durations of all software that the client device needs to verify; the software names and waiting durations are looked up in the database by machine ID.
Further, the client processes the registration request according to the following rules:
S2021, select and parse the RegistrationRequest message;
S2022, if a field in the message is empty, or a field's type and value do not match, reject the operation;
S2023, add the software names in the policy to the verification list; for each software item in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file; the collection time is the same as the configured waiting duration.
Further, the structure of the client registration response message is {header, assertion[]}, and it is generated according to the following rules:
S2031, create the RegistrationResponse message and copy the UserID in the RegistrationRequest header into the UserID of the RegistrationResponse header;
S2032, header.ext of the message is the corresponding software name;
S2033, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all high-frequency system call short sequences $SCS_j$ of the software and their corresponding proportions $R_j$;
S2034, send the RegistrationResponse message to the server.
Further, the server processes the registration response according to the following rules:
S2041, parse the message; if a required field of the message is empty, or the type and value of some field do not match, reject the operation;
S2042, look up the registration information for the UserID in the database and verify whether the UserID and ext in the header match; if they do not match, reject the operation;
S2043, store the received baseline behavior feature set BSC of the software in the database as the basis for later verifying whether the behavior of the software is trusted.
Further, in the verification step of the client, the server first sends a verification request to the client. After receiving the request, the client checks the policy configuration file, takes the $PCR_i$ for the relevant policy from the PCRs of the TPM according to the policy, and at the same time takes out the continuously collected system call queue and processes it with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding proportion $R_j$. Finally it computes the features with the hash algorithm, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, and sends the set SC made up of all high-frequency features to the server. After receiving the feature set SC, the server retrieves the baseline feature set BSC from the database and compares the similarity of the two sets using the cosine similarity algorithm.
Further, the structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, representing the operation type, user name and additional information respectively. The server must follow these rules when generating the registration request message m:
S3011, set the operation type to verification; UserID is the ID of the logged-in user;
S3012, fill in the information of the software to be verified according to the policy in the database;
S3013, send the verification request to the client;
S302, the client receives and processes the verification request;
The processing rules are as follows:
S3021, parse the message m; if a field in the message is empty, or a field's type and value do not match, reject the operation;
S3022, parse the names of the software that needs to be verified from the policy in the message;
S3023, check whether the local verification list contains all the software that needs to be verified; if it does not contain all of it, reject the operation;
S3024, obtain the system call sequence of the corresponding software from the temporary file collected with the trace tool and analyze it with the n-gram algorithm.
Further, the structure of the client verification response message is {header, assertion[]}, and it is generated according to the following rules:
S3031, copy the header information of the verification request into the header of the verification response message; header.ext of the message is the corresponding software name;
S3032, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all high-frequency system call short sequences $SCS_j$ of the software found by the n-gram algorithm and their corresponding proportions $R_j$;
S3033, send the RegistrationResponse message to the server;
S304, the server processes the verification response message;
The processing rules are as follows:
S3041, parse the message and verify whether the fields in the message comply with the rules; if a required field in the message is empty, or the type and value of some field do not match, reject the operation;
S3042, obtain UserID and AppID from the message and use them to retrieve from the database the baseline feature set BSD that the corresponding client submitted at registration;
S3043, obtain the feature information set from assertion[] of the message and use the cosine similarity algorithm to analyze the similarity between the baseline feature set and the feature information set; if the similarity is greater than 0.98, verification passes;
S3044, send the verification result to the client.
Compared with the prior art, the present invention has at least the following advantages:
The software behavior integrity verification method of the present invention uses a C/S architecture and combines software integrity verification with remote attestation, providing a feasible way to verify software integrity remotely. The server side provides functions such as policy configuration, feature storage and feature matching and is responsible for verifying software behavior features. The client collects the system calls of the software and can generate the behavior feature set of the software from the system call sequence. An SSL-based secure channel is deployed between the server and the client; the two communicating parties interact through their respective communication modules, which provides identity authentication and encrypted data transmission when they access each other.
Further, the client uses the n-gram algorithm, which demands very little computing power from the client and can therefore be applied on terminal devices with weak computing capability. The method uses the algorithm to analyze the system call information generated while the software runs, so the software can be verified in real time, which ensures the trustworthiness of the running software to a certain extent.
Further, the method hands the integrity check of the software to the server, while the client is responsible only for collecting and communicating the integrity information; this reduces the possibility that the check result is modified after the client has been compromised. Under this mechanism every client needs to go through a registration process, during which the baseline behavior feature set of the software is generated. The verification process determines the trustworthiness of the software by comparing the similarity between the feature set of the running software and the baseline behavior feature set.
Further, the registration process of the client comprises four steps: the server generates the registration request message, the client processes the registration request message, the client generates the registration response message, and the server processes the registration response message. These four steps define the registration process of the client and ensure its reliability.
Further, the step in which the client processes the registration request serves mainly to parse the registration message and verify its legitimacy, and to save the policy in the registration message to a local list, which saves the time needed to collect integrity information when the response message is generated.
Further, the body of the registration response message is the feature information of the local software, namely the system call sequence after processing by the n-gram algorithm. The benefit of the registration response message is that it provides the original comparison information for the verification process.
Further, the purpose and benefit of the server-side registration response processing rules is that the baseline feature set of the software is stored on the server, where it can serve as the basis of verification during the verification process.
Further, the verification step of the client is the key step of this method; it ensures that every integrity check of the software is reliable.
Further, the verification request message m generated by the server contains the information of the registered user and the software and hardware policy information. This information is the subject of verification and is required for the whole verification method. The purpose of the server-side verification response processing rules is to compare the real-time behavior feature set of the software with its baseline feature set, which gives a higher-confidence judgment of the reliability of the software and thereby achieves the goal of verifying software integrity.
Further, by processing the verification request and generating the verification response, the client can first verify the legitimacy of the verification request sent by the server and second send the feature set of the locally running software to the server, allowing the server to make an accurate and timely judgment of the reliability of the software.
In summary, the invention proposes a software behavior integrity verification method that can be used in practical systems and that solves, to a certain extent, the problem of remote attestation of software integrity.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
Fig. 1 is the interaction diagram between the client and the server during client registration;
Fig. 2 is the interaction diagram of the server verifying the client.
Detailed description of the embodiments
The present invention provides a software behavior integrity verification method that uses a C/S architecture. The server side provides functions such as policy configuration, feature storage and feature matching and is responsible for verifying software behavior features. The client collects the system calls of the software and can generate the behavior feature set of the software from the system call sequence. An SSL-based secure channel is deployed between the server and the client; the two communicating parties interact through their respective communication modules, which provides identity authentication and encrypted data transmission when they access each other.
The software behavior integrity verification method of the present invention is divided into two steps: the registration step and the verification step of the software.
First, in the registration step, the initial state of the client is assumed to be a trusted state.
The initial state of the client means that the client entity (the computer) has not yet been in contact with the external environment (network connections, untrusted peripherals) and that its hardware and underlying operating system are legitimate and trusted.
In the initial state, the running environment of the client software is considered safe and reliable. The scheme collects the feature information of the relevant software in the initial state of the client.
In the verification step: for software that needs to be verified, the client first collects the system call information of the software, and the feature information collected in the initial state is used as the benchmark for judging software behavior integrity.
In the initial state of the client, the client first runs the software that needs to be verified and collects its system call sequence, then analyzes and models the system call sequence with the n-gram algorithm to generate short-sequence features.
Each short sequence is regarded as one behavior of the software, and the proportion of each behavior is calculated. According to the policy requirements, each behavior is associated with the relevant hardware or system software of the client, and the computer's Trusted Platform Module (TPM) is used to hash the short sequence together with the corresponding value, generating a feature behavior of the software. This process ensures that the running information of the software is not leaked during transmission.
Finally, all feature behaviors of the software and their behavior ratios are sent to the server as the baseline feature set of the software, and the server stores the received baseline feature set as the basis for later judgments.
In the verification step of the software, the client first needs to receive the verification instruction and software policy sent by the server. Following the server's instruction, the client analyzes and models the collected system call sequence of the software to generate short-sequence features, performs a hash operation based on the policy, the encryption key stored in the TPM and the short sequences to generate the feature behaviors and the behavior feature set, and finally sends the behavior feature set to the server. The server performs a similarity comparison between the received feature set and the baseline feature set stored in the database; if the similarity is high, the behavior of the software is considered trusted, otherwise the software behavior integrity is considered to have been compromised. After verification, the server returns the result to the client.
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently some, not all, of the embodiments of the present invention. The components of the embodiments generally described and shown in the drawings here can be arranged and designed in a variety of different configurations. The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the scope of the claimed invention but merely represents selected embodiments. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
When the system runs, the present invention is divided mainly into three processes: client startup, client registration and client verification.
S1, client startup
During client startup, the trustworthiness of the client environment is verified first: according to the local policy file, a chain of trust to the relevant policy is established with the TPM and BIOS as the root of trust, and the relevant measurement values are generated; these measurement values are hashed together with the short-sequence features of the relevant software to generate the features of the software. After the client has started successfully, it continuously collects the system call information produced when the software listed in the policy file runs and stores it locally, so that it can be retrieved promptly when integrity is verified to generate the real-time behavior feature set.
S2, client registration
In the registration process of the client, the client first logs in to the server with a user name and password and establishes a secure communication channel. The client sends a registration request to the server. After receiving the registration request, the server verifies the legitimacy of the request and then looks up, on the policy server, the policy of the software required for the corresponding client; the policy contains the time required for software registration, the corresponding software and hardware information and so on, and the server sends the policy information to the client. After receiving this information from the server, the client starts running the relevant software and collects the system call queue generated while it runs. Because this is the registration phase, the collected system call queue must be sufficiently representative, and the collection time required differs from one software item to another. Once the time required by the policy has elapsed, the client processes the system call queue with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding proportion $R_j$. As the policy requires, the running state of the software is associated with the hardware information of the computer or with the operating system: the trusted value for the relevant policy is taken from the platform configuration register (PCR) of the TPM, and a cryptographic hash function is used to calculate the value of each short sequence after association with the policy, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$. Each pair $(HSCS_j, R_j)$ is one behavior feature, and all high-frequency behavior features make up the baseline behavior feature set BSC of the software. After obtaining the behavior feature set, the client sends it to the server, which stores it in the database on receipt for use in later verification. After storing it successfully, the server returns a registration-success message to the client. The client saves the software and its policy information in the policy file, and at later boots the computer selects its startup actions according to the information in the policy file.
S201, the server issues the registration request
The registration request includes two fields, the message header and the registration policy. The header contains the fields message type, user ID and machine ID. The registration policy contains the set of software names and waiting durations. After receiving the registration operation request initiated by the client, the server generates a registration request. The structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, representing the operation type, user name and additional information respectively. The server must follow these rules when generating the registration request message m:
S2011, create the RegistrationRequest message and generate the registration request header from the message sent by the client; the message type is reg and ext is filled with the machine ID; the user ID and machine ID are obtained from the received message.
S2012, for each client, create a policy array containing the names and waiting durations of all software that the client device needs to verify. These software names and waiting durations can be looked up in the database by machine ID.
S202, the client processes the registration request
The client processes the registration request according to the following rules:
S2021, select and parse the RegistrationRequest message.
S2022, if a field in the message is empty, or a field's type and value do not match, reject the operation.
S2023, add the software names in the policy to the verification list; for each software item in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file. The collection time is the same as the configured waiting duration.
S203, the client generates the registration response message
The structure of the client registration response message is {header, assertion[]}, and it is generated according to the following rules:
S2031, create the RegistrationResponse message and copy the UserID in the RegistrationRequest header into the UserID of the RegistrationResponse header.
S2032, header.ext of the message is the corresponding software name.
S2033, assertion[] of the message contains the feature information $(HSCS_j, R_j)$ generated from all high-frequency system call short sequences $SCS_j$ of the software and their corresponding proportions $R_j$.
S2034, send the RegistrationResponse message to the server.
S204, the server processes the registration response
The server processes the registration response according to the following rules:
S2041, parse the message; if a required field of the message is empty, or the type and value of some field do not match, reject the operation.
S2042, look up the registration information for the UserID in the database and verify whether the UserID and ext in the header match; if they do not match, reject the operation.
S2043, store the received baseline behavior feature set BSC of the software in the database as the basis for later verifying whether the behavior of the software is trusted.
The interaction flow between the client and the server during client registration is shown in Fig. 1.
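One way a server could apply rules S2041 to S2043 to an incoming RegistrationResponse is sketched below; this is an added example, not code from the patent. It assumes a JSON-like dict message, $HSCS_j$ encoded as a lowercase hex SHA-256 digest, an in-memory dict in place of the database, and that "UserID and ext match" means header.ext names software from the policy issued to that UserID; the user and software names are constructed.

```python
HEX = set("0123456789abcdef")

# Constructed server state (assumption): software names the server placed in
# the policy[] it issued to each UserID.
ISSUED_POLICY = {"user-01": {"nginx", "sshd"}}

# Constructed RegistrationResponse with two (HSCS_j, R_j) pairs.
SAMPLE_RESPONSE = {
    "header": {"op": "reg", "UserID": "user-01", "ext": "nginx"},
    "assertion": [["a" * 64, 0.6], ["b" * 64, 0.4]],
}


def parse_assertion(assertion):
    """Return {HSCS_j: R_j}, or None if any entry is malformed."""
    if not isinstance(assertion, list) or not assertion:
        return None
    features = {}
    for entry in assertion:
        if not (isinstance(entry, (list, tuple)) and len(entry) == 2):
            return None
        hscs, ratio = entry
        # Assumption: HSCS_j is a lowercase hex SHA-256 digest (64 characters).
        if not (isinstance(hscs, str) and len(hscs) == 64 and set(hscs) <= HEX):
            return None
        if isinstance(ratio, bool) or not isinstance(ratio, (int, float)):
            return None
        # A proportion lies in (0, 1]; a repeated digest would be ambiguous.
        if not 0 < ratio <= 1 or hscs in features:
            return None
        features[hscs] = float(ratio)
    # The R_j are shares of one trace, so together they cannot exceed 1.
    return features if sum(features.values()) <= 1 + 1e-9 else None


def handle_registration_response(msg, issued, store):
    """Apply S2041-S2043 to a RegistrationResponse; return (accepted, reason)."""
    # S2041: required fields present, non-empty and of the expected type.
    if not isinstance(msg, dict) or not isinstance(msg.get("header"), dict):
        return False, "missing header"
    header = msg["header"]
    for field in ("op", "UserID", "ext"):
        if not isinstance(header.get(field), str) or not header[field]:
            return False, "bad header." + field
    features = parse_assertion(msg.get("assertion"))
    if features is None:
        return False, "bad assertion"
    # S2042: header.ext must name software from this UserID's issued policy.
    if header["ext"] not in issued.get(header["UserID"], set()):
        return False, "UserID/ext mismatch"
    # S2043: store the baseline feature set BSC for later verification.
    store[(header["UserID"], header["ext"])] = features
    return True, "stored"


if __name__ == "__main__":
    database = {}
    print(handle_registration_response(SAMPLE_RESPONSE, ISSUED_POLICY, database))
```

Rejecting out-of-range or duplicate entries before storage matters here because the stored BSC becomes the reference for every later cosine comparison.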
S3, verifying software behavior
During verification, the server first sends a verification request to the client. After receiving the request, the client checks the policy configuration file, takes the $PCR_i$ for the relevant policy from the PCRs of the TPM according to the policy, and at the same time takes out the continuously collected system call queue and processes it with the n-gram algorithm, extracting each high-frequency system call short sequence $SCS_j$ and its corresponding proportion $R_j$. Finally it computes the features with the hash algorithm, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, and sends the set SC made up of all high-frequency features to the server. After receiving the feature set SC, the server retrieves the baseline feature set BSC from the database and compares the similarity of the two sets using the cosine similarity algorithm. If the similarity is high (99.8% or more), the behavior integrity of the software is considered not to have been compromised and verification succeeds; otherwise verification fails. After verification, the server sends the result to the client.
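The feature pipeline described for registration (S2) and verification (S3) can be followed end to end in the added example below, which is not code from the patent: n-gram extraction of $SCS_j$ and $R_j$, binding to $PCR_i$ by hashing, and the server's cosine comparison of SC against BSC. Assumptions: SHA-256 as the hash, n = 3, the eight most frequent n-grams counted as "high-frequency", a space-joined encoding of $SCS_j$, and constructed traces and PCR values in place of a trace tool and a TPM.

```python
import hashlib
import math
from collections import Counter

N = 3             # n-gram length (assumption: the page does not fix n)
TOP_K = 8         # number of high-frequency short sequences kept (assumption)
THRESHOLD = 0.98  # pass threshold from step S3043 (the S3 text says 99.8%)

# Constructed stand-ins for the PCR_i value a real client would read from its TPM.
TRUSTED_PCR = hashlib.sha256(b"constructed trusted boot measurement").digest()
ALTERED_PCR = hashlib.sha256(b"constructed altered boot measurement").digest()

# Constructed system call traces (one syscall name per element).
NORMAL_LOOP = ["open", "read", "write", "close"]
FOREIGN_LOOP = ["socket", "connect", "dup2", "execve"]
REGISTRATION_TRACE = NORMAL_LOOP * 50
CLEAN_TRACE = NORMAL_LOOP * 40
DEVIATING_TRACE = NORMAL_LOOP * 25 + FOREIGN_LOOP * 25


def short_sequences(trace, n=N, top_k=TOP_K):
    """Return {SCS_j: R_j} for the top_k most frequent n-grams of the trace."""
    grams = Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))
    total = sum(grams.values())
    # Sort by count (descending), then by the n-gram itself so ties are stable.
    ranked = sorted(grams.items(), key=lambda kv: (-kv[1], kv[0]))[:top_k]
    return {gram: count / total for gram, count in ranked}


def feature_set(trace, pcr, n=N, top_k=TOP_K):
    """Return {HSCS_j: R_j} where HSCS_j = Hash(SCS_j || PCR_i)."""
    features = {}
    for gram, ratio in short_sequences(trace, n, top_k).items():
        # Encoding assumption: syscall names joined by spaces, then raw PCR bytes.
        scs = " ".join(gram).encode("ascii")
        features[hashlib.sha256(scs + pcr).hexdigest()] = ratio
    return features


def cosine_similarity(bsc, sc):
    """Cosine similarity of two sparse vectors keyed by HSCS_j."""
    dot = sum(ratio * sc.get(key, 0.0) for key, ratio in bsc.items())
    norm = (math.sqrt(sum(r * r for r in bsc.values()))
            * math.sqrt(sum(r * r for r in sc.values())))
    return dot / norm if norm else 0.0


def verify(bsc, sc, threshold=THRESHOLD):
    """Server-side decision: pass only if the similarity exceeds the threshold."""
    return cosine_similarity(bsc, sc) > threshold


def demo():
    """Register once, then score three verification rounds against the BSC."""
    bsc = feature_set(REGISTRATION_TRACE, TRUSTED_PCR)  # registration
    rounds = {
        "clean": feature_set(CLEAN_TRACE, TRUSTED_PCR),
        "deviating": feature_set(DEVIATING_TRACE, TRUSTED_PCR),
        "altered_pcr": feature_set(CLEAN_TRACE, ALTERED_PCR),
    }
    return {name: (round(cosine_similarity(bsc, sc), 4), verify(bsc, sc))
            for name, sc in rounds.items()}


if __name__ == "__main__":
    for name, (score, passed) in demo().items():
        print(f"{name:12s} similarity={score:.4f} pass={passed}")
```

Because every $HSCS_j$ includes $PCR_i$, a changed platform measurement makes the two key sets disjoint and the similarity drops to zero even when the system call behavior itself is unchanged.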
S301, the server generates the verification request
The structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, representing the operation type, user name and additional information respectively. The server must follow these rules when generating the registration request message m:
S3011, set the operation type to verification; UserID is the ID of the logged-in user.
S3012, fill in the information of the software to be verified according to the policy in the database.
S3013, send the verification request to the client.
S302, the client receives and processes the verification request
The processing rules are as follows:
S3021, parse message m; if a field in the message is empty, or a field's type and value do not match, refuse the operation.
S3022, parse out the names of the software to be verified according to the policy in the message.
S3023, check whether the local proof list contains all the software to be verified; if it does not contain all of it, refuse the operation.
S3024, obtain the system call sequence of the corresponding software from the temporary file collected with the trace tool, and analyze it with the n-gram algorithm.
S303, the client generates the verification response message
The structure of the client verification response message is {header, assertion[]}, and the generation rules are as follows:
S3031, copy the header information of the verification request into the header of the verification response message. The header.ext of the message is the corresponding software name.
S3032, the message's assertion[] contains the feature information ($HSCS_j$, $R_j$) generated from all the high-frequency short system call sequences ($SCS_j$) of the software found by the n-gram algorithm and their corresponding proportions $R_j$.
S3033, send the RegistrationResponse message to the server.
S304, the server processes the verification response message
The processing rules are as follows:
S3041, parse the message and verify whether its fields conform to the rules; if a required field in the message, or the type and value of some field, do not conform, refuse the operation.
S3042, obtain UserID and AppID from the message, and use them to retrieve from the database the baseline feature set BSD that the corresponding client submitted at registration.
S3043, obtain the feature information set from the message's assertion[], and use the cosine similarity algorithm to analyze the similarity between the baseline feature set and the feature information set; if the similarity is greater than 0.98, verification passes.
S3044, send the verification result to the client.
The interaction flow of the server verifying the client is shown in Figure 2.
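The feature pipeline of steps S3024 to S3043 (n-gram extraction, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, cosine comparison against the 0.98 threshold), as an added Python sketch that is not code from the patent. The n-gram length, the top-k cut-off, SHA-256, the separator byte, and all PCR values and system call traces are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

N = 3             # assumed n-gram length; the page does not fix n
TOP_K = 5         # assumed cut-off for "high-frequency" short sequences
THRESHOLD = 0.98  # pass mark stated in step S3043


def feature_set(syscalls, pcr, n=N, top_k=TOP_K):
    """Map each HSCS_j to its proportion R_j for the top_k most frequent n-grams."""
    grams = Counter(tuple(syscalls[i:i + n]) for i in range(len(syscalls) - n + 1))
    total = sum(grams.values())
    features = {}
    for scs, count in grams.most_common(top_k):
        # HSCS_j = Hash(SCS_j || PCR_i); SHA-256 and the NUL separator are assumptions.
        digest = hashlib.sha256("\x00".join(scs).encode() + pcr).hexdigest()
        features[digest] = count / total
    return features


def cosine_similarity(a, b):
    """Cosine of two sparse vectors keyed by HSCS_j; a missing key counts as 0."""
    dot = sum(r * b.get(h, 0.0) for h, r in a.items())
    norm = (math.sqrt(sum(r * r for r in a.values()))
            * math.sqrt(sum(r * r for r in b.values())))
    return dot / norm if norm else 0.0


def verify(bsc, sc, threshold=THRESHOLD):
    """Server-side decision of S3043: pass only above the threshold."""
    return cosine_similarity(bsc, sc) > threshold


# Constructed sample data (not from the page): PCR values and syscall traces.
PCR_GOOD = bytes.fromhex("11" * 32)
PCR_CHANGED = bytes.fromhex("22" * 32)
FILE_LOOP = ["open", "read", "write", "close"]
NET_LOOP = ["socket", "connect", "send", "close"]

BSC = feature_set(FILE_LOOP * 50, PCR_GOOD)                         # registration
SC_NORMAL = feature_set(FILE_LOOP * 60, PCR_GOOD)                   # same behavior, longer run
SC_ALTERED = feature_set(FILE_LOOP * 25 + NET_LOOP * 25, PCR_GOOD)  # new behavior appears
SC_NEW_PCR = feature_set(FILE_LOOP * 50, PCR_CHANGED)               # platform state changed

if __name__ == "__main__":
    for name, sc in [("normal", SC_NORMAL), ("altered", SC_ALTERED),
                     ("new PCR", SC_NEW_PCR)]:
        print(f"{name:8s} similarity={cosine_similarity(BSC, sc):.4f} "
              f"pass={verify(BSC, sc)}")
```

Because every feature key includes $PCR_i$, a changed PCR value makes the two sets disjoint, so the similarity drops to 0 even when the system call trace itself is unchanged.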
The above content merely illustrates the technical idea of the invention and does not limit its scope of protection; any change made on the basis of the technical solution in accordance with the technical idea proposed by the invention falls within the scope of protection of the claims of the invention.
Claims (10)
1. A software behavior integrity verification method, characterized in that a C/S architecture is used; the server side includes the software's policy configuration, feature storage and feature matching functions and is responsible for verifying software behavior features; the client includes collection of the software's system calls and can generate the software's behavior feature set from the system call sequence; an SSL-based secure channel is deployed between the server and the client, and the two communicating parties interact through their respective communication modules, providing identity authentication and encrypted data transmission when they access each other.
2. The software behavior integrity verification method according to claim 1, characterized in that the client includes a registration step and a verification step; in the client's initial state, the client first runs the software to be verified and collects its system call sequence, and models the system call sequence with the n-gram algorithm to generate short-sequence features; each short sequence is regarded as one behavior of the software, and the proportion of each behavior is calculated; according to the policy requirements, each behavior is associated with the client's relevant hardware or system software, and the computer's Trusted Platform Module (TPM) is used to hash the short sequence together with the corresponding value, generating the software's characteristic behaviors; finally, all the software's characteristic behaviors and behavior proportions are sent to the server as the software's baseline feature set; the server performs similarity identification between the received feature set and the baseline feature set stored in the database; if the similarity is high, the software's behavior is trustworthy, otherwise the software's behavioral integrity is considered destroyed; after verification, the server returns the result to the client.
3. The software behavior integrity verification method according to claim 2, characterized in that, in the client's registration process, the client first logs in to the server with a user name and password and establishes a secure communication channel; the client sends a registration request to the server; after receiving the registration request, the server checks the legitimacy of the request and then looks up, on the policy server, the policy for the software required by the corresponding client, the policy including the time required for software registration and the corresponding software and hardware information, and sends the policy information to the client; after receiving the server's information, the client starts running the software and collects the system call queue generated while it runs; once the time required by the policy is reached, the client processes the system call queue with the n-gram algorithm, extracting the high-frequency short system call sequences $SCS_j$ and their corresponding proportions $R_j$; according to the policy requirements, the running state of the software is associated with the computer's hardware information or operating system: the trusted value for the corresponding policy is read from the TPM's platform configuration register PCR, and a cryptographic hash function is used to compute the value of each short sequence after association with the policy, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$; each pair ($HSCS_j$, $R_j$) serves as one behavior feature, and all the high-frequency behavior features form the software's behavior baseline feature set BSC; after obtaining the behavior feature set, the client sends the set to the server, which stores it in the database on receipt; after successful storage, the server returns a registration-success message to the client, and the client saves the software and its policy information in a policy file; at boot, the computer chooses which actions to start according to the information in the policy file.
4. The software behavior integrity verification method according to claim 3, characterized in that the registration request the client sends to the server includes two fields, the message header and the registration policy; the header contains the fields: message type, user ID and machine ID; the registration policy contains the set of software names and waiting times; after receiving the registration operation request initiated by the client, the server generates the registration request; the structure of the registration request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, the user name and additional information respectively; the server must follow these rules when generating the registration request message m:
S2011, create the RegistrationRequest message and generate the registration request's header from the message sent by the client; the message type is reg, ext is filled with the machine ID, and the user ID and machine ID are taken from the received message;
S2012, for each client, create a policy array containing the names and waiting times of all the software to be verified on the client device; the software names and waiting times are looked up in the database by machine ID.
5. The software behavior integrity verification method according to claim 3, characterized in that the client's rules for processing the registration request are as follows:
S2021, select and parse the RegistrationRequest message;
S2022, if a field in the message is empty, or a field's type and value do not match, refuse the operation;
S2023, add the software names in the policy to the proof list; for each software item in the list, use the trace tool to continuously collect the system call sequence generated while it runs and save it to a temporary file; the collection time is the same as the configured waiting time.
6. The software behavior integrity verification method according to claim 3, characterized in that the structure of the client registration response message is {header, assertion[]}, and the generation rules are as follows:
S2031, create the RegistrationResponse message and copy the UserID in the RegistrationRequest header to the UserID of the RegistrationResponse;
S2032, the header.ext of the message is the corresponding software name;
S2033, the message's assertion[] contains the feature information ($HSCS_j$, $R_j$) generated from all the software's high-frequency short system call sequences ($SCS_j$) and their corresponding proportions $R_j$;
S2034, send the RegistrationResponse message to the server.
7. The software behavior integrity verification method according to claim 3, characterized in that the server-side rules for processing the registration response are as follows:
S2041, parse the message; if a required field of the message is empty, or the type and value of a field do not match, refuse the operation;
S2042, look up the registration information for UserID in the database and verify that the UserID and ext in the header match it; if they do not match, refuse the operation;
S2043, store the received behavior baseline feature set BSC of the software in the database, to serve as the basis for later verifying whether the software's behavior is trustworthy.
8. The software behavior integrity verification method according to claim 2, characterized in that, in the client's verification step, the server first sends a verification request to the client; after receiving the request, the client checks the policy configuration file and, according to the policy, reads the corresponding value $PCR_i$ from the TPM's PCRs; it also takes the continuously collected system call queue and processes it with the n-gram algorithm, extracting the high-frequency short system call sequences ($SCS_j$) and their corresponding proportions $R_j$; finally it computes each feature with a hash algorithm, $HSCS_j = \mathrm{Hash}(SCS_j \| PCR_i)$, and sends the set SC formed from all the high-frequency features to the server; after receiving the feature set SC, the server retrieves the baseline feature set BSC from the database and compares the similarity of the two sets with the cosine similarity algorithm.
9. The software behavior integrity verification method according to claim 8, characterized in that the structure of the verification request message is {header, policy[]}, where the header structure is {op, UserID, ext}, denoting the operation type, the user name and additional information respectively; the server must follow these rules when generating the login request message m:
S3011, set the operation type to verification and UserID to the ID of the logged-in user;
S3012, fill in the information of the software to be verified according to the policy in the database;
S3013, send the verification request to the client;
S302, the client receives and processes the verification request;
The processing rules are as follows:
S3021, parse message m; if a field in the message is empty, or a field's type and value do not match, refuse the operation;
S3022, parse out the names of the software to be verified according to the policy in the message;
S3023, check whether the local proof list contains all the software to be verified; if it does not contain all of it, refuse the operation;
S3024, obtain the system call sequence of the corresponding software from the temporary file collected with the trace tool, and analyze it with the n-gram algorithm.
10. The software behavior integrity verification method according to claim 8 or claim 9, characterized in that the structure of the client verification response message is {header, assertion[]}, and the generation rules are as follows:
S3031, copy the header information of the verification request into the header of the verification response message; the header.ext of the message is the corresponding software name;
S3032, the message's assertion[] contains the feature information ($HSCS_j$, $R_j$) generated from all the high-frequency short system call sequences $SCS_j$ of the software found by the n-gram algorithm and their corresponding proportions $R_j$;
S3033, send the RegistrationResponse message to the server;
S304, the server processes the verification response message;
The processing rules are as follows:
S3041, parse the message and verify whether its fields conform to the rules; if a required field in the message, or the type and value of some field, do not conform, refuse the operation;
S3042, obtain UserID and AppID from the message, and use them to retrieve from the database the baseline feature set BSD that the corresponding client submitted at registration;
S3043, obtain the feature information set from the message's assertion[], and use the cosine similarity algorithm to analyze the similarity between the baseline feature set and the feature information set; if the similarity is greater than 0.98, verification passes;
S3044, send the verification result to the client.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811435451.2A CN109558724A (en) | 2018-11-28 | 2018-11-28 | A kind of software action integrity verification method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109558724A true CN109558724A (en) | 2019-04-02 |
Family
ID=65867950
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811435451.2A Pending CN109558724A (en) | 2018-11-28 | 2018-11-28 | A kind of software action integrity verification method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109558724A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101520831A (en) * | 2009-03-27 | 2009-09-02 | 深圳市永达电子有限公司 | Safe terminal system and terminal safety method |
CN102739690A (en) * | 2012-07-17 | 2012-10-17 | 中国人民解放军信息工程大学 | Safety data exchange process monitoring method and system |
CN103577748A (en) * | 2013-11-20 | 2014-02-12 | 北京可信华泰信息技术有限公司 | Dynamic measuring method based on dependable computing and management system |
CN103905461A (en) * | 2014-04-14 | 2014-07-02 | 北京工业大学 | Cloud service behavior trustworthiness attestation method and system based on trusted third party |
CN104715183A (en) * | 2013-12-13 | 2015-06-17 | 中国移动通信集团公司 | Trusted verifying method and equipment used in running process of virtual machine |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110443039A (en) * | 2019-08-09 | 2019-11-12 | 北京阿尔山区块链联盟科技有限公司 | Detection method, device and the electronic equipment of plug-in security |
CN111258295A (en) * | 2020-01-15 | 2020-06-09 | 重庆长安汽车股份有限公司 | System and method for verifying big data acquisition and uploading accuracy |
CN111814138A (en) * | 2020-06-30 | 2020-10-23 | 郑州信大先进技术研究院 | Software security management system based on cloud platform |
CN114385248A (en) * | 2020-10-22 | 2022-04-22 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN114385248B (en) * | 2020-10-22 | 2024-04-23 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20190402 |