CN112699369A - Method and device for detecting abnormal login through stack backtracking - Google Patents

Method and device for detecting abnormal login through stack backtracking Download PDF

Info

Publication number
CN112699369A
CN112699369A CN202110032887.2A CN202110032887A CN112699369A CN 112699369 A CN112699369 A CN 112699369A CN 202110032887 A CN202110032887 A CN 202110032887A CN 112699369 A CN112699369 A CN 112699369A
Authority
CN
China
Prior art keywords
login
information
stack
backtracking
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110032887.2A
Other languages
Chinese (zh)
Inventor
朱燕涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anxin Wangdun Beijing Technology Co ltd
Original Assignee
Anxin Wangdun Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Anxin Wangdun Beijing Technology Co ltd filed Critical Anxin Wangdun Beijing Technology Co ltd
Priority to CN202110032887.2A priority Critical patent/CN112699369A/en
Publication of CN112699369A publication Critical patent/CN112699369A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and a device for detecting abnormal login through stack backtracking, wherein the method comprises the following steps: step S1, when the user login behavior is monitored, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence; step S2, comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance; in step S3, if the comparison result is inconsistent, an abnormal login behavior is detected. The scheme of the invention has the characteristics of high detection rate, low false alarm, real-time property and the like.

Description

Method and device for detecting abnormal login through stack backtracking
Technical Field
The invention relates to the field of computer information security, in particular to a method and a device for detecting abnormal login through stack backtracking.
Background
The detection of abnormal login behaviors is an important link for asset risk management of an administrator, the abnormal login includes abnormal behaviors such as abnormal address login, login using illegal authentication information, blasting attempt and the like, and the current method for detecting the abnormal login of the host mainly comprises the following detection mechanisms.
And (4) judging based on a simple rule: the login behavior is analyzed by recording the login history information of the account, and a login detection frequency rule is set, so that a white list library is established based on the common IP address, and the login behaviors which are not in the white list library are all defined as abnormal login. The detection mechanism has obvious false alarm and missing alarm conditions.
And (3) matching and judging based on manual rules: the method comprises the steps of manually setting rules such as common IP, common addresses and common time, establishing a white list library and a black list library to set abnormal login rules, and identifying abnormal login behaviors based on a rule matching mode. Since the detection mechanism needs to set rules manually, it is a time-consuming and labor-consuming process for the administrator in the operation and maintenance stage, and the higher the identification accuracy requirement, the more complicated the maintenance.
And judging based on machine learning: by establishing an abnormal probability model, detecting information such as IP addresses, users, time, service types and the like, calculating the occurrence probability or access relation of the login to the target IP, and counting information such as login failure rate, failure mean value and the like. And automatically identifying the access relation in the network and detecting abnormal login behaviors by an intelligent analysis method. The detection mechanism is a detection method based on log analysis, and the original data is infected, so that the false alarm problem exists, and the legality of the login source cannot be detected.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method and a device for detecting abnormal login through stack backtracking, which are used for solving the technical problems that the abnormal login cannot be effectively detected, time and labor are consumed in an operation and maintenance stage, and the legality of a login source cannot be detected in the prior art.
According to a first aspect of the present invention, there is provided a method for detecting abnormal login by stack backtracking, the method comprising the steps of:
step S1, when the user login behavior is monitored, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence;
step S2, comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance;
in step S3, if the comparison result is inconsistent, an abnormal login behavior is detected.
Further, in step S2, the method for obtaining the white list of the API call sequence includes: collecting login information of a legal login source to obtain a white list of an API (application program interface) calling sequence corresponding to the legal login behavior; the collecting the login information of the legal login source comprises the following steps: automatically learning a legal login source to obtain login information of the legal login source; and/or, manually inputting the login information of the legal login source.
Further, the login information of the legal login source includes: login address information, login source service information, login source process information, login destination service information, function call chain, and values of function-related registers.
Further, the backtracking stack information corresponding to the thread of the login behavior in step S1 to obtain an API call sequence specifically includes: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence.
Further, after detecting the abnormal login behavior, the method further includes step S4, which immediately blocks the abnormal login behavior, automatically adds the access source IP address to the blacklist, and records the information when the abnormal login occurs.
Further, the information when the abnormal login occurs includes: the method comprises the following steps of abnormal login task name, login user name, abnormal login function name, API calling sequence, abnormal login service type and abnormal login time.
According to a second aspect of the present invention, there is provided an apparatus for detecting abnormal login through stack backtracking, the apparatus comprising:
the backtracking module is used for backtracking stack information corresponding to the thread of the login behavior when the login behavior of the user is monitored to obtain an API (application program interface) calling sequence;
the comparison module is used for comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance;
and the detection module is used for detecting the abnormal login behavior if the comparison result is inconsistent.
Further, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence, specifically including: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence.
According to a third aspect of the present invention, there is provided a system for detecting an abnormal login through stack backtracking, comprising a processor and a memory, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting an abnormal login through stack backtracking as described above.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium having stored therein a computer program for being loaded by a processor and for executing the method for detecting an abnormal login through stack backtracking as described above.
