CN109753806B - Server protection method and device - Google Patents


Info

Publication number
CN109753806B
Authority
CN
China
Prior art keywords
preset
server
behavior
calling
memory
Prior art date
Legal status
Active
Application number
CN201811640471.3A
Other languages
Chinese (zh)
Other versions
CN109753806A (en)
Inventor
陈俊儒
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Priority date
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Qianxin Safety Technology Zhuhai Co Ltd
Publication of CN109753806A
Application granted
Publication of CN109753806B
Status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a server protection method and apparatus in the field of security. Its main purpose is to perform security detection on the addition of a new listening port on a server, and to prevent an attacker from exploiting a vulnerability to add a listening port and thereby gain persistent control of a host server, so that the security of the server is improved. The method comprises: acquiring information on a port-addition behavior, that is, the addition of a listening port on a host server in a server cluster; detecting whether the port-addition information satisfies a preset addition condition; if it does, determining the addition to be a safe behavior and allowing it; if it does not, determining the addition to be a dangerous behavior and blocking it. The method and apparatus are suitable for protecting servers.

Description

Server protection method and device
Technical Field
The present invention relates to the field of security technologies, and in particular, to a method and an apparatus for protecting a server.
Background
With the rapid development of internet technology, service providers often run their services on large-scale server clusters to meet users' diverse demands. To ensure that a service runs normally and stably, the ports of each server in the cluster generally need to be listened on.
Currently, a server cluster commonly allows the listening state of any server port to be set arbitrarily. In practice, however, an attacker typically exploits a vulnerability that permits arbitrary setting of a port's listening state, adds a listening port, and thereby obtains persistent control of the host server; because the host server runs a particular service stably for a long period, the added port stays available to the attacker, which lowers the security of every server in the cluster. A new server protection method is therefore a technical problem to be solved in the field of server clusters.
Disclosure of Invention
In view of this, the present invention provides a server protection method and apparatus whose main purpose is to perform security detection on the addition of a listening port on a server and to prevent an attacker from exploiting a vulnerability to add a listening port and gain persistent control of the host server, thereby improving the security of the server.
According to a first aspect of the present invention, there is provided a server protection method, comprising:
acquiring information on a port-addition behavior, that is, the addition of a listening port on a host server in a server cluster;
detecting whether the port-addition information satisfies a preset addition condition;
if it does, determining the port addition to be a safe behavior and allowing it;
if it does not, determining the port addition to be a dangerous behavior and blocking it.
According to a second aspect of the present invention, there is provided a server protection apparatus, comprising:
an acquisition unit for acquiring information on a port-addition behavior, that is, the addition of a listening port on a host server in a server cluster;
a detection unit for detecting whether the port-addition information satisfies a preset addition condition;
a processing unit for determining the port addition to be a safe behavior and allowing it if the detection unit finds that the port-addition information satisfies the preset addition condition;
the processing unit being further used for determining the port addition to be a dangerous behavior and blocking it if the detection unit finds that the port-addition information does not satisfy the preset addition condition.
According to a third aspect of the present invention, there is provided a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of:
acquiring information on a port-addition behavior, that is, the addition of a listening port on a host server in a server cluster;
detecting whether the port-addition information satisfies a preset addition condition;
if it does, determining the port addition to be a safe behavior and allowing it;
if it does not, determining the port addition to be a dangerous behavior and blocking it.
According to a fourth aspect of the present invention, there is provided a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of:
acquiring information on a port-addition behavior, that is, the addition of a listening port on a host server in a server cluster;
detecting whether the port-addition information satisfies a preset addition condition;
if it does, determining the port addition to be a safe behavior and allowing it;
if it does not, determining the port addition to be a dangerous behavior and blocking it.
Compared with the current practice of allowing the listening state of any server port to be set arbitrarily, the server protection method and apparatus of the present invention acquire information on the addition of a listening port on a host server in a server cluster and detect whether that information satisfies a preset addition condition; if it does, the addition is determined to be safe and allowed, and if it does not, the addition is determined to be dangerous and blocked. Security detection of listening-port additions is thereby achieved, an attacker is prevented from exploiting a vulnerability to add a listening port and gain persistent control of the host server, and the security of the server is improved.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the invention may be understood more clearly and implemented according to the description, and so that the above and other objects, features and advantages become more readily apparent, specific embodiments of the invention are set out below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a schematic flow chart of a server protection method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another method for protecting a server according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a server protection device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another server protection device according to an embodiment of the present invention;
fig. 5 shows a schematic physical structure of a computer device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As described in the background, a server cluster currently allows the listening state of any server port to be set arbitrarily. In practice, however, an attacker typically exploits such a vulnerability to add a listening port and gain persistent control of the host server; because the host server runs a particular service stably for a long period, the added port remains available to the attacker, lowering the security of every server in the cluster.
In order to solve the above technical problems, an embodiment of the present invention provides a server protection method, as shown in fig. 1, where the method includes:
101. Acquire information on a port-addition behavior, that is, the addition of a listening port on a host server in the server cluster.
The port-addition information may be the memory call sequence corresponding to the addition, that is, the sequence of system function interfaces called while the server performs the addition. It is dynamic memory data, and the same addition performed in different scenarios produces different call sequences. In this embodiment, a preset capture module is injected into each server process of the cluster by process injection, the system call made by the addition is intercepted by hooking, and the memory call sequence corresponding to the addition is obtained by backtracking (stack walking) from the hooked system call. Alternatively, the port-addition information may be the port information of the newly added listening port, for example its port number.
102. Detect whether the port-addition information satisfies a preset addition condition. If it does, go to step 103; if not, go to step 104.
The preset addition condition may be a calling rule corresponding to an active addition of a listening port. An active addition is one performed by operating the terminal with a keyboard or mouse, that is, an operations engineer deliberately adding a listening port on the host server; by contrast, a passive addition is one performed by a program or function rather than by an operator. When designing a server cluster, developers usually allow operators to actively add listening ports. A legitimate active addition is typically triggered by a mouse click or keyboard input, and it calls system memory (system functions) according to the calling rule established in the host server. When an attacker exploits a vulnerability, the listening port is instead added passively by a program or function, which calls system memory in the manner or calling rule chosen by the author of the virus or malicious application, and which therefore does not match the calling rule established in the host server. The embodiment can therefore detect the addition by checking whether the calling rule corresponding to the addition's memory call sequence matches the preset calling rule, that is, whether the addition is an active one: if it matches, the addition is determined to be active and therefore safe; if it does not match, the addition is determined to be passive and therefore dangerous.
In addition, because a host server runs a particular service stably for a long time, its port state tends to be stable and listening ports are rarely added. To deny attackers this avenue, the host server may be prohibited from adding listening ports after deployment. The preset addition condition may then be that the newly added listening port is one that was already open: even if a port addition occurs, the port must be one of the ports that were open when the server was deployed, and those ports can be collected during deployment.
103. Determine the port addition to be a safe behavior and allow it.
104. Determine the port addition to be a dangerous behavior and block it.
To confirm the accuracy of the detection, when the addition is determined to be dangerous the detection result may also be uploaded to a cloud control center for further judgment or handling by operations personnel.
Compared with the current practice of allowing the listening state of any server port to be set arbitrarily, the server protection method of this embodiment acquires information on the addition of a listening port on a host server in a server cluster and detects whether that information satisfies a preset addition condition; if it does, the addition is determined to be safe and allowed, and if it does not, the addition is determined to be dangerous and blocked. Security detection of listening-port additions is thereby achieved, an attacker is prevented from exploiting a vulnerability to add a listening port and gain persistent control of the host server, and the security of the server is improved.
Further, to illustrate the protection process more fully, another server protection method is provided as a refinement and extension of the above embodiment, as shown in fig. 2, without limitation, as follows:
201. Acquire information on a port-addition behavior, that is, the addition of a listening port on a host server in the server cluster.
The port-addition information may be the memory call sequence corresponding to the addition, or the port information of the newly added listening port.
When the port-addition information is a memory call sequence, step 201 may specifically include, in order to capture that sequence: injecting a preset capture module into each server process of the cluster and monitoring for port additions; hooking the application-layer system function of the host server with a preset hook function so as to intercept the system call corresponding to the addition; and backtracking the stack of that system call with a preset stack-backtrace function to obtain the memory call sequence corresponding to the addition.
The preset capture module can be implemented by a technician using process injection, the preset hook function using hooking, and the preset stack-backtrace function using stack walking. Different capture modules (which may be corresponding dynamic-link libraries), different preset hook functions and different preset stack-backtrace functions can be provided for different process behaviors, such as opening a file. For example, the preset hook function may be a hookNtAddPort function and the preset stack-backtrace function may be RtlCaptureStackBackTrace.
202a. When the port-addition information is a memory call sequence corresponding to the addition, detect whether the calling rule corresponding to the sequence matches the preset calling rule. If so, go to step 203; if not, go to step 204.
The preset calling rule may be the calling rule of an active addition of a listening port. When an active addition occurs on the host server, that is, a listening port is added by mouse or keyboard, the addition calls certain system functions or a corresponding sequence of interfaces; the calling rule of an active addition can therefore be that a specific system function exists in the memory call sequence. The specific system function may be a system function, or a corresponding interface sequence, called by an active addition, in particular a system function related to message dispatch, such as GetMessage, TranslateMessage or DispatchMessage, or another system function called by an active addition, such as SHELL32!CDefFolderMenu::InvokeCommand, functions of the IFileOpenDialog interface, functions of the IFileSaveDialog interface, or DragQueryFile.
In a specific application scenario, detecting whether the calling rule corresponding to the memory call sequence matches the preset calling rule specifically includes: detecting whether a specific system function exists in the memory call sequence; if it does, determining that the calling rule corresponding to the sequence matches the preset calling rule; if it does not, determining that the calling rule does not match.
To improve the accuracy of identifying the addition, the preset calling rule may further require that a specific system function exists in the memory call sequence and that the order in which the specific system functions are called in the sequence matches a preset calling order. After detecting that a specific system function exists, whether the calling order of the specific system functions in the sequence matches the preset order may also be checked; if it does not, the calling rule corresponding to the sequence is determined not to match the preset calling rule; if it does, the calling rule is determined to match. For example, the order in which an active addition of a listening port calls the specific system functions is GetMessage, then TranslateMessage, then DispatchMessage. If the order of the specific system functions in the memory call sequence of the addition matches this preset order, the addition is determined to be active and therefore safe; if it does not, the addition is determined to be passive and therefore dangerous.
Alternatively, the preset calling rule may require that a specific system function exists in the memory call sequence and that its stack position in the sequence matches a preset position. After detecting that a specific system function exists, whether its position in the sequence matches the preset position may also be checked; if not, the calling rule is determined not to match the preset calling rule; if so, it is determined to match. The preset position is the position of the specific system function in the memory call sequence of an active addition of a listening port. For example, if the preset position is 0x10 and the GetMessage function is found at position 0x08 in the memory call sequence of the addition, the calling rule corresponding to the sequence is determined not to match the preset calling rule, and the addition is determined to be not an active addition but a passive one made by an attacker exploiting a vulnerability.
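The three calling-rule checks of step 202a (presence of a specific system function, its preset calling order, and its preset stack position), as an added example that is not part of the patent or Qianxin's own code. The captured memory call sequence is modelled as a list of symbol names listed from the outermost frame to the hooked listen call, so that a function's position is its index in the list; the function names are those the patent gives, while the sample sequences, the rule structure, the `IFileOpenDialog::Show`/`IFileSaveDialog::Show` spellings and the position 0x10 are assumptions for the example (real offsets depend on the hooked build).

```python
"""Calling-rule check for a captured call sequence (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

# Message-loop functions the patent names for an active (operator-driven)
# addition, in the order it gives.
ACTIVE_ORDER: Sequence[str] = ("GetMessage", "TranslateMessage", "DispatchMessage")

# Other interactive-session functions the patent lists; any one of them
# satisfies the presence rule on its own (method names are assumed).
OTHER_ACTIVE_FUNCS: FrozenSet[str] = frozenset({
    "SHELL32!CDefFolderMenu::InvokeCommand",
    "IFileOpenDialog::Show",
    "IFileSaveDialog::Show",
    "DragQueryFile",
})


@dataclass(frozen=True)
class CallRule:
    required_order: Sequence[str] = ACTIVE_ORDER
    other_funcs: FrozenSet[str] = OTHER_ACTIVE_FUNCS
    # Expected index of required_order[0]; None disables the position rule.
    # 0x10 is the figure the patent uses in its example (assumed here).
    expected_position: Optional[int] = 0x10


def first_positions(seq: Sequence[str], names) -> Dict[str, int]:
    """Index of the first occurrence in seq of each name in names."""
    pos: Dict[str, int] = {}
    for i, sym in enumerate(seq):
        if sym in names and sym not in pos:
            pos[sym] = i
    return pos


def classify(seq: Sequence[str], rule: CallRule = CallRule()) -> Tuple[str, str]:
    """Return ("active", reason) or ("passive", reason) for one call sequence.

    Rule 1 (presence): a specific system function must appear.
    Rule 2 (order):    the message-loop functions must appear in preset order.
    Rule 3 (position): the first of them must sit at the preset stack position.
    """
    pos = first_positions(seq, set(rule.required_order) | rule.other_funcs)
    have_loop = all(f in pos for f in rule.required_order)
    if not have_loop and not any(f in pos for f in rule.other_funcs):
        return "passive", "no message-dispatch or shell function in call sequence"
    if have_loop:
        order = [pos[f] for f in rule.required_order]
        if order != sorted(order):
            return "passive", "message-dispatch functions out of preset order"
        first = rule.required_order[0]
        if rule.expected_position is not None and pos[first] != rule.expected_position:
            return "passive", f"{first} at {pos[first]:#x}, expected {rule.expected_position:#x}"
    return "active", "call sequence matches preset calling rule"


# Constructed sample sequences; frames before the message loop are placeholders.
ACTIVE_TRACE = [f"frame{i:02x}" for i in range(0x10)] + [
    "GetMessage", "TranslateMessage", "DispatchMessage",
    "user32!CallWindowProcW", "app!OnAddPortClicked", "ws2_32!listen",
]
# Program-driven addition: thread start straight into socket calls, no UI.
PASSIVE_TRACE = [
    "ntdll!RtlUserThreadStart", "kernel32!BaseThreadInitThunk",
    "payload!ThreadProc", "ws2_32!bind", "ws2_32!listen",
]
# UI functions present but at stack position 0x08 instead of 0x10.
MISPLACED_TRACE = [f"frame{i:02x}" for i in range(0x08)] + [
    "GetMessage", "TranslateMessage", "DispatchMessage", "ws2_32!listen",
]
# UI functions present but not in the preset order.
DISORDERED_TRACE = [f"frame{i:02x}" for i in range(0x10)] + [
    "DispatchMessage", "GetMessage", "TranslateMessage", "ws2_32!listen",
]

if __name__ == "__main__":
    for name, trace in [("active", ACTIVE_TRACE), ("passive", PASSIVE_TRACE),
                        ("misplaced", MISPLACED_TRACE), ("disordered", DISORDERED_TRACE)]:
        print(f"{name:10s} -> {classify(trace)}")
```

A match under these rules only means the sequence is consistent with operator activity. Code already running inside the hooked process can arrange for the expected frames to be present (for instance by opening the port from a real window procedure, or by forging stack frames), and frame offsets shift with compiler settings and library versions, so the position rule needs re-baselining per build. Treat the verdict as one signal alongside the whitelist check of step 202b and the cloud review the patent describes, not as proof on its own.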
202b (in parallel with step 202a). When the port-addition information is the port information of the newly added listening port, detect whether the port information matches port information in a preset listening-port whitelist. If so, go to step 203; if not, go to step 204.
The preset listening-port whitelist stores the listening ports already open in the server cluster together with their port information. The port information may be a port number; for example, the port number of an open listening port is 8080. Specifically, if the port information of the newly added listening port matches an entry in the whitelist, the port is an already-open listening port that the host server permits, and the addition is determined to be safe. If it does not match, the port is not an already-open listening port, the host server does not permit it, and the addition is determined to be dangerous.
This embodiment also supports building the preset listening-port whitelist, and the method further includes: collecting the open listening ports and their port information on each server of the cluster during deployment; and constructing the preset listening-port whitelist from the open listening ports and their port information.
Further, to ensure the completeness of the whitelist and improve the security of the server, the method further includes: sending the preset listening-port whitelist to a cloud control center for correction; and obtaining the corrected whitelist from the cloud control center. A newly added listening port is then matched against the corrected whitelist.
203. Determine that the port-addition information satisfies the preset addition condition, determine the port addition to be a safe behavior, and allow it.
It should be noted that after an addition is allowed there may be a new listening port on the host server. So that later security detection and protection of server ports works better, the preset listening-port whitelist may be updated with the newly added listening port: specifically, if the port is not already in the whitelist, it may be added to it.
204. Determine that the port-addition information does not satisfy the preset addition condition, determine the port addition to be a dangerous behavior, and block it.
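The whitelist lifecycle of steps 202b and 203 (collect open ports at deployment, apply a correction from the cloud control center, match a newly added port, record an allowed addition), as an added example that is not part of the patent or Qianxin's own code. The netstat-style snapshot, the host names, the `ListenEvent` fields and the correction format are constructed for this example; the patent only specifies that port numbers such as 8080 are stored. The patent keeps one list for the whole cluster; this example keys it per host, which is the stricter design choice.

```python
"""Listening-port whitelist: build, correct, match, update (added example)."""
from dataclasses import dataclass
from typing import Dict, Mapping, Set, Tuple

PortKey = Tuple[str, int]  # (protocol, port number)
Whitelist = Dict[str, Set[PortKey]]  # host -> set of permitted ports


@dataclass(frozen=True)
class ListenEvent:
    """One intercepted listening-port addition on a host (fields assumed)."""
    host: str
    proto: str
    port: int
    process: str


def parse_listening_ports(netstat_output: str) -> Set[PortKey]:
    """Extract TCP LISTENING local ports from `netstat -ano`-style text."""
    ports: Set[PortKey] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit copes with IPv6 forms such as [::]:8080
            ports.add(("tcp", int(fields[1].rsplit(":", 1)[1])))
    return ports


def build_whitelist(snapshots: Mapping[str, str]) -> Whitelist:
    """Collection step: open ports per host, taken at deployment time."""
    return {host: parse_listening_ports(text) for host, text in snapshots.items()}


def apply_cloud_correction(whitelist: Whitelist, correction: Mapping) -> None:
    """Apply a correction from the cloud control center. Format assumed:
    {host: {"add": [(proto, port), ...], "remove": [(proto, port), ...]}}."""
    for host, change in correction.items():
        entry = whitelist.setdefault(host, set())
        entry.update(tuple(k) for k in change.get("add", []))
        entry.difference_update(tuple(k) for k in change.get("remove", []))


def evaluate(whitelist: Whitelist, event: ListenEvent) -> Tuple[str, str]:
    """Step 202b: allow when the port is whitelisted for the host, else block."""
    key = (event.proto, event.port)
    if key in whitelist.get(event.host, set()):
        return "allow", f"{event.proto}/{event.port} was open at deployment on {event.host}"
    return "block", (f"{event.proto}/{event.port} opened by {event.process} "
                     f"is not whitelisted on {event.host}")


def record_allowed(whitelist: Whitelist, event: ListenEvent) -> None:
    """Step 203: after an addition is released, add its port to the whitelist."""
    whitelist.setdefault(event.host, set()).add((event.proto, event.port))


# Constructed deployment snapshot; this is not real netstat output.
DEPLOY_SNAPSHOT = {
    "web-01": """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1120
  TCP    [::]:8080              [::]:0                 LISTENING       1388
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1402
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     1388
""",
}

# Constructed correction: the control center strikes the local MySQL port.
CLOUD_CORRECTION = {"web-01": {"remove": [("tcp", 3306)]}}

if __name__ == "__main__":
    wl = build_whitelist(DEPLOY_SNAPSHOT)
    apply_cloud_correction(wl, CLOUD_CORRECTION)
    for ev in (ListenEvent("web-01", "tcp", 8080, "nginx.exe"),
               ListenEvent("web-01", "tcp", 3306, "mysqld.exe"),
               ListenEvent("web-01", "tcp", 4444, "svchost.exe")):
        print(ev.host, ev.proto, ev.port, "->", evaluate(wl, ev))
```

Call `record_allowed` only after the release decision has actually been made (a call-rule match in step 202a or operator confirmation via the cloud control center), and send the updated list back for correction. If the whitelist were updated from the whitelist check alone, the two would be circular, and a port that slipped through once would stay permitted on every later check.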
Compared with the current practice of allowing the listening state of any server port to be set arbitrarily, the server protection method of this embodiment acquires information on the addition of a listening port on a host server in a server cluster and detects whether that information satisfies a preset addition condition; if it does, the addition is determined to be safe and allowed, and if it does not, the addition is determined to be dangerous and blocked. Security detection of listening-port additions is thereby achieved, an attacker is prevented from exploiting a vulnerability to add a listening port and gain persistent control of the host server, and the security of the server is improved.
Further, as a specific implementation of fig. 1, an embodiment of the present invention provides a server protection apparatus, as shown in fig. 3, which includes an acquisition unit 31, a detection unit 32 and a processing unit 33.
The acquisition unit 31 may be used to acquire information on the addition of a listening port on a host server in the server cluster; it is the functional module of the apparatus that acquires this information.
The detection unit 32 may be used to detect whether the port-addition information satisfies a preset addition condition; it is the main functional module of the apparatus for this detection.
The processing unit 33 may be used to determine the port addition to be a safe behavior and allow it if the detection unit 32 finds that the port-addition information satisfies the preset addition condition; it is the main functional module of the apparatus for this processing.
The processing unit 33 is further used to determine the port addition to be a dangerous behavior and block it if the detection unit 32 finds that the port-addition information does not satisfy the preset addition condition.
In a specific application scenario, the detection unit 32 may include a first detection module 321 and a first determination module 322, as shown in fig. 4.
The first detection module 321 may be configured to detect whether a call rule corresponding to the memory call sequence meets a preset call rule when the new behavior information is a memory call sequence corresponding to the new behavior.
The first determining module 322 may be configured to determine that the newly added behavior information meets a preset newly added condition if the first detecting module 321 detects that a call rule corresponding to the memory call sequence meets a preset call rule.
The first determining module 322 may be further configured to determine that the newly added behavior information does not meet a preset newly added condition if the first detecting module 321 detects that a call rule corresponding to the memory call sequence does not meet a preset call rule.
It should be noted that, in order to determine whether the call rule corresponding to the memory call sequence meets the preset call rule, the first detection module 321 may include: the sub-module is detected and the sub-module is determined.
The detection submodule can be used for detecting whether a specific system function exists in the memory call sequence.
The determining submodule may be configured to determine that a call rule corresponding to the memory call sequence accords with a preset call rule if the detecting submodule detects that a specific system function exists in the memory call sequence.
The determining submodule is further configured to determine that the call rule corresponding to the memory call sequence does not accord with the preset call rule if the detecting submodule detects that the specific system function does not exist in the memory call sequence.
Further, in order to improve the accuracy of the new behavior recognition, the detection submodule may be further configured to detect whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence.
The determining submodule is further configured to determine that a calling rule corresponding to the memory calling sequence does not conform to a preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence does not conform to the preset calling sequence;
the determining submodule is further configured to determine that a call rule corresponding to the memory call sequence accords with a preset call rule if the detecting submodule detects that the call sequence of the specific system function in the memory call sequence accords with the preset call sequence.
The detection sub-module may be further configured to detect whether a location of a specific system function in the memory call sequence meets a preset location.
The determining submodule is further configured to determine that a call rule corresponding to the memory call sequence does not conform to a preset call rule if the detecting submodule detects that the location of the specific system function in the memory call sequence does not conform to the preset location. The preset position may be set according to the actual situation; for example, the preset position is 0x08 or 0x10.
The determining submodule is specifically configured to determine that a call rule corresponding to the memory call sequence meets a preset call rule if the detecting submodule detects that a location of a specific system function in the memory call sequence meets a preset location.
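The three checks described above for the detection and determination submodules (presence of a specific system function, preset calling order, preset position), as an added example that is not the patent's own code. The frame names, the innermost-first layout of the backtraced sequence and the reading of "position" as a frame's stack offset are assumptions.

```python
"""Evaluate a backtraced memory call sequence against a preset call rule.
Added example, not the patent's code: frame names, innermost-first layout and
reading "position" as a frame's stack offset are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    """One frame of the memory call sequence obtained by stack backtracking."""
    function: str
    position: int  # assumed: stack offset of the frame, e.g. 0x08 or 0x10


@dataclass(frozen=True)
class CallRule:
    """Preset call rule: which system functions a legitimate listen must pass
    through, in which order (innermost frame first), and at which positions."""
    specific_functions: FrozenSet[str]
    preset_order: Tuple[str, ...]
    preset_positions: Dict[str, FrozenSet[int]]


def specific_functions_present(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Detection submodule: do all specific system functions exist in the sequence?"""
    return rule.specific_functions <= {f.function for f in seq}


def calling_order_matches(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Does the order of the preset functions in the sequence match the preset order?"""
    indexes = []
    for name in rule.preset_order:
        hits = [i for i, f in enumerate(seq) if f.function == name]
        if not hits:
            return False
        indexes.append(hits[0])
    return all(a < b for a, b in zip(indexes, indexes[1:]))


def positions_match(seq: Sequence[Frame], rule: CallRule) -> bool:
    """Does every constrained system function sit at one of its preset positions?"""
    for f in seq:
        allowed = rule.preset_positions.get(f.function)
        if allowed is not None and f.position not in allowed:
            return False
    return True


def call_rule_conforms(seq: Sequence[Frame], rule: CallRule) -> Tuple[bool, str]:
    """Determination submodule: the three checks in the order the text gives them.
    Returns the verdict with the reason, which is what an operator wants logged."""
    if not specific_functions_present(seq, rule):
        return False, "specific system function missing"
    if not calling_order_matches(seq, rule):
        return False, "calling order differs from preset order"
    if not positions_match(seq, rule):
        return False, "specific system function at unexpected position"
    return True, "call rule matches preset rule"


def classify_new_behavior(seq: Sequence[Frame], rule: CallRule) -> str:
    """Processing unit: release a safe behavior, block a dangerous one."""
    return "release" if call_rule_conforms(seq, rule)[0] else "block"


# Constructed preset rule: a legitimate listen() is entered through the libc
# wrapper at offset 0x08 or 0x10, from the server's accept loop, on a stack
# rooted in the loader-provided entry frame.
PRESET_RULE = CallRule(
    specific_functions=frozenset({"listen@libc", "__libc_start_main"}),
    preset_order=("listen@libc", "server_accept_loop", "__libc_start_main"),
    preset_positions={"listen@libc": frozenset({0x08, 0x10})},
)

# Constructed call sequences (innermost frame first).
SAFE_SEQUENCE = (
    Frame("listen@libc", 0x08), Frame("server_accept_loop", 0x40),
    Frame("main", 0x80), Frame("__libc_start_main", 0xc0),
)
# A listener opened from an unbacked memory region: no libc wrapper, no loader frame.
INJECTED_SEQUENCE = (Frame("raw_syscall_stub", 0x08), Frame("unbacked_region", 0x30))
# Right functions, wrong relative order.
WRONG_ORDER = (
    Frame("server_accept_loop", 0x08), Frame("listen@libc", 0x10),
    Frame("__libc_start_main", 0xc0),
)
# Right functions and order, but the wrapper sits at an unexpected offset.
WRONG_POSITION = (
    Frame("listen@libc", 0x28), Frame("server_accept_loop", 0x40),
    Frame("__libc_start_main", 0xc0),
)

if __name__ == "__main__":
    for name, seq in (("safe", SAFE_SEQUENCE), ("injected", INJECTED_SEQUENCE),
                      ("wrong order", WRONG_ORDER), ("wrong position", WRONG_POSITION)):
        print(name, classify_new_behavior(seq, PRESET_RULE),
              call_rule_conforms(seq, PRESET_RULE)[1])
```

The reason string returned alongside the verdict is what a detection pipeline would log; the text itself only specifies the release/block outcome.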
For the embodiment of the present invention, the obtaining unit 31 includes: a monitoring module 311, a hooking module 312 and a backtracking module 313.
The monitoring module 311 may be configured to inject a preset capturing module into each server process of the server cluster, to monitor the newly added behavior.
The hooking module 312 may be configured to hook a function of a system application layer of the host server by using a preset hooking function, so as to intercept a system call corresponding to the newly added behavior.
The backtracking module 313 may be configured to backtrack stack information on the system call by using a preset stack information backtracking function, so as to obtain a memory call sequence corresponding to the new behavior.
In a specific application scenario, the detection unit 32 may include: a second detection module 323 and a second determination module 324.
The second detection module 323 may be configured to detect, when the newly added behavior information is port information of a newly added server monitoring port, whether the port information is matched with port information in a preset monitoring port white list, where the preset monitoring port white list stores an opened server monitoring port in the server cluster and port information corresponding to the opened server monitoring port;
the second determining module 324 may be configured to determine that the newly added behavior information meets a preset newly added condition if the second detecting module 323 detects that the port information matches with the port information in the preset listening port whitelist;
the second determining module 324 may be further configured to determine that the newly added behavior information does not meet a preset newly added condition if the second detecting module detects that the port information does not match the port information in the preset listening port whitelist.
In addition, in order to obtain the preset monitoring port white list, the device further comprises: a collection unit 34 and a construction unit 35.
The collecting unit 34 may be configured to collect the opened server ports and corresponding port information thereof during server deployment in the server cluster.
The construction unit 35 may be configured to construct the preset listening port whitelist according to the opened server listening port and the corresponding port information thereof.
Further, in order to ensure the integrity of the preset listening port white list and thereby further improve the security of the server, the apparatus may further include: a correction unit 36.
The correction unit 36 may be configured to send the preset monitoring port whitelist to a cloud control center for correction.
The obtaining unit 31 may be further configured to obtain the monitoring port whitelist corrected by the cloud control center.
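The whitelist path described for the collecting, construction, correction and second detection units (the page's "monitoring port" is a listening port), as an added example that is not the patent's own code. The inventory line format, the correction message format and the inclusion of the owning process name in the "port information" are assumptions.

```python
"""Build the preset listening port whitelist from a deployment inventory, apply a
correction from the cloud control center, and classify a newly added listener.
Added example, not the patent's code: inventory format, correction format and
the owning process as part of the port information are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

PortKey = Tuple[str, str, int]  # (host, protocol, port number)


@dataclass(frozen=True)
class ListenEvent:
    """Port information of a listening port opened on a host in the cluster."""
    host: str
    proto: str
    port: int
    process: str  # name of the process that opened the listener


# Constructed deployment inventory: one listener per line, "host proto port process".
DEPLOYMENT_INVENTORY = """
web-01 tcp 22 sshd
web-01 tcp 80 nginx
web-01 tcp 443 nginx
db-01 tcp 22 sshd
db-01 tcp 5432 postgres
"""


def collect_deployment_ports(inventory: str) -> Iterable[ListenEvent]:
    """Collecting unit: parse the listeners recorded during server deployment."""
    for line in inventory.strip().splitlines():
        host, proto, port, process = line.split()
        yield ListenEvent(host, proto.lower(), int(port), process)


def build_whitelist(ports: Iterable[ListenEvent]) -> Dict[PortKey, str]:
    """Construction unit: map each opened listening port to its owning process."""
    return {(p.host, p.proto, p.port): p.process for p in ports}


def apply_cloud_correction(whitelist: Dict[PortKey, str],
                           correction: dict) -> Dict[PortKey, str]:
    """Correction unit: merge the entries corrected by the cloud control center.
    Assumed message format: {"add": [ListenEvent, ...], "remove": [PortKey, ...]}.
    A new dict is returned so the uncorrected list is never used by mistake."""
    corrected = dict(whitelist)
    for key in correction.get("remove", []):
        corrected.pop(key, None)
    for entry in correction.get("add", []):
        corrected[(entry.host, entry.proto, entry.port)] = entry.process
    return corrected


def check_new_listen(whitelist: Dict[PortKey, str],
                     event: ListenEvent) -> Tuple[str, str]:
    """Second detection/determination modules: release when the port information
    matches a whitelist entry, block otherwise. The owning process is compared
    too, so a known port reopened by an unexpected process is still blocked."""
    expected = whitelist.get((event.host, event.proto, event.port))
    if expected is None:
        return "block", "port not in preset listening port whitelist"
    if expected != event.process:
        return "block", f"port owned by {expected!r} in whitelist, opened by {event.process!r}"
    return "release", "port information matches whitelist"


if __name__ == "__main__":
    whitelist = build_whitelist(collect_deployment_ports(DEPLOYMENT_INVENTORY))
    corrected = apply_cloud_correction(whitelist, {
        "add": [ListenEvent("web-01", "tcp", 9100, "node_exporter")],
        "remove": [("db-01", "tcp", 22)],
    })
    for ev in (ListenEvent("web-01", "tcp", 443, "nginx"),
               ListenEvent("web-01", "tcp", 4444, "sh"),
               ListenEvent("web-01", "tcp", 80, "python3"),
               ListenEvent("web-01", "tcp", 9100, "node_exporter")):
        print(ev, *check_new_listen(corrected, ev))
```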
It should be noted that, for other corresponding descriptions of each functional module related to the server protection device provided by the embodiment of the present invention, reference may be made to corresponding descriptions of the method shown in fig. 1, which are not repeated herein.
Based on the above method as shown in fig. 1, correspondingly, the embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the following steps: acquiring newly added behavior information of a server monitoring port in a host server of a server cluster; detecting whether the newly added behavior information accords with a preset newly added condition; if yes, determining the newly added behavior as a safe behavior, and performing release processing on the newly added behavior; if not, determining that the newly added behavior is a dangerous behavior, and performing blocking processing on the newly added behavior.
Based on the embodiment of the method shown in fig. 1 and the server protection device shown in fig. 3, the embodiment of the invention further provides a physical structure diagram of a computer device, as shown in fig. 5, where the device includes: a processor 41, a memory 42, and a computer program stored on the memory 42 and executable on the processor 41, the memory 42 and the processor 41 both being coupled to a bus 43. When the program is executed, the processor 41 performs the following steps: acquiring newly added behavior information of a server monitoring port in a host server of a server cluster; detecting whether the newly added behavior information accords with a preset newly added condition; if yes, determining the newly added behavior as a safe behavior, and performing release processing on the newly added behavior; if not, determining that the newly added behavior is a dangerous behavior, and performing blocking processing on the newly added behavior.
By the technical scheme, the newly added behavior information of the server monitoring port in the host servers of the server cluster can be obtained, and whether the newly added behavior information accords with a preset newly added condition can be detected; if yes, the newly added behavior is determined to be a safe behavior and release processing is performed on it; if not, the newly added behavior is determined to be a dangerous behavior and blocking processing is performed on it. Security detection of newly added behavior on the server monitoring port is thereby realized, an attacker can be prevented from exploiting a vulnerability to add a server monitoring port in order to keep persistent control of the host server, and the security of the server can be further improved.
The embodiment of the invention also provides the following technical scheme:
a1, a server protection method comprises the following steps:
acquiring newly-added behavior information of a server monitoring port in a host server of a server cluster;
detecting whether the newly added behavior information accords with a preset newly added condition;
if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior;
if not, determining that the newly added behavior is a dangerous behavior, and performing blocking processing on the newly added behavior.
A2, the method as described in A1, wherein the new behavior information is a memory call sequence corresponding to the new behavior, and the detecting whether the new behavior information meets a preset new condition comprises:
detecting whether a calling rule corresponding to the memory calling sequence accords with a preset calling rule or not;
if yes, determining that the newly-added behavior information meets a preset newly-added condition;
if not, determining that the newly-added behavior information does not accord with a preset newly-added condition.
A3, the method of A2, the detecting whether the call rule corresponding to the memory call sequence accords with a preset call rule, includes:
detecting whether a specific system function exists in the memory call sequence;
If yes, determining that a calling rule corresponding to the memory calling sequence accords with a preset calling rule;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule.
A4, the method of A3, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further comprises:
detecting whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with a preset calling rule;
the determining that the call rule corresponding to the memory call sequence accords with the preset call rule comprises the following steps:
if yes, determining that the calling rule corresponding to the memory calling sequence meets the preset calling rule.
A5, the method of A3, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further includes:
detecting whether the position of a specific system function in the memory call sequence accords with a preset position;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with a preset calling rule;
The determining that the call rule corresponding to the memory call sequence accords with the preset call rule comprises the following steps:
if yes, determining that the calling rule corresponding to the memory calling sequence meets the preset calling rule.
A6, the method of any one of A1-A5, wherein the obtaining the newly added behavior information of the newly added server monitoring port in the host server of the server cluster includes:
injecting a preset capturing module into each server process of the server cluster, and monitoring the newly added behavior;
hooking the function of the system application layer of the host server by using a preset hooking function so as to intercept the system call corresponding to the newly added behavior;
and carrying out stack information backtracking on the system call by using a preset stack information backtracking function to obtain a memory call sequence corresponding to the newly added behavior.
A7, the method as set forth in A1, wherein the newly added behavior information is port information of a newly added server monitoring port, and the detecting whether the newly added behavior information meets a preset newly added condition comprises:
detecting whether the port information is matched with port information in a preset monitoring port white list, wherein the preset monitoring port white list stores the opened server monitoring ports in the server cluster and the port information corresponding to the server monitoring ports;
If yes, determining that the newly-added behavior information meets a preset newly-added condition;
if not, determining that the newly-added behavior information does not accord with a preset newly-added condition.
A8, the method of A7, wherein before detecting whether the port information matches the port information in the preset monitoring port white list, the method further includes:
collecting the opened server ports and corresponding port information thereof during server deployment in the server cluster;
and constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port.
A9, the method of A8, wherein after constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port, the method further comprises:
the preset monitoring port white list is sent to a cloud control center for correction;
and acquiring the corrected monitoring port white list of the cloud control center.
B10, a server guard, comprising:
the acquisition unit is used for acquiring the newly-added behavior information of the server monitoring port in the host servers of the server cluster;
The detection unit is used for detecting whether the newly-added behavior information accords with a preset newly-added condition;
the processing unit is used for determining the newly added behavior as a safety behavior and performing release processing on the newly added behavior if the detection unit detects that the newly added behavior information accords with a preset newly added condition;
and the processing unit is further used for determining the newly added behavior as dangerous behavior and performing blocking processing on the newly added behavior if the detection unit detects that the newly added behavior information does not accord with a preset newly added condition.
B11, the apparatus of B10, the detection unit comprising:
the first detection module is used for detecting whether a calling rule corresponding to the memory calling sequence accords with a preset calling rule or not when the newly added behavior information is the memory calling sequence corresponding to the newly added behavior;
the first determining module is used for determining that the newly-added behavior information accords with a preset newly-added condition if the first detecting module detects that the calling rule corresponding to the memory calling sequence accords with the preset calling rule;
the first determining module is further configured to determine that the newly added behavior information does not conform to a preset newly added condition if the first detecting module detects that a call rule corresponding to the memory call sequence does not conform to a preset call rule.
B12, the apparatus of B11, the first detection module comprising:
the detection submodule is used for detecting whether a specific system function exists in the memory call sequence;
the determining submodule is used for determining that the calling rule corresponding to the memory calling sequence accords with a preset calling rule if the detecting submodule detects that a specific system function exists in the memory calling sequence;
and the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the specific system function does not exist in the memory calling sequence.
B13, the device as described in B12,
the detection submodule is also used for detecting whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence;
the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence does not accord with the preset calling sequence;
the determining submodule is specifically configured to determine that a calling rule corresponding to the memory calling sequence accords with a preset calling rule if the detecting submodule detects that the calling sequence of the specific system function in the memory calling sequence accords with the preset calling sequence.
B14, the device as described in B12,
the detection submodule is also used for detecting whether the position of a specific system function in the memory call sequence accords with a preset position or not;
the determining submodule is further used for determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule if the detecting submodule detects that the position of the specific system function in the memory calling sequence does not accord with the preset position;
the determining submodule is specifically configured to determine that a call rule corresponding to the memory call sequence meets a preset call rule if the detecting submodule detects that a location of a specific system function in the memory call sequence meets a preset location.
B15, the apparatus of any one of B10-B14, the acquisition unit comprising:
the monitoring module is used for injecting a preset capturing module into each server process of the server cluster and monitoring the newly-added behavior;
the hooking module is used for hooking the function of the system application layer of the host server by utilizing a preset hooking function so as to intercept the system call corresponding to the newly added behavior;
and the backtracking module is used for backtracking the stack information of the system call by utilizing a preset stack information backtracking function to obtain a memory call sequence corresponding to the newly added behavior.
B16, the apparatus of B10, the detection unit comprising:
the second detection module is used for detecting whether the port information is matched with the port information in a preset monitoring port white list or not when the newly added behavior information is the port information of the monitoring port of the newly added server, and the preset monitoring port white list stores the opened server monitoring port and the port information corresponding to the opened server monitoring port in the server cluster;
the second determining module is used for determining that the newly added behavior information accords with a preset newly added condition if the second detecting module detects that the port information is matched with the port information in the preset monitoring port white list;
the second determining module is further configured to determine that the newly added behavior information does not conform to a preset newly added condition if the second detecting module detects that the port information is not matched with the port information in the preset monitoring port whitelist.
B17, the apparatus of B16, the apparatus further comprising:
a collecting unit, configured to collect, during server deployment in the server cluster, the opened server port and corresponding port information thereof;
and the construction unit is used for constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port.
B18, the apparatus of B16, the apparatus further comprising: a correction unit,
the correction unit is used for sending the preset monitoring port white list to a cloud control center for correction;
the acquisition unit is further used for acquiring the monitoring port white list corrected by the cloud control center.
C19, a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method according to any of A1 to A9.
D20, a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method according to any one of A1 to A9 when the computer program is executed.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated that the relevant features of the methods and apparatus described above may be referenced to one another. In addition, "first", "second", and the like in the above embodiments serve to distinguish the embodiments and do not represent their relative merits.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided to disclose the enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a server guard according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order. These words may be interpreted as names.

Claims (16)

1. A method for protecting a server, comprising:
acquiring newly-added behavior information of a server monitoring port in a host server of a server cluster;
the step of obtaining the newly-added behavior information of the server monitoring port in the host server of the server cluster comprises the following steps: injecting a preset capturing module into each server process of the server cluster, and monitoring the newly added behavior; hooking the function of the system application layer of the host server by using a preset hooking function so as to intercept the system call corresponding to the newly added behavior; performing stack information backtracking on the system call by using a preset stack information backtracking function to obtain a memory call sequence corresponding to the newly added behavior;
detecting whether a calling rule corresponding to the memory calling sequence accords with a preset calling rule or not;
if yes, determining the newly added behavior as a safety behavior, and performing release processing on the newly added behavior;
if not, determining that the newly added behavior is a dangerous behavior, and performing blocking processing on the newly added behavior.
2. The method of claim 1, wherein the detecting whether the call rule corresponding to the memory call sequence meets a preset call rule comprises:
Detecting whether a specific system function exists in the memory call sequence;
if yes, determining that a calling rule corresponding to the memory calling sequence accords with a preset calling rule;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with the preset calling rule.
3. The method according to claim 2, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further comprises:
detecting whether the calling sequence of the specific system function in the memory calling sequence accords with a preset calling sequence;
if not, determining that the calling rule corresponding to the memory calling sequence does not accord with a preset calling rule;
the determining that the call rule corresponding to the memory call sequence accords with the preset call rule comprises the following steps:
if yes, determining that the calling rule corresponding to the memory calling sequence meets the preset calling rule.
4. The method according to claim 2, wherein before determining that the call rule corresponding to the memory call sequence meets the preset call rule, the method further comprises:
and detecting whether the position of the specific system function in the memory call sequence accords with a preset position.
5. The method of claim 1, wherein the newly added behavior information is port information of a newly added server listening port, further comprising:
detecting whether the port information is matched with port information in a preset monitoring port white list, wherein the preset monitoring port white list stores the opened server monitoring ports in the server cluster and the port information corresponding to the server monitoring ports;
if yes, determining that the newly-added behavior information meets a preset newly-added condition;
if not, determining that the newly-added behavior information does not accord with a preset newly-added condition.
6. The method of claim 5, wherein before detecting whether the port information matches port information in a preset port whitelist, the method further comprises:
collecting the opened server ports and corresponding port information thereof during server deployment in the server cluster;
and constructing the preset monitoring port white list according to the opened server monitoring port and the port information corresponding to the opened server monitoring port.
7. The method according to claim 6, wherein after the preset listening port whitelist is constructed according to the opened server listening port and the corresponding port information thereof, the method further comprises:
The preset monitoring port white list is sent to a cloud control center for correction;
and acquiring the corrected monitoring port white list of the cloud control center.
8. A server protection apparatus, comprising:
an acquisition unit, configured to acquire newly-added behavior information of a server listening port in the host servers of a server cluster;
wherein the acquisition unit comprises: a monitoring module, configured to inject a preset capturing module into each server process of the server cluster and to monitor the newly-added behavior; a hooking module, configured to hook a system application-layer function of the host server using a preset hooking function, so as to intercept the system call corresponding to the newly-added behavior; and a backtracking module, configured to backtrace the stack information of the system call using a preset stack-backtracking function, so as to obtain the memory calling sequence corresponding to the newly-added behavior;
a detection unit, configured to detect whether the calling rule corresponding to the memory calling sequence meets a preset calling rule;
a processing unit, configured to determine that the newly-added behavior is a safe behavior if the calling rule meets the preset calling rule, and to release the newly-added behavior;
and the processing unit is further configured to determine that the newly-added behavior is a dangerous behavior if the calling rule does not meet the preset calling rule, and to block the newly-added behavior.
9. The apparatus of claim 8, wherein the detection unit comprises:
a detection submodule, configured to detect whether a specific system function exists in the memory calling sequence;
a determining submodule, configured to determine that the calling rule corresponding to the memory calling sequence meets the preset calling rule if the detection submodule detects that the specific system function exists in the memory calling sequence;
and the determining submodule is further configured to determine that the calling rule corresponding to the memory calling sequence meets the preset calling rule if the detection submodule detects that the specific system function does not exist in the memory calling sequence.
10. The apparatus of claim 9, wherein the detection submodule is further configured to detect whether the calling order of the specific system function in the memory calling sequence meets a preset calling order;
the determining submodule is further configured to determine that the calling rule corresponding to the memory calling sequence does not meet the preset calling rule if the detection submodule detects that the calling order of the specific system function in the memory calling sequence does not meet the preset calling order;
and the determining submodule is specifically configured to determine that the calling rule corresponding to the memory calling sequence meets the preset calling rule if the detection submodule detects that the calling order of the specific system function in the memory calling sequence meets the preset calling order.
11. The apparatus of claim 9, wherein:
the detection submodule is further configured to detect whether the position of the specific system function in the memory calling sequence meets a preset position;
the determining submodule is further configured to determine that the calling rule corresponding to the memory calling sequence does not meet the preset calling rule if the detection submodule detects that the position of the specific system function in the memory calling sequence does not meet the preset position;
and the determining submodule is specifically configured to determine that the calling rule corresponding to the memory calling sequence meets the preset calling rule if the detection submodule detects that the position of the specific system function in the memory calling sequence meets the preset position.
12. The apparatus of claim 8, further comprising:
a second detection module, configured to detect, when the newly-added behavior information is the port information of a newly-added server listening port, whether the port information matches port information in a preset listening port whitelist, the preset listening port whitelist storing the opened server listening ports in the server cluster and their corresponding port information;
a second determining module, configured to determine that the newly-added behavior information meets a preset newly-added condition if the second detection module detects that the port information matches port information in the preset listening port whitelist; and the second determining module is further configured to determine that the newly-added behavior information does not meet the preset newly-added condition if the second detection module detects that the port information does not match port information in the preset listening port whitelist.
13. The apparatus of claim 12, further comprising:
a collecting unit, configured to collect, during server deployment in the server cluster, the opened server ports and their corresponding port information;
and a construction unit, configured to construct the preset listening port whitelist from the opened server listening ports and their corresponding port information.
14. The apparatus of claim 12, further comprising a correction unit, wherein:
the correction unit is configured to send the preset listening port whitelist to a cloud control center for correction;
and the acquisition unit is further configured to acquire the listening port whitelist corrected by the cloud control center.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
16. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 7 when the computer program is executed by the processor.
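As an added example (not code from the patent or its assignee), the following Python models the decision logic of claims 8 through 14 in one place: the memory call sequence obtained by stack backtracing is checked for the presence, calling order and position of specific system functions, and a newly added listening port is matched against a whitelist built from the ports opened at deployment. The function names, the rule contents, the sample call sequences and the port entries are all constructed for illustration; treating the whitelist check and the calling-rule check as both required before a behavior is released is an assumption, not something the claims state.

```python
"""Toy rule engine modelling the checks in claims 8-14 (an added example,
not the patent's code): the memory-call-sequence check against a preset
calling rule, and the listening-port whitelist check.

A backtraced memory call sequence is modelled as a list of function names,
innermost frame first, as a stack walk started from the hooked system call
would return it. Every function name, rule and sample below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Sequence, Set, Tuple


@dataclass(frozen=True)
class CallRule:
    """Preset calling rule: specific system functions that must appear,
    their preset relative order (innermost first) and preset frame index."""
    required: Tuple[str, ...]
    order: Tuple[str, ...]
    position: Dict[str, int] = field(default_factory=dict)


def has_required(seq: Sequence[str], rule: CallRule) -> bool:
    """Claim 9: every specific system function of the rule is present."""
    return all(fn in seq for fn in rule.required)


def order_ok(seq: Sequence[str], rule: CallRule) -> bool:
    """Claim 10: the named functions occur in the preset calling order
    (first occurrence of each name; a missing name fails the check)."""
    try:
        idx = [seq.index(fn) for fn in rule.order]
    except ValueError:
        return False
    return all(a < b for a, b in zip(idx, idx[1:]))


def position_ok(seq: Sequence[str], rule: CallRule) -> bool:
    """Claim 11: each named function sits at its preset frame index."""
    return all(i < len(seq) and seq[i] == fn for fn, i in rule.position.items())


def evaluate_call_sequence(seq: Sequence[str], rule: CallRule) -> Tuple[str, str]:
    """Run the three checks in turn; the first failing check decides."""
    if not has_required(seq, rule):
        return "block", "specific system function missing from call sequence"
    if not order_ok(seq, rule):
        return "block", "calling order does not match preset order"
    if not position_ok(seq, rule):
        return "block", "function position does not match preset position"
    return "release", "call sequence matches preset calling rule"


@dataclass(frozen=True)
class PortInfo:
    """Port information recorded for one server listening port."""
    port: int
    protocol: str
    process: str


def build_port_whitelist(deployed: Sequence[PortInfo]) -> Set[PortInfo]:
    """Claims 6/13: the ports opened at deployment time form the whitelist."""
    return set(deployed)


def port_whitelisted(info: PortInfo, whitelist: Set[PortInfo]) -> bool:
    """Claims 5/12: the new port's information must match an entry exactly."""
    return info in whitelist


def classify_new_listen(seq: Sequence[str], rule: CallRule,
                        info: PortInfo, whitelist: Set[PortInfo]) -> Tuple[str, str]:
    """Combined verdict for a newly added listening port. Assumption (not
    stated in the claims): both checks must pass before the behavior is released."""
    if not port_whitelisted(info, whitelist):
        return "block", "%s/%d opened by %s is not in the listening-port whitelist" % (
            info.protocol, info.port, info.process)
    return evaluate_call_sequence(seq, rule)


# Constructed rule and whitelist for a hypothetical 'httpd' service.
RULE = CallRule(required=("listen", "srv_open_port", "main"),
                order=("listen", "srv_open_port", "main"),
                position={"listen": 0, "main": 3})
WHITELIST = build_port_whitelist([PortInfo(8080, "tcp", "httpd"),
                                  PortInfo(3306, "tcp", "mysqld")])

# Constructed call sequences, innermost frame first.
NORMAL_SEQ = ["listen", "srv_open_port", "srv_start", "main"]
MISSING_SEQ = ["listen", "handle_request", "srv_start", "main"]  # no srv_open_port
SHIFTED_SEQ = ["listen", "wrapper", "srv_open_port", "srv_start", "main"]  # main at 4
ORDER_SEQ = ["listen", "main", "srv_open_port", "srv_start"]  # main before srv_open_port

if __name__ == "__main__":
    for label, seq, info in (("normal", NORMAL_SEQ, PortInfo(8080, "tcp", "httpd")),
                             ("missing", MISSING_SEQ, PortInfo(8080, "tcp", "httpd")),
                             ("shifted", SHIFTED_SEQ, PortInfo(8080, "tcp", "httpd")),
                             ("order", ORDER_SEQ, PortInfo(8080, "tcp", "httpd")),
                             ("port", NORMAL_SEQ, PortInfo(4444, "tcp", "httpd"))):
        print("%-8s %-8s %s" % ((label,) + classify_new_listen(seq, RULE, info, WHITELIST)))
```

The ordering of the three checks matters for the reason reported, not for the verdict: a sequence that lacks a required function is blocked before its order or position is examined, which mirrors the claims' dependency (claims 10 and 11 refine claim 9). A real deployment would also need the whitelist to carry the protocol and owning process, as the `PortInfo` entries here do, since a port number alone matches any process that happens to bind it.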
CN201811640471.3A 2018-06-26 2018-12-29 Server protection method and device Active CN109753806B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810668277X 2018-06-26
CN201810668277.XA CN108846287A (en) 2018-06-26 2018-06-26 A kind of method and device of detection loophole attack

Publications (2)

Publication Number Publication Date
CN109753806A CN109753806A (en) 2019-05-14
CN109753806B true CN109753806B (en) 2024-01-19

Family

ID=64202031

Family Applications (10)

Application Number Title Priority Date Filing Date
CN201810668277.XA Pending CN108846287A (en) 2018-05-04 2018-06-26 A kind of method and device of detection loophole attack
CN201811645578.7A Pending CN109711172A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811645681.1A Pending CN109766698A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811640471.3A Active CN109753806B (en) 2018-06-26 2018-12-29 Server protection method and device
CN201811640481.7A Active CN109711168B (en) 2018-06-26 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN201811646131.1A Active CN109766701B (en) 2018-06-26 2018-12-29 Processing method and device for abnormal process ending operation and electronic device
CN201811640753.3A Pending CN109829309A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640526.0A Pending CN109726560A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640643.7A Pending CN109829307A (en) 2018-06-26 2018-12-29 Process behavior recognition methods and device
CN201811640231.3A Active CN109871691B (en) 2018-06-26 2018-12-29 Authority-based process management method, system, device and readable storage medium

Country Status (1)

Country Link
CN (10) CN108846287A (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711166B (en) * 2018-12-17 2020-12-11 北京知道创宇信息技术股份有限公司 Vulnerability detection method and device
CN109558730B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Safety protection method and device for browser
CN109800576B (en) * 2018-12-29 2021-07-23 360企业安全技术(珠海)有限公司 Monitoring method and device for unknown program exception request and electronic device
CN112395585B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Database service login method, device, equipment and readable storage medium
CN112395604B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 System monitoring login protection method, client, server and storage medium
CN112398789A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Remote login control method, device, system, storage medium and electronic device
CN112398784B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Method and device for defending vulnerability attack, storage medium and computer equipment
CN112398787B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 Mailbox login verification method and device, computer equipment and storage medium
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN110610086B (en) * 2019-08-30 2021-06-18 北京卓识网安技术股份有限公司 Illegal code identification method, system, device and storage medium
WO2021046811A1 (en) * 2019-09-12 2021-03-18 奇安信安全技术(珠海)有限公司 Attack behavior determination method and apparatus, and computer storage medium
CN110505247B (en) * 2019-09-27 2022-05-17 百度在线网络技术(北京)有限公司 Attack detection method and device, electronic equipment and storage medium
CN111209559B (en) * 2019-12-23 2022-02-15 东软集团股份有限公司 Permission processing method and device of application program, storage medium and electronic equipment
CN111046377B (en) * 2019-12-25 2023-11-14 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111382076B (en) * 2020-03-10 2023-04-25 抖音视界有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN111884884B (en) * 2020-07-31 2022-05-31 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission
CN111859405A (en) * 2020-07-31 2020-10-30 深信服科技股份有限公司 Threat immunization framework, method, equipment and readable storage medium
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment
US20220083644A1 (en) * 2020-09-16 2022-03-17 Cisco Technology, Inc. Security policies for software call stacks
CN112910868A (en) * 2021-01-21 2021-06-04 平安信托有限责任公司 Enterprise network security management method and device, computer equipment and storage medium
CN113392416B (en) * 2021-06-28 2024-03-22 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data
CN113742726A (en) * 2021-08-27 2021-12-03 恒安嘉新(北京)科技股份公司 Program recognition model training and program recognition method, device, equipment and medium
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN115051905A (en) * 2022-07-19 2022-09-13 广东泓胜科技股份有限公司 Port security monitoring and analyzing method, device and related equipment
CN116707929A (en) * 2023-06-16 2023-09-05 广州市玄武无线科技股份有限公司 Mobile phone photographing and faking detection method and device based on call stack information acquisition

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002006928A2 (en) * 2000-07-14 2002-01-24 Vcis, Inc. Computer immune system and method for detecting unwanted code in a computer system
CN101286995A (en) * 2008-05-23 2008-10-15 北京锐安科技有限公司 Long-range control method and system
CN101753377A (en) * 2009-12-29 2010-06-23 吉林大学 p2p_botnet real-time detection method and system
US7891000B1 (en) * 2005-08-05 2011-02-15 Cisco Technology, Inc. Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers
CN102546624A (en) * 2011-12-26 2012-07-04 西北工业大学 Method and system for detecting and defending multichannel network intrusion
CN103631712A (en) * 2013-10-23 2014-03-12 北京信息控制研究所 Modeled software key behavior tracking method based on memory management
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
CN106203092A (en) * 2016-06-30 2016-12-07 北京金山安全软件有限公司 Method and device for intercepting shutdown of malicious program and electronic equipment
CN106411588A (en) * 2016-09-29 2017-02-15 锐捷网络股份有限公司 Network device management method, master device and management server
US9807104B1 (en) * 2016-04-29 2017-10-31 STEALTHbits Technologies, Inc. Systems and methods for detecting and blocking malicious network activity
CN107483274A (en) * 2017-09-25 2017-12-15 北京全域医疗技术有限公司 Service item running state monitoring method and device
CN107959595A (en) * 2016-10-14 2018-04-24 腾讯科技(深圳)有限公司 The method, apparatus and system of a kind of abnormality detection

Family Cites Families (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7546587B2 (en) * 2004-03-01 2009-06-09 Microsoft Corporation Run-time call stack verification
KR100843701B1 (en) * 2006-11-07 2008-07-04 소프트캠프(주) Confirmation method of API by the information at Call-stack
CN101059829A (en) * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analyzing course risk grade
US8117424B2 (en) * 2007-09-21 2012-02-14 Siemens Industry, Inc. Systems, devices, and/or methods for managing programmable logic controller processing
CN101373501B (en) * 2008-05-12 2010-06-02 公安部第三研究所 Method for capturing dynamic behavior aiming at computer virus
US9110801B2 (en) * 2009-02-10 2015-08-18 International Business Machines Corporation Resource integrity during partial backout of application updates
CN103136472B (en) * 2011-11-29 2016-08-31 腾讯科技(深圳)有限公司 A kind of anti-application program steals method and the mobile device of privacy
CN103368904B (en) * 2012-03-27 2016-12-28 百度在线网络技术(北京)有限公司 The detection of mobile terminal, questionable conduct and decision-making system and method
US10037212B2 (en) * 2012-04-20 2018-07-31 Nxp Usa, Inc. Information processing device and method for protecting data in a call stack
CN102750475B (en) * 2012-06-07 2017-08-15 中国电子科技集团公司第三十研究所 Malicious code behavioral value method and system are compared based on view intersection inside and outside virtual machine
CN103778375B (en) * 2012-10-24 2017-11-17 腾讯科技(深圳)有限公司 The apparatus and method for preventing user equipment from loading illegal dynamic link library file
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions
US9519758B2 (en) * 2014-02-04 2016-12-13 Pegasus Media Security, Llc System and process for monitoring malicious access of protected content
CN103761472B (en) * 2014-02-21 2017-05-24 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
US9652328B2 (en) * 2014-05-12 2017-05-16 International Business Machines Corporation Restoring an application from a system dump file
CN105335654B (en) * 2014-06-27 2018-12-14 北京金山安全软件有限公司 Android malicious program detection and processing method, device and equipment
CN104268471B (en) * 2014-09-10 2017-04-26 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
US9721112B2 (en) * 2014-09-29 2017-08-01 Airwatch Llc Passive compliance violation notifications
JP6334069B2 (en) * 2014-11-25 2018-05-30 エンサイロ リミテッドenSilo Ltd. System and method for accuracy assurance of detection of malicious code
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 A kind of behavior treating method and apparatus based on application program
US10614210B2 (en) * 2015-07-31 2020-04-07 Digital Guardian, Inc. Systems and methods of protecting data from injected malware
CN105224862B (en) * 2015-09-25 2018-03-27 北京北信源软件股份有限公司 A kind of hold-up interception method and device of office shear plates
CN105279432B (en) * 2015-10-12 2018-11-23 北京金山安全软件有限公司 Software monitoring processing method and device
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting Shellcode based on stack frame abnormity
WO2017166037A1 (en) * 2016-03-29 2017-10-05 深圳投之家金融信息服务有限公司 Data tampering detection device and method
CN107330320B (en) * 2016-04-29 2020-06-05 腾讯科技(深圳)有限公司 Method and device for monitoring application process
CN105956462B (en) * 2016-06-29 2019-05-10 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment preventing malicious loading driving
CN106201811B (en) * 2016-07-06 2019-03-26 青岛海信宽带多媒体技术有限公司 The fault recovery method and terminal of application program
CN108171056A (en) * 2016-12-08 2018-06-15 武汉安天信息技术有限责任公司 It is a kind of to automate the malicious detection method of judgement sample and device
CN106708734B (en) * 2016-12-13 2020-01-10 腾讯科技(深圳)有限公司 Software anomaly detection method and device
CN108280346B (en) * 2017-01-05 2022-05-31 腾讯科技(深圳)有限公司 Application protection monitoring method, device and system
CN106991324B (en) * 2017-03-30 2020-02-14 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identifying method based on memory protection type monitoring
CN107358071A (en) * 2017-06-07 2017-11-17 武汉斗鱼网络科技有限公司 Prevent the method and device that function illegally calls in Flash application programs
CN107704356B (en) * 2017-06-12 2019-06-28 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer readable storage medium
CN108052431A (en) * 2017-12-08 2018-05-18 北京奇虎科技有限公司 Terminal program exception closing information processing method, device, terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Detection Based on Perflow Packet Count and Entropy;Xuyang Zhu;Hai Zhang;2009 International Conference on Electronic Computer Technology;524-528 *

Also Published As

Publication number Publication date
CN109711168A (en) 2019-05-03
CN109753806A (en) 2019-05-14
CN109871691B (en) 2021-07-20
CN108846287A (en) 2018-11-20
CN109829307A (en) 2019-05-31
CN109766701B (en) 2021-04-27
CN109711168B (en) 2021-01-15
CN109829309A (en) 2019-05-31
CN109871691A (en) 2019-06-11
CN109726560A (en) 2019-05-07
CN109711172A (en) 2019-05-03
CN109766698A (en) 2019-05-17
CN109766701A (en) 2019-05-17

Similar Documents

Publication Publication Date Title
CN109753806B (en) Server protection method and device
US10467406B2 (en) Methods and apparatus for control and detection of malicious content using a sandbox environment
US8959641B2 (en) Foiling a document exploit attack
KR101265173B1 (en) Apparatus and method for inspecting non-portable executable files
EP3462358B1 (en) System and method for detection of malicious code in the address space of processes
US9183392B2 (en) Anti-malware tool for mobile apparatus
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
US10839074B2 (en) System and method of adapting patterns of dangerous behavior of programs to the computer systems of users
US10055251B1 (en) Methods, systems, and media for injecting code into embedded devices
CN102984134B (en) Safety defense system
CN109784051B (en) Information security protection method, device and equipment
US11003772B2 (en) System and method for adapting patterns of malicious program behavior from groups of computer systems
CN102984135B (en) Safety defense method, equipment and system
US9785775B1 (en) Malware management
CN110348180B (en) Application program starting control method and device
CN112395603B (en) Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN105791221B (en) Rule issuing method and device
CN114417326A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN106203189A (en) Equipment data acquisition method and device and terminal equipment
WO2014123314A1 (en) System and method for tracking remote access server accessed by mallicious code
CN113504971B (en) Security interception method and system based on container
CN116738427B (en) Terminal safety protection method, device, equipment and storage medium
US11886585B1 (en) System and method for identifying and mitigating cyberattacks through malicious position-independent code execution
EP3522058B1 (en) System and method of creating antivirus records
CN117914582A (en) Method, device, equipment and storage medium for detecting process hollowing attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant