CN117972683A - Kernel-level security terminal and installation method - Google Patents
Kernel-level security terminal and installation method Download PDFInfo
- Publication number
- CN117972683A CN117972683A CN202311734438.8A CN202311734438A CN117972683A CN 117972683 A CN117972683 A CN 117972683A CN 202311734438 A CN202311734438 A CN 202311734438A CN 117972683 A CN117972683 A CN 117972683A
- Authority
- CN
- China
- Prior art keywords
- event
- kernel
- information
- module
- security terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 85
- 238000009434 installation Methods 0.000 title abstract description 6
- 230000008569 process Effects 0.000 claims abstract description 54
- 230000006399 behavior Effects 0.000 claims abstract description 43
- 230000007246 mechanism Effects 0.000 claims abstract description 11
- 101150093240 Brd2 gene Proteins 0.000 claims abstract description 9
- 208000032826 Ring chromosome 3 syndrome Diseases 0.000 claims abstract description 9
- 238000001914 filtration Methods 0.000 claims description 35
- 230000002159 abnormal effect Effects 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 13
- 230000000694 effects Effects 0.000 claims description 11
- 230000002155 anti-virotic effect Effects 0.000 claims description 7
- 206010000117 Abnormal behaviour Diseases 0.000 claims description 4
- 238000012544 monitoring process Methods 0.000 abstract description 10
- 230000000875 corresponding effect Effects 0.000 description 10
- 238000001514 detection method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 241000700605 Viruses Species 0.000 description 6
- 239000008186 active pharmaceutical agent Substances 0.000 description 6
- 230000009471 action Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 230000003993 interaction Effects 0.000 description 5
- 230000010485 coping Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008439 repair process Effects 0.000 description 3
- 230000006872 improvement Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000008030 elimination Effects 0.000 description 1
- 238000003379 elimination reaction Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 101150026195 hook gene Proteins 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the application provides a kernel-level security terminal and an installation method, wherein the kernel-level security terminal comprises: the user module is operated at a third privilege level Ring3 and is configured to monitor a target event and filter the target event to obtain an event to be processed, wherein the target event is an event with invisible kernel mode; the kernel module is operated at the zeroth privilege level Ring0, and is configured to collect event information in a kernel mode to obtain a kernel event and process the event to be processed and the kernel event, wherein the event to be processed is transmitted to the kernel module through an I/O mechanism. By adopting the kernel-level security terminal provided by the embodiment of the application, the unknown threats can be well detected through the monitoring of the process behaviors by the kernel module and the user module, so that the environment with rapid iteration and a large number of unknown threats can be better dealt with by the current malicious software update.
Description
Technical Field
The application relates to the field of security, in particular to a kernel-level security terminal and an installation method.
Background
With the popularity of the internet in everyday life, malware is increasingly threatening system resources, data, and personal information. Conventional coping approaches mainly involve the use of signature and heuristic based antivirus software. These techniques rely on a remote server to define malware, scan a host device in which the antivirus is installed, and upload a scan file to the remote server to match the malware.
However, conventional disinfection software suffers from a number of problems. Malware providers are typically able to update malware faster to circumvent detection of security software. Furthermore, there is a window of time when new definitions or updates of security software are implemented, without any measures to prevent intrusion and propagation of malware during this time. In addition, antivirus software is typically a user-mode application that, after being loaded on an operating system, gives the malware an opportunity to evade detection.
Disclosure of Invention
The embodiment of the application aims to provide a kernel-level security terminal and an installation method, and by adopting the kernel-level security terminal provided by the embodiment of the application, unknown threats can be well detected through monitoring the process behaviors of a kernel module and a user module, so that the environment with rapid updating iteration and a large number of unknown threats of the current malicious software can be better dealt with.
In a first aspect, an embodiment of the present application provides a kernel-level security terminal, where the kernel-level security terminal includes: the user module is operated at a third privilege level Ring3 and is configured to monitor a target event and filter the target event to obtain an event to be processed, wherein the target event is an event with invisible kernel mode; the kernel module is operated at the zeroth privilege level Ring0, and is configured to collect event information in a kernel mode to obtain a kernel event and process the event to be processed and the kernel event, wherein the event to be processed is transmitted to the kernel module through an I/O mechanism.
The user module and the kernel module of the embodiment of the application interact in real time, and the malicious program is detected through the process behavior, which is compared with the traditional technical scheme that the terminal safely detects the characteristics of the malicious program depending on viruses, such as file hash, and the like, and the virus detection rate is low compared with the unknown threat (the hash cannot be matched in the virus characteristic library), the kernel-level security terminal of the embodiment of the application can better detect the unknown threat through the kernel module and the user module monitoring the process behavior, thereby better coping with the environment with quick update iteration of the current malicious software and a large number of unknown threats.
In some embodiments of the application, the user module comprises: a user module collector configured to collect the target event; and the filtering module is configured to filter out the normal behavior of the trusted program and retain the abnormal behavior of the trusted program and the behavior of the untrusted program.
In some embodiments, the target event comprises: the HOOK event, ETW related event or syscall of the user state API is invoked directly.
In some embodiments, the kernel module comprises: the kernel module collector is configured to collect file events, events corresponding to a registry and events corresponding to a process and a thread, and obtain the kernel events; the filtering and dispatcher is configured to receive the kernel event and the event to be processed and screen out a set type event; an information correlator configured to record the occurrence frequency of the set type event and count frequency anomaly events; an event information base configured to track attributes, behaviors and/or patterns of computing device objects or processes and provide a complete chain of process activities, and to perform data updates according to the frequency anomaly events; and the event processor is configured to determine whether the frequency abnormal event belongs to malicious behaviors according to configuration information, update data in the event information base when the frequency abnormal event is confirmed to belong to the malicious behaviors, and take processing measures.
In some embodiments, the kernel module collector receives the kernel event occurrence through a hook or filter driver; or the kernel module collector observes kernel events corresponding to the log file or the memory location through the generated threads.
In some embodiments, the monitoring object of the kernel module collector is configurable.
In some embodiments, the information correlator is configured to treat as the frequency anomaly event a first set type of event that occurs more frequently than a set frequency threshold.
In some embodiments, the information correlator provides the frequency anomaly event to the event information base, the event processor, or the manager.
In some embodiments, the processing means comprises: stop the relevant process, clear malicious code, or act fraudulently to guard against the attack.
According to the embodiment of the application, the execution of a malicious program can be immediately prevented after the unknown threat is detected, the detection rate of the existing kernel-level terminal on the unknown threat is low, a time window exists for each time of processing the unknown threat by manual analysis and product updating, and the kernel-level security terminal of the embodiment of the application can better detect the unknown threat and eliminate dangerous gaps in a security coverage area through process behavior analysis.
In some embodiments, the kernel-level security terminal further comprises: a manager configured to manage various configuration files and log files, wherein the log files are used at least to record operations to synchronize the configuration of the filter and dispatcher to the user module collector.
In a second aspect, some embodiments of the present application provide a method for a kernel-level security terminal, the method comprising: collecting user state information through a user module collector to obtain a target event; filtering the target event, and transmitting the filtered information to a filtering dispatcher included in the kernel module by an I/O mechanism between the user module and the kernel module; collecting event information of a kernel mode through a kernel module collector to obtain a kernel event; passing the kernel event to the filter and dispatcher; transmitting a set type event which needs to be processed by the information correlator in the received information to the information correlator through a filter and dispatcher; generating associated information of the event by inquiring an event information base through an information correlator to obtain a frequency abnormal event, and transmitting the frequency abnormal event back to the filtering and dispatcher; synchronizing, by the filter and dispatcher, the received information into an event information base; querying data in an event information base through the filter and dispatcher; the treatment method obtained after the behavior analysis is sent to an event processor through a filtering and dispatcher; returning, by the event handler, the processing result to the filter and dispatcher; the information correlator reads the data in the event information base; the event processor reads data in an event information base and sends the information of a process corresponding to the malicious attack to the manager after identifying the malicious attack according to the frequency abnormal event; the manager is used for issuing configuration files to the filtering and dispatcher and the user module collector to update the configuration files.
In a third aspect, some embodiments of the present application provide a method of installing a kernel-level security terminal on an electronic device, the method comprising: the kernel-level security terminal according to any one of the embodiments of the first aspect is run on the electronic device at a target time, where the target time is used to avoid a risk event, and the risk event is that malware is started when antivirus is not installed after the operating system is started.
In the starting process of the computer, the modules necessary for starting the windows system are required to be loaded firstly, and then the user application program is loaded, and the kernel-level security terminal of the embodiment of the application ensures that the user host can be protected in the whole process by loading the modules necessary for starting the windows system (namely, loading the modules necessary for starting the windows system) immediately after loading the computer, so that the situation of loading the malicious program is avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is one of the architecture diagrams of a kernel-level security terminal provided in an embodiment of the present application;
fig. 2 is a second architecture diagram of a kernel-level security terminal according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
The embodiment of the application provides a kernel-level security terminal which is one of early loads in the booting process of a host computing device. By loading early in boot, the kernel-level security terminal significantly reduces the time window in which malware may activate and interfere with host computing device operation, or unattended operation on the host computing device.
The kernel-level security terminal of some embodiments of the present application comprises two parts, a kernel module and a user module, and the kernel-level security terminal can be installed on a host computing device in the form of a driver and create a security service that can receive notifications of events observed by the kernel-level security terminal, analyze relevant data, repair the host computing device, and generate configuration updates that are to be provided to the kernel-level security terminal. The interaction between the kernel-level security terminal and the security service can break the malware update cycle of the malware developer. In this way, the kernel-level security terminal can perform updating while continuously monitoring, eliminating dangerous gaps in the security coverage.
Referring to fig. 1, fig. 1 is a schematic diagram of a kernel-level security terminal according to an embodiment of the present application, where the kernel-level security terminal includes: a user module 110, and a kernel module 120.
And the user module is operated at a third privilege level Ring3 and is configured to monitor a target event and filter the target event to obtain a to-be-processed event, wherein the target event is an event with invisible kernel mode.
The kernel module is operated at the zeroth privilege level Ring0, and is configured to collect event information in a kernel mode to obtain a kernel event and process the event to be processed and the kernel event, wherein the event to be processed is transmitted to the kernel module through an I/O mechanism.
The user module and the kernel module of the embodiment of the application interact in real time, and the malicious program is detected through the process behavior, which is compared with the traditional technical scheme that the terminal safely detects the characteristics of the malicious program depending on viruses, such as file hash, and the like, and the virus detection rate is low compared with the unknown threat (the hash cannot be matched in the virus characteristic library), the kernel-level security terminal of the embodiment of the application can better detect the unknown threat through the kernel module and the user module monitoring the process behavior, thereby better coping with the environment with quick update iteration of the current malicious software and a large number of unknown threats.
Further architectures for the user module and the kernel module are exemplarily set forth below in connection with fig. 2.
It should be noted that, the processor CPU of the Windows operating system generally supports four privilege levels, i.e., the zeroth privilege level Ring0 to the third privilege level Ring3, and only Ring0 (kernel mode) and Ring3 (user mode) are used in the actual trial process, where the privilege levels or authority levels of the codes running in kernel mode and user mode are different, and in the kernel-level security terminal architecture of the embodiment of the present application, the code running in kernel mode (i.e., the user module 110) and the code running in kernel mode (i.e., the kernel module 120) are distinguished by the parting line (i.e., the dashed line) in fig. 2.
As shown in fig. 2, in some embodiments of the application, the user module 110 illustratively includes: a user module collector 111 and a filter module 112.
A user module collector 111 configured to collect the target events. For example, in some embodiments of the application, the target event comprises: the HOOK event, ETW related event or syscall of the user state API is invoked directly. Wherein, API: english abbreviation of Application Programming Interface and Chinese is application programming interface; HOOK: is a technique that allows modification or interception of function calls of a system or application, chinese can be translated into HOOKs, usually directly using HOOK, without translation; ETW: english abbreviation of EVENT TRACING for Windows, chinese is Windows event tracking; syscall: chinese is fully called: system call, english full name: SYSTEM CALL, the application program interacts with the operating system kernel through a system call to request execution of a specific operation.
The filtering module 112 is configured to filter out the normal behavior of the trusted program and to retain the abnormal behavior of the trusted program and the behavior of the untrusted program.
That is, in the design of a kernel-level security terminal according to some embodiments of the present application, a user module collector refers to code that runs under a user module to collect process behavior information, and the user module collector serves as a component of the kernel-level security terminal for monitoring events in the system that are not visible to kernel mode. For example, in some embodiments of the present application, the user module collector is configured to monitor and collect events belonging to a user state, including HOOK, ETW related events, syscall direct call, etc. of the user state API.
It should be noted that in some embodiments of the present application, the configuration of the user module collector may be adjusted by the kernel-level security terminal to determine the specific event type it monitors. For example, in some embodiments of the present application, the updated configuration file may be issued to the user module collector by a manager in the kernel module, where the information that needs to be collected by the user module collector may be configured. This is because there is a huge amount of information in the Windows operating system at every moment, so important information of interest, such as selection of HOOK user mode API (VirtualAlloc, writeProcessMemrory etc.), selection of etc event, etc., needs to be collected through the configuration file. The information collected by the user module collector is processed by the filtering module, and then the filtered residual data is transmitted to the kernel module through the I/O mechanism of the user module and the kernel module (the data needs to be transmitted through the I/O mechanism for the code running in the user mode and the kernel mode in the windows operating system). In some embodiments of the present application, the purpose of the filtering module is to reduce sending unimportant data to the kernel module, where the filtering module corresponds to a condition that normal behavior of a program considered trusted is filtered out, and the data remaining after filtering is abnormal behavior of a trusted program and behavior of an untrusted program.
As shown in fig. 2, in some embodiments of the application, the kernel module 120 illustratively includes: kernel module collector 121, filter and dispatcher 122, information correlator 123, event information base 124, event handler 125, and manager 126.
And the kernel module collector is configured to collect file events, events corresponding to the registry and events corresponding to the processes and threads, and obtain the kernel events. Kernel module collectors refer to code that runs under kernel modules to collect process behavior information.
For example, in some embodiments of the application, the kernel module collector receives the kernel event occurrence through hooks or filter drivers; or the kernel module collector observes kernel events corresponding to the log file or the memory location through the generated threads. For example, in some embodiments of the application, the monitoring object of the kernel module collector is configurable.
That is, in some embodiments of the application the kernel module collector is used to observe events associated with one or more processes (including kernel-mode processes) and to collect event information in kernel mode, including file events, registry-related events, process and thread-related events, and the like. For example, the kernel module collector utilizes hooks or filter drivers provided by the operating system to receive notifications about the occurrence or non-occurrence of certain events, such as creation, reading, writing of files, and loading of executable files. In addition, the kernel module collector may also monitor memory, log files, or generate threads to observe events related to log files or memory locations. Likewise, the monitoring object of the kernel module collector can be configured through the kernel-level security terminal.
It should be noted that, a process may have both Ring0 and Ring3 behaviors, where when the process runs on Ring3, the process behavior needs to be collected by the user module collector, and when the process runs on Ring0, the process behavior is collected by the kernel module collector; the process running on Ring3 cannot directly use Ring 0's functionality (for security of the windows operating system) and therefore Ring 0's functionality is used in the form of a system call (syscall) through the APIs provided by the operating system.
And the filtering and dispatcher is configured to receive the kernel event and the event to be processed and filter out the event of a set type.
That is, in some embodiments of the present application, the filter and dispatcher is located in the kernel module, receives event information from the kernel module collector and the user module collector, and after filtering, distributes the event information to one or more of the information correlator, the event information base, the event processor, or the manager.
And the information correlator is configured to record the occurrence frequency of the set type event and count the frequency abnormal event.
For example, in some embodiments of the application, the information correlator is configured to treat as the frequency anomaly event a first set type of event that occurs more frequently than a set frequency threshold. For example, in some embodiments of the application, the information correlator provides the frequency anomaly event to the event information base, the event processor, or the manager. It should be noted that, in some embodiments of the present application, the information correlator generates a result each time the information correlator performs information correlation, and the result is stored in the event information base; the result generated by the information correlator may conclude that a certain behavior is malicious, for example, the threshold is set to be that the number of files rewritten in five minutes is greater than 100, and when the information correlator discovers the behavior, the event processor needs to process the behavior, for example, ending the related process; the event handler's record of handling the malicious behaviour is sent to the manager, which records it in the configuration file, after which it can be directly detected and blocked against the same behaviour.
That is, in some embodiments of the present application, an information correlator is used to record the occurrence of certain types of events, which can identify screening events and take corresponding actions based on the number, threshold, set, or sequence of occurrence of those events. For example, the information correlator may record the number of occurrences of an event and generate an event when a certain threshold is reached, indicating that the frequency of an event of a certain type may be noticeable. The events generated by the information correlator are transmitted to other components, such as an event information base, an event handler or manager.
An event information base configured to track attributes, behaviors, and/or patterns of computing device objects or processes and provide a complete chain of process activities, and to perform data updates based on the frequency anomaly events. It should be noted that, the data in the event information base is stored in the cloud end, when the event information base in the kernel module needs to store the data, the data is uploaded to the cloud end, and when the data needs to be queried, the cloud end is accessed to obtain the result.
That is, in some embodiments of the application, an event information repository is used to track attributes, behaviors, and/or patterns of computing device objects or processes, which may reflect the execution activities of the processes, which may provide a complete chain of process activities, which receives events from filters and dispatchers, and from which the contents of the event information repository are continually updated. The event information base to be described is at least used for storing information collected by the user module collector and the kernel module collector, for example: process information, HOOKAPI information, file-related information, registry-related information, malware signature information, and the like.
And the event processor is configured to determine whether the frequency abnormal event belongs to malicious behaviors according to configuration information, update data in the event information base when the frequency abnormal event is confirmed to belong to the malicious behaviors, and take processing measures. For example, in some embodiments of the application, the processing means comprises: stop the relevant process, clear malicious code, or act fraudulently to guard against the attack.
That is, in some embodiments of the present application, the event handler is configured to receive events and collect additional evidence-obtaining data, and after obtaining the data, the event handler updates the event information base and determines whether the event is related to malicious behavior according to the configuration of the kernel-level security terminal. Once an event is associated with malicious activity, the event handler updates the event information base and takes appropriate action, such as stopping the relevant process, removing malicious code, or performing fraudulent actions to guard against the attack.
It is easy to understand that the embodiment of the application can immediately prevent the execution of the malicious program after detecting the unknown threat, the existing kernel-level terminal has low detection rate on the unknown threat, a time window exists for manually analyzing and updating products when the unknown threat is processed each time, and the kernel-level security terminal of the embodiment of the application can better detect the unknown threat and eliminate dangerous gaps in the security coverage range through analyzing the process behaviors.
In some embodiments, the kernel-level security terminal further comprises: a manager configured to manage various configuration files and log files, wherein the log files are used at least to record operations to synchronize the configuration of the filter and dispatcher to the user module collector.
That is, in some embodiments of the present application, a manager is responsible for managing the various configuration files and log files, which receives configuration updates from the filter and dispatcher and synchronizes those updates to the user module and the kernel module, where the behavior of these event monitoring, filtering, processing, and configuration updates may be recorded for future review and analysis.
Some embodiments of the present application provide a method for a kernel-level security terminal, the method comprising: collecting user state information through a user module collector to obtain a target event; filtering the target event, and transmitting the filtered information to a filtering dispatcher included in the kernel module by an I/O mechanism between the user module and the kernel module; collecting event information of a kernel mode through a kernel module collector to obtain a kernel event; passing the kernel event to the filter and dispatcher; transmitting a set type event which needs to be processed by the information correlator in the received information to the information correlator through a filter and dispatcher; generating associated information of the event by inquiring an event information base through an information correlator to obtain a frequency abnormal event, and transmitting the frequency abnormal event back to the filtering and dispatcher; synchronizing, by the filter and dispatcher, the received information into an event information base; querying data in an event information base through the filter and dispatcher; the treatment method obtained after the behavior analysis is sent to an event processor through a filtering and dispatcher; returning, by the event handler, the processing result to the filter and dispatcher; the information correlator reads the data in the event information base; the event processor reads data in an event information base and sends the information of a process corresponding to the malicious attack to the manager after identifying the malicious attack according to the frequency abnormal event; the manager is used for issuing configuration files to the filtering and dispatcher and the user module collector to update the configuration files.
For example, the information flow between the modules corresponding to fig. 2 is:
1. user state information collected by the user module collector is transmitted to the filtering module.
2. The filtering module filters the input data according to the filtering condition, and the user state information is transmitted to the filtering dispatcher of the kernel module by the I/O mechanism between the user module and the kernel module.
3. The kernel-mode event information collected by the kernel module collector is transmitted to the filtering and dispatcher.
4. The filter and dispatcher communicates to the information correlator specific types of events in the received information that require processing by the information correlator.
5. The information correlator generates the correlation information of the event by inquiring the event information base and transmits the correlation information back to the filtering and dispatcher.
6. The filter and dispatcher synchronizes the received information into an event information base.
7. The filter and dispatcher queries the data in the event information base.
8. The filtering and dispatcher sends the treatment method obtained after the behavior analysis to the event processor.
9. The event handler passes the processing results back to the filter and dispatcher.
10. The information correlator reads the data in the event information base.
11. The event processor reads the data in the event information base.
12. The filtering and dispatcher, upon identifying a malicious attack, will send information about the relevant process to the manager.
13. The manager controls the updating of the filters and dispatchers.
14. And the manager issues the configuration file to the user module collector to update the configuration file.
Some embodiments of the application provide a method of installing a kernel-level security terminal on an electronic device, the method comprising: the kernel-level security terminal according to any one of the embodiments of the first aspect is run on the electronic device at a target time, where the target time is used to avoid a risk event, and the risk event is that malware is started when antivirus is not installed after the operating system is started.
It is easy to understand that, in the process of starting up the computer, the modules necessary for starting up the windows system need to be loaded first, and then the user application program is loaded.
It should be noted that, the improved technology of the kernel-level security terminal according to some embodiments of the present application may be divided into three points:
1. early loaded kernel-level security terminal: the main innovation point of this technology is to place the installation of software at an early stage of device boot, thereby suppressing the damage that malware may cause to a computer when the operating system is booted.
That is, loading the kernel-level security terminal corresponds to installing the system of fig. 2. The early loading is to find out the earliest opportunity for installing the kernel-level security terminal under the conditions that the normal starting of a windows operating system is not influenced and the normal operation of the kernel-level security terminal can be provided through investigation. By this way, it is avoided that the antivirus software has not been installed after the operating system is booted, but that malware has been started.
2. Interaction mode of security service and kernel-level security terminal: the technical innovation point comprises interaction between the kernel-level security terminal and the security service, and the interaction mode is helpful for breaking the malicious software update cycle of a malicious software developer, and simultaneously, updating and repairing measures are executed in real time, so that the system security is enhanced.
That is, the user module collector collects user state information and transmits the user state information to the kernel module through the I/O mechanism, and the manager of the kernel module updates the configuration file by updating the configuration file and transmitting the configuration file to the user module collector. In this way, the unknown threat identified by the kernel module analysis can be immediately issued to the user module in this form through a profile update.
3. Eliminating dangerous gaps of safety coverage: the technical innovation point emphasizes the capability of the kernel-level security terminal, not only can continuously monitor malicious activities, but also can timely execute updating, thereby effectively eliminating the security clearance possibly existing in the security coverage range of the system.
That is, the point of eliminating the dangerous gap of the safety coverage is embodied from the macroscopic whole of the whole kernel-level safety terminal, and the embodiment of the application achieves the effect of eliminating the dangerous gap of the safety coverage by a series of means of early loading the kernel-level safety terminal, real-time behavior detection and analysis, identifying the known threat and the unknown threat and immediately intercepting the like.
It will be appreciated that the technical advantages provided by the use of the three-point improvement described above include at least:
1. Early kernel-level secure loading: the method prevents the malicious software from generating potential threat when the equipment is operated, reduces potential malicious activities and attack possibility, and strengthens the overall security of the system.
2. Security service interaction mode: the method breaks through the update cycle of malicious software, allows the repair measures to be executed in real time, and improves the resistance of the system to novel threats.
3. Security coverage hole elimination: the malicious activities are continuously monitored, and updating is immediately performed, so that the time window for the system to suffer from the malicious activities is reduced, and the resistance and the repair capability of the whole system are enhanced.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (12)
1. A kernel-level security terminal, characterized in that the kernel-level security terminal comprises:
The user module is operated at a third privilege level Ring3 and is configured to monitor a target event and filter the target event to obtain an event to be processed, wherein the target event is an event with invisible kernel mode;
The kernel module is operated at the zeroth privilege level Ring0, and is configured to collect event information in a kernel mode to obtain a kernel event and process the event to be processed and the kernel event, wherein the event to be processed is transmitted to the kernel module through an I/O mechanism.
2. The kernel-level security terminal of claim 1, wherein the user module comprises:
a user module collector configured to collect the target event;
and the filtering module is configured to filter out the normal behavior of the trusted program and retain the abnormal behavior of the trusted program and the behavior of the untrusted program.
3. The kernel-level security terminal of claim 2, wherein the target event comprises: the HOOK event, ETW related event or syscall of the user state API is invoked directly.
4. A kernel-level security terminal as claimed in any one of claims 2 to 3, wherein the kernel module comprises:
The kernel module collector is configured to collect file events, events corresponding to a registry and events corresponding to a process and a thread, and obtain the kernel events;
the filtering and dispatcher is configured to receive the kernel event and the event to be processed and screen out a set type event;
an information correlator configured to record the occurrence frequency of the set type event and count frequency anomaly events;
The event information base is configured to track the attribute, the behavior and/or the mode of the computing device object or the process, provide a complete chain of the process activity and update data according to the frequency abnormal event, wherein the data in the event information base is stored in a cloud end, and the cloud end is accessed when the data is required to be queried;
And the event processor is configured to determine whether the frequency abnormal event belongs to malicious behaviors according to configuration information, update data in the event information base when the frequency abnormal event is confirmed to belong to the malicious behaviors, and take processing measures.
5. The kernel-level security terminal of claim 4, wherein the kernel module collector receives the kernel event occurrence through a hook or a filter driver; or the kernel module collector observes kernel events corresponding to the log file or the memory location through the generated threads.
6. The kernel-level security terminal of claim 5, wherein the monitor object of the kernel module collector is configurable.
7. The kernel-level security terminal of claim 4: wherein the information correlator is configured to treat as the frequency anomaly event a first set type of event having a frequency of occurrence greater than a set frequency threshold.
8. The kernel-level security terminal of claim 7, wherein the information correlator provides the frequency exception event to the event information base, the event processor, or manager.
9. The kernel-level security terminal of claim 4, wherein the processing means comprises: stop the relevant process, clear malicious code, or act fraudulently to guard against the attack.
10. The kernel-level security terminal of claim 4, wherein the kernel-level security terminal further comprises:
A manager configured to manage various configuration files and log files, wherein the log files are used at least to record operations to synchronize the configuration of the filter and dispatcher to the user module collector.
11. A method for a kernel-level secure terminal, the method comprising:
collecting user state information through a user module collector to obtain a target event;
filtering the target event, and transmitting the filtered information to a filtering dispatcher included in the kernel module by an I/O mechanism between the user module and the kernel module;
collecting event information of a kernel mode through a kernel module collector to obtain a kernel event;
Passing the kernel event to the filter and dispatcher;
Transmitting a set type event which needs to be processed by the information correlator in the received information to the information correlator through a filter and dispatcher;
Generating associated information of the event by inquiring an event information base through an information correlator to obtain a frequency abnormal event, and transmitting the frequency abnormal event back to the filtering and dispatcher;
synchronizing, by the filter and dispatcher, the received information into an event information base;
querying data in an event information base through the filter and dispatcher;
the treatment method obtained after the behavior analysis is sent to an event processor through a filtering and dispatcher;
Returning, by the event handler, the processing result to the filter and dispatcher;
The information correlator reads the data in the event information base;
the event processor reads data in an event information base and sends the information of a process corresponding to the malicious attack to the manager after identifying the malicious attack according to the frequency abnormal event;
The manager is used for issuing configuration files to the filtering and dispatcher and the user module collector to update the configuration files.
12. A method of installing a kernel-level security terminal on an electronic device, the method comprising: the kernel-level security terminal of any one of claims 1-10 being run on an electronic device at a target time, wherein the target time is used to avoid a risk event, the risk event being that malware has been started when antivirus software is not installed after an operating system is booted.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311734438.8A CN117972683A (en) | 2023-12-15 | 2023-12-15 | Kernel-level security terminal and installation method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311734438.8A CN117972683A (en) | 2023-12-15 | 2023-12-15 | Kernel-level security terminal and installation method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117972683A true CN117972683A (en) | 2024-05-03 |
Family
ID=90857005
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311734438.8A Pending CN117972683A (en) | 2023-12-15 | 2023-12-15 | Kernel-level security terminal and installation method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117972683A (en) |
-
2023
- 2023-12-15 CN CN202311734438.8A patent/CN117972683A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102307534B1 (en) | Systems and methods for tracking malicious behavior across multiple software entities | |
| US10893068B1 (en) | Ransomware file modification prevention technique | |
| US8468604B2 (en) | Method and system for detecting malware | |
| US9754102B2 (en) | Malware management through kernel detection during a boot sequence | |
| KR101948711B1 (en) | Complex Scoring for Malware Detection | |
| US8255998B2 (en) | Information protection method and system | |
| EP3654218B1 (en) | Method for detecting malicious code and deferring countermeasures | |
| US7624443B2 (en) | Method and system for a self-heating device | |
| US8621624B2 (en) | Apparatus and method for preventing anomaly of application program | |
| KR101086203B1 (en) | A proactive system against malicious processes by investigating the process behaviors and the method thereof | |
| US20140053267A1 (en) | Method for identifying malicious executables | |
| EP1915719B1 (en) | Information protection method and system | |
| JP2017527931A (en) | Malware detection method and system | |
| KR20120031745A (en) | Malware auto-analysis system and method using kernel call-back mechanism | |
| Joy et al. | Rootkit detection mechanism: A survey | |
| JP5326063B1 (en) | Malicious shellcode detection apparatus and method using debug events | |
| Ahmed et al. | Medusa: Malware detection using statistical analysis of system's behavior | |
| KR100745640B1 (en) | Method for protecting kernel memory and apparatus thereof | |
| KR100745639B1 (en) | Method for protecting file system and registry and apparatus thereof | |
| KR101580624B1 (en) | Method of Penalty-based Unknown Malware Detection and Response | |
| CN117972683A (en) | Kernel-level security terminal and installation method | |
| KR20190072784A (en) | Method of profiling runtime feature | |
| Anand et al. | and Sandeep K Shukla Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, Kanpur, India {pmohan, pvcharan, hrushicnv, sandeeps}@ cse. iitk. ac. in | |
| KR20130078960A (en) | Malicious code which exploit office software vulnerability activity-based diagnosis and blocking methods |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |