CN110516444B - Cross-terminal and cross-version Root attack detection and protection system based on kernel - Google Patents


Info

Publication number
CN110516444B
Authority
CN
China
Prior art keywords
root
attack
module
monitoring
subsystem
Prior art date
Legal status
Active
Application number
CN201910664335.6A
Other languages
Chinese (zh)
Other versions
CN110516444A (en)
Inventor
李冬芬
杨雅茗
刘明哲
陈金莲
Current Assignee
Chengdu University of Technology
Original Assignee
Chengdu University of Technology
Priority date
2019-07-23
Filing date
2019-07-23
Publication date
2023-04-07
Application filed by Chengdu University of Technology
Priority to CN201910664335.6A
Publication of CN110516444A
Application granted
Publication of CN110516444B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a kernel-based cross-terminal, cross-version Root attack detection and protection system. It comprises a Root monitoring subsystem that monitors and detects Root attacks; a Root protection subsystem, connected to the Root monitoring subsystem, that stops the Root attack through system management; and a private data protection module, connected to the Root protection subsystem, that hides the private data a malicious program attempts to read. The Root monitoring subsystem comprises a monitoring control module for monitoring Root attacks, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module, each connected to the monitoring control module. Through this scheme the system protects the Android system when a malicious program mounts a Root attack, and it has high practical and promotional value.

Description

Cross-terminal and cross-version Root attack detection and protection system based on kernel
Technical Field
The invention belongs to the technical field of Android and in particular relates to a kernel-based cross-terminal, cross-version Root attack detection and protection system.
Background
With the continuous development of science and technology, smartphones have become deeply embedded in people's lives. As the representative mobile operating system, Android held 86.4% of the Chinese smartphone market by the first quarter of 2017. At the same time, Root attacks on Android are increasing day by day, and an Android system compromised by a Root attack often suffers information leakage, which is very harmful to the user. Moreover, if one phone of a given Android version and brand is successfully Root-attacked, other phones of the same Android version and brand are very likely to be attacked as well, so both users and phone manufacturers suffer. How to detect a Root attack, so as to warn other Android users, and how to prevent Root attacks by malicious programs is therefore an urgent problem for those skilled in the art.
Disclosure of Invention
The invention aims to provide a kernel-based cross-terminal, cross-version Root attack detection and protection system, and mainly solves the prior-art problem that Root attacks by malicious programs cause losses to Android users and developers.
To achieve this purpose, the technical scheme adopted by the invention is as follows:
the kernel-based cross-terminal, cross-version Root attack detection and protection system comprises a Root monitoring subsystem that monitors and detects Root attacks; a Root protection subsystem, connected to the Root monitoring subsystem, that stops the Root attack through system management; and a private data protection module, connected to the Root protection subsystem, that hides the private data a malicious program attempts to read. The Root monitoring subsystem comprises a monitoring control module for monitoring Root attacks, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module, each connected to the monitoring control module; the Root protection subsystem is connected to the process operation monitoring module.
Further, the Root protection subsystem comprises an attack behavior recording module for recording Root attacks; an attack pattern receiving module for receiving the monitoring results of the Root monitoring subsystem; an attack pattern extraction module and an attack pattern database, located in the cloud, which respectively receive the feedback of the attack behavior recording module and of the attack pattern receiving module on the phone; an attack pattern comparison module that receives from the attack pattern receiving module; and an attack pattern interception module connected to the attack pattern comparison module.
Compared with the prior art, the invention has the following beneficial effects:
(1) The method is based on the Android kernel: the Root attack is detected and intercepted at the kernel layer, the behavioral characteristics of the Root attack are mined by analyzing its behavior, the attack pattern is extracted and uploaded to the cloud, and the Root attack pattern database is updated for other Android phone users to download and use, so that the pattern can be recognized and defended against in time. The Root Defender provides a private data protection function that adopts an active response: it supplies false data to the attacker by forging and hiding the user's private data, thereby protecting that data to the greatest extent. The invention detects, intercepts and defends against known Root attack behavior, effectively protecting the security of user information; it learns unknown Root behavior, effectively preventing further damage to the information security of more users; and for a user already attacked by Root, the system can still prevent further harm and protect the user's information. The Root Defender supports cross-terminal and cross-version protection against Root attacks, and so protects the Android system well.
(2) The invention detects Root attacks through the Root monitoring subsystem: the monitoring control module, an APK with the Root function, detects the Root behavior of the phone, and can effectively detect Root behavior and display the record of Root attack behavior. After the Root monitoring subsystem detects attack behavior, the Root attack behavior recording module in the Root protection subsystem records the detected behavior and uploads it to the cloud for analysis and extraction. The Root attack pattern extraction module analyzes the core behavior of the Root attack and extracts the attack pattern, so that Root attack behavior can be analyzed, extracted and recorded. The Root attack pattern database is a database of known Root attack patterns gathered in the cloud and can contain all known Root attack patterns. The Root attack pattern receiving module downloads the new Root attack behavior database to the various clients and replaces the old database. The Root attack pattern interception module can effectively intercept Root behavior when a known attack pattern occurs.
(3) The Root Defender provides each Android mobile terminal with a complete 'nurse-style service' that detects malicious Root attack programs, intercepts them and protects private data; it identifies the attack behavior of a malicious Root program, prompts the user about it, and protects every user of the system against malicious Root programs operating on their private data.
(4) In the current stage of the private data protection module, after the Root monitoring subsystem detects Root attack behavior, the private data that the malicious program wants to read is hidden, the malicious program receives no response, or fake data is shown to the malicious program, so that the Android system is protected.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention.
Detailed Description
The present invention is further illustrated by the following figures and examples; the invention includes, but is not limited to, these examples.
Examples
As shown in FIG. 1, the kernel-based cross-terminal, cross-version Root attack detection and protection system includes a Root monitoring subsystem that monitors and detects Root attacks; a Root protection subsystem, connected to the Root monitoring subsystem, that terminates the Root attack through system administration; and a private data protection module, connected to the Root protection subsystem, that hides the private data a malicious program wants to read.
The Root attack detection and protection system is realized in two phases, detection and protection. The specific steps of Root attack detection are as follows:
Early preparation: the cfg of the monitoring control module in the Root monitoring subsystem obtains the uid of the APK to be monitored, maintains a dynamic linked list of the pids of the processes created by that uid, and filters out content that does not need to be monitored.
The first step: once the monitoring control module is running, the file operation monitoring module is executed. First, a user call to the sys_ioctl system call obtains the uid and pid of the current process. If the uid is the designated uid, the operation timestamp is recorded, the d_path function is called to find the file path from the file descriptor fd and the path is recorded, and the command to the device obtained from the parameter cmd is recorded; the log file.log opened by the program is then written, and if the write to file.log succeeds, orig_sys_ioctl is executed, its return value is saved, the integrity check is performed, the orig_sys_ioctl return value is returned, and execution finishes.
The second step: if the uid is not the designated uid but the pid is in the monitoring list, execution completes normally as in the first step. If the pid is not in the monitoring list, orig_sys_ioctl is executed, its return value is saved, the orig_sys_ioctl return value is returned, and execution finishes.
The third step: if opening the log file.log failed in the first step, file.log is created, the record is written to it, and execution finishes.
The fourth step: a user call to the sys_fchmodat system call obtains the uid and pid of the current process. If the uid is the designated uid, the operation timestamp is recorded, the changed read/write/execute attributes obtained from the parameter mode are recorded, and, if pathname is an absolute path, the file path of the target file or folder is recorded; if file.log opens successfully it is written, orig_sys_fchmodat is executed, its return value is saved, the integrity check is performed, and the orig_sys_fchmodat return value is returned.
The fifth step: if the uid is not the designated uid but the pid is in the monitoring list, the operation timestamp is recorded and execution completes as described above. If the pid is not in the monitoring list, orig_sys_fchmodat is executed, its return value is saved, the orig_sys_fchmodat return value is returned, and execution finishes.
The sixth step: if pathname in the fourth step is not an absolute path, the dirfd function is called to find the directory path from the directory file descriptor dfd, the file path of the target file or folder is recorded, and then the log file.log is opened.
The seventh step: if opening file.log failed in the fourth step, file.log must be created and written, and execution finishes.
The eighth step: a user call to the sys_lseek system call obtains the uid and pid of the current process. If the uid is the designated uid, the operation timestamp is recorded, the in-file offset obtained from the parameter offset is recorded, the seek origin obtained from the parameter whence is recorded, and the d_path function is called to find the file path from the file descriptor fd and record it. The log file.log is opened; if this succeeds, file.log is written, orig_sys_lseek is executed, its return value is saved, the integrity check is performed, the orig_sys_lseek return value is returned, and execution finishes.
The ninth step: as in the second and third steps, with orig_sys_lseek as the original call.
The tenth step: after the monitoring control main module and the file operation monitoring module have run, the process operation monitoring module runs. A user call to sys_execute first obtains the uid and pid of the current process; if the uid is the designated uid, the operation timestamp is recorded, the file path obtained from the parameter filename, the execution arguments obtained from the parameter argv and the execution environment variables obtained from the parameter envp are recorded, and the log proc.log is opened. If proc.log opens successfully, it is written.
The eleventh step: if in the tenth step the uid is not the designated uid but the pid is in the monitoring list, execution completes normally. If the pid is not in the monitoring list, orig_sys_execute is executed, the orig_sys_execute return value is returned, and execution finishes.
The twelfth step: if opening proc.log failed in the tenth step, proc.log is created and execution finishes.
The thirteenth step: after the user calls the sys_setup system call, the uid and pid of the current process are obtained and saved, orig_sys_setup is executed and its return value saved; if the uid is the designated uid, the operation timestamp is recorded, the remote uid of the current process and the new uid are recorded, and the log proc.log is opened.
The fourteenth step: if the uid is not the designated uid but the pid is in the monitoring list, execution completes normally. If the pid is not in the monitoring list, the orig_sys_setup return value is returned directly and execution finishes.
The fifteenth step: after a user calls the sys_mmap system call, kernel space obtains the uid and pid of the current process, executes orig_sys_mmap and saves its return value; if the uid is the designated uid, the operation timestamp is recorded, the start address obtained from the parameter addr, the memory protection flags and the mapping type obtained from the parameters prot and flags, and the file path obtained from the parameters fd and offset together with the start position of the mapping within the file are recorded, and the log memory.log is opened.
The sixteenth step: if the uid is not the designated uid but the pid is in the monitoring list, execution completes normally. If the pid is not in the monitoring list, the orig_sys_mmap return value is returned directly and execution finishes. If opening memory.log failed, memory.log is created and execution finishes.
The seventeenth step: a user call to the sys_mprotect system call obtains the uid and pid of the current process, orig_sys_mprotect is executed and its return value saved; if the uid is the designated uid, the operation timestamp is recorded, the memory region start address obtained from the parameter start, and the region length and memory protection flags obtained from the parameters len and prot are recorded, and the log memory.log is opened.
The eighteenth step: if the uid is not the designated uid but the pid is in the monitoring list, execution completes normally. If the pid is not in the monitoring list, the orig_sys_mprotect return value is returned directly and execution finishes.
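Every one of the eighteen detection steps follows the same dispatch pattern: obtain uid and pid, decide whether to record, write a log, then hand over to the saved original handler and pass its return value back. The following Python model writes that pattern out in user space; it is an added example, not the patent's kernel module. The names MonitorConfig, HookedSyscalls, should_log and fd_paths are my own, the fd_paths table stands in for the kernel's d_path/dirfd lookups, the orig callables stand in for the orig_sys_* handlers, and the text's sys_execute and sys_setup are taken to be execve and setuid (an assumption).

```python
"""User-space model of the hook dispatch logic shared by the detection steps.

Added example, not the patent's kernel module: each method stands in for a
replaced syscall handler, the 'orig' callable for the saved original handler
(orig_sys_*), and records go to in-memory lists named after file.log,
proc.log and memory.log. 'sys_execute' and 'sys_setup' in the translated
text are taken here to be execve and setuid (an assumption).
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class MonitorConfig:
    """The 'cfg' of the early-preparation step: the uid under watch and the
    dynamic list of pids of processes that uid has created."""
    monitored_uid: int
    pids: List[int] = field(default_factory=list)

    def track_child(self, parent_uid: int, child_pid: int) -> None:
        # Only children of the monitored uid enter the list; everything else
        # is filtered out as content that does not need monitoring.
        if parent_uid == self.monitored_uid and child_pid not in self.pids:
            self.pids.append(child_pid)


@dataclass
class Record:
    syscall: str
    uid: int
    pid: int
    args: Dict[str, object]
    ts: float                      # the operation timestamp of each step


class HookedSyscalls:
    # Which log each hooked call writes to (file, process and memory monitoring).
    LOG_OF = {"ioctl": "file.log", "fchmodat": "file.log", "lseek": "file.log",
              "execve": "proc.log", "setuid": "proc.log",
              "mmap": "memory.log", "mprotect": "memory.log"}

    def __init__(self, cfg: MonitorConfig, fd_paths: Dict[int, str]):
        self.cfg = cfg
        self.fd_paths = fd_paths       # stand-in for the kernel's d_path()/dirfd lookups
        self.logs: Dict[str, List[Record]] = {}   # a log is created on its first write

    def should_log(self, uid: int, pid: int) -> bool:
        # First/second step: the designated uid is always logged; another uid
        # is logged only while its pid sits in the dynamic monitoring list.
        return uid == self.cfg.monitored_uid or pid in self.cfg.pids

    def _call(self, name: str, uid: int, pid: int, log_args: Dict[str, object],
              run: Callable[[], int]) -> int:
        if self.should_log(uid, pid):
            rec = Record(name, uid, pid, log_args, time.time())
            self.logs.setdefault(self.LOG_OF[name], []).append(rec)
        return run()   # the original handler always runs; its return value is passed back

    def ioctl(self, uid, pid, fd, cmd, orig):
        args = {"fd": fd, "path": self.fd_paths.get(fd), "cmd": cmd}
        return self._call("ioctl", uid, pid, args, lambda: orig(fd, cmd))

    def fchmodat(self, uid, pid, dfd, pathname, mode, orig):
        # Fourth/sixth step: an absolute pathname is logged as-is, a relative
        # one is resolved against the directory behind dfd.
        path = pathname if pathname.startswith("/") else f"{self.fd_paths[dfd]}/{pathname}"
        args = {"path": path, "mode": oct(mode)}
        return self._call("fchmodat", uid, pid, args, lambda: orig(dfd, pathname, mode))

    def execve(self, uid, pid, filename, argv, envp, orig):
        args = {"filename": filename, "argv": list(argv), "envp": list(envp)}
        return self._call("execve", uid, pid, args, lambda: orig(filename, argv, envp))

    def setuid(self, uid, pid, new_uid, orig):
        # Thirteenth step: both the current and the new uid are recorded.
        args = {"old_uid": uid, "new_uid": new_uid}
        return self._call("setuid", uid, pid, args, lambda: orig(new_uid))

    def mprotect(self, uid, pid, start, length, prot, orig):
        args = {"start": hex(start), "len": length, "prot": prot}
        return self._call("mprotect", uid, pid, args, lambda: orig(start, length, prot))


def demo() -> Dict[str, List[Record]]:
    """Drive the hooks with constructed calls and return the resulting logs."""
    cfg = MonitorConfig(monitored_uid=10042)            # constructed app uid
    cfg.track_child(10042, 2001)                        # child of the watched uid: tracked
    cfg.track_child(1000, 7)                            # another uid's child: filtered out
    hooks = HookedSyscalls(cfg, {3: "/data/data/com.example.app/files",   # constructed
                                 5: "/dev/block/mmcblk0"})

    def ok(*_args) -> int:                              # original handlers report success
        return 0

    hooks.ioctl(10042, 2000, 5, 0x1234, ok)
    hooks.fchmodat(0, 2001, 3, "native_lib.so", 0o755, ok)   # pid 2001 is listed: logged
    hooks.execve(0, 9, "/system/bin/sh", ["sh"], [], ok)     # untracked: passes through
    hooks.setuid(10042, 2000, 0, ok)
    hooks.mprotect(10042, 2000, 0x7F00000000, 4096, 7, ok)
    return hooks.logs


if __name__ == "__main__":
    for log_name, recs in demo().items():
        print(log_name, [(r.syscall, r.pid, r.args) for r in recs])
```

The point the model makes explicit is that the decision is a pure function of (uid, pid) against the configuration, so a process that drops its uid to 0 after being spawned by the monitored app is still logged because its pid is already in the list; the original handler is always invoked, so the hook observes but never changes syscall semantics.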
The specific steps by which the Root protection subsystem realizes protection are as follows:
The first step: the information detected by the Root monitoring subsystem is recorded and uploaded by the Root attack pattern uploading module (the attack behavior recording module actually performs the recording and uploading). The uploading module runs locally: it extracts the characteristics of the Root program's .so file and records and uploads the Root attack behavior. The .so file is run by calling dlopen(xxx.so), and the .so file that was used is saved and uploaded to the cloud.
The second step: the attack behavior recording module records the uploaded information and the attack pattern extraction module extracts attack features. During file operations a piece of malware performs a random file access sequence: it first modifies the timestamp, then randomly modifies the file's path, performs an in-file offset operation, and finally performs a network operation to transmit the file. This sequence of actions is monitored and recorded by the system, and the recorded attack behavior is uploaded to the cloud so that it can be retrieved and compared once all mobile terminals are connected. After the application process has been detected as malicious Root software, the contents of the software's ELF file are extracted: the Section header table, which stores information about the file sections of the application process, is extracted from the ELF file, and fields such as the section name and section size that can serve as features for identifying a malicious process are taken from it. The extracted ELF file features are uploaded to the cloud and retrieved and compared after all mobile terminals are connected.
The third step: the attack features extracted by the attack pattern extraction module are compared, and the program intercepted, by the attack pattern comparison module. The Root Defender in the attack pattern comparison module can intercept attacks by malicious Root software. It records each step of the attack behavior of the currently running software, extracts the attack pattern, compares the cloud pattern with the local pattern, and at the moment when all of the malicious behaviors have occurred compares the feature information in the ELF Section header table; if the similarity is high, the program is intercepted immediately and terminated. If, as soon as the software is installed, the feature information in the Section header table of its ELF file is compared with the corresponding information in the cloud and the similarity is extremely high, the software is removed directly and cannot perform any malicious behavior.
The fourth step: the private data protection module belongs to the privacy protection subsystem but operates together with the Root protection subsystem. While recording attack behaviors, the attack behavior recording module notifies the private data protection module located in the framework layer. The private data protection module modifies the corresponding key functions to forge the key private data, so that an attacker either cannot read the data or reads only forged private data, and the Root attack is thereby defended against.
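The second and third protection steps, extracting features from the ELF Section header table and scoring them against cloud patterns, as an added Python example that is not the patent's code. Since there is no real .so to hand, the block constructs a minimal ELF64 image in memory and parses it the way a real file would be parsed; it takes section name and size as the features, as the text describes, and uses a Jaccard similarity with a threshold of 0.8. The functions build_elf64, section_features, similarity and verdict, the pattern id and the threshold are all my assumptions.

```python
"""Section-header feature extraction and cloud-pattern comparison.

Added example modelled on the second and third protection steps; not the
patent's code. It builds a tiny ELF64 image in memory (constructed input,
not a real .so), parses its Section header table, turns section names and
sizes into a feature set, and scores it against a constructed 'cloud'
database with a Jaccard similarity and an assumed threshold of 0.8.
"""
import struct
from typing import Dict, List, Optional, Tuple

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
SHDR = "<IIQQQQIIQQ"            # Elf64_Shdr
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3


def build_elf64(sections: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal ELF64 image that carries only a section header table."""
    shstr, name_off = b"\x00", {}
    for name, _ in sections + [(".shstrtab", b"")]:
        name_off[name] = len(shstr)
        shstr += name.encode() + b"\x00"
    body_start = struct.calcsize(ELF_HDR)
    body = b""
    hdrs = [(0, SHT_NULL, 0, 0)]          # mandatory null section header
    for name, data in sections:
        hdrs.append((name_off[name], SHT_PROGBITS, body_start + len(body), len(data)))
        body += data
    hdrs.append((name_off[".shstrtab"], SHT_STRTAB, body_start + len(body), len(shstr)))
    body += shstr
    shoff = body_start + len(body)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9       # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF_HDR, ident, 3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0,
                       struct.calcsize(SHDR), len(hdrs), len(hdrs) - 1)  # ET_DYN, AArch64
    shdrs = b"".join(struct.pack(SHDR, n, t, 0, 0, off, size, 0, 0, 1, 0)
                     for n, t, off, size in hdrs)
    return ehdr + body + shdrs


def section_features(image: bytes) -> Dict[str, int]:
    """Walk the Section header table and return {section name: section size}."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e = struct.unpack_from(ELF_HDR, image, 0)
    shoff, shentsize, shnum, shstrndx = e[6], e[11], e[12], e[13]
    # Bounds checks: a hostile file may point the table past the end of the image.
    if shentsize != struct.calcsize(SHDR) or shoff + shnum * shentsize > len(image):
        raise ValueError("section header table out of bounds")
    if shstrndx >= shnum:
        raise ValueError("bad e_shstrndx")
    raw = [struct.unpack_from(SHDR, image, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]
    if str_off + str_size > len(image):
        raise ValueError("section name table out of bounds")
    strtab = image[str_off:str_off + str_size]
    feats: Dict[str, int] = {}
    for sh in raw[1:]:                        # index 0 is the null section
        end = strtab.index(b"\x00", sh[0])
        feats[strtab[sh[0]:end].decode("ascii", "replace")] = sh[5]
    return feats


def similarity(a: Dict[str, int], b: Dict[str, int]) -> float:
    """Jaccard similarity over (name, size) pairs: 1.0 means identical tables."""
    sa, sb = set(a.items()), set(b.items())
    return len(sa & sb) / len(sa | sb) if sa or sb else 0.0


def verdict(feats: Dict[str, int], cloud_db: Dict[str, Dict[str, int]],
            threshold: float = 0.8) -> Tuple[str, Optional[str]]:
    """Compare against every known pattern; intercept when the best match is high."""
    best_score, best_id = 0.0, None
    for pattern_id, known in cloud_db.items():
        score = similarity(feats, known)
        if score > best_score:
            best_score, best_id = score, pattern_id
    return ("intercept", best_id) if best_score >= threshold else ("allow", None)


# Constructed sample layout standing in for a pattern already in the cloud database.
KNOWN = section_features(build_elf64([(".text", b"\x1f\x20\x03\xd5" * 8),
                                      (".rodata", b"ok"), (".data", b"\x00" * 8)]))
CLOUD_DB = {"pattern-0001": KNOWN}        # placeholder pattern id


if __name__ == "__main__":
    sample = build_elf64([(".text", b"\x1f\x20\x03\xd5" * 8),
                          (".rodata", b"ok"), (".data", b"\x00" * 8)])
    print(section_features(sample), verdict(section_features(sample), CLOUD_DB))
```

Two design points matter in practice. The parser validates e_shoff, e_shnum, e_shentsize and e_shstrndx before indexing, because the file under analysis is by definition untrusted and a crafted header table would otherwise crash the analyzer rather than the malware. And the similarity is computed over (name, size) pairs rather than names alone, so a rebuilt binary with the same section names but different sizes scores lower, which is the "high similarity" criterion the third step relies on.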
The above embodiments are only preferred embodiments of the present invention and are not intended to limit its scope; all changes made by applying the principles of the present invention and performing non-inventive work on that basis fall within the scope of the present invention.

Claims (1)

1. The kernel-based cross-terminal cross-version Root attack detection and protection system is characterized by comprising a Root monitoring subsystem for monitoring and detecting Root attacks, a Root protection subsystem which is connected with the Root monitoring subsystem and terminates the Root attack through system management, and a private data protection module which is connected with the Root protection subsystem and hides private data that a malicious program attempts to read; the Root monitoring subsystem comprises a monitoring control module for monitoring Root attacks, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module which are respectively connected with the monitoring control module, wherein the Root protection subsystem is connected with the process operation monitoring module;
the Root protection subsystem comprises an attack behavior recording module for recording Root attack, an attack mode receiving module for receiving the monitoring condition of the Root monitoring subsystem, an attack mode extracting module and an attack mode database which are respectively used for receiving feedback information of the attack behavior recording module and the attack mode receiving module at a mobile phone end, an attack mode comparing module for receiving the attack mode receiving module and an attack mode intercepting module connected with the attack mode comparing module;
the specific steps of the Root protection subsystem for realizing protection are as follows:
the first step is as follows: information detected by the Root monitoring subsystem is recorded by the attack behavior recording module and uploaded to the cloud;
the second step is that: the attack behavior recording module records the uploaded information and the attack pattern extraction module extracts attack characteristics;
the third step: the attack features extracted by the attack pattern extraction module are compared and intercepted by the attack pattern comparison module;
the fourth step: the private data protection module and the Root protection subsystem operate together, the attack behavior recording module can inform the private data protection module located on a frame layer while recording attack behaviors, and the private data protection module modifies corresponding key functions to forge key private data, so that an attacker cannot read or read forged private data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910664335.6A CN110516444B (en) 2019-07-23 2019-07-23 Cross-terminal and cross-version Root attack detection and protection system based on kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910664335.6A CN110516444B (en) 2019-07-23 2019-07-23 Cross-terminal and cross-version Root attack detection and protection system based on kernel

Publications (2)

Publication Number Publication Date
CN110516444A CN110516444A (en) 2019-11-29
CN110516444B true CN110516444B (en) 2023-04-07

Family

ID=68623861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910664335.6A Active CN110516444B (en) 2019-07-23 2019-07-23 Cross-terminal and cross-version Root attack detection and protection system based on kernel

Country Status (1)

Country Link
CN (1) CN110516444B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797067B (en) * 2020-09-10 2020-12-08 北京志翔科技股份有限公司 Method and device for acquiring file path for file read-write operation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9825989B1 (en) * 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877039A (en) * 2009-11-23 2010-11-03 浪潮电子信息产业股份有限公司 Fault detection technology of server operating system
CN102222194A (en) * 2011-07-14 2011-10-19 哈尔滨工业大学 Module and method for LINUX host computing environment safety protection
CN103561004B (en) * 2013-10-22 2016-10-12 西安交通大学 Cooperating type Active Defending System Against based on honey net
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system
CN107016283B (en) * 2017-02-15 2019-09-10 中国科学院信息工程研究所 Android privilege-escalation attack safety defense method and device based on integrity verification
CN106921666B (en) * 2017-03-06 2020-10-02 中山大学 DDoS attack defense system and method based on cooperative theory
CN107204982B (en) * 2017-06-13 2019-02-05 成都四方伟业软件股份有限公司 Interactive data system universal safety guard system
CN108347430B (en) * 2018-01-05 2021-01-12 国网山东省电力公司济宁供电公司 Network intrusion detection and vulnerability scanning method and device based on deep learning
CN108197468A (en) * 2018-01-25 2018-06-22 郑州云海信息技术有限公司 A kind of Intranet attack intelligent protection system of mobile memory medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant