CN111090855A - Intrusion detection method and device based on Linux host - Google Patents

Intrusion detection method and device based on Linux host

Info

Publication number
CN111090855A
Authority
CN
China
Prior art keywords
hook
intrusion
network
behavior
intrusion detection
Prior art date
Legal status
Pending
Application number
CN201911363006.4A
Other languages
Chinese (zh)
Inventor
王彦杰
胡建勋
肖树根
Current Assignee
Zhongke Information Security Common Technology National Engineering Research Center Co ltd
Original Assignee
Zhongke Information Security Common Technology National Engineering Research Center Co ltd
Priority date
Filing date
Publication date
Application filed by Zhongke Information Security Common Technology National Engineering Research Center Co ltd
Priority to CN201911363006.4A
Publication of CN111090855A
Priority claimed by PCT/CN2020/127778 (WO2021129201A1)
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A Linux host-based intrusion detection method is characterized in that three HOOK monitors, namely a network HOOK monitor, a process HOOK monitor and a file HOOK monitor, are started in the Linux kernel layer; they respectively discover intrusion from the network layer, discover intrusion executed through processes, and analyze the malicious behavior of matched files. Whenever the feature matching module finds a match in any one of the network, process or file feature libraries, the matched behavior is regarded as an intrusion and is reported to the intrusion detection management center. The method and device have the advantage of overcoming the technical defects of insufficient timeliness and low sensitivity in host-based detection, and effectively improve the timeliness and sensitivity of host-based detection.

Description

Intrusion detection method and device based on Linux host
Technical Field
The invention relates to the technical field of intrusion detection, in particular to an intrusion detection method and device based on a Linux host.
Background
With the development of network technology, hacker attack methods have become more and more comprehensive. Network attacks cannot be fully resisted by relying only on access control equipment such as firewalls: firewall technology has exposed obvious defects and weaknesses, it cannot find security backdoors, and it cannot find attacks originating inside the network. An intrusion detection system can make up for the defects of the firewall and provide real-time intrusion detection for network security, including evidence recording and intrusion tracking. Intrusion detection collects and analyzes information from key points of a computer network or computer system in order to discover behavior and signs of attack in the network or system that violate security policies. According to the information source, it can be divided into host-based intrusion detection and network-based intrusion detection. Host-based intrusion detection generally detects only intrusions on the host itself, and its input data mainly comes from the system's audit logs, network connections, process information and the like. Current host-based intrusion detection is relatively accurate, but because it detects only after the intrusion has occurred it is not timely enough, and its sensitivity to intrusions is not high.
Disclosure of Invention
The invention provides an intrusion detection method and device based on a Linux host, aiming at the defects of the prior art, and the technical defects of insufficient timeliness and low sensitivity existing in the detection based on the host are overcome by the application of the method and device.
Based on the aim of the invention, the invention provides an intrusion detection device based on a Linux host, which comprises an intrusion detection management center, a network HOOK monitor, a process HOOK monitor, a file HOOK monitor, a feature matching module, a network attack behavior feature library, a process malicious behavior feature library and a file malicious behavior feature library, wherein the intrusion detection management center is connected with the network HOOK monitor;
the intrusion detection management center is mainly responsible for managing and maintaining a network attack behavior feature library, a process malicious behavior feature library and a file malicious behavior feature library and receiving intrusion behaviors discovered by the feature matching module;
the network HOOK monitor monitors network activities of a network connected to a Linux host and transmits monitoring data to the feature matching module;
the process HOOK monitor is mainly used for monitoring the creation of a system process and transmitting monitoring data to a feature matching module;
the file HOOK monitor is mainly used for monitoring read and write operations on specific files, such as system log files, application log files and login logs, and on directories, and transmits the monitoring data to the feature matching module;
the characteristic matching module is mainly used for processing data from a network HOOK monitor, a process HOOK monitor and a file HOOK monitor, finding an intrusion behavior by matching a corresponding behavior characteristic library and reporting the intrusion behavior to an intrusion detection management center;
the network attack behavior characteristic library is used for storing network attack behavior characteristics based on a host and is managed and maintained by an intrusion detection management center; the process malicious behavior feature library is used for storing process malicious behaviors and is managed and maintained by an intrusion detection management center; and the file malicious behavior feature library is used for storing malicious behavior features based on a system and an application and is managed and maintained by an intrusion detection management center.
Further, the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN.
Further, the process HOOK monitor registers a HOOK point on the do_fork() function.
Further, the file HOOK monitor registers HOOK points on the read() and write() functions.
Based on the technical purpose of the invention, the invention also provides an intrusion detection method based on the Linux host, which comprises the following steps:
step one: when the Linux host is started, the intrusion detection management center, the network HOOK monitor, the process HOOK monitor, the file HOOK monitor and the feature matching module are started along with the kernel module;
step two: the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN; when a network connection reaches the host, the registered HOOK points are triggered and the feature matching module is called to match against the network attack behavior feature library, so that intrusion behavior based on unauthorized access over any network protocol or on abnormal access data of a specific network protocol is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step three: the process HOOK monitor registers a HOOK point on the do_fork() function; when a process is created, the registered HOOK point is triggered and the feature matching module is called to match against the process malicious behavior feature library, so that command-based intrusion behavior is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step four: the file HOOK monitor registers HOOK points on the read() and write() functions; when a file is read or modified on the host, the registered HOOK points are triggered and the feature matching module is called to match against the file malicious behavior feature library, so that intrusion behaviors such as command execution and illegal logins are monitored and found; when intrusion behavior is found, execution proceeds to step five;
step five: after finding intrusion behavior, the feature matching module reports it to the intrusion detection management center;
step six: the intrusion detection management center issues an early warning for the intrusion behavior.
The technical scheme of the invention has the beneficial effects that: the method and the device solve the technical defects of insufficient timeliness and low sensitivity existing in the detection based on the host, and effectively improve the timeliness and the sensitivity of the detection based on the host.
Drawings
Fig. 1 is a schematic layout diagram of an intrusion detection device based on a Linux host according to the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood by those skilled in the art, the present invention will be further described in detail with reference to specific examples.
The basic principle of the invention is as follows: three HOOK monitors, namely a network HOOK monitor, a process HOOK monitor and a file HOOK monitor, are started in the Linux kernel layer. The network HOOK monitor is mainly used for monitoring the network activity of connections made to the Linux host; it calls the feature matching module to analyze and match unauthorized network connections and so discovers intrusion from the network layer. The process HOOK monitor is mainly used for monitoring the creation of system processes; it calls the feature matching module to analyze and match against the process malicious behavior feature library and so discovers intrusion executed through processes. The file HOOK monitor monitors read and write operations on specific files, such as system log files, application log files and login logs, and on directories; it calls the feature matching module to analyze and match against the file malicious behavior feature library. Whenever the feature matching module finds a match in any one of the network, process or file feature libraries, the matched behavior is regarded as an intrusion and is reported to the intrusion detection management center.
The technical solution of the present invention is described in further detail as follows.
As shown in fig. 1, the present invention provides an intrusion detection device based on a Linux host, where the intrusion detection device includes an intrusion detection management center, a network HOOK monitor, a process HOOK monitor, a file HOOK monitor, a feature matching module, a network attack behavior feature library, a process malicious behavior feature library, and a file malicious behavior feature library;
the intrusion detection management center is mainly responsible for managing and maintaining a network attack behavior feature library, a process malicious behavior feature library and a file malicious behavior feature library and receiving intrusion behaviors discovered by the feature matching module;
the network HOOK monitor monitors network activities of a network connected to a Linux host and transmits monitoring data to the feature matching module;
the process HOOK monitor is mainly used for monitoring the creation of a system process and transmitting monitoring data to a feature matching module;
the file HOOK monitor is mainly used for monitoring read and write operations on specific files, such as system log files, application log files and login logs, and on directories, and transmits the monitoring data to the feature matching module;
the characteristic matching module is mainly used for processing data from a network HOOK monitor, a process HOOK monitor and a file HOOK monitor, finding an intrusion behavior by matching a corresponding behavior characteristic library and reporting the intrusion behavior to an intrusion detection management center;
the network attack behavior characteristic library is used for storing network attack behavior characteristics based on a host and is managed and maintained by an intrusion detection management center; the process malicious behavior feature library is used for storing process malicious behaviors and is managed and maintained by an intrusion detection management center; and the file malicious behavior feature library is used for storing malicious behavior features based on a system and an application and is managed and maintained by an intrusion detection management center.
Further, the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN.
Further, the process HOOK monitor registers a HOOK point on the do_fork() function.
Further, the file HOOK monitor registers HOOK points on the read() and write() functions.
Based on the technical purpose of the invention, the invention also provides an intrusion detection method based on the Linux host, which comprises the following steps:
step one: when the Linux host is started, the intrusion detection management center, the network HOOK monitor, the process HOOK monitor, the file HOOK monitor and the feature matching module are started along with the kernel module;
step two: the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN; when a network connection reaches the host, the registered HOOK points are triggered and the feature matching module is called to match against the network attack behavior feature library, so that intrusion behavior based on unauthorized access over any network protocol or on abnormal access data of a specific network protocol is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step three: the process HOOK monitor registers a HOOK point on the do_fork() function; when a process is created, the registered HOOK point is triggered and the feature matching module is called to match against the process malicious behavior feature library, so that command-based intrusion behavior is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step four: the file HOOK monitor registers HOOK points on the read() and write() functions; when a file is read or modified on the host, the registered HOOK points are triggered and the feature matching module is called to match against the file malicious behavior feature library, so that intrusion behaviors such as command execution and illegal logins are monitored and found; when intrusion behavior is found, execution proceeds to step five;
step five: after finding intrusion behavior, the feature matching module reports it to the intrusion detection management center;
step six: the intrusion detection management center issues an early warning for the intrusion behavior.
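The following is an added example, not code from the patent or its applicant, showing the data flow that the device description and steps one to six above lay out: three HOOK monitors build monitoring records, one feature matching module matches each record only against the library belonging to its source, and the management center loads the libraries at start-up, receives the reports and raises the early warning. It is a user-space C model so it can be compiled and run directly; in the kernel the three hook functions would instead be the netfilter hook at NF_INET_LOCAL_IN and the hooks on do_fork() and read()/write(). The feature format (name plus substring pattern), the payload encodings and the three sample features are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One event source per HOOK monitor of the device described above. */
enum source { SRC_NETWORK, SRC_PROCESS, SRC_FILE, SRC_COUNT };
static const char *source_names[SRC_COUNT] = { "network", "process", "file" };

/* Feature library entry. The patent fixes no feature format; this example
 * assumes a name plus a substring pattern (assumption). */
struct feature { const char *name; const char *pattern; };

#define MAX_FEATURES 16
struct feature_library { struct feature items[MAX_FEATURES]; int count; };

/* Monitoring record handed from a HOOK monitor to the feature matching module.
 * Assumed payload encodings: "proto:port" (network), command line (process),
 * "op:path" (file). */
struct event { enum source src; uint32_t pid; const char *payload; };

/* The management center owns the three libraries and receives the reports. */
struct management_center {
    struct feature_library libs[SRC_COUNT];
    int alerts;            /* reports received (step five) */
    char last_alert[160];  /* latest early-warning text (step six) */
};

/* Library maintenance by the management center: 0 on success, -1 if full. */
int mc_add_feature(struct management_center *mc, enum source src,
                   const char *name, const char *pattern)
{
    struct feature_library *lib = &mc->libs[src];
    if (lib->count >= MAX_FEATURES)
        return -1;
    lib->items[lib->count].name = name;
    lib->items[lib->count].pattern = pattern;
    lib->count++;
    return 0;
}

/* Step five (report) and step six (early warning). */
static void mc_report(struct management_center *mc, const struct event *ev,
                      const struct feature *f)
{
    mc->alerts++;
    snprintf(mc->last_alert, sizeof mc->last_alert,
             "%s hook: pid=%u feature=%s payload=%s",
             source_names[ev->src], ev->pid, f->name, ev->payload);
    fprintf(stderr, "EARLY WARNING: %s\n", mc->last_alert);
}

/* Feature matching module. The library is chosen by the event's source, so a
 * network event is never compared against process or file features.
 * Returns 1 when intrusion behaviour is found and reported, else 0. */
int feature_match(struct management_center *mc, const struct event *ev)
{
    const struct feature_library *lib = &mc->libs[ev->src];
    for (int i = 0; i < lib->count; i++) {
        if (strstr(ev->payload, lib->items[i].pattern) != NULL) {
            mc_report(mc, ev, &lib->items[i]);
            return 1;
        }
    }
    return 0;
}

/* Steps two to four. In the kernel these would be the bodies of the netfilter
 * hook at NF_INET_LOCAL_IN, the hook on do_fork() and the hooks on
 * read()/write(); here each builds an event and calls the matcher. */
int network_hook(struct management_center *mc, uint32_t pid, const char *conn)
{
    struct event ev = { SRC_NETWORK, pid, conn };
    return feature_match(mc, &ev);
}
int process_hook(struct management_center *mc, uint32_t pid, const char *cmdline)
{
    struct event ev = { SRC_PROCESS, pid, cmdline };
    return feature_match(mc, &ev);
}
int file_hook(struct management_center *mc, uint32_t pid, const char *op_path)
{
    struct event ev = { SRC_FILE, pid, op_path };
    return feature_match(mc, &ev);
}

/* Step one: the management center loads the libraries at start-up. These three
 * features are constructed samples for this example, not the patent's. */
void mc_init(struct management_center *mc)
{
    memset(mc, 0, sizeof *mc);
    mc_add_feature(mc, SRC_NETWORK, "unauthorised-telnet", "tcp:23");
    mc_add_feature(mc, SRC_PROCESS, "shell-over-devtcp", "/dev/tcp/");
    mc_add_feature(mc, SRC_FILE, "auth-log-tamper", "write:/var/log/auth.log");
}

int main(void)
{
    struct management_center mc;
    mc_init(&mc);
    network_hook(&mc, 0, "tcp:22");                                    /* no match */
    network_hook(&mc, 0, "tcp:23");                                    /* reported */
    process_hook(&mc, 4242, "bash -c 'cat </dev/tcp/203.0.113.9/80'"); /* reported */
    file_hook(&mc, 1001, "read:/var/log/auth.log");                    /* no match */
    file_hook(&mc, 1001, "write:/var/log/auth.log");                   /* reported */
    printf("%d alert(s); last: %s\n", mc.alerts, mc.last_alert);
    return 0;
}
```

The per-source library lookup is the point worth keeping in a real implementation: a process event carrying the text "tcp:23" does not trigger the network feature, which keeps the false-positive rate of each library independent of the others. Sensitivity and timeliness come from the hooks firing synchronously at the kernel event, so the matcher must stay cheap; a substring scan over a small library is fine, but a large library would need a trie or Aho-Corasick automaton instead of the linear loop shown here.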
The intrusion detection method and device based on the Linux host provided by the invention are introduced in detail, and the principle and the implementation mode of the method are explained by applying the embodiments in the text, and the description of the embodiments is only used for helping to understand the method and the core idea of the method; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (5)

1. A Linux host-based intrusion detection device, characterized in that: the intrusion detection device comprises an intrusion detection management center, a network HOOK monitor, a process HOOK monitor, a file HOOK monitor, a feature matching module, a network attack behavior feature library, a process malicious behavior feature library and a file malicious behavior feature library;
the intrusion detection management center is mainly responsible for managing and maintaining a network attack behavior feature library, a process malicious behavior feature library and a file malicious behavior feature library and receiving intrusion behaviors discovered by the feature matching module;
the network HOOK monitor monitors network activities of a network connected to a Linux host and transmits monitoring data to the feature matching module;
the process HOOK monitor is mainly used for monitoring the creation of a system process and transmitting monitoring data to a feature matching module;
the file HOOK monitor is mainly used for monitoring read and write operations on specific files, such as system log files, application log files and login logs, and on directories, and transmits the monitoring data to the feature matching module;
the characteristic matching module is mainly used for processing data from a network HOOK monitor, a process HOOK monitor and a file HOOK monitor, finding an intrusion behavior by matching a corresponding behavior characteristic library and reporting the intrusion behavior to an intrusion detection management center;
the network attack behavior characteristic library is used for storing network attack behavior characteristics based on a host and is managed and maintained by an intrusion detection management center; the process malicious behavior feature library is used for storing process malicious behaviors and is managed and maintained by an intrusion detection management center; and the file malicious behavior feature library is used for storing malicious behavior features based on a system and an application and is managed and maintained by an intrusion detection management center.
2. The Linux host-based intrusion detection device of claim 1, wherein: the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN.
3. The Linux host-based intrusion detection device of claim 1, wherein: the process HOOK monitor registers a HOOK point on the do_fork() function.
4. The Linux host-based intrusion detection device of claim 1, wherein: the file HOOK monitor registers HOOK points on the read() and write() functions.
5. A Linux host based intrusion detection method is characterized in that: the intrusion detection method specifically comprises the following steps:
step one: when the Linux host is started, the intrusion detection management center, the network HOOK monitor, the process HOOK monitor, the file HOOK monitor and the feature matching module are started along with the kernel module;
step two: the network HOOK monitor registers HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN; when a network connection reaches the host, the registered HOOK points are triggered and the feature matching module is called to match against the network attack behavior feature library, so that intrusion behavior based on unauthorized access over any network protocol or on abnormal access data of a specific network protocol is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step three: the process HOOK monitor registers a HOOK point on the do_fork() function; when a process is created, the registered HOOK point is triggered and the feature matching module is called to match against the process malicious behavior feature library, so that command-based intrusion behavior is monitored and found; when intrusion behavior is found, execution proceeds to step five;
step four: the file HOOK monitor registers HOOK points on the read() and write() functions; when a file is read or modified on the host, the registered HOOK points are triggered and the feature matching module is called to match against the file malicious behavior feature library, so that intrusion behaviors such as command execution and illegal logins are monitored and found; when intrusion behavior is found, execution proceeds to step five;
step five: after finding intrusion behavior, the feature matching module reports it to the intrusion detection management center;
step six: the intrusion detection management center issues an early warning for the intrusion behavior.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911363006.4A CN111090855A (en) 2019-12-26 2019-12-26 Intrusion detection method and device based on Linux host
PCT/CN2020/127778 WO2021129201A1 (en) 2019-12-26 2020-11-10 Intrusion detection method and device based on linux host

Publications (1)

Publication Number Publication Date
CN111090855A true CN111090855A (en) 2020-05-01

Family

ID=70396832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911363006.4A Pending CN111090855A (en) 2019-12-26 2019-12-26 Intrusion detection method and device based on Linux host

Country Status (2)

Country Link
CN (1) CN111090855A (en)
WO (1) WO2021129201A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021129201A1 (en) * 2019-12-26 2021-07-01 中科信息安全共性技术国家工程研究中心有限公司 Intrusion detection method and device based on linux host

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103745154A (en) * 2013-12-27 2014-04-23 柳州职业技术学院 Intrusion detection system and detection method with self-learning capability
CN108347430A (en) * 2018-01-05 2018-07-31 国网山东省电力公司济宁供电公司 Network invasion monitoring based on deep learning and vulnerability scanning method and device
CN109344622A (en) * 2018-09-26 2019-02-15 杭州迪普科技股份有限公司 The intrusion detection method and relevant device of loophole attack
CN110535854A (en) * 2019-08-28 2019-12-03 南京市晨枭软件技术有限公司 One kind being used for industrial control system intrusion detection method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634264A (en) * 2012-08-20 2014-03-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behavior analysis
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN106709334A (en) * 2015-11-17 2017-05-24 阿里巴巴集团控股有限公司 Method, device and system for detecting intrusive script files
CN108062475A (en) * 2016-11-08 2018-05-22 武汉安天信息技术有限责任公司 A kind of malicious code identification device and method
CN108111503A (en) * 2017-12-15 2018-06-01 安徽长泰信息安全服务有限公司 Based on the information safety protection host machine for accessing limitation
CN111090855A (en) * 2019-12-26 2020-05-01 中科信息安全共性技术国家工程研究中心有限公司 Intrusion detection method and device based on Linux host

Also Published As

Publication number Publication date
WO2021129201A1 (en) 2021-07-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200501