CN114707145A - Ransomware detection method based on Fanotify mechanism - Google Patents

Ransomware detection method based on Fanotify mechanism

Info

Publication number
CN114707145A
Authority
CN
China
Prior art keywords
fanotify
pid
node
nodes
event
Legal status
Withdrawn
Application number
CN202210336442.8A
Other languages
Chinese (zh)
Inventor
靳方
王孜好
肖守和
Current Assignee
He'an Technology Innovation Co ltd
Original Assignee
He'an Technology Innovation Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a ransomware detection method based on the Fanotify mechanism, comprising the following steps. Step one: perform system initialization; when Fanotify is initialized, call fanotify_init to create a Fanotify instance and create a thread for reading Fanotify events. Step two: when a process creates or deletes a file, a Fanotify event is triggered; the Fanotify thread receives the event and parses it to obtain the process file name, the process PID, the file size and the process PID backtracking chain. Step three: query the process tree according to the process PID backtracking chain. Step four: trace the path upward from the process leaf node, updating the statistical information node by node and setting each node's last update time to the current time. The invention uses the Fanotify file monitoring mechanism and judges and identifies ransomware from its behavioural characteristics rather than from signatures, so it can effectively identify unknown ransomware.

Description

Ransomware detection method based on Fanotify mechanism
Technical Field
The invention relates to the field of software detection, in particular to a ransomware detection method based on the Fanotify mechanism.
Background
Ransomware has rapidly grown into the foremost threat in current network security; it is extremely destructive, can cause heavy losses and seriously endangers the security of enterprises.
The basic behaviour of ransomware is to encrypt the files on the host and delete the originals. Based on this characteristic and on Fanotify, the file monitoring mechanism of Linux, this proposal gives a concrete implementation scheme for identifying ransomware; the scheme can identify unknown ransomware without a signature.
At present, the main way in which existing host security software detects ransomware is by signature matching: a sample of the ransomware must be obtained in advance and its signature analysed, so ransomware for which no sample or signature is known cannot be effectively detected.
Existing ransomware detection methods therefore have a poor detection effect and a low recognition rate in use, which limits their usefulness; for this reason a ransomware detection method based on the Fanotify mechanism is provided.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: how to overcome the poor detection effect and low recognition rate of existing ransomware detection methods in use, which limit their usefulness, by providing a ransomware detection method based on the Fanotify mechanism.
The invention solves this technical problem through the following technical scheme, which comprises the following steps:
step one: perform system initialization; when Fanotify is initialized, call fanotify_init to create a Fanotify instance, and create a thread for reading Fanotify events;
step two: when a process creates or deletes a file, a Fanotify event is triggered; the Fanotify thread receives the event and parses it to obtain the process file name, the process PID, the file size and the process PID backtracking chain;
step three: query the process tree according to the process PID backtracking chain;
step four: trace the path upward from the process leaf node, updating the statistical information node by node and setting each node's last update time to the current time;
step five: in each statistical period, the timer traverses the process tree, calculates for each node the increment between the latest data and the data of the previous period, analyses and judges the increment data according to an algorithm, and determines whether to raise a suspected-ransomware alarm;
step six: after the alarm judgment is finished, copy the latest statistical data of each node to the statistical data of the previous statistical period; at the same time, check the nodes that have not been updated within a certain time, query whether the process corresponding to the PID still exists, and delete the node if the process no longer exists.
Further, the process PID backtracking chain of step two is obtained by acquiring the parent process step by step from the current process up to the root process.
Further, the specific procedure for querying the process tree with the PID backtracking chain is as follows: take the PIDs from the backtracking chain from back to front in turn and look each up in the process tree; if a PID cannot be found, create a new node according to the parent-child relationship of the processes.
Further, various algorithms may be used in step five; the simplest is that if the number of deleted and added files in the statistical period exceeds M and the difference between the numbers of deleted and added files does not exceed N, an alarm is triggered.
Further, the specific procedure of step five is as follows: the timer traverses the process tree and, for each node, calculates the increment between the latest data and the data of the previous period and judges whether the increment exceeds the increment threshold. If the increment exceeds the threshold, an alarm is triggered, the latest data is copied to the previous statistical period, the PID nodes are aged and the expired PID nodes are deleted. If the increment does not exceed the threshold, no alarm is triggered, the latest data is copied directly to the previous statistical period, the PID nodes are aged and the expired PID nodes are deleted.
Compared with the prior art, the invention has the following advantages. The ransomware detection method based on the Fanotify mechanism monitors the whole file system through Fanotify, counts the number of files created and deleted together with their size and time characteristics on a process tree, and judges and identifies ransomware on the basis of that process tree. The software monitors the whole file system in the background and records statistics when files are created and deleted, without the user noticing; when the statistics of created and deleted files reach a predefined threshold, the software raises an alarm to tell the user that suspected ransomware behaviour has been found, and the user can take further action. The scheme uses the Fanotify file monitoring mechanism and judges and identifies ransomware from its behavioural characteristics rather than from signatures, so it can effectively identify unknown ransomware. Through this process ransomware is identified better and the recognition rate is improved, the harm done by ransomware and the economic loss it causes are reduced, and the method is well worth popularizing and applying.
Drawings
FIG. 1 is an overall flow diagram of the present invention;
FIG. 2 is a diagram illustrating a process tree based file operation statistics structure according to the present invention;
FIG. 3 is a process tree based file operation statistics flow diagram of the present invention;
FIG. 4 is a schematic diagram of adding process tree-based file operation statistics nodes according to the present invention.
Detailed Description
The following examples are given for the detailed implementation and the specific operation procedures, but the scope of the present invention is not limited to the following examples.
As shown in fig. 1 to 4, the present embodiment provides a technical solution: a ransomware detection method based on the Fanotify mechanism, comprising the following steps.
Step one: the system is initialized. Referring to fig. 2, when Fanotify is initialized, fanotify_init is called to create a Fanotify instance, and a thread is created to read Fanotify events.
The key behaviours of ransomware all involve creating and deleting files, so this step initializes the Linux file monitoring module to monitor file creation and deletion on the file system.
Step two: when a process creates or deletes a file, a Fanotify event is triggered; the Fanotify thread receives the event and parses it to obtain the process file name, the process PID, the file size and the process PID backtracking chain. The process PID backtracking chain is obtained by acquiring the parent process step by step from the current process up to the root process; for example, for process PID-007 in fig. 1, the backtracking chain is "PID-007 -> PID-006 -> PID-005 -> PID-001 -> root PID". This step receives the file creation or deletion event together with the PID of the process it belongs to, and then traces upward from that PID to obtain the process tree. A process tree is used because ransomware may run in multi-process mode, forking different child processes to perform the file encryption, so malicious behaviour cannot be judged from the file addition and deletion statistics of a single process alone; instead the statistics are aggregated up to the parent processes, where they can be judged and identified.
Step three: the process tree is queried according to the process PID backtracking chain. The specific procedure is as follows: take the PIDs from the backtracking chain from back to front in turn and look each up in the process tree; if a PID cannot be found, create a new node according to the parent-child relationship of the processes. For example, as shown in fig. 3, Fanotify reports a process PID-015 whose backtracking chain is "PID-015 -> PID-014 -> PID-005 -> PID-001 -> root PID". The root node of the process tree is first located by the root PID, then PID-001 is found among the child nodes of the root node, then PID-005 among the child nodes of PID-001; PID-014 cannot be found among the child nodes of PID-005, so PID-014 is added as a child node of PID-005 and PID-015 as a child node of PID-014. In this way the step adds to the process tree, for statistics, every process PID that has performed a file addition or deletion.
Step four: the path is traced upward from the process leaf node, the statistical information is updated node by node, and each node's last update time is set to the current time. For example, as shown in fig. 3, Fanotify reports that process PID-015 has deleted one file of S bytes; the "total number of deleted files" of every node on the backtracking path "PID-015 -> PID-014 -> PID-005 -> PID-001 -> root PID" is then increased by one and the "total size of deleted files" by S. This step updates the statistics of the process tree nodes along the PID backtracking chain of the process that performed the file addition or deletion.
Step five: in each statistical period the timer traverses the process tree, calculates for each node the increment between the latest data and the data of the previous period, analyses and judges the increment data according to an algorithm, and determines whether to raise a suspected-ransomware alarm. Various algorithms may be used; the simplest is that if the number of deleted and added files in the statistical period exceeds M and the difference between the numbers of deleted and added files does not exceed N, an alarm is triggered. This step inspects the process tree at the configured period and decides, according to the algorithm, whether a process has triggered a suspected-ransomware behaviour alarm.
Step six: after the alarm judgment has been processed, the latest statistical data of each node is copied to the statistical data of the previous statistical period. At the same time, the nodes that have not been updated within a certain time are checked: whether the process corresponding to the PID still exists is queried, and if it does not, the node is deleted. This step updates the previous-period statistics and removes expired process nodes from the process tree.
The ransomware detection method based on the Fanotify mechanism monitors the whole file system through Fanotify, counts the number of files created and deleted together with their size and time characteristics on a process tree, and judges and identifies ransomware on the basis of that process tree. The software monitors the whole file system in the background and records statistics when files are created and deleted, without the user noticing; when the statistics of created and deleted files reach a predefined threshold, the software raises an alarm to tell the user that suspected ransomware behaviour has been found, and the user can take further action. Through this process ransomware is identified better, the recognition rate is improved, and the harm done by ransomware and the economic loss it causes are reduced. The scheme can be used as stand-alone software or as a functional module of a host security protection product. Fanotify is a newer file monitoring technology on the Linux platform, often used by antivirus software or for access control against malicious programs; the Fanotify mechanism provides permission checking and access control for monitored files, can supply the PID (process number, which uniquely identifies a process) of the process operating on a file, and can monitor the whole file system.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (5)

1. A ransomware detection method based on the Fanotify mechanism, characterized by comprising the following steps:
step one: perform system initialization; when Fanotify is initialized, call fanotify_init to create a Fanotify instance, and create a thread for reading Fanotify events;
step two: when a process creates or deletes a file, a Fanotify event is triggered; the Fanotify thread receives the event and parses it to obtain the process file name, the process PID, the file size and the process PID backtracking chain;
step three: query the process tree according to the process PID backtracking chain;
step four: trace the path upward from the process leaf node, updating the statistical information node by node and setting each node's last update time to the current time;
step five: in each statistical period, the timer traverses the process tree, calculates for each node the increment between the latest data and the data of the previous period, analyses and judges the increment data according to an algorithm, and determines whether to raise a suspected-ransomware alarm;
step six: after the alarm judgment is finished, copy the latest statistical data of each node to the statistical data of the previous statistical period; at the same time, check the nodes that have not been updated within a certain time, query whether the process corresponding to the PID still exists, and delete the node if the process no longer exists.
2. The ransomware detection method based on the Fanotify mechanism as claimed in claim 1, wherein: the process PID backtracking chain of step two is obtained by acquiring the parent process step by step from the current process up to the root process.
3. The ransomware detection method based on the Fanotify mechanism as claimed in claim 1, wherein: the specific procedure for querying the process tree with the PID backtracking chain is as follows: take the PIDs from the backtracking chain from back to front in turn and look each up in the process tree; if a PID cannot be found, create a new node according to the parent-child relationship of the processes.
4. The ransomware detection method based on the Fanotify mechanism as claimed in claim 1, wherein: various algorithms may be used in step five; the simplest is that if the number of deleted and added files in the statistical period exceeds M and the difference between the numbers of deleted and added files does not exceed N, an alarm is triggered.
5. The ransomware detection method based on the Fanotify mechanism as claimed in claim 1, wherein: the specific procedure of step five is as follows: the timer traverses the process tree and, for each node, calculates the increment between the latest data and the data of the previous period and judges whether the increment exceeds the increment threshold. If the increment exceeds the threshold, an alarm is triggered, the latest data is copied to the previous statistical period, the PID nodes are aged and the expired PID nodes are deleted. If the increment does not exceed the threshold, no alarm is triggered, the latest data is copied directly to the previous statistical period, the PID nodes are aged and the expired PID nodes are deleted.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210336442.8A CN114707145A (en) 2022-03-31 2022-03-31 Ransomware detection method based on Fanotify mechanism (Withdrawn)

Publications (1)

Publication Number Publication Date
CN114707145A true CN114707145A (en) 2022-07-05

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115168908A (en) * 2022-09-05 2022-10-11 深圳市科力锐科技有限公司 File protection method, device, equipment and storage medium
CN115168908B (en) * 2022-09-05 2022-12-06 深圳市科力锐科技有限公司 File protection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220705