CN115904605A - Software defense method and related equipment - Google Patents


Info

Publication number
CN115904605A
Authority
CN
China
Prior art keywords
software
target
abnormal
virtual machine
behavior
Legal status
Pending
Application number
CN202111161950.9A
Other languages
Chinese (zh)
Inventor
李丹
董志强
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application discloses a software defense method and related equipment, and related embodiments can be applied to various scenes such as cloud technology, cloud security, artificial intelligence, intelligent traffic and the like. The defense method relates to network attack protection in the field of cloud security, and can execute data processing of target software by creating a target virtual machine of a host machine on target equipment and acquire behavior data of the target virtual machine in the data processing process through the host machine; performing exception identification on the behavior data according to an exception software monitoring strategy; and triggering a host machine to execute target defense response behaviors aiming at the target software based on the abnormal recognition result. The embodiment of the application can monitor the virtual machine from the host machine layer, when the abnormal software triggers the abnormal software monitoring strategy in the virtual machine, the defense response is carried out through the host machine layer, the bait file does not need to be set in advance, the attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.

Description

Software defense method and related equipment
Technical Field
The application relates to the technical field of computers, in particular to a software defense method and related equipment.
Background
With the rapid development of internet technology, network attack methods are becoming more diverse, and events that threaten network security, such as malware attacks, occur from time to time. Ransomware is malware that uses destructive behaviors such as encrypting user files or deleting the original files so that the user's data assets or computing resources can no longer be used normally, and then extorts money from the user under that condition. To keep the network environment secure and avoid possible data loss or economic loss, it is necessary to protect against such malware.
In the related art, a decoy file matching the file types that ransomware encrypts is generally constructed and inserted into the original file sequence of the disk to be protected; early warning of ransomware and protection of the other files on the disk are achieved by monitoring whether the decoy file changes. However, the decoy file must be set in the operating system in advance, and when the ransomware changes its scanning order the decoy file is invalidated, that is, the decoy file is not reached until a number of other files have already been encrypted, so the protection fails.
Disclosure of Invention
The embodiment of the application provides a software defense method and related equipment, wherein the related equipment can comprise a software defense device, electronic equipment, a computer readable storage medium and a computer program product, can effectively prevent the attack of abnormal software, and improves the safety of computer network application.
The embodiment of the application provides a software defense method, which comprises the following steps:
creating a target virtual machine of a host machine on target equipment, and executing data processing of target software by adopting the target virtual machine;
acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine;
according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result;
based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software.
Correspondingly, the embodiment of the application provides a software defense device, which comprises:
a creating unit, configured to create a target virtual machine of a host machine on target equipment and to execute data processing of target software by adopting the target virtual machine;
an obtaining unit, configured to obtain, by the host, behavior data of the target virtual machine in the data processing process, where the behavior data represents internal state information of the target virtual machine;
the identification unit is used for carrying out exception identification on the behavior data according to an exception software monitoring strategy to obtain an exception identification result;
and the defense unit is used for triggering the host machine to execute target defense response behaviors aiming at the target software based on the abnormal recognition result.
Optionally, in some embodiments of the present application, the obtaining unit may include a manager identifying subunit, a sending subunit, and a behavior obtaining subunit, as follows:
the manager identification subunit is configured to identify a virtual machine manager in the host machine, which manages the target virtual machine;
the sending subunit is configured to send a monitoring instruction to the target virtual machine through the virtual machine manager;
and the behavior acquisition subunit is used for acquiring behavior data of the target virtual machine in the data processing process according to the monitoring instruction.
Optionally, in some embodiments of the present application, the identifying unit may include a policy obtaining subunit, an identifying subunit, and an obtaining subunit, as follows:
the strategy acquisition subunit is configured to acquire a monitoring strategy set corresponding to the abnormal software, where the monitoring strategy set includes at least one abnormal software monitoring strategy;
the identification subunit is used for identifying whether the behavior data hits any abnormal software monitoring strategy in the monitoring strategy set;
and the obtaining subunit is used for obtaining the abnormal recognition result aiming at the target software according to the strategy hit result.
Optionally, in some embodiments of the application, the obtaining subunit may be specifically configured to obtain a combined abnormal software monitoring policy when a policy hit result is that the behavior data does not hit any abnormal software monitoring policy in the monitoring policy set; identifying whether the behavior data hits the combined abnormal software monitoring strategy; and acquiring an abnormal recognition result aiming at the target software according to the combined strategy hit result.
Optionally, in some embodiments of the present application, the step "obtaining a combined abnormal software monitoring policy" may include:
determining a monitoring time period of abnormal software;
and acquiring a combined abnormal software monitoring strategy according to the monitoring time period and target behavior information, wherein the target behavior information is the behavior information of the abnormal software for reading and writing data.
Optionally, in some embodiments of the present application, the behavior data includes current behavior data and historical behavior data;
the step of identifying whether the behavior data hits in the combined abnormal software monitoring policy may include:
performing statistical analysis on the current behavior data and the historical behavior data to obtain a behavior analysis result;
and identifying whether the behavior analysis result hits the combined abnormal software monitoring strategy.
Optionally, in some embodiments of the present application, the policy obtaining subunit may be further configured to analyze at least one abnormal behavior corresponding to the abnormal software, so as to obtain an abnormal analysis result; constructing and processing an abnormal software monitoring strategy according to the abnormal analysis result; and updating the monitoring strategy set according to the constructed abnormal software monitoring strategy.
Optionally, in some embodiments of the present application, the behavior data includes a parent process corresponding to a child process in the target software; the identification subunit may be specifically configured to identify a parent process corresponding to a child process of the target software; and judging whether the identified parent process is a preset system process.
Optionally, in some embodiments of the present application, the defending unit may include a setting identifying subunit and a first executing subunit, as follows:
the setting identification subunit is configured to identify defense response behavior setting for the abnormal software monitoring policy when the abnormal identification result indicates that the behavior data hits the abnormal software monitoring policy;
the first execution subunit is configured to trigger the host to execute the target defense response behavior when it is recognized that the abnormal software monitoring policy sets a corresponding target defense response behavior for the target software.
Optionally, in some embodiments of the present application, the defense unit may include an important index identification subunit, a defense level determination subunit, and a second execution subunit, as follows:
the important index identification subunit is used for identifying important indexes of the data in the target virtual machine;
the defense level determining subunit is used for determining a target defense response level matched with the important index from preset defense response levels;
and the second execution subunit is used for triggering the host machine to execute the target defense response behavior under the target defense response level aiming at the target software based on the abnormal recognition result.
The electronic device provided by the embodiment of the application comprises a processor and a memory, wherein the memory stores a plurality of instructions, and the processor loads the instructions to execute the steps in the software defense method provided by the embodiment of the application.
The embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the software defense method provided by the embodiment of the present application.
In addition, a computer program product is provided in the embodiments of the present application, and includes a computer program or instructions, where the computer program or instructions, when executed by a processor, implement the steps in the software defense method provided in the embodiments of the present application.
The embodiment of the application provides a software defense method and related equipment, which can be used for creating a target virtual machine of a host machine on target equipment and executing data processing of target software by adopting the target virtual machine; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; and triggering the host machine to execute target defense response behaviors aiming at the target software based on the abnormal recognition result. According to the embodiment of the application, the virtual machine can be monitored from the host machine layer, when abnormal software triggers an abnormal software monitoring strategy in the virtual machine, defense response is carried out through the host machine layer, bait files do not need to be set in advance, the condition of scanning rule change behaviors of the abnormal software can be responded, attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1a is a schematic view of a scenario of a software defense method provided in an embodiment of the present application;
FIG. 1b is a flowchart of a software defense method provided by an embodiment of the present application;
FIG. 1c is an illustration of a software defense method provided by an embodiment of the present application;
FIG. 1d is another flowchart of a software defense method provided by an embodiment of the present application;
FIG. 1e is a system architecture diagram of a software defense method provided by an embodiment of the present application;
FIG. 1f is another flow chart of a software defense method provided by an embodiment of the present application;
FIG. 2 is another flow chart of a software defense method provided by an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a software defense device provided in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a software defense method and related equipment, and the related equipment can comprise a software defense device, electronic equipment, a computer readable storage medium and a computer program product. The software defense apparatus may be specifically integrated in an electronic device, and the electronic device may be a terminal or a server or other devices.
It can be understood that the software defense method of the embodiment may be executed on the terminal, may also be executed on the server, and may also be executed by both the terminal and the server. The above examples should not be construed as limiting the present application.
As shown in fig. 1a, a method for executing software defense by a terminal and a server together is taken as an example. The software defense system provided by the embodiment of the application comprises a terminal 10, a server 11 and the like; the terminal 10 and the server 11 are connected via a network, for example, a wired or wireless network connection, etc., wherein the software defense device may be integrated in the server.
The server 11 may be configured to: creating a target virtual machine of a host machine on target equipment, and executing data processing of target software by adopting the target virtual machine; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software. The server 11 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services. The application discloses a software defense method or device, wherein a plurality of servers can be combined into a block chain, and the servers are nodes on the block chain.
The terminal 10 may be configured to receive information sent by the server 11, such as the abnormal software monitoring policies triggered by the behavior data of the target software, the defense response behaviors executed against the target software, and the collected number of malware attacks, and to gather this information on a software defense process display platform, so that the overall picture of malware attacks and defense responses is presented. The terminal 10 may include, but is not limited to, a smart phone, a smart television, a tablet computer, a notebook computer, a desktop computer, a smart voice interaction device, a smart home appliance, a smart watch, and a vehicle-mounted terminal. A client, which may be an application client or a browser client or the like, may also be provided on the terminal 10.
The software defense procedure performed by the server 11 may be executed by the terminal 10.
The software defense method provided by the embodiment of the application relates to the cloud security direction in the technical field of cloud.
The Cloud technology (Cloud technology) is a hosting technology for unifying series resources such as hardware, software, network and the like in a wide area network or a local area network to realize calculation, storage, processing and sharing of data. The cloud technology is a general term of network technology, information technology, integration technology, management platform technology, application technology and the like applied based on a cloud computing business model, can form a resource pool, is used as required, and is flexible and convenient. Cloud computing technology will become an important support. Background services of the technical network system require a large amount of computing and storage resources, such as video websites, picture-like websites and more web portals. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data in different levels are processed separately, and various industrial data need strong system background support and can only be realized through cloud computing.
The Cloud Security (Cloud Security) refers to a generic name of Security software, hardware, users, organizations and Security Cloud platforms applied based on Cloud computing business models. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client. The main research directions of cloud security include: 1. the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the security storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. the cloud computing of the security infrastructure mainly researches how to newly build and integrate security infrastructure resources by adopting cloud computing and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform by using a cloud computing technology, realizing acquisition and correlation analysis of mass information and improving the handling control capability and risk control capability of the security event of the whole network; 3. the cloud security service mainly researches various security services such as anti-virus services and the like provided for users based on a cloud computing platform.
The following are detailed descriptions. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
The embodiment will be described from the perspective of a software defense apparatus, which may be specifically integrated in an electronic device, and the electronic device may be a server or a terminal, and the like.
As shown in fig. 1b, the specific flow of the software defense method may be as follows:
101. Create a target virtual machine of the host machine on the target equipment, and execute data processing of the target software by adopting the target virtual machine.
Wherein the target device may be a computer device or the like. The host machine is the physical machine on which a virtual machine is installed; the term is used relative to the guest machine (the virtual machine). One or more virtual machines may be included on the target device. A virtual machine (VM) runs in a virtualization environment that the host machine builds through a virtualization tool. For example, the virtualization tool may be KVM: the host machine constructs a virtualization environment with the KVM virtualization architecture, which implements memory virtualization and CPU (central processing unit) virtualization for the virtual machine. KVM stands for Kernel-based Virtual Machine and is an open-source system virtualization module.
A virtual machine is a complete computer system with complete hardware system functionality, emulated by software, running in a completely isolated environment of the physical machine. An operating system and an application program can be installed on the virtual machine, and the virtual machine can also access network resources. For applications running in a virtual machine, the virtual machine operates as if it were a real computer.
In this embodiment, the target virtual machine may be a virtual machine on which malware behavior detection and prevention needs to be performed. The target software is software running on the target virtual machine.
The malware may be ransomware, a widespread type of trojan horse that makes the user's data assets or computing resources unusable by harassing or scaring the user, or even by holding user files hostage, and then extorts money from the user under that condition. Such user data assets include documents, mail, databases, source code, pictures, compressed files, and the like. The ransom may be demanded in real currency, bitcoin, or other virtual currency.
Furthermore, it should be noted that the host will provide the virtual machine with available physical resources, e.g., calls to various hardware. Therefore, the machine instructions of the memory operations generated by the virtual machine are executed on the physical memory of the host, that is, the memory accesses performed by the virtual machine are implemented with respect to the physical memory of the host.
For a machine instruction of a memory operation generated by a virtual machine, the machine instruction is captured by a virtualization tool corresponding to the virtualization environment where the machine instruction is located, and the machine instruction can be completed by running the machine instruction through the virtualization tool or by converting a physical address according to a virtual address accessed by the memory operation indicated by the machine instruction.
102. Acquire, through the host machine, behavior data of the target virtual machine in the data processing process, wherein the behavior data represents the internal state information of the target virtual machine.
Specifically, in some embodiments, the host may implement monitoring on the target virtual machine based on the preset underlying code through a virtualization technology, and the target virtual machine does not sense the monitoring and does not need to send a monitoring instruction through the virtual machine manager. The virtual machine manager may be used to view resource allocations, such as memory allocations, for the virtual machine.
Optionally, in some embodiments, the step of obtaining, by the host, behavior data of the target virtual machine in the data processing process includes:
identifying a virtual machine manager in the host machine that manages the target virtual machine;
sending a monitoring instruction to the target virtual machine through the virtual machine manager;
and acquiring behavior data of the target virtual machine in the data processing process according to the monitoring instruction.
Among them, a virtual machine manager (VMM) may provide services for setting up and managing virtual machines. When the target virtual machine receives the monitoring instruction sent by the virtual machine manager, the target virtual machine can send behavior data of the target virtual machine in the data processing process of the target software to the virtual machine manager.
The behavior data may specifically include data generated in the process of executing the target software by the target virtual machine, such as the number of read files, the time for accessing the files, and the like. By analyzing the behavior data, the internal state information of the target virtual machine can be obtained, for example, if the behavior data indicates that the number of files read by the target software in a short time is high, it indicates that the target software has a high probability of having an abnormality, and the target virtual machine may have a risk of being attacked by malicious software.
In this embodiment, effective prevention of malware can be realized through virtual machine introspection technology. Virtual Machine Introspection (VMI) relies on the virtual machine manager on the host machine to obtain information from inside the virtual machine. It is a method for monitoring and obtaining the internal state information of a virtual machine; this internal state information can include memory usage, disk space usage, operating system log file data, and the like. Specifically, the internal binary data of a virtual machine running on the host machine is obtained through the hypervisor, and the semantic gap between that binary data and the system-level information of the virtual machine is bridged using prior knowledge of the operating system, so that the internal state of the virtual machine is obtained. In short, the method uses known operating system information to learn the internal state of the virtual machine without the virtual machine being aware of it and without installing any additional application or driver inside the virtual machine's operating system.
Among them, a hypervisor, also called a virtual machine monitor, is an intermediate software layer running between the physical server and the operating systems that allows multiple operating systems and applications to share one set of underlying physical hardware. The hypervisor can be regarded as the meta operating system of a virtual environment, used to coordinate access to all physical devices and virtual machines on a server; the hypervisor layer may be responsible for managing the target virtual machine.
As shown in fig. 1c, which is an illustration corresponding to the virtual machine introspection technology, the host may construct a virtualization environment through virtualization technology so that virtual machines run in that environment, and the virtualization environment may run one or more virtual machines. The operating systems of the virtual machines may be the same or different, which is not limited in this embodiment; the operating systems can include Windows and Linux platforms, and the like. The Linux platforms may specifically include CentOS, Ubuntu, and the like. In addition, the host machine can obtain the internal state information of each virtual machine through the virtual machine introspection technology so as to monitor the virtual machines.
There are many virtualization technologies, which are not limited in this embodiment. For example, the virtualization technology may be Xen, KVM, and the like. Xen is an open-source virtual machine monitor that can achieve high-performance virtualization without special hardware support. KVM is commonly used together with QEMU, an open-source machine emulator.
In a specific embodiment, four monitored virtual machines are operated on a virtualization environment constructed by a host machine, and are respectively marked as vm1, vm2, vm3 and vm4, an operating system of the virtual machine vm1 may be Windows, an operating system of the virtual machine vm2 may be WinServer, an operating system of the virtual machine vm3 may be CentOS, and an operating system of the virtual machine vm4 may be Ubuntu.
CentOS (Community Enterprise Operating System) is an open-source operating system that can be freely redistributed. Ubuntu is a modern open-source Linux operating system suitable for enterprise servers, desktop computers, the cloud and the Internet of Things (IoT).
Ransomware incidents are among the most frequent security events at present. The techniques ransomware relies on are relatively simple; it is easy to distribute, copy and propagate, and it readily causes data loss and data damage. In most cases the lost or damaged data cannot be recovered, so defending against ransomware attacks and handling recovery is of great significance. More and more enterprises now manage office assets centrally through private clouds or remote desktops, and given the advantages of the virtual machine introspection technology, ransomware attack defense and recovery can be carried out with it. The virtual machine malware behavior detection method described here is applicable to various operating platforms, such as Linux and Windows; accordingly the target virtual machine may be a Linux platform, a Windows platform or the like. When the target virtual machine is a Linux platform, its operating system may be Ubuntu, CentOS, Fedora, Debian or the like, which is not limited in this embodiment. Fedora is a fast, stable and powerful operating system for everyday use; Debian is a Linux operating system.
103. Performing abnormality identification on the behavior data according to an abnormal software monitoring policy to obtain an abnormality identification result.
After ransomware infects a system it usually exhibits some relatively fixed abnormal behaviors, such as calling a system encryption function many times within a short time, or reading and writing a large amount of file data within a short time. By anticipating these behaviors, policies can be set in advance so that the next response is taken when the target virtual machine triggers the abnormal behavior. In this embodiment, abnormality identification can be performed on the behavior data of the target virtual machine through preset abnormal software monitoring policies in order to determine whether the target virtual machine is under attack by malicious software.
Optionally, in this embodiment, the step "performing exception identification on the behavior data according to an exception software monitoring policy to obtain an exception identification result" may include:
acquiring a monitoring policy set corresponding to abnormal software, wherein the monitoring policy set comprises at least one abnormal software monitoring policy;
identifying whether the behavior data hits any abnormal software monitoring policy in the monitoring policy set; and
acquiring an abnormality identification result for the target software according to the policy hit result.
The abnormal software monitoring policy may be obtained by analyzing the abnormal behavior of malicious software and may be set from various aspects, such as encryption function calls, multiple subprocesses, and reading and writing many files in a short time.
If the behavior data hits any abnormal software monitoring policy in the monitoring policy set, it can be judged that the target software in the target virtual machine is abnormal. If the behavior data does not hit any policy in the set, either further abnormality identification may be performed on the behavior data, or it may be determined that the target software running in the target virtual machine has no abnormality; which of the two applies can be set according to the actual situation, for example according to the security level of the data stored in the target virtual machine, and is not limited in this embodiment.
Optionally, in this embodiment, the software defense method may further include:
analyzing at least one abnormal behavior corresponding to the abnormal software to obtain an abnormality analysis result;
constructing an abnormal software monitoring policy according to the abnormality analysis result; and
updating the monitoring policy set with the constructed abnormal software monitoring policy.
The abnormal software may be malware such as ransomware. The abnormal behavior of the abnormal software is analyzed: for example, ransomware is often unpacked and dropped while an apparently normal program is executing, which yields the abnormality analysis result that ransomware runs as a child process; for this result, the abnormal software monitoring policy can be set to "the parent process of a child process in the target software is a non-system process".
For another example, ransomware usually encrypts user files during an attack, which yields the abnormality analysis result that ransomware calls the encryption function many times within a short time; for this result, the abnormal software monitoring policy can be set to "the number of encryption function calls within a preset time exceeds a preset number", where the preset time and the preset number can be set according to the actual situation.
It should be noted that the abnormal software monitoring policy used in this embodiment includes, but is not limited to, the above enumeration, and when a new abnormal software behavior exists subsequently, a new abnormal software monitoring policy may be constructed according to the new abnormal software behavior, and the newly constructed abnormal software monitoring policy is added to the monitoring policy set, that is, the monitoring policy set is updated.
Optionally, in this embodiment, the behavior data includes a parent process corresponding to a child process in the target software;
the step of identifying whether the behavior data hits any abnormal software monitoring policy in the monitoring policy set may include:
identifying the parent process corresponding to a child process in the target software; and
judging whether the identified parent process is a preset system process.
Identifying the parent process of a child process of the target software specifically means identifying whether that parent process is a preset system process. If it is not, it can be judged that the target software in the target virtual machine is abnormal and may be under attack by malicious software. If the parent process is a preset system process, the target software is considered to have no abnormality, and further abnormality identification may be performed on the behavior data. The preset system process may specifically be the program or operation through which the target software performs its data processing under normal conditions.
Analysis of ransomware shows that some ransomware runs as a separately executed program, while other ransomware does not run as a direct executable but is hidden inside normal software as part of it. After the normal software is executed, the ransomware is unpacked and dropped during the process; the ransomware process then runs as a child process, i.e., its parent process is the earlier normal software process. Therefore the trigger policy for ransomware can be set as: the parent process that created the new process is a non-system process.
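The following is an added worked example of the real-time part of step 103 (the monitoring policy set, the two policies just described, and updating the set with a newly constructed policy); it is illustrative code written for this page, not the patent's own implementation. The event format, the allowlist of "preset system processes", the function name EncryptFile, the preset number (3) and preset time (5 s) are all assumptions, and the event streams are constructed, not captured from any real machine.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional

# Constructed behavior records in the shape a VMI collector on the host might
# emit for one target virtual machine: an event kind, a timestamp in seconds
# and a small detail dictionary. This format is an assumption of this example.
@dataclass
class BehaviorEvent:
    kind: str              # "process_create" | "func_call" | "file_rw"
    ts: float
    data: Dict[str, str]

# Assumed allowlist of "preset system processes" (hypothetical names).
SYSTEM_PROCESSES = {"explorer.exe", "services.exe", "svchost.exe", "systemd", "sshd"}

@dataclass
class Policy:
    name: str
    check: Callable[[BehaviorEvent], bool]   # True when the event hits the policy

def parent_not_system_process(event: BehaviorEvent) -> bool:
    """Policy 1: a new child process whose parent is not a preset system process."""
    return event.kind == "process_create" and event.data["parent"] not in SYSTEM_PROCESSES

class EncryptCallRate:
    """Policy 2: the encryption function is called more than `limit` times
    within `window` seconds (the page's preset number / preset time)."""
    def __init__(self, func_name: str, limit: int, window: float) -> None:
        self.func_name, self.limit, self.window = func_name, limit, window
        self._calls: Deque[float] = deque()      # timestamps of recent calls

    def __call__(self, event: BehaviorEvent) -> bool:
        if event.kind != "func_call" or event.data["func"] != self.func_name:
            return False
        self._calls.append(event.ts)
        while self._calls and event.ts - self._calls[0] > self.window:
            self._calls.popleft()                # drop calls outside the window
        return len(self._calls) > self.limit

def build_policy_set() -> List[Policy]:
    """The monitoring policy set; build a fresh one per virtual machine,
    because EncryptCallRate keeps per-VM state."""
    return [
        Policy("parent_process_not_system", parent_not_system_process),
        Policy("encrypt_call_rate", EncryptCallRate("EncryptFile", limit=3, window=5.0)),
    ]

def add_policy(policies: List[Policy], name: str,
               check: Callable[[BehaviorEvent], bool]) -> List[Policy]:
    """Update the monitoring policy set with a newly constructed policy."""
    policies.append(Policy(name, check))
    return policies

def identify(events: List[BehaviorEvent], policies: List[Policy]) -> Optional[str]:
    """Real-time identification: evaluate each event as it arrives and return
    the name of the first policy hit, or None if nothing in the set matched."""
    for ev in events:
        for policy in policies:
            if policy.check(ev):
                return policy.name
    return None

# Constructed event streams (not captured from any real system).
NORMAL_EVENTS = [
    BehaviorEvent("process_create", 0.0, {"parent": "explorer.exe", "child": "word.exe"}),
    BehaviorEvent("func_call", 1.0, {"func": "EncryptFile", "proc": "word.exe"}),
]
DROPPER_EVENTS = [
    BehaviorEvent("process_create", 0.0, {"parent": "explorer.exe", "child": "setup.exe"}),
    # payload unpacked and started by the ordinary program, not by a system process
    BehaviorEvent("process_create", 2.0, {"parent": "setup.exe", "child": "payload.exe"}),
]
BURST_EVENTS = [BehaviorEvent("process_create", 0.0, {"parent": "services.exe", "child": "svc.exe"})] + [
    BehaviorEvent("func_call", 10.0 + 0.5 * i, {"func": "EncryptFile", "proc": "svc.exe"})
    for i in range(4)   # four calls within two seconds: exceeds limit=3 in window=5.0
]

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL_EVENTS), ("dropper", DROPPER_EVENTS), ("burst", BURST_EVENTS)]:
        print(name, "->", identify(stream, build_policy_set()))
```

A single call to EncryptFile from a process started by a system process hits nothing, which is what keeps a user's own file encryption from being flagged; the rate policy only fires once the sliding window holds more calls than the preset number.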
Optionally, in this embodiment, the step "obtaining an exception identification result for the target software according to a policy hit result" may include:
when the policy hit result is that the behavior data does not hit any abnormal software monitoring policy in the monitoring policy set, acquiring a combined abnormal software monitoring policy;
identifying whether the behavior data hits the combined abnormal software monitoring policy; and
acquiring an abnormality identification result for the target software according to the combined policy hit result.
When the behavior data does not hit any abnormal software monitoring policy in the monitoring policy set, further abnormality identification can be performed on the behavior data, specifically, a combined abnormal software monitoring policy can be obtained, and whether abnormality exists in target software in the target virtual machine is further determined by judging whether the behavior data hits the combined abnormal software monitoring policy. If the behavior data hit the combined abnormal software monitoring strategy, the target software can be considered to be abnormal, and the target virtual machine may have the risk of being attacked by malicious software. If the behavior data does not hit the combined abnormal software monitoring strategy, the target software can be considered to have no abnormality.
The combination abnormal software monitoring policy may be specifically formulated according to an abnormal behavior of a certain monitoring duration, which is not limited in this embodiment. For example, the combination exception software monitoring policy may be file read and write of a plurality of (for example, 10 specified) document types in a short time (for example, 30 s).
Optionally, in this embodiment, the step "obtaining a combined abnormal software monitoring policy" may include:
determining a monitoring time period of abnormal software;
and acquiring a combined abnormal software monitoring strategy according to the monitoring time period and target behavior information, wherein the target behavior information is the behavior information of the abnormal software for reading and writing data.
The abnormal software monitoring policy of the above embodiment performs abnormality detection of the target software in real time on the basis of the behavior data, whereas the combined abnormal software monitoring policy, compared with it, detects abnormal behavior of the target software in a non-real-time way with a certain delay; that is, the combined abnormal software monitoring policy needs behavior data collected over a period of time, i.e., it combines historical behavior data with the current behavior data to determine whether the target software is abnormal.
The monitoring time period of the abnormal software is specifically the time length of behavior data required to be acquired for analyzing abnormal behaviors, and can be set according to actual conditions, and the combined abnormal software monitoring strategy can be correspondingly set according to the required monitoring time length. The target behavior information may include behavior information such as the number and frequency of abnormal software reading files.
For example, the monitoring time period may be set to 30 seconds, the target behavior information is the number of read and write of the file, and the combined abnormal software monitoring policy may be set such that the number of read and write of the file exceeds 10 in 30 seconds.
In some embodiments, based on analysis of ransomware, the encryption action of ransomware usually runs automatically within a very short time. When ransomware attacks a system it first obtains the list of files to be encrypted, which may be files of certain fixed types, files in non-system folders, or the like; after obtaining the list, it must read and write the files frequently in order to encrypt them. Considering encryption speed and file size, a normal user's operations or normal software generally operate on only one file at a time, so if the number or frequency of file reads and writes in a short time is too high, this can be determined to be abnormal ransomware behavior, and a combined abnormal software monitoring policy can be formulated for it.
Optionally, in this embodiment, the behavior data includes current behavior data and historical behavior data;
the step of identifying whether the behavior data hits the combined abnormal software monitoring policy may include:
performing statistical analysis on the current behavior data and the historical behavior data to obtain a behavior analysis result;
and identifying whether the behavior analysis result hits the combined abnormal software monitoring strategy.
The abnormal behavior detection can be performed on the target software by combining the current behavior data and the historical behavior data. For example, the current behavior data and the historical behavior data represent file information (e.g., the number of files) read by the target software at each time point, statistical analysis may be performed by combining the current behavior data and the historical behavior data to determine the number of files read by the target software within a preset time, and if a behavior analysis result obtained by the statistical analysis is: the number of files read by the target software in 20 seconds exceeds 10, and the combined abnormal software monitoring strategy is as follows: if the number of the read-write files exceeds 10 in 30 seconds, the behavior analysis result hits a combined abnormal software monitoring strategy, and it can be judged that the target software is abnormal and the target virtual machine may have a risk of being attacked by malicious software.
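The following is an added worked example of the combined abnormal software monitoring policy described above (monitoring time period 30 s, more than 10 files read or written, statistical analysis over historical plus current behavior data); it is illustrative code written for this page, not the patent's implementation. The behavior database is a small in-memory stand-in for the Redis/Splunk/ES options the page mentions, the access-record format is an assumption, and the three scenarios are constructed. One design choice is made explicit: the policy counts distinct files touched in the window, so an editor auto-saving one file many times does not hit it.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class FileAccess:
    ts: float      # seconds
    proc: str      # target software process
    path: str
    op: str        # "read" or "write"

class BehaviorDB:
    """Stand-in for the preset behavior database (the page lists Redis,
    Splunk and ES as options); keeps each process's accesses in arrival order."""
    def __init__(self) -> None:
        self._by_proc: Dict[str, List[FileAccess]] = defaultdict(list)

    def store(self, access: FileAccess) -> None:
        self._by_proc[access.proc].append(access)

    def history(self, proc: str, since: float, until: float) -> List[FileAccess]:
        """Accesses of `proc` with since < ts <= until (historical + current)."""
        return [a for a in self._by_proc.get(proc, []) if since < a.ts <= until]

@dataclass
class CombinedPolicy:
    window_s: float = 30.0   # monitoring time period
    max_files: int = 10      # hit when more than this many distinct files are touched

    def analyse(self, db: BehaviorDB, proc: str, now: float) -> Dict[str, float]:
        """Statistical analysis over current and historical behavior data."""
        accesses = db.history(proc, now - self.window_s, now)
        return {"files": len({a.path for a in accesses}),
                "ops": len(accesses), "window_s": self.window_s}

    def hit(self, analysis: Dict[str, float]) -> bool:
        return analysis["files"] > self.max_files

def check_current_event(db: BehaviorDB, policy: CombinedPolicy,
                        event: FileAccess) -> Tuple[bool, Dict[str, float]]:
    """Store the current event, then evaluate the combined policy on the
    window that ends at this event."""
    db.store(event)
    analysis = policy.analyse(db, event.proc, event.ts)
    return policy.hit(analysis), analysis

def replay(accesses: List[FileAccess],
           policy: Optional[CombinedPolicy] = None) -> Tuple[int, Dict[str, float]]:
    """Feed accesses in order; return (index of the first hit or -1, last analysis)."""
    policy = policy or CombinedPolicy()
    db, analysis = BehaviorDB(), {"files": 0, "ops": 0, "window_s": 0.0}
    for i, ev in enumerate(accesses):
        hit, analysis = check_current_event(db, policy, ev)
        if hit:
            return i, analysis
    return -1, analysis

# Constructed scenarios (not real captures).
# 11 distinct documents read within 20 s: the page's worked example.
RANSOMWARE_LIKE = [FileAccess(100.0 + 2 * i, "target.exe", f"doc{i}.docx", "read") for i in range(11)]
# A person opening a document every 5 s: never more than 6 files in any 30 s window.
SLOW_USER = [FileAccess(5.0 * i, "word.exe", f"note{i}.docx", "read") for i in range(12)]
# An editor auto-saving the same file 15 times in 10 s: many ops, one file.
SAME_FILE_LOOP = [FileAccess(0.5 * i, "editor.exe", "report.docx", "write") for i in range(15)]

if __name__ == "__main__":
    for name, s in [("ransomware-like", RANSOMWARE_LIKE), ("slow user", SLOW_USER), ("same file", SAME_FILE_LOOP)]:
        print(name, "->", replay(s))
```

The first hit in the ransomware-like stream occurs on the 11th access, i.e. only after the threshold is exceeded, which is the delay the page attributes to the combined policy in contrast to the real-time policies.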
After the host acquires the behavior data of the target virtual machine during data processing, the collected behavior data can be stored in a preset behavior database so that abnormal behavior detection of the target software can later be performed on the basis of the combined abnormal software monitoring policy. The behavior data stored in the preset behavior database is the historical behavior data. The preset behavior database may be a Redis database, a Splunk database, an ES database or the like, which is not limited in this embodiment.
Redis (Remote Dictionary Server) is a high-performance key-value database; it is an in-memory storage system and is commonly called a data structure server. Splunk is a hosted log file management tool used to collect, index and make use of the fast-moving machine data generated by applications, servers and devices. ES, i.e. Elasticsearch, is an open-source search framework that provides a distributed full-text search engine with multi-user capability and conveniently gives large volumes of data the capability of being searched, analyzed and explored.
104. Triggering the host to execute a target defense response behavior for the target software based on the abnormality identification result.
If the abnormality identification result indicates that the target software is abnormal and the target virtual machine is at risk of being attacked by malicious software, a defense response behavior for the abnormal software can be triggered. The defense response behavior can be preset, either specifically for the triggered abnormal software monitoring policy, or as a default uniform response, i.e., different abnormal software monitoring policies trigger the same defense behavior.
The target defense response behavior includes: changing the system hard disk to read-only, terminating the corresponding process, performing a memory dump for files of a specified type, shutting down the virtual machine, and the like. It is understood that the target defense response behaviors used include, but are not limited to, the above list, which can be customized to the actual situation.
Optionally, in this embodiment, the step "triggering the host to execute a target defense response behavior for the target software based on the abnormal recognition result" may include:
when the abnormal recognition result is that the behavior data hits the abnormal software monitoring strategy, performing recognition of defense response behavior setting on the abnormal software monitoring strategy;
when the abnormal software monitoring strategy is identified to set corresponding target defense response behaviors aiming at the target software, the host is triggered to execute the target defense response behaviors.
For example, the abnormal software monitoring policy "the parent process of a child process in the target software is a non-system process" may have the corresponding trigger response behavior "shut down the target virtual machine when this policy is hit". Then, when it is detected from the behavior data that the parent process of a child process in the target software is a non-system process, the host is triggered to execute the target defense response behavior of shutting down the target virtual machine.
In some embodiments, if it is recognized that the abnormal software monitoring policy does not set a corresponding defense response behavior for the target software, a preset default defense response behavior may be used as the target defense response behavior, and the host is triggered to execute the target defense response behavior. For example, the default defensive response behavior may be set to modify a hard disk to be read-only, or may be set to terminate a corresponding process, and the like, and may also be specifically set according to a specific situation of a user and an importance degree of data stored in the virtual machine, which is not limited in this embodiment.
Optionally, in this embodiment, the step "triggering the host to execute the target defense response behavior for the target software based on the abnormal recognition result" may include:
identifying important indexes of data in the target virtual machine;
determining a target defense response level matched with the important index from preset defense response levels;
based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors under the target defense response level aiming at the target software.
The higher the important index, the higher the corresponding defense response level, so that the data in the target virtual machine is better protected.
For example, the preset defense response level includes a first defense response level and a second defense response level, the first defense response level is higher than the second defense response level, the defense response behavior corresponding to the first defense response level may be set to close the virtual machine and set the memory read-write dump, and the defense response behavior corresponding to the second defense response level may be set to modify the hard disk to be read-only or terminate the corresponding process. If the important index of the data in the target virtual machine is higher, the host machine can be triggered to execute defense response behaviors under a first defense response level; and if the important index of the data in the target virtual machine is low, triggering the host machine to execute defense response behaviors under a second defense response level.
Specifically, if the data stored in the target virtual machine is relatively important, the defense response behavior can be set strictly and prepared for subsequent data recovery; for example, the virtual machine can be set to be shut down and a memory read/write dump can be enabled, so as to reduce the data loss that may be caused and to allow data recovery when data is damaged. Because memory reads and writes also occur under normal conditions, enabling the memory read/write dump may have a certain impact on system performance, so this function can be enabled only when the data in the target virtual machine is important enough.
Here dump refers to exporting data into a file or another static form; specifically, the memory contents at a certain moment are dumped (exported, saved) into a file, i.e., the data is backed up.
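The following is an added worked example of step 104 in both of the optional forms described above: a response bound to the hit policy with a default uniform response as fallback, and a response chosen from preset defense response levels according to the important index of the data in the target virtual machine. It is illustrative code written for this page, not the patent's implementation. The importance threshold (0.7 on a 0..1 index), the policy names and the host stub that merely records actions instead of acting on a real virtual machine are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Action(Enum):
    """Defense response behaviors named on the page."""
    SET_DISK_READONLY = "set_disk_readonly"
    TERMINATE_PROCESS = "terminate_process"
    MEMORY_DUMP = "memory_dump"
    SHUTDOWN_VM = "shutdown_vm"

# Variant 1 (policy-bound responses plus a default): the page's example binds
# shutting the VM down to the parent-process policy, with a read-only disk as
# the default uniform response for any policy without its own binding.
@dataclass
class ResponsePlan:
    per_policy: Dict[str, List[Action]] = field(default_factory=dict)
    default: List[Action] = field(default_factory=list)

PLAN = ResponsePlan(
    per_policy={"parent_process_not_system": [Action.SHUTDOWN_VM]},
    default=[Action.SET_DISK_READONLY],
)

# Variant 2 (preset defense response levels): level 1 is the stricter one and
# includes the memory dump, which the page enables only for important data.
LEVELS: Dict[int, List[Action]] = {
    1: [Action.SHUTDOWN_VM, Action.MEMORY_DUMP],
    2: [Action.SET_DISK_READONLY, Action.TERMINATE_PROCESS],
}
IMPORTANCE_THRESHOLD = 0.7   # assumed cut-off on a 0..1 important index

class HostStub:
    """Stands in for the hypervisor-side executor: records the actions it is
    asked to run per VM instead of touching any real virtual machine."""
    def __init__(self) -> None:
        self.executed: List[Tuple[str, str]] = []

    def execute(self, vm: str, action: Action) -> None:
        self.executed.append((vm, action.value))

def select_by_policy(hit_policy: str, plan: ResponsePlan) -> Tuple[List[Action], str]:
    """Use the response bound to the hit policy if one is set, else the default."""
    if hit_policy in plan.per_policy:
        return plan.per_policy[hit_policy], "policy-specific"
    return plan.default, "default"

def level_for(importance: float) -> int:
    """Match the important index to a preset defense response level."""
    return 1 if importance >= IMPORTANCE_THRESHOLD else 2

def respond_by_policy(host: HostStub, vm: str, hit_policy: Optional[str],
                      plan: ResponsePlan) -> List[str]:
    """Variant 1. Returns the action names executed (empty when nothing was hit)."""
    if hit_policy is None:
        return []
    actions, _source = select_by_policy(hit_policy, plan)
    for a in actions:
        host.execute(vm, a)
    return [a.value for a in actions]

def respond_by_level(host: HostStub, vm: str, hit_policy: Optional[str],
                     importance: float) -> List[str]:
    """Variant 2. The level matched to the VM's important index decides the actions."""
    if hit_policy is None:
        return []
    actions = LEVELS[level_for(importance)]
    for a in actions:
        host.execute(vm, a)
    return [a.value for a in actions]

if __name__ == "__main__":
    host = HostStub()
    print(respond_by_policy(host, "vm1", "parent_process_not_system", PLAN))
    print(respond_by_policy(host, "vm2", "encrypt_call_rate", PLAN))
    print(respond_by_level(host, "vm3", "encrypt_call_rate", importance=0.9))
    print(respond_by_level(host, "vm4", "encrypt_call_rate", importance=0.2))
    print(host.executed)
```

Both variants return nothing and touch no VM when no policy was hit; in a real deployment the host stub would be replaced by calls into the hypervisor's management interface, which is outside what this page describes.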
The software defense method can be used for application scenes of current private clouds, remote desktops in enterprises and the like, can monitor the virtual machines from a host level based on the virtual machine introspection technology, can perform behavior interception from the host level when behavior data corresponding to target software in the target virtual machines trigger abnormal software monitoring strategies, and can also pre-configure data recovery related strategies according to the requirements of users to avoid possible data loss or economic loss.
The method and apparatus do not require any manual setup inside the virtual machine system in advance, such as placing a designated file that might be encrypted as bait; at the same time, they can also use a preset defense response action to recover files when the worst case occurs (i.e., the abnormal action is discovered only after several files have already been encrypted). Moreover, the user at the virtual machine level perceives nothing, and normal use of the system is not affected. In addition, by combining multiple abnormal software monitoring policies, malware-related attacks can be discovered quickly, and new abnormal software monitoring policies can be set promptly for new types of malware, so that the response scheme against malware is kept up to date.
In a specific embodiment, as shown in fig. 1d, a process of software defense based on virtual machine introspection technology includes the following specific steps:
a) Behavior data of the target virtual machine during the data processing of executing the target software is collected using the virtual machine introspection technology; the behavior data includes, but is not limited to, behaviors such as new process creation, file reading and writing, memory reading and writing and specified function calls, where the specified function may be the encryption function EncryptFile or the like (EncryptFile is a function for encrypting and decrypting files provided at the kernel level); the behavior data may include data generated while the target virtual machine executes the target software, and the internal state information of the target virtual machine can be obtained by analyzing the behavior data;
b) After behavior data are collected, the behavior data can be stored in a preset behavior database, and on one hand, the behavior data are used for displaying the overall situation of subsequent attack, defense and response to malicious software; on the other hand, the method can also be used in the subsequent process of further carrying out exception identification according to the combined exception software monitoring strategy;
c) While behavior data is being collected, abnormality identification can be performed on the behavior data directly according to the abnormal software monitoring policies (data collection through the virtual machine introspection technology works by setting breakpoints on preset functions in advance, so whether an abnormal software monitoring policy is triggered can be judged at the same time the data is collected), and step d is performed;
d) Detecting whether any abnormal software monitoring policy in the monitoring policy set is triggered (for example, the parent process of a subprocess in the target software is a non-system process); if so, judging that the target software in the target virtual machine is abnormal and going to step f; otherwise, further abnormality identification can be performed on the behavior data and step e is performed. The abnormal software monitoring policy can be obtained by analyzing the abnormal behavior of malicious software and can be set from various aspects such as encryption function calls, multiple subprocesses, reading and writing many files in a short time, and the like;
e) Detecting whether a combined abnormal software monitoring policy is triggered (for example, the number of files read in a short time exceeds a preset number) by combining the current behavior data with the historical behavior data in the preset behavior database; if so, judging that the target software in the target virtual machine is abnormal and the target virtual machine may be at risk of malware attack, and going to step f. The combined abnormal software monitoring policy can be formulated according to abnormal behavior over a certain monitoring duration;
f) Detecting whether an abnormal software monitoring strategy triggered by behavior data is provided with a corresponding defense response behavior, if so, turning to the step g, and if not, turning to the step h;
g) Triggering a host machine to execute a target defense response behavior corresponding to the triggered abnormal software monitoring strategy, and turning to the step i;
h) Triggering a host machine to execute a preset default defense response behavior, and turning to i; the default defense response behavior can be set to modify a hard disk into read-only, can also be set to terminate a corresponding process and the like, and can also be specifically set according to the specific condition of a user and the importance degree of data stored in the target virtual machine;
i) Information such as abnormal software monitoring strategy triggering, defense response behavior and collected attack times of the malicious software is collected to a software defense process display platform for information display, so that the overall situation of attack and defense response of the malicious software is presented.
Specifically, as shown in fig. 1e, a system architecture diagram corresponding to the software defense method provided by the present application is shown. The system mainly comprises a data collection module, a data storage module, a strategy setting and responding module and a platform display module.
The data collection module may be configured to obtain behavior data of the virtual machine in a data processing process of executing target software through a virtual machine manager on the host machine by using a virtual machine introspection technology, where the behavior data may represent internal state information of the virtual machine. For example, if the behavior data indicates that the number of files read by the target software in a short time is high, it indicates that the target software has a high probability of having an exception, and the target virtual machine may have a risk of being attacked by the malicious software. The behavior data may include process creation, specified function call, dump memory during memory modification, and the like. After the data collection module collects the behavior data, the data collection module may send the behavior data to the data storage module to store the collected behavior data.
The data storage module can be used for uploading the behavior data sent by the data collection module to a corresponding preset behavior database for storage.
The policy setting and responding module may include a policy setting submodule and an action responding submodule.
The policy setting sub-module may be configured to analyze the abnormal behavior of ransomware and set abnormal software monitoring policies; for example, the policies may be set from various aspects such as encryption function calls, multiple sub-processes, and reading and writing many files in a short time. When a new type of ransomware appears, a new abnormal software monitoring policy can be constructed from its abnormal behavior. In addition, the policy setting sub-module can also detect whether the behavior data hits an abnormal software monitoring policy and obtain an abnormality identification result for the target software from the policy hit result.
The behavior response sub-module may be configured to trigger the host to execute a defense response behavior when the behavior data hits an abnormal software monitoring policy, so as to stop the ransomware from continuing its destructive activity of encrypting files; the defense response behavior may include interception, snapshot creation, disk attribute change, virtual machine shutdown, memory dump and the like. Specifically, the defense response behavior may be set according to the user's situation and the importance of the data stored in the virtual machine. For example, if the data stored in the target virtual machine is relatively important, the defense response behavior can be set strictly and prepared for subsequent data recovery: the virtual machine can be set to be shut down and the memory read/write dump enabled, so as to reduce the data loss that may be caused and to allow data recovery when data is damaged.
The platform display module can be used to gather the data and defense response events collected by the other three modules onto the software defense process display platform for overall display, so that a system administrator can see at a glance the intrusion, defense and disposal situation of ransomware as a whole. The content displayed by the software defense process display platform includes, but is not limited to: number of attacks, attack events, triggered monitoring policies, defense response behaviors, number of defenses, regional distribution of attacks across the whole cloud platform, and the like.
As shown in fig. 1f, a data flow process based on the system design of fig. 1e is shown, which shows possible operations of each module in the data flow process, and is described as follows:
the data collection module can utilize the virtual machine introspection technology to acquire internal state information of the virtual machine through the virtual machine manager so as to monitor the behavior of the virtual machine, wherein the acquired internal state information includes but is not limited to function call, process creation, file reading and writing and memory reading and writing;
the policy setting sub-module can analyze the abnormal behavior of ransomware in order to set abnormal software monitoring policies, which can cover aspects such as encryption function calls, multiple subprocesses, reading and writing many files in a short time, and memory dumps for files of a specified type. In addition, the policy setting sub-module can also perform abnormality identification on the behavior data collected by the data collection module according to the abnormal software monitoring policies to obtain an abnormality identification result;
the behavior response sub-module may set a corresponding defense response behavior for each abnormal software monitoring policy and, when it detects that behavior data hits a policy, execute the target defense response behavior, such as interception, shutting down the virtual machine, changing a disk attribute and the like. The behavior response sub-module may further configure data recovery related policies to repair damaged data; for example, a defense response behavior of saving a memory dump (export) or creating a virtual machine image may be set for the case where the encryption function is called many times in a short time, so that lost or damaged files can be recovered quickly afterwards.
As can be seen from the above, in this embodiment, a target virtual machine of a host may be created on a target device, and the target virtual machine is used to execute data processing of target software; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software. The embodiment of the application can monitor the virtual machine from the host machine level, when abnormal software triggers an abnormal software monitoring strategy in the virtual machine, defense response is carried out through the host machine level, bait files do not need to be set in advance, the condition of scanning rule change behaviors of the abnormal software can be responded, attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.
The method described in the previous embodiment will be described in further detail below with the software defense apparatus specifically integrated in the server.
The embodiment of the application provides a software defense method, and as shown in fig. 2, a specific flow of the software defense method may be as follows:
201. The server creates a target virtual machine of a host machine on a target device, and uses the target virtual machine to execute data processing of target software.
In this embodiment, the target virtual machine may be a virtual machine on which malicious software behavior detection and prevention needs to be performed. The target software is software running on the target virtual machine.
202. The server acquires, through the host machine, behavior data of the target virtual machine in the data processing process, where the behavior data represents the internal state information of the target virtual machine.
Optionally, in this embodiment, the step of obtaining, by the host, behavior data of the target virtual machine in the data processing process may include:
identifying a virtual machine manager in the host machine that manages the target virtual machine;
sending a monitoring instruction to the target virtual machine through the virtual machine manager;
and acquiring behavior data of the target virtual machine in the data processing process according to the monitoring instruction.
Here, a Virtual Machine Manager (VMM) may provide services for setting up and managing the creation of virtual machines and deploying them onto the resources required by the private cloud. When the target virtual machine receives the monitoring instruction sent by the virtual machine manager, the target virtual machine can send its behavior data in the data processing process of the target software to the virtual machine manager.
The behavior data may specifically include data generated in the process of executing the target software by the target virtual machine, such as the number of read files, the time for accessing the files, and the like.
203. The server obtains a monitoring strategy set corresponding to abnormal software, where the monitoring strategy set comprises at least one abnormal software monitoring strategy; identifies whether the behavior data hits any abnormal software monitoring strategy in the monitoring strategy set; if there is a hit, goes to step 204; if there is no hit, goes to step 205.
Ransomware typically exhibits some relatively fixed abnormal behavior after infecting a system, such as calling a system encryption function multiple times in a short time, reading and writing a large amount of file data in a short time, and the like; by anticipating these behaviors, a strategy can be set in advance so that the next response is performed when the target virtual machine triggers the abnormal behavior. In this embodiment, the behavior data of the target virtual machine can be subjected to abnormality identification through a preset abnormal software monitoring strategy, so as to determine whether the target virtual machine is under attack by malicious software.
The abnormal software monitoring policy may be obtained by analyzing abnormal behavior of malicious software, and may be set in various aspects such as encryption function call, multiple subprocesses, multiple file reading and writing in a short time, and the like.
Optionally, in this embodiment, the software defense method may further include:
analyzing at least one abnormal behavior corresponding to the abnormal software to obtain an abnormal analysis result;
constructing and processing an abnormal software monitoring strategy according to the abnormal analysis result;
and updating the monitoring strategy set according to the constructed abnormal software monitoring strategy.
Optionally, in this embodiment, the behavior data includes a parent process corresponding to a child process in the target software;
the step of identifying whether the behavior data hits any abnormal software monitoring policy in the monitoring policy set may include:
identifying a parent process corresponding to a child process in the target software;
and judging whether the identified parent process is a preset system process.
204. The server obtains the anomaly identification result for the target software and proceeds to step 206.
205. The server acquires a combined abnormal software monitoring strategy; identifying whether the behavior data hits the combined abnormal software monitoring strategy; and according to the combined strategy hit result, acquiring an abnormal recognition result aiming at the target software, and entering the step 206.
When the behavior data does not hit any abnormal software monitoring policy in the monitoring policy set, further abnormality identification may be performed on the behavior data, specifically, a combined abnormal software monitoring policy may be obtained, and whether abnormality exists in the target software in the target virtual machine may be further determined by judging whether the behavior data hits the combined abnormal software monitoring policy. If the behavior data hits the combined abnormal software monitoring strategy, the target software is considered to be abnormal, and the target virtual machine may have a risk of being attacked by malicious software. If the behavior data does not hit the combined abnormal software monitoring strategy, the target software can be considered to have no abnormality.
The combined abnormal software monitoring strategy may be formulated according to abnormal behavior over a certain monitoring duration, which is not limited in this embodiment. For example, the combined abnormal software monitoring strategy may be the reading and writing of a plurality of files (for example, 10) of specified document types within a short time (for example, 30 s).
Optionally, in this embodiment, the step "obtaining a combined abnormal software monitoring policy" may include:
determining a monitoring time period of abnormal software;
and acquiring a combined abnormal software monitoring strategy according to the monitoring time period and target behavior information, wherein the target behavior information is the behavior information of the abnormal software for reading and writing data.
Optionally, in this embodiment, the behavior data includes current behavior data and historical behavior data;
the step of identifying whether the behavior data hits the combined abnormal software monitoring policy may include:
performing statistical analysis on the current behavior data and the historical behavior data to obtain a behavior analysis result;
and identifying whether the behavior analysis result hits the combined abnormal software monitoring strategy.
The abnormal behavior detection of the target software can combine the current behavior data and the historical behavior data. For example, if the current behavior data and the historical behavior data represent the file information (e.g., the number of files) read by the target software at each time point, statistical analysis may be performed over the current and historical behavior data together to determine the number of files read by the target software within a preset time. If the behavior analysis result obtained by the statistical analysis is that the number of files read by the target software in 20 seconds exceeds 10, and the combined abnormal software monitoring strategy is that the number of files read or written exceeds 10 within 30 seconds, then the behavior analysis result hits the combined abnormal software monitoring strategy, and it can be judged that the target software is abnormal and the target virtual machine may be at risk of attack by malicious software.
After the host machine obtains the behavior data of the target virtual machine in the data processing process, the collected behavior data can be stored in a preset behavior database, so that abnormal behavior detection of the target software can later be performed on the basis of the combined abnormal software monitoring strategy. The behavior data already stored in the preset behavior database is the historical behavior data.
206. The server triggers the host machine to execute a target defense response behavior aimed at the target software based on the abnormal recognition result.
If the abnormal recognition result indicates that the target software is abnormal and the target virtual machine is at risk of attack by malicious software, a defense response behavior aimed at the abnormal software can be triggered. The defense response behavior can be preset, either specifically for the triggered abnormal software monitoring strategy, or as a default uniform response behavior, that is, the same defense behavior is performed whichever abnormal software monitoring strategy is triggered.
Wherein the target defense response behavior comprises: changing a system hard disk into read-only, terminating a corresponding process, aiming at a file memory dump of a specified type, closing a virtual machine and the like. It is understood that the target defense response behavior used includes, but is not limited to, the above list, which can be customized to the actual situation.
Optionally, in this embodiment, the step "triggering the host to execute the target defense response behavior for the target software based on the abnormal recognition result" may include:
when the abnormal recognition result is that the behavior data hits the abnormal software monitoring strategy, recognizing defense response behavior setting of the abnormal software monitoring strategy;
and when the abnormal software monitoring strategy is identified to set a corresponding target defense response behavior aiming at the target software, triggering the host machine to execute the target defense response behavior.
In some embodiments, if it is recognized that the abnormal software monitoring policy does not set a corresponding defense response behavior for the target software, a preset default defense response behavior may be used as the target defense response behavior, and the host is triggered to execute the target defense response behavior. For example, the default defensive response behavior may be set to modify a hard disk to be read-only, or may be set to terminate a corresponding process, and the like, and may also be specifically set according to a specific situation of a user and an importance degree of data stored in the virtual machine, which is not limited in this embodiment.
Optionally, in this embodiment, the step "triggering the host to execute the target defense response behavior for the target software based on the abnormal recognition result" may include:
identifying important indexes of data in the target virtual machine;
determining a target defense response level matched with the important index from preset defense response levels;
based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors under the target defense response level aiming at the target software.
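The recognition and response flow of steps 203 to 206, as an added example that is not part of this patent: each collected event is checked against the monitoring strategy set first, the combined strategy (more than 10 file reads and writes within 30 s, counted over historical plus current behavior data) is consulted only when nothing hits, and the response is the strategy's own defense response behavior or the default one, extended by the defense response level matched to the data importance index. The event kinds, process names, response names, importance scale and the direction of the parent-process check are assumptions.

```python
"""Added example (not the patent's code): the policy set, the combined policy over
current plus historical behavior data, and the defense response selection of
steps 203-206. All events, process names, thresholds and responses are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class BehaviorEvent:
    """One item of behavior data reported by the VMM for the target VM."""
    ts: float                     # seconds since monitoring started
    kind: str                     # "file_rw", "crypto_call", "proc_create", ...
    process: str
    parent: Optional[str] = None  # parent process, set for "proc_create" events

SYSTEM_PROCESSES = frozenset({"explorer.exe", "services.exe"})  # assumed whitelist

@dataclass(frozen=True)
class MonitoringPolicy:
    name: str
    hit: Callable[[BehaviorEvent], bool]
    response: Optional[str] = None  # None: the default response applies (step 206)

# Monitoring policy set (step 203). The direction of the parent-process check is
# an assumption: a child whose parent is not a preset system process is a hit.
POLICY_SET: List[MonitoringPolicy] = [
    MonitoringPolicy("encryption_function_call", lambda e: e.kind == "crypto_call",
                     response="dump_memory_and_snapshot_vm"),
    MonitoringPolicy("child_of_non_system_parent",
                     lambda e: e.kind == "proc_create" and e.parent not in SYSTEM_PROCESSES),
]

@dataclass(frozen=True)
class CombinedPolicy:
    """Step 205: more than `threshold` events of `kind` within `window_s` seconds."""
    kind: str = "file_rw"
    window_s: float = 30.0
    threshold: int = 10
    response: str = "set_disk_read_only"

DEFAULT_RESPONSE = "terminate_process"
# Defense response levels keyed by the VM's data-importance index (assumed 0-2).
RESPONSE_LEVELS: Dict[int, List[str]] = {
    0: [],                                              # respond per policy only
    1: ["dump_memory_and_snapshot_vm"],                 # preserve state for recovery
    2: ["dump_memory_and_snapshot_vm", "shutdown_vm"],  # also stop the VM
}

def combined_hit(history: List[BehaviorEvent], current: BehaviorEvent,
                 policy: CombinedPolicy) -> bool:
    """Statistical analysis over historical plus current data: count events of the
    policy's kind inside the window that ends at the current event."""
    if current.kind != policy.kind:
        return False
    window_start = current.ts - policy.window_s
    count = sum(1 for e in history
                if e.kind == policy.kind and window_start <= e.ts <= current.ts)
    return count + 1 > policy.threshold  # +1 for the current event itself

def recognize(history: List[BehaviorEvent], current: BehaviorEvent,
              combined: CombinedPolicy) -> Dict[str, object]:
    """Steps 203-205: policy set first, combined policy only when nothing hits."""
    policy = next((p for p in POLICY_SET if p.hit(current)), None)
    if policy is not None:
        return {"abnormal": True, "policy": policy.name, "response": policy.response}
    if combined_hit(history, current, combined):
        return {"abnormal": True, "policy": "combined_file_rw", "response": combined.response}
    return {"abnormal": False, "policy": None, "response": None}

def choose_response(result: Dict[str, object], importance_index: int) -> List[str]:
    """Step 206: policy-specific response or the default, plus the level's actions."""
    if not result["abnormal"]:
        return []
    actions = [result["response"] or DEFAULT_RESPONSE]
    for extra in RESPONSE_LEVELS.get(importance_index, []):
        if extra not in actions:
            actions.append(extra)
    return actions

def run_monitor(events: List[BehaviorEvent], importance_index: int,
                combined: CombinedPolicy = CombinedPolicy()) -> List[Dict[str, object]]:
    """Feed events in order; earlier events form the behavior database (history)."""
    history: List[BehaviorEvent] = []
    decisions: List[Dict[str, object]] = []
    for ev in events:
        result = recognize(history, ev, combined)
        result["ts"] = ev.ts
        result["actions"] = choose_response(result, importance_index)
        decisions.append(result)
        history.append(ev)  # store collected behavior data for later combined checks
    return decisions

# Constructed sample: one process touches 11 document files within 20 s, then calls
# an encryption function and spawns a child process from a non-system parent.
SAMPLE_EVENTS: List[BehaviorEvent] = (
    [BehaviorEvent(ts=float(2 * i), kind="file_rw", process="doc.exe") for i in range(11)]
    + [BehaviorEvent(ts=21.0, kind="crypto_call", process="doc.exe"),
       BehaviorEvent(ts=22.0, kind="proc_create", process="child.exe", parent="doc.exe")]
)
```

With the constructed sample, `run_monitor(SAMPLE_EVENTS, 2)` reports the first hit at the 11th file event (t=20 s, combined strategy) and then the two single-event strategy hits.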
As can be seen from the above, in this embodiment, a target virtual machine of a host may be created on a target device through a server, and the target virtual machine is used to execute data processing of target software; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; acquiring a monitoring strategy set corresponding to abnormal software, wherein the monitoring strategy set comprises at least one abnormal software monitoring strategy; identifying whether the behavior data hits any abnormal software monitoring strategy in the monitoring strategy set; if yes, obtaining an abnormal recognition result aiming at the target software; if not, acquiring a combined abnormal software monitoring strategy; identifying whether the behavior data hits the combined abnormal software monitoring strategy; and acquiring an abnormal recognition result aiming at the target software according to the combined strategy hit result. Finally, based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software. The embodiment of the application can monitor the virtual machine from the host machine level, when abnormal software triggers an abnormal software monitoring strategy in the virtual machine, defense response is carried out through the host machine level, bait files do not need to be set in advance, the condition of scanning rule change behaviors of the abnormal software can be responded, attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.
In order to better implement the above method, an embodiment of the present application further provides a software defense apparatus, as shown in fig. 3, the software defense apparatus may include a creating unit 301, an obtaining unit 302, an identifying unit 303, and a defending unit 304, as follows:
(1) A creation unit 301;
a creating unit 301, configured to create a target virtual machine of a host on a target device, and execute data processing of target software by using the target virtual machine.
(2) An acquisition unit 302;
an obtaining unit 302, configured to obtain, by the host, behavior data of the target virtual machine in the data processing process, where the behavior data represents internal state information of the target virtual machine.
Optionally, in some embodiments of the present application, the obtaining unit may include a manager identifying subunit, a sending subunit, and a behavior obtaining subunit, as follows:
the manager identification subunit is configured to identify a virtual machine manager in the host machine, which manages the target virtual machine;
the sending subunit is configured to send a monitoring instruction to the target virtual machine through the virtual machine manager;
and the behavior acquisition subunit is used for acquiring behavior data of the target virtual machine in the data processing process according to the monitoring instruction.
(3) An identification unit 303;
the identifying unit 303 is configured to perform anomaly identification on the behavior data according to an anomaly software monitoring policy to obtain an anomaly identification result.
Optionally, in some embodiments of the present application, the identifying unit may include a policy obtaining subunit, an identifying subunit, and an obtaining subunit, as follows:
the strategy acquisition subunit is configured to acquire a monitoring strategy set corresponding to the abnormal software, where the monitoring strategy set includes at least one abnormal software monitoring strategy;
the identification subunit is used for identifying whether the behavior data hits any abnormal software monitoring strategy in the monitoring strategy set;
and the obtaining subunit is used for obtaining the abnormal recognition result aiming at the target software according to the strategy hit result.
Optionally, in some embodiments of the present application, the obtaining subunit may be specifically configured to obtain a combined abnormal software monitoring policy when a policy hit result indicates that the behavior data does not hit any abnormal software monitoring policy in the monitoring policy set; identifying whether the behavior data hits the combined abnormal software monitoring strategy; and acquiring an abnormal recognition result aiming at the target software according to the combined strategy hit result.
Optionally, in some embodiments of the present application, the step "obtaining a combined abnormal software monitoring policy" may include:
determining a monitoring time period of abnormal software;
and acquiring a combined abnormal software monitoring strategy according to the monitoring time period and target behavior information, wherein the target behavior information is behavior information of the abnormal software for data reading and writing.
Optionally, in some embodiments of the present application, the behavior data includes current behavior data and historical behavior data;
the step of identifying whether the behavior data hits the combined abnormal software monitoring policy may include:
performing statistical analysis on the current behavior data and the historical behavior data to obtain a behavior analysis result;
and identifying whether the behavior analysis result hits the combined abnormal software monitoring strategy.
Optionally, in some embodiments of the present application, the policy obtaining subunit may be further configured to analyze at least one abnormal behavior corresponding to the abnormal software, to obtain an abnormal analysis result; constructing and processing an abnormal software monitoring strategy according to the abnormal analysis result; and updating the monitoring strategy set according to the constructed abnormal software monitoring strategy.
Optionally, in some embodiments of the present application, the behavior data includes a parent process corresponding to a child process in the target software; the identification subunit may be specifically configured to identify a parent process corresponding to a child process of the target software; and judging whether the identified parent process is a preset system process.
(4) A defense unit 304;
a defense unit 304, configured to trigger the host to execute a target defense response behavior for the target software based on the anomaly identification result.
Optionally, in some embodiments of the present application, the defense unit may include a setting identification subunit and a first execution subunit, as follows:
the setting identification subunit is configured to identify defense response behavior setting for the abnormal software monitoring policy when the abnormal identification result indicates that the behavior data hits the abnormal software monitoring policy;
the first execution subunit is configured to trigger the host to execute the target defense response behavior when it is recognized that the abnormal software monitoring policy sets a corresponding target defense response behavior for the target software.
Optionally, in some embodiments of the present application, the defense unit may include an important index identification subunit, a defense level determination subunit, and a second execution subunit, as follows:
the important index identification subunit is used for identifying important indexes of data in the target virtual machine;
the defense level determining subunit is used for determining a target defense response level matched with the important index from preset defense response levels;
and the second execution subunit is used for triggering the host to execute a target defense response behavior under the target defense response level aiming at the target software based on the abnormal recognition result.
As can be seen from the above, in this embodiment, the creating unit 301 may create a target virtual machine of a host on a target device, and execute data processing of target software by using the target virtual machine; acquiring, by the acquiring unit 302, behavior data of the target virtual machine in the data processing process through the host, where the behavior data represents internal state information of the target virtual machine; performing exception identification on the behavior data through an identification unit 303 according to an exception software monitoring strategy to obtain an exception identification result; and triggering the host machine to execute target defense response behaviors aiming at the target software through the defense unit 304 based on the abnormal recognition result. The embodiment of the application can monitor the virtual machine from the host machine level, when abnormal software triggers an abnormal software monitoring strategy in the virtual machine, defense response is carried out through the host machine level, bait files do not need to be set in advance, the condition of scanning rule change behaviors of the abnormal software can be responded, attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.
An electronic device according to an embodiment of the present application is further provided, as shown in fig. 4, which shows a schematic structural diagram of the electronic device according to the embodiment of the present application, where the electronic device may be a terminal or a server, and specifically:
the electronic device may include components such as a processor 401 of one or more processing cores, memory 402 of one or more computer-readable storage media, a power supply 403, and an input unit 404. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 4 does not constitute a limitation of the electronic device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 401 is a control center of the electronic device, connects various parts of the whole electronic device by various interfaces and lines, performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402, thereby performing overall monitoring of the electronic device. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by operating the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the electronic device, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 access to the memory 402.
The electronic device further comprises a power supply 403 for supplying power to the various components, and preferably, the power supply 403 is logically connected to the processor 401 through a power management system, so that functions of managing charging, discharging, and power consumption are realized through the power management system. The power supply 403 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The electronic device may further include an input unit 404, and the input unit 404 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the electronic device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 401 in the electronic device loads the executable file corresponding to the process of one or more application programs into the memory 402 according to the following instructions, and the processor 401 runs the application programs stored in the memory 402, thereby implementing various functions as follows:
creating a target virtual machine of a host machine on target equipment, and executing data processing of target software by adopting the target virtual machine; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; and triggering the host machine to execute target defense response behaviors aiming at the target software based on the abnormal recognition result.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
As can be seen from the above, in this embodiment, a target virtual machine of a host may be created on a target device, and the target virtual machine is used to execute data processing of target software; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software. The embodiment of the application can monitor the virtual machine from the host machine level, when abnormal software triggers an abnormal software monitoring strategy in the virtual machine, defense response is carried out through the host machine level, bait files do not need to be set in advance, the condition of scanning rule change behaviors of the abnormal software can be responded, attack of the abnormal software can be effectively prevented, and the safety of computer network application is improved.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the present application provides a computer-readable storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps in any one of the software defense methods provided in the present application. For example, the instructions may perform the steps of:
creating a target virtual machine of a host machine on target equipment, and executing data processing of target software by adopting the target virtual machine; acquiring behavior data of the target virtual machine in the data processing process through the host machine, wherein the behavior data represents internal state information of the target virtual machine; according to an abnormal software monitoring strategy, performing abnormal recognition on the behavior data to obtain an abnormal recognition result; based on the abnormal recognition result, triggering the host machine to execute target defense response behaviors aiming at the target software.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Wherein the computer-readable storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the computer-readable storage medium can execute the steps in any software defense method provided in the embodiments of the present application, the beneficial effects that can be achieved by any software defense method provided in the embodiments of the present application can be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
According to an aspect of the application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read by a processor of the computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the methods provided in the various alternative implementations of the software defense aspect described above.
The software defense method and the related devices provided by the embodiments of the present application are described in detail above, and the principles and embodiments of the present application are explained herein by applying specific examples, and the description of the embodiments above is only used to help understand the method and the core ideas of the present application; meanwhile, for those skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (14)

1. A method of software defense, comprising:
creating a target virtual machine of a host machine on a target device, and performing data processing of target software with the target virtual machine;
acquiring, through the host machine, behavior data of the target virtual machine during the data processing, wherein the behavior data represents internal state information of the target virtual machine;
performing anomaly identification on the behavior data according to an abnormal software monitoring policy to obtain an anomaly identification result;
and triggering the host machine to execute a target defense response behavior for the target software based on the anomaly identification result.
2. The method according to claim 1, wherein the acquiring, through the host machine, behavior data of the target virtual machine during the data processing comprises:
identifying a virtual machine manager in the host machine that manages the target virtual machine;
sending a monitoring instruction to the target virtual machine through the virtual machine manager;
and acquiring behavior data of the target virtual machine during the data processing according to the monitoring instruction.
3. The method according to claim 1, wherein the performing anomaly identification on the behavior data according to an abnormal software monitoring policy to obtain an anomaly identification result comprises:
acquiring a monitoring policy set corresponding to abnormal software, wherein the monitoring policy set comprises at least one abnormal software monitoring policy;
identifying whether the behavior data hits any abnormal software monitoring policy in the monitoring policy set;
and acquiring an anomaly identification result for the target software according to the policy hit result.
4. The method of claim 3, wherein acquiring the anomaly identification result for the target software according to the policy hit result comprises:
when the policy hit result is that the behavior data hits no abnormal software monitoring policy in the monitoring policy set, acquiring a combined abnormal software monitoring policy;
identifying whether the behavior data hits the combined abnormal software monitoring policy;
and acquiring an anomaly identification result for the target software according to the combined policy hit result.
5. The method of claim 4, wherein acquiring the combined abnormal software monitoring policy comprises:
determining a monitoring time period for abnormal software;
and acquiring a combined abnormal software monitoring policy according to the monitoring time period and target behavior information, wherein the target behavior information is behavior information of abnormal software reading and writing data.
6. The method of claim 4, wherein the behavior data comprises current behavior data and historical behavior data;
and the identifying whether the behavior data hits the combined abnormal software monitoring policy comprises:
performing statistical analysis on the current behavior data and the historical behavior data to obtain a behavior analysis result;
and identifying whether the behavior analysis result hits the combined abnormal software monitoring policy.
7. The method of claim 3, further comprising:
analyzing at least one abnormal behavior corresponding to the abnormal software to obtain an anomaly analysis result;
constructing an abnormal software monitoring policy according to the anomaly analysis result;
and updating the monitoring policy set with the constructed abnormal software monitoring policy.
8. The method of claim 3, wherein the behavior data comprises the parent process corresponding to a child process of the target software;
and the identifying whether the behavior data hits any abnormal software monitoring policy in the monitoring policy set comprises:
identifying the parent process corresponding to a child process of the target software;
and judging whether the identified parent process is a preset system process.
9. The method of claim 1, wherein the triggering the host machine to execute a target defense response behavior for the target software based on the anomaly identification result comprises:
when the anomaly identification result is that the behavior data hits the abnormal software monitoring policy, identifying whether a defense response behavior is set for the abnormal software monitoring policy;
and when it is identified that the abnormal software monitoring policy sets a corresponding target defense response behavior for the target software, triggering the host machine to execute the target defense response behavior.
10. The method of claim 1, wherein triggering the host machine to execute a target defense response behavior for the target software based on the anomaly identification result comprises:
identifying an importance index of the data in the target virtual machine;
determining, from preset defense response levels, a target defense response level matching the importance index;
and, based on the anomaly identification result, triggering the host machine to execute the target defense response behavior at the target defense response level for the target software.
11. A software defense apparatus, comprising:
a creating unit, configured to create a target virtual machine of a host machine on a target device and to perform data processing of target software with the target virtual machine;
an acquiring unit, configured to acquire, through the host machine, behavior data of the target virtual machine during the data processing, wherein the behavior data represents internal state information of the target virtual machine;
an identification unit, configured to perform anomaly identification on the behavior data according to an abnormal software monitoring policy to obtain an anomaly identification result;
and a defense unit, configured to trigger the host machine to execute a target defense response behavior for the target software based on the anomaly identification result.
12. An electronic device comprising a memory and a processor, wherein the memory stores an application program and the processor is configured to run the application program in the memory to perform the operations of the software defense method of any one of claims 1 to 10.
13. A computer-readable storage medium storing instructions adapted to be loaded by a processor to perform the steps of the software defense method of any one of claims 1 to 10.
14. A computer program product comprising a computer program or instructions, characterized in that the computer program or instructions, when executed by a processor, implement the steps of the software defense method of any one of claims 1 to 10.
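The host-side identification pipeline the claims describe (the policy set and fallback to a combined policy of claims 3 and 4, the read/write statistics over a monitoring period of claims 5 and 6, the parent-process rule of claim 8 and the importance-matched response level of claim 10), as an added Python example that is not the patent's own code. The event record format, the system-process list, the burst factor and the level cutoffs are assumptions chosen for illustration.

```python
from dataclasses import dataclass
SYSTEM_PROCESSES = {"init", "systemd", "services.exe"}     # preset system processes (assumed)

@dataclass
class Event:                 # one behavior record as the host collects it (constructed format)
    ts: float                # seconds since VM start
    kind: str                # "spawn", "read" or "write"
    proc: str
    parent: str = ""
    nbytes: int = 0

def unexpected_parent(current, history):
    """Claim 8: a child process of the target software whose parent is not a preset system process."""
    return any(e.kind == "spawn" and e.parent not in SYSTEM_PROCESSES for e in current)

def rw_burst(current, history, period=60.0, factor=5.0):
    """Claims 5-6: combined policy, read/write volume in the monitoring period compared
    statistically against the historical per-period baseline (history sorted by ts)."""
    def volume(events):
        return sum(e.nbytes for e in events if e.kind in ("read", "write"))
    if not history:
        return False
    periods = max((history[-1].ts - history[0].ts) / period, 1.0)
    baseline = volume(history) / periods              # bytes per period, historically
    return volume(current) > factor * max(baseline, 1.0)

POLICY_SET = {"unexpected_parent": unexpected_parent}      # single policies (claim 3)
COMBINED_POLICY = {"rw_burst": rw_burst}                    # consulted only on a miss (claim 4)
RESPONSE_LEVELS = {0: "log", 1: "alert", 2: "suspend_vm"}   # preset levels (claim 10), assumed

def identify(current, history):
    """Claims 3-4: try every single policy; only on no hit fall back to the combined policy."""
    for name, check in POLICY_SET.items():
        if check(current, history):
            return {"hit": True, "policy": name}
    for name, check in COMBINED_POLICY.items():
        if check(current, history):
            return {"hit": True, "policy": name}
    return {"hit": False, "policy": None}

def respond(result, importance):
    """Claim 10: choose the defense response level matching the data's importance index (0..1)."""
    if not result["hit"]:
        return None
    level = 0 if importance < 0.3 else 1 if importance < 0.7 else 2
    return RESPONSE_LEVELS[level]

# Constructed sample: eleven 1 kB writes a minute apart, then a 20 kB write and an odd spawn.
HISTORY = [Event(t, "write", "app", "init", 1_000) for t in range(0, 660, 60)]
CURRENT = [Event(610, "write", "app", "init", 20_000), Event(615, "spawn", "helper", "app")]
```

With the sample above, `identify(CURRENT, HISTORY)` hits the single parent-process policy first; dropping the spawn event makes the combined read/write policy the one that fires.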

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111161950.9A CN115904605A (en) 2021-09-30 2021-09-30 Software defense method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111161950.9A CN115904605A (en) 2021-09-30 2021-09-30 Software defense method and related equipment

Publications (1)

Publication Number Publication Date
CN115904605A true CN115904605A (en) 2023-04-04

Family

ID=86492085

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111161950.9A Pending CN115904605A (en) 2021-09-30 2021-09-30 Software defense method and related equipment

Country Status (1)

Country Link
CN (1) CN115904605A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116150797A (en) * 2023-04-21 2023-05-23 深圳市科力锐科技有限公司 Data protection method, system, equipment and storage medium
CN116895046A (en) * 2023-07-21 2023-10-17 北京亿宇嘉隆科技有限公司 Abnormal operation and maintenance data processing method based on virtualization
CN116895046B (en) * 2023-07-21 2024-05-07 北京亿宇嘉隆科技有限公司 Abnormal operation and maintenance data processing method based on virtualization
CN117235760A (en) * 2023-09-19 2023-12-15 安徽诺中科技股份有限公司 Encryption storage method and device for enterprise data, computer equipment and storage medium
CN117235760B (en) * 2023-09-19 2024-04-02 安徽诺中科技股份有限公司 Encryption storage method and device for enterprise data, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US10936717B1 (en) Monitoring containers running on container host devices for detection of anomalies in current container behavior
US20190114426A1 (en) Method of remediating operations performed by a program and system thereof
JP6356158B2 (en) Method and technique for controlling applications and devices in a virtualized environment
US9251343B1 (en) Detecting bootkits resident on compromised computers
CN100533334C (en) Method of improving computer security through sandboxing
US9197662B2 (en) Systems and methods for optimizing scans of pre-installed applications
Zhao et al. Malicious executables classification based on behavioral factor analysis
Kumara et al. Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at VMM
US10853489B2 (en) Data-driven identification of malicious files using machine learning and an ensemble of malware detection procedures
CN115904605A (en) Software defense method and related equipment
EP3362937B1 (en) Method of remediating a program and system thereof by undoing operations
CA2915068C (en) Systems and methods for directing application updates
US10242187B1 (en) Systems and methods for providing integrated security management
US9444829B1 (en) Systems and methods for protecting computing resources based on logical data models
US11880458B2 (en) Malware detection based on user interactions
Čeponis et al. Towards a robust method of dataset generation of malicious activity for anomaly-based HIDS training and presentation of AWSCTD dataset
Harrison et al. Constructing a cloud-based IDS by merging VMI with FMA
CN110659478B (en) Method for detecting malicious files preventing analysis in isolated environment
US10846405B1 (en) Systems and methods for detecting and protecting against malicious software
US10546125B1 (en) Systems and methods for detecting malware using static analysis
Wang et al. IoT‐DeepSense: Behavioral Security Detection of IoT Devices Based on Firmware Virtualization and Deep Learning
Bisht et al. HyperGuard: on designing out-VM malware analysis approach to detect intrusions from hypervisor in cloud environment
Gohel et al. Design of virtualization framework to detect cyber threats in linux environment
CN110909349A (en) Detection method and system for rebound shell in docker container
Bai et al. Malware detection method based on dynamic variable length API sequence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40085623; Country of ref document: HK)