Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As described in the background, the listening state of a server port in a server cluster can currently be set at will. In practice, an attacker typically exploits a vulnerability that allows the listening state of a server port to be set arbitrarily, adds a listening port of his own and uses it to control the host server persistently, so that the host server keeps running the attacker's service for a long period. The security of every server in the cluster is correspondingly lower.
In order to solve the above technical problem, an embodiment of the present invention provides a server protection method, as shown in fig. 1. The method includes:
101. Acquiring newly-added behavior information for a server listening port in a host server of the server cluster.
The newly-added behavior information may be the memory call sequence corresponding to the newly-added behavior. The memory call sequence is the sequence of system function interfaces called when the server carries out the newly-added behavior; it is dynamic memory data, and the memory call sequence of the same newly-added behavior differs from one scenario to another. In the embodiment of the invention, a preset capturing module is injected into each server process of the server cluster by process injection, the system call of the newly-added behavior is intercepted by hooking, and the memory call sequence corresponding to the newly-added behavior is then obtained by backtracing the stack of the intercepted system call. Alternatively, the newly-added behavior information may be the port information of the newly-added server listening port, for example its port number.
102. Detecting whether the newly-added behavior information meets a preset newly-added condition. If yes, go to step 103; if not, go to step 104.
The preset newly-added condition may be a call rule corresponding to an active newly-added behavior of a server listening port. An active newly-added behavior is one performed by operating the terminal device through a keyboard or mouse, that is, the operations and maintenance personnel deliberately adding a server listening port on the host server. By contrast, a passive newly-added behavior is one in which a server listening port is added by a program or function. When designing a server cluster, developers usually allow operators to actively add a listening port; a legitimate addition is normally made by clicking with a mouse or typing on a keyboard, and such an active behavior calls system memory according to the call rule set in the host server. When an attacker exploits a vulnerability, the listening port is usually added passively by a program or function, which calls system memory according to the pattern or call rule chosen by the virus or malware author and therefore does not match the call pattern or call rule set in the host server. The embodiment of the invention can therefore detect whether the newly-added behavior is safe by detecting whether the call rule corresponding to the memory call sequence of the newly-added behavior meets the preset call rule, that is, whether the newly-added behavior is an active one. If the call rule corresponding to the memory call sequence meets the preset call rule, the newly-added behavior is determined to be an active newly-added behavior and hence a safe behavior.
If the call rule corresponding to the memory call sequence of the newly-added behavior does not meet the preset call rule, the newly-added behavior is determined to be a passive newly-added behavior and hence a dangerous behavior.
In addition, because the host server runs a specific service stably over a long period, its port state tends to be stable and listening ports are rarely added. To prevent exploitation of vulnerabilities, the host server may therefore be prohibited from adding server listening ports once it has been deployed. In that case the preset newly-added condition may be that the newly-added server listening port is an already-opened server listening port: even if a listening port is newly added, it must be one that was already open, and the opened server listening ports may be collected when the server is deployed.
103. Determining the newly-added behavior to be a safe behavior, and releasing (allowing) the newly-added behavior.
104. Determining the newly-added behavior to be a dangerous behavior, and blocking the newly-added behavior.
In the embodiment of the invention, in order to verify the accuracy of the detection, the detection result may be uploaded to a cloud control center for further judgment or handling by the operations and maintenance personnel when the newly-added behavior is determined to be dangerous.
Compared with the current practice of allowing the listening state of any server port to be set at will, the server protection method provided by the embodiment of the invention acquires the newly-added behavior information of a server listening port in a host server of the server cluster and detects whether that information meets a preset newly-added condition. If it does, the newly-added behavior is determined to be safe and released; if it does not, the newly-added behavior is determined to be dangerous and blocked. Security detection of newly-added server listening ports is thereby realized, an attacker is prevented from exploiting a vulnerability to add a listening port and thereby control the host server persistently, and the security of the server is improved.
Further, in order to better illustrate the server protection process above, as a refinement and extension of the above embodiment, another server protection method is provided in the embodiment of the present invention, as shown in fig. 2, but not limited thereto, specifically as follows:
201. Acquiring newly-added behavior information for a server listening port in a host server of the server cluster.
The newly-added behavior information may be the memory call sequence corresponding to the newly-added behavior, or the port information of the newly-added server listening port.
In the embodiment of the present invention, when the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, step 201 may specifically include the following in order to capture that sequence: injecting a preset capturing module into each server process of the server cluster and monitoring for the newly-added behavior; hooking the function of the system application layer of the host server with a preset hook function so as to intercept the system call corresponding to the newly-added behavior; and backtracing the stack of the system call with a preset stack backtracing function to obtain the memory call sequence corresponding to the newly-added behavior.
The preset capturing module can be built by a technician using a process injection technique, the preset hook function can be written using a hooking technique, and the preset stack backtracing function can be written using a backtracing technique. Different capturing modules (for example, dynamic link libraries of the corresponding functions), different preset hook functions and different preset stack backtracing functions can be provided for different process behaviors. For example, the preset hook function may be a hookNtAddPort function, and the preset stack backtracing function may be the RtlCaptureStackBackTrace function.
202a. When the newly-added behavior information is the memory call sequence corresponding to the newly-added behavior, detecting whether the call rule corresponding to the memory call sequence meets a preset call rule. If yes, go to step 203; if not, go to step 204.
The preset call rule may be the call rule of an active newly-added behavior of a server port. When an active newly-added behavior of a server listening port occurs on the host server, that is, a server port is added through the mouse or keyboard, the active behavior calls certain system functions or the corresponding interface sequence. The call rule of an active newly-added behavior can therefore be that a specific system function is present in the memory call sequence. The specific system function may be a system function (or corresponding interface sequence) called by an active newly-added behavior, in particular a system function related to message dispatch, or another related system function called by an active newly-added behavior. Message-dispatch-related system functions include GetMessage, TranslateMessage and DispatchMessage. Other related system functions called by active newly-added behaviors include SHELL32!CDefFolderMenu::InvokeCommand, functions of the IFileOpenDialog interface, functions of the IFileSaveDialog interface, the DragQueryFile function, and the like.
In a specific application scenario, detecting whether the call rule corresponding to the memory call sequence meets the preset call rule specifically includes: detecting whether a specific system function is present in the memory call sequence; if so, determining that the call rule corresponding to the memory call sequence meets the preset call rule; if not, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule.
In the embodiment of the invention, in order to improve the accuracy of identifying the newly-added behavior, the preset call rule may specifically require both that a specific system function is present in the memory call sequence and that the calling order of the specific system functions in the memory call sequence matches a preset calling order. After detecting that a specific system function is present, whether the calling order of the specific system functions matches the preset calling order can be further detected; if not, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule; if so, it is determined to meet the preset call rule. For example, the order in which an active newly-added behavior of a server listening port calls the specific system functions is: GetMessage, TranslateMessage, DispatchMessage. If detection finds that the calling order of the specific system functions in the memory call sequence corresponding to the newly-added behavior matches this preset calling order, the newly-added behavior is determined to be an active newly-added behavior and hence safe. If it does not match, the newly-added behavior is determined to be a passive newly-added behavior and hence dangerous.
Alternatively, the preset call rule may specifically require that a specific system function is present in the memory call sequence and that the stack position at which it appears matches a preset stack position. After detecting that a specific system function is present, whether its position in the memory call sequence matches the preset position can be further detected; if not, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule; if so, it is determined to meet the preset call rule. The preset position is the position of the specific system function in the memory call sequence of an active newly-added behavior of the server listening port, for example 0x10. If detection finds the GetMessage function at position 0x08 in the memory call sequence of the newly-added behavior, the call rule corresponding to the memory call sequence is determined not to meet the preset call rule, and the newly-added behavior is determined not to be an active newly-added behavior but a passive one resulting from an attacker exploiting a vulnerability.
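The three checks of step 202a (presence of a specific system function, preset calling order, preset stack position) written as one classifier. This is an added example, not code from the disclosure. It assumes the capturing module has already reduced the hook and stack-backtrace output to a list of symbolised calls listed outermost first, so that a list index is the "position" the text refers to; the sample sequences, the `USER32!` symbol spellings, the preset position 0x08 and the `decide` helper are all constructed for illustration.

```python
"""Call-rule check of step 202a: presence, preset order, preset position.

Added example, not code from the original disclosure. Assumes the memory call
sequence is a list of symbolised calls listed outermost first, so that an index
into the list is the "position" (0x08, 0x10, ...) the text refers to. All
sample sequences, symbol names and the preset position are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class CallRule:
    """Preset call rule describing an active (operator-driven) port addition."""
    specific_functions: Tuple[str, ...]              # at least one must be present
    preset_order: Tuple[str, ...] = ()               # those present must keep this order
    preset_positions: Dict[str, int] = field(default_factory=dict)  # symbol -> index


# Message-dispatch functions named in the text; the preset position 0x08 is a
# hypothetical value chosen to fit the constructed samples below.
MESSAGE_DISPATCH_RULE = CallRule(
    specific_functions=("USER32!GetMessageW", "USER32!TranslateMessage",
                        "USER32!DispatchMessageW"),
    preset_order=("USER32!GetMessageW", "USER32!TranslateMessage",
                  "USER32!DispatchMessageW"),
    preset_positions={"USER32!GetMessageW": 0x08},
)

# Constructed sample: operator adds a listener through the service's admin GUI.
ACTIVE_SEQUENCE = [
    "ntdll!RtlUserThreadStart", "KERNEL32!BaseThreadInitThunk",
    "svc!wWinMainCRTStartup", "svc!__scrt_common_main_seh", "svc!invoke_main",
    "svc!wWinMain", "svc!AdminConsole::Run", "svc!AdminConsole::MessageLoop",
    "USER32!GetMessageW", "USER32!TranslateMessage", "USER32!DispatchMessageW",
    "svc!AdminConsole::WndProc", "svc!PortManager::OnAddListenerClicked",
    "svc!PortManager::OpenListener", "WS2_32!listen", "mswsock!WSPListen",
    "ntdll!NtDeviceIoControlFile",
]
# Constructed sample: a worker thread opens a listener from a request handler
# via a frame with no module backing it; no message-dispatch function at all.
PASSIVE_SEQUENCE = [
    "ntdll!RtlUserThreadStart", "KERNEL32!BaseThreadInitThunk",
    "svc!WorkerThread", "svc!HandleRequest", "<no module>+0x1f2a",
    "WS2_32!listen", "mswsock!WSPListen", "ntdll!NtDeviceIoControlFile",
]
# Constructed sample: the message-dispatch functions are present and in the
# preset order, but GetMessage sits at position 4 instead of the preset 0x08.
MIMIC_SEQUENCE = [
    "ntdll!RtlUserThreadStart", "KERNEL32!BaseThreadInitThunk",
    "svc!WorkerThread", "svc!HandleRequest",
    "USER32!GetMessageW", "USER32!TranslateMessage", "USER32!DispatchMessageW",
    "svc!PortManager::OpenListener", "WS2_32!listen", "mswsock!WSPListen",
    "ntdll!NtDeviceIoControlFile",
]


def check_call_rule(seq: Sequence[str], rule: CallRule) -> Tuple[bool, str]:
    """Return (meets_rule, reason) for one memory call sequence."""
    # 1. a specific system function must be present (A3)
    if not any(f in seq for f in rule.specific_functions):
        return False, "no specific system function in the memory call sequence"
    # 2. the specific functions that are present must keep the preset order (A4)
    positions = [seq.index(f) for f in rule.preset_order if f in seq]
    if positions != sorted(positions):
        return False, "specific system functions are out of the preset order"
    # 3. each symbol the rule pins must sit at its preset position (A5)
    for sym, want in rule.preset_positions.items():
        got = seq.index(sym) if sym in seq else None
        if got != want:
            return False, f"{sym} at position {got!r}, preset position {want:#x}"
    return True, "call rule satisfied"


def decide(seq: Sequence[str], rule: CallRule = MESSAGE_DISPATCH_RULE) -> str:
    """Map the check to the step 203/204 action: 'release' or 'block'."""
    ok, _ = check_call_rule(seq, rule)
    return "release" if ok else "block"


if __name__ == "__main__":
    for name, seq in (("active", ACTIVE_SEQUENCE), ("passive", PASSIVE_SEQUENCE),
                      ("mimic", MIMIC_SEQUENCE)):
        print(f"{name:8s} {decide(seq):8s} {check_call_rule(seq, MESSAGE_DISPATCH_RULE)[1]}")
```

Running the module prints one verdict per sample. The mimic sample shows why the order check alone is not enough: the message-dispatch functions are present and in order, but GetMessage sits at position 4 rather than the preset 0x08, so the sequence is blocked. Because the sequence is captured inside the monitored process, code already executing there can in principle forge frames; the whitelist of step 202b is the independent second condition the disclosure pairs with this check.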
202b (in parallel with step 202a). When the newly-added behavior information is the port information of the newly-added server listening port, detecting whether the port information matches the port information in a preset listening-port whitelist. If so, go to step 203; if not, go to step 204.
The preset listening-port whitelist stores the server listening ports opened in the server cluster together with their port information. The port information may be a port number, for example 8080 for an opened server listening port. Specifically, if the port information of the newly-added server listening port matches port information in the preset listening-port whitelist, the newly-added listening port is an already-opened one that the host server permits, so the newly-added behavior is determined to be safe. If it does not match, the newly-added listening port is not an opened one and is not permitted by the host server, so the newly-added behavior is determined to be dangerous.
The embodiment of the invention also supports setting up the preset listening-port whitelist, and the method further includes: collecting the opened server listening ports and their port information during deployment of the servers in the server cluster; and constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
Further, in order to ensure the integrity of the preset listening-port whitelist and improve the security of the server, the method further includes: sending the preset listening-port whitelist to a cloud control center for correction; and acquiring the listening-port whitelist corrected by the cloud control center. When a server listening port is newly added, it can then be matched against the corrected listening-port whitelist.
203. Determining that the newly-added behavior information meets the preset newly-added condition, determining the newly-added behavior to be a safe behavior, and releasing the newly-added behavior.
It should be noted that after the newly-added behavior has been released, a new server listening port may exist in the host server. To improve subsequent security detection and protection of server ports, the preset listening-port whitelist may be updated with the newly-added server listening port: if the newly-added server listening port is not present in the preset listening-port whitelist, it may be added to it.
204. Determining that the newly-added behavior information does not meet the preset newly-added condition, determining the newly-added behavior to be a dangerous behavior, and blocking the newly-added behavior.
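The whitelist side of the method (collection at deployment, correction by the cloud control center, matching in step 202b, update after release in step 203) as one module. This is an added example, not code from the disclosure. It assumes the opened ports are collected by parsing `netstat -ano` output on a Windows host (the text only says they are collected during deployment) and that the cloud control center returns a complete corrected list that replaces the local one; the netstat capture and every port number below are constructed.

```python
"""Listening-port whitelist of steps 202b and 203 and the collection/correction steps.

Added example, not code from the original disclosure. Assumes the opened ports
are collected from `netstat -ano` output and that the cloud control center's
correction is a complete replacement list. The capture and ports are constructed.
"""
import re
from typing import FrozenSet, Iterable, Set

# Constructed `netstat -ano` capture taken on the host at deployment time.
NETSTAT_AT_DEPLOY = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2244
  TCP    10.0.0.5:49672         10.0.0.9:443           ESTABLISHED     2244
  TCP    [::]:3389              [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1004
"""

# Only TCP sockets in LISTENING state count as "opened server listening ports".
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b")


def collect_listening_ports(netstat_output: str) -> Set[int]:
    """Collect the server listening ports that were open at deployment."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def _valid_port(port: int) -> int:
    """Reject anything outside the TCP port range before it reaches the list."""
    if not 0 < int(port) < 65536:
        raise ValueError(f"invalid TCP port {port!r}")
    return int(port)


class ListenPortWhitelist:
    def __init__(self, ports: Iterable[int]):
        self._ports = {_valid_port(p) for p in ports}

    @property
    def ports(self) -> FrozenSet[int]:
        return frozenset(self._ports)

    def apply_correction(self, corrected: Iterable[int]) -> None:
        """Adopt the whitelist as corrected by the cloud control center."""
        self._ports = {_valid_port(p) for p in corrected}

    def decide(self, port: int) -> str:
        """Step 202b: 'release' if the new listening port is whitelisted, else 'block'."""
        return "release" if _valid_port(port) in self._ports else "block"

    def record_release(self, port: int) -> None:
        """Step 203 update: a port released by another rule (e.g. the call-rule
        check of 202a) is added so that later checks can match it."""
        self._ports.add(_valid_port(port))


if __name__ == "__main__":
    wl = ListenPortWhitelist(collect_listening_ports(NETSTAT_AT_DEPLOY))
    print("at deployment:", sorted(wl.ports))
    wl.apply_correction({80, 443, 8080, 9090})   # cloud drops 3389, adds planned 9090
    for p in (8080, 3389, 4444, 9090):
        print(p, wl.decide(p))
```

Only TCP sockets in LISTENING state are collected, since a UDP socket has no listen state in netstat output and the disclosure's condition concerns listening ports. `record_release` widens the whitelist, so in practice it should only be fed ports released by the call-rule check of step 202a, not ports that were released because they already matched the whitelist.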
Compared with the current practice of allowing the listening state of any server port to be set at will, the server protection method of this embodiment, like that of fig. 1, acquires the newly-added behavior information of a server listening port in a host server of the cluster, detects whether it meets the preset newly-added condition, releases the newly-added behavior as safe if it does and blocks it as dangerous if it does not. This realizes security detection of newly-added server listening ports, prevents an attacker from exploiting a vulnerability to add a listening port and thereby control the host server persistently, and improves the security of the server.
Further, as a specific implementation of fig. 1, an embodiment of the present invention provides a server protection device, as shown in fig. 3, where the device includes: an acquisition unit 31, a detection unit 32, and a processing unit 33.
The obtaining unit 31 may be configured to obtain newly added behavior information of a server listening port in a host server of the server cluster. The obtaining unit 31 is a functional module in the present apparatus for obtaining the newly added behavior information of the server listening port in the host server of the server cluster.
The detecting unit 32 may be configured to detect whether the newly added behavior information meets a preset newly added condition. The detecting unit 32 is a main functional module in the device for detecting whether the newly added behavior information meets a preset newly added condition.
The processing unit 33 may be configured to determine that the newly-added behavior is a safe behavior and release it if the detecting unit 32 detects that the newly-added behavior information meets the preset newly-added condition. The processing unit 33 is a main functional module of the device for this purpose.
The processing unit 33 is further configured to determine that the newly-added behavior is a dangerous behavior and block it if the detecting unit 32 detects that the newly-added behavior information does not meet the preset newly-added condition.
In a specific application scenario, the detection unit 32 may include: a first detection module 321 and a first determination module 322, as shown in fig. 4.
The first detection module 321 may be configured to detect whether a call rule corresponding to the memory call sequence meets a preset call rule when the new behavior information is a memory call sequence corresponding to the new behavior.
The first determining module 322 may be configured to determine that the newly added behavior information meets a preset newly added condition if the first detecting module 321 detects that a call rule corresponding to the memory call sequence meets a preset call rule.
The first determining module 322 may be further configured to determine that the newly added behavior information does not meet a preset newly added condition if the first detecting module 321 detects that a call rule corresponding to the memory call sequence does not meet a preset call rule.
It should be noted that, in order to determine whether the call rule corresponding to the memory call sequence meets the preset call rule, the first detection module 321 may include a detection sub-module and a determination sub-module.
The detection submodule can be used for detecting whether a specific system function exists in the memory call sequence.
The determining submodule may be configured to determine that a call rule corresponding to the memory call sequence accords with a preset call rule if the detecting submodule detects that a specific system function exists in the memory call sequence.
The determining submodule is further configured to determine that the call rule corresponding to the memory call sequence does not meet the preset call rule if the detecting submodule detects that no specific system function exists in the memory call sequence.
Further, in order to improve the accuracy of the new behavior recognition, the detection submodule may be further configured to detect whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence.
The determining submodule is further configured to determine that a calling rule corresponding to the memory calling sequence does not conform to a preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence does not conform to the preset calling sequence;
the determining submodule is further configured to determine that a call rule corresponding to the memory call sequence accords with a preset call rule if the detecting submodule detects that the call sequence of the specific system function in the memory call sequence accords with the preset call sequence.
The detection sub-module may be further configured to detect whether a location of a specific system function in the memory call sequence meets a preset location.
The determining submodule is further configured to determine that the call rule corresponding to the memory call sequence does not meet the preset call rule if the detecting submodule detects that the position of the specific system function in the memory call sequence does not match the preset position. The preset position may be set according to the actual situation, for example 0x08 or 0x10.
The determining submodule is specifically configured to determine that a call rule corresponding to the memory call sequence meets a preset call rule if the detecting submodule detects that a location of a specific system function in the memory call sequence meets a preset location.
For the embodiment of the present invention, the obtaining unit 31 includes: a monitoring module 311, a hooking module 312 and a backtracking module 313.
The monitoring module 311 may be configured to inject a preset capturing module into each server process of the server cluster, to monitor the newly added behavior.
The hooking module 312 may be configured to hook a function of a system application layer of the host server by using a preset hooking function, so as to intercept a system call corresponding to the newly added behavior.
The backtracking module 313 may be configured to backtrack stack information on the system call by using a preset stack information backtracking function, so as to obtain a memory call sequence corresponding to the new behavior.
In a specific application scenario, the detection unit 32 may include: a second detection module 323 and a second determination module 324.
The second detection module 323 may be configured to detect, when the newly added behavior information is port information of a newly added server monitoring port, whether the port information is matched with port information in a preset monitoring port white list, where the preset monitoring port white list stores an opened server monitoring port in the server cluster and port information corresponding to the opened server monitoring port;
the second determining module 324 may be configured to determine that the newly added behavior information meets a preset newly added condition if the second detecting module 323 detects that the port information matches with the port information in the preset listening port whitelist;
the second determining module 324 may be further configured to determine that the newly added behavior information does not meet a preset newly added condition if the second detecting module detects that the port information does not match the port information in the preset listening port whitelist.
In addition, in order to obtain the preset monitoring port white list, the device further comprises: a collection unit 34 and a construction unit 35.
The collecting unit 34 may be configured to collect the opened server ports and corresponding port information thereof during server deployment in the server cluster.
The construction unit 35 may be configured to construct the preset listening port whitelist according to the opened server listening port and the corresponding port information thereof.
Further, in order to ensure the integrity of the preset listening port whitelist and thereby improve the security of the server, the apparatus may further include: a correction unit 36.
The correction unit 36 may be configured to send the preset monitoring port whitelist to a cloud control center for correction.
The obtaining unit 31 may be further configured to obtain the monitoring port whitelist corrected by the cloud control center.
It should be noted that, for other corresponding descriptions of each functional module related to the server protection device provided by the embodiment of the present invention, reference may be made to corresponding descriptions of the method shown in fig. 1, which are not repeated herein.
Based on the above method as shown in fig. 1, correspondingly, the embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the following steps: acquiring newly-added behavior information of a server monitoring port in a host server of a server cluster; detecting whether the newly added behavior information accords with a preset newly added condition; if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior; if the new behavior is not met, determining that the new behavior is dangerous, and performing blocking processing on the new behavior.
Based on the embodiment of the method shown in fig. 1 and the server protection device shown in fig. 3, the embodiment of the invention further provides a physical structure diagram of a computer device, as shown in fig. 5, where the device includes: a processor 41, a memory 42, and a computer program stored on the memory 42 and executable on the processor, wherein the memory 42 and the processor 41 are both arranged on a bus 43, the processor 41 performing the following steps when said program is executed: acquiring newly-added behavior information of a server monitoring port in a host server of a server cluster; detecting whether the newly added behavior information accords with a preset newly added condition; if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior; if the new behavior is not met, determining that the new behavior is dangerous, and performing blocking processing on the new behavior. The apparatus further comprises: a bus 43 configured to couple the processor 41 and the memory 42.
By the technical scheme, the newly-added behavior information of the server monitoring port in the host servers of the server cluster can be obtained. Whether the newly added behavior information accords with a preset newly added condition or not can be detected; if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior; if the new behavior is not met, determining that the new behavior is dangerous behavior, and performing blocking processing on the new behavior, so that safety detection on the new behavior of the server monitoring port can be realized, a hacker can be prevented from utilizing a vulnerability to newly increase the server monitoring port to permanently control the host server, and further the safety of the server can be improved.
The embodiment of the invention also provides the following technical scheme:
a1, a server protection method comprises the following steps:
acquiring newly-added behavior information of a server monitoring port in a host server of a server cluster;
detecting whether the newly added behavior information accords with a preset newly added condition;
if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior;
if the new behavior is not met, determining that the new behavior is dangerous, and performing blocking processing on the new behavior.
A2, the method as described in A1, wherein the new behavior information is a memory call sequence corresponding to the new behavior, and the detecting whether the new behavior information meets a preset new condition comprises:
detecting whether a calling rule corresponding to the memory calling sequence accords with a preset calling rule or not;
if yes, determining that the newly-added behavior information meets a preset newly-added condition;
if not, determining that the newly-added behavior information does not accord with a preset newly-added condition.
A3, the method of A2, the detecting whether the call rule corresponding to the memory call sequence accords with a preset call rule, includes:
detecting whether a specific system function exists in the memory call sequence;
If yes, determining that a calling rule corresponding to the memory calling sequence accords with a preset calling rule;
if not, determining that the call rule corresponding to the memory call sequence does not meet the preset call rule.
A4, the method of A3, wherein before determining that the calling rule corresponding to the memory calling sequence accords with the preset calling rule, the method further comprises:
detecting whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with a preset calling rule;
the determining that the call rule corresponding to the memory call sequence accords with the preset call rule comprises the following steps:
if yes, determining that the calling rule corresponding to the memory calling sequence meets the preset calling rule.
A5, the method of A3, wherein before determining that the calling rule corresponding to the memory calling sequence accords with the preset calling rule, the method further comprises:
detecting whether the position of a specific system function in the memory call sequence accords with a preset position;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with a preset calling rule;
the determining that the calling rule corresponding to the memory calling sequence accords with the preset calling rule comprises the following steps:
if yes, determining that the calling rule corresponding to the memory calling sequence meets the preset calling rule.
A6, the method of any one of A1-A5, wherein the obtaining the newly added behavior information of the newly added server monitoring port in the host server of the server cluster includes:
injecting a preset capturing module into each server process of the server cluster, and monitoring the newly added behavior;
hooking the function of the system application layer of the host server by using a preset hooking function so as to intercept the system call corresponding to the newly added behavior;
and carrying out stack information backtracking on the system call by using a preset stack information backtracking function to obtain a memory call sequence corresponding to the newly added behavior.
A7, the method as set forth in A1, wherein the newly added behavior information is port information of a newly added server monitoring port, and the detecting whether the newly added behavior information meets a preset newly added condition comprises:
detecting whether the port information is matched with port information in a preset monitoring port white list, wherein the preset monitoring port white list stores the opened server monitoring ports in the server cluster and the port information corresponding to the server monitoring ports;
if yes, determining that the newly-added behavior information meets the preset newly-added condition;
if not, determining that the newly-added behavior information does not accord with a preset newly-added condition.
A8, the method of A7, wherein before detecting whether the port information is matched with the port information in the preset monitoring port white list, the method further comprises:
collecting the opened server ports and corresponding port information thereof during server deployment in the server cluster;
and constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port.
A9, the method of A8, wherein after constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port, the method further comprises:
the preset monitoring port white list is sent to a cloud control center for correction;
and acquiring the corrected monitoring port white list of the cloud control center.
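The following is an added example, not code from the patent, showing how the decision procedure of A1 to A9 could be implemented for one captured listening-port event: the white list is built at deployment (A8) and corrected by the cloud control center (A9), and the memory call sequence is checked for the presence (A3), order (A4) and position (A5) of specific system functions. The function names, the rule that both the white list and the call rule must hold, and all sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed preset calling rule (assumption): the system functions a
# legitimate listen path must contain, the order they must appear in
# (oldest call first), and the index at which the hooked call must sit.
REQUIRED_FUNCTIONS = {"socket", "bind", "listen"}
PRESET_ORDER = ["socket", "bind", "listen"]
PRESET_POSITIONS = {"listen": -1}   # the hooked listen call is the last entry


@dataclass
class ListenEvent:
    """Newly added listening-port behavior captured by the injected module."""
    pid: int
    port: int
    call_sequence: List[str] = field(default_factory=list)  # oldest call first


def build_whitelist(deployed_ports):
    """A8: ports opened during deployment become the monitoring port white list."""
    return set(deployed_ports)


def apply_cloud_correction(whitelist, add=(), remove=()):
    """A9: merge the corrections returned by the cloud control center."""
    return (set(whitelist) | set(add)) - set(remove)


def call_rule_matches(seq):
    """A3-A5: presence, position and order checks on the memory call sequence."""
    frames = list(seq)
    if not REQUIRED_FUNCTIONS.issubset(frames):          # A3: function present?
        return False
    for fn, pos in PRESET_POSITIONS.items():             # A5: at preset position?
        if abs(pos) > len(frames) or frames[pos] != fn:
            return False
    it = iter(frames)                                    # A4: preset order kept?
    return all(any(f == want for f in it) for want in PRESET_ORDER)


def decide(event, whitelist):
    """A1: 'release' a safe behavior, 'block' a dangerous one (both checks must hold)."""
    if event.port not in whitelist or not call_rule_matches(event.call_sequence):
        return "block"
    return "release"


WHITELIST = apply_cloud_correction(build_whitelist([80, 443, 8080]), remove=[8080])
SAMPLE_EVENTS = [  # constructed events, not real captures
    ListenEvent(1201, 443, ["socket", "setsockopt", "bind", "listen"]),  # safe
    ListenEvent(1202, 4444, ["socket", "bind", "listen"]),               # port not white-listed
    ListenEvent(1203, 80, ["bind", "socket", "listen"]),                 # wrong call order
    ListenEvent(1204, 80, ["bind", "listen"]),                           # socket missing
    ListenEvent(1205, 80, ["socket", "bind", "listen", "accept"]),       # listen not last
    ListenEvent(1206, 8080, ["socket", "bind", "listen"]),               # removed by cloud
]


def run(events=SAMPLE_EVENTS, whitelist=WHITELIST):
    """Return the verdict for every event keyed by pid."""
    return {e.pid: decide(e, whitelist) for e in events}


if __name__ == "__main__":
    for pid, verdict in run().items():
        print(pid, verdict)
```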
B10, a server guard, comprising:
the acquisition unit is used for acquiring the newly-added behavior information of the server monitoring port in the host servers of the server cluster;
the detection unit is used for detecting whether the newly-added behavior information accords with a preset newly-added condition;
the processing unit is used for determining the newly added behavior as a safety behavior and performing release processing on the newly added behavior if the detection unit detects that the newly added behavior information accords with a preset newly added condition;
and the processing unit is further used for determining the newly added behavior as dangerous behavior and performing blocking processing on the newly added behavior if the detection unit detects that the newly added behavior information does not accord with a preset newly added condition.
B11, the apparatus of B10, the detection unit comprising:
the first detection module is used for detecting whether a calling rule corresponding to the memory calling sequence accords with a preset calling rule or not when the newly added behavior information is the memory calling sequence corresponding to the newly added behavior;
the first determining module is used for determining that the newly-added behavior information accords with a preset newly-added condition if the first detecting module detects that the calling rule corresponding to the memory calling sequence accords with the preset calling rule;
the first determining module is further configured to determine that the newly added behavior information does not conform to a preset newly added condition if the first detecting module detects that a call rule corresponding to the memory call sequence does not conform to a preset call rule.
B12, the apparatus of B11, the first detection module comprising:
the detection submodule is used for detecting whether a specific system function exists in the memory call sequence;
the determining submodule is used for determining that the calling rule corresponding to the memory calling sequence accords with a preset calling rule if the detecting submodule detects that a specific system function exists in the memory calling sequence;
and the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the specific system function does not exist in the memory calling sequence.
B13, the apparatus of B12,
the detection submodule is also used for detecting whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence;
the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence does not accord with the preset calling sequence;
the determining submodule is specifically configured to determine that a calling rule corresponding to the memory calling sequence accords with a preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence accords with the preset calling sequence.
B14, the apparatus of B12,
the detection submodule is also used for detecting whether the position of a specific system function in the memory call sequence accords with a preset position or not;
the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the position of the specific system function in the memory calling sequence does not accord with the preset position;
the determining submodule is specifically configured to determine that the calling rule corresponding to the memory calling sequence accords with the preset calling rule if the detecting submodule detects that the position of the specific system function in the memory calling sequence accords with the preset position.
B15, the apparatus of any one of B10-B14, the acquisition unit comprising:
the monitoring module is used for injecting a preset capturing module into each server process of the server cluster and monitoring the newly-added behavior;
the hooking module is used for hooking the function of the system application layer of the host server by utilizing a preset hooking function so as to intercept the system call corresponding to the newly added behavior;
and the backtracking module is used for backtracking the stack information of the system call by utilizing a preset stack information backtracking function to obtain a memory call sequence corresponding to the newly added behavior.
B16, the apparatus of B10, the detection unit comprising:
the second detection module is used for detecting whether the port information is matched with the port information in a preset monitoring port white list or not when the newly added behavior information is the port information of the monitoring port of the newly added server, and the preset monitoring port white list stores the opened server monitoring port and the port information corresponding to the opened server monitoring port in the server cluster;
the second determining module is used for determining that the newly added behavior information accords with a preset newly added condition if the second detecting module detects that the port information is matched with the port information in the preset monitoring port white list;
the second determining module is further configured to determine that the newly added behavior information does not conform to a preset newly added condition if the second detecting module detects that the port information is not matched with the port information in the preset monitoring port whitelist.
B17, the apparatus of B16, the apparatus further comprising:
a collecting unit, configured to collect, during server deployment in the server cluster, the opened server port and corresponding port information thereof;
and the construction unit is used for constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port.
B18, the apparatus of B16, the apparatus further comprising a correction unit, wherein:
the correction unit is used for sending the preset monitoring port white list to a cloud control center for correction;
the acquisition unit is further used for acquiring the monitoring port white list corrected by the cloud control center.
C19, a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method according to any of A1 to A9.
D20, a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method according to any one of A1 to A9 when the computer program is executed.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of the other embodiments.
It will be appreciated that the relevant features of the methods and apparatus described above may be referenced to one another. In addition, "first", "second", and the like in the above embodiments serve only to distinguish the embodiments and do not represent the relative merits of the embodiments.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a server guard according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.