WO2021189257A1 - Procédé et appareil de détection de processus malveillant, dispositif électronique, et support de stockage - Google Patents


Info

Publication number
WO2021189257A1
Authority
WO
WIPO (PCT)
Prior art keywords
candidate
socket
system call
target
processes
Prior art date
Application number
PCT/CN2020/080922
Other languages
English (en)
Chinese (zh)
Inventor
郭子亮
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Application filed by 深圳市欢太科技有限公司 and Oppo广东移动通信有限公司
Priority to CN202080094694.3A (CN115023699A)
Priority to PCT/CN2020/080922 (WO2021189257A1)
Publication of WO2021189257A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Definitions

  • This application relates to the field of network security technology, and more specifically, to a method, device, electronic device, and storage medium for detecting malicious processes.
  • A firewall usually places strict restrictions on external machines accessing the host, but few restrictions on the host actively connecting to external machines. Therefore, if an attacker uses a bounce (reverse) connection, in which the host actively connects to the external machine, the attacker can evade firewall supervision, attack the host and threaten its security. To improve network security it is therefore necessary to detect malicious processes that use bounce connections on the host, but effective detection of such malicious processes cannot currently be achieved.
  • This application proposes a malicious process detection method, device, electronic equipment, and computer readable storage medium to improve the above-mentioned defects.
  • an embodiment of the present application provides a method for detecting a malicious process.
  • the method includes: obtaining a target process that requests a network connection; obtaining a system call operation of the target process; and, if the system call operation matches the target system call operation, determining that the target process is a malicious process.
  • an embodiment of the present application also provides a device for detecting malicious processes.
  • the device includes: a process acquisition module for acquiring a target process that requests a network connection; an operation acquisition module for acquiring the system call operation of the target process; and an operation matching module for determining that the target process is a malicious process if the system call operation matches the target system call operation.
  • an embodiment of the present application also provides an electronic device, including one or more processors, a memory, and one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs are configured to execute the foregoing method.
  • the embodiments of the present application also provide a computer-readable storage medium that stores program code which a processor can invoke to execute the foregoing method.
  • the malicious process detection method, device, electronic device, and computer-readable storage medium provided by this application obtain the target process that requests a network connection, then obtain the system call operation of the target process, match the system call operation against the target system call operation, and determine that the target process is a malicious process.
  • the embodiment of the present application first selects the target process according to whether the process requests an external network connection, and then determines, according to whether the system call operation of the target process matches the target system call operation, that a matching target process is a malicious process. In this way it can detect not only malicious processes established through the system's own command interpreter but also malicious processes not established according to the system's rules, thereby greatly reducing the false negative rate and raising the detection rate of malicious processes, so that detection is more effective.
  • Figure 1 shows a schematic diagram of a socket-based communication process
  • FIG. 2 shows a schematic diagram of an application scenario of a malicious process detection method provided by an embodiment of the present application
  • FIG. 3 shows a schematic flowchart of a method for detecting a malicious process according to an embodiment of the present application
  • FIG. 4 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application
  • FIG. 5 shows a schematic flowchart of a malicious process detection method provided by another embodiment of the present application.
  • Fig. 6 shows a schematic flowchart of step S320 in Fig. 5 in an exemplary embodiment
  • FIG. 7 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application.
  • FIG. 8 shows a schematic flowchart of step S420 in FIG. 7 in an exemplary embodiment of the present application
  • FIG. 9 shows a schematic flowchart of a method for detecting a malicious process according to another embodiment of the present application.
  • FIG. 10 shows a schematic flowchart of step S530 in FIG. 9 in an exemplary embodiment of the present application
  • FIG. 11 shows a schematic flowchart of a method for detecting a malicious process according to yet another embodiment of the present application.
  • FIG. 12 shows a schematic flowchart of a malicious process detection method provided by an exemplary embodiment of the present application
  • FIG. 13 shows a block diagram of a module for detecting a malicious process according to an embodiment of the present application
  • FIG. 14 shows a structural block diagram of an electronic device provided by an embodiment of the present application.
  • FIG. 15 shows a storage unit, provided by an embodiment of the present application, used to store or carry program code implementing the method for detecting malicious processes according to the embodiments of the present application.
  • TCP/IP (Transmission Control Protocol/Internet Protocol) is an industry-standard protocol suite designed for wide area networks (WANs).
  • UDP (User Datagram Protocol) is the protocol corresponding to TCP and belongs to the TCP/IP protocol family.
  • Socket is a middleware abstraction layer through which the application layer communicates with the TCP/IP protocol suite; it is a set of interfaces. In design-pattern terms, Socket is a facade that hides the complex TCP/IP protocol family behind the Socket interface. For users, this simple set of interfaces is all that is needed; Socket organizes the data so that it conforms to the specified protocol. Applications that use the TCP/IP protocol usually use sockets to implement communication between network processes.
  • Socket-based communication: taking a TCP connection as an example, the socket-based communication process is as follows (refer to Figure 1).
  • the server initializes a Socket, binds it to a port and listens on that port (listen), then calls accept to block and wait for a client to connect.
  • a client initializes a Socket and connects to the server; once the connection succeeds, the connection between the client and the server is established.
  • the client sends a data request.
  • the server receives and processes the request, then sends the response data to the client; the client reads the data and finally closes the connection, and the interaction ends.
  • System call: when Linux starts, it first starts the kernel.
  • the kernel is a computer program that directly manages the hardware, including the CPU, memory space, hard disk interface, network interface, and so on. All computer operations must be passed to the hardware through the kernel.
  • the functions of the kernel are exposed as system calls, and kernel functionality is realized through system call operations.
  • the system call provides a clear interface to upper-layer programs and hides the complex structure of the kernel. A function of the operating system can be seen as the effect of a combination of system calls.
  • Shell is a command-language interpreter with its own built-in set of shell commands; it is an interface program used to interact with the Linux kernel.
  • the shell provides an interface through which the user can access the services of the operating system kernel.
  • upward, the shell communicates with various upper-layer applications; downward, it communicates with the system calls.
  • Shell is both a command language and a programming language.
  • a shell script is a script program written for the shell, a program with command parsing and execution. Shell scripts are interpreted by the shell and passed to the kernel.
  • Shell process: a running process of a shell program written in accordance with the programming syntax specified by the shell.
  • shells in Linux and UNIX systems include the Bourne shell (sh), Bourne Again shell (bash), C shell (csh), and Korn shell (ksh).
  • bash is the default shell of most Linux systems.
  • these shells may also be referred to as the shells that come with the system.
  • the connection between the control end and the controlled end can generally be achieved through two connection modes.
  • the first connection mode can be called a forward connection.
  • the control end actively connects to a port of the controlled end, and the controlled end listens on that port to establish the connection; that is, in a forward connection the controlled end is the server in network terms and the control end is the client.
  • remote desktops, web services, shells, etc. are generally implemented using forward connections.
  • using the first connection mode may lead to problems such as the control end being unable to connect to the controlled end, being unable to control the controlled end continuously, or failing to receive requests from the controlled end. Therefore, some attackers, such as hackers, use the second connection mode to establish a connection with the attacked party's host in order to bypass these restrictions and control, attack or invade the user's host: the attacker creates a socket on the attacked party's host, the attacked party actively connects to the attacker's port, and the attacker listens on that port for the connection. In this case the attacked party acts as the client and the attacker acts as the server; compared with the forward connection described above, the roles of client and server are reversed, and this connection mode can be called a bounce connection.
  • the malicious process corresponds to a program with command parsing and execution.
  • the program can be called a reverse shell.
  • the malicious process can further be referred to as a reverse shell process. Therefore, the method provided by the embodiments of this application can detect reverse shell processes.
  • Reverse shell program: a shell based on a reverse connection. The control end listens on a port, the controlled end initiates a request to that port and transfers the input and output of its command line to the control end. A reverse shell is essentially a reversal of the client and server roles in network terms.
  • hackers can create a bounce shell without using the shell that comes with the system.
  • hackers can build on a self-developed command interpreter and write a program with command parsing and execution, which can then be used as a shell.
  • hackers can also upload a shell program, or copy the system shell to another directory and use it under a changed name, so that the shell program no longer conforms to the designated naming of the system's own shell and is not in the designated directory of the system's own shell. Such shell programs are difficult for current detection methods to detect; that is, current detection methods produce false negatives when applied to this type of malicious process.
  • embodiments of the present application provide a method, device, electronic device, and computer-readable storage medium for detecting malicious processes, so as to reduce the false negative rate of malicious processes.
  • FIG. 2 shows a schematic diagram of an application scenario of a malicious process detection method provided by an embodiment of the present application.
  • the application scenario includes a communication system 10 provided by an embodiment of the present application.
  • the communication system 10 includes: a first host 100 and a second host 200.
  • the first host 100 and the second host 200 may be connected through a network.
  • the first host 100 and the second host 200 may be terminals or servers. If they are terminals, the terminals may be, but are not limited to, mobile phones, tablets, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), personal computers, wearable electronic devices, etc.
  • the embodiment of the present application does not limit the device type of a specific terminal. If it is a server, the server can be a traditional server or a cloud server, it can be a server, or a server cluster composed of several servers, or a cloud computing service center.
  • the first host 100 and the second host 200 may be the same device or different devices, which is not limited here.
  • the first host 100 and the second host 200 may both be terminals or servers, or one may be a terminal and the other may be a server.
  • the first host 100 can represent the compromised host, that is, the host of the attacked party, and the second host 200 can represent the intruding host, that is, the host of the attacker. If the second host 200 creates a socket on the first host 100 so that the first host 100 actively requests a connection to the second host 200, the process involved can be regarded as the malicious process described in the embodiments of the present application. In this case the first host 100 corresponds to the client in network terms and the second host 200 corresponds to the server.
  • a specific host can switch roles between intruding host and compromised host under different circumstances. That is, if at one moment host A is invaded by host B, host A is the compromised host, represented by the first host 100, and host B is the intruding host, represented by the second host 200; if at another moment host A invades host B, host A is the intruding host, represented by the second host 200, and host B is the compromised host, represented by the first host 100.
  • FIG. 3 shows a schematic flow chart of a method for detecting a malicious process provided by an embodiment of the present application, which can be applied to the above-mentioned first host.
  • the following will elaborate on the process shown in FIG. 3.
  • the method can include:
  • the target process is a process with external connections, that is, the compromised host under this process will request network connections from other hosts.
  • the process can request a network connection to the outside based on various communication protocols, for example, the communication protocol can be TCP, UDP communication protocol, etc., which are not limited here.
  • the process should create a socket and use the socket to send connection requests to other hosts. For example, it is necessary to call connect() to send the connection request. Therefore, the process that has called connect() can be obtained as the target process for requesting a network connection.
  • the system call operation is used to record the system calls used by the process.
  • the system call operation of a process includes the type of system call and the time at which the process used it, so obtaining the system call operations of the target process determines which system calls the target process has used.
  • when multiple system call operations are acquired, acquiring the multiple system call operations of the target process also determines the execution order of those operations.
  • the system call operation of the target process can be obtained through the process identification (PID) of the target process.
  • PID is a value used to uniquely identify a process.
  • here, when a number is described as multiple, it means two or more.
  • the types of processes can include but are not limited to shell processes, database processes (such as mysql), server processes (such as apache, tomcat, nginx), etc., which are not limited here. It is understandable that the system call operations of different processes are different, so the type of process can be determined through the system call operation.
  • the target system call operation may be a system call operation of a specified type of process. Therefore, by matching the system call operation of the target process with the target system call operation, it can be determined whether the system call operation of the target process conforms to The characteristics of the process of the specified type.
  • when the intruding host attacks the compromised host, it uses a program with command parsing and execution (such as a shell program) to carry out the attack based on the bounce connection, so the process of the specified type may be the process corresponding to this kind of program (that is, a program with command parsing and execution).
  • the target system call operation may be the system call operation used by this type of process.
  • the specified type of process may be a shell process
  • the target system call operation may be a system call operation of the shell process.
  • the number of system call operations and target system call operations can be one or more, which is not limited here.
  • the system call operation matching the target system call operation can mean that the types of the multiple system call operations match the types of the multiple target system call operations.
  • if a matching target system call operation can be found for each of the multiple system call operations, it can be determined that the system call operations match the target system call operations; for example, if the multiple system call operations are A1, A2, A3 and the multiple target system call operations are A1, A3, A2, A4, A5, the two can be determined to match.
  • since the execution order of system call operations determines the type of a process to a certain extent, it is also possible to determine whether the target process is a malicious process according to the execution order of its system call operations. That is, when the system call operations match the target system call operations, the multiple system call operations and the multiple target system call operations may at least partially overlap, and the execution order of the overlapping part is required to be consistent. Specific implementations can be seen in the following embodiments and will not be repeated here.
  • the compromised host can perform related processing on the malicious process.
  • the malicious process can be terminated, where termination can include killing the malicious process or other operations, which is not limited here, so as to stop the malicious process from continuing to attack the host, eliminate its threat in time, and protect the security of the host.
  • the compromised host can be connected to the operation and maintenance management device, and after detecting the malicious process, the compromised host can report the detection result to the operation and maintenance management device.
  • the operation and maintenance management equipment receives the reported detection result and can perform corresponding maintenance on the intruded host.
  • the operation and maintenance management device may be a server, a firewall, a network management device, and so on.
  • the operation and maintenance management equipment can generate alarm information to remind the operation and maintenance personnel or other related personnel to respond to the maintenance of the compromised host.
  • the alarm information may be voice prompts, text prompts, light-on prompts, etc., which is not limited in this embodiment.
  • the malicious process detection method first obtains the target process that requests a network connection, then obtains the system call operation of the target process, and determines whether the target process is malicious from the result of matching the system call operation of the target process against the target system call operation. It can detect not only malicious processes established according to the system's rules but also malicious processes not established according to the system's rules, which greatly reduces the false negative rate and raises the detection rate of malicious processes, thereby improving the security of the terminal. In particular, it can effectively detect the processes of reverse shell programs that do not use the shell that comes with the system, such as those generated by hacker tools such as metasploit or created with command interpreters written by hackers, with good recognition results.
  • the embodiment of this application first obtains the target process according to whether a network connection is requested, which can improve detection efficiency and detection performance.
  • a process that performs network communication based on a socket may be acquired as a candidate process, and then a process requesting an external connection is determined from the candidate process as a target process.
  • FIG. 4 shows a method for detecting a malicious process provided by another embodiment of the present application. The method may include:
  • the candidate process is a process that performs network communication based on a socket.
  • This part of the process includes both processes that request external connections based on sockets and processes that are connected by other hosts based on sockets.
  • candidate processes have not only created a socket but also used it, for example for binding (bind) or connecting (connect).
  • the candidate process may also include a process that only creates a socket but does not use the socket, that is, only calls socket(), but does not call bind() or connect().
  • the process that created the socket can be searched for, and then the process can be determined as a candidate process. The specific implementation manner can be seen in the embodiments described later, and will not be repeated here.
  • S220 Determine the target process according to the candidate process.
  • the system call operations of the candidate process can be obtained and examined for a connection function; for example, it can be detected whether the candidate process has called connect(). If the candidate process has called connect(), it can be determined to be a process that requests a network connection, that is, the candidate process is determined to be the target process.
  • the connection event of the candidate process may also be monitored, so that when a connection event is detected, the candidate process whose connection event was detected is determined to be the target process.
  • step S240 may be: if the execution order of the multiple system call operations matches the execution order of the multiple target system call operations, determine that the target process is a malicious process.
  • the aforementioned multiple target system call operations executed in order can be recorded as the target system call sequence, and the multiple system call operations executed in order by the target process can be recorded as the system call sequence of the target process; the execution order of the multiple system call operations matching the execution order of the multiple target system call operations can then be recorded as the system call sequence of the target process matching the target system call sequence.
  • for example, if the system call sequence of the target process is A1, A2, A3 and the multiple target system call operations in execution order are A1, A3, A2, that is, the target system call sequence is A1, A3, A2, it can be determined that the system call sequence of the target process does not match the target system call sequence.
  • if the system call sequence of the target process is A1, A2, A3 and the target system call sequence is A0, A1, A2, A3, A4, it can be determined that the system call sequence of the target process matches the target system call sequence.
  • the execution order of the multiple target system call operations can be determined from the system call operations executed in order by a shell process, so a target process that satisfies the match can be called a shell process.
  • the sequence of multiple target system call operations may include: waiting for data on the socket, reading data, executing a command, writing data, and waiting for data on the socket, where reading data means reading data from the socket and writing data means writing data to the socket. In some embodiments, if the system call sequence of the target process contains a target system call sequence composed of these target system call operations, the target process is determined to be a malicious process. Using this sequence as the overlapping part makes detection most accurate; that is, when the target system call sequence is "wait for data on the socket, read data, execute command, write data, wait for data on the socket", it best reflects the characteristics of a shell process. In some implementations, as long as the system call sequence of a process is consistent with this target system call sequence, the process is determined to be a shell process, and if it is inconsistent, the process is determined not to be a shell process. Basing detection on this target system call sequence therefore reduces false detections in which other, non-shell processes are determined to be malicious, improving the detection accuracy of shell processes and thereby of bounce shell processes.
  • in addition to the standard system call sequence, other target system call sequences can also be used to match the system call sequence of the target process. As one implementation, a subset of the standard system call sequence in which the execution order of each system call operation remains unchanged can be selected as the target system call sequence.
  • for example, the target system call sequence can be "read data, execute command, write data", "wait for data on the socket, read data, execute command, write data", etc., which is not limited here.
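The three matching rules described above (type matching without regard to order, as in the A1, A2, A3 versus A1, A3, A2, A4, A5 example; order-consistent overlap, as in the A1, A2, A3 versus A0, A1, A2, A3, A4 example; and containment of the standard sequence or one of its order-preserving subsets in the target process's sequence) are shown together below as an added example. This is not the patent's code. The table that maps concrete Linux syscall names onto the patent's abstract operations, the two traces, and the function names are assumptions made for illustration; the patent names no concrete syscalls.

```python
"""Matching a process's system-call operations against a target sequence.

Added example for the matching embodiments above; it is not code from the
patent. The mapping from concrete Linux syscall names to the patent's
abstract operations is an assumption made for illustration.
"""
from typing import Dict, Optional, Sequence

# Abstract operations the patent's target sequence is built from.
WAIT, READ, EXEC, WRITE = "wait_socket", "read_socket", "exec_command", "write_socket"

# Standard target sequence from the text: wait for data on the socket, read,
# execute a command, write back, wait again.
STANDARD_SEQUENCE = (WAIT, READ, EXEC, WRITE, WAIT)

# Order-preserving subsets of the standard sequence that the text also allows.
SUBSET_SEQUENCES = ((WAIT, READ, EXEC, WRITE), (READ, EXEC, WRITE))

# Assumed syscall-name to operation mapping (illustration only; the patent
# names no concrete syscalls). Unlisted syscalls carry no signal here.
SYSCALL_TO_OP: Dict[str, str] = {
    "poll": WAIT, "ppoll": WAIT, "select": WAIT, "pselect6": WAIT, "epoll_wait": WAIT,
    "read": READ, "recvfrom": READ, "recvmsg": READ,
    "execve": EXEC, "execveat": EXEC,
    "write": WRITE, "sendto": WRITE, "sendmsg": WRITE,
}


def to_operations(syscalls: Sequence[str]) -> list:
    """Reduce a raw syscall trace to the abstract operations, in order."""
    return [SYSCALL_TO_OP[s] for s in syscalls if s in SYSCALL_TO_OP]


def unordered_match(observed: Sequence[str], target: Sequence[str]) -> bool:
    """First embodiment: every observed operation has a counterpart among the
    target operations; execution order is ignored."""
    return bool(observed) and set(observed) <= set(target)


def order_consistent(observed: Sequence[str], target: Sequence[str]) -> bool:
    """Second embodiment: the two sequences overlap, and the operations they
    share appear in the same relative order in both."""
    common = set(observed) & set(target)
    if not common:
        return False
    return [o for o in observed if o in common] == [t for t in target if t in common]


def contains_in_order(observed: Sequence[str], target: Sequence[str]) -> bool:
    """Third embodiment: the whole target sequence occurs inside the observed
    sequence with its order preserved. Gaps between steps are allowed, so the
    unrelated syscalls a shell makes between steps do not break the match."""
    it = iter(observed)
    return bool(target) and all(op in it for op in target)


def classify_trace(syscalls: Sequence[str],
                   targets: Sequence[Sequence[str]] = (STANDARD_SEQUENCE,) + SUBSET_SEQUENCES
                   ) -> Optional[Sequence[str]]:
    """Return the first target sequence found in-order in the trace, or None."""
    ops = to_operations(syscalls)
    for target in targets:
        if contains_in_order(ops, target):
            return target
    return None


# Constructed traces (not captured from a real system).
REVERSE_SHELL_TRACE = ["socket", "connect", "poll", "read", "clone", "execve",
                       "wait4", "write", "poll"]
WEB_SERVER_TRACE = ["socket", "bind", "listen", "accept4", "epoll_wait",
                    "recvfrom", "sendto", "epoll_wait"]

if __name__ == "__main__":
    print("reverse shell:", classify_trace(REVERSE_SHELL_TRACE))  # standard sequence
    print("web server:  ", classify_trace(WEB_SERVER_TRACE))      # None
```

The constructed web-server trace reduces to "wait, read, write, wait", which the order-consistent overlap rule accepts against the standard sequence (the shared operations are in the same order), while the in-order containment rule rejects it because the "execute command" step is absent. That is the practical reason the text singles out the full standard sequence, and subsets that keep the execute step, as the most accurate target: a plain request/response loop never contains it.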
  • the target process can be determined from the candidate processes by monitoring the connection events of the candidate processes, so that subsequent matching of the target process can be performed promptly. This improves the efficiency of malicious process detection, so that malicious processes can be detected in time, which helps prevent attacks by malicious processes in time and can further improve terminal security.
  • FIG. 5 shows a method for detecting a malicious process provided by another embodiment of the present application. The method may include:
  • a connection event is an event in which a process requests a network connection.
  • a process can request a network connection by calling connect().
  • the connection event of a process can therefore be monitored by monitoring its calls to connect().
  • the audit function can be used to monitor the connection events of the candidate processes. Audit can perform customized auditing of specified files or commands as long as the corresponding rules are configured; the rules can be configured through the command line (effective temporarily) or by editing the configuration file (effective permanently), which is not limited in this embodiment.
  • the connection events of the candidate processes can be monitored by editing the configuration file and configuring the audit configuration items. If a connection event occurs, it is written to the audit log. By examining the audit log, the process ID of the process in which the connection event occurred can be found, thereby determining which process the connection event occurred in.
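The following added example shows the candidate-to-target step (socket-using processes as candidates, those with a connect() as targets) driven from Linux audit SYSCALL records, as the audit-based monitoring above describes. It is not the patent's code. The audit lines are constructed, not captured from a real host; the syscall numbers are those of the x86_64 ABI (socket=41, connect=42, bind=49), the rule in the comment is ordinary auditctl syntax with a constructed key name, and the function and record names are assumptions.

```python
"""Finding candidate and target processes from Linux audit records.

Added example for the candidate/target determination and audit-based
connection-event monitoring described above; it is not the patent's code.
The audit lines below are constructed, not captured from a real host, and
the syscall numbers are those of the x86_64 ABI.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# A rule that records socket(), bind() and connect() with a key we can filter
# on, e.g. (temporary)  auditctl -a always,exit -F arch=b64 -S socket -S bind -S connect -k net_connect
# or the same line in a file under /etc/audit/rules.d/ (permanent).
AUDIT_KEY = "net_connect"  # constructed key name

SYS_SOCKET, SYS_CONNECT, SYS_BIND = 41, 42, 49          # x86_64 syscall numbers
CANDIDATE_SYSCALLS = {SYS_SOCKET, SYS_BIND, SYS_CONNECT}  # socket created or used

# Constructed audit log excerpt: a shell (pid 4242) creates a socket and
# connects out, nginx (pid 900) only binds, curl (pid 777) connects out.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1585000001.100:201): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=1 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 '
    'tty=(none) ses=3 comm="sh" exe="/usr/bin/dash" key="net_connect"',
    'type=SYSCALL msg=audit(1585000001.250:202): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=3 a1=7ffe0c0a1234 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 '
    'euid=1000 tty=(none) ses=3 comm="sh" exe="/usr/bin/dash" key="net_connect"',
    'type=PROCTITLE msg=audit(1585000001.250:202): proctitle=7368',
    'type=SYSCALL msg=audit(1585000002.000:203): arch=c000003e syscall=49 success=yes exit=0 '
    'a0=5 a1=7ffd11223344 a2=10 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 '
    'euid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="net_connect"',
    'type=SYSCALL msg=audit(1585000003.600:205): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=3 a1=7ffc55667788 a2=10 a3=0 items=0 ppid=2000 pid=777 auid=1000 uid=1000 gid=1000 '
    'euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="net_connect"',
]

AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


@dataclass(frozen=True)
class SyscallRecord:
    timestamp: float
    serial: int
    syscall: int
    pid: int
    comm: str
    exe: str


def parse_syscall_record(line: str) -> Optional[SyscallRecord]:
    """Parse one audit line into a SyscallRecord; other record types and
    records written by other rules (different key) yield None."""
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
    stamp = AUDIT_STAMP.search(line)
    if fields.get("type") != "SYSCALL" or fields.get("key") != AUDIT_KEY or stamp is None:
        return None
    return SyscallRecord(
        timestamp=float(stamp.group(1)), serial=int(stamp.group(2)),
        syscall=int(fields["syscall"]), pid=int(fields["pid"]),
        comm=fields.get("comm", ""), exe=fields.get("exe", ""),
    )


def candidate_processes(lines: Iterable[str]) -> Set[int]:
    """PIDs that created or used a socket (socket/bind/connect records)."""
    return {r.pid for r in map(parse_syscall_record, lines)
            if r is not None and r.syscall in CANDIDATE_SYSCALLS}


def target_processes(lines: Iterable[str]) -> List[int]:
    """Candidate PIDs with a connect() record, i.e. processes that actively
    requested an outbound connection, ordered by their first connect time."""
    lines = list(lines)
    candidates = candidate_processes(lines)
    first_connect: Dict[int, float] = {}
    for r in map(parse_syscall_record, lines):
        if r is not None and r.syscall == SYS_CONNECT and r.pid in candidates:
            first_connect.setdefault(r.pid, r.timestamp)
    return sorted(first_connect, key=first_connect.get)


if __name__ == "__main__":
    print("candidates:", sorted(candidate_processes(SAMPLE_AUDIT_LOG)))  # [777, 900, 4242]
    print("targets:   ", target_processes(SAMPLE_AUDIT_LOG))              # [4242, 777]
```

Only the target PIDs (here the shell and curl) go on to the system-call matching step; nginx stays a candidate because it only bound a listening socket, which is the forward-connection case the text sets aside.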
  • step S320 may include:
  • the number of candidate processes can be multiple. If there are too many candidate processes, the host may need to monitor too many processes at the same time, which may reduce system operating efficiency or even cause the system to hang. Therefore, to control the number of processes monitored simultaneously, the number of candidate processes can be obtained and it can be determined whether the number of candidate processes exceeds the designated monitoring quantity.
  • the designated monitoring quantity can be determined according to actual needs, can also be preset by the program, or customized by the user, which is not limited here.
  • the designated monitoring quantity can be determined by the current system operating performance.
  • the current system operating performance can be reflected by the central processing unit (CPU) occupancy rate.
  • a mapping table between CPU occupancy rate and designated monitoring quantity can be set, and the corresponding designated monitoring quantity can be determined from the CPU occupancy rate. The higher the CPU occupancy rate, the lower the designated monitoring quantity corresponding to it. In this way the number of monitored processes can be reduced when the CPU occupancy rate is high, avoiding reduced operating efficiency or even hanging caused by monitoring too many processes at the same time.
  • the CPU occupancy rate can be a specified value or a range of values, which is not limited here.
  • the designated monitoring quantity can also be determined according to other parameters that can reflect the operating performance of the system, such as memory occupancy, which is not limited in this embodiment.
  • the candidate processes to be monitored are determined from the candidate processes, where the number of candidate processes to be monitored is less than the number of candidate processes, so that by subsequently monitoring only the connection events of the candidate processes to be monitored, the number of processes monitored at the same time can be reduced.
  • the number of candidate processes to be monitored can be less than or equal to the specified monitoring number, and when the number of candidate processes exceeds the specified monitoring number, the number of candidate processes to be monitored at the same time can be reduced to no more than the specified monitoring number.
  • the preset selection rule can be based on the time when the connection event occurs. Specifically, the candidate processes can be monitored in the order of their connection events, those whose connection event occurred earlier being monitored first and those whose connection event occurred later being monitored afterwards. The details are not repeated here.
  • step S323 is substantially the same as the foregoing step S320, and will not be repeated here.
  • connection events of the candidate process can be monitored by configuring the audit configuration items. If a connection event occurs, it is written to the audit log. By examining the audit log, the process IDs of the candidate processes in which the connection event occurred can be obtained, and the candidate processes corresponding to these process IDs are then obtained as target processes. In this way, the target process that actively requests a network connection is obtained from the candidate processes.
  • FIG. 7 shows a method for detecting a malicious process provided by still another embodiment of the present application. The method may include:
  • the first process is a process that has created a socket, and may include both processes that use the socket and processes that do not use it.
  • the process information of all processes may be acquired first, and then the process corresponding to the process information containing socket-related information is determined as the first process according to whether the process information contains socket-related information. Then the process information of the first process includes socket-related information.
  • the process that created the socket can be directly found as the first process.
  • the command lsof -i can be used.
  • the -i option of lsof can be used to list all processes that have created a socket.
  • the listed information includes the process identifier of each process and the socket index of the socket it created. The process corresponding to each process identifier listed by the lsof -i command can be used as the first process, so that the first process can be found.
  • the socket index is used to uniquely identify a socket.
  • the socket index may be the index node (inode) of the socket.
  • other commands may also be used to directly search for the first process, which is not limited in this embodiment.
  • the first process can be directly used as a candidate process.
  • all processes that have created sockets are determined as candidate processes.
  • after the candidate process is determined, when the target process is determined according to the candidate process, the processes that only created a socket but do not use it can be filtered out by detecting connect(). Even if these processes are not filtered out and are determined as target processes, they can still be filtered out later when the system call operations are matched. Therefore, the first process can be used directly as the candidate process to realize the detection of the malicious process.
  • the process that created the socket can be directly determined as a candidate process.
  • when the target process is subsequently determined from the candidate processes, or when the matching is performed according to the system call operation, the processes that only create but do not use the socket can still be filtered out, so that processes which not only create but also use sockets, and specifically malicious processes that use sockets to request external connections, can still be effectively detected. Therefore, in some possible embodiments, the first process can be directly determined as a candidate process, and the malicious process can still be detected in this case.
  • step S420 may include:
  • S421 Detect whether the number of first processes exceeds a specified threshold.
  • the specified threshold may be determined according to actual needs, may also be preset by the system, or may be user-defined, which is not limited in this embodiment. In some embodiments, the specified threshold may be determined by the CPU usage rate. As the CPU usage rate increases, the specified threshold value may be reduced, so that the specified threshold value can be adjusted according to the current system operating efficiency to control the number of first processes.
  • the specified threshold is greater than or equal to the specified monitoring quantity, so that the number of first processes can be controlled first, before the number of candidate processes monitored at the same time is subsequently controlled based on the specified monitoring quantity. This avoids the number of candidate processes determined from the first processes being too large, which would reduce the efficiency of the system.
  • it is detected whether the number of first processes exceeds the specified threshold. If the number of first processes exceeds the specified threshold, step S422 may be executed. If the number of first processes does not exceed the specified threshold, the first process may be directly used as the candidate process; the specific implementation can be seen in step S420 and is not repeated here. As a result, when the number of first processes does not exceed the specified threshold, that is, when there are few processes that have created sockets, the first process can be directly used as a candidate process for subsequent detection, reducing operation steps and thereby helping to improve detection efficiency.
  • the specific implementation manner of determining the candidate process from the first process may be: from the first process, find the process that performs network communication based on the socket as a candidate process. The details can be seen in the following embodiments, which will not be repeated here.
  • the process using the socket may be found from the first process, and then these processes are determined as candidate processes.
  • FIG. 9 shows a method for detecting a malicious process according to another embodiment of the present application. The method may include:
  • the process information is used to record the files opened by the process, and may include the process identifier and at least one item of file descriptor (fd) information, and each item of file descriptor information may include a file descriptor (0, 1, 2, ...) and its object attributes.
  • each file descriptor has a corresponding relationship with an object attribute, and the object attribute may include an object type and an object identifier.
  • the object type may include socket, pipe, etc.
  • the object identifier may include socket index, pipe index (pipe ID or pipe inode), etc.
  • the object type may be a socket
  • the object identifier may be the socket index corresponding to the socket
  • the process information of the process may include the socket identifier.
  • the socket identifier may be the field "socket".
  • the process information may also include the socket index corresponding to the socket identifier.
  • the socket index can be the number after "socket", that is, if a process creates a socket, its process information can include "socket:[435473]", where "435473" is the socket index of the socket created by the process.
  • the process information corresponding to all processes can be obtained through the command ls -la /proc/pid/fd.
  • all the information of all processes in the Linux system are stored in the /proc directory.
  • S520 Acquire a process including the socket identifier in the process information as the first process.
  • the process information of a process may include the socket identifier, so the process whose process information contains the socket identifier can be obtained as the first process, that is, the process that created the socket.
  • the first process can also simply be a name for a process whose process information contains the socket identifier; that is, the host does not have to perform a separate operation of obtaining the first process, but can just obtain the process information of all processes. If the socket identifier and the process identifier exist in the process information, the process whose process information contains the socket identifier can be named the first process, and its process identifier can be recorded as the process identifier of the first process.
  • S530 From the first process, search for a process that performs network communication based on a socket, as a candidate process.
  • step S530 may include:
  • S531 Acquire a first socket index corresponding to a socket used to establish a network link for network communication.
  • sockets used to establish network links for network communication are used sockets, that is, sockets that are only created but not used are not included.
  • this type of socket binds a port through bind(), or sends a connection request through connect(). Therefore, by obtaining the socket index of this type of socket as the first socket index, the first processes that have created a socket but do not use it can be filtered out, so that the candidate processes determined from the first processes do not include processes that only created a socket but do not use it.
  • the command cat /proc/net/tcp can be used to obtain the sockets used to establish a network link for network communication.
  • /proc/net/tcp contains the socket information of sockets that have been not only created but also used; the socket information contains the socket index of each socket, and the socket index corresponding to a socket used to establish a network link for network communication can be recorded as the first socket index.
  • S532 Obtain a second socket index corresponding to the socket created by the first process.
  • the process information of all processes can be obtained, and the process that contains the socket identifier in the process information is obtained as the first process, and the process information of the first process also includes the corresponding socket identifier. Therefore, based on the process information of all processes, the socket index corresponding to the socket created by the first process can be obtained as the second socket index.
  • the process information contains the process ID, namely the pid, the socket ID, and the socket index
  • the socket corresponding to the socket identifier in the process information may have only been created but not used, so the second socket index is matched with the first socket index to determine, from the first processes, the candidate processes that use the socket.
  • the first socket index is matched with the second socket index, and a process that performs network communication based on the socket is obtained as a candidate process.
  • the socket corresponding to the first socket index is a socket that is not only created but also used
  • the socket corresponding to the second socket index is a socket that has been created but not necessarily used. So, in order to get the candidate processes that have used sockets, the first socket index can be matched with the second socket index, and the process corresponding to a second socket index that matches a first socket index is used as a candidate process.
  • the process information of all processes can be obtained by the command ls -la /proc/pid/fd, the inode number of the socket can be obtained by the command cat /proc/net/tcp as the first socket index, and then the pid corresponding to that inode number is found in the process information through the inode number, and the process corresponding to the pid is determined as a candidate process.
  • for the processes whose process information contains the socket identifier, the process information of the first process is obtained, the inode number corresponding to the socket identifier is used as the second socket index, and the inode number of the socket obtained through the command cat /proc/net/tcp is used as the first socket index. The first socket index is matched with the second socket index, the pid corresponding to the second socket index that matches the first socket index is obtained, and the process corresponding to the pid is determined as a candidate process.
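The socket-index matching of steps S531 to S533, as an added example in Python that is not the patent's own code: the /proc/net/tcp text and the /proc/<pid>/fd link targets below are constructed samples, and the live_fd_links helper is an assumption about how a Linux host would be walked to collect the same data.

```python
import os
import re
from typing import Dict, List, Set

# Constructed sample of /proc/net/tcp (not captured from a real host). The
# header line is skipped; field index 9 of every data row is the socket inode.
# st 0A is LISTEN (bound via bind()/listen()), st 01 is ESTABLISHED (connect()).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 435473 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:C350 0A000201:115C 01 00000000:00000000 00:00000000 00000000  1000        0 509812 1 0000000000000000 20 4 30 10 -1
"""

# Constructed symlink targets of /proc/<pid>/fd/*, i.e. what `ls -la /proc/<pid>/fd`
# prints after the arrow. Only pids with a socket:[inode] entry are "first processes".
SAMPLE_FD_LINKS: Dict[int, List[str]] = {
    1234: ["/dev/null", "/dev/pts/0", "socket:[435473]"],   # socket is listening
    2345: ["/dev/null", "pipe:[77001]", "socket:[509812]"],  # socket is connected
    3456: ["/dev/null", "socket:[999999]"],                  # created, never bound/connected
    4567: ["/dev/null", "/var/log/syslog"],                  # opened no socket at all
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def first_socket_indexes(proc_net_tcp_text: str) -> Set[int]:
    """Inodes of sockets the kernel has bound or connected (the 'first socket index').

    A socket that was only created with socket() has no row in /proc/net/tcp, so
    this set already excludes the created-but-unused sockets the text filters out.
    """
    inodes: Set[int] = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 9 and fields[9].isdigit():
            inodes.add(int(fields[9]))
    return inodes


def second_socket_indexes(fd_links: Dict[int, List[str]]) -> Dict[int, Set[int]]:
    """Map each 'first process' pid to the inodes of the sockets it holds open."""
    result: Dict[int, Set[int]] = {}
    for pid, targets in fd_links.items():
        inodes: Set[int] = set()
        for target in targets:
            match = SOCKET_LINK.match(target)
            if match:
                inodes.add(int(match.group(1)))
        if inodes:
            result[pid] = inodes
    return result


def candidate_processes(proc_net_tcp_text: str,
                        fd_links: Dict[int, List[str]]) -> Dict[int, Set[int]]:
    """pid -> inodes present in both lists: the processes really communicating over TCP."""
    in_use = first_socket_indexes(proc_net_tcp_text)
    candidates: Dict[int, Set[int]] = {}
    for pid, inodes in second_socket_indexes(fd_links).items():
        matched = inodes & in_use
        if matched:
            candidates[pid] = matched
    return candidates


def live_fd_links() -> Dict[int, List[str]]:
    """Collect the real /proc/<pid>/fd targets on a Linux host (root sees every pid)."""
    links: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = os.path.join("/proc", name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                for fd in os.listdir(fd_dir)]
        except OSError:  # process exited meanwhile, or not ours and we are unprivileged
            continue
    return links


if __name__ == "__main__":
    print("sample:", candidate_processes(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            print("live:", candidate_processes(fh.read(), live_fd_links()))
```

IPv6 sockets are listed in /proc/net/tcp6 with the same column layout, so a complete scan feeds both files through first_socket_indexes.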
  • FIG. 11 shows a method for detecting a malicious process according to yet another embodiment of the present application. The method may include:
  • S610 Find a process that performs network communication based on a socket, as a candidate process.
  • the processes performing network communication based on sockets can be found through the command netstat.
  • this command can generally be used to check the network connections on each port of the machine. In an example, they can be found through the command netstat -tunpa.
  • since the information obtained through the netstat command can include the pids of the processes that have TCP and UDP connections, and the netstat command does not count sockets that are only created but not used (not bound or connected), the processes performing network communication can be found directly and used as candidate processes.
  • the information sent by the first host may not be received by the second host, or the information sent by the second host may not be received by the first host; that is, information may be lost in transmission, causing part of the attack command not to be received by the first host. Therefore, by first detecting the processes that perform network communication based on the TCP communication protocol, the malicious processes with a higher degree of threat can be detected first, so that they can be dealt with more promptly and the security threat can be resolved in a timely manner.
  • a specific implementation manner of step S610 may be: searching for a process that performs network communication based on TCP as a candidate process.
  • This method can be applied to the host, and specifically, the host runs a rebound shell detection module, and the rebound shell detection module can be used to execute the method provided in the embodiments of the present application.
  • after the rebound shell detection module is started, it obtains all process information by traversing the /proc directory of the host.
  • the process information includes the process ID (pid) and external connection information
  • the external connection information can include the socket ID and the inode number corresponding to the socket ID.
  • all process information can be obtained through the command ls -la /proc/pid/fd.
  • the inode number can be found through the command cat /proc/net/tcp, and then the process corresponding to the pid can be found through the inode number.
  • this embodiment monitors the external network connections of processes to obtain the processes with external network connections, and then determines whether a process is a rebound shell process by detecting whether the system call sequence of the process conforms to the law of the system call sequence of a shell process. It can therefore effectively detect all kinds of reverse shell processes that do not use the shell that comes with the system, such as those generated by hacker tools such as Metasploit or command interpreters written by hackers, and has a good recognition effect. Moreover, since the number of external connection events of a server is generally smaller than the number of shell process creations, the detection efficiency of the module is higher and the detection performance is better.
  • the malicious process detection apparatus 1300 may include: a process acquisition module 1310, an operation acquisition module 1320, and an operation matching module 1330 .
  • the process acquisition module 1310 is used to acquire the target process requesting network connection
  • the operation acquisition module 1320 is used to acquire the system call operation of the target process
  • the operation matching module 1330 is configured to determine that the target process is a malicious process if the system call operation matches the target system call operation.
  • the operation matching module 1330 includes: an order matching submodule, wherein:
  • the order matching sub-module is configured to determine that the target process is a malicious process if the execution order of the multiple system call operations matches the execution order of the multiple target system call operations.
  • the execution order of the multiple target system call operations is determined by the system call operations executed sequentially by the shell process.
  • sequence of the multiple target system call operations includes: waiting for data on the socket, reading data, executing a command, writing data, and waiting for data on the socket.
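The order matching performed by the order matching sub-module, as an added example in Python that is not the patent's own code: the five target steps are mapped to Linux system call names (that mapping is an assumption made for this example), the traces are constructed strace-style lines rather than real captures, and the sequence is matched as an in-order subsequence because a real shell issues other calls between the steps.

```python
import re
from typing import List, Optional, Sequence, Set, Tuple

# Assumed mapping from each step named in the text to the Linux system calls that
# realise it. Adjust to the interpreter and libc in use; this is not the patent's list.
WAIT_ON_SOCKET: Set[str] = {"poll", "ppoll", "select", "pselect6", "epoll_wait", "epoll_pwait"}
READ_DATA: Set[str] = {"read", "recv", "recvfrom", "recvmsg"}
EXECUTE_COMMAND: Set[str] = {"execve", "execveat"}
WRITE_DATA: Set[str] = {"write", "send", "sendto", "sendmsg"}

TARGET_SEQUENCE: List[Tuple[str, Set[str]]] = [
    ("wait on socket", WAIT_ON_SOCKET),
    ("read data", READ_DATA),
    ("execute command", EXECUTE_COMMAND),
    ("write data", WRITE_DATA),
    ("wait on socket", WAIT_ON_SOCKET),
]

# strace -f prints "[pid NNN] name(args) = ret"; plain strace prints "name(args) = ret".
# The child that runs execve shows up with a pid prefix, so the prefix is tolerated.
STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_0-9]+)\(")


def syscall_names(trace_lines: Sequence[str]) -> List[str]:
    """Extract the system call name from each strace-style line, in execution order."""
    names: List[str] = []
    for line in trace_lines:
        m = STRACE_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def match_target_sequence(names: Sequence[str]) -> Optional[List[int]]:
    """Return the index of the call realising each target step, or None if no match.

    Steps must occur in order, but unrelated calls may lie between them (rt_sigaction,
    clone, wait4 and similar bookkeeping calls are normal between the steps).
    """
    positions: List[int] = []
    step = 0
    for i, name in enumerate(names):
        if name in TARGET_SEQUENCE[step][1]:
            positions.append(i)
            step += 1
            if step == len(TARGET_SEQUENCE):
                return positions
    return None


def is_shell_like(trace_lines: Sequence[str]) -> bool:
    """True when the trace contains the wait/read/execute/write/wait pattern."""
    return match_target_sequence(syscall_names(trace_lines)) is not None


# Constructed trace of a command interpreter serving a remote peer on fd 3:
# wait, read one command line, run it in a child, write the output back, wait again.
REVERSE_SHELL_TRACE = [
    "rt_sigaction(SIGINT, {sa_handler=SIG_IGN}, NULL, 8) = 0",
    "poll([{fd=3, events=POLLIN}], 1, -1) = 1",
    "read(3, \"id\\n\", 1024) = 3",
    "clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4321",
    "[pid 4321] execve(\"/bin/sh\", [\"sh\", \"-c\", \"id\"], 0x7ffd0000) = 0",
    "[pid 4321] write(3, \"uid=1000(user)\\n\", 15) = 15",
    "wait4(4321, [{WIFEXITED(s)}], 0, NULL) = 4321",
    "poll([{fd=3, events=POLLIN}], 1, -1) = 1",
]

# Constructed trace of a static file server: waits, reads a request, answers from
# disk, waits again, and never executes anything, so the pattern must not match.
WEB_SERVER_TRACE = [
    "epoll_wait(4, [{events=EPOLLIN, data={fd=7}}], 512, -1) = 1",
    "recvfrom(7, \"GET /index.html HTTP/1.1\\r\\n\", 8192, 0, NULL, NULL) = 26",
    "openat(AT_FDCWD, \"/srv/www/index.html\", O_RDONLY) = 9",
    "sendto(7, \"HTTP/1.1 200 OK\\r\\n\", 17, 0, NULL, 0) = 17",
    "epoll_wait(4, [{events=EPOLLIN, data={fd=7}}], 512, -1) = 1",
]

if __name__ == "__main__":
    print("reverse shell trace matches:", is_shell_like(REVERSE_SHELL_TRACE))  # True
    print("web server trace matches:", is_shell_like(WEB_SERVER_TRACE))        # False
```

A shell that blocks directly in read() on the socket never polls first, so on such hosts the first and last steps should also accept the read calls, at the cost of more matches to review.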
  • the process acquisition module 1310 includes: a candidate process acquisition sub-module and a target process determination sub-module, wherein:
  • the candidate process acquisition sub-module is used to acquire candidate processes, the candidate process being a process that performs network communication based on a socket;
  • the target process determining sub-module is configured to determine a target process according to the candidate process, and the target process is a process that requests a network connection based on a socket.
  • the target process determining submodule further includes: a connection event monitoring unit and a target process acquiring unit, wherein:
  • the connection event monitoring unit is used to monitor the connection event of the candidate process, and the connection event is used to request a network connection;
  • the target process obtaining unit is configured to obtain the candidate process as the target process if the connection event of the candidate process is monitored.
  • the connection event monitoring unit includes: a monitoring quantity detection subunit, a process to be monitored determination subunit, and a process monitoring subunit, wherein:
  • the monitoring quantity detection subunit is used to detect whether the number of the candidate processes exceeds the specified monitoring quantity
  • the process to be monitored determination subunit is configured to determine the candidate process to be monitored from the candidate processes if the number of the candidate processes exceeds the specified monitoring number;
  • the process monitoring subunit is used to determine and monitor the connection event of the candidate process to be monitored.
  • the candidate process acquisition sub-module includes: a first process search unit and a first candidate determination unit, wherein:
  • the first process search unit is configured to search for a first process, and the first process is a process that creates a socket;
  • the first candidate determining unit is configured to determine a candidate process from the first process.
  • the first process searching unit includes: a process information acquiring subunit and a socket identification determining subunit, wherein:
  • the process information obtaining subunit is used to obtain process information corresponding to all processes, and the process information is used to record the files opened by the process;
  • the first process determining subunit is used to obtain the process containing the socket identifier in the process information as the first process.
  • the first candidate determining unit includes: a first candidate determining subunit, wherein:
  • the first candidate determination subunit is configured to search for a socket-based network communication process from the first process as a candidate process.
  • the first candidate determining subunit includes: a first index obtaining subunit, a second index obtaining subunit, and an index matching subunit, wherein:
  • the first index obtaining sub-unit is used to obtain the first socket index corresponding to the socket used to establish a network link for network communication;
  • the second index obtaining sub-unit is used to obtain the second socket index corresponding to the socket created by the first process
  • the index matching subunit is used to match the first socket index with the second socket index, and obtain a socket-based network communication process as a candidate process.
  • the first candidate determining unit includes: a second candidate determining subunit, wherein:
  • the second candidate determination subunit is used to search for a socket-based network communication process as a candidate process.
  • the candidate process acquiring submodule includes: a second candidate determining unit, wherein:
  • the second candidate determining unit is used to search for a process that performs network communication based on a socket, as a candidate process.
  • the second candidate determining unit includes: a third candidate determining subunit, wherein:
  • the third candidate determination subunit is used to find a process for network communication based on the TCP communication protocol as a candidate process.
  • the device 1300 for detecting a malicious process further includes: a process termination module, wherein:
  • the process termination module is used to perform termination processing on the malicious process.
  • the malicious process detection apparatus provided in the embodiment of the present application is used to implement the corresponding malicious process detection method in the foregoing method embodiment, and has the beneficial effects of the corresponding method embodiment, which will not be repeated here.
  • the coupling between the modules may be electrical, mechanical or other forms of coupling.
  • each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
  • the electronic device 1400 may be an electronic device capable of running application programs, such as a smart phone, a tablet computer, an e-book, a personal computer, or a server.
  • the electronic device 1400 in this application may include one or more of the following components: a processor 1410, a memory 1420, and one or more application programs, where the one or more application programs may be stored in the memory 1420 and configured to be executed by the one or more processors 1410, and the one or more programs are configured to execute the methods described in the foregoing method embodiments.
  • the processor 1410 may include one or more processing cores.
  • the processor 1410 uses various interfaces and lines to connect the various parts of the entire electronic device 1400, and performs its processing by running or executing the instructions, programs, code sets, or instruction sets stored in the memory 1420 and calling the data stored in the memory 1420.
  • the processor 1410 may use at least one of digital signal processing (Digital Signal Processing, DSP), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA), and Programmable Logic Array (Programmable Logic Array, PLA).
  • the processor 1410 may be integrated with one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem, and the like.
  • the CPU mainly processes the operating system, user interface, and application programs;
  • the GPU is used for rendering and drawing of display content;
  • the modem is used for processing wireless communication. It is understandable that the above-mentioned modem may not be integrated into the processor 1410, but may be implemented by a communication chip alone.
  • the processor 1410 further includes: an external storage device management module 1411 and a storage management service module 1414.
  • the external storage device management module 1411 may be the management and control center of the external storage system in the Android platform, and is a background process for managing and controlling the external storage devices of the Android platform. Its functions mainly include external storage device plug-in event detection, and external storage device mounting, unmounting, formatting, etc. The storage management service module 1414 is the module through which the Android system framework layer communicates with the external storage device management module 1411, and at the same time it is also the module that provides storage access interfaces and storage mounting message broadcasts to applications. Further, in an implementation manner, the external storage device management module 1411 and the storage management service module 1414 may communicate based on the Binder communication mechanism.
  • the memory 1420 may include random access memory (RAM) or read-only memory (Read-Only Memory).
  • the memory 1420 may be used to store instructions, programs, codes, code sets or instruction sets.
  • the memory 1420 may include a storage program area and a storage data area, where the storage program area may store instructions for implementing the operating system, instructions for implementing at least one function (such as a touch function, a sound playback function, an image playback function, etc.), instructions used to implement the following various method embodiments, etc.
  • the data storage area can also store data created by the electronic device 1400 during use (such as phone book, audio and video data, chat record data) and the like.
  • when each unit in the malicious process detection device shown in FIG. 13 is used as a function module such as a program package, each unit in the malicious process detection device is stored in the memory 1420 and can be called by the processor to execute the corresponding function.
  • FIG. 15 shows a structural block diagram of a computer readable storage medium provided by an embodiment of the present application.
  • the computer readable storage medium 1500 stores program code, and the program code can be invoked by a processor to execute the method described in the foregoing method embodiment.
  • the computer readable storage medium 1500 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • the computer-readable storage medium 1500 includes a non-transitory computer-readable storage medium.
  • the computer readable storage medium 1500 has storage space for the program code 1510 for executing any method steps in the above-mentioned methods. These program codes can be read from or written into one or more computer program products.
  • the program code 1510 may be compressed in an appropriate form, for example.


Abstract

The embodiments of the present application relate to the technical field of network security, and disclose a method and apparatus for detecting a malicious process, an electronic device and a storage medium. The method comprises: obtaining a target process that requests a network connection; obtaining a system call operation of the target process; and, if the system call operation matches a target system call operation, determining that the target process is a malicious process. In the embodiments of the present application, the target process is first determined according to whether or not there is an outbound network connection, and then whether the target process is a malicious process is determined according to the system call operation of the target process, so that malicious processes established through the system's own command interpreter can be detected, and malicious processes that are not established according to system rules can also be detected, which considerably reduces the rate of missed malicious processes and achieves more effective detection.
PCT/CN2020/080922 2020-03-24 2020-03-24 Procédé et appareil de détection de processus malveillant, dispositif électronique, et support de stockage WO2021189257A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080094694.3A CN115023699A (zh) 2020-03-24 2020-03-24 恶意进程的检测方法、装置、电子设备及存储介质
PCT/CN2020/080922 WO2021189257A1 (fr) 2020-03-24 2020-03-24 Procédé et appareil de détection de processus malveillant, dispositif électronique, et support de stockage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/080922 WO2021189257A1 (fr) 2020-03-24 2020-03-24 Procédé et appareil de détection de processus malveillant, dispositif électronique, et support de stockage

Publications (1)

Publication Number Publication Date
WO2021189257A1 true WO2021189257A1 (fr) 2021-09-30

Family

ID=77890894

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/080922 WO2021189257A1 (fr) 2020-03-24 2020-03-24 Procédé et appareil de détection de processus malveillant, dispositif électronique, et support de stockage

Country Status (2)

Country Link
CN (1) CN115023699A (fr)
WO (1) WO2021189257A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285621A (zh) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 一种网络威胁监测方法、装置及电子设备
CN115002186A (zh) * 2022-05-17 2022-09-02 深信服科技股份有限公司 网络信息采集方法、装置、电子设备及可读存储介质
CN116112295A (zh) * 2023-04-12 2023-05-12 北京长亭未来科技有限公司 一种外连类攻击结果研判方法及装置
CN116484364A (zh) * 2023-02-03 2023-07-25 安芯网盾(北京)科技有限公司 一种基于Linux内核的隐藏端口检测方法及装置

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350052A (zh) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 发现计算机程序的恶意行为的方法和装置
CN103023912A (zh) * 2012-12-26 2013-04-03 蓝盾信息安全技术股份有限公司 一种防止基于虚拟机进行网络攻击的方法
CN103839005A (zh) * 2013-11-22 2014-06-04 北京智谷睿拓技术服务有限公司 移动操作系统的恶意软件检测方法和恶意软件检测系统
CN106033511A (zh) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 防止网站数据泄露的方法及设备
US20180357413A1 (en) * 2017-05-31 2018-12-13 Paul A. Rivera Methods and Systems for the Active Defense of a Computing System Against Malware
CN110493165A (zh) * 2018-06-29 2019-11-22 厦门白山耘科技有限公司 自动确定恶意网络进程的方法、装置及网络入侵检测系统

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285621A (zh) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network threat monitoring method, apparatus, and electronic device
CN115002186A (zh) * 2022-05-17 2022-09-02 深信服科技股份有限公司 Network information collection method, apparatus, electronic device, and readable storage medium
CN116484364A (zh) * 2023-02-03 2023-07-25 安芯网盾(北京)科技有限公司 Linux-kernel-based hidden port detection method and apparatus
CN116484364B (zh) * 2023-02-03 2024-01-26 安芯网盾(北京)科技有限公司 Linux-kernel-based hidden port detection method and apparatus
CN116112295A (zh) * 2023-04-12 2023-05-12 北京长亭未来科技有限公司 Method and apparatus for assessing the outcome of outbound-connection attacks
CN116112295B (zh) * 2023-04-12 2023-07-04 北京长亭未来科技有限公司 Method and apparatus for assessing the outcome of outbound-connection attacks

Also Published As

Publication number Publication date
CN115023699A (zh) 2022-09-06

Similar Documents

Publication Publication Date Title
WO2021189257A1 (fr) Method and apparatus for detecting malicious processes, electronic device, and storage medium
US10552348B2 (en) USB device access method, apparatus and system, a terminal, and a server
US9870303B2 (en) Monitoring and correlating a binary process in a distributed business transaction
EP4109861A1 (fr) Data processing method, apparatus, computer device, and storage medium
CN107135249B (zh) Data download method and apparatus
US10623450B2 (en) Access to data on a remote device
CN111193633B (zh) Method and apparatus for detecting abnormal network connections
CN109831351B (zh) Link tracing method, apparatus, terminal, and storage medium
US10067862B2 (en) Tracking asynchronous entry points for an application
CN114124929A (zh) Cross-network data processing method and apparatus
CN111447201A (zh) Scanning behaviour identification method and apparatus, electronic device, and storage medium
CN114726633B (zh) Traffic data processing method and apparatus, storage medium, and electronic device
US9563485B2 (en) Business transaction context for call graph
CN110881224B (zh) Network persistent-connection method, apparatus, device, and storage medium
WO2024078348A1 (fr) Method and apparatus for processing registry operations in an application porting environment, and medium
CN116582365B (zh) Network traffic security control method and apparatus, and computer device
CN111371783B (zh) SQL injection attack detection method, apparatus, device, and storage medium
WO2021097713A1 (fr) Distributed security testing system, method, and device, and storage medium
CN109068170B (zh) Bullet-screen (danmaku) message storage method, apparatus, terminal, and storage medium
CN116028917A (zh) Permission detection method and apparatus, storage medium, and electronic device
CN114462030A (zh) Privacy policy processing and evidence collection method, apparatus, device, and storage medium
CN114461909A (zh) Information processing method, information processing apparatus, electronic device, and storage medium
CN113765924A (zh) Security monitoring method based on user cross-server access, terminal, and device
CN115277188B (zh) Method, apparatus, device, and storage medium for detecting network security
CN116938605B (zh) Network attack protection method and apparatus, electronic device, and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20927474; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 24.02.2023))
122 Ep: pct application non-entry in european phase (Ref document number: 20927474; Country of ref document: EP; Kind code of ref document: A1)