
WO2021046811A1 - Attack behavior determination method and apparatus, and computer storage medium - Google Patents


Info

Publication number
WO2021046811A1
Authority
WO
WIPO (PCT)
Prior art keywords
specified operation
instruction execution
actual
execution logic
logic sequence
Prior art date
Application number
PCT/CN2019/105747
Other languages
French (fr)
Chinese (zh)
Inventor
徐贵斌
Original Assignee
奇安信安全技术(珠海)有限公司
奇安信科技集团股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 奇安信安全技术(珠海)有限公司, 奇安信科技集团股份有限公司 filed Critical 奇安信安全技术(珠海)有限公司
Priority to PCT/CN2019/105747 priority Critical patent/WO2021046811A1/en
Priority to CN201980094807.7A priority patent/CN113632432B/en
Publication of WO2021046811A1 publication Critical patent/WO2021046811A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to the field of information network security, in particular to a method, a device, a computer storage medium and a computing device for determining an attack behavior.
  • APT Advanced Persistent Threat
  • Advanced Persistent Threat is a cyber attack and intrusion launched by hackers against a customer for the purpose of stealing core information. It is a long-planned "malicious business espionage threat". Such activity usually follows long-term operation and planning and is highly covert.
  • the attack method of an APT is to conceal itself and steal data from a specific target in a long-term, planned and organized manner. This stealing of data and gathering of intelligence in the digital space is a form of "cyber espionage".
  • ordinary attacks usually do not have a clear target.
  • An APT attack usually has a clear target chosen in advance, and systems that are not the target are not attacked even if they have vulnerabilities. It also has a clear purpose, mainly theft. After a successful compromise it does not act immediately but hides; when certain conditions are met, or the target object appears, it strikes quickly to accomplish its intended purpose.
  • APT attacks usually use exclusive private vulnerabilities and write exclusive private attack codes.
  • the vulnerabilities and code do not spread on a large scale, so it is very difficult for security companies to obtain samples, and correspondingly difficult to discover APT attacks by "feature matching".
  • APT attacks usually remain hidden, and little additional behaviour occurs before the instruction to launch the formal attack is received or before the target appears, so it is also difficult for security software to detect APT attacks through "behaviour identification".
  • APT attacks are usually initiated by countries or organizations. They have abundant available resources and can implement various effective protections. They can hide themselves in normal software and hardware codes and wait for opportunities to act silently.
  • the Stuxnet virus, which was once a sensation, fully demonstrated the concealment, harmfulness and difficulty of defending against APT attacks.
  • the target of the Stuxnet virus attack is clear: a nuclear plant in a certain country.
  • the attack cycle is very long: first infect the nuclear plant's system maintenance contractor and lie dormant until an infected device enters the isolated network of the real target, the "nuclear plant"; then spread laterally, infect the industrial control system and damage the nuclear industrial facilities. The whole process took about one year.
  • the present invention is proposed to provide a method, device, computer storage medium and computing device for determining attack behaviors that overcome the above-mentioned problems or at least partially solve the above-mentioned problems, which can effectively discover various attack behaviors.
  • a method for judging attack behavior including:
  • the designated operation includes an operation on a key file or a key location.
  • monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation includes:
  • the specified operation is captured during the actual execution of the specified operation, and the actual instruction execution logic sequence of the specified operation is obtained.
  • the preset instruction execution logic sequence of the specified operation is collected in the following manner:
  • the preset instruction execution logic sequence of the specified operation is collected.
  • an apparatus for judging attack behavior including:
  • the monitoring module is adapted to monitor the actual execution of the specified operation, and obtain the actual instruction execution logic sequence of the specified operation;
  • the comparison module is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • the determination module is adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the designated operation is inconsistent with the preset instruction execution logic sequence of the designated operation.
  • the designated operation includes an operation on a key file or a key location.
  • the monitoring module is further adapted to: monitor the actual flow of the code executed by the central processing unit, record and save relevant information about the branch instructions actually executed by the central processing unit, and extract the actual instruction execution logic sequence of the specified operation from that branch-instruction information.
  • the monitoring module is further adapted to: request from the platform or the operating system the capability to monitor the actual flow of the code executed by the central processing unit and to record and save the relevant information of the branch instructions actually executed by the central processing unit; based on the requested capability, extract the actual instruction execution logic sequence of the specified operation from the relevant information of the branch instructions.
  • the monitoring module is further adapted to: set a hook for monitoring the actual execution of the specified operation; use the set hook to capture the specified operation during its actual execution, and obtain the actual instruction execution logic sequence of the specified operation.
  • the device further includes:
  • the first collection module is adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  • the device further includes:
  • the second collection module is adapted to collect multiple instruction execution logic sequences involved in the actual execution of the specified operation on a single computer, and to determine the preset instruction execution logic sequence of the specified operation based on those multiple sequences;
  • a computer storage medium stores computer program code which, when run on a computing device, causes the computing device to execute the foregoing attack behavior determination method.
  • a computing device including: a processor; and a memory storing computer program code which, when executed by the processor, causes the computing device to perform the above-mentioned attack behavior determination method.
  • the embodiment of the present invention breaks away from the level of "code features and behaviors" and is innovatively based on the level of the instruction execution logic sequence: the preset instruction execution logic sequence of the specified operation is compared with the actual instruction execution logic sequence, and when the comparison is inconsistent it is determined that an attack is occurring, so that various attack behaviors can be found effectively.
  • the embodiment of the present invention can monitor, in a targeted manner, the actual execution of the designated operation on a key file or key location, and obtain the actual instruction execution logic sequence of that designated operation.
  • the actual instruction execution logic sequence of the designated operation on the key file or key location is compared with the preset instruction execution logic sequence; when the comparison is inconsistent, it is determined that an attack is occurring, which improves the efficiency of attack determination and discovers the attack in time, so that corresponding protective measures can be taken.
  • Figure 1 shows the execution logic diagram of a complete program
  • Figure 2 shows a flow chart of a method for judging an attack according to an embodiment of the present invention
  • Fig. 3 shows a flowchart of a method for judging an attack according to another embodiment of the present invention
  • Figure 4 shows a flow chart of instruction execution according to another embodiment of the present invention.
  • FIG. 5 shows a structural diagram of a device for determining an attack behavior according to an embodiment of the present invention.
  • Fig. 6 shows a structural diagram of a device for judging an attacking behavior according to another embodiment of the present invention.
  • the code is composed of a set of predefined instructions.
  • call: call; mov: move; cmp: compare; jnz: conditional jump according to the comparison result.
  • This code is fixed from beginning to end and constitutes the execution logic. It does not change: unless the code itself is changed, the logic does not change.
  • Figure 1 is a diagram of the execution logic of a complete program. It can be seen from Figure 1 that the execution logic of the entire program is composed of countless "conditional judgments" and "branches"; different branches are executed under different conditions, forming an execution chain.
  • Fig. 2 shows a flowchart of a method for judging an attack according to an embodiment of the present invention. As shown in Figure 2, the method may include the following steps S201 to S203:
  • Step S201: monitor the actual execution of the specified operation, and obtain the actual instruction execution logic sequence of the specified operation;
  • Step S202: compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • Step S203: if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation, determine that an attack is occurring.
  • the embodiment of the present invention is innovatively based on the level of the instruction execution logic sequence, and compares the preset instruction execution logic sequence of the specified operation with the actual instruction execution logic sequence; when the comparison is inconsistent, it is determined that an attack is occurring, so that all kinds of attacks can be discovered effectively.
  • the above-mentioned designated operation may be various sensitive operations on key files or key locations.
  • the key file here may be a file that is more important to enterprises or individual users, or a file that is more important to the system, etc., which is not limited in the embodiment of the present invention.
  • the key location here may be a system directory, a key disk area, etc., which is not limited in the embodiment of the present invention. Attackers attack these key files or key locations to achieve the purpose of stealing data and obtaining permissions.
  • the embodiment of the present invention can monitor, in a targeted manner, the actual execution of the designated operation on a key file or key location, obtain the actual instruction execution logic sequence of that designated operation, and then compare it with the preset instruction execution logic sequence. When the comparison is inconsistent, it is determined that an attack is occurring, which improves the efficiency of attack determination and discovers the attack in time, so that corresponding protective measures can be taken.
  • in step S201 the actual execution of the specified operation is monitored, and the actual instruction execution logic sequence of the specified operation is obtained.
  • the embodiment of the present invention provides optional solutions such as using existing monitoring capabilities or setting up monitoring, which are described in detail below.
  • the actual flow of the code executed by the central processing unit can be monitored, and the relevant information of the branch instructions actually executed by the central processing unit can be recorded and saved; the actual instruction execution logic sequence of the specified operation can then be extracted from the saved branch-instruction information.
  • chip manufacturers, hardware manufacturers, or operating system manufacturers can also integrate instruction execution sequence monitoring into the system.
  • Embodiments of the present invention can request the corresponding capability, obtain the relevant information about branch instructions on the basis of the requested capability, and then extract the actual instruction execution logic sequence of the specified operation from that information.
  • the preset instruction execution logic sequence of the specified operation mentioned in step S202 above is the instruction execution logic sequence of the specified operation in the normal operation scenario, which can be specifically collected in the following manner.
  • Manner 1: collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  • the trusted environment here may be a factory system environment, a system environment carrying the valid digital signature of a legitimate company, etc.
  • the embodiment of the present invention may select a trusted environment according to actual needs, and there is no limitation on this.
  • Manner 2: on a single computer, collect multiple instruction execution logic sequences involved in the actual execution of the specified operation; based on those multiple sequences, determine the preset instruction execution logic sequence of the specified operation.
  • the sequence P can be determined as the preset instruction execution logic sequence of the specified operation. It should be noted that the examples here are only illustrative and do not limit the present invention.
  • Manner 3: among multiple computers, collect one or more instruction execution logic sequences involved in the actual execution of the specified operation on each computer; based on the one or more instruction execution logic sequences corresponding to each computer, determine the preset instruction execution logic sequence of the specified operation.
  • if the instruction execution logic sequences generated during the actual execution of the specified operation are all the same sequence P, then P can be determined as the preset instruction execution logic sequence of the specified operation. It should be noted that the examples here are only illustrative and do not limit the present invention.
  • the above manners 2 and 3 rest on the principle that "for the same program or the same piece of code, provided all conditions are identical, exactly the same execution chain is obtained". In normal operating scenarios, whether the instruction sequence for the same condition is collected repeatedly on a single computer or collected across multiple computers, the collected sequences should be identical. If they differ, an anomaly must exist, for example a HOOK point planted by APT attack code.
  • if the purpose of the APT attacker is to steal all file data containing the word "secret", then the working logic designed is nothing more than: after a file is created successfully, read the file and judge whether its title contains the word "confidential"; if so, send it back, otherwise ignore it.
  • steps S301 to S303 can be used to discover attack behavior.
  • step S301 the actual execution of the file operation is monitored, and the actual instruction execution logic sequence of the file operation is obtained.
  • the file operation can specifically be an operation on a "secret" file.
  • step S302 the actual instruction execution logic sequence of the file operation is compared with the preset instruction execution logic sequence of the file operation.
  • step S303: if the actual instruction execution logic sequence of the file operation is inconsistent with the preset instruction execution logic sequence of the file operation, it is determined that an APT attack is occurring.
  • step S301 can be returned to continue to monitor the actual execution of the file operation.
  • when the Stuxnet virus launched its APT attack on a nuclear plant in a certain country, it used a Windows operating system shortcut parsing vulnerability (vulnerability number: MS10-046). Its exploitation principle and instruction execution flow are shown in Figure 4 below.
  • LoadLibrary is called to load the specified DLL/CPL file.
  • the first three execution logics 1, 2, and 3 are normal shortcut parsing logic, because the flag bit is always non-zero under normal circumstances.
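The following Python block is an added example and is not code from the patent or its assignee. It models steps S201 to S203 together with baseline-collection manners 2 and 3 over branch traces: a trace is the ordered list of (branch site, destination, taken) records that a CPU branch-trace facility or a hook would yield for one execution of the specified operation (both facilities are assumed, not implemented), several identical traces are accepted as the preset sequence, and an actual trace is judged an attack at the first record that differs. The operation, the addresses and the three traces are constructed assumptions: the second trace mirrors the flag-bit case described above, where a jnz that is always taken in the preset falls through to a path ending in a library load, and the third models a hook placed at the operation's entry.

```python
"""Comparing a specified operation's actual branch sequence with its preset one.

Added example, not the patent's code.  A "sequence" is modelled as the ordered
list of branch records that a CPU trace facility or a hook (both assumed) would
yield for one execution of the specified operation.  All traces are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# (site of the branch instruction, destination, whether the branch was taken)
BranchRecord = Tuple[str, str, bool]


@dataclass(frozen=True)
class Divergence:
    index: int                          # first position where the sequences differ
    expected: Optional[BranchRecord]    # None: the actual run executed extra branches
    actual: Optional[BranchRecord]      # None: the actual run ended early


def build_preset_sequence(runs: Iterable[Sequence[BranchRecord]]) -> List[BranchRecord]:
    """Manners 2 and 3: several traces of the same operation (from one machine or
    from several) are accepted as the preset sequence only if they are all
    identical; any disagreement means the collection environment itself may be
    compromised, so no baseline is produced."""
    traces = [list(run) for run in runs]
    if not traces:
        raise ValueError("at least one trace is needed to build a preset sequence")
    reference = traces[0]
    for i, trace in enumerate(traces[1:], start=1):
        if trace != reference:
            raise ValueError(f"trace {i} disagrees with trace 0; refusing to build a preset")
    return reference


def compare_sequences(preset: Sequence[BranchRecord],
                      actual: Sequence[BranchRecord]) -> Optional[Divergence]:
    """Step S202: element-wise comparison, returning the first divergence or None."""
    for i, (p, a) in enumerate(zip(preset, actual)):
        if p != a:
            return Divergence(i, p, a)
    if len(actual) > len(preset):
        return Divergence(len(preset), None, actual[len(preset)])
    if len(actual) < len(preset):
        return Divergence(len(actual), preset[len(actual)], None)
    return None


def is_attack(preset: Sequence[BranchRecord], actual: Sequence[BranchRecord]) -> bool:
    """Step S203: any inconsistency with the preset sequence is judged an attack."""
    return compare_sequences(preset, actual) is not None


# --- constructed traces of a hypothetical shortcut-parsing operation ----------
def normal_trace() -> List[BranchRecord]:
    # The flag checked at the third record is non-zero for every legitimate
    # file, so the jnz is always taken and parsing continues on the normal path.
    return [
        ("parse_lnk+0x03", "read_header", True),
        ("read_header+0x1a", "check_flag", True),
        ("check_flag+0x08:jnz", "normal_parse", True),
        ("normal_parse+0x20", "render_icon", True),
    ]


def flag_zero_trace() -> List[BranchRecord]:
    # The flag is zero for this input: the jnz falls through into a path the
    # preset has never contained, ending in a library load.
    trace = normal_trace()[:2]
    trace += [
        ("check_flag+0x08:jnz", "load_module", False),
        ("load_module+0x04", "LoadLibrary", True),
    ]
    return trace


def hooked_trace() -> List[BranchRecord]:
    # A hook at the operation's entry detours through a stub first, inserting
    # branches in front of an otherwise unchanged sequence.
    return [("parse_lnk+0x03", "hook_stub", True),
            ("hook_stub+0x10", "read_header", True)] + normal_trace()[1:]


if __name__ == "__main__":
    preset = build_preset_sequence(normal_trace() for _ in range(3))
    for name, run in (("normal", normal_trace()),
                      ("flag cleared", flag_zero_trace()),
                      ("hooked", hooked_trace())):
        verdict = "ATTACK" if is_attack(preset, run) else "consistent"
        print(f"{name}: {verdict} {compare_sequences(preset, run)}")
```

Running the block prints a verdict and the first divergence for each constructed trace. The all-identical rule in build_preset_sequence is deliberately strict: on real hardware, branches whose outcome is not determined by the operation itself (timing loops, addresses that vary with memory layout) would first have to be normalised or excluded from the record, otherwise no baseline could ever be built and every run would look inconsistent.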
  • not only file operations but any other operation can be judged by the present invention on the basis of its instruction execution logic sequence, so as to discover the abnormal logic that an APT attack introduces.
  • BIOS Basic Input Output System
  • hardware firmware: for example, during the system startup phase, the normal instruction logic of the code in the BIOS (Basic Input Output System) and in hardware firmware is collected. If malicious code is present there, it acts maliciously when certain conditions are met (for example a specific time); when it begins to act, its logic inevitably changes, and it is discovered by the comparison of instruction execution logic sequences.
  • the embodiment of the present invention takes the discovery of APT attacks as an example only because APT attacks are harder to detect than ordinary attacks; this does not mean that the present invention can only detect APT attacks, and it remains effective against ordinary attacks.
  • the present invention is independent of the platform (such as Intel, AMD, ARM, etc.) and of the operating system (such as Windows, Linux, etc.), and can be applied to any platform and system.
  • an embodiment of the present invention also provides a device for judging attack behavior.
  • Fig. 5 shows a structural diagram of a device for determining an attack behavior according to an embodiment of the present invention.
  • the device may include a monitoring module 510, a comparison module 520, and a determination module 530.
  • the monitoring module 510 is adapted to monitor the actual execution of the specified operation and obtain the actual instruction execution logic sequence of the specified operation;
  • the comparison module 520 coupled with the monitoring module 510, is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
  • the determination module 530 coupled with the comparison module 520, is adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation.
  • the designated operation includes an operation on a key file or a key location.
  • the monitoring module 510 is further adapted to: monitor the actual flow of the code executed by the central processing unit, record and save relevant information about the branch instructions actually executed by the central processing unit, and extract the actual instruction execution logic sequence of the specified operation from that branch-instruction information.
  • the monitoring module 510 is further adapted to: request from the platform or operating system the capability to monitor the actual flow of the code executed by the CPU and to record and save the relevant information of the branch instructions actually executed by the CPU; based on the requested capability, extract the actual instruction execution logic sequence of the specified operation from the relevant information of the branch instructions.
  • the monitoring module 510 is further adapted to: set a hook for monitoring the actual execution of the specified operation; use the set hook to capture the specified operation during its actual execution, and obtain the actual instruction execution logic sequence of the specified operation.
  • the device for determining the attack behavior shown in FIG. 5 above may further include:
  • the first collection module 610 is coupled with the comparison module 520, and is adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.
  • the device for determining the attack behavior shown in FIG. 5 above may further include:
  • the second collection module 620, coupled with the comparison module 520, is adapted to collect multiple instruction execution logic sequences involved in the actual execution of the specified operation on a single computer, and to determine the preset instruction execution logic sequence of the specified operation based on those multiple sequences;
  • the embodiments of the present invention also provide a computer storage medium storing computer program code which, when run on a computing device, causes the computing device to perform the aforementioned attack behavior determination method.
  • an embodiment of the present invention also provides a computing device, including: a processor; and a memory storing computer program code which, when executed by the processor, causes the computing device to perform the aforementioned attack behavior determination method.
  • the functional units in the various embodiments of the present invention may be physically independent of each other, or two or more functional units may be integrated together, or all functional units may be integrated in one processing unit.
  • the above-mentioned integrated functional unit can be implemented in the form of hardware, or in the form of software or firmware.
  • if the integrated functional unit is implemented in the form of software and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence, or all or part of it, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes a number of instructions for a computing device (for example, a personal computer, a server, or a network device).
  • the aforementioned storage media include: USB flash drive, removable hard disk, read only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
  • all or part of the steps of the foregoing method embodiments may be implemented by a program instructing related hardware (a computing device such as a personal computer, a server, or a network device); the program instructions may be stored in a computer readable storage medium and, when executed by the processor of the computing device, cause the computing device to execute all or part of the steps of the methods described in the embodiments of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed in the present invention are an attack behavior determination method and apparatus, a computer storage medium, and a computing device. The attack behavior determination method comprises: monitoring an actual execution condition of a specified operation, and obtaining an actual instruction execution logic sequence of the specified operation; comparing the actual instruction execution logic sequence of the specified operation with a preset instruction execution logic sequence of the specified operation; and if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation, determining that an attack behavior is happening. Embodiments of the present invention depart from the hierarchy of "code characteristics and behavior" and are innovatively based on the hierarchy of the instruction execution logical sequence; the preset instruction execution logic sequence of the specified operation is compared with the actual instruction execution logic sequence; if the preset instruction execution logic sequence is inconsistent with the actual instruction execution logic sequence, it is determined that the attack behavior is happening, so that different types of attack behaviors can be effectively found.

Description

一种攻击行为的判定方法、装置及计算机存储介质Method, device and computer storage medium for judging attack behavior 技术领域Technical field

本发明涉及信息网络安全领域,尤其是涉及到一种攻击行为的判定方法、装置、计算机存储介质以及计算设备。The present invention relates to the field of information network security, in particular to a method, a device, a computer storage medium and a computing device for determining an attack behavior.

背景技术Background technique

APT(Advanced Persistent Threat,高级持续性威胁),是黑客以窃取核心资料为目的,针对客户所发动的网络攻击和侵袭行为,是一种蓄谋已久的“恶意商业间谍威胁”。这种行为往往经过长期的经营与策划,并具备高度的隐蔽性。APT的攻击手法,在于隐匿自己,针对特定对象,长期、有计划性和组织性地窃取数据,这种发生在数字空间的偷窃资料、搜集情报的行为,就是一种“网络间谍”的行为。APT (Advanced Persistent Threat, Advanced Persistent Threat) is a cyber attack and intrusion launched by hackers for the purpose of stealing core information against customers. It is a long-planned "malicious business espionage threat." This kind of behavior is often after long-term management and planning, and has a high degree of concealment. The attack method of APT is to conceal oneself and steal data from a specific target in a long-term, planned and organized manner. This act of stealing information and collecting information in the digital space is a kind of "cyber espionage" behavior.

The biggest differences between an APT attack and an ordinary network attack are its targeting and its long-term persistence. An ordinary attack usually has no specific target: any system within reach that carries the vulnerability is attacked indiscriminately, and the follow-up work, whether destruction, theft, or control, begins the moment the attack succeeds. An APT attack, by contrast, usually has a clearly defined target chosen in advance, and systems outside that target are not attacked even if they are vulnerable. It also has a clear objective, mainly theft. After the initial compromise succeeds it does not act immediately but hides, and only when certain conditions are met, or when the target material appears, does it strike quickly to accomplish its predefined purpose.

Technically, an APT attack usually relies on exclusive, private vulnerabilities and on private attack code written for the purpose. Neither the vulnerabilities nor the code spread widely, so security companies can rarely obtain samples, and "feature matching" (signature matching) is correspondingly unlikely to detect the attack. In addition, an APT attack normally stays dormant: before it receives the order to launch the real attack, or before the target material appears, it performs few additional actions, so security software also finds it hard to detect through "behavior identification". Finally, APT attacks are usually launched by nation states or organizations with abundant resources, which allows them to implement effective concealment: hiding inside the code of legitimate software and hardware, lying low, and waiting for the opportunity to act.

Stuxnet, which once caused a sensation, fully demonstrated the stealth, harmfulness, and difficulty of defending against an APT attack.

The target of the Stuxnet attack was clear: the nuclear facility of a particular country.

The resources invested were huge: four operating-system 0-day vulnerabilities and two industrial control system 0-day vulnerabilities were combined into a complete attack chain.

The attack cycle was very long: it first infected the nuclear plant's system maintenance contractors and lay dormant until an infected device was carried into the isolated network of its real target, the nuclear plant, then spread laterally, infected the industrial control systems, and damaged the nuclear industrial facilities. The whole operation took about a year.

It used trusted programs as cover: the core drivers of the attack components carried valid digital signatures (the certificates had been stolen from legitimate hardware vendors, so the signatures themselves verified correctly).

Current security technology still detects malicious attacks at the level of "comparison against known malicious code features" and "triggering on sensitive or dangerous behavior", and it usually extends default trust, exempt from inspection, to the system itself and to programs carrying the valid digital signature of a legitimate company.

Therefore, against an APT attack that has no known signature, exhibits no behavior most of the time, and may even hide behind trusted programs, current security technology offers no real detection or protection, and this technical problem urgently needs to be solved.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a method, apparatus, computer storage medium, and computing device for determining attack behavior that overcome, or at least partially solve, the above problems and can effectively discover various kinds of attack behavior.

According to one aspect of the embodiments of the present invention, a method for determining attack behavior is provided, including:

monitoring the actual execution of a specified operation and obtaining the actual instruction execution logic sequence of the specified operation;

comparing the actual instruction execution logic sequence of the specified operation with a preset instruction execution logic sequence of the specified operation; and

if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation, determining that an attack is in progress.

Optionally, the specified operation includes an operation on a key file or a key location.

Optionally, monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation includes:

monitoring the actual flow of code execution by the central processing unit, and recording and saving information about the branch instructions the central processing unit actually executes; and

extracting the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.

Optionally, monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation includes:

requesting from the platform or operating system the capability to monitor the actual flow of code execution by the central processing unit and to record and save information about the branch instructions the central processing unit actually executes; and

using the requested capability, extracting the actual instruction execution logic sequence of the specified operation from the branch instruction information.

Optionally, monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation includes:

setting a hook that monitors the actual execution of the specified operation; and

using the hook to capture the specified operation while it is actually executing, thereby obtaining the actual instruction execution logic sequence of the specified operation.

Optionally, the preset instruction execution logic sequence of the specified operation is collected as follows:

in a trusted environment, collecting the preset instruction execution logic sequence of the specified operation.

Optionally, the preset instruction execution logic sequence of the specified operation is collected as follows:

on a single computer, collecting multiple instruction execution logic sequences produced by actual executions of the specified operation, and determining the preset instruction execution logic sequence of the specified operation from those multiple sequences;

and/or

on multiple computers, collecting from each computer one or more instruction execution logic sequences produced by actual executions of the specified operation, and determining the preset instruction execution logic sequence of the specified operation from the one or more sequences corresponding to each computer.

According to another aspect of the embodiments of the present invention, an apparatus for determining attack behavior is provided, including:

a monitoring module, adapted to monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;

a comparison module, adapted to compare the actual instruction execution logic sequence of the specified operation with a preset instruction execution logic sequence of the specified operation; and

a determination module, adapted to determine that an attack is in progress if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation.

Optionally, the specified operation includes an operation on a key file or a key location.

Optionally, the monitoring module is further adapted to: monitor the actual flow of code execution by the central processing unit, and record and save information about the branch instructions the central processing unit actually executes; and extract the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.

Optionally, the monitoring module is further adapted to: request from the platform or operating system the capability to monitor the actual flow of code execution by the central processing unit and to record and save information about the branch instructions the central processing unit actually executes; and, using the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.

Optionally, the monitoring module is further adapted to: set a hook that monitors the actual execution of the specified operation; and use the hook to capture the specified operation while it is actually executing, thereby obtaining the actual instruction execution logic sequence of the specified operation.

Optionally, the apparatus further includes:

a first collection module, adapted to collect, in a trusted environment, the preset instruction execution logic sequence of the specified operation.

Optionally, the apparatus further includes:

a second collection module, adapted to collect, on a single computer, multiple instruction execution logic sequences produced by actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation from those multiple sequences;

and/or

to collect, on multiple computers, from each computer one or more instruction execution logic sequences produced by actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation from the one or more sequences corresponding to each computer.

According to a further aspect of the embodiments of the present invention, a computer storage medium is provided that stores computer program code which, when run on a computing device, causes the computing device to perform the method for determining attack behavior described above.

According to yet another aspect of the embodiments of the present invention, a computing device is provided, including a processor and a memory storing computer program code which, when run by the processor, causes the computing device to perform the method for determining attack behavior described above.

With the above technical solution, the embodiments of the present invention leave the level of "code features and behaviors" and, innovatively, work at the level of the instruction execution logic sequence: the preset instruction execution logic sequence of a specified operation is compared with its actual instruction execution logic sequence, and when the two do not match, an attack is determined to be in progress. This can effectively discover various kinds of attack behavior.

Further, the embodiments of the present invention can monitor, in a targeted way, the actual execution of specified operations on key files or key locations, obtain the actual instruction execution logic sequence of those operations, and compare it with the preset instruction execution logic sequence; when the two do not match, an attack is determined to be in progress. This improves the efficiency of attack determination and discovers attacks in time so that corresponding protective measures can be taken.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the specification, and so that the above and other objectives, features, and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.

From the following detailed description of specific embodiments of the present invention, read together with the accompanying drawings, those skilled in the art will better understand the above and other objectives, advantages, and features of the present invention.

Description of the drawings

The drawings described here are provided for a further understanding of the present invention and form part of it. The exemplary embodiments of the present invention and their description serve to explain the present invention and do not improperly limit it. In the drawings:

Figure 1 shows the execution logic diagram of a complete program;

Figure 2 shows a flowchart of a method for determining attack behavior according to an embodiment of the present invention;

Figure 3 shows a flowchart of a method for determining attack behavior according to another embodiment of the present invention;

Figure 4 shows an instruction execution flowchart according to a further embodiment of the present invention;

Figure 5 shows a structural diagram of an apparatus for determining attack behavior according to an embodiment of the present invention; and

Figure 6 shows a structural diagram of an apparatus for determining attack behavior according to another embodiment of the present invention.

Detailed description

Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention can be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.

As introduced above, some attacks, such as APT attacks, are very hard to discover with current feature matching or behavior identification techniques. To discover this type of attack effectively, the inventor developed the idea described in detail below.

First, every behavior in a computer is implemented by code, and code consists of a combination of predefined instructions.

An example:

FF 15 8C 0E 87 6B    call    ds:__imp__CreateFileW@28
8B F0                mov     esi, eax
83 FE FF             cmp     esi, 0FFFFFFFFh
75 33                jnz     short loc_6B818B38
FF 15 C4 0D 87 6B    call    ds:__imp__GetLastError@0
83 F8 02             cmp     eax, 2
75 23                jnz     short loc_6B818B33

The assembly code above implements the following functional logic:

1. Call the system API (Application Programming Interface) CreateFile to create (or open) a file;

2. Check whether the file was created successfully, that is, whether the returned handle is 0FFFFFFFFh (INVALID_HANDLE_VALUE);

3. If it succeeded, jump to loc_6B818B38 to carry out the following actions;

4. If it failed, call GetLastError to obtain the error code;

5. If the error code is not 2 (ERROR_FILE_NOT_FOUND), jump to loc_6B818B33 and continue there.

(The FF 15 encoding is an indirect call through the import address table entry at 6B870E8Ch; overwriting such an entry is one common way attack code inserts itself into exactly this path.)

It uses the following instructions:

call: call a function; mov: move data; cmp: compare; jnz: jump according to the result of the comparison (jump if not equal).

The inventor observed that once code has been compiled it is fixed, and the execution logic of its instructions is fixed as well.

For example: as long as the file is created successfully, execution will certainly "jump to loc_6B818B38"; if creation fails, "GetLastError" will certainly be called; and if the error code is not 2, execution will certainly "jump to loc_6B818B33".

This code is fixed to this execution logic from beginning to end and will not vary in any way; unless the code itself changes, the logic does not change.

Figure 1 is the execution logic diagram of a complete program. As Figure 1 shows, the execution logic of an entire program is made up of countless "condition checks" and "branches"; different branches are executed depending on different conditions, and the result is one execution chain.

From this the inventor draws a conclusion: for the same program or the same piece of code, provided that all conditions stay the same, exactly the same execution chain is obtained, that is, exactly the same instruction execution logic sequence.

For the code in the example above, as long as the condition "file created successfully" holds, the instruction execution logic sequence is fixed. Ignoring the instructions that are irrelevant to the logic and keeping only the jump-class instructions that change the execution route gives the following instruction execution logic sequence:

1. call CreateFile

2. jnz loc_6B818B38

The other instructions,

call GetLastError and jnz loc_6B818B33, are not executed and therefore do not enter the instruction execution sequence.
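The following Python is an added example, not part of the patent text, showing how such a sequence is extracted from a stream of taken-branch records, the raw material a hardware last-branch record supplies. It reconstructs the listing above at the addresses implied by its own encoding: 75 33 is a short jump of +0x33 from the next instruction, so the label loc_6B818B38 fixes the snippet start at 0x6B818AF8 (the 75 23 jump to loc_6B818B33 agrees). The addresses and sizes of CreateFileW and GetLastError, the hook address, and the branch streams themselves are constructed assumptions.

```python
"""Extract the instruction execution logic sequence of a monitored code range
from a stream of taken-branch records (the form a last-branch record gives).
Added example; every address other than the page's own labels is an assumption."""

# The page's listing, placed at the addresses implied by its own encoding.
# Tuples are (address, length, mnemonic, branch target or None).
SNIPPET = [
    (0x6B818AF8, 6, "call", "CreateFileW"),
    (0x6B818AFE, 2, "mov", None),
    (0x6B818B00, 3, "cmp", None),
    (0x6B818B03, 2, "jnz", "loc_6B818B38"),
    (0x6B818B05, 6, "call", "GetLastError"),
    (0x6B818B0B, 3, "cmp", None),
    (0x6B818B0E, 2, "jnz", "loc_6B818B33"),
]
SNIPPET_START = SNIPPET[0][0]
SNIPPET_END = SNIPPET[-1][0] + SNIPPET[-1][1]          # exclusive
MNEMONIC_AT = {addr: mnemonic for addr, _, mnemonic, _ in SNIPPET}

# Branch targets.  The API addresses are assumed (they depend on where the
# system DLL is mapped); the loc_ labels are the page's own.
SYMBOLS = {
    "CreateFileW": 0x7C801A28,
    "GetLastError": 0x7C910331,
    "loc_6B818B38": 0x6B818B38,
    "loc_6B818B33": 0x6B818B33,
}
ADDR_TO_SYM = {addr: name for name, addr in SYMBOLS.items()}


def logic_sequence(branch_records):
    """branch_records: (from_ip, to_ip) pairs for every *taken* branch, in
    execution order.  Only branches whose source lies in the monitored range
    are kept: mov/cmp never produce a record, a not-taken jnz produces none,
    and the ret from CreateFileW/GetLastError has its source inside the API,
    so none of them appears.  A target with no known symbol is rendered as a
    raw address, so a patched import or a detour becomes a different element
    instead of silently matching the preset."""
    seq = []
    for from_ip, to_ip in branch_records:
        if not SNIPPET_START <= from_ip < SNIPPET_END:
            continue
        seq.append(f"{MNEMONIC_AT[from_ip]} {ADDR_TO_SYM.get(to_ip, hex(to_ip))}")
    return seq


def simulate_branches(create_ok, last_error=0, create_file_target=None):
    """Constructed branch stream for the snippet under a given condition,
    standing in for a real recording.  create_file_target overrides where the
    first call lands, modelling an attacker's hook on the CreateFileW import."""
    target = create_file_target or SYMBOLS["CreateFileW"]
    records = [
        (SNIPPET[0][0], target),                       # call CreateFileW
        (target + 0x40, SNIPPET[1][0]),                # ret into the mov (assumed API size)
    ]
    if create_ok:
        records.append((SNIPPET[3][0], SYMBOLS["loc_6B818B38"]))   # jnz taken
        return records
    # esi == INVALID_HANDLE_VALUE: the first jnz falls through (no record), then
    records.append((SNIPPET[4][0], SYMBOLS["GetLastError"]))         # call GetLastError
    records.append((SYMBOLS["GetLastError"] + 0x10, SNIPPET[5][0]))  # ret into the cmp (assumed)
    if last_error != 2:                                  # 2 == ERROR_FILE_NOT_FOUND
        records.append((SNIPPET[6][0], SYMBOLS["loc_6B818B33"]))     # jnz taken
    return records
```

Two practical points the page leaves implicit: a last-branch record holds only a small fixed number of the most recent taken branches, so it must be read (or a full branch trace stored) before it overflows; and the sequence should be keyed by module plus offset rather than absolute address, otherwise address space layout randomization makes identical code yield different sequences on different machines.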

Based on this idea, the inventor proposes a scheme for discovering attack behavior based on the instruction execution logic sequence. Figure 2 is a flowchart of a method for determining attack behavior according to an embodiment of the present invention. As shown in Figure 2, the method may include the following steps S201 to S203:

Step S201: monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;

Step S202: compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;

Step S203: if the actual instruction execution logic sequence of the specified operation does not match the preset instruction execution logic sequence of the specified operation, determine that an attack is in progress.

The embodiment of the present invention innovatively works at the level of the instruction execution logic sequence: the preset instruction execution logic sequence of the specified operation is compared with the actual one, and when the two do not match, an attack is determined to be in progress. This can effectively discover various kinds of attack behavior.

In an optional embodiment of the present invention, the specified operation mentioned above may be any sensitive operation on a key file or a key location. A key file may be a file that is important to an enterprise or individual user, a file that is important to the system, and so on; a key location may be a system directory, a critical disk region, and so on. The embodiments of the present invention do not limit either. Attackers target such key files and key locations in order to steal data, obtain privileges, and so on.

The embodiment of the present invention can monitor, in a targeted way, the actual execution of specified operations on key files or key locations, obtain the actual instruction execution logic sequence of those operations, and compare it with the preset instruction execution logic sequence; when the two do not match, an attack is determined to be in progress. This improves the efficiency of attack determination and discovers attacks in time so that corresponding protective measures can be taken.

For step S201 above, monitoring the actual execution of the specified operation and obtaining its actual instruction execution logic sequence, the embodiment of the present invention provides optional schemes that either use an existing monitoring capability or set up monitoring; each is described in detail below.

In scheme one, the actual flow of code execution by the central processing unit is monitored, and information about the branch instructions the central processing unit actually executes is recorded and saved; the actual instruction execution logic sequence of the specified operation is then extracted from the saved branch instruction information.

In scheme two, the capability to monitor the actual flow of code execution by the central processing unit and to record and save information about the branch instructions it actually executes is requested from the platform or operating system; using that capability, the actual instruction execution logic sequence of the specified operation is extracted from the branch instruction information.

In this scheme, how the monitoring capability for instruction execution is obtained may differ by platform; for example, the BTM (Branch Trace Message) mechanism introduced with the Pentium processor and the LBR (Last Branch Recording) mechanism introduced with the P6 processor can both provide it. Both are controlled through the IA32_DEBUGCTL model-specific register and therefore require ring-0 code or operating-system support; later Intel processors also offer Processor Trace, which records the complete control flow rather than only the most recent branches.

In addition, chip vendors, hardware vendors, or operating system vendors may build instruction execution sequence monitoring into the system. The embodiment of the present invention can request the corresponding capability, obtain the branch instruction information through it, and extract the actual instruction execution logic sequence of the specified operation from that information.

In scheme three, a hook that monitors the actual execution of the specified operation is set; the hook is then used to capture the specified operation while it is actually executing, thereby obtaining the actual instruction execution logic sequence of the specified operation.
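As an added example (not the patent's own implementation), the following Python shows scheme three at function granularity: a tracing hook installed with Python's sys.settrace captures the ordered calls made while a specified operation runs, and a constructed "attacker hook" wrapped around the file-open function shows how the captured sequence changes once extra logic is inserted into the operation. The file table, the operation, and the hook are all constructed; the native equivalent would be an inline or import-table hook on CreateFileW, and the sequence would consist of branch records rather than Python function names.

```python
"""Capture the actual execution logic sequence of a specified operation with a
tracing hook.  Added example; the operation and the attacker hook are constructed."""
import sys

# Constructed stand-in for a file system: path -> handle.  -1 plays the role of
# INVALID_HANDLE_VALUE (0FFFFFFFFh) in the page's listing.
FILES = {"report.txt": 0x1C, "confidential.txt": 0x20}
ERROR_FILE_NOT_FOUND = 2


def create_file(path):
    return FILES.get(path, -1)


def get_last_error():
    return ERROR_FILE_NOT_FOUND


def read_file(handle):
    return b"data"


def file_operation(path):
    """The specified operation: open, then read on success or fetch the error."""
    handle = create_file(path)
    if handle == -1:
        return get_last_error()
    return read_file(handle)


def capture_sequence(operation, *args):
    """Run operation(*args) under a sys.settrace hook and return the ordered
    names of the functions entered inside this module: the execution logic
    sequence at function granularity.  Any previous tracer is restored."""
    seq = []

    def tracer(frame, event, arg):
        if event == "call" and frame.f_globals.get("__name__") == __name__:
            seq.append(frame.f_code.co_name)
        return None            # no per-line events are needed

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        operation(*args)
    finally:
        sys.settrace(previous)
    return seq


# Constructed attacker hook: the "judge" and "send back" logic the page describes.
ORIGINAL_CREATE_FILE = create_file


def looks_confidential(path):
    return "confidential" in path


def exfiltrate(path):
    pass                       # would send the file out; deliberately inert here


def hooked_create_file(path):
    handle = ORIGINAL_CREATE_FILE(path)
    if handle != -1 and looks_confidential(path):
        exfiltrate(path)
    return handle


def install_attacker_hook():
    """Redirect file_operation's call to create_file through the hook, the way
    an inline or import-table hook redirects a call in native code."""
    globals()["create_file"] = hooked_create_file


def remove_attacker_hook():
    globals()["create_file"] = ORIGINAL_CREATE_FILE
```

Note that the captured sequence already differs for a file the hook decides to ignore, because the check itself is an extra step; that is the point made in the specific embodiment later in this description: the mere presence of the attack code changes the sequence, and operating on a "confidential" file changes it further.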

The preset instruction execution logic sequence of the specified operation mentioned in step S202 above is the instruction execution logic sequence of the specified operation under normal operating conditions. It can be collected in the following ways.

Way one: collect the preset instruction execution logic sequence of the specified operation in a trusted environment. The trusted environment may be a freshly installed (factory) system environment, a system environment in which the programs carry the valid digital signature of a legitimate company, and so on; the embodiment of the present invention selects the trusted environment according to actual needs and does not limit it.

Way two: on a single computer, collect the multiple instruction execution logic sequences produced by actual executions of the specified operation, and determine the preset instruction execution logic sequence of the specified operation from them.

For example, if all 20 instruction execution logic sequences collected from actual executions of the specified operation are sequence P, then P can be taken as the preset instruction execution logic sequence of the specified operation. This example is illustrative only and does not limit the present invention.

Way three: on multiple computers, collect from each computer one or more instruction execution logic sequences produced by actual executions of the specified operation, and determine the preset instruction execution logic sequence of the specified operation from the one or more sequences corresponding to each computer.

For example, if on 30 computers every instruction execution logic sequence produced by actual executions of the specified operation is sequence P, then P can be taken as the preset instruction execution logic sequence of the specified operation. This example is illustrative only and does not limit the present invention.

Ways two and three rest on the principle that "for the same program or the same piece of code, provided that all conditions stay the same, exactly the same execution chain is obtained". Under normal operating conditions, whether the same instruction sequence under the same condition is collected many times on one computer or collected in a distributed way on many computers, every collected sequence should be identical. If any of them differs, the only possible explanation is that an anomaly exists, for example a HOOK point planted by APT attack code.

The above describes several implementations of each stage of the embodiment shown in Figure 2. The method for determining attack behavior provided by the embodiments of the present invention is further explained below with specific embodiments.

在一个具体实施例中,假如APT攻击者的目的是将所有的带有“保密”字样的文件数据窃取,那么它在设计工作逻辑时,无非是在文件创建成功后,去读取并判断文件标题是否有“保密”字样,如果有,那就回传,如果没有就忽略。In a specific embodiment, if the purpose of the APT attacker is to steal all the file data with the word "secret", then when designing the working logic, it is nothing more than reading and judging the file after the file is created successfully. Whether the title has the words "confidential", if so, then pass it back, if not, ignore it.

无论它如何设计操作逻辑,文件操作的指令执行逻辑序列都会随之发生改变,因为其会在逻辑链条中增加“判断”与“回传”的逻辑,而这两个逻辑在正常情况下是没有的。No matter how it designs the operation logic, the instruction execution logic sequence of the file operation will change accordingly, because it will add the logic of "judgment" and "return" in the logic chain, and these two logics are not in normal circumstances. of.

首先,有APT攻击代码的存在,与没有APT攻击代码的存在,其指令执行逻辑一定是不同的。First of all, the existence of APT attack code, and the existence of no APT attack code, its instruction execution logic must be different.

其次,操作“保密”文件,与操作“非保密”文件时,其指令执行逻辑仍然是不同的。Secondly, when operating a "secret" file, and operating a "non-secret" file, the instruction execution logic is still different.

因此,如图3所示,可以采用步骤S301至S303来发现攻击行为。Therefore, as shown in FIG. 3, steps S301 to S303 can be used to discover attack behavior.

步骤S301,对文件操作的实际执行情况进行监控,获取文件操作的实际的指令执行逻辑序列。In step S301, the actual execution of the file operation is monitored, and the actual instruction execution logic sequence of the file operation is obtained.

在该步骤中,文件操作具体可以是针对“保密”文件的操作。In this step, the file operation can specifically be an operation on a "secret" file.

步骤S302,将文件操作的实际的指令执行逻辑序列与文件操作的预设的指令执行逻辑序列进行比对。In step S302, the actual instruction execution logic sequence of the file operation is compared with the preset instruction execution logic sequence of the file operation.

步骤S303,若文件操作的实际的指令执行逻辑序列与文件操作的预设的指令执行逻辑序列比对不一致,则判定APT攻击行为在发生。In step S303, if the actual instruction execution logic sequence of the file operation is inconsistent with the preset instruction execution logic sequence of the file operation, it is determined that the APT attack behavior is occurring.

若文件操作的实际的指令执行逻辑序列与文件操作的预设的指令执行逻辑序列比对一致,则判定APT攻击行为没有发生,可以返回步骤S301继续对文件操作的实际执行情况进行监控。If the actual instruction execution logic sequence of the file operation is consistent with the preset instruction execution logic sequence of the file operation, it is determined that the APT attack has not occurred, and step S301 can be returned to continue to monitor the actual execution of the file operation.

Here is another example that actually happened. When the Stuxnet virus launched an APT attack on a nuclear plant in a certain country, it used a shortcut-parsing vulnerability in the Windows operating system (vulnerability number: MS10-046). Its exploitation principle and instruction execution flow are shown in FIG. 4 below.

The execution logic of the Windows operating system when parsing a shortcut is as follows (simplified here):

1. Call GetIconLocationW;

2. Test a special flag bit in the shortcut;

3. If the flag bit is non-zero, call LookupIconIndex;

4. If the flag bit is zero, call CPL_FindCPLInfo;

5. Continue by calling CPL_LoadAndFindApplet;

6. Finally, call LoadLibrary to load the specified DLL/CPL file.

The first three steps, 1, 2 and 3, are the normal shortcut-parsing logic, because under normal circumstances that flag bit is always non-zero.

However, when an APT attacker carries out the attack, the special flag bit in the shortcut used for the attack is set to "zero". This immediately triggers the special execution logic: the shortcut-parsing logic changes and enters steps 4, 5 and 6, so that the attacker's malicious DLL is loaded and executed, completing the attack.

When the embodiment of the present invention collects the instruction execution logic sequence of a normal shortcut-parsing operation, it can clearly only collect the execution logic of steps 1 to 3; steps 4 to 6 cannot be collected.

But when the APT attack occurs, the instruction logic of steps 4 to 6 must appear in the instruction execution logic sequence, so when the instruction execution logic sequences are compared, this APT attack will inevitably be discovered.
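The comparison of steps S301 to S303, applied to the simplified shortcut-parsing traces above, as an added illustration that is not part of the patent: preset sequences are built from traces captured in a trusted environment (several runs, or several machines), an observed trace is compared against them, and a mismatch is reported together with the first step at which the trace left every preset sequence. The branch-record line format, the name "CheckFlag" for step 2, and the `Verdict`/`compare` helpers are constructed for this example; only the six function names come from the text above.

```python
"""Instruction execution logic sequence comparison (added example, not patent code).

A trace is the ordered list of branch targets (here: function names) that the
CPU actually executed while performing one specified operation, as delivered by
a branch recorder or a hook.  Preset sequences come from trusted runs; an
observed trace that matches none of them is reported as an attack.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Set, Tuple

# Constructed sample traces for the (simplified) shortcut-parsing operation.
# "CheckFlag" is a constructed name for step 2 (testing the special flag bit).
NORMAL_TRACE = ["GetIconLocationW", "CheckFlag", "LookupIconIndex"]
ATTACK_TRACE = ["GetIconLocationW", "CheckFlag", "CPL_FindCPLInfo",
                "CPL_LoadAndFindApplet", "LoadLibrary"]

# Constructed branch-record lines in a hypothetical format
# "BR <from-address> <to-address> <target symbol>", one per taken branch.
SAMPLE_BRANCH_LOG = """\
BR 0x7ff6a0001000 0x7ff6a0002340 GetIconLocationW
BR 0x7ff6a0002380 0x7ff6a00023c0 CheckFlag
BR 0x7ff6a00023f0 0x7ff6a0005100 CPL_FindCPLInfo
BR 0x7ff6a0005180 0x7ff6a0005400 CPL_LoadAndFindApplet
BR 0x7ff6a0005480 0x7ff6b0010000 LoadLibrary
"""


@dataclass(frozen=True)
class Verdict:
    attack: bool
    # Index of the first step at which the observed trace left every preset
    # sequence (None when the trace is consistent).
    divergence_index: Optional[int]
    # The unexpected step at that index, or None if the trace simply ended
    # early (a truncated trace is also inconsistent and therefore reported).
    observed_step: Optional[str]


def trace_from_branch_log(text: str) -> List[str]:
    """Step S301: extract the branch-target sequence from saved branch records."""
    trace = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "BR":
            trace.append(parts[3])
    return trace


def build_preset(traces: Iterable[Sequence[str]]) -> Set[Tuple[str, ...]]:
    """Collect the preset sequences from trusted-environment traces.

    Several runs on one machine and/or traces from several machines are merged
    into one set; every distinct sequence seen in the trusted runs is accepted.
    """
    return {tuple(t) for t in traces}


def common_prefix_len(a: Sequence[str], b: Sequence[str]) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def compare(observed: Sequence[str], preset: Set[Tuple[str, ...]]) -> Verdict:
    """Steps S302/S303: consistent -> no attack; inconsistent -> attack."""
    obs = tuple(observed)
    if obs in preset:
        return Verdict(attack=False, divergence_index=None, observed_step=None)
    # Locate where the trace stopped following any of the preset sequences.
    best = max((common_prefix_len(obs, seq) for seq in preset), default=0)
    step = obs[best] if best < len(obs) else None
    return Verdict(attack=True, divergence_index=best, observed_step=step)


if __name__ == "__main__":
    preset = build_preset([NORMAL_TRACE, NORMAL_TRACE])  # two trusted runs
    print(compare(NORMAL_TRACE, preset))
    print(compare(trace_from_branch_log(SAMPLE_BRANCH_LOG), preset))
```

For the attack trace the verdict points at index 2, where CPL_FindCPLInfo replaces LookupIconIndex, which is exactly the flag-bit branch the text describes.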

It should be noted that the present invention can be applied not only to file operations but to any other operation, judging its instruction execution logic sequence in order to discover abnormal logic caused by an APT attack.

For example, during the system startup phase, the normal instruction logic of the code in the BIOS (Basic Input Output System) and in hardware firmware can be collected. If malicious code is present there and acts only when a specific condition is met (such as a specific time), then when it begins to act, its logic inevitably changes, and the change will be discovered by comparing the instruction execution logic sequences.

Although the embodiments of the present invention use the discovery of APT attacks as the example, this is only because APT attacks are harder to discover than ordinary attacks; it does not mean that the present invention can only discover APT attacks. It remains effective against ordinary attacks.

It should be noted that the present invention is independent of the platform (such as Intel, AMD, ARM, etc.) and of the operating system (such as Windows, Linux, etc.), and can be applied to any platform and system.

In practical applications, all of the optional implementations above can be combined arbitrarily to form optional embodiments of the present invention, which are not enumerated here.

Based on the attack behavior determination method provided by the embodiments above, and on the same inventive concept, an embodiment of the present invention also provides an attack behavior determination apparatus.

FIG. 5 shows the structure of an attack behavior determination apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus may include a monitoring module 510, a comparison module 520 and a determination module 530.

The functions of the components of the attack behavior determination apparatus of this embodiment, and the connections between them, are now described:

The monitoring module 510 is adapted to monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;

The comparison module 520, coupled to the monitoring module 510, is adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;

The determination module 530, coupled to the comparison module 520, is adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation.

In an optional embodiment of the present invention, the specified operation includes an operation on a key file or a key location.

In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: monitor the actual flow of the code executed by the central processing unit, and record and save information about the branch instructions actually executed by the central processing unit; and extract the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.

In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: request from the platform or operating system the capability to monitor the actual flow of the code executed by the central processing unit and to record and save information about the branch instructions actually executed by the central processing unit; and, using the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.

In an optional embodiment of the present invention, the monitoring module 510 is further adapted to: set a hook that monitors the actual execution of the specified operation; and use the hook to capture the specified operation during its actual execution and obtain the actual instruction execution logic sequence of the specified operation.

In an optional embodiment of the present invention, as shown in FIG. 6, the attack behavior determination apparatus shown in FIG. 5 may further include:

A first collection module 610, coupled to the comparison module 520, adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.

In an optional embodiment of the present invention, as shown in FIG. 6, the attack behavior determination apparatus shown in FIG. 5 may further include:

A second collection module 620, coupled to the comparison module 520, adapted to collect, on a single computer, the multiple instruction execution logic sequences involved in actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation from those multiple sequences;

and/or

on multiple computers, to collect the one or more instruction execution logic sequences involved in actual executions of the specified operation on each computer, and to determine the preset instruction execution logic sequence of the specified operation from the one or more sequences corresponding to each computer.

Based on the same inventive concept, an embodiment of the present invention also provides a computer storage medium that stores computer program code; when the computer program code runs on a computing device, it causes the computing device to perform the attack behavior determination method described above.

Based on the same inventive concept, an embodiment of the present invention also provides a computing device, including: a processor; and a memory storing computer program code; when the computer program code is executed by the processor, it causes the computing device to perform the attack behavior determination method described above.

Those skilled in the art will clearly understand that, for the specific working process of the system, apparatus, units and modules described above, reference may be made to the corresponding process in the foregoing method embodiments; for brevity, it is not repeated here.

In addition, the functional units in the embodiments of the present invention may be physically independent of each other, or two or more functional units may be integrated together, or all functional units may be integrated in one processing unit. The integrated functional unit may be implemented in the form of hardware, or in the form of software or firmware.

A person of ordinary skill in the art will understand that if the integrated functional unit is implemented in the form of software and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in whole or in part, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computing device (for example, a personal computer, a server or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention when running those instructions. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Alternatively, all or part of the steps of the foregoing method embodiments may be completed by hardware (a computing device such as a personal computer, a server or a network device) instructed by program instructions, where the program instructions may be stored in a computer-readable storage medium; when the program instructions are executed by the processor of the computing device, the computing device executes all or part of the steps of the methods described in the embodiments of the present invention.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that, within the spirit and principle of the present invention, the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the corresponding technical solutions to depart from the scope of protection of the present invention.

Claims (16)

1. A method for determining attack behavior, characterized in that it comprises:
monitoring the actual execution of a specified operation and obtaining the actual instruction execution logic sequence of the specified operation;
comparing the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation, determining that an attack is occurring.

2. The method according to claim 1, characterized in that the specified operation includes an operation on a key file or a key location.

3. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
monitoring the actual flow of the code executed by the central processing unit, and recording and saving information about the branch instructions actually executed by the central processing unit;
extracting the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.

4. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
requesting from the platform or operating system the capability to monitor the actual flow of the code executed by the central processing unit and to record and save information about the branch instructions actually executed by the central processing unit;
using the requested capability, extracting the actual instruction execution logic sequence of the specified operation from the branch instruction information.

5. The method according to claim 1 or 2, characterized in that monitoring the actual execution of the specified operation and obtaining the actual instruction execution logic sequence of the specified operation comprises:
setting a hook that monitors the actual execution of the specified operation;
using the hook, capturing the specified operation during its actual execution and obtaining the actual instruction execution logic sequence of the specified operation.

6. The method according to claim 1 or 2, characterized in that the preset instruction execution logic sequence of the specified operation is collected as follows:
in a trusted environment, collecting the preset instruction execution logic sequence of the specified operation.

7. The method according to claim 1 or 2, characterized in that the preset instruction execution logic sequence of the specified operation is collected as follows:
on a single computer, collecting the multiple instruction execution logic sequences involved in actual executions of the specified operation, and determining the preset instruction execution logic sequence of the specified operation from the multiple instruction execution logic sequences;
and/or
on multiple computers, collecting the one or more instruction execution logic sequences involved in actual executions of the specified operation on each computer, and determining the preset instruction execution logic sequence of the specified operation from the one or more instruction execution logic sequences corresponding to each computer.

8. An apparatus for determining attack behavior, characterized in that it comprises:
a monitoring module, adapted to monitor the actual execution of a specified operation and obtain the actual instruction execution logic sequence of the specified operation;
a comparison module, adapted to compare the actual instruction execution logic sequence of the specified operation with the preset instruction execution logic sequence of the specified operation;
a determination module, adapted to determine that an attack is occurring if the actual instruction execution logic sequence of the specified operation is inconsistent with the preset instruction execution logic sequence of the specified operation.

9. The apparatus according to claim 8, characterized in that the specified operation includes an operation on a key file or a key location.

10. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: monitor the actual flow of the code executed by the central processing unit, and record and save information about the branch instructions actually executed by the central processing unit; and extract the actual instruction execution logic sequence of the specified operation from the saved branch instruction information.

11. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: request from the platform or operating system the capability to monitor the actual flow of the code executed by the central processing unit and to record and save information about the branch instructions actually executed by the central processing unit; and, using the requested capability, extract the actual instruction execution logic sequence of the specified operation from the branch instruction information.

12. The apparatus according to claim 8 or 9, characterized in that the monitoring module is further adapted to: set a hook that monitors the actual execution of the specified operation; and use the hook to capture the specified operation during its actual execution and obtain the actual instruction execution logic sequence of the specified operation.

13. The apparatus according to claim 8 or 9, characterized in that it further comprises:
a first collection module, adapted to collect the preset instruction execution logic sequence of the specified operation in a trusted environment.

14. The apparatus according to claim 8 or 9, characterized in that it further comprises:
a second collection module, adapted to collect, on a single computer, the multiple instruction execution logic sequences involved in actual executions of the specified operation, and to determine the preset instruction execution logic sequence of the specified operation from the multiple instruction execution logic sequences;
and/or
on multiple computers, to collect the one or more instruction execution logic sequences involved in actual executions of the specified operation on each computer, and to determine the preset instruction execution logic sequence of the specified operation from the one or more instruction execution logic sequences corresponding to each computer.

15. A computer storage medium storing computer program code which, when run on a computing device, causes the computing device to perform the attack behavior determination method according to any one of claims 1 to 7.

16. A computing device, comprising: a processor; and a memory storing computer program code which, when executed by the processor, causes the computing device to perform the attack behavior determination method according to any one of claims 1 to 7.
PCT/CN2019/105747 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium WO2021046811A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/105747 WO2021046811A1 (en) 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium
CN201980094807.7A CN113632432B (en) 2019-09-12 2019-09-12 Method and device for judging attack behaviors and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/105747 WO2021046811A1 (en) 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021046811A1 true WO2021046811A1 (en) 2021-03-18

Family

ID=74867332

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/105747 WO2021046811A1 (en) 2019-09-12 2019-09-12 Attack behavior determination method and apparatus, and computer storage medium

Country Status (2)

Country Link
CN (1) CN113632432B (en)
WO (1) WO2021046811A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113946869A (en) * 2021-11-02 2022-01-18 深圳致星科技有限公司 Internal security attack detection method and device for federal learning and privacy calculation
CN115514548A (en) * 2022-09-16 2022-12-23 北京易诚互动网络技术股份有限公司 Method and device for guaranteeing Internet application security
WO2023179461A1 (en) * 2022-03-25 2023-09-28 华为技术有限公司 Method for processing suspected attack behavior, and related apparatus

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640529B (en) * 2022-03-24 2024-02-02 中国工商银行股份有限公司 Attack protection method, apparatus, device, storage medium and computer program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801031A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for judging whether a know program has been attacked by employing program behavior knowledge base
WO2013089767A1 (en) * 2011-12-16 2013-06-20 Intel Corporation Method and system using exceptions for code specialization in a computer architecture that supports transactions
US20160012225A1 (en) * 2008-08-29 2016-01-14 AVG Netherlands B.V. System and method for the detection of malware
CN105577608A (en) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and network attack behavior detection device
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 The detection method of rogue program, calculates equipment and computer storage medium at device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973531B1 (en) * 2014-06-06 2018-05-15 Fireeye, Inc. Shellcode detection
CN105791261B (en) * 2015-12-28 2019-06-21 华为技术有限公司 A detection method and detection device for cross-site scripting attack
US10789361B2 (en) * 2016-01-24 2020-09-29 Minerva Labs Ltd. Ransomware attack remediation
US10990682B2 (en) * 2017-12-18 2021-04-27 Nuvoton Technology Corporation System and method for coping with fault injection attacks
JP7284761B2 (en) * 2018-01-12 2023-05-31 ヴァーセック・システムズ・インコーポレーテッド Defending Against Speculative Execution Exploits
CN108846287A (en) * 2018-06-26 2018-11-20 北京奇安信科技有限公司 A kind of method and device of detection loophole attack
CN109829313B (en) * 2019-02-28 2020-11-24 中国人民解放军战略支援部队信息工程大学 A method and device for defending against SGX side-channel attacks based on code reuse programming
CN110135166B (en) * 2019-05-08 2021-03-30 北京国舜科技股份有限公司 Detection method and system for service logic vulnerability attack


Also Published As

Publication number Publication date
CN113632432A (en) 2021-11-09
CN113632432B (en) 2023-09-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19945113

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19945113

Country of ref document: EP

Kind code of ref document: A1