CN111901306A - Method for detecting and blocking rebound shell attack and related equipment - Google Patents

Info

Publication number: CN111901306A
Authority: CN (China)
Prior art keywords: attack, shell, rebound, rebound shell, blocking
Legal status: Withdrawn (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202010605065.4A
Other languages: Chinese (zh)
Inventor: 王勇
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (as listed; may be inaccurate)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Priority date: 2020-06-29
Filing date: 2020-06-29
Publication date: 2020-11-06

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and related equipment for detecting and blocking reverse shell ("rebound shell") attacks. A detection method and a blocking mechanism are designed so that the characteristics or attack patterns of a reverse shell can be added to a rule base dynamically, and the characteristics of the processes on the local host are matched against the rules in the rule base in order to reduce missed detections. If a reverse shell is found, the relevant information about it is provided to the user; the attack can be stopped according to the PID of the reported reverse shell process, and the remote attacker's IP can be added to a blacklist according to the connection 4-tuple (local IP, local port, remote IP, remote port). The detection rate of reverse shell attacks is thereby effectively improved.

Description

Method for detecting and blocking rebound shell attack and related equipment
Technical Field
The invention relates to the technical field of intrusion detection, in particular to a method and related equipment for detecting and blocking reverse shell attacks (反弹shell, rendered "rebound shell" in the machine-translated title above).
Background
A reverse shell attack is one in which the control end (the attacker) listens on a port, the controlled end (the victim host) actively initiates a connection to that port, and the standard input and output of a command interpreter on the controlled end are redirected over that connection. A reverse shell is generally an intrusion: its defining characteristic is that the local host actively connects outward to a remote attacker, who thereby obtains an execution environment on the local host and can run arbitrary commands. Many researchers have studied how to detect reverse shells, but existing detection is not general, produces many missed detections, and provides no effective blocking method even once a reverse shell has been detected.
One prior-art scheme monitors the creation of bash processes and checks whether the files to which the bash process's standard streams are redirected are socket files and whether that socket file descriptor has an active network connection; if both conditions hold, the server is considered to be under a reverse shell attack and the process is blocked. The criterion of this scheme is too narrow: it can only detect and block reverse shells that are spawned through a bash process.
Another scheme captures the execution of shell programs and checks whether the shell process has a controlling terminal; if it does not, the process is treated as a reverse shell and a termination signal is sent to it. This scheme relies solely on the absence of a terminal attribute to identify a reverse shell, but an awk-based reverse shell keeps its controlling terminal, so it can be neither detected nor terminated by this scheme.
Disclosure of Invention
The invention aims to provide a method and related equipment for detecting and blocking reverse shell attacks, so as to solve the low detection rate and frequent missed detections of the prior art, to combine detection with blocking, and thereby to improve the detection rate and reduce missed detections.
To achieve this, the invention provides a method for detecting and blocking reverse shell attacks, comprising the following operations:
constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if either all the process characteristics match or an attack pattern matches;
and, when a reverse shell attack is judged to have occurred, providing the relevant reverse shell information to the user, sending a termination signal to the process that established the external network connection according to that information, and adding the remote attacker's IP to a blacklist.
Preferably, the rules of the feature library fall into two classes. The first class is the uniform process characteristics shared by most reverse shell attack patterns, namely the targets of the process's standard input and standard output (whether they are redirected to a socket), the process's terminal attribute (whether it has a controlling terminal), and whether a socket connection has been established. The second class is attack patterns whose processes do not differ noticeably from ordinary processes on those characteristics, including awk-based attacks; these are matched on the executed command itself.
Preferably, the reverse shell information includes the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker.
The invention also provides a system for detecting and blocking reverse shell attacks, comprising:
a rule base establishing module for constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
an attack detection module for capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if either all the process characteristics match or an attack pattern matches;
and an attack blocking module for providing the relevant reverse shell information to the user when a reverse shell attack is judged to have occurred, sending a termination signal to the process that established the external network connection according to that information, and adding the remote attacker's IP to a blacklist.
Preferably, the rules of the feature library fall into two classes. The first class is the uniform process characteristics shared by most reverse shell attack patterns, namely the targets of the process's standard input and standard output, the process's terminal attribute, and whether a socket connection has been established. The second class is attack patterns whose processes do not differ noticeably from ordinary processes on those characteristics, including awk-based attacks.
Preferably, the reverse shell information includes the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker.
The present invention also provides a computer apparatus comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method for detecting and blocking a reverse shell attack.
The present invention also provides a readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for detecting and blocking a reverse shell attack.
The effects stated in this summary are those of particular embodiments, not all effects of the invention; the above technical solutions have the following advantages or beneficial effects:
compared with the prior art, the detection method and blocking mechanism allow the characteristics or attack patterns of a reverse shell to be added to the rule base dynamically, match the characteristics of the processes on the local host against the rules in the rule base so as to reduce missed detections, provide the relevant reverse shell information to the user if a reverse shell occurs, terminate the reverse shell attack according to the PID of the reported reverse shell process, add the remote attacker's IP to the blacklist according to the connection 4-tuple, and effectively improve the detection rate of reverse shell attacks.
Drawings
Fig. 1 is a flowchart of a method for detecting and blocking a reverse shell attack according to an embodiment of the present invention;
Fig. 2 is a block diagram of a system for detecting and blocking a reverse shell attack according to an embodiment of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The following describes in detail a method and related devices for detecting and blocking a reverse shell attack according to an embodiment of the present invention, with reference to the accompanying drawings.
As shown in Fig. 1, the present invention discloses a method for detecting and blocking a reverse shell attack, comprising the following operations:
constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if either all the process characteristics match or an attack pattern matches;
and, when a reverse shell attack is judged to have occurred, providing the relevant reverse shell information to the user, sending a termination signal to the process that established the external network connection according to that information, and adding the remote attacker's IP to a blacklist.
A feature library is constructed that comprises reverse shell attack patterns and process characteristics (the targets of the process's standard input and standard output, the process's terminal attribute, and whether a socket connection has been established).
The rules of the feature library are divided into two classes. The first class is the uniform process characteristics possessed by most reverse shell attack patterns, such as the targets of standard input and standard output, the terminal attribute and the socket connection state. The second class is attack patterns whose processes do not differ noticeably from ordinary processes on those characteristics, such as awk-based attacks. Reverse shell characteristics or attack patterns can be added to the rule library dynamically so as to reduce false negatives.
The processes of the current host are captured, and the characteristics of each process are extracted and matched against the feature library. The process characteristics (targets of standard input and standard output, terminal attribute, socket connection state) are matched first; if all of them match, a reverse shell has occurred. If they do not all match, matching continues with the attack patterns: the command the process executed is compared with the attack patterns in the feature library, and if a pattern matches, a reverse shell has occurred.
If a reverse shell is found, it must be blocked. The relevant information is provided to the user: the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker. According to this information, a termination signal is sent to the process that established the external connection, and the remote attacker's IP is added to a blacklist.
The embodiment of the invention thus provides a detection method and a blocking mechanism that allow the characteristics or attack patterns of a reverse shell to be added to the rule base dynamically, match the characteristics of the processes on the local host against the rules in the rule base so as to reduce missed detections, provide the relevant reverse shell information to the user if a reverse shell occurs, terminate the reverse shell attack according to the PID of the reported process, add the remote attacker's IP to a blacklist according to the connection 4-tuple, and effectively improve the detection rate of reverse shell attacks.
As shown in Fig. 2, an embodiment of the present invention further discloses a system for detecting and blocking a reverse shell attack, comprising:
a rule base establishing module for constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
an attack detection module for capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if either all the process characteristics match or an attack pattern matches;
and an attack blocking module for providing the relevant reverse shell information to the user when a reverse shell attack is judged to have occurred, sending a termination signal to the process that established the external network connection according to that information, and adding the remote attacker's IP to a blacklist.
The rule base establishing module constructs a feature library comprising reverse shell attack patterns and process characteristics (the targets of the process's standard input and standard output, the process's terminal attribute, and whether a socket connection has been established).
The rules of the feature library are divided into two classes. The first class is the uniform process characteristics possessed by most reverse shell attack patterns, such as the targets of standard input and standard output, the terminal attribute and the socket connection state. The second class is attack patterns whose processes do not differ noticeably from ordinary processes on those characteristics, such as awk-based attacks. Reverse shell characteristics or attack patterns can be added to the rule library dynamically so as to reduce false negatives.
The attack detection module captures the processes of the current host, extracts the characteristics of each process and matches them against the feature library. The process characteristics (targets of standard input and standard output, terminal attribute, socket connection state) are matched first; if all of them match, a reverse shell has occurred. If they do not all match, matching continues with the attack patterns: the command the process executed is compared with the attack patterns in the feature library, and if a pattern matches, a reverse shell has occurred.
If a reverse shell is found, the attack blocking module blocks it. The relevant information is provided to the user: the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker. According to this information, a termination signal is sent to the process that established the external connection, and the remote attacker's IP is added to a blacklist.
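The detection and blocking procedure described above (as method steps, and again as the modules of the system embodiment) can be implemented on a Linux host as follows. This is an added example written for this page, not code from the patent or its assignee; the feature names, the regular-expression signatures for bash- and awk-based shells, the /proc parsing and the three sample processes are my own assumptions and constructions. It reads the characteristics the patent names (stdin/stdout target, controlling terminal, established socket) from /proc, matches them first, falls back to command-line patterns for cases such as awk that keep a terminal, and on a hit returns the report (PID, 4-tuple, command) together with the kill and blacklist actions.

```python
# Added example, not the patent's code: a host-side reverse shell detector and
# blocker following the two-tier rule library described above. The feature
# names, regex signatures, /proc reader and sample processes are assumptions.
import os
import re
import signal
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# Tier 1: uniform process characteristics; a process matches only if ALL agree.
FEATURE_RULES = {"stdin_is_socket": True, "stdout_is_socket": True,
                 "has_tty": False, "has_remote_conn": True}
# Tier 2: command-line signatures for shells that look like ordinary processes
# (an awk-based shell keeps its tty, so tier 1 misses it). Assumed signatures;
# both tiers are plain Python containers, so rules can be appended at run time.
PATTERN_RULES = [
    re.compile(r"/dev/tcp/\S+/\d+"),             # bash /dev/tcp redirection
    re.compile(r"/inet/tcp/0/\S+/\d+"),          # gawk outbound socket
    re.compile(r"socket\(.*\bconnect\(", re.S),  # python/perl one-liners
]

@dataclass
class ProcessInfo:
    pid: int
    cmdline: str
    fd0: str       # readlink target of /proc/<pid>/fd/0
    fd1: str       # readlink target of /proc/<pid>/fd/1
    has_tty: bool  # tty_nr != 0 in /proc/<pid>/stat
    remote: Optional[Tuple[str, int, str, int]] = None  # (lip, lport, rip, rport)

def extract_features(p: ProcessInfo) -> dict:
    return {"stdin_is_socket": p.fd0.startswith("socket:"),
            "stdout_is_socket": p.fd1.startswith("socket:"),
            "has_tty": p.has_tty, "has_remote_conn": p.remote is not None}

def classify(p: ProcessInfo) -> Optional[str]:
    """Tier 1 first; only if it does not fully match, fall back to tier 2."""
    feats = extract_features(p)
    if all(feats[k] == v for k, v in FEATURE_RULES.items()):
        return "features"
    if any(r.search(p.cmdline) for r in PATTERN_RULES):
        return "pattern"
    return None

def block(p: ProcessInfo, dry_run: bool = True) -> dict:
    """Report PID, 4-tuple, command; SIGKILL the process; DROP the peer IP (needs root)."""
    remote_ip = p.remote[2] if p.remote else None
    plan = {"pid": p.pid, "quad": p.remote, "cmdline": p.cmdline,
            "blacklist": remote_ip, "iptables": None}
    if remote_ip:
        plan["iptables"] = ["iptables", "-I", "INPUT", "-s", remote_ip, "-j", "DROP"]
    if not dry_run:
        os.kill(p.pid, signal.SIGKILL)
        if plan["iptables"]:
            subprocess.run(plan["iptables"], check=True)
    return plan

# Linux-only collection from /proc (IPv4 only; the constructed samples do not use it).
def parse_proc_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:1F90' as in /proc/net/tcp -> ('127.0.0.1', 8080); IPv4 is little-endian."""
    ip, port = hexaddr.split(":")
    return ".".join(str(int(ip[i:i + 2], 16)) for i in (6, 4, 2, 0)), int(port, 16)

def established_peers() -> dict:
    """socket inode -> 4-tuple for sockets whose state column is 01 (ESTABLISHED)."""
    peers = {}
    with open("/proc/net/tcp") as f:
        next(f)  # header line
        for line in f:
            c = line.split()
            if c[3] == "01":
                peers[c[9]] = (*parse_proc_addr(c[1]), *parse_proc_addr(c[2]))
    return peers

def from_proc(pid: int) -> ProcessInfo:
    base = f"/proc/{pid}"
    def link(fd):
        try:
            return os.readlink(f"{base}/fd/{fd}")
        except OSError:
            return ""
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    with open(f"{base}/stat") as f:
        tty_nr = int(f.read().rpartition(")")[2].split()[4])  # stat field 7
    peers, remote = established_peers(), None
    for t in (link(fd) for fd in os.listdir(f"{base}/fd")):
        if t.startswith("socket:[") and t[8:-1] in peers:
            remote = peers[t[8:-1]]
            break
    return ProcessInfo(pid, cmdline, link(0), link(1), tty_nr != 0, remote)

# Constructed sample processes (not real captures); 203.0.113.5 is a documentation address.
SAMPLES = [
    ProcessInfo(4242, "bash -i", "socket:[31337]", "socket:[31337]", False,
                ("10.0.0.7", 51230, "203.0.113.5", 4444)),
    ProcessInfo(4243, 'awk BEGIN{s="/inet/tcp/0/203.0.113.5/4444";...}',  # shortened
                "/dev/pts/1", "/dev/pts/1", True, ("10.0.0.7", 51231, "203.0.113.5", 4444)),
    ProcessInfo(4244, "sshd: ops@pts/0", "/dev/null", "/dev/null", True, None),
]
```

On the constructed samples, the bash process is caught by the tier 1 characteristics alone, the awk process fails tier 1 (it still has a tty and its streams are not sockets) and is caught by the command pattern, and the sshd session matches neither. Calling block() with dry_run=False on a real PID as root sends SIGKILL and inserts the iptables DROP rule; by default it only returns the plan. Two practical caveats: the /proc/net/tcp reader ignores /proc/net/tcp6, and blacklisting the source IP does not stop an attacker who reconnects from another address, so the kill is what actually ends the session.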
The embodiment of the invention also discloses a computer device, which comprises:
a memory for storing a computer program;
a processor for executing the computer program to implement the method for detecting and blocking a reverse shell attack.
The embodiment of the invention also discloses a readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for detecting and blocking a reverse shell attack.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A method for detecting and blocking a reverse shell attack, the method comprising the operations of:
constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if all the process characteristics match or an attack pattern matches;
and, when a reverse shell attack is judged to have occurred, providing the relevant reverse shell information to a user, sending a termination signal to the process that established the external network connection according to the provided reverse shell information, and adding the IP of the remote attacker to a blacklist.
2. The method for detecting and blocking a reverse shell attack according to claim 1, wherein the rules of the feature library are divided into two classes: one class is the uniform process characteristics shared by most reverse shell attack patterns, comprising the targets of the process's standard input and standard output, the process's terminal attribute and whether a socket connection has been established; the other class is reverse shell attack patterns whose processes do not differ noticeably from ordinary processes, including awk-based attacks.
3. The method for detecting and blocking a reverse shell attack according to claim 1, wherein the reverse shell information includes the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker.
4. A system for detecting and blocking a reverse shell attack, the system comprising:
a rule base establishing module for constructing a reverse shell attack feature library comprising reverse shell attack patterns and process characteristics;
an attack detection module for capturing the processes of the current host, extracting the characteristics of each process, and matching them against the rules in the reverse shell attack feature library, wherein a reverse shell attack is deemed to be in progress if all the process characteristics match or an attack pattern matches;
and an attack blocking module for providing the relevant reverse shell information to a user when a reverse shell attack is judged to have occurred, sending a termination signal to the process that established the external network connection according to the provided reverse shell information, and adding the IP of the remote attacker to a blacklist.
5. The system for detecting and blocking a reverse shell attack according to claim 4, wherein the rules of the feature library are divided into two classes: one class is the uniform process characteristics shared by most reverse shell attack patterns, comprising the targets of the process's standard input and standard output, the process's terminal attribute and whether a socket connection has been established; the other class is reverse shell attack patterns whose processes do not differ noticeably from ordinary processes, including awk-based attacks.
6. The system for detecting and blocking a reverse shell attack according to claim 4, wherein the reverse shell information includes the process on the local host that established the external network connection, the associated 4-tuple (local IP, local port, remote IP, remote port), and the command the local host executed to connect to the remote attacker.
7. A computer device, comprising:
a memory for storing a computer program;
a processor for executing said computer program to implement the method for detecting and blocking a reverse shell attack according to any one of claims 1-3.
8. A readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for detecting and blocking a reverse shell attack according to any one of claims 1-3.

Priority Applications (1)

Application Number: CN202010605065.4A (published as CN111901306A)
Priority Date: 2020-06-29
Filing Date: 2020-06-29
Title: Method for detecting and blocking rebound shell attack and related equipment
Status: Withdrawn

Publications (1)

Publication Number: CN111901306A
Publication Date: 2020-11-06

Family

ID=73207149

Country Status (1)

CN (1) CN111901306A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114301697A (en) * | 2021-12-29 | 2022-04-08 | 山石网科通信技术股份有限公司 | Data attack detection method and device
WO2022156197A1 (en) * | 2021-01-21 | 2022-07-28 | 华为技术有限公司 | Attack success identification method and protection device

Legal Events

Date | Code | Title
2020-11-06 | PB01 | Publication
| SE01 | Entry into force of request for substantive examination
| WW01 | Invention patent application withdrawn after publication