According to the above scheme of the invention, the following technical effects can be obtained: the problem that the legality of login sources cannot be verified by a traditional protection means is solved, abnormal login behaviors can be found in time and effectively intercepted in real time without configuring a complex detection strategy, and operation and maintenance burdens are greatly reduced through automatic learning capacity. The detection method has the characteristics of high detection rate, low false alarm, instantaneity and the like.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flowchart of a method for detecting abnormal login via stack backtracking according to an embodiment of the present invention;
fig. 2 is a block diagram of an apparatus for detecting abnormal login through stack backtracking according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the specific embodiments of the present invention and the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
First, a flowchart of a method for detecting abnormal login through stack backtracking according to an embodiment of the present invention is described with reference to fig. 1. As shown in fig. 1, the method comprises the steps of:
and step S1, when the user login behavior is monitored, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence.
In this step, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence, specifically including: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence. The stack is traced back by monitoring the stack information during logging, so that the logging stack information of programs such as a system, middleware, a database, a remote desktop and the like can be obtained, and an API (application program interface) calling sequence is obtained by the stack tracing back. Therefore, the legality of the login source is analyzed and judged, the abnormal login behavior is accurately judged, and the login behavior of the user mainly comprises remote login, local login, interactive login such as SSH (secure messaging and resource description) and RDP (remote desktop protocol) and non-interactive login such as SMB (shared message block) file sharing.
And step S2, comparing the obtained API calling sequence with a white list of the API calling sequences collected in advance.
In this step, the method for obtaining the white list of the API call sequence includes: and collecting login information of a legal login source to obtain a white list of an API (application program interface) calling sequence corresponding to the legal login behavior. Collecting the login information of legal login source, mainly including two ways: automatically learning a legal login source to obtain login information of the legal login source; and manually entering login information of the legal login source. These two methods may be used alone or in combination. The collected login information of the legal login source comprises: login address information, login source service information, login source process information, login destination service information, function call chain, and values of function-related registers. After the white list of the API calling sequence is obtained, the logging behavior can be intercepted and analyzed, and whether the logging behavior is abnormal or not is judged by searching whether the logging behavior is consistent with the white list recording information of the API calling sequence collected in advance or not according to the context information and the register data stored in the stack.
In step S3, if the comparison result is inconsistent, an abnormal login behavior is detected.
If the obtained API calling sequence is not in a white list of the API calling sequence collected in advance, the login behavior can be determined to be abnormal login. After detecting the abnormal login behavior, in one embodiment, the method further includes step S4, immediately blocking the abnormal login behavior, automatically adding the access source IP address into the blacklist, and recording the information when the abnormal login occurs. The recorded information when the abnormal login occurs includes: and information such as an abnormal login task name, a login user name, an abnormal login function name, an API (application programming interface) calling sequence, an abnormal login service type, abnormal login time and the like is convenient for safe operation and maintenance management.
Most of the existing detection means are analyzed based on a log mode, so that the obvious hysteresis exists, and the possibility of tampering the log information also exists. The mechanism for detecting the login information in the login process can realize real-time detection and a login information verification mechanism, and can improve the detection real-time property while ensuring the credibility of the login behavior.
The detection method provided by the embodiment of the invention can solve the problem that the traditional protection means can not verify the legality of the login source, can timely find abnormal login behaviors and effectively intercept the abnormal login behaviors in real time without configuring a complex detection strategy, has the automatic learning capability, greatly reduces the operation and maintenance burden, and has the characteristics of high detection rate, low false alarm, real-time property and the like.
An embodiment of the present invention further provides a device for detecting abnormal login through stack backtracking, as shown in fig. 2, the device includes:
the backtracking module is used for backtracking stack information corresponding to the thread of the login behavior when the login behavior of the user is monitored to obtain an API (application program interface) calling sequence;
the comparison module is used for comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance;
and the detection module is used for detecting the abnormal login behavior if the comparison result is inconsistent.
Further, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence, specifically including: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence.
The functions executed by each functional module of the apparatus for detecting abnormal login through stack backtracking in this embodiment correspond to the steps of the method for detecting abnormal login through stack backtracking in the foregoing two embodiments, and are not described herein again.
The embodiment of the present invention further provides a system for detecting an abnormal login through stack backtracking, which includes a processor and a memory, where the memory stores a computer program, and the processor is configured to run the computer program to execute the method for detecting an abnormal login through stack backtracking as described above.
An embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, where the computer program is used for being loaded by a processor and executing the method for detecting abnormal login through stack backtracking as described above.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes a computer program for enabling a computer device (which may be a personal computer, a physical machine Server, or a network cloud Server, and needs to install operating systems of all versions of Windows, Windows Server, and Linux) to perform some steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are still within the scope of the technical solution of the present invention.

