CN112307482A - Intrusion kernel detection method and device based on target range and computing equipment - Google Patents
Publication number: CN112307482A (application CN201910691025.3A)
Authority: CN (China)
Legal status: Pending (the status shown by Google Patents is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The invention discloses a kernel-intrusion detection method and apparatus based on a target range, together with a computing device and a computer storage medium. The method comprises the following steps: implanting preset vulnerability code into a device equipped with a kernel-intrusion detection system, thereby building a target range; simulating, in the target range, the running of a kernel-intrusion process that attacks the preset vulnerability code; and acquiring the detection result of the kernel-intrusion detection system for that process, so as to determine from the detection result whether the detection performed by the kernel-intrusion detection system is effective. By building a target range on real equipment and simulating the running of a kernel-intrusion process, whether the kernel-intrusion detection system is effective can be tested and its detection effect evaluated.
Description
Technical Field
The invention relates to the field of software, and in particular to a kernel-intrusion detection method and apparatus based on a target range, a computing device, and a computer storage medium.
Background
An attacker who intrudes into the kernel aims to acquire the ROOT privilege of the device and thereby control the whole device. For the security of the kernel, kernel-intrusion processes are detected so that an attack on ROOT by a process can be discovered quickly and in good time.
Whether kernel-intrusion detection is effective, that is, whether it can detect a process's attack on ROOT, cannot be assured merely by verifying it on actual equipment. A target range for kernel-intrusion detection is therefore needed in order to evaluate the detection effect of the kernel-intrusion detection.
Disclosure of Invention
In view of the above, the present invention has been developed to provide a target-range-based kernel-intrusion detection method and apparatus, a computing device, and a computer storage medium that overcome, or at least partially address, the above problems.
According to one aspect of the invention, a target-range-based kernel-intrusion detection method is provided, comprising the following steps:
implanting preset vulnerability code into a device equipped with a kernel-intrusion detection system to build a target range;
simulating, in the target range, the running of a kernel-intrusion process that attacks the preset vulnerability code;
and acquiring the detection result of the kernel-intrusion detection system for that process, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective.
According to another aspect of the present invention, a target-range-based kernel-intrusion detection apparatus is provided, comprising:
an implantation module adapted to implant preset vulnerability code into a device equipped with a kernel-intrusion detection system to build a target range;
a simulation module adapted to simulate, in the target range, the running of a kernel-intrusion process that attacks the preset vulnerability code;
and an acquisition module adapted to acquire the detection result of the kernel-intrusion detection system for that process, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective.
According to yet another aspect of the present invention, a computing device is provided, comprising a processor, a memory and a communication interface that communicate with one another through a communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above target-range-based kernel-intrusion detection method.
According to yet another aspect of the present invention, a computer storage medium is provided in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the above target-range-based kernel-intrusion detection method.
According to the target-range-based kernel-intrusion detection method and apparatus, the computing device and the computer storage medium, preset vulnerability code is implanted into a device equipped with a kernel-intrusion detection system to build a target range; the running of a kernel-intrusion process that attacks the preset vulnerability code is simulated in the target range; and the detection result of the kernel-intrusion detection system for that process is acquired, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective. By building a target range on real equipment and simulating the running of a kernel-intrusion process, whether the kernel-intrusion detection system is effective can be tested and its detection effect evaluated.
The foregoing is only an overview of the technical solution of the present invention. The embodiments of the present invention are described below so that the technical means of the invention may be understood more clearly, and so that the above and other objects, features and advantages of the invention become more readily understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a target-range-based kernel-intrusion detection method according to one embodiment of the present invention;
FIG. 2 illustrates a flow diagram of the detection of a process by a kernel-intrusion detection system according to one embodiment of the invention;
FIG. 3 shows a functional block diagram of a target-range-based kernel-intrusion detection apparatus according to one embodiment of the present invention;
FIG. 4 shows a schematic structural diagram of a computing device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a flow diagram of a target-range-based kernel-intrusion detection method according to one embodiment of the present invention. As shown in fig. 1, the target-range-based kernel-intrusion detection method specifically includes the following steps:
Step S101: implant preset vulnerability code into a device equipped with a kernel-intrusion detection system to build a target range.
In order to test the effectiveness of the kernel-intrusion detection system and ensure that it detects kernel-intrusion processes accurately and in good time, this embodiment builds a target range in real equipment and uses the target range to simulate the various attack operations of a kernel-intrusion process, so as to obtain the detection effect of the kernel-intrusion detection system.
The target range is built in real equipment on which the kernel-intrusion detection system is installed, so that the detection effect of the kernel-intrusion detection system on real equipment can be simulated. Building the target range requires implanting preset vulnerability code into the device, which provides an object that a kernel-intrusion process can attack. The preset vulnerability code is prepared for the various vulnerability types exploited by kernel intrusions and includes stack overflow vulnerability code (stack overflow), heap overflow vulnerability code (heap overflow), use-after-free vulnerability code (Use After Free, UAF), arbitrary write vulnerability code (arbitrary write), 1Day vulnerability code (1Day), and the like. When the preset vulnerability code is implanted into the device, it can be implanted directly into the native code of the device, or the fix patch corresponding to the vulnerability can be disabled or removed so that the patch does not take effect and the corresponding vulnerability is present in the device.
Step S102: simulate, in the target range, the running of a kernel-intrusion process that attacks the preset vulnerability code.
After the target range is built, the running of a kernel-intrusion process is simulated so that the process attacks the preset vulnerability code; in this way the operation of intruding into the kernel by exploiting the vulnerability is realised by the simulated process in the target range.
Step S103: obtain the detection result of the kernel-intrusion detection system for the process, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective.
The kernel-intrusion detection system in the device can detect a kernel-intrusion process; when the process simulated in the target range attacks ROOT, the detection result of the kernel-intrusion detection system for that process is obtained. The detection result is then judged: if the result is that the process is a kernel-intrusion process, the kernel-intrusion detection system has correctly detected the kernel-intrusion process, and its detection is determined to be effective. Conversely, if the result is that the process is not a kernel-intrusion process, the kernel-intrusion detection system has failed to detect the kernel-intrusion process correctly, its detection is determined to be ineffective, and the kernel-intrusion detection system needs to be corrected or otherwise adjusted so as to improve its detection accuracy.
According to the target-range-based kernel-intrusion detection method provided by the invention, preset vulnerability code is implanted into a device equipped with a kernel-intrusion detection system to build a target range; the running of a kernel-intrusion process that attacks the preset vulnerability code is simulated in the target range; and the detection result of the kernel-intrusion detection system for that process is acquired, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective. By building a target range on real equipment and simulating the running of a kernel-intrusion process, whether the kernel-intrusion detection system is effective can be tested and its detection effect evaluated.
FIG. 2 illustrates a flow diagram of the detection of a process by the kernel-intrusion detection system according to one embodiment of the invention. As shown in fig. 2, the detection flow of the kernel-intrusion detection system specifically includes the following steps:
Step S201: set up multi-level detection at different module layers of the device to detect a process.
The device needs to restrict access between different programs, so as to prevent problems such as data leakage caused by programs reading each other's memory data or reading data from hardware devices. The device is divided into different module layers: a user-mode layer and a kernel-mode layer. The kernel-intrusion detection system sets different detection conditions on the different module layers of the device according to the characteristics of each layer, so as to realise multi-level detection of a process.
The detection conditions require that the characteristic information of a kernel-intrusion process's ROOT attack behaviour be extracted in advance, and that the detection condition corresponding to each piece of characteristic information be determined. A kernel-intrusion process differs from a normal process; once the characteristic information of its ROOT attack behaviour has been extracted, detection can be carried out against that information to determine whether the process is attacking ROOT. Analysing the ROOT attack behaviour of a kernel-intrusion process, the extracted characteristic information comprises the following: 1. reading system information and searching for system vulnerabilities, as preparatory work; 2. triggering the vulnerability by means such as races between processes or special system calls; 3. using special functions, such as heap spray functions, to exploit the vulnerability and gain control of the PC register; 4. bypassing security mechanisms such as PAN/PXN/CFI by an attack method based on code reuse, such as Return-Oriented Programming (ROP), to acquire the ability to execute arbitrary code; 5. modifying the process information to elevate the process's own privilege to ROOT privilege.
Based on the extracted characteristic information, the ROOT attack behaviour of a kernel-intrusion process can be divided into suspicious attack behaviour and determined attack behaviour, and different detection conditions are set for each. The suspicious-attack detection conditions, corresponding to suspicious attack behaviour, mainly detect the preparatory work a process performs before attacking ROOT, for example whether the process searches for a system vulnerability or triggers one in order to attack ROOT. The determined-attack detection conditions, corresponding to determined attack behaviour, mainly detect the specific ROOT attack behaviour of a kernel-intrusion process.
Specific suspicious-attack detection conditions include, for example: detecting whether the number of processes created within a time window exceeds a preset threshold and the processes are in a race condition with one another. The number of normal processes in a time window generally does not exceed the preset threshold; when it does, problems such as slow running of the device, high memory usage and downtime may result, and when the processes race with one another, for example by preempting each other's resources, problems such as deadlock arise easily, system vulnerabilities are easily triggered, and a ROOT attack results. Or detecting whether a process binds a thread to a specified CPU for execution; a thread bound to a specified special CPU can read system information, which facilitates a ROOT attack. Or detecting whether a process reads the kernel version, that is, reads system information, in preparation for a ROOT attack. Or detecting whether a process causes the system to crash and restart in order to carry out a ROOT attack. Or detecting whether a process triggers kernel warning information while attacking the kernel. Or detecting whether a process invokes a specified system call to trigger a system vulnerability. Or detecting whether a process causes abnormal system call parameters in order to exploit a vulnerability. Or detecting whether a process calls a specified system function to perform heap spraying and memory layout in order to exploit a vulnerability. Or detecting whether a process creates more than a preset threshold number of specified ports within a time window in order to exploit a vulnerability.
The various suspicious-attack detection conditions can detect a process before it performs a specific attack on ROOT, so that kernel-intrusion processes are detected more effectively. Furthermore, a corresponding weight value can be set for each suspicious-attack detection condition, and when the accumulated weight values satisfy the suspicious-attack detection condition, for example by reaching a suspicious-attack threshold, suspicious attack behaviour of the process towards ROOT is determined.
Determined-attack detection conditions include, for example: detecting whether a process modifies a data structure related to process permissions; detecting whether a process modifies its access address range; detecting whether a process uses the characteristics of the pipe system calls to read and write an arbitrary address; detecting whether a process modifies kernel memory attributes; detecting whether a process registers a malicious node; detecting whether a process modifies a specific pointer so that it points to a segment that is not read-only; detecting whether a process modifies a security policy configuration file; and the like. In each determined-attack detection condition, the process maliciously modifies the device's system kernel, access address, node or the like, which constitutes a determined attack on ROOT.
The kernel-mode layer is a lightweight engine; for performance reasons, detection in the kernel-mode layer can be carried out in high real time, which suits it to determining a process's attack behaviour towards ROOT more quickly. In this embodiment, the determined-attack detection conditions are set in the kernel-mode layer, so that determined attack behaviour is detected in high real time and whether a process exhibits determined attack behaviour is discovered in good time.
When a process executes its own code, it usually runs in the user-mode layer. The user-mode layer can detect a process more accurately and with more complex logic than the kernel-mode layer. In this embodiment, the suspicious-attack detection conditions are set in the user-mode layer, and detection is carried out per process, so that whether a process exhibits suspicious attack behaviour can be conveniently discovered.
Step S202: determine, according to the detection results of the multi-level detection, whether the process is a kernel-intrusion process.
When a process runs in the device, and specifically when it executes in the user-mode layer, the kernel-intrusion detection system detects the process according to the suspicious-attack detection conditions preset in the user-mode layer. If the process satisfies a suspicious-attack detection condition, the weight values set for the various suspicious-attack detection conditions are accumulated over the conditions the process satisfies, and if the accumulated weight value satisfies the suspicious-attack detection condition, for example by reaching the suspicious-attack threshold, the process is determined to be a suspicious kernel-intrusion process. A suspicious process is stopped by sending it a SIGSTOP signal, and the user is prompted that the process is suspicious. The user is prompted, for example by a pop-up dialog box, to choose whether to continue or stop the execution of the process. If the user chooses to continue, the subsequent execution of the process is monitored and its subsequent system calls are recorded. When the process executes in the kernel-mode layer, the kernel-intrusion detection system detects the process according to the determined-attack detection conditions preset in the kernel-mode layer, and if the process satisfies any one of the determined-attack detection conditions, it is determined to be a determined kernel-intrusion process. A determined process must be stopped immediately and its attack behaviour prevented, for example by stopping the process with a SIGSTOP signal and preventing it from modifying kernel memory, addresses, nodes, files and the like.
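The following Python models the detection flow of steps S201 and S202 together with the target-range effectiveness check of steps S101 to S103: weighted suspicious-attack conditions in the user-mode layer, determined-attack conditions in the kernel-mode layer, and a harness that replays constructed traces of simulated processes and reports whether each is judged correctly. It is an added example, not code from the patent; every condition name, weight, threshold, action label and trace is a constructed assumption.

```python
"""Added example (not from the patent): a model of the two-layer kernel-intrusion
detector and of the target-range check of its effectiveness. All values constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed thresholds for the user-mode (suspicious-attack) layer.
SUSPICIOUS_THRESHOLD = 60   # accumulated weight that marks a suspicious process
PROC_CREATE_LIMIT = 50      # processes created per time window
ALLOC_BURST_LIMIT = 1000    # allocation calls that look like a heap spray
# Kernel-mode (determined-attack) conditions; any single hit is decisive.
DETERMINED_CONDITIONS = {
    "modify_cred_struct",           # process-permission data structure changed
    "modify_addr_limit",            # process access address range changed
    "pipe_arbitrary_rw",            # pipe system calls used on an arbitrary address
    "modify_kernel_mem_attr",       # kernel memory attributes changed
    "register_malicious_node",      # malicious node registered
    "pointer_to_writable_segment",  # specific pointer points to a non-read-only segment
    "modify_security_policy",       # security policy configuration file changed
}

@dataclass
class ProcessTrace:
    """Constructed record of one process as seen by both module layers."""
    name: str
    procs_created_in_window: int = 0
    race_between_children: bool = False
    read_kernel_version: bool = False
    kernel_warnings: int = 0
    alloc_calls: int = 0
    kernel_events: List[str] = field(default_factory=list)

@dataclass
class Verdict:
    level: str             # "benign" | "suspicious" | "determined"
    score: int             # accumulated suspicious weight from the user-mode layer
    reasons: List[str]     # conditions that fired
    action: Optional[str]  # SIGSTOP-based response, None for benign

def suspicious_conditions(t: ProcessTrace) -> Dict[str, int]:
    """User-mode layer: every satisfied suspicious-attack condition with its weight."""
    hits: Dict[str, int] = {}
    if t.procs_created_in_window > PROC_CREATE_LIMIT and t.race_between_children:
        hits["process_burst_with_race"] = 30
    if t.read_kernel_version:
        hits["read_kernel_version"] = 15
    if t.kernel_warnings > 0:
        hits["triggered_kernel_warning"] = 25
    if t.alloc_calls > ALLOC_BURST_LIMIT:
        hits["heap_spray_like_allocation"] = 30
    return hits

def detect(t: ProcessTrace) -> Verdict:
    """Multi-level detection (S201/S202): kernel-mode layer first, then user-mode layer."""
    determined = sorted(DETERMINED_CONDITIONS.intersection(t.kernel_events))
    if determined:  # determined attack: stop the process and block the modification
        return Verdict("determined", 0, determined, "SIGSTOP+block")
    hits = suspicious_conditions(t)
    score = sum(hits.values())
    if score >= SUSPICIOUS_THRESHOLD:  # suspicious attack: stop and prompt the user
        return Verdict("suspicious", score, sorted(hits), "SIGSTOP+prompt")
    return Verdict("benign", score, sorted(hits), None)

@dataclass
class RangeScenario:  # one simulated process run in the range against an implanted bug
    vuln_type: str
    trace: ProcessTrace
    is_intrusion: bool  # ground truth known to the range operator

def build_range_scenarios() -> List[RangeScenario]:
    """Constructed scenarios: one per implanted vulnerability type plus a benign control."""
    return [
        RangeScenario("stack_overflow", ProcessTrace(
            "sim_stack", procs_created_in_window=80, race_between_children=True,
            read_kernel_version=True, kernel_warnings=1), True),   # 30+15+25 = 70
        RangeScenario("heap_overflow", ProcessTrace(
            "sim_heap", read_kernel_version=True, alloc_calls=5000,
            kernel_events=["modify_cred_struct"]), True),          # user-mode 45, kernel hit
        RangeScenario("use_after_free", ProcessTrace(
            "sim_uaf", kernel_events=["pipe_arbitrary_rw", "modify_addr_limit"]), True),
        RangeScenario("1day", ProcessTrace(
            "sim_1day", read_kernel_version=True), True),          # 15: missed by detector
        RangeScenario("benign_control", ProcessTrace(
            "build_job", procs_created_in_window=120, read_kernel_version=True), False),
    ]

def evaluate_range(scenarios: List[RangeScenario]) -> Dict[str, Dict[str, object]]:
    """S103: compare each verdict with ground truth; 'effective' means they agree."""
    results: Dict[str, Dict[str, object]] = {}
    for s in scenarios:
        v = detect(s.trace)
        flagged = v.level != "benign"
        results[s.vuln_type] = {"level": v.level, "score": v.score, "action": v.action,
                                "effective": flagged == s.is_intrusion}
    return results

def range_effective(results: Dict[str, Dict[str, object]]) -> bool:
    """Detection counts as effective only when every range scenario is judged correctly."""
    return all(r["effective"] for r in results.values())
```

The `1day` scenario is constructed so that the detector misses it, which is the case in which step S103 judges the detection ineffective and the detection conditions need correction.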
Further, the present embodiment further includes the following steps:
Step S203: report the process event information of the process to the server, and acquire the process handling policy for the process issued by the server in order to update the detection conditions.
After the user-mode layer detects a suspicious kernel-intrusion process, it monitors that process and records process event information such as the suspicious system call sequence during its execution, the suspicious information of the process, the process name and the device version information; after the kernel-mode layer detects a determined kernel-intrusion process, it sends process event information such as the rule triggered by the process and the pid/uid/tgid associated with the process to the user-mode layer. The user-mode layer reports the process event information to the server. Specifically, the user-mode layer may report the process event information to the server through a third-party program such as a cloud interface, and the server analyses the process event information to determine the corresponding handling policy. According to the handling policy for the process issued by the server, the suspicious-attack detection conditions and determined-attack detection conditions among the detection conditions are updated further, and the detection conditions are updated continuously, so that detection accuracy improves and the attack behaviour of kernel-intrusion processes is responded to.
Further, when the behaviour of a process is not covered by the detection conditions and it cannot be determined whether that behaviour is a ROOT attack, or when a process intrudes into the kernel to carry out a ROOT attack but is not detected, the user-mode layer collects process event information such as the system call sequence, device version and application list of the process and reports it to the server, which analyses it and obtains the corresponding process handling policy for subsequent handling; the detection conditions are then updated according to that policy, which keeps the detection conditions up to date in real time and addresses the different attack behaviours of kernel-intrusion processes.
According to the detection flow of the kernel-intrusion detection system provided by the invention, the characteristic information of a kernel-intrusion process's ROOT attack behaviour is extracted and the detection conditions corresponding to that characteristic information are determined, where the detection conditions include suspicious-attack detection conditions and determined-attack detection conditions; multi-level detection is set up at different module layers of the device to detect a process, each level of detection corresponding to different detection conditions; and whether the process is a kernel-intrusion process is determined according to the detection results of the multi-level detection. Since the detection conditions are determined from characteristic information extracted from kernel-intrusion processes, and detection is carried out in a targeted way by the multi-level detection arranged in the different module layers of the device, the attack behaviour of a process can be detected effectively before or while it attacks ROOT, so that execution of the process is prevented and intrusion into the kernel is avoided.
FIG. 3 shows a functional block diagram of a target-range-based kernel-intrusion detection apparatus according to one embodiment of the present invention. As shown in fig. 3, the target-range-based kernel-intrusion detection apparatus includes the following modules:
The implantation module 310 is adapted to implant preset vulnerability code into a device equipped with a kernel-intrusion detection system to build a target range.
The simulation module 320 is adapted to simulate, in the target range, the running of a kernel-intrusion process that attacks the preset vulnerability code.
The acquisition module 330 is adapted to acquire the detection result of the kernel-intrusion detection system for that process, so as to determine from the detection result whether the detection of the kernel-intrusion detection system is effective.
Optionally, the acquisition module 330 is further adapted to acquire the detection result of the kernel-intrusion detection system for the process and, if the detection result is that the process is a kernel-intrusion process, determine that the detection of the kernel-intrusion detection system is effective.
Optionally, the kernel-intrusion detection system includes the following modules: an extraction module 340, a multi-level detection module 350 and a determination module 360.
The extraction module 340 is adapted to extract the characteristic information of a kernel-intrusion process's ROOT attack behaviour and determine the detection conditions corresponding to that characteristic information, where the detection conditions include suspicious-attack detection conditions and determined-attack detection conditions.
The multi-level detection module 350 is adapted to set up multi-level detection at different module layers of the device to detect a process, each level of detection corresponding to different detection conditions.
The determination module 360 is adapted to determine, according to the detection results of the multi-level detection, whether the process is a kernel-intrusion process.
Optionally, the multi-level detection module 350 is further adapted to set suspicious-attack detection conditions for the user-mode layer and determined-attack detection conditions for the kernel-mode layer.
Optionally, the determination module 360 is further adapted to detect the process in the user-mode layer according to the suspicious-attack detection conditions; if the process satisfies the suspicious-attack detection condition, determine that it is a suspicious kernel-intrusion process; and stop the process and prompt the user that the process is suspicious.
Optionally, the determination module 360 is further adapted to detect the process in the kernel-mode layer according to the determined-attack detection conditions; if the process satisfies a determined-attack detection condition, determine that it is a determined kernel-intrusion process; and stop the process and prevent its attack behaviour.
Optionally, the kernel-intrusion detection system further includes a reporting module 370.
The reporting module 370 is adapted to report the process event information of the process to the server and acquire the process handling policy issued by the server in order to update the detection conditions.
The descriptions of the modules refer to the corresponding descriptions in the method embodiments, and are not repeated herein.
The present application further provides a non-volatile computer storage medium storing at least one executable instruction, where the executable instruction causes a processor to execute the target-range-based intrusion kernel detection method of any of the method embodiments above.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein:
the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically execute the relevant steps of the above embodiment of the target-range-based intrusion kernel detection method.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 stores the program 410. Memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the target-range-based intrusion kernel detection method of any of the above method embodiments. For the specific implementation of each step in the program 410, reference may be made to the corresponding steps and the corresponding descriptions of units in the above target-range-based intrusion kernel detection embodiment, which are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may refer to the corresponding process descriptions in the foregoing method embodiments and are not repeated here.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the target-range-based intrusion kernel detection apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
The invention discloses: A1. An intrusion kernel detection method based on a target range, comprising:
implanting preset vulnerability code into a device provided with an intrusion kernel detection system to build a target range;
simulating, in the target range, the running of a process that invades the kernel by attacking the preset vulnerability code;
and acquiring the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective.
A2. The method according to A1, wherein the preset vulnerability code includes stack overflow vulnerability code, heap overflow vulnerability code, use-after-free vulnerability code, arbitrary-write vulnerability code and/or 1-day vulnerability code.
A3. The method according to A1, wherein acquiring the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective, further includes:
acquiring the detection result of the intrusion kernel detection system for the process;
and, if the detection result is that the process is a process invading the kernel, determining that the detection of the intrusion kernel detection system is effective.
A4. The method according to A1, wherein the detection of the process by the intrusion kernel detection system specifically includes:
setting multi-stage detection at different module layers of the device to detect the process, each stage of detection corresponding to a different detection condition; the detection conditions are determined from the characteristic information of the ROOT (privilege-escalation) attack behavior of a process invading the kernel, and include suspected-attack detection conditions and confirmed-attack detection conditions;
and determining, from the results of the multi-stage detection, whether the process is a process invading the kernel.
A5. The method of A4, wherein the suspected-attack detection conditions include one or more of the following checks:
whether the number of processes created within a time window exceeds a preset threshold and those processes race against one another (a race condition); whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers a kernel warning message; whether the process calls a specified system call; whether the process passes anomalous system call parameters; whether the process calls a specified system function to perform heap spraying and memory layout; and/or whether the number of specified ports the process creates within the time window exceeds a preset threshold;
and the confirmed-attack detection conditions include one or more of the following checks: whether the process modifies a permission-related data structure; whether the process modifies the accessible address range; whether the process reads or writes an arbitrary address using a feature of the pipe system call; whether the process modifies kernel memory attributes; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
A6. The method of A4, wherein the different module layers of the device include a user-mode layer and a kernel-mode layer;
and setting multi-stage detection at different module layers of the device to detect the process further includes:
setting the suspected-attack detection conditions for the user-mode layer and the confirmed-attack detection conditions for the kernel-mode layer.
A7. The method according to A6, wherein determining, from the results of the multi-stage detection, whether the process is a process invading the kernel further includes:
detecting the process at the user-mode layer according to the suspected-attack detection conditions;
if the process meets a suspected-attack detection condition, determining that the process is a suspected process invading the kernel;
and stopping the process and prompting the user that the process is a suspected process.
A8. The method according to A6, wherein determining, from the results of the multi-stage detection, whether the process is a process invading the kernel further includes:
detecting the process at the kernel-mode layer according to the confirmed-attack detection conditions;
if the process meets a confirmed-attack detection condition, determining that the process is a confirmed process invading the kernel;
and stopping the process and blocking the attack behavior of the process.
A9. The method of A7 or A8, wherein the detection of the process by the intrusion kernel detection system further includes:
reporting the process event information of the process to a server, and acquiring the handling policy for the process issued by the server so as to update the detection conditions.
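The two-stage detection of A4-A9 (the extraction, multi-stage detection and determination modules 340-360 above) and the target-range validation step of A1-A3, as an added example that is not code from the patent or its applicant: a Python rule engine that evaluates the suspected-attack conditions over a per-process event trace at the user-mode stage, takes confirmed-attack conditions as events from a hypothetical kernel-mode probe, and then performs the range check by feeding it a constructed exploit trace next to a benign control. The event format, the event kind names (`clone`, `kernel_warning`, `cred_modified`, ...), every threshold, the syscall lists and both traces are assumptions; the patent specifies none of them, and the kernel-side instrumentation that would produce the confirmed-attack events is not implemented here.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts pid kind arg")   # constructed format: seconds, pid, event kind, one argument

# Stage 1, user-mode layer: suspected-attack conditions (claim 5 / A5). All values are assumed.
WINDOW_S, FORK_THRESHOLD, PORT_THRESHOLD, SPRAY_THRESHOLD = 2.0, 16, 64, 32
MIN_SUSPECTED = 2   # user-mode indicators required before the process is stopped and reported
AFFINITY_SYSCALLS = {"sched_setaffinity"}
WATCHED_SYSCALLS = {"ptrace", "keyctl", "userfaultfd"}       # the "specified system calls"
SPRAY_SYSCALLS = {"sendmsg", "msgsnd", "add_key"}             # kernel heap spray primitives
KERNEL_VERSION_SOURCES = {"uname", "open:/proc/version"}

# Stage 2, kernel-mode layer: confirmed-attack conditions, keyed by the event kind a
# hypothetical kernel probe would emit for the offending process.
CONFIRMED_KINDS = {
    "cred_modified": "modified a permission-related data structure",
    "addr_range_modified": "modified the accessible address range",
    "pipe_arbitrary_rw": "arbitrary read/write through the pipe system call",
    "kernel_mem_attr_modified": "modified kernel memory attributes",
    "malicious_node_called": "called a registered malicious node",
    "fptr_to_writable": "redirected a specific pointer to a non-read-only segment",
    "policy_file_modified": "modified the security policy configuration file",
}

def max_in_window(times, window=WINDOW_S):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def user_mode_stage(events, pid):
    """Return the set of suspected-attack conditions that process `pid` satisfies."""
    own = [e for e in events if e.pid == pid]
    calls = lambda names: [e.ts for e in own if e.kind == "syscall" and e.arg in names]
    kinds = lambda kind: [e.ts for e in own if e.kind == kind]
    hits = set()
    clones = [e for e in own if e.kind == "clone"]
    if max_in_window([e.ts for e in clones]) > FORK_THRESHOLD:
        # race heuristic: two or more children issue the same syscall on the same object
        children, by_target = {c.arg for c in clones}, {}
        for e in events:
            if e.kind == "syscall" and e.pid in children:
                by_target.setdefault(e.arg, set()).add(e.pid)
        if any(len(pids) > 1 for pids in by_target.values()):
            hits.add("mass process creation with a race between the children")
    checks = [
        ("binds a thread to a specified CPU", calls(AFFINITY_SYSCALLS)),
        ("reads the kernel version", calls(KERNEL_VERSION_SOURCES)),
        ("caused a system crash and restart", kinds("panic_reboot")),
        ("triggered a kernel warning", kinds("kernel_warning")),
        ("called a specified system call", calls(WATCHED_SYSCALLS)),
        ("passed anomalous system call parameters", kinds("syscall_arg_anomaly")),
        ("heap spraying via a specified function", max_in_window(calls(SPRAY_SYSCALLS)) > SPRAY_THRESHOLD),
        ("created more ports than the threshold", max_in_window(kinds("listen")) > PORT_THRESHOLD),
    ]
    hits.update(label for label, fired in checks if fired)
    return hits

def kernel_mode_stage(events, pid):
    """Return the set of confirmed-attack conditions that process `pid` satisfies."""
    return {CONFIRMED_KINDS[e.kind] for e in events if e.pid == pid and e.kind in CONFIRMED_KINDS}

def classify(events, pid):
    """(verdict, conditions, response): a kernel-mode hit wins and blocks the behavior;
    enough user-mode hits only stop the process and prompt the user (A7/A8)."""
    confirmed = kernel_mode_stage(events, pid)
    if confirmed:
        return "confirmed", confirmed, "stop process and block attack"
    suspected = user_mode_stage(events, pid)
    if len(suspected) >= MIN_SUSPECTED:
        return "suspected", suspected, "stop process and prompt user"
    return "benign", set(), "none"

def range_check(cases):
    """Target-range step (A1-A3): verdict per (name, events, pid, is_intrusion) case and
    whether it matched, so a flagged benign control counts as a failure, not only a miss."""
    outcome = {}
    for name, events, pid, is_intrusion in cases:
        verdict = classify(events, pid)[0]
        outcome[name] = (verdict, (verdict != "benign") == is_intrusion)
    return outcome

def exploit_trace():   # constructed stand-in for the process attacking the implanted vulnerability
    ev = [Event(0.00, 100, "syscall", "uname"), Event(0.05, 100, "syscall", "sched_setaffinity")]
    for i in range(20):                                   # 20 children in 0.8 s racing on fd 3
        ev += [Event(0.10 + i * 0.04, 100, "clone", 200 + i),
               Event(0.12 + i * 0.04, 200 + i, "syscall", "fcntl:fd=3")]
    ev += [Event(1.0 + i * 0.01, 100, "syscall", "sendmsg") for i in range(40)]   # heap spray
    ev.append(Event(1.5, 100, "kernel_warning", "refcount_t: underflow"))
    ev.append(Event(2.0, 100, "cred_modified", "uid 10042 -> 0"))                 # probe event
    return ev

def benign_trace():    # constructed benign control: a build tool that reads the version and forks
    ev = [Event(0.0, 300, "syscall", "uname")]
    ev += [Event(0.1 + i * 0.1, 300, "clone", 400 + i) for i in range(8)]
    ev += [Event(0.15 + i * 0.1, 400 + i, "syscall", "write:fd=1") for i in range(8)]
    return ev

def run_range():
    return range_check([("implanted_vuln_exploit", exploit_trace(), 100, True),
                        ("benign_build", benign_trace(), 300, False)])
```

Two design choices are worth noting. `classify` requires `MIN_SUSPECTED` user-mode indicators before a process is stopped, although the claim permits a single condition: a lone indicator such as reading the kernel version is routine in benign software, and the threshold has to be tuned in the range against benign control traces, which is exactly what `range_check` runs alongside the implanted-vulnerability exploit so that the range measures false positives as well as the missed detection A3 asks about.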
The invention also discloses: B10. An intrusion kernel detection apparatus based on a target range, comprising:
an implantation module adapted to implant preset vulnerability code into a device provided with an intrusion kernel detection system to build a target range;
a simulation module adapted to simulate, in the target range, the running of a process that invades the kernel by attacking the preset vulnerability code;
and an acquisition module adapted to acquire the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective.
B11. The apparatus of B10, wherein the preset vulnerability code includes stack overflow vulnerability code, heap overflow vulnerability code, use-after-free vulnerability code, arbitrary-write vulnerability code and/or 1-day vulnerability code.
B12. The apparatus of B10, wherein the acquisition module is further adapted to:
acquire the detection result of the intrusion kernel detection system for the process;
and, if the detection result is that the process is a process invading the kernel, determine that the detection of the intrusion kernel detection system is effective.
B13. The apparatus of B10, wherein the intrusion kernel detection system comprises:
an extraction module adapted to extract characteristic information of the ROOT (privilege-escalation) attack behavior of a process invading the kernel and to determine the corresponding detection conditions, where the detection conditions include suspected-attack detection conditions and confirmed-attack detection conditions;
a multi-stage detection module adapted to set multi-stage detection at different module layers of the device to detect a process, each stage of detection corresponding to a different detection condition;
and a determination module adapted to determine, from the results of the multi-stage detection, whether the process is a process invading the kernel.
B14. The apparatus of B13, wherein the suspected-attack detection conditions include one or more of the following checks:
whether the number of processes created within a time window exceeds a preset threshold and those processes race against one another (a race condition); whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers a kernel warning message; whether the process calls a specified system call; whether the process passes anomalous system call parameters; whether the process calls a specified system function to perform heap spraying and memory layout; and/or whether the number of specified ports the process creates within the time window exceeds a preset threshold;
and the confirmed-attack detection conditions include one or more of the following checks: whether the process modifies a permission-related data structure; whether the process modifies the accessible address range; whether the process reads or writes an arbitrary address using a feature of the pipe system call; whether the process modifies kernel memory attributes; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
B15. The apparatus of B13, wherein the different module layers of the device include a user-mode layer and a kernel-mode layer;
and the multi-stage detection module is further adapted to set the suspected-attack detection conditions for the user-mode layer and the confirmed-attack detection conditions for the kernel-mode layer.
B16. The apparatus of B15, wherein the determination module is further adapted to: detect the process at the user-mode layer according to the suspected-attack detection conditions;
if the process meets a suspected-attack detection condition, determine that the process is a suspected process invading the kernel;
and stop the process and prompt the user that the process is a suspected process.
B17. The apparatus of B15, wherein the determination module is further adapted to: detect the process at the kernel-mode layer according to the confirmed-attack detection conditions;
if the process meets a confirmed-attack detection condition, determine that the process is a confirmed process invading the kernel;
and stop the process and block the attack behavior of the process.
B18. The apparatus of B16 or B17, wherein the intrusion kernel detection system further comprises:
a reporting module adapted to report the process event information of the process to a server and to acquire the handling policy for the process issued by the server so as to update the detection conditions.
The invention also discloses: C19. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
and the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the target-range-based intrusion kernel detection method of any one of A1-A9.
The invention also discloses: D20. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the target-range-based intrusion kernel detection method of any one of A1-A9.
Claims (10)
1. An intrusion kernel detection method based on a target range, comprising:
implanting preset vulnerability code into a device provided with an intrusion kernel detection system to build a target range;
simulating, in the target range, the running of a process that invades the kernel by attacking the preset vulnerability code;
and acquiring the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective.
2. The method of claim 1, wherein the preset vulnerability code comprises stack overflow vulnerability code, heap overflow vulnerability code, use-after-free vulnerability code, arbitrary-write vulnerability code and/or 1-day vulnerability code.
3. The method of claim 1, wherein acquiring the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective, further comprises:
acquiring the detection result of the intrusion kernel detection system for the process;
and, if the detection result is that the process is a process invading the kernel, determining that the detection of the intrusion kernel detection system is effective.
4. The method according to claim 1, wherein the detection of the process by the intrusion kernel detection system specifically comprises:
setting multi-stage detection at different module layers of the device to detect the process, each stage of detection corresponding to a different detection condition; the detection conditions are determined from the characteristic information of the ROOT (privilege-escalation) attack behavior of a process invading the kernel, and comprise suspected-attack detection conditions and confirmed-attack detection conditions;
and determining, from the results of the multi-stage detection, whether the process is a process invading the kernel.
5. The method of claim 4, wherein the suspected-attack detection conditions comprise one or more of the following checks:
whether the number of processes created within a time window exceeds a preset threshold and those processes race against one another (a race condition); whether the process binds a thread to a specified CPU for execution; whether the process reads the kernel version; whether the process causes a system crash and restart; whether the process triggers a kernel warning message; whether the process calls a specified system call; whether the process passes anomalous system call parameters; whether the process calls a specified system function to perform heap spraying and memory layout; and/or whether the number of specified ports the process creates within the time window exceeds a preset threshold;
and the confirmed-attack detection conditions comprise one or more of the following checks: whether the process modifies a permission-related data structure; whether the process modifies the accessible address range; whether the process reads or writes an arbitrary address using a feature of the pipe system call; whether the process modifies kernel memory attributes; whether the process calls a registered malicious node; whether the process modifies a specific pointer to point to a non-read-only segment; and/or whether the process modifies the security policy configuration file.
6. The method of claim 4, wherein the different module layers of the device comprise a user-mode layer and a kernel-mode layer;
and setting multi-stage detection at different module layers of the device to detect the process further comprises:
setting the suspected-attack detection conditions for the user-mode layer and the confirmed-attack detection conditions for the kernel-mode layer.
7. The method of claim 6, wherein determining, from the results of the multi-stage detection, whether the process is a process invading the kernel further comprises:
detecting the process at the user-mode layer according to the suspected-attack detection conditions;
if the process meets a suspected-attack detection condition, determining that the process is a suspected process invading the kernel;
and stopping the process and prompting the user that the process is a suspected process.
8. An intrusion kernel detection apparatus based on a target range, comprising:
an implantation module adapted to implant preset vulnerability code into a device provided with an intrusion kernel detection system to build a target range;
a simulation module adapted to simulate, in the target range, the running of a process that invades the kernel by attacking the preset vulnerability code;
and an acquisition module adapted to acquire the detection result of the intrusion kernel detection system for the process, so as to determine from the detection result whether the detection of the intrusion kernel detection system is effective.
9. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
and the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the target-range-based intrusion kernel detection method according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the target-range-based intrusion kernel detection method according to any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910691025.3A CN112307482A (en) | 2019-07-29 | 2019-07-29 | Intrusion kernel detection method and device based on target range and computing equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910691025.3A CN112307482A (en) | 2019-07-29 | 2019-07-29 | Intrusion kernel detection method and device based on target range and computing equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112307482A true CN112307482A (en) | 2021-02-02 |
Family
ID=74329990
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910691025.3A Pending CN112307482A (en) | 2019-07-29 | 2019-07-29 | Intrusion kernel detection method and device based on target range and computing equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112307482A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070256059A1 (en) * | 2005-09-30 | 2007-11-01 | Sullivan Suzanne J | Abstract platform to facilitate the interoperability of information |
US20070294253A1 (en) * | 2006-06-20 | 2007-12-20 | Lyle Strub | Secure domain information protection apparatus and methods |
CN103368972A (en) * | 2013-07-26 | 2013-10-23 | 国家计算机网络与信息安全管理中心 | Induced analysis based advanced network attack detection and analysis method and system thereof |
CN104410617A (en) * | 2014-11-21 | 2015-03-11 | 西安邮电大学 | Information safety attack and defense system structure of cloud platform |
US20160283304A1 (en) * | 2013-12-20 | 2016-09-29 | Hitachi, Ltd. | Performance prediction method, performance prediction system and program |
CN106991328A (en) * | 2017-03-30 | 2017-07-28 | 兴华永恒(北京)科技有限责任公司 | A kind of vulnerability exploit detection recognition method based on Dram fingerprint anomaly analysis |
CN107579997A (en) * | 2017-09-30 | 2018-01-12 | 北京奇虎科技有限公司 | Wireless network intrusion detection system |
CN109298855A (en) * | 2018-10-16 | 2019-02-01 | 国网河北省电力有限公司电力科学研究院 | A kind of network target range management system and its implementation, device, storage medium |
Non-Patent Citations (3)
Title |
---|
ZHENGCHAO CHEN et al.: "Automatic Detection of Track and Fields in China from High-Resolution Satellite Images Using Multi-Scale-Fused Single Shot MultiBox Detector", pages 1-22, retrieved from the Internet (published online: https://www.mdpi.com/2072-4292/11/11/1377) * |
AN Rui et al.: "Design of a dynamic analog source communication controller based on ARM7", Electronic Measurement Technology (电子测量技术), vol. 37, no. 1, 11 March 2014, pages 49-53 * |
CHEN Hao: "Research and implementation of a cyber range based on virtualization and honeypot technology", China Master's Theses Full-text Database (中国优秀博硕士学位论文全文数据库(硕士)), Information Science and Technology series, vol. 139, no. 3, 15 March 2018, page 3 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113779561A (en) * | 2021-09-09 | 2021-12-10 | 安天科技集团股份有限公司 | Kernel vulnerability processing method and device, storage medium and electronic equipment |
CN113779561B (en) * | 2021-09-09 | 2024-03-01 | 安天科技集团股份有限公司 | Kernel vulnerability processing method and device, storage medium and electronic equipment |
CN114040408A (en) * | 2021-11-02 | 2022-02-11 | 恒安嘉新(北京)科技股份公司 | Shooting range system based on 4G mobile network simulation environment |
CN114040408B (en) * | 2021-11-02 | 2024-05-28 | 恒安嘉新(北京)科技股份公司 | Target range system based on 4G mobile network simulation environment |
CN117852048A (en) * | 2024-03-08 | 2024-04-09 | 华中科技大学 | Multi-dimensional attack vector-based soft and hard combined Internet of vehicles shooting range construction method |
CN117852048B (en) * | 2024-03-08 | 2024-06-07 | 华中科技大学 | Multi-dimensional attack vector-based soft and hard combined Internet of vehicles shooting range construction method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11625485B2 (en) | | Method of malware detection and system thereof |
US10460099B2 (en) | | System and method of detecting malicious code in files |
RU2645268C2 | | Complex classification for detecting malware |
CN102932329B (en) | | Method, device and client device for intercepting program behavior |
US10534915B2 (en) | | System for virtual patching security vulnerabilities in software containers |
CN106991324B (en) | | Malicious code tracking and identifying method based on memory protection type monitoring |
US9117079B1 (en) | | Multiple application versions in a single virtual machine |
CN112307482A (en) | | Intrusion kernel detection method and device based on target range and computing equipment |
CN107315961B (en) | | Program vulnerability detection method and device, computing equipment and storage medium |
CN108810014B (en) | | Attack event warning method and device |
CN112307469A (en) | | Kernel intrusion prevention method and device, computing equipment and computer storage medium |
CN112231198B (en) | | Malicious process debugging method and device, electronic equipment and medium |
CN106156621A (en) | | Method and device for detecting virtual machine escape |
CN103970574B (en) | | Operation method and device of office programs, and computer system |
CN111444510A (en) | | CPU vulnerability detection method and system based on virtual machine |
US20220391507A1 (en) | | Malware identification |
CN112307470A (en) | | Method and device for detecting intrusion kernel, computing equipment and computer storage medium |
CN113704749B (en) | | Malicious mining detection processing method and device |
JP2006053760A (en) | | Buffer overflow vulnerability analysis method, data processor, analysis information providing device, program for extracting analysis information, and program for providing analysis information |
CN111291368A (en) | | Method and system for defending CPU bug |
EP3293660A1 (en) | | System and method of detecting malicious code in files |
CN116204883B (en) | | Method and system for detecting and blocking file self-deletion based on Linux kernel |
Lee et al. | | The study of response model & mechanism against windows kernel compromises |
CN118331680A (en) | | Safety protection method and device and electronic equipment |
CN111444508A (en) | | CPU bug detection device and method based on virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |