CN102438023B - Method and device for detecting malicious remote procedure call (RPC) behaviors - Google Patents

Info

Publication number: CN102438023B
Authority: CN (China)
Prior art keywords: rpc, uuid, behavior, control strategy, server
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201110449688.8A
Other languages: Chinese (zh)
Other versions: CN102438023A (en)
Inventors: 蒋武, 周莹莹
Current Assignee: Chengdu Huawei Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201110449688.8A
Publication of CN102438023A
Application granted
Publication of CN102438023B
Legal status: Expired - Fee Related (current); anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for detecting malicious remote procedure call (RPC) behavior, intended to solve the problem that prior-art detection of malicious RPC behavior is ineffective and misses many cases. The method includes: when a client queries the server for the high port corresponding to an RPC service, recording the UUIDs of all RPC services requested by that client; during the RPC process, parsing the packets transmitted on the session connection between the client and the server to obtain the RPC stream carried on that connection; obtaining, from the recorded UUIDs and the RPC stream, all UUIDs involved in the RPC process; and judging whether each of the obtained UUIDs conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior. This improves the effectiveness with which a protection device detects malicious RPC behavior and strengthens the security of the protected RPC server.

Description

Method and device for detecting malicious remote procedure call behavior

Technical field

The invention relates to the field of computer network technology, and in particular to a method for detecting malicious remote procedure call (RPC) behavior and a device for detecting malicious RPC behavior.

Background

The RPC protocol provides an inter-process communication mechanism through which a program running on one computer can request a service from a program on another computer in the network. RPC follows the client/server model: the program that requests the service acts as the client, and the program that provides it acts as the server.

To distinguish the multiple RPC-based services (hereafter RPC services) offered by one computer, the prior art identifies each RPC service on a server uniquely by a UUID. When an RPC service on the server starts, it requests a high port with a port number in the range 1024 to 65525 and registers that high port under the service's UUID, i.e. a one-to-one mapping between the UUID and the high port number is stored. When a client requests an RPC service from the server, it must establish a connection to the high port corresponding to that RPC service on the server and then request the service over that connection. Specifically, the client first connects to the server through a predetermined query port, such as port 135, queries the server for the high port number corresponding to the UUID of the RPC service it wants, and closes the query connection once the server has returned the high port number; it then uses the returned high port number to establish a connection to the server and request the service.

Because of design vulnerabilities in server systems, a client can perform dangerous operations by requesting the RPC services corresponding to certain UUIDs, for example by sending packets with malformed formats or parameters when requesting an RPC service in order to cause a buffer overflow and thereby gain full control of the server. To address this, the prior art proposes inspecting the RPC call process with an intrusion prevention system (IPS): if the service corresponding to the UUID bound in the RPC call is dangerous, vulnerable, or prohibited from being called, or if the operation performed is prohibited, the call is blocked.

While implementing the present invention, the inventors found that the prior art has at least the following defect:

When a malicious client binds multiple UUIDs during an RPC process, among them the UUID of a malicious RPC service or an attempt to perform a prohibited operation, the existing IPS cannot effectively detect the malicious RPC behavior. Many cases are missed, so the security of the server cannot be ensured.

Summary of the invention

Embodiments of the present invention provide a method for detecting malicious RPC behavior, to solve the problem that prior-art detection of malicious RPC behavior is ineffective and misses many cases.

Correspondingly, embodiments of the present invention also provide a device for detecting malicious RPC behavior.

The technical solution provided by the embodiments is as follows:

A method for detecting malicious remote procedure call (RPC) behavior, comprising:

when a client queries the server for the high port corresponding to an RPC service, recording the UUIDs of all RPC services requested by that client;

during the RPC process, parsing the packets transmitted on the session connection between the client and the server to obtain the RPC stream carried on that connection;

obtaining, from the recorded UUIDs and the RPC stream, all UUIDs involved in the RPC process;

judging whether each of the obtained UUIDs conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior.

A device for detecting malicious RPC behavior, comprising:

a recording module, configured to record, when a client queries the server for the high port corresponding to an RPC service, the UUIDs of all RPC services requested by that client;

a parsing module, configured to parse, during the RPC process, the packets transmitted on the session connection between the client and the server and to obtain the RPC stream carried on that connection;

an acquisition module, configured to obtain all UUIDs involved in the RPC process from the UUIDs recorded by the recording module and the RPC stream obtained by the parsing module;

a detection module, configured to judge whether each of the UUIDs obtained by the acquisition module conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior.

By parsing the exchanged packets, the embodiments obtain all UUIDs the client binds during the RPC process and check the legitimacy of each of them against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This prevents a client from evading the protection device by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.

Description of the drawings

To illustrate the technical solutions of the embodiments or of the prior art more clearly, the drawings needed for describing them are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.

Fig. 1 is a flowchart of the main implementation principle of an embodiment of the invention;

Fig. 2 is a schematic diagram of a network deployment structure provided by an embodiment of the invention;

Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment of the invention;

Fig. 4 is a schematic diagram of the server providing an RPC service to the client through the RPC stream in an embodiment of the invention;

Fig. 5 is a schematic structural diagram of a device for detecting malicious RPC behavior provided by an embodiment of the invention;

Fig. 6 is another schematic structural diagram of a device for detecting malicious RPC behavior provided by an embodiment of the invention.

Detailed description

The inventors analyzed in depth why the existing IPS cannot effectively detect malicious RPC service calls when multiple UUIDs are bound during an RPC process, and found the cause to be the following. Since the RPC call process establishes a connection, and thereby obtains the service, using a UUID and the port number registered for that UUID as parameters, the existing IPS is designed on the premise that only one UUID is bound during one RPC call, i.e. within one TCP session connection carrying RPC content. On that premise, the IPS only needs to inspect the first UUID carried in the connection to protect against malicious RPC calls.

However, a malicious client can evade detection by binding multiple UUIDs in a single RPC call: as long as the RPC service corresponding to the first UUID is permitted, the IPS treats the whole call as non-malicious. A malicious client can bind multiple UUIDs in one RPC call in several ways, for example by using the RPC Alter Context option to call the RPC services of several UUIDs over one TCP session connection, or by carrying multiple UUIDs in one TCP session connection where the first UUID corresponds to a service the server does not support, thereby evading detection.

On the basis of the above analysis, and aimed at the case where detection is evaded by binding multiple UUIDs during one RPC call, the inventors provide a method for detecting malicious RPC call behavior.

The main implementation principle, the specific embodiments, and the corresponding beneficial effects of the technical solutions of the embodiments are described in detail below with reference to the drawings.

As shown in Fig. 1, the main implementation principle of an embodiment of the invention proceeds as follows:

Step 10: when a client queries the server for the high port corresponding to an RPC service, record the UUIDs of all RPC services requested by that client.

Optionally, since the address or port of the client is usually fixed, a protection device deployed between the client and the server can obtain the UUIDs of all RPC services requested by each client by monitoring the traffic on a predetermined query port of the server, such as port 135. Protection devices include, but are not limited to, IPSs and firewalls.

Step 20: during the RPC process, parse the packets transmitted on the session connection between the client and the server to obtain the RPC stream carried on that connection.

The payload of each TCP packet in a TCP session connection can carry data of upper-layer protocols such as the session layer and the application layer. By performing protocol parsing on the payload of each TCP packet in the connection, the RPC stream carried by the packets exchanged between client and server in that session connection can be obtained.

Since the protection device cannot know in advance which port an RPC service will use, it usually lets packets to all high ports pass; to ensure security, it therefore needs to monitor the session connections on all high ports of the server.

Step 30: from the recorded UUIDs and the RPC stream, obtain all UUIDs involved in the RPC process.

In the solution of this embodiment, the protection device parses the RPC stream to obtain all UUIDs bound in it, rather than stopping at the first UUID as the prior art does.

Step 40: by querying the policy library, judge whether each UUID obtained for the RPC process conforms to a predetermined control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.

Specifically, the policy library and the query requirements can be set according to the security level required of the network environment in which the protection device (an IPS, a firewall, etc.) is deployed. For example, for a network environment with high security requirements, a normal control policy can be configured in the policy library; it contains the UUIDs involved in normal RPC processes, and if at least one UUID involved in the client's RPC process does not conform to the normal control policy, the client is determined to have performed malicious RPC behavior. For a network environment with lower security requirements, an abnormal control policy can be configured; it contains the UUIDs involved in malicious RPC behavior, and if at least one UUID involved in the client's RPC process matches the abnormal control policy, the client is determined to have performed malicious RPC behavior, whereas as long as no UUID matches the abnormal control policy, the client is considered to have performed normal RPC behavior.

Optionally, after malicious RPC behavior by the client has been detected, the method further includes blocking the packets corresponding to the malicious RPC behavior in the TCP session connection; the TCP session connection itself may of course also be blocked.

The method for detecting malicious RPC behavior provided by the embodiments parses the payload content of the packets in the TCP session connection to obtain all UUIDs the client binds during the RPC process, and checks the legitimacy of each of them against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This removes the possibility of a client evading the protection device by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.

Based on the above principles of the invention, an embodiment is now described in detail to explain the main implementation principle of the method.

Fig. 2 is a schematic diagram of a network deployment structure provided by an embodiment. The protection device is deployed between the client and the server, and packets exchanged between them must pass the protection device's inspection before being forwarded to the other party. Fig. 2 gives several examples of the packet forwarding process in chronological order. Protection devices include but are not limited to IPSs and firewalls. There may of course be multiple clients and servers; for brevity, Fig. 2 and Fig. 3 show only one client and one server.

Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment.

Step 301: the protection device obtains the port query request of client ClientA by monitoring the traffic on the server's predetermined query port (such as port 135).

Optionally, when the client queries the server for the high port number corresponding to an RPC service's UUID, the Packet Flag field of the port query request it sends is set to 0x03. The protection device can identify the query request from characteristic fields including the Packet Flag field.

If the content of the Packet Flag field is not 0x03, the packet payload carries fragmented data (when many UUIDs are queried they sometimes cannot fit in a single packet); the protection device reassembles the fragments sent by the client to reconstruct the complete query request.

Step 302: the protection device performs protocol parsing on ClientA's port query request, obtains the UUIDs of all RPC services requested by the client, and records them.

Optionally, the protection device may store the UUIDs requested by the client as a record table, a singly linked list, a tree, or similar. Storage as a record table is shown in Table 1.

Table 1

Optionally, since the server does not support the RPC services of all UUIDs the client requests, and will not provide a requested service it does not support, Table 1 can be pruned to reduce the protection device's subsequent traffic-monitoring burden, as in step 303.

Step 303: the protection device performs protocol parsing on the port query response returned by the server, learns whether the server supports each UUID requested by the client, and deletes from the record the UUIDs of RPC services the server does not support.

If the server supports the service corresponding to a UUID carried in the client's query request, it returns the corresponding high port number in the query response; otherwise it returns a rejection, such as Provider rejection (0x02). If the protection device can obtain the high port number for a UUID from the query response, the server supports the RPC service identified by that UUID; otherwise the server does not support it.

In this embodiment the server does not support the RPC services corresponding to UUID121 and UUID80; Table 2 shows Table 1 after pruning.

Table 2

Step 304: the client establishes a TCP session connection with the server using the high port number obtained for the UUID. Server and client carry the RPC stream over the TCP session connection and exchange parameters and data, thereby providing the RPC service.

The process by which the server provides the RPC service to the client through the RPC stream is as follows:

Step 401: the client sends "sequence number of the UUID + operator" to the server, where the sequence number indicates the order in which the client sent the UUIDs during the port query phase;

Operators include, but are not limited to, the operator "w" for a write operation, "r" for a read operation, "q" for a query operation, and so on.

Step 402: the server performs the corresponding processing according to the "sequence number + operator";

Step 403: when the processing corresponding to the "sequence number + operator" requires information to be returned to the client, the server returns the processing result to the client.

For example, when the operator is "r" for a read operation, the server must return the data read to the client; when the operator is "w" for a write operation, the server must return the success or failure of the write to the client.

Steps 401 to 403 may be repeated multiple times, and the sequence number and operator the client sends may differ each time.

步骤305,防护设备对通过该防护设备的客户机与服务器之间TCP会话连接中所传输的数据包进行解析,获得RPC流。Step 305, the protection device analyzes the data packets transmitted in the TCP session connection between the client and the server passing through the protection device, and obtains the RPC flow.

防护设备对客户机发送的流经该防护设备的数据包进行IP分片重组,在此基础上再进行会话内容重组。然后对会话内容进行协议解析,从中获得RPC流。The protection device reassembles the IP fragmentation of the data packets sent by the client and flows through the protection device, and then reassembles the session content on this basis. Then protocol analysis is performed on the session content, and the RPC stream is obtained from it.

防护设备通过步骤306~步骤308,获得客户机RPC过程相关的所有UUID。The protection device obtains all UUIDs related to the client RPC process through steps 306 to 308 .

步骤306,防护设备从所述RPC流中解析出携带的每个RPC服务的顺序号。Step 306, the protection device parses out the sequence number of each RPC service carried in the RPC stream.

可选地,防护设备还可以从RPC流中解析获得各顺序号对应的操作符。Optionally, the protection device may also parse the RPC stream to obtain operators corresponding to each sequence number.

例如,防护设备从客户机ClientA与服务器的RPC流中获得S1、S2+“r”、S3+“w”。For example, the protection device obtains S1, S2+"r", and S3+"w" from the RPC flow between the client ClientA and the server.

步骤307,防护设备根据记录所述UUID时的先后顺序,得到记录的每个UUID对应的顺序号,并保存UUID和顺序号的对应关系,如表3所示。In step 307, the protection device obtains the sequence number corresponding to each recorded UUID according to the sequence in which the UUIDs are recorded, and saves the corresponding relationship between the UUID and the sequence number, as shown in Table 3.

表3table 3

步骤308,防护设备对于每个解析出的顺序号,在所述对应关系中查找对应的UUID,从而获得与所述RPC过程相关的所有UUID。Step 308 , for each parsed sequence number, the protection device searches for the corresponding UUID in the corresponding relationship, so as to obtain all UUIDs related to the RPC process.

可选地,经查找还可以获得与所述RPC过程相关的UUID与操作符的组合。Optionally, a combination of a UUID and an operator related to the RPC process can also be obtained after searching.

例如,经查找还可以得到与RPC过程相关的各UUID、以及各UUID与操作符的组合为:UUID2、UUID75+“r”、UUID105+“w”。For example, after searching, it can also be found that the combinations of UUIDs related to the RPC process, and the combinations of UUIDs and operators are: UUID2, UUID75+"r", UUID105+"w".

步骤309,防护设备查询策略库,判断与本次RPC过程相关的各UUID是否符合预定的控制策略,以此检测客户机是否执行了恶意RPC行为,若是进入步骤310,否则进入步骤311。In step 309, the protection device queries the policy database to determine whether each UUID related to this RPC process conforms to the predetermined control policy, so as to detect whether the client has executed a malicious RPC behavior. If so, go to step 310; otherwise, go to step 311.

可选地,还判断本次RPC过程相关的各UUID与操作符的组合是否符合预定的控制策略。Optionally, it is also judged whether the combinations of UUIDs and operators related to this RPC process conform to a predetermined control strategy.

具体检测方式包括但不限于以下两种:Specific detection methods include but are not limited to the following two:

方式一:若策略库中包含正常控制策略,所述正常控制策略包含正常的RPC行为相关的UUID,则若防护设备判断与本次RPC行为相关的至少一个UUID不符合所述正常控制策略,则确定所述客户机执行了恶意RPC行为。Mode 1: If the policy library contains normal control policies, and the normal control policies include UUIDs related to normal RPC behaviors, then if the protection device judges that at least one UUID related to this RPC behavior does not conform to the normal control policies, then It is determined that the client computer has performed a malicious RPC behavior.

正常策略库如表4所示,The normal policy library is shown in Table 4,

表4Table 4

On querying the policy library, the protection device confirms that, among the UUIDs related to ClientA's RPC behaviour and the UUID-operator combinations, UUID2 conforms to policy 1 and UUID75+"r" conforms to policy 2, but UUID105+"w" does not conform to policy 3, because policy 3 stipulates that only read operations are allowed on the RPC service identified by UUID105, whereas ClientA attempts a write operation on that service. Because policy 3 is not met, the protection device concludes that ClientA has performed a malicious RPC behaviour.

Method 2:

If the policy library contains an abnormal control strategy, that strategy holds the UUIDs related to malicious RPC behaviour. If the protection device determines that at least one UUID related to the current RPC process matches the abnormal control strategy, it determines that the client has performed a malicious RPC behaviour.

The normal policy library is shown in Table 5.

Table 5

On querying the policy library, the protection device confirms that, among the UUIDs related to ClientA's RPC behaviour and the UUID-operator combinations, UUID2 matches policy 4 and UUID75+"r" matches policy 5, while UUID105+"w" does not match policy 6, because policy 3 stipulates that read operations are not allowed on the RPC service identified by UUID105, whereas the write operation that ClientA attempts on that service is allowed. Because policies 4 and 5 are matched, the protection device concludes that ClientA has performed a malicious RPC behaviour.

It should be noted that the specific detection methods are not limited to the two above and can be configured flexibly. For example, the normal control strategy may be applied to UUIDs in a first predetermined range, such as UUIDs numbered 0 to 100 and the UUID-operator combinations in that range, while the abnormal control strategy is applied to UUIDs in a second predetermined range, such as UUIDs numbered 101 to 200 and the UUID-operator combinations in that range.
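As an added illustration of the two detection methods above and of the range-based mix (example code written for this page, not code from the patent), the following Python applies a normal control strategy and an abnormal control strategy to the UUIDs and UUID+operator combinations of one RPC process. The policy library contents, the UUID labels such as "UUID105", the operators "r"/"w", and the convention that the number in a label decides which predetermined range it falls in are all constructed assumptions.

```python
"""Added example (not code from the patent): the normal and abnormal control
strategies applied to the UUIDs and UUID+operator combinations of one RPC
process, plus the range-based mix the text mentions. UUID labels such as
"UUID105", operators "r"/"w" and policy numbers are constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Policy:
    pid: int                         # policy number, as in "policy 3"
    uuid: str                        # RPC service the policy speaks about
    ops: Optional[frozenset] = None  # operators the policy covers; None = any


@dataclass
class PolicyLibrary:
    normal: list = field(default_factory=list)    # allowed behaviour
    abnormal: list = field(default_factory=list)  # known-malicious behaviour


def _allowed_by(policy, uuid, op):
    """Normal-strategy match: the service is listed and, when an operator is
    present, it is one the policy permits."""
    if policy.uuid != uuid:
        return False
    return op is None or policy.ops is None or op in policy.ops


def _forbidden_by(policy, uuid, op):
    """Abnormal-strategy match: the service is listed and the policy either
    covers any operator or names the one used."""
    if policy.uuid != uuid:
        return False
    return policy.ops is None or (op is not None and op in policy.ops)


def check_normal(lib, combos):
    """Method 1: every entry must match some normal policy. Returns the first
    entry that matches none (the malicious one), or None if all are allowed."""
    for uuid, op in combos:
        if not any(_allowed_by(p, uuid, op) for p in lib.normal):
            return (uuid, op)
    return None


def check_abnormal(lib, combos):
    """Method 2: one entry matching an abnormal policy is enough. Returns
    (entry, policy number) of the first hit, or None."""
    for uuid, op in combos:
        for p in lib.abnormal:
            if _forbidden_by(p, uuid, op):
                return ((uuid, op), p.pid)
    return None


def uuid_index(label):
    """Constructed convention for this example: the number in a label such
    as "UUID105" decides which predetermined range it falls in."""
    return int(re.search(r"\d+", label).group())


def check_ranged(lib, combos, normal_range=(0, 100), abnormal_range=(101, 200)):
    """The mixed scheme: normal strategy for the first range, abnormal strategy
    for the second. Entries outside both ranges are left undecided."""
    lo_n, hi_n = normal_range
    lo_a, hi_a = abnormal_range
    for uuid, op in combos:
        idx = uuid_index(uuid)
        if lo_n <= idx <= hi_n and check_normal(lib, [(uuid, op)]):
            return (uuid, op)
        if lo_a <= idx <= hi_a and check_abnormal(lib, [(uuid, op)]):
            return (uuid, op)
    return None


# Constructed policy library mirroring the page's policies 1-6.
LIB = PolicyLibrary(
    normal=[Policy(1, "UUID2"), Policy(2, "UUID75", frozenset("r")),
            Policy(3, "UUID105", frozenset("r"))],     # UUID105: read only
    abnormal=[Policy(4, "UUID2"), Policy(5, "UUID75", frozenset("r")),
              Policy(6, "UUID105", frozenset("r"))],   # UUID105: read is malicious
)

# ClientA's RPC behaviour as the page describes it: UUID2 (no operator),
# UUID75 with read, UUID105 with write.
CLIENT_A = [("UUID2", None), ("UUID75", "r"), ("UUID105", "w")]

if __name__ == "__main__":
    print("method 1:", check_normal(LIB, CLIENT_A))     # ('UUID105', 'w')
    print("method 2:", check_abnormal(LIB, CLIENT_A))   # (('UUID2', None), 4)
    print("ranged:", check_ranged(LIB, CLIENT_A))       # None
```

Method 1 returns the write on UUID105 because no normal policy permits it; method 2 returns the first entry that an abnormal policy covers; in the ranged scheme the same write is judged under the abnormal strategy only, which names reads, so nothing is flagged. A bare UUID with no operator is treated as allowed when its service is listed at all, which is the reading that makes UUID2 conform to policy 1 in the text.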

Step 310: after detecting that the client has performed a malicious RPC behaviour, the protection device blocks the data packets corresponding to that behaviour.

Specifically, the protection device blocks the data packets corresponding to the malicious RPC behaviour. For example, when the protection device uses Method 1 in step 309, it blocks the data packets with which ClientA attempts to perform a write operation on the RPC service identified by UUID105. The protection device may also apply other control measures to the client according to a preset blocking policy: for example, whenever a malicious RPC behaviour is detected, it may block all data packets of the client's current TCP session connection and add the client's identifier, such as its user name or address, to a blacklist library.

Step 311: if the protection device detects no malicious RPC behaviour from the client, the RPC stream is allowed through the protection device and the server provides the remote RPC service to the client.

In the method for detecting malicious RPC behaviour provided by this embodiment, the protection device placed between the client and the server parses the data packets of the TCP session connections flowing through it, obtains the RPC stream of the RPC process executed between the client and the server, and from it obtains all UUIDs the client bound during the RPC process. The validity of each of these UUIDs is checked against the policies in the policy library: the client's RPC behaviour is confirmed as normal only when every UUID conforms to the normal control strategy, or when no UUID matches the abnormal control strategy; otherwise the client is confirmed to have performed a malicious RPC behaviour. This eliminates the possibility of a client evading IPS detection by binding multiple UUIDs, improves the effectiveness of IPS detection of malicious RPC behaviour, and thereby strengthens the security of the protected RPC server.

Correspondingly, an embodiment of the present invention also provides a device for detecting malicious RPC behaviour, which can be integrated into protection equipment such as an IPS or a firewall. As shown in Figure 5, the device comprises a recording module 501, a parsing module 502, an obtaining module 503 and a detection module 504, as follows:

The recording module 501 is configured to record the UUIDs of all RPC services requested by the client when the client queries the server for the high port corresponding to an RPC service;

The parsing module 502 is configured to parse, during the RPC process, the data packets transmitted in the session connection between the client and the server, and obtain the RPC stream carried on that session connection;

The obtaining module 503 is configured to obtain all UUIDs related to the RPC process according to the UUIDs recorded by the recording module 501 and the RPC stream obtained by the parsing module 502;

The detection module 504 is configured to judge whether each of the UUIDs obtained by the obtaining module 503 conforms to the predetermined control strategy in the policy library, and thereby detect whether the client has performed a malicious RPC behaviour.

Optionally, the detection device further comprises:

A blocking module 505, configured to block the data packets corresponding to the malicious RPC behaviour after the detection module 504 determines that the client has performed it.

Optionally, as shown in Figure 6, the detection device further comprises:

A storage module 506, configured to derive, from the order in which the recording module 501 records the UUIDs, a sequence number for each recorded UUID, and to store the correspondence between UUIDs and sequence numbers;

Correspondingly, the obtaining module 503 comprises:

A parsing unit 601, configured to parse out of the RPC stream the sequence number of each RPC service carried in it;

An obtaining unit 602, configured to look up, for each parsed sequence number, the corresponding UUID in the correspondence stored by the storage module 506, and thereby obtain all UUIDs related to the RPC process.

Optionally, the detection module 504 comprises:

A screening unit 603, configured to screen all UUIDs related to the RPC behaviour obtained by the obtaining module 503 and remove those of RPC services the server does not support;

A detection unit 604, configured to query the policy library and judge whether each UUID retained by the screening unit 603 conforms to the predetermined control strategy.

Optionally, the parsing unit 601 of Figure 6 is further configured to parse out of the RPC stream the combination of sequence number and operator of each RPC service carried in it;

The obtaining unit 602 is further configured to look up, for each sequence-number and operator combination parsed by the parsing unit 601, the UUID corresponding to that sequence number in the stored correspondence, and thereby obtain all UUID-operator combinations related to the RPC process.

Correspondingly, the screening unit 603 is further configured to screen each UUID-operator combination obtained by the obtaining unit and remove the combinations belonging to RPC services the server does not support;

The detection unit 604 is further configured to query the policy library and judge whether each UUID-operator combination retained by the screening unit 603 conforms to the predetermined control strategy.
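The chain of modules and units just described (recording, storage, parsing, obtaining, screening, detection and blocking) as an added Python example; this is not the patent's own code. The textual RPC-stream line format, the list of services the server supports and the abnormal policy set are constructed for the example, and reporting a sequence number that has no recorded UUID as a separate condition is an added choice rather than something the text specifies.

```python
"""Added illustration of the detection device's module pipeline
(recording -> storage -> parsing -> obtaining -> screening -> detection -> blocking).
Not the patent's code; the RPC-stream line format, UUID labels, server
capability list and abnormal policy set are constructed sample data."""
import re


class RecordingModule:
    """Records the UUIDs the client asks the server about when querying the
    high port, in order, and keeps the UUID <-> sequence-number correspondence
    (the storage module's job)."""

    def __init__(self):
        self.seq_to_uuid = {}

    def record(self, uuids):
        for uuid in uuids:
            seq = len(self.seq_to_uuid) + 1   # sequence number = recording order
            self.seq_to_uuid[seq] = uuid
        return dict(self.seq_to_uuid)


# Constructed line format for the RPC stream (an assumption for this example,
# not the real DCE/RPC encoding): "call seq=<n> op=<r|w>".
_CALL = re.compile(r"^call seq=(\d+) op=([rw])$")


def parse_combos(rpc_stream):
    """Parsing unit: the sequence-number + operator combinations in the stream.
    Lines that do not fit the format are ignored."""
    combos = []
    for line in rpc_stream.splitlines():
        m = _CALL.match(line.strip())
        if m:
            combos.append((int(m.group(1)), m.group(2)))
    return combos


def resolve_uuids(seq_to_uuid, seq_combos):
    """Obtaining unit: look each sequence number up in the stored correspondence.
    Sequence numbers never recorded are returned separately (added choice)."""
    resolved, unknown = [], []
    for seq, op in seq_combos:
        if seq in seq_to_uuid:
            resolved.append((seq_to_uuid[seq], op))
        else:
            unknown.append(seq)
    return resolved, unknown


def screen(combos, server_supported):
    """Screening unit: drop combinations whose UUID the server does not serve."""
    return [c for c in combos if c[0] in server_supported]


def detect(combos, abnormal):
    """Detection unit: abnormal-strategy check, a UUID+operator in the set is malicious."""
    return [c for c in combos if c in abnormal]


def run_pipeline(queried_uuids, rpc_stream, server_supported, abnormal):
    """Whole device: returns the mapping, what survived screening, and the
    blocking decision for the malicious entries found."""
    mapping = RecordingModule().record(queried_uuids)
    resolved, unknown = resolve_uuids(mapping, parse_combos(rpc_stream))
    kept = screen(resolved, server_supported)
    hits = detect(kept, abnormal)
    return {
        "mapping": mapping,
        "combos": kept,
        "unknown_seq": unknown,
        "malicious": hits,
        "action": "block" if hits else "allow",
    }


# Constructed sample input: four services queried (so the client binds several
# UUIDs in one session), five calls in the stream, one of them with a sequence
# number that was never recorded.
SAMPLE_QUERIES = ["UUID2", "UUID75", "UUID105", "UUID300"]
SAMPLE_STREAM = """\
call seq=1 op=r
call seq=2 op=r
call seq=3 op=w
call seq=4 op=w
call seq=9 op=r
"""
SERVER_SUPPORTED = {"UUID2", "UUID75", "UUID105"}   # constructed; UUID300 not served
ABNORMAL = {("UUID105", "w")}                       # constructed abnormal policy

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_QUERIES, SAMPLE_STREAM, SERVER_SUPPORTED, ABNORMAL))
```

The run binds all four queried UUIDs, so a client that binds several UUIDs in one session has every one of them resolved and checked, which is the evasion the text says the method closes. The call for the unserved UUID300 is screened out before the policy check, and the write on UUID105 is the single entry that triggers the blocking decision.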

Those of ordinary skill in the art will understand that all or part of the steps of the method in the above embodiments can be carried out by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, provided that these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to encompass them as well.

Claims (14)

1. A method for detecting malicious remote procedure call (RPC) behaviour, characterized in that it comprises:
when a client queries a server for the high port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client;
during the RPC process, parsing the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection;
obtaining, from the recorded UUIDs and the RPC stream, all UUIDs related to the RPC process;
judging whether each of the obtained UUIDs conforms to a predetermined control strategy in a policy library, and thereby detecting whether the client has performed a malicious RPC behaviour.
2. The method of claim 1, characterized in that, before obtaining the RPC stream carried on the session connection, it further comprises:
deriving, from the order in which the UUIDs are recorded, a sequence number for each recorded UUID, and storing the correspondence between UUIDs and sequence numbers;
and in that obtaining all UUIDs related to the RPC process from the recorded UUIDs and the RPC stream comprises:
parsing out of the RPC stream the sequence number of each RPC service carried in it;
for each parsed sequence number, looking up the corresponding UUID in the correspondence, thereby obtaining all UUIDs related to the RPC process.
3. The method of claim 1, characterized in that judging whether each obtained UUID conforms to a predetermined control strategy in the policy library comprises:
screening all obtained UUIDs related to the RPC process to remove the UUIDs of RPC services the server does not support;
querying the policy library to judge whether each UUID retained by the screening conforms to the predetermined control strategy.
4. The method of any one of claims 1 to 3, characterized in that the policy library comprises a normal control strategy or an abnormal control strategy, the normal control strategy comprising UUIDs related to normal RPC behaviour and the abnormal control strategy comprising UUIDs related to malicious RPC behaviour;
and in that judging whether each UUID conforms to a predetermined control strategy in the policy library, and thereby detecting whether the client has performed a malicious RPC behaviour, comprises:
judging whether each UUID conforms to the normal control strategy in the policy library and, if it does not, determining that the client has performed a malicious RPC behaviour; and/or
judging whether each UUID matches the abnormal control strategy in the policy library and, if it does, determining that the client has performed a malicious RPC behaviour.
5. The method of claim 2, characterized in that, after obtaining all UUIDs related to the RPC behaviour from the recorded UUIDs and the RPC stream, it further comprises:
parsing out of the RPC stream the combination of sequence number and operator of each RPC service carried in it;
for each such combination, looking up the UUID corresponding to its sequence number in the correspondence, thereby obtaining all UUID-operator combinations related to the RPC process.
6. The method of claim 5, characterized in that judging whether each obtained UUID conforms to a predetermined control strategy in the policy library comprises:
screening each obtained UUID and each UUID-operator combination to remove the UUIDs of RPC services the server does not support and the UUID-operator combinations of those unsupported RPC services;
querying the policy library to judge whether each UUID and each UUID-operator combination retained by the screening conforms to the predetermined control strategy.
7. The method of any one of claims 1, 2, 3, 5 or 6, characterized in that, after detecting that the client has performed a malicious RPC behaviour, it further comprises:
blocking the data packets corresponding to the malicious RPC behaviour.
8. A device for detecting malicious RPC behaviour, characterized in that it comprises:
a recording module, for recording, when a client queries a server for the high port corresponding to an RPC service, the UUIDs of all RPC services requested by the client;
a parsing module, for parsing, during the RPC process, the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection;
an obtaining module, for obtaining all UUIDs related to the RPC process from the UUIDs recorded by the recording module and the RPC stream obtained by the parsing module;
a detection module, for judging whether each of the UUIDs obtained by the obtaining module conforms to a predetermined control strategy in a policy library, and thereby detecting whether the client has performed a malicious RPC behaviour.
9. The device of claim 8, characterized in that it further comprises:
a storage module, for deriving, from the order in which the recording module records the UUIDs, a sequence number for each recorded UUID, and storing the correspondence between UUIDs and sequence numbers;
and in that the obtaining module comprises:
a parsing unit, for parsing out of the RPC stream the sequence number of each RPC service carried in it;
an obtaining unit, for looking up, for each parsed sequence number, the corresponding UUID in the correspondence stored in the storage module, thereby obtaining all UUIDs related to the RPC process.
10. The device of claim 8, characterized in that the detection module comprises:
a screening unit, for screening all UUIDs related to the RPC process obtained by the obtaining module and removing the UUIDs of RPC services the server does not support;
a detection unit, for querying the policy library to judge whether each UUID retained by the screening unit conforms to the predetermined control strategy.
11. The device of claim 9, characterized in that the detection module comprises:
a screening unit, for screening all UUIDs related to the RPC process obtained by the obtaining module and removing the UUIDs of RPC services the server does not support;
a detection unit, for querying the policy library to judge whether each UUID retained by the screening unit conforms to the predetermined control strategy.
12. The device of claim 11, characterized in that:
the parsing unit is further for parsing out of the RPC stream the combination of sequence number and operator of each RPC service carried in it;
the obtaining unit is further for looking up, for each sequence-number and operator combination parsed by the parsing unit, the UUID corresponding to its sequence number in the correspondence, thereby obtaining all UUID-operator combinations related to the RPC process.
13. The device of claim 12, characterized in that:
the screening unit is further for screening each UUID-operator combination obtained by the obtaining unit and removing the UUID-operator combinations of RPC services the server does not support;
the detection unit is further for querying the policy library to judge whether each UUID-operator combination retained by the screening unit conforms to the predetermined control strategy.
14. The device of any one of claims 8 to 13, characterized in that it further comprises:
a blocking module, for blocking the data packets corresponding to the malicious RPC behaviour after the detection module determines that the client has performed it.
CN201110449688.8A 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors Expired - Fee Related CN102438023B (en)

Publications (2)

Publication Number Publication Date
CN102438023A CN102438023A (en) 2012-05-02
CN102438023B true CN102438023B (en) 2014-08-20

Family

ID=45985895


Country Status (1)

Country Link
CN (1) CN102438023B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221009

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611731 Hi Tech University of Electronic Science and Technology, No. 88, Tianchen Road, Qingshuihe District, Western Park, Hi Tech Zone, Chengdu, Sichuan

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140820