Claims (10)

1. A method for detecting abnormal login through stack backtracking is characterized by comprising the following steps:
step S1, when the user login behavior is monitored, backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence;
step S2, comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance;
in step S3, if the comparison result is inconsistent, an abnormal login behavior is detected.
2. The method for detecting abnormal login through stack backtracking according to claim 1, wherein in step S2, the method for obtaining the white list of the API call sequence comprises: collecting login information of a legal login source to obtain a white list of an API (application program interface) calling sequence corresponding to the legal login behavior; the collecting the login information of the legal login source comprises the following steps: automatically learning a legal login source to obtain login information of the legal login source; and/or, manually inputting the login information of the legal login source.
3. The method for detecting abnormal login via stack backtracking as claimed in claim 2, wherein the login information of the legal login source comprises: login address information, login source service information, login source process information, login destination service information, function call chain, and values of function-related registers.
4. The method for detecting abnormal login through stack backtracking according to any one of claims 1 to 3, wherein the backtracking of the stack information corresponding to the thread of the login behavior in step S1 to obtain the API call sequence specifically includes: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence.
5. The method for detecting abnormal login through stack backtracking as claimed in claim 4, wherein after detecting abnormal login behavior, further comprising step S4, immediately blocking the abnormal login behavior, and simultaneously automatically adding the access source IP address into the blacklist, and recording the information when abnormal login occurs.
6. The method for detecting abnormal login via stack backtracking as recited in claim 5, wherein the information when the abnormal login occurs comprises: the method comprises the following steps of abnormal login task name, login user name, abnormal login function name, API calling sequence, abnormal login service type and abnormal login time.
7. An apparatus for detecting abnormal logins through stack backtracking, the apparatus comprising:
the backtracking module is used for backtracking stack information corresponding to the thread of the login behavior when the login behavior of the user is monitored to obtain an API (application program interface) calling sequence;
the comparison module is used for comparing the obtained API calling sequence with a white list of the API calling sequence collected in advance;
and the detection module is used for detecting the abnormal login behavior if the comparison result is inconsistent.
8. The method for stack backtracking to detect abnormal login according to claim 7, wherein backtracking stack information corresponding to the thread of the login behavior to obtain an API call sequence specifically comprises: and analyzing context information of the current function call site of the thread of the login behavior, recording the position of a stack pointer, determining function call chain information before the current function call, and obtaining an API call sequence.
9. A system for detecting an abnormal login through stack backtracking, comprising a processor and a memory, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting an abnormal login through stack backtracking according to any one of claims 1 to 6.
10. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is adapted to be loaded by a processor and to carry out the method for detecting an abnormal login via stack backtracking according to any one of claims 1 to 6.
CN202110032887.2A 2021-01-12 2021-01-12 Method and device for detecting abnormal login through stack backtracking Pending CN112699369A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110032887.2A CN112699369A (en) 2021-01-12 2021-01-12 Method and device for detecting abnormal login through stack backtracking

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110032887.2A CN112699369A (en) 2021-01-12 2021-01-12 Method and device for detecting abnormal login through stack backtracking

Publications (1)

Publication Number Publication Date
CN112699369A true CN112699369A (en) 2021-04-23

Family

ID=75513920

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110032887.2A Pending CN112699369A (en) 2021-01-12 2021-01-12 Method and device for detecting abnormal login through stack backtracking

Country Status (1)

Country Link
CN (1) CN112699369A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115373834A (en) * 2021-05-27 2022-11-22 北京火山引擎科技有限公司 Intrusion detection method based on process call chain
CN115859268A (en) * 2022-12-14 2023-03-28 中国电信股份有限公司 RASP white list matching method and device, storage medium and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN104301286A (en) * 2013-07-15 2015-01-21 中国移动通信集团黑龙江有限公司 User login authentication method and device
CN108200053A (en) * 2017-12-30 2018-06-22 成都亚信网络安全产业技术研究院有限公司 Record the method and device of APT attack operations
CN109784062A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Leak detection method and device
CN109815701A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Detection method, client, system and the storage medium of software security
CN110300027A (en) * 2019-06-29 2019-10-01 西安交通大学 A kind of abnormal login detecting method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN104301286A (en) * 2013-07-15 2015-01-21 中国移动通信集团黑龙江有限公司 User login authentication method and device
CN108200053A (en) * 2017-12-30 2018-06-22 成都亚信网络安全产业技术研究院有限公司 Record the method and device of APT attack operations
CN109784062A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Leak detection method and device
CN109815701A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Detection method, client, system and the storage medium of software security
CN110300027A (en) * 2019-06-29 2019-10-01 西安交通大学 A kind of abnormal login detecting method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115373834A (en) * 2021-05-27 2022-11-22 北京火山引擎科技有限公司 Intrusion detection method based on process call chain
CN115373834B (en) * 2021-05-27 2024-08-20 北京火山引擎科技有限公司 Intrusion detection method based on process call chain
CN115859268A (en) * 2022-12-14 2023-03-28 中国电信股份有限公司 RASP white list matching method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
US11218510B2 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
CN108989150B (en) Login abnormity detection method and device
CN109376078B (en) Mobile application testing method, terminal equipment and medium
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN110417778B (en) Access request processing method and device
CN112003838B (en) Network threat detection method, device, electronic device and storage medium
CN108833185B (en) Network attack route restoration method and system
CN110943984B (en) Asset safety protection method and device
CN111416811A (en) Unauthorized vulnerability detection method, system, equipment and storage medium
CN104067283A (en) Identifying trojanized applications for mobile environments
CN109815702B (en) Software behavior safety detection method, device and equipment
CN112163198B (en) Host login security detection method, system, device and storage medium
CN112699369A (en) Method and device for detecting abnormal login through stack backtracking
CN111404937A (en) Method and device for detecting server vulnerability
CN113114680A (en) Detection method and detection device for file uploading vulnerability
US11863577B1 (en) Data collection and analytics pipeline for cybersecurity
CN112565278A (en) Attack capturing method and honeypot system
CN107819758A (en) A kind of IP Camera leak remote detecting method and device
CN113987508A (en) Vulnerability processing method, device, equipment and medium
CN115398431A (en) User information violation acquisition detection method and related equipment
CN115296895B (en) Request response method and device, storage medium and electronic equipment
CN116846644A (en) Unauthorized access detection method and device
CN115859298A (en) Dynamic trusted computing environment architecture and method for power master station system
CN115643044A (en) Data processing method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210423

RJ01 Rejection of invention patent application after publication