CN112084091B - System behavior auditing method, device, terminal and storage medium - Google Patents


Info

Publication number: CN112084091B
Authority: CN (China)
Prior art keywords: uuid, session, behavior, audit, content
Legal status: Active
Application number: CN202010942657.5A
Other languages: Chinese (zh)
Other versions: CN112084091A (en)
Inventors: 吕琦, 张福, 程度
Current assignee: Beijing Shengxin Network Technology Co ltd
Original assignee: Beijing Shengxin Network Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3055 Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents

Abstract

The invention discloses a system behavior auditing method, a device, a terminal and a storage medium. The method comprises the following steps: loading a kernel module and hooking system calls; when a system call is executed and is to be audited, obtaining the behavior content corresponding to the system call according to a preset configuration; recording the process UUID and the session UUID of the current process; and reporting the behavior content, the process UUID and the session UUID as audit content. Because a dynamically loadable kernel module is used, the system kernel does not need to be recompiled and upper-layer applications are unaffected.

Description

System behavior auditing method, device, terminal and storage medium
Technical Field
The invention relates to the field of computer security, in particular to a system behavior auditing method, a system behavior auditing device, a terminal and a storage medium.
Background
Behavior auditing of the Linux system has always been a basic data source on which various security software depends: a program can be judged to be malicious from its behavior, and that behavior can be traced. For example, if a process creates a network connection, downloads a program and then runs it, the behavior audit records this series of actions; if the downloaded program turns out to be malicious, its origin can be traced and the problem addressed at the source from which the malicious program was downloaded. With the development of cloud platforms, the volume of audited data keeps growing, which provides good data support for subsequent analysis of the audit content.
The Linux system has some built-in behavior auditing capability: Linux audit provides this function, but it can only record operation behavior according to its configuration and then write it to a log file on the local machine. The original Linux audit only provides the pid and similar attributes of a process as its identification, but a server runs for a long time, so the pid, the name and the like are easily reused. In addition, in the current cloud platform environment, processes on different devices look very similar during log analysis, a process can only be uniquely determined through a combination of several fields, and querying is inconvenient.
Disclosure of Invention
The invention aims to solve the above technical problem of the prior art by providing a system behavior auditing method, device, terminal and storage medium in which behavior content, a process UUID and a session UUID are bound together as the audit content. This audit content is suitable for various scenarios: during upper-layer analysis the process UUID and the session UUID can be used as index values for analysis actions such as querying or behavior association, so subsequent analysis of the audit content is better supported, conveniently and quickly.
The technical scheme for solving the technical problems is as follows: a system behavior auditing method comprising the steps of:
loading a kernel module and hooking system calls;
when the system call is executed and audited, behavior content corresponding to the system call is obtained according to preset configuration;
recording a process UUID and a session UUID of a current process;
and reporting the behavior content, the process UUID and the session UUID as audit contents.
In order to solve the above technical problem, an embodiment of the present invention further provides a system behavior auditing apparatus, including a hook module, an obtaining module, a recording module, and a reporting module;
the hook module is used for loading the kernel module and hooking system calls;
the acquisition module is used for acquiring behavior content corresponding to the system call according to preset configuration when the system call is executed and audited;
the recording module is used for recording the process UUID and the session UUID of the current process;
and the reporting module is used for reporting the behavior content, the process UUID and the session UUID as audit contents.
In order to solve the above technical problem, an embodiment of the present invention further provides a terminal, where the terminal includes a processor, a memory, and a communication bus;
the communication bus is used for realizing connection communication between the processor and the memory;
the processor is configured to execute one or more computer programs stored in the memory to implement the steps of the system behavior auditing method described above.
To solve the above technical problem, an embodiment of the present invention further provides a storage medium storing one or more computer programs, where the one or more computer programs are executable by one or more processors to implement the steps of the system behavior auditing method described above.
The invention has the following beneficial effects. A kernel module is loaded and system calls are hooked; when a system call is then executed and audited, the behavior content corresponding to the system call is obtained according to a preset configuration policy, and the process UUID and session UUID of the current process are recorded together with the behavior content. Because a dynamically loadable kernel module is used, the system kernel does not need to be recompiled and upper-layer applications are unaffected. Binding the behavior content, the process UUID and the session UUID as the audit content makes that content suitable for various scenarios: during upper-layer analysis the process UUID and the session UUID serve as index values for analysis actions such as querying or behavior association, which better supports subsequent correlation of audit content, is convenient and fast, and suits current big data and cloud platform environments.
Drawings
FIG. 1 is a flow chart of a system behavior auditing method according to an embodiment of the present invention;
fig. 2 is a flowchart of generating a process UUID and a session UUID according to an embodiment of the present invention;
FIG. 3 is a flow chart of a system behavior auditing method according to another embodiment of the present invention;
fig. 4 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a system behavior auditing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.
Referring to fig. 1, a system behavior auditing method includes the following steps:
S101: loading a kernel module and hooking system calls;
S102: when the system call is executed and audited, obtaining behavior content corresponding to the system call according to a preset configuration policy;
S103: recording the process UUID and the session UUID of the current process;
S104: reporting the behavior content, the process UUID and the session UUID as audit content.
In this embodiment, a kernel module is loaded and system calls are hooked; when a system call is then executed it can be audited, the behavior content corresponding to the system call is obtained according to a preset configuration policy, and the behavior content is recorded together with the process UUID and session UUID of the current process. Because a dynamically loadable kernel module is used, the system kernel does not need to be recompiled and upper-layer applications are unaffected. The behavior content, the process UUID and the session UUID are bound together as the audit content, which suits various scenarios: during upper-layer analysis the process UUID and the session UUID serve as index values for analysis actions such as querying or behavior association, so subsequent correlation of audit content is better supported, conveniently and quickly, and the method suits current big data and cloud platform environments.
It can be understood that the Hook function is a code segment for processing a message, and the Hook function can Hook the target function, and at this time, if there is another function to send a message to the target function, the target function is not run first, but the Hook function is run first, and in the process of running the Hook function, the message transferred to the target function can be processed first and then transferred to the target function, or the message can be directly transferred to the target function, or the transfer of the message can be terminated forcibly.
In this embodiment, step S101 specifically includes: loading a kernel module, locating the system call table and hooking the relevant system calls. The file-related system calls include open, chmod, unlink and the like; the process-related system calls include execute, fork and the like. For example, after the kernel module is loaded, the fork system call is hooked.
Furthermore, in this embodiment, when it is determined that the executed system call is to be audited, the corresponding behavior content is obtained. Which system calls are audited can be preset, and the set of system calls to be audited is cached in the configuration, so that when a system call is executed the configuration cache is checked to determine whether that system call is indeed audited. In some embodiments, whether a system call is audited may also be determined according to preset configuration policies; for example, if one preset configuration policy is to audit program execution behavior, the execute system call is audited.
Step S102, obtaining behavior content corresponding to the system call according to the preset configuration policy, includes: recording the operation behavior corresponding to the system call according to the configured preset audit behaviors; and acquiring the content fields of the operation behavior according to the configured custom audit fields. In this embodiment, not only the required behaviors but also the required fields are configurable. The configured preset audit behaviors determine which behaviors are audited; for example, if a process creates a network connection, downloads a program and then runs it, this series of operation behaviors is recorded. The configured custom audit fields determine which contents of a behavior are collected. For process creation behavior, for example, the original Linux audit report only provides the pid of the parent process, whereas in this embodiment the audit fields can be customized so that the path of the parent process is added as well; the process creation behavior is then acquired according to the preset configuration policy together with the pid, the path and so on of its parent process. The original Linux audit also reports fsuid and similar fields that do not need attention; with the custom audit fields of this embodiment, that part of the data is simply not generated, which reduces the audit content and improves efficiency. Both the preset audit behaviors and the custom audit fields may be configured by the user and adjusted flexibly.
In this embodiment the process UUID and the session UUID are recorded, so to ensure that they always exist, the method includes, before step S103:
each process is configured with a unique process UUID and the same session is configured with a unique session UUID. In other words, in this embodiment, each process generates a UUID, uniquely identifies a process in any environment, provides support for subsequent analysis and behavior association, and provides a unique session UUID for each login, the processes in each session have the same session UUID, and all operations after the login behavior can be quickly queried through the unique session UUID, thereby facilitating subsequent investigation and behavior association.
It should be noted that configuring a process UUID and a session UUID for a process includes the following two cases:
for already existing processes: scanning the existing processes, generating a process UUID for each process, and generating the same session UUID for the process chain when the process is determined to be on the process chain of the same login process according to the process tree relation, namely all the processes on the process chain use the session UUID.
For the newly created process: traversing the process tree to obtain a PID; when the PID is newly generated, generating a process UUID for a new process corresponding to the PID; judging whether the parent process is a login process; if yes, generating a new session UUID for the new process; if not, inheriting the session UUID of the parent process. In this embodiment, a hook has been made to the fork system call through the kernel module, when the system call fork is executed and a new pid is generated, a unique UUID is generated for the new pid through the UUID algorithm that is mature at present, whether the parent process is a login process such as sshd or login is further determined, and the session UUID of the new process is determined. In order to ensure the uniqueness of the UUID, the specification defines elements including a network card MAC address, a timestamp, a Namespace (Namespace), a random or pseudo-random number, a timing sequence, and an algorithm for generating the UUID from the elements.
As shown in fig. 2, a process UUID and session UUID array is first created; a process UUID and a session UUID are generated for process 1 and stored in the array. The process tree is then traversed to obtain a PID, and it is determined whether the PID already exists in the array; if so, traversal of the process tree continues. If not, the PID represents a newly created process: a process UUID is generated for it, and it is further judged whether its parent process is a login process. If yes, a new session UUID is generated; if not, the new process and its parent are on the same process chain, so the session UUID of the parent process is inherited and the same session UUID is used. Traversal of the process tree then continues, or fork system call events are monitored: when a fork system call is executed a new PID is obtained, and a process UUID is generated for the new PID in the same way.
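The following Python is an added illustration, not code from the patent or its assignee: it models both cases above (scanning existing processes, then handling fork events) in user space on a constructed process table. Assumptions not on the page: `uuid4` stands in for the "mature UUID algorithm", processes whose chain never passes through a login process share the session of their top-most ancestor, and an `on_exit` step drops entries so a reused PID is not mistaken for a known process.

```python
from __future__ import annotations

import uuid
from dataclasses import dataclass

# Parent processes that start a new login session (the page names sshd and login).
LOGIN_PROCESSES = {"sshd", "login"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    proc_uuid: str = ""
    session_uuid: str = ""


class UuidRegistry:
    """The 'process UUID and session UUID array' of fig. 2, keyed by PID."""

    def __init__(self) -> None:
        self.table: dict[int, Proc] = {}

    @staticmethod
    def _new_uuid() -> str:
        # Assumption: a random (version 4) UUID is an acceptable "mature UUID algorithm".
        return str(uuid.uuid4())

    def scan_existing(self, procs: list[Proc]) -> None:
        """Case 1: scan already-running processes. Every process gets its own
        process UUID; all processes on one login chain share a session UUID."""
        for p in procs:
            self.table[p.pid] = p
            p.proc_uuid = self._new_uuid()
        session_by_anchor: dict[int, str] = {}
        for p in procs:
            anchor = self._session_anchor(p.pid)
            if anchor not in session_by_anchor:
                session_by_anchor[anchor] = self._new_uuid()
            p.session_uuid = session_by_anchor[anchor]

    def _session_anchor(self, pid: int) -> int:
        """Walk up the tree to the first process whose parent is a login process
        (the root of that login's chain). Assumption not on the page: chains with
        no login process are anchored at their top-most ancestor, so daemons
        share one 'system' session UUID."""
        while True:
            parent = self.table.get(self.table[pid].ppid)
            if parent is None or parent.comm in LOGIN_PROCESSES:
                return pid
            pid = parent.pid

    def on_fork(self, pid: int, ppid: int, comm: str) -> Proc:
        """Case 2: the hooked fork system call produced PID `pid`."""
        if pid in self.table:                 # PID already in the array: keep going
            return self.table[pid]
        child = Proc(pid, ppid, comm, proc_uuid=self._new_uuid())
        parent = self.table.get(ppid)
        if parent is None or parent.comm in LOGIN_PROCESSES:
            child.session_uuid = self._new_uuid()     # parent is a login -> new session
        else:
            child.session_uuid = parent.session_uuid  # same chain -> inherit
        self.table[pid] = child
        return child

    def on_exit(self, pid: int) -> None:
        """Not described on the page: drop the entry on exit, otherwise a reused PID
        (the background notes that PIDs repeat) would look like a known process."""
        self.table.pop(pid, None)


def demo() -> UuidRegistry:
    """Constructed process tree: two shells under one sshd, each with a child."""
    reg = UuidRegistry()
    reg.scan_existing([Proc(1, 0, "systemd"), Proc(100, 1, "sshd"),
                       Proc(200, 100, "bash"), Proc(201, 200, "curl"),
                       Proc(300, 100, "bash"), Proc(301, 300, "vim")])
    reg.on_fork(202, 201, "wget")   # grandchild of the first login: inherits
    reg.on_fork(400, 100, "bash")   # new child of sshd: new session
    return reg


if __name__ == "__main__":
    for p in sorted(demo().table.values(), key=lambda q: q.pid):
        print(f"{p.pid:>4} {p.comm:<8} proc={p.proc_uuid} session={p.session_uuid}")
```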
In this embodiment, step S104 specifically includes: acquiring a mandatory access control strategy according to a custom function; determining whether to block the system call according to a mandatory access control policy; if not, after reporting the audit content, executing the original system call; if so, reporting the audit content.
That is, in this embodiment a custom function may also be inserted; for example, the custom function is a log obtaining function, and when the hooked system call is invoked, the inserted custom content is a mandatory access control policy. The custom function monitors behaviors according to the preset configuration: when a behavior is found to be a threat it provides mandatory access control capability, reports the audit content and prevents the system call from continuing; when the behavior is found to be harmless, the system call continues after the audit content has been reported. For example, while the operation behavior corresponding to a system call is recorded according to the configured preset audit behaviors, if a certain behavior is configured as not allowed to be executed, the mandatory access control policy corresponding to the custom function blocks that behavior according to the configuration. In this embodiment the audit content is reported, namely the behavior content, the process UUID and the session UUID; the behavior content is generated by the system, and the process UUID and the session UUID are generated after the system behavior is captured. The UUIDs and the behavior information are bound and reported together as audit information. During upper-layer analysis the UUIDs can be used as index values for analysis actions such as querying or behavior association, which makes analysis convenient. For example, a login generates a session UUID, all actions after that login carry the same session UUID, and during analysis every action performed in that login can be retrieved from the session UUID alone.
Similarly, the same process has the same process UUID, and the actions of the process, such as network connection of the process, file modification and the like, can be queried through the process UUID; therefore, the subsequent log analysis is more convenient by a method of correlating various behaviors and process identifications; the reporting mode can specifically use a socket netlink mode to report the audit content to the application layer. It is understood that netlink is a technology for communication between application layer and kernel, and is a special inter-process communication (IPC) for communication between user process and kernel process, and is the most common interface for network application to communicate with kernel.
For convenience of understanding, the present embodiment provides a specific application layer command auditing method, which includes, as shown in fig. 3:
S301, loading a kernel module and hooking system calls.
S302, the system call is executed.
S303, checking the configuration cache.
In this embodiment, the system calls to be audited are preset in the configuration cache; it also holds the configured audit behaviors and custom fields, which can be flexibly set by the user.
S304, judging whether the system call is audited, if so, turning to S305, and if not, turning to S310.
When the executed system call matches in the configuration cache, it is determined that the system call is audited.
S305, acquiring behavior content according to the configured preset audit behavior and the custom field.
The configured preset auditing behaviors can determine which behaviors are audited; the configured custom audit field can determine what contents of the behavior are collected; assuming that the system call is fork, the auditing process creates behavior and collects the PID of the parent process and the path of the parent process.
S306, inquiring and recording the process UUID and the session UUID of the current process.
In this embodiment, a unique process UUID is configured for each process, a session UUID is configured, the processes in each session have the same UUID, and the process UUID and the session UUID of the current process corresponding to the system call can be queried.
S307, acquiring a mandatory access control strategy.
In this embodiment, a mandatory access control policy also exists in the configuration cache, and when the system call is audited, and a certain behavior in the configured preset audit behavior is configured not to be allowed to be executed, the system call may be blocked from being continuously executed, or the mandatory access control policy includes a mandatory control behavior, and when the acquired behavior content matches the mandatory access control policy, the system call is prevented from being continuously executed, and the audit content is directly reported.
S308, judging whether the system call is blocked, if not, turning to S309, and if so, turning to S311.
And S309, reporting the audit content to an application layer.
And S310, executing the original system call.
And S311, reporting the audit content to an application layer.
And after the audit is finished, reporting the audit content to an application layer by using a netlink mode (a technology for communication between the application layer and a kernel), wherein the audit content at least comprises behavior content, process UUID and session UUID.
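As an added example (not the patent's own code), the following Python runs steps S303 to S311 for one executed system call over a constructed configuration cache: the audited-syscall set, the custom fields per behavior and a mandatory access control rule. The process-UUID table, the `/etc/` chmod rule and the `NetlinkStandIn` collector that replaces the netlink socket are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed configuration cache (S303): which system calls are audited, which
# custom fields are collected per behavior, and the mandatory access control policy.
CONFIG_CACHE = {
    "audited_syscalls": {"fork", "execute", "open", "chmod", "unlink"},
    "custom_fields": {
        "fork": ["ppid", "parent_path"],               # the page's fork example
        "execute": ["ppid", "parent_path", "filename"],
        "open": ["filename", "flags"],
        "chmod": ["filename", "mode"],
        "unlink": ["filename"],
    },
    # Constructed MAC rule: chmod on anything below /etc/ is configured as not allowed.
    "mac_policy": [{"syscall": "chmod", "filename_prefix": "/etc/"}],
}

# Constructed stand-in for the table the fork hook maintains (S306):
# pid -> (process UUID, session UUID). PIDs 200 and 201 belong to the same login.
UUID_TABLE = {
    200: ("5d1a2b3c-0000-4000-8000-000000000200", "aaaa1111-0000-4000-8000-00000000a001"),
    201: ("5d1a2b3c-0000-4000-8000-000000000201", "aaaa1111-0000-4000-8000-00000000a001"),
}


@dataclass
class AuditRecord:
    """Audit content as the page defines it: behavior content plus both UUIDs."""
    syscall: str
    fields: dict
    proc_uuid: str
    session_uuid: str
    blocked: bool


class NetlinkStandIn:
    """Collects reported records; replaces the netlink socket to the application layer."""

    def __init__(self) -> None:
        self.sent: list[AuditRecord] = []

    def send(self, record: AuditRecord) -> None:
        self.sent.append(record)


def mac_blocks(syscall: str, args: dict, policy: list[dict]) -> bool:
    """S307: true when the behavior content matches a mandatory access control rule."""
    filename = str(args.get("filename", ""))
    return any(rule["syscall"] == syscall and filename.startswith(rule["filename_prefix"])
               for rule in policy)


def audit_syscall(syscall: str, pid: int, args: dict, reporter: NetlinkStandIn,
                  config: dict = CONFIG_CACHE, uuid_table: dict = UUID_TABLE,
                  ) -> tuple[bool, AuditRecord | None]:
    """Steps S303-S311 for one executed system call (S302).

    Returns (allowed, record): `allowed` says whether the original system call may
    proceed (S310); `record` is what was reported, or None when not audited."""
    # S303/S304: look the system call up in the configuration cache.
    if syscall not in config["audited_syscalls"]:
        return True, None                                 # straight to S310
    # S305: keep only the configured custom fields; anything else the raw event
    # carries (e.g. fsuid, which the page says the original audit always reports) is dropped.
    fields = {name: args[name] for name in config["custom_fields"].get(syscall, [])
              if name in args}
    # S306: look up the UUIDs of the current process.
    proc_uuid, session_uuid = uuid_table.get(pid, ("unknown", "unknown"))
    # S307/S308: consult the mandatory access control policy.
    blocked = mac_blocks(syscall, args, config["mac_policy"])
    record = AuditRecord(syscall, fields, proc_uuid, session_uuid, blocked)
    reporter.send(record)                                 # S309 or S311
    return not blocked, record                            # S310 only when not blocked


def demo() -> list[AuditRecord]:
    """Constructed events for a stand-alone run: one audited, one blocked, one ignored."""
    reporter = NetlinkStandIn()
    audit_syscall("fork", 200, {"ppid": 100, "parent_path": "/usr/sbin/sshd", "fsuid": 0}, reporter)
    audit_syscall("chmod", 201, {"filename": "/etc/passwd", "mode": 0o777}, reporter)
    audit_syscall("getpid", 201, {}, reporter)
    return reporter.sent


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```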
In the application layer command auditing method provided by this embodiment, the kernel module audits system behavior without recompiling the system kernel and without affecting upper-layer applications. The audited fields can be defined flexibly, so that exactly the required field contents are provided and the efficiency of the audit content is improved. A unique process UUID is configured for each process and a session UUID is configured such that the processes in one session share the same UUID, which facilitates analysis and association of large amounts of data and provides stronger event support for subsequent analysis of the audit content.
As shown in fig. 4, the present embodiment provides a system behavior auditing apparatus, which includes a hook module 401, an obtaining module 402, a recording module 403, and a reporting module 404;
The hook module 401 is used for loading a kernel module and hooking system calls; the obtaining module 402 is configured to obtain behavior content corresponding to the system call according to a preset configuration when it is determined that the system call is executed and audited; the recording module 403 is configured to record the process UUID and the session UUID of the current process; the reporting module 404 is configured to report the behavior content, the process UUID and the session UUID as audit content.
The obtaining module 402 is specifically configured to: recording operation behaviors corresponding to system call according to the configured preset audit behaviors; and collecting the content field of the operation behavior according to the configured custom audit field. The application layer command auditing device further comprises a generating module: configuring a unique process UUID for each process and configuring a unique session UUID for the same session;
specifically, existing processes are scanned, a process UUID is generated for each process, and the same session UUID is generated for a process chain when the process is determined to be on the process chain of the same login process according to the process tree relation.
Traversing the process tree to obtain a PID; when the PID is newly generated, generating a process UUID for a new process corresponding to the PID; judging whether the parent process is a login process; if yes, generating a new session UUID for the new process; if not, inheriting the session UUID of the parent process.
In this embodiment, the reporting module 404 is specifically configured to obtain a mandatory access control policy according to a custom function; determining whether to block the system call according to a mandatory access control policy; if not, after reporting the audit content, executing the original system call; if so, reporting the audit content.
Reporting the audit content comprises the following steps: and reporting the audit content to an application layer by using a socket netlink mode.
An embodiment of the present invention further provides a terminal, as shown in fig. 5, where the terminal includes a processor 501, a memory 502, and a communication bus 503;
the communication bus 503 is used for realizing connection communication between the processor 501 and the memory 502;
the processor 501 is configured to execute one or more computer programs stored in the memory 502 to implement the steps of the container behavior auditing method in the foregoing embodiments, which are not described in detail herein.
An embodiment of the present invention further provides a storage medium, where the storage medium stores one or more computer programs, and the one or more computer programs can be executed by one or more processors to implement the steps of the application layer command auditing method in the foregoing embodiments, which are not described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The technical solutions provided by the embodiments of the present invention are described in detail above, and the principles and embodiments of the present invention are explained in this patent by applying specific examples, and the descriptions of the embodiments above are only used to help understanding the principles of the embodiments of the present invention; the above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (8)

1. A system behavior auditing method, characterized in that the system behavior auditing method comprises:
loading a kernel module, and hooking system calls;
when the system call is executed and audited, behavior content corresponding to the system call is obtained according to preset configuration;
recording a process UUID and a session UUID of a current process;
reporting the behavior content, the process UUID and the session UUID as audit contents;
the reporting the behavior content, the process UUID and the session UUID as audit contents comprises the following steps:
acquiring a mandatory access control strategy according to a custom function;
determining whether to block the system call according to the mandatory access control policy;
if not, after reporting the audit content, executing the system call;
if yes, reporting the audit content;
the behavior content is generated by a system, the process UUID and the session UUID are generated after the system behavior is captured, and the process UUID and/or the session UUID and the system behavior information are bound and reported uniformly as audit information;
the method further comprises the following steps: creating a process UUID and session UUID array, generating the process UUID and the session UUID for a process and storing them into the array, traversing a process tree to acquire a PID, and judging whether the PID exists in the array; if so, continuing to traverse the process tree; if not, the PID represents a newly created process, so the process UUID is generated for it and it is further judged whether its parent process is a login process; if yes, a new session UUID is generated; if not, the new process and the parent process are on one process chain, so the session UUID of the parent process is inherited and the same session UUID is used; the process tree is then traversed further or a fork system call event is monitored, and when a fork system call is executed a new PID is obtained and a process UUID is generated for the new PID in the same way.
2. The system behavior auditing method according to claim 1, wherein obtaining the behavior content corresponding to the system call according to a preset configuration comprises:
recording the operation behavior corresponding to the system call according to the configured preset audit behavior;
collecting the content fields of the operation behavior according to the configured custom audit fields.
3. The system behavior auditing method according to claim 2, wherein, before recording the process UUID and the session UUID of the current process, the method further comprises:
configuring a unique process UUID for each process and a unique session UUID shared by the processes of the same session.
4. The system behavior auditing method according to claim 3, wherein configuring a unique process UUID for each process and a unique session UUID for the same session comprises:
scanning the existing processes, generating a process UUID for each process, and generating the same session UUID for a process chain when the process tree relationship shows that the processes are on the process chain of the same login process.
5. The system behavior auditing method according to claim 4, wherein configuring a unique process UUID for each process and a unique session UUID for the same session further comprises:
traversing the process tree to obtain a PID;
when the PID is newly generated, generating a process UUID for the new process corresponding to the PID;
judging whether its parent process is a login process; if so, generating a new session UUID for the new process; if not, inheriting the session UUID of the parent process.
6. The system behavior auditing method according to claim 1, wherein reporting the audit content comprises:
reporting the audit content to the application layer via a netlink socket.
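The process-UUID and session-UUID assignment of claims 1, 4 and 5, as an added user-space model in Python (not the patent's code, which runs as a kernel module): it walks a constructed process table from the tree roots, gives each PID a process UUID, starts a new session UUID when the parent is a login process and otherwise inherits the parent's, then handles a later fork event and binds UUIDs to a behavior record. The login-process rule (matching the command name against LOGIN_COMMANDS) and the process table are assumptions constructed for this example.

```python
import uuid
# Constructed: command names treated as the login process that opens a session.
LOGIN_COMMANDS = {"sshd", "login"}

class UuidTracker:
    def __init__(self):
        self.proc = {}          # pid -> (ppid, comm): the process tree
        self.process_uuid = {}  # pid -> process UUID (the "array" of claim 1)
        self.session_uuid = {}  # pid -> session UUID
    def add_process(self, pid, ppid, comm):
        """Assign UUIDs to a PID seen in the initial scan or in a fork event."""
        self.proc[pid] = (ppid, comm)
        if pid in self.process_uuid:
            return  # already in the array: keep traversing, nothing to do
        self.process_uuid[pid] = str(uuid.uuid4())  # newly generated process
        parent = self.proc.get(ppid)
        if parent is not None and parent[1] in LOGIN_COMMANDS:
            # Parent is a login process: this PID starts a new session.
            self.session_uuid[pid] = str(uuid.uuid4())
        elif ppid in self.session_uuid:
            # Same process chain as the parent: inherit its session UUID.
            self.session_uuid[pid] = self.session_uuid[ppid]
        else:
            # Tree root with no known parent: give it a session of its own.
            self.session_uuid[pid] = str(uuid.uuid4())
    def scan(self, table):
        """Initial scan (claim 4): walk the tree from its roots so parents come first."""
        children = {}
        for row in table:
            children.setdefault(row[1], []).append(row)
        pending = [row for row in table if row[1] not in {r[0] for r in table}]
        while pending:
            pid, ppid, comm = pending.pop(0)
            self.add_process(pid, ppid, comm)
            pending.extend(children.get(pid, []))

    def audit_record(self, pid, behavior):
        """Bind behavior content to the process and session UUIDs (claim 1)."""
        return {"behavior": behavior, "process_uuid": self.process_uuid[pid],
                "session_uuid": self.session_uuid[pid]}

# Constructed process table: (pid, ppid, comm).
PROCESS_TABLE = [(1, 0, "systemd"), (400, 1, "sshd"), (700, 1, "cron"),
                 (1200, 400, "bash"), (1250, 1200, "vim"), (1300, 400, "bash")]

def demo():
    t = UuidTracker()
    t.scan(PROCESS_TABLE)
    t.add_process(1260, 1250, "sh")  # fork event (claim 5): vim spawns a shell
    return t
```

In the constructed table the two bash shells under sshd receive distinct session UUIDs, while vim and the shell it forks share the first shell's session UUID.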
7. A terminal, characterized in that the terminal comprises a processor, a memory and a communication bus;
the communication bus is used for realizing connection communication between the processor and the memory;
the processor is configured to execute one or more computer programs stored in the memory to implement the steps of the system behavior auditing method according to any one of claims 1 to 6.
8. A storage medium storing one or more computer programs executable by one or more processors to perform the steps of a system behavior auditing method according to any one of claims 1 to 6.
CN202010942657.5A 2020-09-09 2020-09-09 System behavior auditing method, device, terminal and storage medium Active CN112084091B (en)

Publications (2)

Publication Number Publication Date
CN112084091A CN112084091A (en) 2020-12-15
CN112084091B true CN112084091B (en) 2021-07-30

Family

ID=73733021

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant