CN118114248A - Command injection bypass detection system and method - Google Patents


Info

Publication number: CN118114248A
Application number: CN202311807844.2A
Authority: CN (China)
Language: Chinese (zh)
Inventor: 刘晓晨
Original and current assignee: Beijing Anheng Xin'an Technology Co ltd
Legal status: Pending
Prior art keywords: command, module, execution, detection system, abnormal


Abstract

The command injection bypass detection system and method provided by this application comprise a capturing module, a scheduler and a traffic analysis module connected in sequence. The capturing module attaches eBPF programs to each execution path of the kernel, captures a first command, and feeds it back to the scheduler. The scheduler sends the first command to a virtual environment for execution, receives the returned execution result, and forwards both the first command and the execution result to the traffic analysis module. The traffic analysis module compares the first command and its execution result with abnormal data extracted from previously acquired traffic mirror information and, from the comparison result, decides whether a command injection bypass was executed successfully. Because eBPF captures every command at the kernel and the virtual environment reproduces its execution, the decision rests on the command's actual execution result screened against the abnormal data rather than on pattern-matching the command text alone; this yields accurate alerts, detects command injection bypasses effectively, and lowers the false-positive rate.

Description

Command injection bypass detection system and method
Technical Field
The present invention relates to the field of command injection bypass detection, and in particular, to a command injection bypass detection system and method.
Background
Command injection detection is a long-standing topic in security detection. Existing detection typically combines context analysis with machine learning, or applies rules for specific vulnerabilities. Linux offers many ways to bypass such detection, such as encoding, obfuscation and mutation of the command, so conventional detection finds only a subset of the simpler bypass attacks and cannot reliably detect complex or novel command injection bypasses. Some bypass patterns also occur in normal business traffic, which makes false positives likely, so the false-positive rate is high.
Disclosure of Invention
Therefore, an object of the present invention is to provide a system and a method for detecting command injection bypass, so as to effectively detect the command injection bypass and reduce the false alarm rate of the alarm.
In a first aspect, an embodiment of the present invention provides a command injection bypass detection system comprising a capturing module, a scheduler and a traffic analysis module connected in sequence; the capturing module is connected to the kernel, and the scheduler is connected to a virtual environment; the capturing module stores a pre-built eBPF program;
the capturing module attaches eBPF programs to each execution path of the kernel so as to capture the first command corresponding to each execution path, and feeds the first commands back to the scheduler;
the scheduler sends the first command to the virtual environment for execution, receives the execution result returned by the virtual environment, and sends the first command and the execution result to the traffic analysis module;
the traffic analysis module compares the first command and the execution result with the abnormal data in previously acquired traffic mirror information to obtain a comparison result, and detects from the comparison result whether the command injection bypass was executed successfully.
Further, the scheduler includes a time setting module;
the time setting module sends a first execution instruction to the capturing module at a preset time frequency, so that the capturing module feeds the first commands captured in that interval back to the scheduler in response to the first execution instruction.
Further, the virtual environment is Docker;
the time setting module sends a second execution instruction to Docker at the preset time frequency, so that Docker pulls the image and starts a container, loads the first command into the container for execution, and returns the execution result from the container.
Further, if the number of first commands is not greater than a first preset threshold, Docker starts a plurality of containers, the number of started containers being equal to the first preset threshold, with each first command assigned to one container;
the time setting module loads each first command into its corresponding container;
each container executes its first command in isolation and returns the execution result of that command to the time setting module.
Further, Docker further comprises a purge module;
the purge module purges redundant containers when it observes that the number of first commands is greater than the first preset threshold, where a redundant container is one that has already returned its execution result to the time setting module.
Further, the detection system also comprises a monitor;
the monitor is used for monitoring the memory and the disk of the capturing module to obtain a monitoring log, and storing the monitoring log into a log file.
Further, the detection system also comprises an alarm module connected to the traffic analysis module;
the alarm module outputs alarm information when a first command is judged to be a successfully executed command injection bypass.
Further, the traffic analysis module is also connected to a switch;
the switch acquires traffic mirror information between the client and the server and sends it to the traffic analysis module, where the traffic mirror information includes the second command corresponding to a request sent by the client to the server, and the response information the server returns to the client after receiving that request.
Further, the traffic analysis module further comprises a screening module and a comparison module;
the screening module deletes invalid response information from the traffic mirror information to obtain screening data, the screening data comprising second commands and valid response information;
the screening module further extracts abnormal data from the screening data through a pre-obtained screening model, the abnormal data comprising abnormal second commands and the abnormal response information corresponding to each abnormal second command;
the comparison module compares the first command with the abnormal second commands and the execution result with the abnormal response information to obtain a comparison result; if the comparison result indicates that the abnormal second commands contain a target abnormal second command identical to the first command, or that the abnormal response information contains target abnormal response information whose similarity to the execution result is not smaller than a second preset threshold, the first command is judged to be a successfully executed command injection bypass.
In a second aspect, an embodiment of the present invention provides a command injection bypass detection method, the method comprising:
the capturing module attaches eBPF programs to each execution path of the kernel to capture the first command corresponding to each execution path and feeds the first commands back to the scheduler;
the scheduler sends the first command to the virtual environment for execution, receives the execution result returned by the virtual environment, and sends the first command and the execution result to the traffic analysis module;
the traffic analysis module compares the first command and the execution result with the abnormal data in previously acquired traffic mirror information to obtain a comparison result, and detects from the comparison result whether the command injection bypass was executed successfully.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a command injection bypass detection system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of another command injection bypass detection system according to an embodiment of the present invention;
FIG. 9 is a flowchart of a command injection bypass detection method according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Command injection detection is a long-standing topic in security detection. Existing approaches generally combine context analysis with machine learning, or use rule-based detection of specific vulnerabilities. Rule-based detection is the most common: command injection is recognised by matching predefined rules. Because Linux offers many ways to bypass such rules, rule-based detection only finds what is already in its rule base; it uncovers only a part of the command injections, struggles with complex ones, and cannot detect novel ones at all. For example, a regular-expression rule does not capture what a command actually does once it has been wrapped in nested base64 encoding and launched from PHP. Machine-learning-based detection is a newer approach that trains a model to detect command injection automatically, but it can classify some legitimate input as malicious, so its false-positive rate is higher.
Conventional security traffic-detection products do detect and intercept command injection, but they have no good defence against command injection bypasses and cannot give a precise alert that answers the questions an operator actually has: did the attack succeed, did the response carry obviously sensitive data, was system stability damaged, is the victim's machine now under remote control. A method is therefore needed that monitors these conditions and gives a precise answer.
Based on the above, the embodiment of the invention provides a command injection bypass detection system and a command injection bypass detection method, and the technology can be applied to applications requiring detection of command injection, and particularly can be applied to applications for detecting command injection bypass.
For ease of understanding the present embodiment, a detailed description of a command injection bypass detection system is first disclosed.
The invention provides a command injection bypass detection system which, as shown in fig. 1, comprises a capturing module 11, a scheduler 12 and a traffic analysis module 13 connected in sequence; the capturing module 11 is connected to the kernel 14, and the scheduler 12 is connected to the virtual environment 15; the capturing module 11 stores a pre-built eBPF program.
The capturing module 11 is configured to attach eBPF programs to each execution path of the kernel 14 so as to capture the first command corresponding to each execution path, and to feed the first command back to the scheduler 12;
the scheduler 12 is configured to send the first command to the virtual environment 15 for execution, receive the execution result returned by the virtual environment 15, and send the first command and the execution result to the traffic analysis module 13;
the traffic analysis module 13 is configured to compare the first command and the execution result with the abnormal data in previously acquired traffic mirror information, obtain a comparison result, and detect from the comparison result whether the first command injection bypass was executed successfully.
Command injection (a command injection attack) arises when an embedded or web application does not strictly filter data submitted by the user: an attacker submits a specially constructed command string, the application passes it to an external program or system command, and the attacker thereby gains illegitimate access to data or network resources. The most common case is command injection in PHP. It exists mainly because a web developer passes user-submitted content into PHP functions that execute commands without strict filtering. For example, if the attacker's submitted content writes a PHP file into the website directory, the injected command can drop a PHP backdoor file, from which the attacker can go on to a deeper penetration.
Common security traffic-detection products already detect and intercept command injection, for example by combining context analysis with machine learning or by rule-based detection of specific vulnerabilities. But Linux command bypasses come in many forms, such as encoding, obfuscation and mutation, and a bypass usually imitates normal business traffic. Some command injection bypasses (that is, an injection attack launched after the command has been disguised), such as echoing a nested base64-encoded payload from PHP, are hard for conventional command injection detection to find.
The capturing module 11 may be understood as the open-source eCapture component. eCapture is an open-source eBPF-based kernel tracing and data-capture tool written in Go, which gives it good system compatibility. eBPF (extended Berkeley Packet Filter) is a mechanism for running user-supplied, statically verified programs in a sandbox inside the Linux kernel, attached to tracepoints, kprobes or uprobes; it is not a way of running arbitrary user commands in the kernel. A practical caveat: eCapture's bash module captures commands by attaching a uprobe to bash's readline() function, so it sees what is typed into an interactive shell; a command that a web application spawns through sh -c or execve is better captured at the execve tracepoint or with a kprobe, otherwise the very commands a command injection produces are the ones the capture misses.
The virtual environment 15 (a virtualised operating system) may be a traditional virtual machine such as VMware or VirtualBox, or it may be Docker (a Linux container packaging that offers a simple container interface).
The kernel is the Linux kernel, which exposes hook points; a command executed by an ordinary client (for example bash) passes through several execution paths in the kernel.
The scheduler and the traffic analysis module can be written to suit the deployment. The scheduler generally connects to the eCapture interface, the traffic analysis module connects to the scheduler through an interface, and both may persist their state in Redis (used as a storage database).
In a specific implementation, an eBPF program meeting the user's requirement is written in C. It is compiled to eBPF bytecode, the bytecode is loaded into the kernel where the verifier checks it and the JIT compiles it to native machine code, and the resulting program is attached to the different execution paths of the kernel to capture all commands (the first commands) executed by the client. One or several client commands may be captured; as long as the command is executed by the client it can be captured, so it is captured even when it has been disguised (for example, mutated). eCapture then feeds all commands captured by the eBPF program back to the scheduler 12. The scheduler 12 submits all commands to the virtual environment 15, which reproduces the execution of each command to obtain the corresponding execution result (the echoed output) and returns it to the scheduler; the scheduler sends all execution results returned by the virtual environment and all commands returned by eCapture to the traffic analysis module 13. The traffic analysis module screens and judges the pre-acquired data that has already been alerted on (the abnormal data) against all commands and all execution results received from the scheduler, so as to decide whether a command injection bypass was executed successfully (that is, to detect the bypass) and to raise an accurate alert.
On the basis of the above command injection bypass detection system, another command injection bypass detection system is provided in an embodiment of the present invention; as shown in fig. 2, the scheduler 12 includes a time setting module 121.
The time setting module 121 sends a first execution instruction to the capturing module 11 at a preset time frequency, so that the capturing module 11 feeds the first commands back to the scheduler 12 in response to the first execution instruction.
In practice, the scheduler issues an execution command (the first execution instruction) to eCapture, suspends, watches for returned data, records any commands received, and then issues the next instruction to the virtual environment. The time frequency (interval) at which the scheduler collects captured commands from the capturing module is set to suit the deployment and effectively sets the detection cadence. With an interval of 5 minutes, for example, the time setting module 121 sends the first execution instruction to the capturing module every 5 minutes; the capturing module returns all commands captured in those 5 minutes, the time setting module saves them in Redis, issues the execution instruction, and feeds the saved commands to the virtual environment for execution.
On the basis of the above command injection bypass detection system, another embodiment is shown in fig. 3, where the virtual environment 15 is Docker; the time setting module 121 sends a second execution instruction to Docker at the preset time frequency so that Docker pulls the image 151 and starts the container 152, loads the first command into the container 152 for execution, and receives the execution result returned by the container 152.
Docker is an open-source application container engine, a software container platform: developers package an application and its dependencies into a portable image and run it on any popular Linux or Windows host. It provides virtualisation, and containers are sandboxed from one another. Docker has three basic concepts: image, container and repository. An image is the prerequisite for a container; a repository stores images. A Docker image can be viewed as a special file system that holds the programs, libraries, resources and configuration the container needs to run, plus runtime configuration such as anonymous volumes, environment variables and the user. An image holds no dynamic data and does not change after it is built.
In practice the virtual environment uses Docker to schedule an execution container (typically busybox, a minimal open-source Linux userland). The Docker environment is installed in advance; after the scheduler has recorded the captured commands it sends a second execution instruction to Docker to pull the image and start a busybox container, loads the command into the busybox container for execution, and collects what the container returns (the execution result for that command).
If the scheduler obtains several first commands from the capturing module and their number does not exceed a first preset threshold, Docker starts several busybox containers, as many as the first preset threshold allows, with each first command assigned to its own busybox container.
The first preset threshold is the maximum number of busybox containers that may run at once. If, for example, Docker may run five containers simultaneously, the first preset threshold is 5; when Docker has pulled the image in response to the second execution instruction and there are no more commands than that (say three), it starts one busybox container per command, and the time setting module loads each first command into its own container. One command corresponds to one container, so the commands do not interfere with each other (each first command is executed in isolation in the virtual environment, with one thread per container to isolate and monitor it), and the time setting module receives the execution result returned by each container for its command.
On the basis of the above command injection bypass detection system, another embodiment is shown in fig. 4, where Docker further comprises a purge module 153.
The purge module 153 purges redundant containers when it observes that the number of first commands exceeds the first preset threshold; a redundant container is a container 152 that has already returned its execution result to the time setting module.
In practice, if the number of commands carried by the second execution instruction exceeds the first preset threshold (too many commands to run, or too many containers would be needed), a number of busybox containers equal to the first preset threshold is started first. Once those containers have returned their execution results to the time setting module, the purge module 153 automatically removes these now-redundant containers and new containers are started for the remaining commands. The number to start depends on the number of purged containers and the number of remaining commands: if the remaining commands are no more than the purged containers, exactly as many busybox containers as were purged are restarted; if there are more remaining commands than purged containers, the purge-and-restart cycle repeats until every command has been loaded into a container.
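A concrete way to drive the batch-and-purge scheduling just described, as an added example that is not the patent's own code: Python that splits captured commands into batches no larger than the container limit (the first preset threshold), runs each batch with one throwaway busybox container per command through `docker run --rm`, and only starts the next batch once every container of the current one has returned and been removed. The names `ExecResult`, `docker_argv`, `schedule_batches` and `run_isolated` are hypothetical, the `docker run` hardening flags (no network, read-only root, capability drop, memory and pid caps, in-container `timeout`) are assumptions added here rather than anything the patent specifies, and the executor is injectable so the batching logic can be exercised without Docker present.

```python
"""Batch scheduler for replaying captured commands in isolated containers.

Added example, not the patent's code. Each command runs in its own throwaway
busybox container; at most `max_containers` run at once, and a batch's
containers are purged (docker --rm) before the next batch starts.
"""
import subprocess
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, List, Sequence


@dataclass
class ExecResult:
    command: str      # the captured "first command", exactly as captured
    exit_code: int
    output: str       # combined stdout/stderr: the echoed "execution result"


def docker_argv(command: str, image: str = "busybox", timeout_s: int = 10) -> List[str]:
    """Build the argv for one isolated, self-removing container.

    The hardening flags are assumptions for a replay sandbox (not from the
    patent): no network, read-only rootfs, all capabilities dropped, memory
    and pid caps, and busybox's own `timeout` so a stuck payload is killed
    inside the container instead of outliving the scheduler's patience.
    """
    return [
        "docker", "run", "--rm", "--network", "none", "--read-only",
        "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
        "--memory", "64m", "--pids-limit", "64",
        image, "timeout", str(timeout_s), "sh", "-c", command,
    ]


def run_in_docker(command: str, timeout_s: int = 10) -> ExecResult:
    """Default executor: run one command in a fresh busybox container."""
    try:
        proc = subprocess.run(
            docker_argv(command, timeout_s=timeout_s),
            capture_output=True, text=True, timeout=timeout_s + 5,
        )
        return ExecResult(command, proc.returncode, proc.stdout + proc.stderr)
    except subprocess.TimeoutExpired:
        # the docker client itself hung: report a failed replay, do not crash
        return ExecResult(command, -1, "")


def schedule_batches(commands: Sequence[str], max_containers: int) -> List[List[str]]:
    """Split commands into batches of at most `max_containers`.

    Batch k+1 starts only after every container of batch k has returned its
    result and been purged, which is the purge-and-restart loop above.
    """
    if max_containers < 1:
        raise ValueError("max_containers must be >= 1")
    cmds = list(commands)
    return [cmds[i:i + max_containers] for i in range(0, len(cmds), max_containers)]


def batch_trace(commands: Sequence[str], max_containers: int) -> List[int]:
    """Number of containers started in each round, for inspection."""
    return [len(b) for b in schedule_batches(commands, max_containers)]


def run_isolated(
    commands: Sequence[str],
    max_containers: int,
    executor: Callable[[str], ExecResult] = run_in_docker,
) -> List[ExecResult]:
    """Replay every command, one container each, never more than
    `max_containers` alive at once. Results come back in input order."""
    results: List[ExecResult] = []
    for batch in schedule_batches(commands, max_containers):
        # one thread per container so the batch runs in parallel and each
        # container is monitored independently
        with ThreadPoolExecutor(max_workers=len(batch)) as pool:
            results.extend(pool.map(executor, batch))
        # leaving the `with` block means every container of this batch has
        # returned; --rm has removed them, so all slots are free again
    return results


if __name__ == "__main__":
    # constructed sample of captured commands (not real capture data)
    sample = ["id", "uname -a", "cat /etc/passwd", "ls /tmp",
              "echo hi", "env", "hostname"]
    print(batch_trace(sample, 5))  # two rounds: 5 containers, then 2
    for r in run_isolated(sample, 5):
        print(r.exit_code, r.command, "->", r.output.strip()[:60])
```

Running the script needs a Docker daemon and the busybox image; the batching and ordering logic can be checked without one by passing a fake executor to `run_isolated`.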
On the basis of the above command injection bypass detection system, another embodiment is shown in fig. 5, where the detection system further comprises a monitor 16.
The monitor 16 monitors the memory and disk of the capturing module 11, obtains a monitoring log, and stores it in a log file.
In practice the monitor 16 can be written in Go to suit actual requirements. It is responsible for asynchronous monitoring: it automatically tracks eCapture's memory and disk usage, records it, and stores the record in a log file. Memory, disk, network interface or other abnormal conditions can be handled in real time, and in severe cases the detection system can be restarted.
On the basis of the above command injection bypass detection system, another embodiment is shown in fig. 6, where the traffic analysis module 13 is also connected to a switch 17.
The switch 17 obtains traffic mirror information between the client and the server and sends it to the traffic analysis module 13. The traffic mirror information includes the second command corresponding to a request sent by the client to the server, and the response information the server returns to the client after receiving that request.
In practice the switch 17 sits between the client and the server and mirrors the traffic; the mirror information includes request data (requests sent from the client to the server), response data (the response returned to the client after the server receives the request) and the second command corresponding to each request (in fact the command the client executed, for which the client sent the corresponding request to the server).
On the basis of the command injection bypass detection system, the embodiment of the invention also provides another command injection bypass detection system; as shown in fig. 7, the flow analysis module 13 further comprises a screening module 131 and a comparison module 132.
The screening module 131 is configured to delete invalid response information from the traffic mirror information to obtain screening data; the screening data comprises the second commands and the valid response information.
The screening module 131 is further configured to extract abnormal data from the screening data through a pre-obtained screening model; the abnormal data comprises abnormal second commands and the abnormal response information corresponding to each abnormal second command.
The comparison module 132 is configured to compare the first command with the abnormal second commands and the execution result with the abnormal response information to obtain a comparison result, and to determine that the first command is a command injection bypass that was executed if the comparison result indicates either that the abnormal second commands contain a target abnormal second command identical to the first command, or that the abnormal response information contains target abnormal response information whose similarity to the execution result is not smaller than a second preset threshold.
In actual implementation, the flow analysis module may be connected to the switch through a traffic access interface to receive the traffic mirror information obtained by the switch, and then store it in a message queue (using redis or rabbitMQ) to await processing.
The screening module 131 may process the traffic mirror information in the message queue. Specifically, it may filter out invalid response information in the traffic mirror information (for example, invalid feedback such as "not found"), and the second commands whose responses were valid are placed back into the message queue, which then holds the screening data: the second commands and the valid response information. The screening module 131 may further process the screening data in the message queue: it extracts from the screening data the second commands that involve sensitive information or malicious behavior (that is, the abnormal second commands; only second commands involving sensitive data and malicious behavior are extracted, and second commands corresponding to the deleted invalid response information are not extracted), then separately extracts the echoed output corresponding to each abnormal second command (that is, the abnormal response information) and updates the queue again. This prevents the client's normal command behavior from being judged as malicious: where sensitive data or a malicious attack is actually present, the relevant commands and echoed output are extracted and treated as suspicious; the extracted message queue is refreshed and re-ordered, and detection of sensitive data and malicious attacks continues.
After the flow analysis module receives the first command and the execution result sent by the scheduler, the screening module can also filter out invalid execution results to obtain the first command and the valid execution result. Data filtered out by the flow analysis module is deleted without being analyzed; this is the data cleaning process of the flow analysis module and ensures the quality of the analyzed data.
The comparison module 132 may compare the first command with the second commands and the valid execution result with the abnormal response information to obtain a comparison result. Command injection bypass execution may be determined if either (a) the second commands include a target abnormal second command identical to the first command that has corresponding abnormal response information, i.e. the target abnormal second command is not one of the second commands whose invalid response information was deleted earlier (this corresponds to a second command that contains the first command and received a normal response), or (b) the abnormal response information contains target abnormal response information whose similarity to the execution result is not less than the second preset threshold (which may generally be set to 80%), i.e. its similarity to the valid execution result returned by the virtual environment reaches 80%. This method overcomes the shortcomings of existing rule-based methods, which can detect some bypasses but are neither exhaustive nor timely, and of machine-learning methods, which produce many false alarms with low accuracy; it improves the accuracy of command bypass detection to 100%.
On the basis of the command injection bypass detection system, the embodiment of the invention also provides another command injection bypass detection system; as shown in fig. 8, the detection system further comprises an alarm module 18 connected to the flow analysis module 13. The alarm module 18 is configured to output alarm information when the command injection bypass has been executed successfully.
Specifically, the flow analysis module obtains from the alarm output module (i.e. the alarm module 18) information such as the alarm authority for command injection, the serial number of the linked alarm, the payload (i.e. the abnormal data) and the tuple (i.e. the alarm time). These data are grouped by alarm time. The alarms within a suitable time period are screened according to the time group, the payload is checked for the captured first command, and command injection is judged successful if the first command is contained and responded normally, or if the similarity to the information returned for the first command in the virtual environment reaches 80%. The success information is then returned to the alarm module 18 for processing.
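As an added example (not the patent's own code) of the screening, comparison and time-window matching described for the screening module 131, the comparison module 132 and the alarm module 18, the following Python sketch runs the flow-analysis step over constructed sample data. The dataclass names, the keyword lists standing in for the screening model, and the 5-minute time window are assumptions; the 80% similarity threshold is the patent's.

```python
# Added example, not the patent's code: the flow-analysis step run over constructed data.
# Names, the keyword stand-in for the screening model and the 5-minute window are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

SIMILARITY_THRESHOLD = 0.8                   # the patent's "second preset threshold" (80%)
INVALID_MARKERS = ("not found",)             # invalid feedback dropped by the screening module
SENSITIVE_MARKERS = ("/etc/passwd", "/etc/shadow", ".ssh/")  # stand-in for the screening model

@dataclass
class Captured:        # "first command": eBPF capture replayed in the sandbox
    time: datetime
    command: str
    result: str        # execution result returned by the virtual environment

@dataclass
class Mirrored:        # "second command" and response from the switch's traffic mirror
    time: datetime
    command: str
    response: str

def is_invalid(text: str) -> bool:
    t = text.strip().lower()
    return t == "" or any(m in t for m in INVALID_MARKERS)

def screen(mirror):
    """Screening module: drop pairs whose response is invalid feedback, then keep
    only the commands the screening model flags (the abnormal second commands)."""
    valid = [m for m in mirror if not is_invalid(m.response)]
    return [m for m in valid if any(s in m.command for s in SENSITIVE_MARKERS)]

def compare(first, abnormal, window=timedelta(minutes=5)):
    """Comparison module: bypass confirmed if an abnormal mirrored command contains the
    captured command, or the sandbox result matches the mirrored response at >= 80%."""
    if is_invalid(first.result):             # invalid execution results are filtered too
        return None
    for m in abnormal:
        if abs(m.time - first.time) > window:   # alarm grouping by time period
            continue
        if first.command.strip() in m.command:
            return ("command", m)
        if SequenceMatcher(None, first.result, m.response).ratio() >= SIMILARITY_THRESHOLD:
            return ("response", m)
    return None

def detect(captured, mirror):
    """Return [(first command, match reason)] for confirmed bypasses only."""
    abnormal = screen(mirror)
    matches = [(c.command, compare(c, abnormal)) for c in captured]
    return [(cmd, r[0]) for cmd, r in matches if r]

# Constructed sample data (not real captures).
T0 = datetime(2024, 1, 1, 12, 0, 0)
PASSWD = "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n"
SAMPLE_CAPTURED = [
    Captured(T0, "cat /etc/passwd", PASSWD),                             # leaked via injection
    Captured(T0 + timedelta(minutes=1), "ls /tmp", "a.txt\n"),           # ordinary activity
    Captured(T0 + timedelta(minutes=2), "cat /etc/shadow", "cat: Permission denied\n"),
]
SAMPLE_MIRROR = [
    # the request is URL-encoded on the wire, so the command text differs but the response matches
    Mirrored(T0 + timedelta(seconds=20), "cat%20/etc/passwd", PASSWD),
    Mirrored(T0 + timedelta(minutes=1), "ls /tmp", "a.txt\n"),          # benign, not abnormal
    Mirrored(T0 + timedelta(minutes=2), "cat /etc/shadow", "sh: cat: not found\n"),  # invalid
]

if __name__ == "__main__":
    print(detect(SAMPLE_CAPTURED, SAMPLE_MIRROR))   # [('cat /etc/passwd', 'response')]
```

Only the first capture is reported: the benign command never enters the abnormal set, and the mirrored "/etc/shadow" pair is dropped as invalid feedback before comparison.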
The command injection bypass detection system acquires all commands executed in the client shell through ecapture, based on the hook capture capability of eBPF programs in the kernel, submits the returned command information (including execution time and the specific command) to the busybox virtual environment for execution, returns the busybox execution status to the flow analysis module, and performs batch screening and judgment on the data that has already raised alarms against the acquired executed commands and results, thereby judging whether the command injection was executed successfully and generating an accurate alarm.
Traditional command injection detection needs large command sets and echo sets for modular screening and evaluation. Here, the real-time echo of the command captured in the kernel is obtained to reconstruct the command execution process; there is no need to determine whether the command captured in the kernel has been obfuscated or transformed, only whether the shell execution succeeded, which reduces the detection difficulty and improves detection accuracy.
Furthermore, the application starts from the execution of the command itself, discovers the specific injected command from the kernel, and at the same time reproduces the execution status in combination with the virtual environment, thereby judging whether the command injection was executed successfully and feeding back to the detection tool to generate an accurate alarm, which solves the technical problems of command injection bypass and the high false alarm rate of alarms.
The embodiment of the invention also provides a command injection bypass detection method, as shown in fig. 9, which comprises the following steps:
Step S102, the capturing module mounts eBPF programs on each running path of the kernel so as to capture a first command corresponding to each running path, and feeds the first command back to the scheduler.
Step S104, the scheduler sends the first command to the virtual environment for execution, receives the execution result returned by the virtual environment, and sends the first command and the execution result to the flow analysis module.
Step S106, the flow analysis module compares the first command and the execution result with the abnormal data in the traffic mirror information acquired in advance to obtain a comparison result, and detects whether the command injection bypass was executed successfully according to the comparison result.
In the command injection bypass detection method, the capturing module captures a first command by mounting eBPF programs on each running path of the kernel and feeds the first command back to the scheduler; the scheduler sends the first command to the virtual environment for execution, receives the returned execution result, and sends the first command and the execution result to the flow analysis module; the flow analysis module compares the first command and the execution result with the abnormal data in the traffic mirror information acquired in advance, and detects whether the command injection bypass was executed successfully according to the comparison result. Based on eBPF technology, all commands can be captured from the kernel and their execution reproduced in the virtual environment, and whether the command injection was executed successfully can be judged by screening and comparing the execution result of each command against the abnormal data, so that accurate alarms are produced, the command injection bypass is effectively detected, and the false alarm rate is reduced.
The implementation principle and technical effects of the command injection bypass detection method provided by the embodiment of the invention are the same as those of the command injection bypass detection system embodiment; for the parts of the method embodiment not described here, reference may be made to the corresponding content of the system embodiment.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention for illustrating the technical solution of the present invention, but not for limiting the scope of the present invention, and although the present invention has been described in detail with reference to the foregoing examples, it will be understood by those skilled in the art that the present invention is not limited thereto: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A command injection bypass detection system, the detection system comprising: a capturing module, a scheduler and a flow analysis module which are connected in sequence; the capturing module is connected with the kernel, and the scheduler is connected with the virtual environment; the capturing module stores an eBPF program acquired in advance;
The capturing module is used for mounting the eBPF programs on each running path of the kernel so as to capture a first command corresponding to each running path and feed the first command back to the scheduler;
The scheduler is used for sending the first command to the virtual environment for execution and receiving an execution result returned by the virtual environment, and for sending the first command and the execution result to the flow analysis module;
The flow analysis module is used for comparing the first command and the execution result with the abnormal data in the flow mirror image information acquired in advance to obtain a comparison result, and detecting whether the command injection bypass is successfully executed or not according to the comparison result.
2. The detection system of claim 1, wherein the scheduler comprises a time setting module;
the time setting module is used for sending a first execution instruction to the capturing module according to a preset time frequency, so that the capturing module feeds back the first command to the scheduler according to the first execution instruction.
3. The detection system of claim 2, wherein the virtual environment is a docker image;
the time setting module is used for sending a second execution instruction to docker according to the preset time frequency so that docker calls the image and starts a container, loads the first command into the container for execution, and receives the execution result returned by the container.
4. The detection system of claim 3, wherein, if there are a plurality of first commands and the number of first commands is not greater than a first preset threshold, docker starts a plurality of the containers; wherein the number of containers started is the same as the first preset threshold, and each first command corresponds to one container;
the time setting module is used for loading each first command into the corresponding container;
each container is used for executing the first command in isolation and returning the execution result corresponding to the first command to the time setting module.
5. The detection system of claim 4, wherein docker further comprises a clearing module;
the clearing module is used for clearing redundant containers when it is monitored that the number of first commands is greater than the first preset threshold; wherein a redundant container is a container that has already returned its execution result to the time setting module.
6. The detection system of claim 1, wherein the detection system further comprises a monitor;
The monitor is used for monitoring the memory and the disk of the capture module to obtain a monitoring log, and storing the monitoring log into a log file.
7. The detection system of claim 1, further comprising an alarm module coupled to the flow analysis module;
And the alarm module is used for outputting alarm information when the first command injection bypassing execution is successful.
8. The detection system of claim 1, wherein the traffic analysis module is further coupled to a switch;
The switch is used for acquiring traffic mirror information between the client and the server and sending the traffic mirror information to the flow analysis module; wherein the traffic mirror information includes: a second command corresponding to a request sent by the client to the server, and the response information returned by the server to the client after receiving the request.
9. The detection system of claim 8, wherein the flow analysis module further comprises a screening module, a comparison module;
The screening module is used for deleting invalid response information in the flow mirror information to obtain screening data; wherein the screening data comprises: the second command and valid response information;
The screening module is also used for extracting abnormal data from the screening data through a pre-obtained screening model; wherein the anomaly data comprises: an abnormal second command and abnormal response information corresponding to the abnormal second command;
The comparison module is used for comparing the first command with the abnormal second command, the execution result and the abnormal response information to obtain a comparison result, and if the comparison result indicates that the abnormal second command contains the same target abnormal second command as the first command, or the abnormal response information contains target abnormal response information with the similarity with the execution result not smaller than a second preset threshold value, the first command injection bypassing execution is judged to be successful.
10. A command injection bypass detection method, the detection method comprising:
The capturing module is used for mounting eBPF programs on each running path of the kernel so as to capture a first command corresponding to each running path and feeding the first command back to the scheduler;
The scheduler sends the first command to the virtual environment for execution and receives an execution result returned by the virtual environment, and sends the first command and the execution result to the flow analysis module;
and the flow analysis module compares the first command and the execution result with the abnormal data in the flow mirror image information acquired in advance to obtain a comparison result, and detects whether the command injection bypass is successfully executed according to the comparison result.
CN202311807844.2A 2023-12-26 2023-12-26 Command injection bypass detection system and method Pending CN118114248A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311807844.2A CN118114248A (en) 2023-12-26 2023-12-26 Command injection bypass detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311807844.2A CN118114248A (en) 2023-12-26 2023-12-26 Command injection bypass detection system and method

Publications (1)

Publication Number Publication Date
CN118114248A true CN118114248A (en) 2024-05-31

Family

ID=91209647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311807844.2A Pending CN118114248A (en) 2023-12-26 2023-12-26 Command injection bypass detection system and method

Country Status (1)

Country Link
CN (1) CN118114248A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination