CN112398784B - Method and device for defending vulnerability attack, storage medium and computer equipment - Google Patents


Publication number: CN112398784B (granted publication; application number CN201910755419.0A)
Authority: CN (China)
Prior art keywords: operation request, stack, function call, call stack, function
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112398784A
Inventors: 陈俊儒, 吴亚锋
Current and original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Events: application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd; priority to CN201910755419.0A; publication of CN112398784A; application granted; publication of CN112398784B; legal status active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The application discloses a method and device for defending against vulnerability attacks, together with a storage medium and computer equipment. The method comprises: monitoring key functions in a software framework; when a key function is called, capturing the operation request that calls it through a hook function and acquiring the actual function call stack corresponding to that request; and, if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, intercepting the request. In other words, the key functions of the framework are monitored, and each time one is called the actual call stack of the calling request is matched against a preset standard call stack for that request; a request whose stack does not match is intercepted. In this way attack requests are intercepted, so that even when the website has a vulnerability, the vulnerability cannot be exploited to attack the website, and a protective effect is achieved.

Description

Method and device for defending vulnerability attack, storage medium and computer equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for defending against vulnerability attacks, a storage medium, and a computer device.
Background
In recent years intranet security incidents have occurred frequently; important or sensitive data of enterprises and organizations has been lost, and the losses and impact on governments and enterprises are serious. To prevent vulnerability attacks from harming user terminals or website servers, the prior art mainly finds vulnerabilities in application programs or operating systems by vulnerability detection and repairs the vulnerabilities found, so that hackers cannot attack through unrepaired vulnerabilities. Vulnerability detection is generally divided into detection of known vulnerabilities and detection of unknown vulnerabilities. Known-vulnerability detection mainly uses security scanning to check whether a system has published security vulnerabilities; unknown-vulnerability detection aims to discover vulnerabilities that may exist in a software system but have not yet been found. Existing unknown-vulnerability detection techniques include active code scanning, disassembly scanning and environment error injection.
In this way of defending against vulnerability attacks, the defence consists mainly of repairing the vulnerability, which reduces the chance of a successful attack. In practice, however, the vulnerabilities in an application program or operating system can never be found exhaustively, and new ones appear as old ones are repaired, so this defence is comparatively passive. Moreover, as attacker tooling improves, the automation and speed of vulnerability attacks keep increasing; if patches are written and applied only after an attack has appeared, the attack may already have spread widely and affected many user terminals or servers. How to design a fast and efficient defence mechanism that blocks a vulnerability attack in time after it appears has therefore become a difficult problem for technicians in the field.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for defending against vulnerability attacks, a storage medium, and a computer device, so that even if a website has a vulnerability, an attacker cannot exploit it to attack the website, and a protective effect is achieved.
According to one aspect of the application, a method for defending vulnerability attacks is provided, which is characterized by comprising the following steps:
monitoring key functions in a software framework;
when the key function is called, capturing an operation request for calling the key function through a hook function, and acquiring an actual function call stack corresponding to the operation request;
and if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, intercepting the operation request.
Specifically, after the actual function call stack corresponding to the operation request is obtained, the method further includes:
querying, in a key function standard operation call white stack (the whitelist of standard call stacks recorded for each key function), the standard function call stack matching the captured operation request.
Specifically, obtaining the actual function call stack corresponding to the operation request includes:
querying whether the key function standard operation call white stack contains the captured operation request;
if the white stack contains the captured operation request, acquiring the actual function call stack corresponding to the operation request;
and if the white stack does not contain the captured operation request, intercepting the operation request.
Specifically, before the key function in the language parser is monitored, the method further includes:
capturing, at least once and through the hook function, a normal operation request that calls the key function, and acquiring the normal function call stack corresponding to that normal operation request;
and establishing the key function standard operation call white stack from the normal operation request and its corresponding normal function call stack.
Specifically, the method further comprises:
releasing the operation request if the actual function call stack is consistent with the standard function call stack.
According to another aspect of the present application, there is provided an apparatus for defending against vulnerability attacks, comprising:
a monitoring module, used to monitor key functions in the software framework;
an actual call stack acquisition module, used to capture, through a hook function, the operation request that calls a key function when that key function is called, and to acquire the actual function call stack corresponding to the operation request;
and an intercepting module, used to intercept the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request.
Specifically, the apparatus further comprises:
a standard call stack acquisition module, used to query, after the actual function call stack corresponding to the operation request has been acquired, the standard function call stack matching the captured operation request in the key function standard operation call white stack.
Specifically, the actual call stack acquisition module includes:
a white stack query unit, configured to query whether the key function standard operation call white stack contains the captured operation request;
an actual call stack acquisition unit, configured to acquire the actual function call stack corresponding to the operation request if the white stack contains the captured operation request;
and a first intercepting unit, configured to intercept the operation request if the white stack does not contain the captured operation request.
Specifically, the apparatus further comprises:
a normal call stack acquisition module, used to capture, through the hook function and at least once before the key function in the language parser is monitored, a normal operation request that calls the key function, and to acquire the normal function call stack corresponding to that normal operation request;
and a white stack establishing module, used to establish the key function standard operation call white stack from the normal operation request and its corresponding normal function call stack.
Specifically, the apparatus further comprises:
a releasing module, used to release the operation request if the actual function call stack is consistent with the standard function call stack.
According to yet another aspect of the application, a storage medium is provided, on which a computer program is stored, which program, when being executed by a processor, carries out the above-mentioned method of defending against vulnerability attacks.
According to yet another aspect of the present application, there is provided a computer device, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the method for defending against a vulnerability attack when executing the program.
By means of the technical scheme, the method and the device for defending the vulnerability attack, the storage medium and the computer equipment provided by the application monitor the key function in the software framework, match the actual function call stack of the operation request for calling the key function when the key function is called, and intercept the operation request when the actual function call stack is inconsistent with the preset standard function call stack corresponding to the operation request. According to the embodiment of the application, interception of the attack request can be realized, even if the website has a bug, the bug can be guaranteed not to be utilized to realize website attack, and a safety protection effect is achieved.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for defending against a vulnerability attack according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another method for defending against a vulnerability attack according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating an apparatus for defending against a vulnerability attack according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of another apparatus for defending against a vulnerability attack according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for defending against a vulnerability attack is provided, as shown in fig. 1, the method includes:
step 101, monitoring key functions in a software framework.
Most websites today are developed on a framework: development follows a fixed pattern, the low-level functions are packaged inside the framework, and developers only need to write the business code.
It should be noted that in the embodiments of the present application, monitoring is mainly applied to key functions in the software framework of an intranet server. Key functions here mainly means the functions called to perform database access, file access and network access operation requests, although they are not limited to these types; several key functions may also be monitored at the same time.
It should further be noted that the embodiments of the present application can defend infrastructure written in languages such as PHP, Python and Java, and specifically may monitor key functions in the language parser, which may be a PHP, Python or Java language parser.
And step 102, when the key function is called, capturing an operation request for calling the key function through the hook function, and acquiring an actual function call stack corresponding to the operation request.
When the intranet server detects that a pre-designated key function is being called, the corresponding hook function captures the operation request that calls it. Before the system actually executes the function and the request, the hook program captures the message and the hook function takes control first; it can therefore analyse the security of the operation request and decide how to handle it. Concretely, the hook function can process (alter) the execution behaviour of the function or forcibly end the passing of the message.
In addition, when the hook function captures the operation request calling the key function, it collects the execution flow of the request, that is, it acquires the actual function call stack corresponding to the operation request, and so obtains the functions the request has called and the order in which they were called.
And 103, intercepting the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request.
The actual function call stack is compared with the preset normal (standard) function call stack corresponding to the operation request. If the two are inconsistent, the execution flow of the operation request has deviated from the preset normal flow and continuing to execute the request may be risky, so the transmission of the request should be forcibly ended, that is, the operation request is intercepted. Because exploiting a vulnerability changes the function call stack, matching the call stacks of requests that reach a key function against the standard stacks prevents a website vulnerability from being exploited even when the developed website contains one, and so protects against vulnerability attacks. This premise holds for attacks that reach the key function along a path the application itself never takes, such as a deserialization gadget chain; malicious input that travels the normal path to the same key function, such as an injected query string passed through the ordinary database handler, produces the standard stack and is not distinguished by the stack comparison alone.
For example, suppose the framework implements deserialization and that, in normal operation, functions A, B and C are called before java.io.ObjectInputStream.resolveClass. When the server is attacked through a deserialization vulnerability, the call stack of the operation changes, for instance to A, B and D before java.io.ObjectInputStream.resolveClass; because this stack does not match the standard stack A, B, C, the request is intercepted.
By applying the technical scheme of the embodiment, the key functions in the software framework are monitored, when the key functions are called, the actual function call stacks of the operation requests for calling the key functions are matched, and when the actual function call stacks are inconsistent with the preset standard function call stacks corresponding to the operation requests, the operation requests are intercepted. According to the embodiment of the application, interception of the attack request can be realized, even if the website has a bug, the bug can be guaranteed not to be utilized to realize website attack, and a safety protection effect is achieved.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of the embodiment, another method for defending against a vulnerability attack is provided, as shown in fig. 2, the method includes:
step 201, capturing a normal operation request for calling a key function at least once through a hook function, and acquiring a normal function call stack corresponding to the normal operation request.
Step 202, establishing a key function standard operation call white stack according to the normal operation request and the corresponding normal function call stack.
In the embodiments of the present application, to be able to judge whether an actual operation request is generated by a malicious attack, the standard function call stack corresponding to a normal operation request of each key function is determined in advance, before the key function is monitored, and a key function standard operation call white stack is established. The white stack is obtained by extracting the function call stacks corresponding to several normal call operations on the key function.
Specifically, in steps 201 and 202, a technician initiates the normal operations that call the key function; the hook function captures each normal operation request, the function call stack corresponding to that request is extracted and taken as the standard function call stack for that operation request, and the key function standard operation call white stack is built from these. The white stack therefore stores, for each key function, its standard operation requests and the corresponding standard function call stacks.
The standard function call stacks corresponding to the various normal operation requests that need to call the key function can all be collected, and several key functions may be covered, so that when an actual operation request is later monitored its actual function call stack can be compared with the standard function call stacks in the white stack and the handling of the request decided.
In step 203, key functions in the software framework are monitored.
And step 204, when the key function is called, capturing an operation request for calling the key function through the hook function.
After the key function standard operation call white stack is established, the key function in the software framework is monitored, and therefore the key function is captured when being called.
Step 205, query the key function standard operation call white stack whether the captured operation request is contained.
When an operation request calling a key function is captured, the pre-established key function standard operation call white stack is queried to determine whether the operation request belongs to a predefined standard operation request. For example, a deserialization operation needs to call the key function java.io.ObjectInputStream.resolveClass, and the deserialization operation and its corresponding function call stack are stored in the standard operation call white stack of that key function; so when a call to java.io.ObjectInputStream.resolveClass is detected and the deserialization request that calls it is captured, the white stack of that key function is found to contain this operation request.
In step 206, if the key function standard operation call white stack contains the captured operation request, the actual function call stack corresponding to the operation request is obtained.
If the captured actual operation request belongs to the standard operation requests recorded in the key function standard operation call white stack, it is one of the pre-agreed standard operations permitted to call the key function. Its actual function call stack is then acquired to judge whether the operation request is a vulnerability attack, and the handling of the request is decided accordingly.
Step 207, if the key function standard operation call white stack does not contain the captured operation request, intercepting the operation request.
If the captured actual operation request does not belong to the standard operation requests recorded in the white stack, it is not one of the pre-agreed standard operations permitted to call the key function and may be a vulnerability attack on the website; the operation request is therefore intercepted so that the attack cannot proceed, which effectively prevents vulnerability attacks on the website.
And step 208, inquiring a standard function call stack matched with the captured operation request in the key function standard operation call white stack.
And 209, intercepting the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request.
And step 210, if the actual function call stack is consistent with the standard function call stack, releasing the operation request.
If the actual function call stack of the operation request is consistent with the preset safe standard function call stack, which indicates that the request is a safe request, the request can be released.
As another embodiment of the present application, in step 209, when the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, the following scheme may also be adopted:
step 2091, query whether the key function call black stack contains the actual function call stack corresponding to the operation request.
After the actual function call stack corresponding to the actual operation request is obtained, the standard function call stack corresponding to that request is looked up in the key function standard operation call white stack and compared with the actual stack. If they are inconsistent, the execution flow of the operation request differs from that of the standard operation request recorded in the white stack, and it is further judged whether the request is an attack request recorded in advance in the key function call black stack. The black stack stores the function call stacks corresponding to known attack requests against the key function, so it is queried for the actual function call stack of the current operation request.
In step 2092, if the key function call black stack includes an actual function call stack, the operation request is intercepted.
If the actual function call stack of the request matches a record in the key function call black stack, the request is an attack request and releasing it would let the website be attacked; the operation request is therefore intercepted.
Step 2093, if the key function call black stack does not include the actual function call stack, recording and reporting the actual function call stack.
If the actual function call stack of the request matches no record in the key function call black stack, the request is not a known attack request and its security is unknown. It can be reported to an administrator, an expert system or the like for further analysis, so the operation request and its actual function call stack are recorded and reported; this avoids wrongly intercepting a legitimate request.
Step 2094, receiving the request processing feedback information corresponding to the reported actual function call stack.
After analysing the reported operation request and its actual function call stack, the administrator or expert system returns feedback on the report; the server receives this feedback and handles the operation request accordingly.
Step 2095, if the request processing feedback information is an interception operation request, intercepting the operation request, and adding the actual function call stack to the key function call black stack.
If the feedback says to intercept the operation request, the administrator or expert system has judged it to be an attack request. The operation request is intercepted according to the feedback, which stops the attack, and its actual function call stack is added to the key function call black stack, so that the next time the website is attacked in this way the attack can be intercepted quickly from the black stack, improving both the security of the website and the efficiency of protection.
Applying the technical scheme of this embodiment, the function call stacks of common operations are collected in advance to form the key function standard operation call white stack. When a call to a key function is detected, the actual function call stack of the calling operation request is matched against the standard function call stacks in the white stack: if it matches, the request is released; otherwise it is further judged whether the actual stack matches the function call stack of a known attack request in the key function call black stack. If it matches the black stack the request is intercepted directly; otherwise it is reported and handled according to the feedback received, and when the feedback is to intercept, the actual function call stack is added to the black stack. In this way attack requests are intercepted, so that even when the website has a vulnerability it cannot be exploited; in addition attack requests are collected and summarised, which improves the efficiency of protection.
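The scheme of fig. 1 and fig. 2 (steps 101 to 103 with the resolveClass example above, steps 201 to 210, and the black stack steps 2091 to 2095) can be exercised end to end in a small Python program, Python being one of the language parsers the description names. The following is an added example written for this page, not code from the patent or from Qianxin. The dispatcher `handle_request`, the key function `resolve_class` (standing in for java.io.ObjectInputStream.resolveClass), the handlers A to D, the "gadget:" payload prefix and the analyst callback are all constructed for illustration; cutting the captured stack at the dispatcher frame and failing closed when no analyst is available are implementation choices of the example, not something the patent specifies.

```python
import functools
import inspect
import threading

ENTRY_POINT = "handle_request"   # assumed dispatcher name; captured stacks are cut here
_state = threading.local()       # operation request currently being handled on this thread

def capture_stack():
    """Callers of the hooked key function, outermost first, cut at the framework entry point."""
    names = []
    for info in inspect.stack(0)[2:]:   # [0] is this function, [1] is the hook wrapper
        names.append(info.function)
        if info.function == ENTRY_POINT:   # frames above the dispatcher would vary per deployment
            break
    return tuple(reversed(names))

class CallStackGuard:
    def __init__(self):
        self.learning = False
        self.white_stack = {}   # (key function, operation) -> set of standard stacks
        self.black_stack = {}   # key function -> set of known attack stacks
        self.reports = []       # (key function, operation, stack) sent for analysis
        # Feedback source for unknown stacks (step 2094); assumed to fail closed when absent.
        self.analyst = lambda key, operation, stack: "intercept"

    def check(self, key, operation, stack):
        """Steps 205-210 and 2091-2095; returns "release" or "intercept"."""
        standard = self.white_stack.get((key, operation))
        if standard is None:
            return "intercept"                # step 207: operation not in the white stack
        if stack in standard:
            return "release"                  # step 210: stack equals a standard stack
        black = self.black_stack.setdefault(key, set())
        if stack in black:
            return "intercept"                # step 2092: known attack stack
        self.reports.append((key, operation, stack))   # step 2093: record and report
        verdict = self.analyst(key, operation, stack)   # step 2094: feedback
        if verdict == "intercept":
            black.add(stack)                  # step 2095: remember it for next time
        return verdict

    def hook(self, func):
        """Wrap a key function so each call is captured with its stack first (step 102)."""
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            operation = getattr(_state, "operation", "<no request>")
            stack = capture_stack()
            if self.learning:                 # steps 201-202: record a normal call's stack
                self.white_stack.setdefault((func.__name__, operation), set()).add(stack)
            elif self.check(func.__name__, operation, stack) != "release":
                raise PermissionError(f"{func.__name__} via {' > '.join(stack)} for {operation!r}")
            return func(*args, **kwargs)
        return wrapper

guard = CallStackGuard()
@guard.hook
def resolve_class(name):
    """Key function; stands in for java.io.ObjectInputStream.resolveClass."""
    return f"<class {name}>"

def load_class(name):        # function C: the normal path to the key function
    return resolve_class(name)

def gadget_invoke(name):     # function D: constructed stand-in for a gadget chain
    return resolve_class(name)

def read_object(payload):    # function B: a "gadget:" payload simulates the exploit path
    if payload.startswith("gadget:"):
        return gadget_invoke(payload[len("gadget:"):])
    return load_class(payload)

def deserialize(payload):    # function A: handler for the "deserialize" operation
    return read_object(payload)

HANDLERS = {"deserialize": deserialize, "shell": resolve_class}   # "shell" is never learned

def handle_request(operation, payload):
    """Framework dispatcher (ENTRY_POINT); returns "released" or "intercepted"."""
    _state.operation = operation
    try:
        HANDLERS[operation](payload)
        return "released"
    except PermissionError:
        return "intercepted"
    finally:
        del _state.operation

def demo():
    guard.learning = True
    handle_request("deserialize", "com.example.Order")       # steps 201-202: one normal run
    guard.learning = False
    # Constructed analyst: anything that came through the gadget chain is an attack.
    guard.analyst = lambda key, op, stack: "intercept" if "gadget_invoke" in stack else "release"
    return {"normal": handle_request("deserialize", "com.example.Order"),              # step 210
            "gadget": handle_request("deserialize", "gadget:com.example.Evil"),        # 2093-2095
            "gadget_again": handle_request("deserialize", "gadget:com.example.Evil"),  # step 2092
            "unknown_op": handle_request("shell", "id")}                               # step 207

if __name__ == "__main__":
    print(demo())
```

Running the module learns the standard stack from a single normal deserialization request, then feeds four requests through the guard: the normal one is released; the first gadget-chain request is unknown, so it is recorded, reported and, on the analyst's "intercept" feedback, added to the black stack; the identical second gadget request is intercepted straight from the black stack without a new report; and the request whose operation was never learned is intercepted before its stack is even compared. Because stacks are keyed by function names only, renaming, inlining or re-ordering functions in the framework or business code changes the standard stacks, so in practice the white stack has to be re-learned on every redeployment, and a stack that is identical to a standard one (for example injected data travelling the ordinary handler path) is released by this check alone.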
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides a device for defending against a vulnerability attack, and as shown in fig. 3, the device includes: a monitoring module 31, an actual call stack acquiring module 32, and an intercepting module 33.
A monitoring module 31, configured to monitor a key function in a software framework;
an actual call stack obtaining module 32, configured to, when the key function is called, capture an operation request for calling the key function through the hook function, and obtain an actual function call stack corresponding to the operation request;
and the intercepting module 33 is configured to intercept the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: the standard call stack retrieval module 34.
And the standard call stack acquiring module 34 is configured to, after acquiring the actual function call stack corresponding to the operation request, query a standard function call stack matched with the captured operation request in the key function standard operation call white stack.
In a specific application scenario, as shown in fig. 4, the actual call stack obtaining module 32 specifically includes: a white stack query unit 321, an actual call stack acquisition unit 322, and a first interception unit 323.
A white stack querying unit 321, configured to query whether the key function standard operation call white stack includes the captured operation request;
an actual call stack obtaining unit 322, configured to obtain an actual function call stack corresponding to the operation request if the key function standard operation call white stack contains the captured operation request;
the first intercepting unit 323 is configured to intercept the operation request if the key function standard operation call white stack does not contain the captured operation request.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a normal call stack acquisition module 35 and a white stack establishment module 36.
A normal call stack obtaining module 35, configured to capture, by a hook function, a normal operation request for calling a key function at least once before monitoring the key function in the language parser, and obtain a normal function call stack corresponding to the normal operation request;
and a white stack establishing module 36, configured to establish a key function standard operation call white stack according to the normal operation request and the corresponding normal function call stack.
In a specific application scenario, as shown in fig. 4, the apparatus further includes a release module 37.
The release module 37 is configured to release the operation request if the actual function call stack is consistent with the standard function call stack.
In a specific application scenario, the intercepting module 33 specifically includes: a black stack query unit 331, a second interception unit 332, and a reporting unit 333.
A black stack querying unit 331, configured to query whether the key function call black stack includes an actual function call stack corresponding to the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request;
the second intercepting unit 332 is configured to intercept the operation request if the key function call black stack includes an actual function call stack;
a reporting unit 333, configured to record and report the actual function call stack if the key function call black stack does not include the actual function call stack.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a feedback information receiving module 38 and a black stack establishing module 39.
A feedback information receiving module 38, configured to receive request processing feedback information corresponding to the reported actual function call stack;
and the black stack establishing module 39 is configured to intercept the operation request if the request processing feedback information is an interception operation request, and add the actual function call stack to the key function call black stack.
It should be noted that other corresponding descriptions of the functional units related to the apparatus for defending against a vulnerability attack provided in the embodiment of the present application may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, correspondingly, an embodiment of the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for defending against a vulnerability attack as shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the computer device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the above-described method of defending against a vulnerability attack as shown in fig. 1 and 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a Wi-Fi module, and so forth. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface or a wireless interface (e.g., a Bluetooth interface or a Wi-Fi interface).
It will be appreciated by those skilled in the art that the computer device structure shown in this embodiment does not limit the computer device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs and other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus the necessary general hardware platform, or by hardware that monitors a key function in a software framework, matches the actual function call stack of the operation request calling the key function when the call occurs, and intercepts the operation request when the actual function call stack is inconsistent with the preset standard function call stack corresponding to the operation request. According to this embodiment, attack requests can be intercepted, so that even if the website has a vulnerability, the vulnerability cannot be exploited to attack the website, and a security protection effect is achieved.
The embodiment of the invention provides the following technical schemes:
1. A method of defending against vulnerability attacks, comprising:
monitoring key functions in a software framework;
when the key function is called, capturing an operation request for calling the key function through a hook function, and acquiring an actual function call stack corresponding to the operation request;
and if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, intercepting the operation request.
2. According to the method of 1, after the actual function call stack corresponding to the operation request is obtained, the method further includes:
and inquiring the standard function call stack matched with the captured operation request in a key function standard operation call white stack.
3. According to the method of 2, the obtaining of the actual function call stack corresponding to the operation request specifically includes:
inquiring whether the key function standard operation call white stack contains the captured operation request or not;
if the key function standard operation call white stack contains the captured operation request, acquiring an actual function call stack corresponding to the operation request;
and if the key function standard operation call white stack does not contain the captured operation request, intercepting the operation request.
4. The method of 2 or 3, prior to monitoring the key function in the language parser, further comprising:
capturing a normal operation request for calling the key function at least once through the hook function, and acquiring a normal function call stack corresponding to the normal operation request;
and establishing the key function standard operation call white stack according to the normal operation request and the corresponding normal function call stack.
5. The method of 4, further comprising:
and if the actual function call stack is consistent with the standard function call stack, releasing the operation request.
6. An apparatus for defending against vulnerability attacks, comprising:
the monitoring module is used for monitoring key functions in the software framework;
the actual call stack acquisition module is used for capturing an operation request for calling the key function through a hook function when the key function is called, and acquiring an actual function call stack corresponding to the operation request;
and the intercepting module is used for intercepting the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request.
7. The apparatus of 6, further comprising:
and the standard call stack acquisition module is used for inquiring the standard function call stack matched with the captured operation request in a key function standard operation call white stack after acquiring the actual function call stack corresponding to the operation request.
8. According to the apparatus of 7, the actual call stack obtaining module specifically includes:
a white stack query unit, configured to query whether the key function standard operation call white stack contains the captured operation request;
an actual call stack obtaining unit, configured to obtain, if the key function standard operation call white stack includes the captured operation request, an actual function call stack corresponding to the operation request;
the first intercepting unit is used for intercepting the operation request if the key function standard operation call white stack does not contain the captured operation request.
9. The apparatus of 7 or 8, further comprising:
the normal call stack acquisition module is used for capturing a normal operation request for calling the key function at least once through the hook function before monitoring the key function in the language parser and acquiring a normal function call stack corresponding to the normal operation request;
and the white stack establishing module is used for establishing the key function standard operation call white stack according to the normal operation request and the corresponding normal function call stack.
10. The apparatus of 9, further comprising:
and the releasing module is used for releasing the operation request if the actual function call stack is consistent with the standard function call stack.
11. A storage medium having stored thereon a computer program which, when executed by a processor, implements the method of defending against vulnerability attacks of any one of 1 to 5.
12. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the method of defending against vulnerability attacks of any one of 1 to 5 when executing the program.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art can understand that the modules in the device in the implementation scenario may be distributed in the device in the implementation scenario according to the implementation scenario description, and may also be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A method of defending against vulnerability attacks, comprising:
monitoring key functions in a software framework;
when the key function is called, capturing an operation request for calling the key function through a hook function, and acquiring an actual function call stack corresponding to the operation request, wherein the operation request comprises at least one of a database access operation request, a file access operation request and a network access operation request;
if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, intercepting the operation request;
if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, intercepting the operation request, including:
if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request, inquiring whether a key function call black stack contains the actual function call stack corresponding to the operation request;
if the actual function call stack is contained in the key function call black stack, intercepting the operation request;
and if the actual function call stack is not contained in the key function call black stack, recording and reporting the actual function call stack.
2. The method of claim 1, wherein after obtaining the actual function call stack corresponding to the operation request, the method further comprises:
and inquiring the standard function call stack matched with the captured operation request in a key function standard operation call white stack.
3. The method according to claim 2, wherein the obtaining the actual function call stack corresponding to the operation request specifically includes:
inquiring whether the key function standard operation call white stack contains the captured operation request or not;
if the key function standard operation call white stack contains the captured operation request, acquiring an actual function call stack corresponding to the operation request;
and if the key function standard operation call white stack does not contain the captured operation request, intercepting the operation request.
4. The method of claim 2 or 3, wherein before monitoring the key function in the software framework, the method further comprises:
capturing a normal operation request for calling the key function at least once through the hook function, and acquiring a normal function call stack corresponding to the normal operation request;
and establishing the key function standard operation call white stack according to the normal operation request and the corresponding normal function call stack.
5. The method of claim 4, further comprising:
and if the actual function call stack is consistent with the standard function call stack, releasing the operation request.
6. An apparatus for defending against vulnerability attacks, comprising:
the monitoring module is used for monitoring key functions in the software framework;
an actual call stack obtaining module, configured to capture, by a hook function, an operation request for calling the key function when the key function is called, and obtain an actual function call stack corresponding to the operation request, where the operation request includes at least one of a database access operation request, a file access operation request, and a network access operation request;
the intercepting module is used for intercepting the operation request if the actual function call stack is inconsistent with the standard function call stack corresponding to the operation request;
the interception module comprises: the system comprises a black stack query unit, a second interception unit and a reporting unit;
the black stack query unit is configured to query whether a key function call black stack includes an actual function call stack corresponding to the operation request if the actual function call stack is inconsistent with a standard function call stack corresponding to the operation request;
the second intercepting unit is configured to intercept the operation request if the key function call black stack includes the actual function call stack;
and the reporting unit is used for recording and reporting the actual function call stack if the actual function call stack is not contained in the key function call black stack.
7. The apparatus of claim 6, further comprising:
and the standard call stack acquisition module is used for inquiring the standard function call stack matched with the captured operation request in a key function standard operation call white stack after acquiring the actual function call stack corresponding to the operation request.
8. The apparatus according to claim 7, wherein the actual call stack obtaining module specifically includes:
a white stack query unit, configured to query whether the key function standard operation call white stack includes the captured operation request;
an actual call stack obtaining unit, configured to obtain an actual function call stack corresponding to the operation request if the key function standard operation call white stack contains the captured operation request;
the first intercepting unit is used for intercepting the operation request if the key function standard operation call white stack does not contain the captured operation request.
9. A storage medium on which a computer program is stored, which program, when executed by a processor, implements the method of defending against vulnerability attacks of any of claims 1 to 5.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the method of defending against a vulnerability attack according to any one of claims 1 to 5 when executing the program.
CN201910755419.0A 2019-08-15 2019-08-15 Method and device for defending vulnerability attack, storage medium and computer equipment Active CN112398784B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755419.0A CN112398784B (en) 2019-08-15 2019-08-15 Method and device for defending vulnerability attack, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN112398784A CN112398784A (en) 2021-02-23
CN112398784B true CN112398784B (en) 2023-01-06

Family

ID=74601751

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115935341B (en) * 2022-11-10 2023-09-19 Hangzhou Xiaodao Technology Co., Ltd. Vulnerability defense method, vulnerability defense system, vulnerability defense server and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108664793A (en) * 2017-03-30 2018-10-16 Tencent Technology (Shenzhen) Co., Ltd. Method and apparatus for detecting vulnerabilities
CN108846287A (en) * 2018-06-26 2018-11-20 Beijing Qianxin Technology Co., Ltd. Method and device for detecting vulnerability attacks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7930744B2 (en) * 2008-07-02 2011-04-19 Check Point Software Technologies Ltd. Methods for hooking applications to monitor and prevent execution of security-sensitive operations

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on a detection and interception system for unknown PHP deserialization vulnerability exploitation; Chen Zhenhang et al.; Netinfo Security (信息网络安全); 2018-04-10 (No. 4); pp. 51-52 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant