CN115695011A - Mimicry defense method and device - Google Patents
Mimicry defense method and device Download PDFInfo
- Publication number
- CN115695011A CN115695011A CN202211362347.1A CN202211362347A CN115695011A CN 115695011 A CN115695011 A CN 115695011A CN 202211362347 A CN202211362347 A CN 202211362347A CN 115695011 A CN115695011 A CN 115695011A
- Authority
- CN
- China
- Prior art keywords
- target
- output
- mimicry
- container
- target software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The application discloses a mimicry defense method and a mimicry defense device. And then constructing a target mimicry container mirror image by using the target heterogeneous variants, and further operating the target mimicry container based on the target mimicry container mirror image. And controlling the target software to run in the target mimicry container to obtain the target output of the target software running in the target mimicry container, wherein the target output comprises the first output of the first execution region of the target mimicry container, the second output of the second execution region of the target mimicry container and the third output of the third execution region of the target mimicry container. And determining the output state of the target output according to the three outputs. And if the output state of the target output is an abnormal output state, blocking the target output, stopping the running of target software, and cleaning the three execution areas based on a preset cleaning strategy. Thus, vulnerability attacks can be defended in time.
Description
Technical Field
The invention relates to the technical field of network space security, in particular to a mimicry defense method, a mimicry defense device, mimicry defense equipment and a readable storage medium.
Background
The rapid development of the network space technology brings convenience, rapidness, high efficiency and convenience to all aspects of the modern society, and simultaneously brings huge potential safety hazards, such as privacy disclosure, data tampering, data stealing and the like. Under the condition of high dependence on internet information technology, the traditional network security defense mode can not adapt to the ever-changing vulnerability attack mode of hackers gradually.
The existing defense mode defends control flow hijacking based on code reuse through control flow integrity, so that defense is performed, vulnerability attack is difficult to find in time and defense is performed.
Disclosure of Invention
In view of this, the present application provides a mimicry defense method and apparatus, which can defend against vulnerability attacks in time.
In a first aspect, the present application provides a mimicry defense method, the method comprising:
acquiring target software data;
carrying out isomerization processing on the target software data to obtain a target heterogeneous variant;
constructing a target mimicry container mirror image by using the target heterogeneous variants;
running a target-mimetic container based on the target-mimetic container mirror;
controlling the target software to run in the target mimicry container;
acquiring target output of target software running in the target mimicry container, wherein the target output comprises first output of a first execution area of the target mimicry container, second output of a second execution area of the target mimicry container and third output of a third execution area of the target mimicry container, and the first execution area, the second execution area and the third execution area are heterogeneous and functionally equivalent;
determining an output state of the target output according to the first output, the second output, and the third output;
and if the output state of the target output is an abnormal output state, blocking the target output and stopping the operation of the target software, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy.
In one possible implementation manner, the isomerizing the target software data includes:
and if the target software data comprises the source code of the target software, performing isomerization processing on the target software data by using diversified compilation.
In a possible implementation manner, the performing the isomerization processing on the target software data includes:
and if the target software data does not comprise the source code of the target software, carrying out isomerization processing on the target software by utilizing binary obfuscation or disassembly recompilation.
In one possible implementation, the determining an output state of the target output according to the first output, the second output, and the third output includes:
and if the first output, the second output and the third output are determined to be different based on a preset voting algorithm, determining that the output state of the target output is an abnormal output state.
In one possible implementation, the method further includes:
and if the output state of the target output is a normal output state, performing redundancy removal on the first output, the second output and the third output, and determining the target output.
In a second aspect, the present application also provides a mimicry defense device, the device comprising:
a first acquisition unit configured to acquire target software data;
the processing unit is used for carrying out isomerization processing on the target software data to obtain a target heterogeneous variant;
a construction unit, configured to construct a target mimicry container mirror image using the target heterogeneous variant;
a running unit for running a target mimicry container based on the target mimicry container mirror image;
the control unit is used for controlling the target software to run in the target mimicry container;
a second obtaining unit, configured to obtain a target output of target software running on the target mimicry container, where the target output includes a first output of a first execution region of the target mimicry container, a second output of a second execution region of the target mimicry container, and a third output of a third execution region of the target mimicry container, and the first execution region, the second execution region, and the third execution region are heterogeneous and functionally equivalent;
a determination unit configured to determine an output state of the target output according to the first output, the second output, and the third output;
and the cleaning unit is used for blocking the target output and stopping the running of the target software if the output state of the target output is an abnormal output state, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy.
In a possible implementation manner, the processing unit is configured to perform an isomerization process on the target software data, and includes:
the processing unit is further configured to perform isomerization processing on the target software data by using diversified compilation if the target software data includes a source code of the target software.
In a possible implementation manner, the processing unit is configured to perform an isomerization process on the target software data, and includes:
and the processing unit is used for carrying out isomerization processing on the target software by utilizing binary confusion or disassembling and recompiling if the target software data does not comprise the source code of the target software.
In a possible implementation manner, the determining unit includes:
and if the first output, the second output and the third output are determined to be different based on a preset voting algorithm, determining that the output state of the target output is an abnormal output state.
In one possible implementation, the apparatus further includes:
and the redundancy removing unit is used for removing redundancy of the first output, the second output and the third output and determining the target output if the output state of the target output is a normal output state.
Therefore, the application has the following beneficial effects:
the application provides a mimicry defense method and a mimicry defense device. And then, constructing a target mimicry container mirror image by using the target heterogeneous variant, further operating the target mimicry container based on the target mimicry container mirror image, and then controlling the target software to operate in the target mimicry container. The method comprises the steps of obtaining target output of target software running in a target mimicry container, wherein the target output comprises first output of a first execution area of the target mimicry container, second output of a second execution area of the target mimicry container and third output of a third execution area of the target mimicry container, the first execution area, the second execution area and the third execution area are heterogeneous and functionally equivalent, and determining the output state of the target output according to the first output, the second output and the third output. And judging the output state of the target output, blocking the target output and stopping the operation of the target software if the output state of the target output is an abnormal output state, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy. Thus, vulnerability attacks can be defended in time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a mimicry defense method according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a mimicry defense device according to an embodiment of the present disclosure.
Detailed Description
In order to facilitate understanding and explaining the technical solutions provided by the embodiments of the present application, the following description will first describe the background art of the present application.
Mimicry defense: the mimicry defense is an active defense idea aiming at backdoors of unknown vulnerabilities and is proposed by scientific research teams in China, and the core of the mimicry defense is a Dynamic Heterogeneous Redundancy (DHR) structure. The functions of the executors are equivalent, but behaviors after attack are different, and the voter judges whether the attacks are carried out or not by comparing whether the behaviors of the executors in the online executors are consistent or not. Once the voter is judged to be attacked, a dynamic selection algorithm is called to select a proper component from an offline heterogeneous component set to replace an online executive body, and the process is called mimicry transformation. The portion in between the input agent and the voter is called the mimicry world. The DHR construction and voting mechanism of the mimicry world is the root of the endogenously secure capability of the mimicry defense system.
In order to defend the hijacking attack of the process control flow based on the binary vulnerability, the dynamic heterogeneous redundancy mode is adopted to execute the program under the inspiration of the mimicry defense idea. On the basis of heterogeneous redundancy, the attack behavior is effectively discovered by combining a voting mechanism, then the attack is blocked, and an alarm and a feedback are given. Finally, the endogenous safe running environment of the software is realized.
Redundancy: everything within the mimicry boundary needs to be transparent outside the mimicry boundary, which is an inherent requirement of mimicry. This requires that: the input of the mimicry software is automatically redundant, the output of the mimicry software is automatically de-redundant, and one software executive body does not know the existence of other software executive bodies.
Isomerization: heterogeneity is derived from two dimensions, one of which is the difference in operating environment. Another dimension is the isomerization process of the software itself.
Mimicry container mirroring: the pseudo container mirror is different from the traditional container mirror, the traditional container mirror only comprises the running environment required by the container, and the pseudo container mirror comprises redundancy information of the pseudo container and the running environment required by each redundancy (area), so that when the software runs in the pseudo container mirror, the running environments of the software are heterogeneous.
The existing defense mode defends control flow hijacking based on code reuse through control flow integrity, so that defense is performed, vulnerability attack is difficult to find in time and defense is performed.
Based on the above, the application provides a mimicry defense method and device, and the method comprises the steps of firstly obtaining target software data, and then carrying out isomerization processing on the target software data to obtain a target heterogeneous variant. And then, constructing a target mimicry container mirror image by using the target heterogeneous variant, further operating the target mimicry container based on the target mimicry container mirror image, and then controlling the target software to operate in the target mimicry container. The method comprises the steps of obtaining target output of target software running in a target mimicry container, wherein the target output comprises first output of a first execution area of the target mimicry container, second output of a second execution area of the target mimicry container and third output of a third execution area of the target mimicry container, the first execution area, the second execution area and the third execution area are heterogeneous and functionally equivalent, and determining the output state of the target output according to the first output, the second output and the third output. And judging the output state of the target output, blocking the target output and stopping the operation of the target software if the output state of the target output is an abnormal output state, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy. Thus, vulnerability attacks can be defended in time.
In order to facilitate understanding of the technical solutions provided in the embodiments of the present application, a mimicry defense method and apparatus provided in the embodiments of the present application are described below with reference to the accompanying drawings.
S101: target software data is acquired.
In the embodiment of the application, the target software data can be acquired through a crawler technology. The target software data can also be directly obtained through a database. The manner in which the target software data is obtained is not limited herein.
S102: and carrying out isomerization processing on the target software data to obtain a target heterogeneous variant.
It will be appreciated that the target software data may include, among other things, the operating data of the target software and the source code of the target software. After the target software data is obtained, whether the target software data comprises the source code of the target software is judged, if the target software data comprises the source code of the target software, the target software data can be subjected to isomerization processing by utilizing diversified compilation, and a target heterogeneous variant is obtained. If the target software data does not comprise the source code of the target software, the target software can be subjected to isomerization processing by binary confusion or disassembling and recompiling to obtain a target heterogeneous variant.
S103: and constructing a target mimicry container mirror image by using the target heterogeneous variant.
After the target heterogeneous variant is obtained, a preset mimicry container mirror image construction method can be used for constructing a target mimicry container mirror image by using the target heterogeneous variant.
S104: running a target-mimetic container based on the target-mimetic container mirror.
In the embodiment of the application, the constructed target mimicry container mirror image is used as the running environment of the target mimicry container, so that the target mimicry container can run in the mimicry container mirror image.
S105: and controlling the target software to run in the target mimicry container.
And after the target mimicry container is successfully operated in the mimicry container mirror image, controlling the target software to operate in the target mimicry container.
S106: obtaining target output of target software running in the target mimicry container, wherein the target output comprises first output of a first execution area of the target mimicry container, second output of a second execution area of the target mimicry container and third output of a third execution area of the target mimicry container, and the first execution area, the second execution area and the third execution area are heterogeneous and functionally equivalent.
After the target software is run in the target mimicry container, a first output of the target software in a first execution region of the target mimicry container, a second output of the target software in a second execution region of the target mimicry container, and a third output of the target software in a third execution region of the target mimicry container may be obtained. The first execution area, the second execution area and the third execution area are heterogeneous and functionally equivalent.
S107: determining an output state of the target output according to the first output, the second output, and the third output.
It is understood that after the first output, the second output, and the third output are obtained. And judging whether the first output, the second output and the third output are the same or not based on a preset voting algorithm, and if the first output, the second output and the third output are completely the same based on the preset voting algorithm, judging that the output state of the target output is a normal output state. If it is determined that the first output is the same as the second output but the first and second outputs are different from the third output based on the preset decision, the output state of the target output is an abnormal output state. Alternatively, the output state of the target output is determined to be an abnormal output state based on the preset table decision, in which the second output is the same as the third output, but the second and third outputs are different from the first output. Alternatively, the output state of the target output is determined to be an abnormal output state if the first output is the same as the third output but the first and third outputs are different from the second output based on the preset voting calculation. Or if the first output, the second output and the third output are determined to be different based on the preset voting calculation, the output state of the target output is an abnormal output state.
S108: and if the output state of the target output is an abnormal output state, blocking the target output, stopping the operation of the target software, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy.
After the output state of the target output is determined to be an abnormal output state, the target output can be considered to be attacked, the target output is blocked and the running of target software is stopped, and the data is stopped from being transmitted due to the blockage of the target output, so that an attack chain is cut off. And after the running of the target software is stopped, cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy. Therefore, after the execution area is cleaned, even if vulnerability attack is defended, the safety of data transmission is improved.
Based on the related contents of S101-S108, the vulnerability attack can be defended in time, and the security of data transmission is improved.
The specific implementation procedures of the above embodiments and their derivatives are all within the protection scope of the present application.
Corresponding to the method described in fig. 1, an embodiment of the present application further provides a mimicry defense apparatus, which is used for specifically implementing the method in fig. 1, where the mimicry defense apparatus provided in the embodiment of the present application may be applied to a computer terminal or various mobile devices, and a schematic structural diagram of the mimicry defense apparatus is shown in fig. 2, where the mimicry defense apparatus specifically includes:
a first acquisition unit 201 for acquiring target software data;
a processing unit 202, configured to perform isomerization processing on the target software data to obtain a target heterogeneous variant;
a constructing unit 203, configured to construct a target pseudo container image using the target heterogeneous variant;
a running unit 204 for running a target mimicry container based on the target mimicry container mirror;
a control unit 205, configured to control the target software to run in the target mimicry container;
a second obtaining unit 206, configured to obtain a target output of target software running in the target mimicry container, where the target output includes a first output of a first execution region of the target mimicry container, a second output of a second execution region of the target mimicry container, and a third output of a third execution region of the target mimicry container, and the first execution region, the second execution region, and the third execution region are heterogeneous and functionally equivalent;
a determining unit 207, configured to determine an output state of the target output according to the first output, the second output, and the third output;
a cleaning unit 208, configured to block the target output and stop running of the target software if the output state of the target output is an abnormal output state, and clean the first execution area, the second execution area, and the third execution area based on a preset cleaning policy.
In a possible implementation manner, the processing unit 202 is configured to perform isomerization processing on the target software data, and includes:
the processing unit is further configured to perform an isomerization process on the target software data by using diversified compilation if the target software data includes a source code of the target software.
In a possible implementation manner, the processing unit 202 is configured to perform isomerization processing on the target software data, and includes:
the processing unit 202 is configured to perform an isomerization process on the target software by using binary obfuscation or disassembly and recompilation if the target software data does not include the source code of the target software.
In a possible implementation manner, the determining unit 207 includes:
and if the first output, the second output and the third output are determined to be different based on a preset voting algorithm, determining that the output state of the target output is an abnormal output state.
In one possible implementation, the apparatus further includes:
and the redundancy removing unit is used for removing redundancy of the first output, the second output and the third output and determining the target output if the output state of the target output is a normal output state.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the system or the device disclosed by the embodiment, the description is simple because the system or the device corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more. "and/or" for describing an association relationship of associated objects, indicating that there may be three relationships, e.g., "a and/or B" may indicate: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a," "8230," "8230," or "comprising" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A mimicry defense method, the method comprising:
acquiring target software data;
carrying out isomerization processing on the target software data to obtain a target heterogeneous variant;
constructing a target mimicry container mirror image by using the target heterogeneous variant;
running a target-mimetic container based on the target-mimetic container mirror;
controlling the target software to run in the target mimicry container;
obtaining a target output of target software running on the target mimicry container, the target output including a first output of a first execution region of the target mimicry container, a second output of a second execution region of the target mimicry container, and a third output of a third execution region of the target mimicry container, the first, second, and third execution regions being heterogeneous and functionally equivalent;
determining an output state of the target output according to the first output, the second output, and the third output;
and if the output state of the target output is an abnormal output state, blocking the target output and stopping the operation of the target software, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy.
2. The method according to claim 1, wherein the isomerizing the target software data comprises:
and if the target software data comprises the source code of the target software, performing isomerization processing on the target software data by using diversified compilation.
3. The method of claim 1, the isomerizing the target software data comprising:
and if the target software data does not comprise the source code of the target software, carrying out isomerization processing on the target software by binary confusion or disassembling and recompiling.
4. The method of claim 1, wherein determining the output state of the target output based on the first output, the second output, and the third output comprises:
and if the first output, the second output and the third output are determined to be different based on a preset voting algorithm, determining that the output state of the target output is an abnormal output state.
5. The method of claim 1, further comprising:
and if the output state of the target output is a normal output state, performing redundancy removal on the first output, the second output and the third output, and determining the target output.
6. A mimicry defense device, the device comprising:
a first acquisition unit configured to acquire target software data;
the processing unit is used for carrying out isomerization processing on the target software data to obtain a target heterogeneous variant;
a construction unit, configured to construct a target mimicry container mirror image using the target heterogeneous variant;
a running unit for running a target mimicry container based on the target mimicry container mirror image;
the control unit is used for controlling the target software to run in the target mimicry container;
a second obtaining unit, configured to obtain a target output of target software running in the target mimicry container, where the target output includes a first output of a first execution area of the target mimicry container, a second output of a second execution area of the target mimicry container, and a third output of a third execution area of the target mimicry container, and the first execution area, the second execution area, and the third execution area are heterogeneous and functionally equivalent;
a determination unit configured to determine an output state of the target output according to the first output, the second output, and the third output;
and the cleaning unit is used for blocking the target output and stopping the running of the target software if the output state of the target output is an abnormal output state, and cleaning the first execution area, the second execution area and the third execution area based on a preset cleaning strategy.
7. The apparatus according to claim 6, wherein the processing unit is configured to perform an isomerization process on the target software data, and includes:
the processing unit is further configured to perform an isomerization process on the target software data by using diversified compilation if the target software data includes a source code of the target software.
8. The apparatus according to claim 6, wherein the processing unit is configured to perform isomerization processing on the target software data, and includes:
and the processing unit is used for carrying out isomerization processing on the target software by utilizing binary confusion or disassembling and recompiling if the target software data does not comprise the source code of the target software.
9. The apparatus of claim 6, wherein the determining unit comprises:
and if the first output, the second output and the third output are determined to be different based on a preset voting algorithm, determining that the output state of the target output is an abnormal output state.
10. The apparatus of claim 6, further comprising:
and the redundancy removing unit is used for removing redundancy of the first output, the second output and the third output if the output state of the target output is a normal output state, and determining the target output.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211362347.1A CN115695011A (en) | 2022-11-02 | 2022-11-02 | Mimicry defense method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211362347.1A CN115695011A (en) | 2022-11-02 | 2022-11-02 | Mimicry defense method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115695011A true CN115695011A (en) | 2023-02-03 |
Family
ID=85047887
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211362347.1A Pending CN115695011A (en) | 2022-11-02 | 2022-11-02 | Mimicry defense method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115695011A (en) |
-
2022
- 2022-11-02 CN CN202211362347.1A patent/CN115695011A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3465529B1 (en) | Apparatus and method for locking and unlocking removable media for use inside and outside protected systems | |
| US10402577B2 (en) | Apparatus and method for device whitelisting and blacklisting to override protections for allowed media at nodes of a protected system | |
| Wu et al. | Taxonomy of cross-domain attacks on cybermanufacturing system | |
| Wang et al. | Malicious firmware detection with hardware performance counters | |
| US10205726B2 (en) | Apparatus and method for preventing file access by nodes of a protected system | |
| US10643007B2 (en) | System and method for auditing file access to secure media by nodes of a protected system | |
| US20170351854A1 (en) | System and method supporting secure data transfer into and out of protected systems using removable media | |
| US10812517B2 (en) | System and method for bridging cyber-security threat intelligence into a protected system using secure media | |
| JP2010515177A (en) | Automatic vulnerability detection and response | |
| US20170155683A1 (en) | Remedial action for release of threat data | |
| WO2017209953A1 (en) | System and method for providing command and control parameters, configuration data, and other data to nodes of a protected system using secure media | |
| JP6918269B2 (en) | Attack estimator, attack control method, and attack estimator program | |
| US10990671B2 (en) | System and method for implementing secure media exchange on a single board computer | |
| Azzam et al. | Forensic readiness of industrial control systems under stealthy attacks | |
| Khalil et al. | Threat modeling of industrial control systems: A systematic literature review | |
| CN115695011A (en) | Mimicry defense method and device | |
| CN114844684B (en) | Active defense network evaluation method and system based on multiple fusion method | |
| Pasandideh et al. | Improving attack trees analysis using Petri net modeling of cyber-attacks | |
| CN110188539B (en) | Method, device and system for running application | |
| Redelinghuys et al. | Cybersecurity considerations for industrie 4.0 | |
| Bekiroglu et al. | Source Code Transformations for Improving Security of Time-bounded K-variant Systems | |
| CN113422776A (en) | Active defense method and system for information network security | |
| JP2007058862A (en) | Method and apparatus for managing server process, and computer program (method or apparatus for managing server process in computer system) | |
| Kharatyan et al. | Security-and safety-driven functional architecture development exemplified by automotive systems engineering | |
| Uemura et al. | Optimal Security Patch Management Policies Maximizing System Availability. |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |