CN109753806A - Server protection method and device - Google Patents


Info

Publication number: CN109753806A
Application number: CN201811640471.3A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN109753806B (en)
Inventor: 陈俊儒
Current assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd

Events: application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd and Beijing Qianxin Technology Co Ltd; publication of CN109753806A; application granted; publication of CN109753806B; legal status active.


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security


Abstract

The invention discloses a server protection method and device, relating to the field of security technology. Its main purpose is to perform safety detection on the behavior of newly adding a server listening port, and to prevent a hacker from exploiting a vulnerability to add a server listening port in order to persistently control the host server, thereby improving the security of the server. The method includes: obtaining information on the newly-added behavior of a server listening port in a host server of a server cluster; detecting whether the newly-added behavior information meets a preset newly-added condition; if it does, determining that the newly-added behavior is a safe behavior and allowing it (clearance processing); if it does not, determining that the newly-added behavior is a dangerous behavior and blocking it (prevention processing). The invention is suitable for the protection of servers.

Description

Server protection method and device
Technical field
The present invention relates to the field of security technology, and more particularly to a server protection method and device.
Background technique
With the rapid development of internet technology, service providers usually develop their service items on large-scale server clusters in order to meet users' diverse business demands. To ensure that a service item runs normally and stably, each server port in the server cluster usually needs to be monitored.
Currently, the listening state of any server port in a server cluster may generally be set at will. In practice, however, a hacker will typically exploit this vulnerability (that the listening state of any server port may be set) to add a new server listening port so as to persistently control the host server, attacking a host server that has been running a particular service stably over a long period, with the result that the security of each server in the cluster is low. A new server protection method has therefore become an urgent technical problem to be solved in the field of server clusters.
Summary of the invention
In view of this, the present invention provides a server protection method and device, the main purpose of which is to perform safety detection on the behavior of newly adding a server listening port and to prevent a hacker from exploiting a vulnerability to add a server listening port in order to persistently control the host server, thereby improving the security of the server.
According to a first aspect of the present invention, a server protection method is provided, comprising:
Obtaining information on the newly-added behavior of a server listening port in a host server of a server cluster;
Detecting whether the newly-added behavior information meets a preset newly-added condition;
If it does, determining that the newly-added behavior is a safe behavior and allowing it;
If it does not, determining that the newly-added behavior is a dangerous behavior and blocking it.
According to a second aspect of the present invention, a server protection device is provided, comprising:
An acquiring unit, for obtaining information on the newly-added behavior of a server listening port in a host server of a server cluster;
A detection unit, for detecting whether the newly-added behavior information meets a preset newly-added condition;
A processing unit, for determining that the newly-added behavior is a safe behavior and allowing it if the detection unit detects that the newly-added behavior information meets the preset newly-added condition;
The processing unit being further used for determining that the newly-added behavior is a dangerous behavior and blocking it if the detection unit detects that the newly-added behavior information does not meet the preset newly-added condition.
According to a third aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored; when executed by a processor, the program performs the following steps:
Obtaining information on the newly-added behavior of a server listening port in a host server of a server cluster;
Detecting whether the newly-added behavior information meets a preset newly-added condition;
If it does, determining that the newly-added behavior is a safe behavior and allowing it;
If it does not, determining that the newly-added behavior is a dangerous behavior and blocking it.
According to a fourth aspect of the present invention, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when executing the program, the processor performs the following steps:
Obtaining information on the newly-added behavior of a server listening port in a host server of a server cluster;
Detecting whether the newly-added behavior information meets a preset newly-added condition;
If it does, determining that the newly-added behavior is a safe behavior and allowing it;
If it does not, determining that the newly-added behavior is a dangerous behavior and blocking it.
The present invention provides a server protection method and device. Compared with the current situation in which the listening state of any server port may be set, the present invention can obtain information on the newly-added behavior of a server listening port in a host server of a server cluster and detect whether that information meets a preset newly-added condition; if it does, the newly-added behavior is determined to be a safe behavior and allowed; if it does not, the newly-added behavior is determined to be a dangerous behavior and blocked. Safety detection of the newly-added behavior of server listening ports is thereby achieved, a hacker can be prevented from exploiting a vulnerability to add a server listening port in order to persistently control the host server, and the security of the server can be improved.
The above is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer, specific embodiments of the present invention are set out below.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a kind of flow diagram of server protection method provided in an embodiment of the present invention;
Fig. 2 shows the flow diagrams of another server protection method provided in an embodiment of the present invention;
Fig. 3 shows a kind of structural schematic diagram of server protection device provided in an embodiment of the present invention;
Fig. 4 shows the structural schematic diagram of another server protection device provided in an embodiment of the present invention;
Fig. 5 shows a kind of entity structure schematic diagram of computer equipment provided in an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention is understood more thoroughly and so that the scope of the present disclosure is fully conveyed to those skilled in the art.
As stated in the background art, the listening state of any server port in a server cluster may currently be set at will. In practice, however, a hacker will typically exploit this vulnerability (that the listening state of any server port may be set) to add a new server listening port so as to persistently control the host server, attacking a host server that has been running a particular service stably over a long period, with the result that the security of each server in the cluster is low.
In order to solve the above technical problem, the embodiment of the present invention provides a server protection method, as shown in Fig. 1, the method including:
101. Obtain information on the newly-added behavior of a server listening port in a host server of a server cluster.
The newly-added behavior information may be the memory call sequence corresponding to the newly-added behavior. The memory call sequence may be the sequence of system function interfaces called when the server executes the newly-added behavior, and belongs to dynamic memory data. The memory call sequence corresponding to the same newly-added behavior differs in different scenarios. In the embodiment of the present invention, a preset capture module may be injected into each server process of the server cluster by process injection technology; the system call of the newly-added behavior is then hooked by hooking technology; finally, backtrace technology is used to trace back the system call and obtain the memory call sequence corresponding to the newly-added behavior. In addition, the newly-added behavior information may also be the port information of the newly-added server listening port, which may be the port number of that port.
102. Detect whether the newly-added behavior information meets the preset newly-added condition. If it does, execute step 103; if it does not, execute step 104.
The preset newly-added condition may be the call rule corresponding to an active newly-added behavior of a server listening port. An active newly-added behavior may be a behavior performed through the keyboard or mouse of a terminal device, that is, the behavior of operations staff actively adding a server listening port on the host server; in contrast to an active newly-added behavior, a passive newly-added behavior is the behavior of adding a server listening port through a program or function. When designing a server cluster, developers usually allow operations staff to actively add a server port that needs to be monitored; when operations staff legitimately add such a port, they usually click it with the keyboard or mouse, and the active newly-added behavior performs system memory calls according to the call rule configured inside the host server. A hacker exploiting a vulnerability, by contrast, usually adds the server listening port through a program or function, i.e. a passive newly-added behavior; that behavior performs system memory calls in the manner or call rule set by the developer of the virus or malicious application, which does not conform to the system memory calling method or call rule configured inside the host server. Therefore, the embodiment of the present invention may perform safety detection on the newly-added behavior by detecting whether the call rule corresponding to the memory call sequence of the newly-added behavior meets the preset call rule, i.e. by detecting whether the newly-added behavior is an active newly-added behavior. If the call rule corresponding to the memory call sequence of the newly-added behavior meets the preset call rule, the newly-added behavior is determined to be an active newly-added behavior and hence a safe behavior. If it does not meet the preset call rule, the newly-added behavior is determined to be a passive newly-added behavior and hence a dangerous behavior.
Furthermore, since the host server runs a particular service stably over a long period, its port state tends to be stable and listening ports are rarely added. To prevent a hacker from exploiting a vulnerability, the host server may be forbidden from adding server listening ports once the server has been deployed. Therefore, the preset newly-added condition may also be that the newly-added server listening port is an opened server listening port: even if a server listening port is added, it should be one of the opened server listening ports, which may be collected during server deployment.
103. Determine that the newly-added behavior is a safe behavior and allow it.
104. Determine that the newly-added behavior is a dangerous behavior and block it.
In the embodiment of the present invention, in order to confirm the accuracy of the detection of the newly-added behavior, when the newly-added behavior is determined to be a dangerous behavior the detection result may also be uploaded to a cloud control center for further judgement or handling by operations staff.
The server protection method provided in the embodiment of the present invention, compared with the current situation in which the listening state of any server port may be set, can obtain information on the newly-added behavior of a server listening port in a host server of a server cluster and detect whether that information meets a preset newly-added condition; if it does, the newly-added behavior is determined to be a safe behavior and allowed; if it does not, the newly-added behavior is determined to be a dangerous behavior and blocked. Safety detection of the newly-added behavior of server listening ports is thereby achieved, a hacker can be prevented from exploiting a vulnerability to add a server listening port in order to persistently control the host server, and the security of the server can be improved.
Furthermore, in order to better illustrate the above server protection process, and as a refinement and extension of the above embodiment, the embodiment of the present invention provides another server protection method, as shown in Fig. 2, but not limited thereto, as follows:
201. Obtain information on the newly-added behavior of a server listening port in a host server of a server cluster.
The newly-added behavior information may be the memory call sequence corresponding to the newly-added behavior, or the port information of the newly-added server listening port.
In the embodiment of the present invention, when the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, the memory call sequence is captured, and step 201 may specifically include: injecting a preset capture module into each server process of the server cluster to monitor the newly-added behavior; hooking the functions of the application layer of the host server's system with a preset hook function so as to intercept the system call corresponding to the newly-added behavior; and using a preset stack-information backtrace function to trace back the stack information of the system call to obtain the memory call sequence corresponding to the newly-added behavior.
The preset capture module may be configured by technical staff according to process injection technology, the preset hook function may be written by technical staff according to hooking technology, and the preset stack-information backtrace function may be written by technical staff according to backtrace technology. Different capture modules may be configured for different process behaviors; a capture module may be a corresponding function dynamic link library, and different preset hook functions and preset stack-information backtrace functions may be written. For example, for the process behavior of opening a file, the preset hook function may be a hookNtAddPort function, and the preset stack-information backtrace function may be the RtlCaptureStackBackTrace function.
202a. When the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, detect whether the call rule corresponding to the memory call sequence meets the preset call rule. If so, execute step 203; if not, execute step 204.
The preset call rule may be the call rule of an active newly-added behavior of a server port. When an active newly-added behavior of a server listening port exists on the host server, i.e. when a server port is added by mouse or keyboard, the active newly-added behavior calls certain system functions or a corresponding interface sequence. Therefore, the call rule of the active newly-added behavior may be that a particular system function exists in the memory call sequence. The particular system function may be a system function or corresponding interface sequence called by the active newly-added behavior, specifically a message-dispatch-related system function or another related system function called by the active newly-added behavior. The message-dispatch-related system functions may include the GetMessage function, the TranslateMessage function, the DispatchMessage function, and so on. The other related system functions called by the active newly-added behavior may include: the SHELL32!CDefFolderMenu::InvokeCommand function, the interface-related functions of IFileOpenDialog, the interface-related functions of IFileSaveDialog, the interface-related functions of DragQueryFile, and so on.
In a specific application scenario, the step of detecting whether the call rule corresponding to the memory call sequence meets the preset call rule specifically includes: detecting whether a particular system function exists in the memory call sequence; if it exists, determining that the call rule corresponding to the memory call sequence meets the preset call rule; if it does not exist, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule.
In the embodiment of the present invention, in order to improve the accuracy of recognizing the newly-added behavior, the preset call rule may specifically be that a particular system function exists in the memory call sequence and that the call order of the particular system functions in the memory call sequence meets a preset call order. After detecting that a particular system function exists in the memory call sequence, it may further be detected whether the call order of the particular system functions in the memory call sequence meets the preset call order; if it does not, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule; if it does, the call rule is determined to meet the preset call rule. For example, the call order of the particular system functions called by an active newly-added behavior of a server listening port is: GetMessage function, TranslateMessage function, DispatchMessage function. If detection finds that the call order of the particular system functions in the memory call sequence corresponding to the newly-added behavior of the server listening port matches the above preset call order, the newly-added behavior is determined to be an active newly-added behavior and hence a safe behavior. If detection finds that the call order does not match the above preset call order, the newly-added behavior is determined to be a passive newly-added behavior and hence a dangerous behavior.
Alternatively, the preset call rule may specifically be that a particular system function exists in the memory call sequence and that the stack position of the particular system function in the memory call sequence meets a preset stack position. After detecting that a particular system function exists in the memory call sequence, it may further be detected whether the position of the particular system function in the memory call sequence meets the preset position; if it does not, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule; if it does, the call rule is determined to meet the preset call rule. The preset position is the position of the particular system function in the memory call sequence corresponding to an active newly-added behavior of a server listening port. For example, the preset position is 0x10. If detection finds that the position of the GetMessage function in the memory call sequence of the newly-added behavior is 0x08, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule, and the newly-added behavior of the server listening port is determined not to be an active newly-added behavior but a passive newly-added behavior by a hacker exploiting a vulnerability.
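The three layered checks of step 202a (presence of a particular system function, the preset call order GetMessage, TranslateMessage, DispatchMessage, and the preset stack position 0x10), written out as an added Python example that is not code from the patent or its assignees. The stack frames are constructed to stand in for what the hook-and-backtrace capture of step 201 would return; the frame positions, the filler frame names and every function or rule name other than the page's own are assumptions.

```python
"""Preset call-rule checks over a captured memory call sequence (step 202a).

Added example, not code from the patent. The frames below are constructed to
stand in for what a hooked system call plus a stack backtrace would return;
the particular system function names are the ones the patent lists, while the
frame positions, filler frame names and the helper names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Sequence

# Particular system functions the patent associates with an active
# (keyboard/mouse driven) addition of a listening port.
MESSAGE_DISPATCH_FUNCS = ("GetMessage", "TranslateMessage", "DispatchMessage")
OTHER_ACTIVE_FUNCS = (
    "SHELL32!CDefFolderMenu::InvokeCommand",
    "IFileOpenDialog",
    "IFileSaveDialog",
    "DragQueryFile",
)
PARTICULAR_FUNCS = frozenset(MESSAGE_DISPATCH_FUNCS + OTHER_ACTIVE_FUNCS)

PRESET_CALL_ORDER = MESSAGE_DISPATCH_FUNCS  # the page's example order
PRESET_POSITION = 0x10                      # the page's example position of GetMessage


@dataclass(frozen=True)
class Frame:
    position: int   # stack position as reported by the backtrace (assumed layout)
    function: str   # symbolised function name


def particular_functions(seq: Sequence[Frame]) -> List[str]:
    """Particular system functions present in the sequence, in captured order."""
    return [f.function for f in seq if f.function in PARTICULAR_FUNCS]


def has_particular_function(seq: Sequence[Frame]) -> bool:
    """Check 1 (page): at least one particular system function is present."""
    return bool(particular_functions(seq))


def order_matches(seq: Sequence[Frame], preset_order=PRESET_CALL_ORDER) -> bool:
    """Check 2 (page): the preset functions appear in the preset order.
    Other frames may sit between them; a missing or re-ordered one fails."""
    seen = tuple(name for name in particular_functions(seq) if name in preset_order)
    return seen == tuple(preset_order)


def position_matches(seq: Sequence[Frame], function="GetMessage",
                     preset_position=PRESET_POSITION) -> bool:
    """Check 3 (page): the particular function sits at the preset stack position."""
    return any(f.function == function and f.position == preset_position for f in seq)


def meets_preset_call_rule(seq, check_order=True, check_position=False) -> bool:
    """Layer the checks as the page does: presence first, then the optional
    order and position refinements."""
    if not has_particular_function(seq):
        return False
    if check_order and not order_matches(seq):
        return False
    if check_position and not position_matches(seq):
        return False
    return True


def classify(seq, **opts) -> str:
    """'safe' (active add, step 203) or 'dangerous' (passive add, step 204)."""
    return "safe" if meets_preset_call_rule(seq, **opts) else "dangerous"


# Constructed sample sequences (innermost frame first). Filler names are made up.
ACTIVE_SEQUENCE = [
    Frame(0x00, "hooked_system_call"),
    Frame(0x04, "app!AddListeningPort"),
    Frame(0x08, "app!OnMenuCommand"),
    Frame(0x0C, "app!WndProc"),
    Frame(0x10, "GetMessage"),
    Frame(0x14, "TranslateMessage"),
    Frame(0x18, "DispatchMessage"),
    Frame(0x1C, "app!WinMain"),
]
# No interactive frames at all: a program or function added the port.
PASSIVE_SEQUENCE = [
    Frame(0x00, "hooked_system_call"),
    Frame(0x04, "unknown!start_listener"),
    Frame(0x08, "unknown!entry"),
]
# The page's own counter-example: GetMessage present, but at 0x08 rather than 0x10.
MISPLACED_SEQUENCE = [
    Frame(0x00, "hooked_system_call"),
    Frame(0x04, "unknown!entry"),
    Frame(0x08, "GetMessage"),
    Frame(0x0C, "TranslateMessage"),
    Frame(0x10, "DispatchMessage"),
]

if __name__ == "__main__":
    for name, seq in (("active", ACTIVE_SEQUENCE), ("passive", PASSIVE_SEQUENCE),
                      ("misplaced", MISPLACED_SEQUENCE)):
        print(name, classify(seq), classify(seq, check_position=True))
```

The presence check alone accepts any sequence that merely contains one of the listed names, which is why the page layers the order and position refinements on top of it: `MISPLACED_SEQUENCE` passes presence and order but, with `check_position=True`, the page's 0x08 example is classified as dangerous rather than safe.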
202b, in parallel with step 202a. When the newly-added behavior information is the port information of the newly-added server listening port, detect whether the port information matches port information in a preset listening-port whitelist. If it matches, execute step 203; if it does not match, execute step 204.
The preset listening-port whitelist stores the opened server listening ports in the server cluster and their corresponding port information. The port information may be a port number, for example the port number 8080 of an opened server listening port. Specifically, if the port information of the newly-added server listening port matches port information in the preset listening-port whitelist, the newly-added server listening port is an opened server listening port that the host server is allowed to add, and the newly-added behavior is therefore determined to be a safe behavior. If the port information of the newly-added server listening port does not match any port information in the preset listening-port whitelist, the newly-added server listening port is not an opened server listening port and not one that the host server is allowed to add, and the newly-added behavior is therefore determined to be a dangerous behavior.
The embodiment of the present invention also supports the function of setting the preset listening-port whitelist; the method further includes: during deployment of the servers in the server cluster, collecting the opened server ports and their corresponding port information; and constructing the preset listening-port whitelist according to the opened server listening ports and their corresponding port information.
Furthermore, in order to guarantee the integrity of the preset listening-port whitelist and improve the security of the server, the method further includes: sending the preset listening-port whitelist to a cloud control center for revision; and obtaining the revised listening-port whitelist from the cloud control center. Thus, when a server listening port is added, the newly-added server listening port may be matched against the revised listening-port whitelist.
203. Determine that the newly-added behavior information meets the preset newly-added condition, determine that the newly-added behavior is a safe behavior, and allow it.
It should be noted that after the newly-added behavior is allowed, a newly-added server listening port may exist on the host server. In order to better perform subsequent safety detection and protection of server ports, the preset listening-port whitelist may be updated with the newly-added server listening port. Specifically, if the newly-added server listening port is not present in the preset listening-port whitelist, it may be added to the preset listening-port whitelist.
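The whitelist lifecycle of steps 202b and 203 (collect the opened ports at deployment, revise via the cloud control center, match a newly-added port, extend the list after clearance), as an added Python example that is not the patent's code. The deployment snapshot text is constructed to resemble a socket-table listing; its column layout, the parser, the contents of the revision and the class and function names are assumptions. Port 8080 is the page's own example of an opened listening port.

```python
"""Preset listening-port whitelist (steps 202b and 203).

Added example, not code from the patent. The snapshot below is constructed
to look like a socket-table listing; its layout, the parser, the revision
contents and all names here are assumptions. 8080 is the page's example port.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

# Constructed deployment-time snapshot: protocol, local address, state.
DEPLOYMENT_SNAPSHOT = """\
tcp   0.0.0.0:8080     LISTEN
tcp   0.0.0.0:443      LISTEN
tcp   127.0.0.1:6379   LISTEN
tcp   10.0.0.5:52110   ESTABLISHED
udp   0.0.0.0:123      UNCONN
"""

PortKey = Tuple[str, int]  # (protocol, port number)


@dataclass
class PortEntry:
    proto: str
    port: int
    address: str


@dataclass
class ListeningPortWhitelist:
    entries: Dict[PortKey, PortEntry] = field(default_factory=dict)

    @classmethod
    def from_deployment_snapshot(cls, text: str) -> "ListeningPortWhitelist":
        """Collect the opened listening ports while the server is deployed
        (the page builds the whitelist from ports collected at deployment)."""
        wl = cls()
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 3:
                continue
            proto, local, state = parts
            # Only sockets that are actually listening count as "opened" ports;
            # an established connection's ephemeral port must not be whitelisted.
            listening = (proto == "tcp" and state == "LISTEN") or \
                        (proto == "udp" and state == "UNCONN")
            if not listening:
                continue
            address, _, port = local.rpartition(":")  # also handles [v6]:port
            wl.entries[(proto, int(port))] = PortEntry(proto, int(port), address)
        return wl

    def matches(self, proto: str, port: int) -> bool:
        """Step 202b: does the new port's information match the whitelist?"""
        return (proto, port) in self.entries

    def apply_revision(self, add: Iterable[PortEntry] = (),
                       remove: Iterable[PortKey] = ()) -> None:
        """Apply a revision returned by the cloud control center (the page sends
        the whitelist there for revision and fetches the revised list)."""
        for key in remove:
            self.entries.pop(key, None)
        for entry in add:
            self.entries[(entry.proto, entry.port)] = entry

    def on_clearance(self, proto: str, port: int, address: str) -> bool:
        """Step 203: after a newly added port is allowed, add it to the whitelist
        if it is absent. Returns True when the whitelist grew."""
        key = (proto, port)
        if key in self.entries:
            return False
        self.entries[key] = PortEntry(proto, port, address)
        return True


def check_new_listening_port(wl: ListeningPortWhitelist, proto: str, port: int) -> str:
    """Decision of step 202b leading to step 203 ('safe') or 204 ('dangerous')."""
    return "safe" if wl.matches(proto, port) else "dangerous"


if __name__ == "__main__":
    wl = ListeningPortWhitelist.from_deployment_snapshot(DEPLOYMENT_SNAPSHOT)
    print(sorted(wl.entries))
    print(check_new_listening_port(wl, "tcp", 8080), check_new_listening_port(wl, "tcp", 4444))
```

Because step 203 extends the whitelist with every cleared port, a port that was cleared by mistake stays allowed on later checks; the revision round trip through the cloud control center is the point at which such an entry gets removed, which is why `apply_revision` supports removal as well as addition.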
204. Determine that the newly-added behavior information does not meet the preset newly-added condition, determine that the newly-added behavior is a dangerous behavior, and block it.
The other server protection method provided in the embodiment of the present invention, compared with the current situation in which the listening state of any server port may be set, can obtain information on the newly-added behavior of a server listening port in a host server of a server cluster and detect whether that information meets a preset newly-added condition; if it does, the newly-added behavior is determined to be a safe behavior and allowed; if it does not, the newly-added behavior is determined to be a dangerous behavior and blocked. Safety detection of the newly-added behavior of server listening ports is thereby achieved, a hacker can be prevented from exploiting a vulnerability to add a server listening port in order to persistently control the host server, and the security of the server can be improved.
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present invention provides a server protection device. As shown in Fig. 3, the device includes an acquiring unit 31, a detection unit 32 and a processing unit 33.
The acquiring unit 31 is used to obtain the newly-added behavior information of the server listening ports in the host servers of the server cluster. It is the functional module of the device that obtains this information.
The detection unit 32 is used to detect whether the newly-added behavior information meets the preset newly-added condition. It is the main functional module of the device that performs this detection.
The processing unit 33 is used, when the detection unit 32 detects that the newly-added behavior information meets the preset newly-added condition, to determine that the newly-added behavior is a safe behavior and to allow it. It is the main functional module of the device that, in that case, determines the behavior to be safe and allows it.
The processing unit 33 is also used, when the detection unit 32 detects that the newly-added behavior information does not meet the preset newly-added condition, to determine that the newly-added behavior is a dangerous behavior and to block it. It is the main functional module of the device that, in that case, determines the behavior to be dangerous and blocks it.
In a specific application scenario, the detection unit 32 may include a first detection module 321 and a first determining module 322, as shown in Fig. 4.
The first detection module 321 is used, when the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, to detect whether the call rule corresponding to the memory call sequence meets the preset call rule.
The first determining module 322 is used, when the first detection module 321 detects that the call rule corresponding to the memory call sequence meets the preset call rule, to determine that the newly-added behavior information meets the preset newly-added condition.
The first determining module 322 is also used, when the first detection module 321 detects that the call rule corresponding to the memory call sequence does not meet the preset call rule, to determine that the newly-added behavior information does not meet the preset newly-added condition.
It should be noted that, to determine whether the call rule corresponding to the memory call sequence meets the preset call rule, the first detection module 321 may include a detection sub-module and a determining sub-module.
The detection sub-module is used to detect whether a specific system function is present in the memory call sequence.
The determining sub-module is used, when the detection sub-module detects that a specific system function is present in the memory call sequence, to determine that the call rule corresponding to the memory call sequence meets the preset call rule.
The determining sub-module is also used, when the detection sub-module detects that no specific system function is present in the memory call sequence, to determine that the call rule corresponding to the memory call sequence does not meet the preset call rule.
Further, to improve the accuracy of recognizing the newly-added behavior, the detection sub-module may also be used to detect whether the call order of the specific system functions in the memory call sequence meets the preset call order.
The determining sub-module is also used, when the detection sub-module detects that the call order of the specific system functions in the memory call sequence does not meet the preset call order, to determine that the call rule corresponding to the memory call sequence does not meet the preset call rule.
The determining sub-module is specifically also used, when the detection sub-module detects that the call order of the specific system functions in the memory call sequence meets the preset call order, to determine that the call rule corresponding to the memory call sequence meets the preset call rule.
The detection sub-module may also be used to detect whether the position of the specific system function in the memory call sequence meets the preset position.
The determining sub-module is also used, when the detection sub-module detects that the position of the specific system function in the memory call sequence does not meet the preset position, to determine that the call rule corresponding to the memory call sequence does not meet the preset call rule. The preset position can be set according to actual conditions; for example, the preset position may be 0x08 or 0x10.
The determining sub-module is specifically also used, when the detection sub-module detects that the position of the specific system function in the memory call sequence meets the preset position, to determine that the call rule corresponding to the memory call sequence meets the preset call rule.
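As an added example (not code from the patent or from its assignees), the following Python models the three checks the detection and determining sub-modules apply to a memory call sequence obtained by backtracking from the hooked listen call: presence of a specific system function, its call order against the preset order, and its position against the preset positions 0x08 or 0x10. The frame offsets, function names and sample backtraces are constructed for illustration.

```python
"""Call-rule check on the memory call sequence recorded when the hooked listen()
was intercepted.  Added example with constructed frames; not code from the patent."""
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    """One frame of the backtraced memory call sequence, innermost frame first."""
    position: int    # offset of the frame in the recorded sequence; hooked frame is 0x00
    function: str    # resolved symbol, or a placeholder for an unresolvable return address


@dataclass(frozen=True)
class CallRule:
    """Preset call rule (constructed values)."""
    specific_functions: Tuple[str, ...]   # specific system functions that must be present
    preset_order: Tuple[str, ...]         # preset call order, outermost caller first
    sentinel: str                         # function whose position is checked
    preset_positions: Tuple[int, ...]     # preset positions allowed for the sentinel


def specific_functions_present(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Detection sub-module, check 1: are the specific system functions in the sequence?"""
    names = {f.function for f in seq}
    return all(name in names for name in rule.specific_functions)


def call_order_matches(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Check 2: do the rule's functions appear in the preset call order?
    The backtrace lists the innermost frame first, so reverse it to get call order;
    frames the rule does not mention are ignored."""
    observed = [f.function for f in reversed(seq) if f.function in rule.preset_order]
    return tuple(observed) == rule.preset_order


def sentinel_position_matches(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Check 3: does the sentinel sit at one of the preset positions (e.g. 0x08 or 0x10)?"""
    positions = [f.position for f in seq if f.function == rule.sentinel]
    return bool(positions) and all(p in rule.preset_positions for p in positions)


def call_rule_met(seq: Sequence[Frame], rule: CallRule) -> Tuple[bool, str]:
    """Determining sub-module: the rule is met only if all three checks pass."""
    if not specific_functions_present(seq, rule):
        return False, "specific system function absent"
    if not call_order_matches(seq, rule):
        return False, "call order differs from preset order"
    if not sentinel_position_matches(seq, rule):
        return False, "specific system function at unexpected position"
    return True, "call rule met"


def handle_new_listen(seq: Sequence[Frame], rule: CallRule) -> str:
    """Processing unit: allow when the call rule is met, block otherwise."""
    met, _ = call_rule_met(seq, rule)
    return "allow" if met else "block"


# Constructed rule: a legitimate listen() is reached through the server's own
# start-up path, with net_server_start one or two frames above the hook.
RULE = CallRule(
    specific_functions=("net_server_start",),
    preset_order=("main", "app_init", "net_server_start", "listen"),
    sentinel="net_server_start",
    preset_positions=(0x08, 0x10),
)

# Constructed backtraces (innermost frame first), 8-byte frame slots.
LEGIT_STARTUP = [Frame(0x00, "listen"), Frame(0x08, "net_server_start"),
                 Frame(0x10, "app_init"), Frame(0x18, "main")]
LEGIT_WRAPPED = [Frame(0x00, "listen"), Frame(0x08, "listen_retry"),
                 Frame(0x10, "net_server_start"), Frame(0x18, "app_init"),
                 Frame(0x20, "main")]
UNEXPECTED_CALLER = [Frame(0x00, "listen"), Frame(0x08, "?? 0x7f3a1c00"),
                     Frame(0x10, "handle_request"), Frame(0x18, "worker_thread")]
ORDER_SWAPPED = [Frame(0x00, "listen"), Frame(0x08, "app_init"),
                 Frame(0x10, "net_server_start"), Frame(0x18, "main")]
LATE_SENTINEL = [Frame(0x00, "listen"), Frame(0x08, "handle_request"),
                 Frame(0x10, "worker_thread"), Frame(0x18, "net_server_start"),
                 Frame(0x20, "app_init"), Frame(0x28, "main")]

if __name__ == "__main__":
    for name, seq in [("LEGIT_STARTUP", LEGIT_STARTUP), ("LEGIT_WRAPPED", LEGIT_WRAPPED),
                      ("UNEXPECTED_CALLER", UNEXPECTED_CALLER),
                      ("ORDER_SWAPPED", ORDER_SWAPPED), ("LATE_SENTINEL", LATE_SENTINEL)]:
        print(f"{name:18} {handle_new_listen(seq, RULE):5} ({call_rule_met(seq, RULE)[1]})")
```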
In this embodiment of the present invention, the acquiring unit 31 includes a monitoring module 311, a hooking module 312 and a backtracking module 313.
The monitoring module 311 is used to inject a preset capture module into each server process of the server cluster and to monitor the newly-added behavior.
The hooking module 312 is used to hook the functions of the system application layer of the host server with a preset hooking function, so as to intercept the system call corresponding to the newly-added behavior.
The backtracking module 313 is used to backtrack the stack information of the intercepted system call with a preset stack-information backtracking function, so as to obtain the memory call sequence corresponding to the newly-added behavior.
In a specific application scenario, the detection unit 32 may include a second detection module 323 and a second determining module 324.
The second detection module 323 is used, when the newly-added behavior information is the port information of a newly-added server listening port, to detect whether that port information matches the port information in the preset listening-port whitelist. The preset listening-port whitelist stores the server listening ports opened in the server cluster together with their corresponding port information.
The second determining module 324 is used, when the second detection module 323 detects that the port information matches the port information in the preset listening-port whitelist, to determine that the newly-added behavior information meets the preset newly-added condition.
The second determining module 324 is also used, when the second detection module 323 detects that the port information does not match the port information in the preset listening-port whitelist, to determine that the newly-added behavior information does not meet the preset newly-added condition.
In addition, to obtain the preset listening-port whitelist, the device further includes a collector unit 34 and a construction unit 35.
The collector unit 34 is used to collect the opened server ports and their corresponding port information while the servers in the server cluster are being deployed.
The construction unit 35 is used to construct the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
Further, to ensure the completeness of the preset listening-port whitelist and improve the security of the servers, the device may also include an amending unit 36.
The amending unit 36 is used to send the preset listening-port whitelist to the cloud control centre for revision.
The acquiring unit 31 is also used to obtain the listening-port whitelist as revised by the cloud control centre.
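As an added example (not code from the patent), the following Python walks the whitelist lifecycle described for the collector, construction and amending units and the second detection module: collecting open ports during deployment, applying a revision from the cloud control centre, matching the port information of a newly-added listening port, and adding a port to the whitelist after its behavior has been allowed, as the description of the allowing step above notes. The port data, process names and the revision format are constructed.

```python
"""Listening-port whitelist: built at deployment, revised by the cloud control
centre, then consulted for each newly added listening port.  Added example with
constructed data; not code from the patent."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class PortInfo:
    """Port information recorded for one listening socket."""
    proto: str      # "tcp" or "udp"
    port: int
    process: str    # process that owns the listening socket


class ListeningPortWhitelist:
    """Maps (proto, port) to the process expected to listen on it."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], str] = {}

    @classmethod
    def from_deployment(cls, open_ports: Iterable[PortInfo]) -> "ListeningPortWhitelist":
        """Collector and construction units: snapshot the ports open during deployment."""
        wl = cls()
        for p in open_ports:
            wl._entries[(p.proto, p.port)] = p.process
        return wl

    def apply_cloud_revision(self, revision: dict) -> None:
        """Amending unit: apply the revision returned by the cloud control centre.
        Constructed format: {"remove": [[proto, port], ...],
                             "add": [[proto, port, process], ...]}"""
        for proto, port in revision.get("remove", []):
            self._entries.pop((proto, port), None)
        for proto, port, process in revision.get("add", []):
            self._entries[(proto, port)] = process

    def matches(self, p: PortInfo) -> bool:
        """Second detection module: the port must be listed AND owned by the listed process."""
        return self._entries.get((p.proto, p.port)) == p.process

    def add(self, p: PortInfo) -> bool:
        """Record a port whose newly added behavior was allowed; False if already listed."""
        key = (p.proto, p.port)
        if key in self._entries:
            return False
        self._entries[key] = p.process
        return True

    def __contains__(self, key: Tuple[str, int]) -> bool:
        return key in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def judge_new_listen(wl: ListeningPortWhitelist, p: PortInfo) -> str:
    """Processing unit, whitelist path: allow on match, block otherwise."""
    return "allow" if wl.matches(p) else "block"


# Constructed deployment snapshot: a debug agent was left listening during the
# rollout, and the application server had not yet started when it was taken.
DEPLOYMENT_PORTS = [
    PortInfo("tcp", 22, "sshd"),
    PortInfo("tcp", 80, "nginx"),
    PortInfo("tcp", 443, "nginx"),
    PortInfo("tcp", 5005, "debug_agent"),
]

# Constructed revision from the cloud control centre.
CLOUD_REVISION = {
    "remove": [["tcp", 5005]],
    "add": [["tcp", 8080, "app_server"]],
}


def build_whitelist() -> ListeningPortWhitelist:
    """Collect at deployment, then apply the cloud revision."""
    wl = ListeningPortWhitelist.from_deployment(DEPLOYMENT_PORTS)
    wl.apply_cloud_revision(CLOUD_REVISION)
    return wl


if __name__ == "__main__":
    wl = build_whitelist()
    for p in (PortInfo("tcp", 443, "nginx"),
              PortInfo("tcp", 443, "unknown_bin"),   # known port, unexpected owner
              PortInfo("tcp", 5005, "debug_agent"),  # removed by the cloud revision
              PortInfo("tcp", 4444, "nginx")):       # never whitelisted
        print(p, "->", judge_new_listen(wl, p))
```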
It should be noted that for further descriptions of the functional modules of the server protection device provided by this embodiment of the present invention, reference may be made to the corresponding description of the method shown in Fig. 1; they are not repeated here.
Based on the method shown in Fig. 1, an embodiment of the present invention correspondingly also provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the program performs the following steps: obtaining the newly-added behavior information of the server listening ports in the host servers of a server cluster; detecting whether the newly-added behavior information meets the preset newly-added condition; if it does, determining that the newly-added behavior is a safe behavior and allowing it; if it does not, determining that the newly-added behavior is a dangerous behavior and blocking it.
Based on the method shown in Fig. 1 and the server protection device shown in Fig. 3, an embodiment of the present invention also provides a computer device, whose physical structure is shown in Fig. 5. The device includes a processor 41, a memory 42, and a computer program stored in the memory 42 and runnable on the processor, the memory 42 and the processor 41 being arranged on a bus 43. When the processor 41 executes the program, the following steps are performed: obtaining the newly-added behavior information of the server listening ports in the host servers of a server cluster; detecting whether the newly-added behavior information meets the preset newly-added condition; if it does, determining that the newly-added behavior is a safe behavior and allowing it; if it does not, determining that the newly-added behavior is a dangerous behavior and blocking it. The device further includes the bus 43, configured to couple the processor 41 and the memory 42.
According to the technical solution of the present invention, the newly-added behavior information of the server listening ports in the host servers of a server cluster can be obtained, and it can be detected whether that information meets the preset newly-added condition. If it does, the newly-added behavior is determined to be a safe behavior and is allowed; if it does not, the newly-added behavior is determined to be a dangerous behavior and is blocked. Newly-added listening-port behavior is thus subjected to security detection, an attacker is prevented from exploiting a vulnerability to add a server listening port and so keep persistent control of the host server, and the security of the server is improved.
The embodiments of the present invention also provide the following technical solutions:
A1. A server protection method, comprising:
obtaining the newly-added behavior information of a server listening port in a host server of a server cluster;
detecting whether the newly-added behavior information meets a preset newly-added condition;
if it does, determining that the newly-added behavior is a safe behavior and allowing the newly-added behavior;
if it does not, determining that the newly-added behavior is a dangerous behavior and blocking the newly-added behavior.
A2. The method of A1, wherein the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, and detecting whether the newly-added behavior information meets the preset newly-added condition comprises:
detecting whether the call rule corresponding to the memory call sequence meets a preset call rule;
if it does, determining that the newly-added behavior information meets the preset newly-added condition;
if it does not, determining that the newly-added behavior information does not meet the preset newly-added condition.
A3. The method of A2, wherein detecting whether the call rule corresponding to the memory call sequence meets the preset call rule comprises:
detecting whether a specific system function is present in the memory call sequence;
if it is present, determining that the call rule corresponding to the memory call sequence meets the preset call rule;
if it is not present, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule.
A4. The method of A3, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further comprises:
detecting whether the call order of the specific system functions in the memory call sequence meets a preset call order;
if it does not, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule;
and determining that the call rule corresponding to the memory call sequence meets the preset call rule comprises:
if it does, determining that the call rule corresponding to the memory call sequence meets the preset call rule.
A5. The method of A3, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further comprises:
detecting whether the position of the specific system function in the memory call sequence meets a preset position;
if it does not, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule;
and determining that the call rule corresponding to the memory call sequence meets the preset call rule comprises:
if it does, determining that the call rule corresponding to the memory call sequence meets the preset call rule.
A6. The method of any one of A1 to A5, wherein obtaining the newly-added behavior information of the newly-added server listening port in the host server of the server cluster comprises:
injecting a preset capture module into each server process of the server cluster and monitoring the newly-added behavior;
hooking the functions of the system application layer of the host server with a preset hooking function, so as to intercept the system call corresponding to the newly-added behavior;
backtracking the stack information of the system call with a preset stack-information backtracking function, so as to obtain the memory call sequence corresponding to the newly-added behavior.
A7. The method of A1, wherein the newly-added behavior information is the port information of a newly-added server listening port, and detecting whether the newly-added behavior information meets the preset newly-added condition comprises:
detecting whether the port information matches the port information in a preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports opened in the server cluster and their corresponding port information;
if it matches, determining that the newly-added behavior information meets the preset newly-added condition;
if it does not match, determining that the newly-added behavior information does not meet the preset newly-added condition.
A8. The method of A7, wherein before detecting whether the port information matches the port information in the preset listening-port whitelist, the method further comprises:
collecting, while the servers in the server cluster are being deployed, the opened server ports and their corresponding port information;
constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
A9. The method of A8, wherein after constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information, the method further comprises:
sending the preset listening-port whitelist to a cloud control centre for revision;
obtaining the listening-port whitelist revised by the cloud control centre.
B10. A server protection device, comprising:
an acquiring unit, for obtaining the newly-added behavior information of a server listening port in a host server of a server cluster;
a detection unit, for detecting whether the newly-added behavior information meets a preset newly-added condition;
a processing unit, for determining, when the detection unit detects that the newly-added behavior information meets the preset newly-added condition, that the newly-added behavior is a safe behavior and allowing the newly-added behavior;
the processing unit being further for determining, when the detection unit detects that the newly-added behavior information does not meet the preset newly-added condition, that the newly-added behavior is a dangerous behavior and blocking the newly-added behavior.
B11. The device of B10, wherein the detection unit comprises:
a first detection module, for detecting, when the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, whether the call rule corresponding to the memory call sequence meets a preset call rule;
a first determining module, for determining, when the first detection module detects that the call rule corresponding to the memory call sequence meets the preset call rule, that the newly-added behavior information meets the preset newly-added condition;
the first determining module being further for determining, when the first detection module detects that the call rule corresponding to the memory call sequence does not meet the preset call rule, that the newly-added behavior information does not meet the preset newly-added condition.
B12. The device of B11, wherein the first detection module comprises:
a detection sub-module, for detecting whether a specific system function is present in the memory call sequence;
a determining sub-module, for determining, when the detection sub-module detects that a specific system function is present in the memory call sequence, that the call rule corresponding to the memory call sequence meets the preset call rule;
the determining sub-module being further for determining, when the detection sub-module detects that no specific system function is present in the memory call sequence, that the call rule corresponding to the memory call sequence does not meet the preset call rule.
B13. The device of B12, wherein:
the detection sub-module is further for detecting whether the call order of the specific system functions in the memory call sequence meets a preset call order;
the determining sub-module is further for determining, when the detection sub-module detects that the call order of the specific system functions in the memory call sequence does not meet the preset call order, that the call rule corresponding to the memory call sequence does not meet the preset call rule;
the determining sub-module is specifically further for determining, when the detection sub-module detects that the call order of the specific system functions in the memory call sequence meets the preset call order, that the call rule corresponding to the memory call sequence meets the preset call rule.
B14. The device of B12, wherein:
the detection sub-module is further for detecting whether the position of the specific system function in the memory call sequence meets a preset position;
the determining sub-module is further for determining, when the detection sub-module detects that the position of the specific system function in the memory call sequence does not meet the preset position, that the call rule corresponding to the memory call sequence does not meet the preset call rule;
the determining sub-module is specifically further for determining, when the detection sub-module detects that the position of the specific system function in the memory call sequence meets the preset position, that the call rule corresponding to the memory call sequence meets the preset call rule.
B15. The device of any one of B10 to B14, wherein the acquiring unit comprises:
a monitoring module, for injecting a preset capture module into each server process of the server cluster and monitoring the newly-added behavior;
a hooking module, for hooking the functions of the system application layer of the host server with a preset hooking function, so as to intercept the system call corresponding to the newly-added behavior;
a backtracking module, for backtracking the stack information of the system call with a preset stack-information backtracking function, so as to obtain the memory call sequence corresponding to the newly-added behavior.
B16. The device of B10, wherein the detection unit comprises:
a second detection module, for detecting, when the newly-added behavior information is the port information of a newly-added server listening port, whether the port information matches the port information in a preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports opened in the server cluster and their corresponding port information;
a second determining module, for determining, when the second detection module detects that the port information matches the port information in the preset listening-port whitelist, that the newly-added behavior information meets the preset newly-added condition;
the second determining module being further for determining, when the second detection module detects that the port information does not match the port information in the preset listening-port whitelist, that the newly-added behavior information does not meet the preset newly-added condition.
B17. The device of B16, further comprising:
a collector unit, for collecting, while the servers in the server cluster are being deployed, the opened server ports and their corresponding port information;
a construction unit, for constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
B18. The device of B16, further comprising an amending unit, wherein:
the amending unit is for sending the preset listening-port whitelist to a cloud control centre for revision;
the acquiring unit is further for obtaining the listening-port whitelist revised by the cloud control centre.
C19. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method of any one of A1 to A9.
D20. A computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method of any one of A1 to A9 when executing the computer program.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It can be understood that the related features of the above method and device may refer to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate that one embodiment is superior or inferior to another.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used together with the teachings herein. From the above description, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of specific languages is given to disclose the preferred embodiments of the present invention.
Numerous specific details are set forth in the specification provided here. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to simplify the disclosure and help understand one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not in others, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the server protection device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. A server protection method, characterized by comprising:
obtaining newly-added behavior information for a server listening port in a host server of a server cluster;
detecting whether the newly-added behavior information satisfies a preset newly-added condition;
if it does, determining that the newly-added behavior is a safe behavior and allowing the newly-added behavior to proceed;
if it does not, determining that the newly-added behavior is a dangerous behavior and blocking the newly-added behavior.
2. The method according to claim 1, wherein the newly-added behavior information is a memory call sequence corresponding to the newly-added behavior, and detecting whether the newly-added behavior information satisfies the preset newly-added condition comprises:
detecting whether the call rule corresponding to the memory call sequence satisfies a preset call rule;
if it does, determining that the newly-added behavior information satisfies the preset newly-added condition;
if it does not, determining that the newly-added behavior information does not satisfy the preset newly-added condition.
3. The method according to claim 2, wherein detecting whether the call rule corresponding to the memory call sequence satisfies the preset call rule comprises:
detecting whether a particular system function is present in the memory call sequence;
if it is present, determining that the call rule corresponding to the memory call sequence satisfies the preset call rule;
if it is absent, determining that the call rule corresponding to the memory call sequence does not satisfy the preset call rule.
4. The method according to claim 3, wherein, before determining that the call rule corresponding to the memory call sequence satisfies the preset call rule, the method further comprises:
detecting whether the call order of the particular system function in the memory call sequence satisfies a preset call order;
if it does not, determining that the call rule corresponding to the memory call sequence does not satisfy the preset call rule;
and determining that the call rule corresponding to the memory call sequence satisfies the preset call rule comprises:
if it does, determining that the call rule corresponding to the memory call sequence satisfies the preset call rule.
5. The method according to claim 3, wherein, before determining that the call rule corresponding to the memory call sequence satisfies the preset call rule, the method further comprises:
detecting whether the position of the particular system function in the memory call sequence satisfies a preset position;
if it does not, determining that the call rule corresponding to the memory call sequence does not satisfy the preset call rule;
and determining that the call rule corresponding to the memory call sequence satisfies the preset call rule comprises:
if it does, determining that the call rule corresponding to the memory call sequence satisfies the preset call rule.
6. The method according to any one of claims 1 to 5, wherein obtaining the newly-added behavior information for the server listening port in the host server of the server cluster comprises:
injecting a preset capture module into each server process of the server cluster to monitor the newly-added behavior;
hooking, with a preset hook function, a function of the system application layer of the host server, so as to intercept the system call corresponding to the newly-added behavior;
performing stack information backtracking on the system call with a preset stack-backtracking function to obtain the memory call sequence corresponding to the newly-added behavior.
7. The method according to claim 1, wherein the newly-added behavior information is port information of the newly-added server listening port, and detecting whether the newly-added behavior information satisfies the preset newly-added condition comprises:
detecting whether the port information matches port information in a preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports opened in the server cluster and their corresponding port information;
if it matches, determining that the newly-added behavior information satisfies the preset newly-added condition;
if it does not match, determining that the newly-added behavior information does not satisfy the preset newly-added condition.
8. A server protection device, characterized by comprising:
an acquiring unit, configured to obtain newly-added behavior information for a server listening port in a host server of a server cluster;
a detection unit, configured to detect whether the newly-added behavior information satisfies a preset newly-added condition;
a processing unit, configured to, if the detection unit detects that the newly-added behavior information satisfies the preset newly-added condition, determine that the newly-added behavior is a safe behavior and allow the newly-added behavior to proceed;
the processing unit being further configured to, if the detection unit detects that the newly-added behavior information does not satisfy the preset newly-added condition, determine that the newly-added behavior is a dangerous behavior and block the newly-added behavior.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
10. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 7 when executing the computer program.
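The decision logic of claims 1 to 7 above, as an added example that is not code from the patent, its assignee or any product. It models a "newly-added listening port" event carrying both the port information (claim 7) and the memory call sequence that the stack backtrace of claim 6 would return (claim 2), and applies the whitelist check, then the presence, order and position checks of claims 3 to 5. Claims 2 and 7 are alternative conditions in the patent; treating the whitelist as a first pass with the call-sequence rule as fallback is this example's own choice. All process names, ports and function names (for instance `net_start_listener`) are constructed sample values, not identifiers from the patent.

```python
# Added example: a stand-alone simulation of the decision logic in claims 1-7.
# It is not code from the patent, its assignee or any product; every process,
# port and function name below is a constructed sample value.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAFE = "safe"            # claim 1: the behaviour is allowed to proceed
DANGEROUS = "dangerous"  # claim 1: the behaviour is blocked


@dataclass(frozen=True)
class NewPortEvent:
    """A 'newly-added listening port' behaviour as a hook would report it."""
    process: str
    port: int
    # Memory call sequence from the stack backtrace (claim 6), innermost frame
    # first: index 0 is the intercepted system call itself.
    call_sequence: Tuple[str, ...]


@dataclass(frozen=True)
class PresetRules:
    """The preset conditions the claims refer to (all values constructed)."""
    port_whitelist: Dict[str, Set[int]]  # claim 7: known open ports, per process
    required_function: str               # claim 3: the particular system function
    preset_order: Tuple[str, ...]        # claim 4: expected call order, innermost first
    preset_position: int                 # claim 5: expected depth of required_function


def port_whitelisted(ev: NewPortEvent, rules: PresetRules) -> bool:
    """Claim 7: the port information matches the preset listening-port whitelist."""
    return ev.port in rules.port_whitelist.get(ev.process, set())


def order_matches(seq: Tuple[str, ...], preset_order: Tuple[str, ...]) -> bool:
    """Claim 4: the preset order must appear in seq as a subsequence
    (other frames may sit in between, but the relative order is fixed)."""
    pos = 0
    for frame in seq:
        if pos < len(preset_order) and frame == preset_order[pos]:
            pos += 1
    return pos == len(preset_order)


def call_rule_satisfied(seq: Tuple[str, ...], rules: PresetRules) -> bool:
    """Claims 3-5 combined: presence, position and order of the required function."""
    if rules.required_function not in seq:                          # claim 3
        return False
    if seq.index(rules.required_function) != rules.preset_position:  # claim 5
        return False
    return order_matches(seq, rules.preset_order)                   # claim 4


def classify(ev: NewPortEvent, rules: PresetRules) -> str:
    """Claim 1 decision: whitelist first (cheap), call-sequence rule as fallback."""
    if port_whitelisted(ev, rules) or call_rule_satisfied(ev.call_sequence, rules):
        return SAFE
    return DANGEROUS


# Constructed rule set: the cluster's known listener ports and the call path a
# legitimate listener is expected to take (hypothetical frame names).
RULES = PresetRules(
    port_whitelist={"webfront": {80, 443}},
    required_function="net_start_listener",
    preset_order=("sys_listen", "net_start_listener", "svc_main"),
    preset_position=1,
)

# Constructed events, one per branch of the claims.
EVENTS: List[NewPortEvent] = [
    # whitelisted port: safe regardless of the stack (claim 7)
    NewPortEvent("webfront", 443, ("sys_listen", "unknown_0x41", "unknown_0x42")),
    # new port, but the stack follows the preset path (claims 3-5 satisfied)
    NewPortEvent("webfront", 8443, ("sys_listen", "net_start_listener", "svc_main")),
    # required function absent (claim 3 fails)
    NewPortEvent("webfront", 5001, ("sys_listen", "unknown_0x41", "unknown_0x42")),
    # required function present but not at the preset depth (claim 5 fails)
    NewPortEvent("webfront", 5002, ("sys_listen", "unknown_0x41", "net_start_listener", "svc_main")),
    # right depth, but the expected outer frame is missing (claim 4 fails)
    NewPortEvent("webfront", 5003, ("sys_listen", "net_start_listener", "unknown_0x41")),
]


def run_demo() -> List[Tuple[int, str]]:
    """Classify every constructed event; returns (port, verdict) pairs."""
    return [(ev.port, classify(ev, RULES)) for ev in EVENTS]


if __name__ == "__main__":
    for port, verdict in run_demo():
        print(f"port {port}: {verdict}")
```

The order check is deliberately a subsequence match rather than an exact comparison, because a real backtrace contains helper frames that vary between builds; the position check is what pins the required function to the depth the rules expect. A practitioner tuning such rules would expect whitelist misses on every legitimate deployment change, which is why the call-sequence fallback matters in practice.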
CN201811640471.3A 2018-06-26 2018-12-29 Server protection method and device Active CN109753806B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810668277X 2018-06-26
CN201810668277.XA CN108846287A (en) 2018-06-26 2018-06-26 A kind of method and device of detection loophole attack

Publications (2)

Publication Number Publication Date
CN109753806A true CN109753806A (en) 2019-05-14
CN109753806B CN109753806B (en) 2024-01-19

Family

ID=64202031

Family Applications (10)

Application Number Title Priority Date Filing Date
CN201810668277.XA Pending CN108846287A (en) 2018-05-04 2018-06-26 A kind of method and device of detection loophole attack
CN201811646131.1A Active CN109766701B (en) 2018-06-26 2018-12-29 Processing method and device for abnormal process ending operation and electronic device
CN201811640526.0A Pending CN109726560A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640231.3A Active CN109871691B (en) 2018-06-26 2018-12-29 Authority-based process management method, system, device and readable storage medium
CN201811640753.3A Pending CN109829309A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640481.7A Active CN109711168B (en) 2018-06-26 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN201811645578.7A Pending CN109711172A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811640471.3A Active CN109753806B (en) 2018-06-26 2018-12-29 Server protection method and device
CN201811645681.1A Pending CN109766698A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811640643.7A Pending CN109829307A (en) 2018-06-26 2018-12-29 Process behavior recognition methods and device

Country Status (1)

Country Link
CN (10) CN108846287A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115051905A (en) * 2022-07-19 2022-09-13 广东泓胜科技股份有限公司 Port security monitoring and analyzing method, device and related equipment

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711166B (en) * 2018-12-17 2020-12-11 北京知道创宇信息技术股份有限公司 Vulnerability detection method and device
CN109800576B (en) * 2018-12-29 2021-07-23 360企业安全技术(珠海)有限公司 Monitoring method and device for unknown program exception request and electronic device
CN109558730B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Safety protection method and device for browser
CN112395585B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Database service login method, device, equipment and readable storage medium
CN112398789A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Remote login control method, device, system, storage medium and electronic device
CN112398784B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Method and device for defending vulnerability attack, storage medium and computer equipment
CN112395604B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 System monitoring login protection method, client, server and storage medium
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN112398787B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 Mailbox login verification method and device, computer equipment and storage medium
CN110610086B (en) * 2019-08-30 2021-06-18 北京卓识网安技术股份有限公司 Illegal code identification method, system, device and storage medium
CN113632432B (en) * 2019-09-12 2023-09-19 奇安信安全技术(珠海)有限公司 Method and device for judging attack behaviors and computer storage medium
CN110505247B (en) * 2019-09-27 2022-05-17 百度在线网络技术(北京)有限公司 Attack detection method and device, electronic equipment and storage medium
CN111209559B (en) * 2019-12-23 2022-02-15 东软集团股份有限公司 Permission processing method and device of application program, storage medium and electronic equipment
CN111046377B (en) * 2019-12-25 2023-11-14 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111382076B (en) * 2020-03-10 2023-04-25 抖音视界有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN113626296A (en) * 2020-05-09 2021-11-09 深圳云天励飞技术有限公司 Method and device for detecting system stability and terminal
CN111884884B (en) * 2020-07-31 2022-05-31 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission
CN111859405A (en) * 2020-07-31 2020-10-30 深信服科技股份有限公司 Threat immunization framework, method, equipment and readable storage medium
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment
US12039031B2 (en) * 2020-09-16 2024-07-16 Cisco Technology, Inc. Security policies for software call stacks
CN112910868A (en) * 2021-01-21 2021-06-04 平安信托有限责任公司 Enterprise network security management method and device, computer equipment and storage medium
CN113392416B (en) * 2021-06-28 2024-03-22 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data
CN113742726B (en) * 2021-08-27 2024-10-15 恒安嘉新(北京)科技股份公司 Program identification model training and program identification method, device, equipment and medium
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN116707929B (en) * 2023-06-16 2024-07-05 广州市玄武无线科技股份有限公司 Mobile phone photographing and faking detection method and device based on call stack information acquisition, terminal equipment and computer readable storage medium
CN118226795B (en) * 2024-05-23 2024-08-13 山东颐阳生物科技集团股份有限公司 Production line safety supervision system and method for wine raw material processing workshop

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002006928A2 (en) * 2000-07-14 2002-01-24 Vcis, Inc. Computer immune system and method for detecting unwanted code in a computer system
CN101286995A (en) * 2008-05-23 2008-10-15 北京锐安科技有限公司 Long-range control method and system
US20090083522A1 (en) * 2007-09-21 2009-03-26 Siemens Energy & Automation, Inc. Systems, Devices, and/or Methods for Managing Programmable Logic Controller Processing
CN101753377A (en) * 2009-12-29 2010-06-23 吉林大学 p2p_botnet real-time detection method and system
US7891000B1 (en) * 2005-08-05 2011-02-15 Cisco Technology, Inc. Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers
CN102546624A (en) * 2011-12-26 2012-07-04 西北工业大学 Method and system for detecting and defending multichannel network intrusion
CN103631712A (en) * 2013-10-23 2014-03-12 北京信息控制研究所 Modeled software key behavior tracking method based on memory management
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US20150220707A1 (en) * 2014-02-04 2015-08-06 Pegasus Media Security, Llc System and process for monitoring malicious access of protected content
CN106203092A (en) * 2016-06-30 2016-12-07 北京金山安全软件有限公司 Method and device for intercepting shutdown of malicious program and electronic equipment
US20170032118A1 (en) * 2015-07-31 2017-02-02 Digital Guardian, Inc. Systems and methods of protecting data from injected malware
CN106411588A (en) * 2016-09-29 2017-02-15 锐捷网络股份有限公司 Network device management method, master device and management server
US9807104B1 (en) * 2016-04-29 2017-10-31 STEALTHbits Technologies, Inc. Systems and methods for detecting and blocking malicious network activity
CN107483274A (en) * 2017-09-25 2017-12-15 北京全域医疗技术有限公司 Service item running state monitoring method and device
CN107959595A (en) * 2016-10-14 2018-04-24 腾讯科技(深圳)有限公司 The method, apparatus and system of a kind of abnormality detection

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7546587B2 (en) * 2004-03-01 2009-06-09 Microsoft Corporation Run-time call stack verification
KR100843701B1 (en) * 2006-11-07 2008-07-04 소프트캠프(주) Confirmation method of API by the information at Call-stack
CN101059829A (en) * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analyzing course risk grade
CN101373501B (en) * 2008-05-12 2010-06-02 公安部第三研究所 Method for capturing dynamic behavior aiming at computer virus
US9110801B2 (en) * 2009-02-10 2015-08-18 International Business Machines Corporation Resource integrity during partial backout of application updates
CN103136472B (en) * 2011-11-29 2016-08-31 腾讯科技(深圳)有限公司 A kind of anti-application program steals method and the mobile device of privacy
CN103368904B (en) * 2012-03-27 2016-12-28 百度在线网络技术(北京)有限公司 The detection of mobile terminal, questionable conduct and decision-making system and method
CN104246693B (en) * 2012-04-20 2018-09-04 恩智浦美国有限公司 Information processing unit for protecting the data in call stack and method
CN102750475B (en) * 2012-06-07 2017-08-15 中国电子科技集团公司第三十研究所 Malicious code behavioral value method and system are compared based on view intersection inside and outside virtual machine
CN103778375B (en) * 2012-10-24 2017-11-17 腾讯科技(深圳)有限公司 The apparatus and method for preventing user equipment from loading illegal dynamic link library file
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions
CN103761472B (en) * 2014-02-21 2017-05-24 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
US9652328B2 (en) * 2014-05-12 2017-05-16 International Business Machines Corporation Restoring an application from a system dump file
CN105335654B (en) * 2014-06-27 2018-12-14 北京金山安全软件有限公司 Android malicious program detection and processing method, device and equipment
CN104268471B (en) * 2014-09-10 2017-04-26 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
US9721112B2 (en) * 2014-09-29 2017-08-01 Airwatch Llc Passive compliance violation notifications
EP3225010B1 (en) * 2014-11-25 2018-09-26 Ensilo Ltd. Systems and methods for malicious code detection accuracy assurance
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 A kind of behavior treating method and apparatus based on application program
CN105224862B (en) * 2015-09-25 2018-03-27 北京北信源软件股份有限公司 A kind of hold-up interception method and device of office shear plates
CN105279432B (en) * 2015-10-12 2018-11-23 北京金山安全软件有限公司 Software monitoring processing method and device
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting Shellcode based on stack frame abnormity
WO2017166037A1 (en) * 2016-03-29 2017-10-05 深圳投之家金融信息服务有限公司 Data tampering detection device and method
CN107330320B (en) * 2016-04-29 2020-06-05 腾讯科技(深圳)有限公司 Method and device for monitoring application process
CN105956462B (en) * 2016-06-29 2019-05-10 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment preventing malicious loading driving
CN106201811B (en) * 2016-07-06 2019-03-26 青岛海信宽带多媒体技术有限公司 The fault recovery method and terminal of application program
CN108171056A (en) * 2016-12-08 2018-06-15 武汉安天信息技术有限责任公司 It is a kind of to automate the malicious detection method of judgement sample and device
CN106708734B (en) * 2016-12-13 2020-01-10 腾讯科技(深圳)有限公司 Software anomaly detection method and device
CN108280346B (en) * 2017-01-05 2022-05-31 腾讯科技(深圳)有限公司 Application protection monitoring method, device and system
CN106991324B (en) * 2017-03-30 2020-02-14 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identifying method based on memory protection type monitoring
CN107358071A (en) * 2017-06-07 2017-11-17 武汉斗鱼网络科技有限公司 Prevent the method and device that function illegally calls in Flash application programs
CN107704356B (en) * 2017-06-12 2019-06-28 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer readable storage medium
CN108052431A (en) * 2017-12-08 2018-05-18 北京奇虎科技有限公司 Terminal program exception closing information processing method, device, terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XUYANG ZHU; HAI ZHANG: "Detection Based on Perflow Packet Count and Entropy", 2009 INTERNATIONAL CONFERENCE ON ELECTRONIC COMPUTER TECHNOLOGY, pages 524 - 528 *

Also Published As

Publication number Publication date
CN109753806B (en) 2024-01-19
CN109766701B (en) 2021-04-27
CN109766701A (en) 2019-05-17
CN109711168A (en) 2019-05-03
CN109711168B (en) 2021-01-15
CN109711172A (en) 2019-05-03
CN108846287A (en) 2018-11-20
CN109766698A (en) 2019-05-17
CN109829307A (en) 2019-05-31
CN109829309A (en) 2019-05-31
CN109871691B (en) 2021-07-20
CN109726560A (en) 2019-05-07
CN109871691A (en) 2019-06-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant