CN114416464A - Trusted process supervision method and storage medium - Google Patents
Trusted process supervision method and storage medium Download PDFInfo
- Publication number
- CN114416464A CN114416464A CN202111493631.8A CN202111493631A CN114416464A CN 114416464 A CN114416464 A CN 114416464A CN 202111493631 A CN202111493631 A CN 202111493631A CN 114416464 A CN114416464 A CN 114416464A
- Authority
- CN
- China
- Prior art keywords
- process file
- fingerprint
- trusted
- management server
- increment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3017—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is implementing multitasking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Mathematical Physics (AREA)
- Quality & Reliability (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
Abstract
The utility model relates to the field of network information security, and discloses a method for monitoring trusted processes and a storage medium, wherein the method is applied to a node server and comprises the following steps: determining a process file corresponding to a process file path, calculating a trusted process file fingerprint of the process file according to a preset period, calculating the trusted process file fingerprint when a Linux system tool monitors that the process file is changed, comparing the calculated trusted process file fingerprint with an original trusted process file fingerprint, determining a fingerprint increment based on a comparison result, pausing the process file if the fingerprint of the process file is represented by the fingerprint increment, judging whether the fingerprint increment is within a preset increment range, so that a management server generates feedback information based on the judgment result, determining whether the process file is operated based on the feedback information of the management server, and ensuring the safety of the process file by using the method for monitoring whether the content corresponding to the process file is tampered.
Description
Technical Field
The application relates to the technical field of network information security, and provides a method for monitoring a trusted process and a storage medium.
Background
In practical applications, the content in the Linux system web page is generally popular, so that the Linux system web page cannot be prevented from being tampered with maliciously. The webpage tamper-resistant product is tamper-resistant mainly based on a kernel-driven mode, and many products can be configured with a trusted process, namely, products in a webpage are protected and monitored through the trusted process. However, currently only one process file path can be protected and monitored. When a file tampering event occurs, the kernel driver only judges whether the path of the trusted process is changed, and cannot track whether the file content corresponding to the trusted process changes.
For example, when a user configures a trusted process to be: and/usr/bin/touch, the driving layer only judges the process path, and certain safety risk exists. A hacker is likely to have replaced the file under the process path/usr/bin/touch with his own program, and it is then clear that the decision is made only by the process file path to behave as a dummy.
In summary, at present, there is no effective solution for monitoring whether the trusted process in the Linux system web page is tampered, so that the security of the trusted process cannot be guaranteed.
Disclosure of Invention
The embodiment of the application provides a method for monitoring a trusted process and a storage medium, which are used for monitoring whether the content corresponding to a process file is tampered or not, so that the security of the process file is guaranteed.
The specific technical scheme provided by the disclosure is as follows:
in a first aspect, an embodiment of the present application provides a method for monitoring a trusted process, where the method is applied to a node server, where the node server is a Linux system, and includes:
determining a process file corresponding to a process file path aiming at any one process file path, and calculating a credible process file fingerprint of the process file according to a preset period; calculating a trusted process file fingerprint when the Linux system tool monitors that the process file is changed, wherein a process file path is configured for each process file running on the node server by the management server;
executing every time a trusted process file fingerprint is calculated: comparing the calculated credible process file fingerprint with the original credible process file fingerprint, and determining a fingerprint increment based on the comparison result; the original credible process file fingerprint is a fingerprint corresponding to the process file when the process file is not attacked illegally;
if the fingerprint of the fingerprint increment representation process file changes, the process file is paused to be operated, whether the fingerprint increment is in a preset increment range is judged, and the judgment result is notified to the management server, so that the management server generates feedback information based on the judgment result;
and determining whether to run the process file based on the feedback information of the management server.
Optionally, before determining, for any process file path, a process file corresponding to the process file path, the method further includes:
when it is monitored that a process file path is created and it is determined that a process file corresponding to the process file path is not attacked illegally, calculating an original credible process file fingerprint of the process file; or when a fingerprint acquisition instruction of the management server is received and the process file corresponding to the process file path is confirmed not to be attacked illegally, calculating an original credible process file fingerprint of the process file;
and sending the original trusted process file fingerprint to a management server.
Optionally, the determining whether the fingerprint increment is within a preset increment range includes:
judging whether the fingerprint increment is within a preset increment range, wherein the fingerprint increment is the difference or quotient between the trusted process file fingerprint and the original trusted process file fingerprint;
if the fingerprint increment does not exceed the preset increment range, generating a white list confirmation result;
if the fingerprint increment exceeds the preset increment range, generating a blacklist confirmation result;
and taking the white list confirmation result or the black list confirmation result as a judgment result.
Optionally, determining whether to run the process file based on the feedback information of the management server includes:
if the received feedback information of the management server is white list feedback information, determining an operation process file;
and if the received feedback information of the management server is blacklist feedback information, the process file is prohibited to run. In a second aspect, an embodiment of the present application provides a method for supervising a trusted process, where the method is applied to a management server, where the management server is a Linux system, and includes:
receiving a judgment result sent by the node server, wherein the judgment result is generated by comparing a trusted process file fingerprint of the process file corresponding to the process file path with an original trusted process file fingerprint by the node server, and the original trusted process file fingerprint is a fingerprint corresponding to the process file when the process file is not attacked illegally;
verifying the process file based on the judgment result, determining whether the process file is a process file prohibited from being tampered, and generating feedback information according to the determination result;
and sending the feedback information to the node server so that the node server determines whether to run the process file based on the feedback information.
Optionally, the process file path is created by:
and acquiring each process file in a running state on the node server, and respectively creating a process file path for each process file, so that the node server determines the process file corresponding to the process file path based on any one process file path.
Optionally, verifying the process file based on the determination result, and determining whether the process file is a tamper-prohibited process file, including:
analyzing the judgment result to obtain a white list confirmation result or a black list confirmation result;
sending the process file path of the process file corresponding to the white list confirmation result or the black list confirmation result and the original credible process file fingerprint to the user side, and receiving a fingerprint verification result returned by the user side, wherein the fingerprint verification result is generated by the user side after the user side compares the credible process file fingerprint with the original credible process file fingerprint, and the credible process file fingerprint is obtained by the user side through calculation according to the received process file path;
if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is within the acceptance range, determining that the process file is not a process file prohibited from being tampered;
and if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is not in the acceptance range, determining that the process file is a process file which is forbidden to be tampered.
In a third aspect, a node server comprises:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement a method as in any one of the first aspect.
In a fourth aspect, a management server comprises:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any of the second aspects.
In a fifth aspect, a computer-readable storage medium, wherein instructions, when executed by a processor, enable the processor to perform the method of any of the first and second aspects.
The beneficial effect of this application is as follows:
in summary, in the embodiments of the present disclosure, a method for monitoring a trusted process and a storage medium are provided, where the method is applied to a node server, where the node server is a Linux system, and includes: determining a process file corresponding to a process file path aiming at any process file path, calculating a trusted process file fingerprint of the process file according to a preset period, calculating the trusted process file fingerprint when a Linux system tool monitors that the process file is changed, and executing aiming at each calculated trusted process file fingerprint: comparing the calculated credible process file fingerprint with an original credible process file fingerprint, and determining a fingerprint increment based on a comparison result, wherein the original credible process file fingerprint is a fingerprint corresponding to the process file when the process file is not illegally attacked, if the fingerprint of the process file is represented by the fingerprint increment, the process file is paused to be operated, whether the fingerprint increment is within a preset increment range is judged, the judgment result is notified to a management server, so that the management server generates feedback information based on the judgment result, whether the process file is operated is determined based on the feedback information of the management server, and compared with a mode of monitoring whether the process file has a safety risk only through a process path, the method for monitoring whether the corresponding content of the process file is tampered effectively guarantees the safety of the process file.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a system architecture for supervising a trusted process in an embodiment of the present application;
fig. 2 is a schematic flow chart illustrating a process of a node server supervising a trusted process in an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating a process of a node server acquiring an original trusted process file fingerprint in an embodiment of the present application;
fig. 4 is a schematic flow chart illustrating a process of acquiring a determination result by a node server in the embodiment of the present application;
fig. 5 is a schematic flowchart illustrating a process of supervising a trusted process by a management server in an embodiment of the present application;
fig. 6 is a schematic flowchart illustrating a process of determining, by a management server, whether a process file is a tamper-prohibited process file according to an embodiment of the present application;
FIG. 7 is a block diagram of a node server according to an embodiment of the present disclosure;
fig. 8 is a schematic physical architecture diagram of a management server according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present application. All other embodiments obtained by a person skilled in the art without any inventive step based on the embodiments described in the present application are within the scope of the protection of the present application.
The terms "first," "second," and the like in the description and in the claims, and in the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Referring to fig. 1, in the embodiment of the present disclosure, the system includes at least one node server and a management server, and in an implementation process, the node server and the management server can interact with each other to supervise a trusted process.
The following first introduces a case of a method for monitoring a trusted process executed by a node server, wherein the node server is a Linux system, and the Linux system is an operating system which supports multiple users, multiple tasks, multiple threads and multiple central processing units, and has stable performance, high flexibility and powerful functions. Referring to fig. 2, in the embodiment of the present disclosure, a specific process of the node server supervising the trusted process is as follows:
step 201: determining a process file corresponding to a process file path aiming at any one process file path, and calculating a credible process file fingerprint of the process file according to a preset period; and calculating the fingerprint of the credible process file when the Linux system tool monitors that the process file is changed.
It should be noted that the process file path is configured by the management server for each process file running on the node server. Generally, a plurality of process files are simultaneously run on a node server, and in order to facilitate searching for any one process file, a management server may respectively configure a process file path (e.g.,/user/bin/touch) for each process file, and may search for a corresponding process file through the process file path.
Considering that only the path of the process file is monitored, and whether the content of the process file is tampered cannot be effectively monitored, in the embodiment of the application, whether the content of the process file is tampered is determined by calculating the fingerprint of the process file. Algorithms for computing fingerprints include, but are not limited to, the sha256 algorithm, and the like.
Since the process file is likely to be attacked by hackers at any time during the operation process, in order to effectively monitor the process file, a mode of combining periodic polling and real-time monitoring by using a Linux system tool is adopted during the specific implementation process.
On one hand, in order to effectively monitor whether the content of the process file is tampered, the process file corresponding to the process file path is determined for any process file path, and the trusted process file fingerprint of the process file is calculated according to a preset period, wherein the preset period can be flexibly set according to an actual scene, and a specific algorithm for calculating the trusted process file fingerprint is not specifically limited.
On the other hand, in order to avoid a situation that a hacker attacks at a switching time point of a period for calculating the trusted process file fingerprint, for any process file path, the trusted process file fingerprint is calculated when a Linux system tool monitors that a process file is changed, wherein the Linux system tool is bpftrace or ebpfrace and the like, the bpftrace and the ebpfrace are powerful tracking tools under the Linux system, and a file writing operation tracking point can be locked by using the bpftrace and the ebpfrace to write custom logic to track whether a specified process file is tampered. Therefore, the method for calculating the trusted process file fingerprint of the process file in the embodiment of the application can give consideration to the monitoring efficiency and the monitoring strength of the process file.
Step 202: executing every time a trusted process file fingerprint is calculated: comparing the calculated credible process file fingerprint with the original credible process file fingerprint, and determining a fingerprint increment based on the comparison result; the original credible process file fingerprint is a corresponding fingerprint of the process file when the process file is not attacked illegally.
Because the trusted process file fingerprint can uniquely identify the content of the process file, in order to monitor the change of the content of the process file most quickly, in the implementation process, every time one trusted process file fingerprint is calculated, the following steps are executed: and comparing the calculated credible process file fingerprint with the original credible process file fingerprint, wherein the comparison mode comprises making a difference or a quotient and the like, and determining the fingerprint increment based on the comparison result.
Before determining the process file corresponding to the process file path for any process file path, as shown in fig. 3, the method further includes:
step 101: when it is monitored that a process file path is created and it is determined that a process file corresponding to the process file path is not attacked illegally, calculating an original credible process file fingerprint of the process file; or when receiving the fingerprint acquisition instruction of the management server and confirming that the process file corresponding to the process file path is not attacked illegally, calculating the original credible process file fingerprint of the process file.
Specifically, when it is monitored that a process file path is created, and an original trusted process file fingerprint is calculated at the same time when a user uploads and starts to run a process file, or when a fingerprint acquisition instruction of a management server is received, that is, the management server sends feedback information indicating that the process file runs to a node server, the original trusted process file fingerprint is calculated at the same time, that is, the process file is a process file which is just verified by the management server, so that the original trusted process file fingerprint is effectively guaranteed to be a corresponding fingerprint of the process file when the process file is not attacked illegally.
Step 102: and sending the original trusted process file fingerprint to a management server.
In the implementation process, after calculating the original trusted process file fingerprint, the node server sends the original trusted process file fingerprint to the management server, so that the management server marks the corresponding process file with the original trusted process file fingerprint, that is, the management server stores the original trusted process file fingerprint for the process file.
Step 203: if the fingerprint of the fingerprint increment representation process file changes, the process file is paused to be operated, whether the fingerprint increment is within a preset increment range is judged, and the judgment result is notified to the management server, so that the management server generates feedback information based on the judgment result.
In the implementation process, the fingerprint of the process file is represented by the fingerprint increment obtained after fingerprint comparison, that is, the calculated fingerprint of the trusted process file is different from the original fingerprint of the trusted process file, and in this case, it cannot be determined whether the change is caused by the user side or a hacker changing the content of the process file, so that the node server firstly suspends the operation of the process file. And restarting or continuing to pause the process file after receiving the feedback information of the management server.
After the fingerprint of the process file changes, the node server determines whether the fingerprint increment is within a preset increment range, as shown in fig. 4, specifically including:
step 2031: judging whether the fingerprint increment is within a preset increment range, wherein the fingerprint increment is the difference or quotient between the trusted process file fingerprint and the original trusted process file fingerprint; if the fingerprint increment does not exceed the preset increment range, executing step 2032; if the fingerprint increment exceeds the preset increment range, step 2033 is executed.
It should be noted that the preset increment range is a range in which the node server determines that the change of the fingerprint of the trusted process file is not a fingerprint change range caused by a hacker or the like, that is, the node server determines that the fingerprint of the trusted process file is acceptable.
In the implementation process, the node server obtains the fingerprint increment by calculating the difference or quotient between the trusted process file fingerprint and the original trusted process file fingerprint, and judges whether the fingerprint increment is within the preset increment range.
Step 2032: and generating a white list confirmation result.
In the implementation process, the node server determines that the difference or the quotient is within the preset increment range, and generates a white list confirmation result, namely the node server judges that the change of the fingerprint of the trusted process file is acceptable, and the process file is not attacked by a hacker.
Step 2033: and generating a blacklist confirmation result.
In the implementation process, the node server generates a blacklist confirmation result under the condition that the difference or the quotient exceeds the preset increment range, namely the node server judges that the change of the fingerprint of the credible process file is unacceptable, and the process file is attacked by a hacker.
Step 2034: and taking the white list confirmation result or the black list confirmation result as a judgment result.
And after the node server obtains a white list confirmation result or a black list confirmation result, taking the white list confirmation result or the black list confirmation result as a judgment result. Since the node server is also not trusted even in the case of hacking, it cannot be determined whether to run the process file or not from the determination result of the node server itself. Further, the node server notifies the management server of the determination result so that the management server generates feedback information based on the determination result, that is, the management server determines whether the process file can be run.
Step 204: and determining whether to run the process file based on the feedback information of the management server.
In the implementation process, after receiving the feedback information of the management server, the node server determines whether to run the process file, which specifically includes:
case (1): and if the received feedback information of the management server is the white list feedback information, determining to run the process file.
In this case, the management server verifies that the difference between the trusted process file fingerprint and the original trusted process file fingerprint is acceptable, that is, the process file is determined not to be attacked by a hacker, and then the generated white list feedback information is sent to the node server, and the node server determines to run the suspended process file based on the white list feedback information.
Case (2): and if the received feedback information of the management server is blacklist feedback information, the process file is prohibited to run.
In this case, the management server verifies that the difference between the trusted process file fingerprint and the original trusted process file fingerprint is unacceptable, that is, the process file is determined to be attacked by a hacker, and then the generated blacklist feedback information is sent to the node server, and the node server determines that the operation of the process file which is suspended is forbidden based on the blacklist feedback information.
After the condition that the node server executes the supervision method of the trusted process is introduced, the supervision method that the management server executes the trusted process is continuously introduced, wherein the management server is a Linux system. Referring to fig. 5, in the embodiment of the present disclosure, a specific process of the management server supervising the trusted process is as follows:
step 301: and receiving a judgment result sent by the node server, wherein the judgment result is generated after the node server compares the credible process file fingerprint of the process file corresponding to the process file path with the original credible process file fingerprint, and the original credible process file fingerprint is the fingerprint corresponding to the process file when the process file is not subjected to illegal attack.
It should be noted here that, before interacting with the node server, the management server first creates a process file path for the process file, where the process file path is created in the following manner:
and acquiring each process file in a running state on the node server, and respectively creating a process file path for each process file, so that the node server determines the process file corresponding to the process file path based on any one process file path.
Because a plurality of process files may be simultaneously run on the node server, in order to uniquely identify each process file and to facilitate finding any one process file, the management server may respectively configure a process file path (e.g.,/user/bin/touch) for each process file, so that the node server can find the corresponding process file through the process file path, and on this basis, the node server calculates the fingerprint of the process file.
In the implementation process, the trusted process file fingerprint of the process file corresponding to the process file path is calculated by the node server, and after the trusted process file fingerprint and the original trusted process file fingerprint are compared to generate a judgment result, the judgment result is sent to the management server. And the management server receives the judgment result sent by the node server.
Step 302: and verifying the process file based on the judgment result, determining whether the process file is a process file prohibited to be tampered, and generating feedback information according to the determination result.
In the implementation process, the management server verifies the process file on the basis of the received determination result to finally determine whether the process file is a tamper-prohibited process file, as shown in fig. 6, specifically including:
step 3021: and analyzing the judgment result to obtain a white list confirmation result or a black list confirmation result.
After calculating the trusted process file fingerprint of the process file, the node server is compared with the original trusted process file fingerprint, and a white list confirmation result or a black list confirmation result is generated. Therefore, in the implementation process, the management server analyzes the received determination result, and performs verification in combination with the white list confirmation result or the black list confirmation result in the determination result.
Step 3022: and sending the process file path of the process file corresponding to the white list confirmation result or the black list confirmation result and the original credible process file fingerprint to the user side, and receiving a fingerprint verification result returned by the user side, wherein the fingerprint verification result is generated by comparing the credible process file fingerprint with the original credible process file fingerprint on the basis of the user side, and the credible process file fingerprint is obtained by calculating the user side according to the received process file path.
In the implementation process, the management server delivers the verification operation to the user side for execution, namely, the management server sends the process file path of the process file corresponding to the white list confirmation result or the black list confirmation result to the user side. The process file path is sent to the user side, so that the user side can directly calculate the trusted process file fingerprint according to the process file path. It should be added that the method for computing the trusted process file fingerprint by the user side is consistent with the node server, and the method is unified among the node server, the management server and the user side. And then, the user terminal compares the calculated trusted process file fingerprint with the original trusted process file fingerprint, and sends the comparison result as a fingerprint verification result to the management server.
In addition, the management server sends the stored original credible process file fingerprint of the process file corresponding to the white list confirmation result or the black list confirmation result to the user side.
Step 3023: and if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is within the acceptance range, determining that the process file is not the process file prohibited from being tampered.
And the management server verifies the process file according to the fingerprint verification result, and if the fingerprint verification result shows that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is within an acceptance range, the fingerprint change of the process file is determined not to be caused by a hacker.
Step 3024: and if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is not in the acceptance range, determining that the process file is a process file which is forbidden to be tampered.
And the management server verifies the process file according to the fingerprint verification result, and if the fingerprint verification result shows that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is not in the acceptance range, the fingerprint change of the process file is determined to be caused by a hacker, under the condition, the management server determines that the process file is a tamper-forbidden process file, namely determines that the node server does not operate the process file.
After the management server performs verification, the management server generates feedback information according to a result of the determination, and specifically, the management server determines that the process file is not a tamper-prohibited process file, and generates feedback information according to a result of the determination that the process file is a tamper-prohibited process file.
Step 303: and sending the feedback information to the node server so that the node server determines whether to run the process file based on the feedback information.
In the implementation process, the management server sends the feedback information to the node server, so that the node server receives an indication that the process file is a process file which is not forbidden to be tampered, and thus the node server can determine whether to run the process file according to the feedback information, and specifically, after receiving the indication that the process file is not the process file which is forbidden to be tampered, the node server continues to run the process file which is paused before; and after receiving the indication that the process file is the tamper-prohibited process file, the node server still suspends the process file which is suspended before.
Based on the same inventive concept, referring to fig. 7, an embodiment of the present disclosure provides a node server, including: a memory 701 for storing executable instructions; a processor 702 configured to read and execute executable instructions stored in a memory, and perform any one of the methods of the first aspect.
Based on the same inventive concept, referring to fig. 8, an embodiment of the present disclosure provides a management server, including: a memory 801 for storing executable instructions; a processor 802 for reading and executing executable instructions stored in the memory, and performing any of the methods of the second aspect described above.
Based on the same inventive concept, embodiments of the present application provide a computer-readable storage medium, wherein instructions of the storage medium, when executed by a processor, enable the processor to perform the method of any one of the first aspect.
Based on the same inventive concept, the present application provides a computer-readable storage medium, wherein when the instructions in the storage medium are executed by a processor, the processor is enabled to execute the method according to any one of the second aspect.
In summary, in the embodiments of the present disclosure, a method for monitoring a trusted process and a storage medium are provided, where the method is applied to a node server, and includes: determining a process file corresponding to a process file path aiming at any process file path, calculating a trusted process file fingerprint of the process file according to a preset period, calculating the trusted process file fingerprint when a Linux system tool monitors that the process file is changed, and executing aiming at each calculated trusted process file fingerprint: comparing the calculated credible process file fingerprint with an original credible process file fingerprint, and determining a fingerprint increment based on a comparison result, wherein the original credible process file fingerprint is a fingerprint corresponding to the process file when the process file is not illegally attacked, if the fingerprint of the process file is represented by the fingerprint increment, the process file is paused to be operated, whether the fingerprint increment is within a preset increment range is judged, the judgment result is notified to a management server, so that the management server generates feedback information based on the judgment result, whether the process file is operated is determined based on the feedback information of the management server, and compared with a mode of monitoring whether the process file has a safety risk only through a process path, the method for monitoring whether the corresponding content of the process file is tampered effectively guarantees the safety of the process file.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product system. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product system embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program product systems according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
Claims (10)
1. A method for supervising a trusted process is applied to a node server, wherein the node server is a Linux system and comprises the following steps:
determining a process file corresponding to any process file path, and calculating a trusted process file fingerprint of the process file according to a preset period; calculating a trusted process file fingerprint when the Linux system tool monitors that the process file is changed, wherein a process file path is configured for each process file running on the node server by the management server;
executing every time a trusted process file fingerprint is calculated: comparing the calculated credible process file fingerprint with the original credible process file fingerprint, and determining a fingerprint increment based on the comparison result; the original credible process file fingerprint is a fingerprint corresponding to the process file when the process file is not attacked illegally;
if the fingerprint increment represents that the fingerprint of the process file changes, the process file is suspended from running, whether the fingerprint increment is in a preset increment range is judged, and a judgment result is notified to a management server so that the management server generates feedback information based on the judgment result;
and determining whether to run the process file based on the feedback information of the management server.
2. The method of claim 1, wherein before determining the process file corresponding to the process file path for any one process file path, further comprising:
when it is monitored that the process file path is created and the process file corresponding to the process file path is determined not to be attacked illegally, calculating an original credible process file fingerprint of the process file; or when a fingerprint acquisition instruction of a management server is received and the process file corresponding to the process file path is confirmed not to be attacked illegally, calculating an original credible process file fingerprint of the process file;
and sending the original trusted process file fingerprint to a management server.
3. The method of claim 1, wherein the determining whether the fingerprint increment is within a preset increment range comprises:
judging whether the fingerprint increment is within a preset increment range, wherein the fingerprint increment is the difference or quotient between the trusted process file fingerprint and the original trusted process file fingerprint;
if the fingerprint increment does not exceed the preset increment range, generating a white list confirmation result;
if the fingerprint increment exceeds the preset increment range, generating a blacklist confirmation result;
and taking the white list confirmation result or the black list confirmation result as the judgment result.
4. The method of claim 3, wherein the determining whether to run the process file based on the feedback information of the management server comprises:
if the received feedback information of the management server is white list feedback information, determining to operate the process file;
and if the received feedback information of the management server is blacklist feedback information, the process file is prohibited to run.
5. A method for supervising a trusted process is applied to a management server, wherein the management server is a Linux system and comprises the following steps:
receiving a judgment result sent by a node server, wherein the judgment result is generated by comparing a trusted process file fingerprint of a process file corresponding to a process file path with an original trusted process file fingerprint by the node server, and the original trusted process file fingerprint is a fingerprint corresponding to the process file when the process file is not attacked illegally;
verifying the process file based on the judgment result, determining whether the process file is a process file prohibited from being tampered, and generating feedback information according to the determination result;
and sending the feedback information to a node server so that the node server determines whether to run the process file based on the feedback information.
6. The method of claim 5, wherein the process file path is created by:
and acquiring each process file in a running state on the node server, and respectively creating a process file path for each process file, so that the node server determines the process file corresponding to the process file path based on any one process file path.
7. The method of claim 5, wherein the verifying the process file based on the determination result to determine whether the process file is a tamper-prohibited process file comprises:
analyzing the judgment result to obtain a white list confirmation result or a black list confirmation result;
sending the process file path of the process file corresponding to the white list confirmation result or the black list confirmation result and the original credible process file fingerprint to a user side, and receiving a fingerprint verification result returned by the user side, wherein the fingerprint verification result is generated by comparing the credible process file fingerprint with the original credible process file fingerprint on the basis of the user side, and the credible process file fingerprint is obtained by calculating the user side according to the received process file path;
if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is within an acceptance range, determining that the process file is not a process file prohibited from being tampered;
and if the fingerprint verification result represents that the fingerprint change of the process file corresponding to the white list confirmation result or the black list confirmation result is not in the acceptance range, determining that the process file is a process file prohibited from being tampered.
8. A node server, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 1-4.
9. A management server, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 5-7.
10. A computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor, cause the processor to perform the method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111493631.8A CN114416464A (en) | 2021-12-08 | 2021-12-08 | Trusted process supervision method and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111493631.8A CN114416464A (en) | 2021-12-08 | 2021-12-08 | Trusted process supervision method and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114416464A true CN114416464A (en) | 2022-04-29 |
Family
ID=81265754
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111493631.8A Pending CN114416464A (en) | 2021-12-08 | 2021-12-08 | Trusted process supervision method and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114416464A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115510427A (en) * | 2022-11-21 | 2022-12-23 | 博智安全科技股份有限公司 | Cross-platform process running credible monitoring method and system |
-
2021
- 2021-12-08 CN CN202111493631.8A patent/CN114416464A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115510427A (en) * | 2022-11-21 | 2022-12-23 | 博智安全科技股份有限公司 | Cross-platform process running credible monitoring method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Chen et al. | Stormdroid: A streaminglized machine learning-based system for detecting android malware | |
| CN106156628B (en) | User behavior analysis method and device | |
| EP3350741B1 (en) | Detecting software attacks on processes in computing devices | |
| EP2975873A1 (en) | A computer implemented method for classifying mobile applications and computer programs thereof | |
| EP3270317B1 (en) | Dynamic security module server device and operating method thereof | |
| CN112995236B (en) | Internet of things equipment safety management and control method, device and system | |
| CN108256325A (en) | A kind of method and apparatus of the detection of malicious code mutation | |
| CN111400723A (en) | TEE extension-based operating system kernel mandatory access control method and system | |
| CN106650438A (en) | Method and device for detecting baleful programs | |
| JP2023523079A (en) | Endpoint security using behavior prediction model | |
| CN114528602B (en) | Security chip operation method and device based on attack detection behavior | |
| CN114416464A (en) | Trusted process supervision method and storage medium | |
| CN114969712A (en) | Trusted program dynamic measurement method and device based on LSM framework | |
| CN112035839B (en) | Method and device for detecting competitive condition vulnerability exploitation | |
| KR102311997B1 (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis | |
| KR20130053008A (en) | Surveillance system and method for authentication procedure based by unique identifier | |
| CN110874474A (en) | Lessocian virus defense method, Lessocian virus defense device, electronic device and storage medium | |
| CN115017500A (en) | Alarm method, device and equipment based on data block detection | |
| CN113709153A (en) | Log merging method and device and electronic equipment | |
| CN113094699A (en) | Safety monitoring method, electronic equipment and computer readable storage medium | |
| CN116484364B (en) | Hidden port detection method and device based on Linux kernel | |
| CN114297647B (en) | Program security detection method and related device | |
| US12001545B2 (en) | Detecting stack pivots using stack artifact verification | |
| WO2022091232A1 (en) | Monitoring range determination device, monitoring range determination method, and computer-readable medium | |
| CN116418593A (en) | Dynamic credibility measuring method, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |