CN109753806B - Server protection method and device - Google Patents
- Publication number
- CN109753806B (application CN201811640471.3A)
- Authority
- CN
- China
- Prior art keywords
- preset
- server
- calling
- memory
- port
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Retry When Errors Occur (AREA)
- Alarm Systems (AREA)
- Telephonic Communication Services (AREA)
- Computer And Data Communications (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Description
Technical field
The present invention relates to the field of security technology, and in particular to a server protection method and device.
Background
With the rapid development of Internet technology, service providers usually build their services on large-scale server clusters to meet users' diverse business needs. To keep a service running normally and stably, the ports of each server in the cluster usually need to be placed in a listening state.
Currently, server clusters usually allow the listening state of a server port to be set arbitrarily. In practice, however, hackers commonly exploit this vulnerability: they add a server listening port in order to take persistent control of the host server and attack the specific services that it runs stably over the long term, which leaves every server in the cluster with low security. Proposing a new server protection method has therefore become an urgent technical problem in the field of server clusters.
Summary of the invention
In view of this, the present invention provides a server protection method and device, whose main purpose is to perform security detection on the addition of a server listening port and to prevent hackers from exploiting a vulnerability to add a server listening port for persistent control of the host server, thereby improving server security.
According to a first aspect of the present invention, a server protection method is provided, comprising:
obtaining port-addition behavior information for a server listening port on a host server in a server cluster;
detecting whether the port-addition behavior information meets a preset addition condition;
if it does, determining that the port addition is a safe behavior and releasing it;
if it does not, determining that the port addition is a dangerous behavior and blocking it.
According to a second aspect of the present invention, a server protection device is provided, comprising:
an acquisition unit, configured to obtain port-addition behavior information for a server listening port on a host server in a server cluster;
a detection unit, configured to detect whether the port-addition behavior information meets a preset addition condition;
a processing unit, configured to determine that the port addition is a safe behavior and release it if the detection unit finds that the port-addition behavior information meets the preset addition condition;
the processing unit being further configured to determine that the port addition is a dangerous behavior and block it if the detection unit finds that the port-addition behavior information does not meet the preset addition condition.
According to a third aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored; when the program is executed by a processor, the following steps are implemented:
obtaining port-addition behavior information for a server listening port on a host server in a server cluster;
detecting whether the port-addition behavior information meets a preset addition condition;
if it does, determining that the port addition is a safe behavior and releasing it;
if it does not, determining that the port addition is a dangerous behavior and blocking it.
According to a fourth aspect of the present invention, a computer device is provided, comprising a memory, a processor and a computer program stored in the memory and executable on the processor; when the processor executes the program, the following steps are implemented:
obtaining port-addition behavior information for a server listening port on a host server in a server cluster;
detecting whether the port-addition behavior information meets a preset addition condition;
if it does, determining that the port addition is a safe behavior and releasing it;
if it does not, determining that the port addition is a dangerous behavior and blocking it.
The present invention provides a server protection method and device. Compared with the current practice of allowing the listening state of a server port to be set arbitrarily, the present invention obtains port-addition behavior information for a server listening port on a host server in a server cluster and detects whether that information meets a preset addition condition; if it does, the port addition is determined to be a safe behavior and released; if it does not, it is determined to be a dangerous behavior and blocked. This makes it possible to perform security detection on the addition of server listening ports and to prevent hackers from exploiting a vulnerability to add a server listening port for persistent control of the host server, thereby improving server security.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention may be more readily apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are provided only to illustrate the preferred embodiments and are not to be construed as limiting the invention. Throughout the drawings, the same reference characters designate the same components. In the drawings:
Figure 1 is a schematic flow chart of a server protection method provided by an embodiment of the present invention;
Figure 2 is a schematic flow chart of another server protection method provided by an embodiment of the present invention;
Figure 3 is a schematic structural diagram of a server protection device provided by an embodiment of the present invention;
Figure 4 is a schematic structural diagram of another server protection device provided by an embodiment of the present invention;
Figure 5 is a schematic diagram of the physical structure of a computer device provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
As stated in the background section, server clusters currently usually allow the listening state of a server port to be set arbitrarily. In practice, hackers commonly exploit this vulnerability by adding a server listening port to take persistent control of the host server and attack the specific services it runs stably over the long term, leaving every server in the cluster with low security.
To solve the above technical problem, an embodiment of the present invention provides a server protection method. As shown in Figure 1, the method includes:
101. Obtain port-addition behavior information for a server listening port on a host server in the server cluster.
The port-addition behavior information may be the memory call sequence corresponding to the port addition. The memory call sequence may be the sequence of system function interfaces called when the server performs the port addition; it is dynamic in-memory data, and the same addition performed in different scenarios produces different memory call sequences. In an embodiment of the present invention, the memory call sequence of the port addition is obtained by injecting a preset capture module into each server process of the server cluster by process injection, hooking the system call of the port addition by hook technology, and then walking back the system call's stack by backtrace technology. The port-addition behavior information may also be the port information of the newly added server listening port, and the port information may be its port number.
102. Detect whether the port-addition behavior information meets a preset addition condition. If it does, go to step 103; if it does not, go to step 104.
The preset addition condition may be the calling rule that corresponds to an active addition of a server listening port. An active addition is one performed by operating the terminal device with a keyboard or mouse, that is, an operations engineer deliberately adding a listening port on the host server; a passive addition, by contrast, is one performed by a program or function. When developers design a server cluster they usually allow operations engineers to add ports that need to be listened on, and when an operations engineer legitimately adds such a port the addition is usually made with keyboard input or mouse clicks, so an active addition makes its system memory calls according to the calling rules set inside the host server. When hackers exploit a vulnerability, they usually add the server listening port through the passive addition of a program or function, whose system memory calls follow the pattern or calling rules set by the virus or malicious application's developer and do not match the system memory calling pattern or rules set inside the host server. An embodiment of the present invention can therefore perform security detection on the port addition, that is, detect whether it is an active addition, by checking whether the calling rule corresponding to its memory call sequence meets a preset calling rule: if it does, the port addition is determined to be an active addition and a safe behavior; if it does not, the port addition is determined to be a passive addition and a dangerous behavior.
In addition, because the host server runs specific services stably over a long period, its port state tends to be stable and a new listening port is very rarely added. To prevent hackers from exploiting a vulnerability, the host server can be prohibited from adding further server listening ports once it has been deployed. The preset addition condition may therefore be that the newly added server listening port is an already-open server listening port: even when a server listening port is added, it should be one of the already-open server listening ports, which may be collected while the server is being deployed.
103. Determine that the port addition is a safe behavior and release it.
104. Determine that the port addition is a dangerous behavior and block it.
In an embodiment of the present invention, to confirm the accuracy of the detection, the detection result can also be uploaded to the cloud control center after the port addition has been determined to be a dangerous behavior, so that operations engineers can make a further judgment or take further action.
An embodiment of the present invention provides a server protection method. Compared with the current practice of allowing the listening state of a server port to be set arbitrarily, the embodiment obtains port-addition behavior information for a server listening port on a host server in a server cluster and detects whether that information meets a preset addition condition; if it does, the port addition is determined to be a safe behavior and released; if it does not, it is determined to be a dangerous behavior and blocked. This makes it possible to perform security detection on the addition of server listening ports and to prevent hackers from exploiting a vulnerability to add a server listening port for persistent control of the host server, thereby improving server security.
Further, to explain the above server protection process more fully, and as a refinement and extension of the above embodiment, an embodiment of the present invention provides another server protection method, as shown in Figure 2 but not limited to it, as follows:
201. Obtain port-addition behavior information for a server listening port on a host server in the server cluster.
The port-addition behavior information may be the memory call sequence corresponding to the port addition, or the port information of the newly added server listening port.
In an embodiment of the present invention, when the port-addition behavior information is the memory call sequence corresponding to the port addition, step 201 may specifically include the following in order to capture that sequence: injecting a preset capture module into each server process of the server cluster to monitor port additions; hooking the functional functions of the host server's system application layer with a preset hook function to intercept the system call corresponding to the port addition; and performing a stack backtrace of that system call with a preset stack-backtrace function to obtain the memory call sequence corresponding to the port addition.
The preset capture module may be set up by a technician using process injection technology, the preset hook function may be written by a technician using hooking technology, and the preset stack-backtrace function may be written by a technician using backtrace technology. Different capture modules can be set up for different process behaviors (a capture module may be a dynamic link library for the corresponding function), or different preset hook functions and preset stack-backtrace functions can be written. For example, for the process behavior of opening a file, the preset hook function may be a hookNtAddPort function, and the preset stack-backtrace function may be the RtlCaptureStackBackTrace function.
202a. When the port-addition behavior information is the memory call sequence corresponding to the port addition, detect whether the calling rule corresponding to the memory call sequence meets a preset calling rule. If it does, go to step 203; if it does not, go to step 204.
The preset calling rule may be the calling rule of an active addition of a server port. When an active addition of a server listening port occurs on the host server, that is, when a server port is added with the mouse or keyboard, the active addition calls certain system functions or corresponding interface sequences. The calling rule for an active addition may therefore be that a specific system function is present in the memory call sequence. The specific system function may be a system function or corresponding interface sequence called by the active addition, specifically a message-dispatch system function or another system function called by the active addition. The message-dispatch system functions may include the GetMessage, TranslateMessage and DispatchMessage functions. The other system functions called by the active addition may include SHELL32!CDefFolderMenu::InvokeCommand, functions of the IFileOpenDialog interface, functions of the IFileSaveDialog interface, functions of the DragQueryFile interface, and so on.
In a specific application scenario, the step of detecting whether the calling rule corresponding to the memory call sequence meets the preset calling rule specifically includes: detecting whether a specific system function is present in the memory call sequence; if it is, determining that the calling rule corresponding to the memory call sequence meets the preset calling rule; if it is not, determining that the calling rule corresponding to the memory call sequence does not meet the preset calling rule.
In an embodiment of the present invention, to improve the accuracy with which the port addition is identified, the preset calling rule may specifically be that a specific system function is present in the memory call sequence and that the calling order of the specific system functions in the memory call sequence matches a preset calling order. After detecting that a specific system function is present in the memory call sequence, the detection can continue by checking whether the calling order of the specific system functions in the sequence matches the preset calling order; if it does not, the calling rule corresponding to the memory call sequence is determined not to meet the preset calling rule; if it does, the calling rule is determined to meet the preset calling rule. For example, the active addition of a server listening port calls the specific system functions in the order GetMessage, TranslateMessage, DispatchMessage. If detection finds that the calling order of the specific system functions in the memory call sequence of the port addition matches this preset calling order, the port addition is determined to be an active addition and therefore a safe behavior. If detection finds that the calling order does not match the preset calling order, the port addition is determined to be a passive addition and therefore a dangerous behavior.
Alternatively, the preset calling rule may specifically be that a specific system function is present in the memory call sequence and that the stack position of the specific system function in the memory call sequence matches a preset stack position. After detecting that a specific system function is present in the memory call sequence, the detection can continue by checking whether the position of the specific system function in the sequence matches the preset position; if it does not, the calling rule corresponding to the memory call sequence is determined not to meet the preset calling rule; if it does, the calling rule is determined to meet the preset calling rule. The preset position is the position at which the specific system function sits in the memory call sequence corresponding to an active addition of a server listening port. For example, suppose the preset position is 0x10. If detection finds that the GetMessage function sits at position 0x08 in the memory call sequence of the port addition, the calling rule corresponding to that sequence is determined not to meet the preset calling rule, and the port addition is determined not to be an active addition but a passive addition made by a hacker exploiting a vulnerability.
与步骤202a并列的步骤202b、当所述新增行为信息为新增服务器监听端口的端口信息时,检测所述端口信息是否与预设监听端口白名单中的端口信息匹配。若匹配,则执行步骤203;若不匹配,则执行步骤204。Step 202b parallel to step 202a: when the new behavior information is the port information of a new server listening port, detect whether the port information matches the port information in the default listening port whitelist. If they match, perform step 203; if they do not match, perform step 204.
其中,所述预设监听端口白名单中保存有所述服务器集群中已开放的服务器监听端口及其对应的端口信息。所述端口信息可以为端口号,如已开放的服务器监听端口的端口号为8080。具体地,若新增服务器监听端口的端口信息与预设监听端口白名单中的端口信息匹配,则说明新增服务器监听端口为已开放的服务器监听端口,且为主机服务器允许新增的服务器监听端口,因此,确定所述新增行为为安全行为。若新增服务器监听端口的端口信息与预设监听端口白名单中的端口信息不匹配,则说明新增服务器监听端口为并非已开放的服务器监听端口,不是主机服务器允许新增的服务器监听端口,因此,确定所述新增行为为危险行为。The preset listening port whitelist stores open server listening ports in the server cluster and their corresponding port information. The port information may be a port number, for example, the port number of the open server listening port is 8080. Specifically, if the port information of the newly added server listening port matches the port information in the default listening port whitelist, it means that the newly added server listening port is an open server listening port, and the host server allows the newly added server monitoring port. port, therefore, the new behavior is determined to be a safe behavior. If the port information of the newly added server listening port does not match the port information in the default listening port whitelist, it means that the newly added server listening port is not an open server listening port and is not a new server listening port allowed by the host server. Therefore, the new behavior is determined to be dangerous behavior.
对于本发明实施例,还支持设置预设监听端口白名单的功能,所述方法还包括:在所述服务器集群中的服务器部署期间,收集所述已开放的服务器端口及其对应的端口信息;根据所述已开放的服务器监听端口及其对应的端口信息,构建所述预设监听端口白名单。For embodiments of the present invention, the function of setting a preset listening port whitelist is also supported. The method further includes: during server deployment in the server cluster, collecting the opened server ports and their corresponding port information; The preset listening port whitelist is constructed based on the opened server listening ports and their corresponding port information.
进一步地,为了保证所述预设监听端口白名单的完整性,提升服务器的安全性,所述方法还包括:将所述所述预设监听端口白名单发送给云端控制中心进行修正;获取所述云端控制中心修正后的监听端口白名单。因此,在存在新增的服务器监听端口时,可以将所述新增的服务器监听端口与修正后的监听端口白名单进行匹配。Further, in order to ensure the integrity of the preset listening port whitelist and improve the security of the server, the method also includes: sending the preset listening port whitelist to the cloud control center for correction; obtaining all The following is the modified listening port whitelist of the cloud control center. Therefore, when there is a newly added server listening port, the newly added server listening port can be matched with the revised listening port whitelist.
203、确定所述新增行为信息符合预设新增条件,确定所述新增行为为安全行为,并对所述新增行为进行放行处理。203. Determine that the new behavior information meets the preset new conditions, determine that the new behavior is a safe behavior, and release the new behavior.
需要说明的是,在对所述新增行为放行处理后,主机服务器中会存在新增的服务器监听端口,为了后续更好的对服务器端口进行安全检测以及防护,可以利用新增的服务器监听端口更新预设监听端口白名单。具体地,若新增的服务器监听端口在所述预设监听端口白名单中不存在,可以将所述新增的服务器监听端口添加到所述预设监听端口白名单中。It should be noted that after the new behavior is released, a new server listening port will exist in the host server. In order to better perform security detection and protection on the server port in the future, the new server listening port can be used. Update the default listening port whitelist. Specifically, if the newly added server listening port does not exist in the default listening port whitelist, the newly added server listening port can be added to the default listening port whitelist.
204. Determine that the newly added behavior information does not meet the preset addition condition, determine that the newly added behavior is a dangerous behavior, and block the newly added behavior.
In the further server protection method provided by this embodiment of the invention, compared with current practice, which allows the listening state of server ports to be set arbitrarily, the newly added behavior information of server listening ports on the host servers of a server cluster can be obtained, and whether that information meets the preset addition condition can be detected; if it does, the newly added behavior is determined to be a safe behavior and released; if not, it is determined to be a dangerous behavior and blocked. Security detection of newly added behavior on server listening ports is thereby achieved, attackers are prevented from exploiting vulnerabilities to add server listening ports in order to keep persistent control of the host server, and server security is improved.
Further, as a specific implementation of FIG. 1, an embodiment of the invention provides a server protection apparatus. As shown in FIG. 3, the apparatus includes an acquisition unit 31, a detection unit 32 and a processing unit 33.
The acquisition unit 31 may be used to obtain newly added behavior information of server listening ports on the host servers of the server cluster. The acquisition unit 31 is the functional module of the apparatus that obtains this information.
The detection unit 32 may be used to detect whether the newly added behavior information meets the preset addition condition. The detection unit 32 is the main functional module of the apparatus that performs this detection.
The processing unit 33 may be used to determine that the newly added behavior is a safe behavior and release it if the detection unit 32 detects that the newly added behavior information meets the preset addition condition. The processing unit 33 is the main functional module of the apparatus that makes this determination and performs the release.
The processing unit 33 is further used to determine that the newly added behavior is a dangerous behavior and block it if the detection unit 32 detects that the newly added behavior information does not meet the preset addition condition. The processing unit 33 is the main functional module of the apparatus that makes this determination and performs the blocking.
In a specific application scenario, the detection unit 32 may include a first detection module 321 and a first determination module 322, as shown in FIG. 4.
The first detection module 321 may be used, when the newly added behavior information is the memory call sequence corresponding to the newly added behavior, to detect whether the calling rule corresponding to the memory call sequence complies with the preset calling rule.
The first determination module 322 may be used to determine that the newly added behavior information meets the preset addition condition if the first detection module 321 detects that the calling rule corresponding to the memory call sequence complies with the preset calling rule.
The first determination module 322 may further be used to determine that the newly added behavior information does not meet the preset addition condition if the first detection module 321 detects that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule.
It should be noted that, to determine whether the calling rule corresponding to the memory call sequence complies with the preset calling rule, the first detection module 321 may include a detection sub-module and a determination sub-module.
The detection sub-module may be used to detect whether a specific system function is present in the memory call sequence.
The determination sub-module may be used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that a specific system function is present in the memory call sequence.
The determination sub-module may further be used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that no specific system function is present in the memory call sequence.
Further, to improve the accuracy of recognizing the newly added behavior, the detection sub-module may also be used to detect whether the calling order of the specific system functions in the memory call sequence complies with the preset calling order.
The determination sub-module may further be used to determine that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule if the detection sub-module detects that the calling order of the specific system functions in the memory call sequence does not comply with the preset calling order;
The determination sub-module may specifically further be used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that the calling order of the specific system functions in the memory call sequence complies with the preset calling order.
The detection sub-module may also be used to detect whether the location of a specific system function in the memory call sequence matches the preset location.
The determination sub-module may further be used to determine that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule if the detection sub-module detects that the location of the specific system function in the memory call sequence does not match the preset location. The preset location may be set according to actual conditions; for example, the preset location may be 0x08 or 0x10.
The determination sub-module is specifically further used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that the location of the specific system function in the memory call sequence matches the preset location.
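The three checks the detection and determination sub-modules perform on a memory call sequence (presence of specific system functions, their calling order, and their location against a preset location such as 0x08 or 0x10), carried through as an added example that is not code from the patent. The representation of the sequence as a list of `(offset, function)` entries, the rule values, and the sample sequences are assumptions; the page does not say which functions the preset rule names.

```python
"""Calling-rule check over a captured memory call sequence.  Added example,
not code from the patent.  The sequence representation (a list of
(offset, function) entries written by the capture module), the rule values
and the sample sequences are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CallSequence = List[Tuple[int, str]]  # (offset within the sequence, function name)


@dataclass(frozen=True)
class CallingRule:
    required: FrozenSet[str]              # specific system functions that must be present
    order: Tuple[str, ...]                # preset calling order of those functions
    positions: Dict[str, FrozenSet[int]]  # preset location(s) at which a function may sit


def check_calling_rule(seq: CallSequence, rule: CallingRule) -> Tuple[bool, str]:
    """Return (complies, reason).  The checks run in the order the patent lists
    them and the first failure decides, so 'reason' tells an analyst which
    preset value the captured sequence violated."""
    present = {fn for _, fn in seq}
    missing = rule.required - present
    if missing:
        return False, f"missing specific system function(s): {sorted(missing)}"

    # Calling order: compare first appearance of each function with the preset order.
    first_index: Dict[str, int] = {}
    for idx, (_, fn) in enumerate(seq):
        first_index.setdefault(fn, idx)
    expected = tuple(fn for fn in rule.order if fn in first_index)
    observed = tuple(sorted(expected, key=first_index.__getitem__))
    if observed != expected:
        return False, f"calling order {list(observed)} differs from preset {list(expected)}"

    # Location: every occurrence of a constrained function must sit at a preset offset.
    for fn, allowed in rule.positions.items():
        offsets = {off for off, name in seq if name == fn}
        if offsets and not offsets <= allowed:
            return False, (f"{fn} at {[hex(o) for o in sorted(offsets)]}, "
                           f"preset {[hex(a) for a in sorted(allowed)]}")
    return True, "complies with preset calling rule"


def classify_new_behavior(seq: CallSequence, rule: CallingRule) -> str:
    """Processing-unit decision: a compliant sequence is safe, anything else dangerous."""
    complies, _ = check_calling_rule(seq, rule)
    return "safe" if complies else "dangerous"


# Constructed rule for a listener being opened: the three socket functions must all
# appear, in this order, and listen() must sit at one of the page's example offsets.
LISTENER_RULE = CallingRule(
    required=frozenset({"socket", "bind", "listen"}),
    order=("socket", "bind", "listen"),
    positions={"listen": frozenset({0x08, 0x10})},
)

# Constructed sample sequences.
SAFE_SEQUENCE: CallSequence = [(0x00, "socket"), (0x08, "bind"), (0x10, "listen")]
MISSING_SEQUENCE: CallSequence = [(0x00, "socket"), (0x10, "listen")]
ORDER_SEQUENCE: CallSequence = [(0x00, "listen"), (0x08, "socket"), (0x10, "bind")]
POSITION_SEQUENCE: CallSequence = [(0x00, "socket"), (0x08, "bind"), (0x40, "listen")]


if __name__ == "__main__":
    for label, seq in (("safe", SAFE_SEQUENCE), ("missing", MISSING_SEQUENCE),
                       ("order", ORDER_SEQUENCE), ("position", POSITION_SEQUENCE)):
        print(label, classify_new_behavior(seq, LISTENER_RULE), check_calling_rule(seq, LISTENER_RULE)[1])
```

The location check is strict on purpose: if a constrained function shows up at an allowed offset and also at an unexpected one, the sequence is still rejected, because the unexpected occurrence is exactly what the preset location is meant to flag.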
In this embodiment of the invention, the acquisition unit 31 includes a monitoring module 311, a hooking module 312 and a backtracking module 313.
The monitoring module 311 may be used to inject a preset capture module into each server process of the server cluster to monitor the newly added behavior.
The hooking module 312 may be used to hook the functional functions of the system application layer of the host server with a preset hook function, so as to intercept the system calls corresponding to the newly added behavior.
The backtracking module 313 may be used to perform stack backtracking on the intercepted system calls with a preset stack-backtracking function, obtaining the memory call sequence corresponding to the newly added behavior.
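How the three modules of the acquisition unit fit together (a capture module placed in the process, a hook on an application-layer function, and a stack backtrace that yields the memory call sequence), as an added example that is not code from the patent. The hook here is a Python attribute replacement on `socket.socket.listen`, and the frame-index offsets stand in for the native return-address backtrace the patent describes; both are assumptions, as is the `start_service` function used as the legitimate call site.

```python
"""Acquisition unit: a capture module hooks an application-layer function,
records a stack backtrace per call and turns it into the memory call
sequence the detection unit consumes.  Added example, not code from the
patent; hooking socket.socket.listen by attribute replacement and using
frame indices as offsets are assumptions."""
import socket
import traceback
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class CaptureRecord:
    function: str                          # hooked function that was intercepted
    port: int                              # listening port the call opened
    call_sequence: List[Tuple[int, str]]   # (frame index, function), innermost first


class CaptureModule:
    """Placed in a process: replaces a function on a class with a wrapper that
    backtraces the stack, records the call, then forwards it unchanged."""

    def __init__(self) -> None:
        self.records: List[CaptureRecord] = []
        self._saved = []  # (owner, name, had_own_attr, original) for unhook()

    def hook(self, owner: type, name: str, describe: Callable[..., int]) -> None:
        original = getattr(owner, name)
        self._saved.append((owner, name, name in vars(owner), original))

        def hooked(*args, **kwargs):
            frames = traceback.extract_stack()[:-1]   # drop this wrapper's own frame
            seq = [(i, fr.name) for i, fr in enumerate(reversed(frames))]
            # Record before forwarding: a processing unit could block here.
            self.records.append(CaptureRecord(name, describe(*args, **kwargs), seq))
            return original(*args, **kwargs)

        setattr(owner, name, hooked)

    def unhook(self) -> None:
        """Restore every hooked attribute, removing ones the class never owned."""
        while self._saved:
            owner, name, had_own, original = self._saved.pop()
            if had_own:
                setattr(owner, name, original)
            else:
                delattr(owner, name)


def listen_port(sock: socket.socket, *_args, **_kwargs) -> int:
    """Port information for a listen() call: the socket is already bound."""
    return sock.getsockname()[1]


def start_service(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """A legitimate service start; its name shows up in the captured backtrace."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))   # port 0: the OS picks a free loopback port
    srv.listen(1)
    return srv


def capture_service_start() -> List[CaptureRecord]:
    """Hook listen(), run one service start, unhook, and return what was captured."""
    cap = CaptureModule()
    cap.hook(socket.socket, "listen", listen_port)
    try:
        start_service().close()
    finally:
        cap.unhook()
    return cap.records


if __name__ == "__main__":
    for rec in capture_service_start():
        print(rec.function, "port", rec.port)
        for offset, fn in rec.call_sequence:
            print(f"  {offset:#04x} {fn}")
```

The wrapper records the sequence before forwarding the call, which is the point at which a processing unit would decide whether to release or block; `unhook()` restores the class exactly, so the capture module can be removed from a process without leaving a stray attribute behind.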
In a specific application scenario, the detection unit 32 may include a second detection module 323 and a second determination module 324.
The second detection module 323 may be used, when the newly added behavior information is the port information of a newly added server listening port, to detect whether the port information matches port information in the preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports already opened in the server cluster and their corresponding port information;
The second determination module 324 may be used to determine that the newly added behavior information meets the preset addition condition if the second detection module 323 detects that the port information matches port information in the preset listening-port whitelist;
The second determination module 324 may further be used to determine that the newly added behavior information does not meet the preset addition condition if the second detection module detects that the port information does not match any port information in the preset listening-port whitelist.
In addition, to obtain the preset listening-port whitelist, the apparatus further includes a collection unit 34 and a construction unit 35.
The collection unit 34 may be used to collect the opened server ports and their corresponding port information during deployment of the servers in the server cluster.
The construction unit 35 may be used to construct the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
Further, to ensure the completeness of the preset listening-port whitelist and improve server security, the apparatus may further include a correction unit 36.
The correction unit 36 may be used to send the preset listening-port whitelist to the cloud control center for correction.
The acquisition unit 31 may further be used to obtain the listening-port whitelist as corrected by the cloud control center.
It should be noted that for other descriptions of the functional modules involved in the server protection apparatus provided by this embodiment of the invention, reference may be made to the corresponding description of the method shown in FIG. 1, which is not repeated here.
Based on the method shown in FIG. 1, an embodiment of the invention correspondingly also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the following steps are implemented: obtaining newly added behavior information of server listening ports on the host servers of a server cluster; detecting whether the newly added behavior information meets the preset addition condition; if it does, determining that the newly added behavior is a safe behavior and releasing it; if not, determining that the newly added behavior is a dangerous behavior and blocking it.
Based on the embodiments of the method shown in FIG. 1 and the server protection apparatus shown in FIG. 3, an embodiment of the invention also provides the physical structure of a computer device, shown in FIG. 5. The device includes a processor 41, a memory 42, and a computer program stored in the memory 42 and executable on the processor, where the memory 42 and the processor 41 are both arranged on a bus 43. When the processor 41 executes the program, the following steps are implemented: obtaining newly added behavior information of server listening ports on the host servers of a server cluster; detecting whether the newly added behavior information meets the preset addition condition; if it does, determining that the newly added behavior is a safe behavior and releasing it; if not, determining that the newly added behavior is a dangerous behavior and blocking it. The device further includes the bus 43, configured to couple the processor 41 and the memory 42.
Through the technical solution of the invention, newly added behavior information of server listening ports on the host servers of a server cluster can be obtained, and whether that information meets the preset addition condition can be detected; if it does, the newly added behavior is determined to be a safe behavior and released; if not, it is determined to be a dangerous behavior and blocked. Security detection of newly added behavior on server listening ports is thereby achieved, attackers are prevented from exploiting vulnerabilities to add server listening ports in order to keep persistent control of the host server, and server security is improved.
Embodiments of the invention further provide the following technical solutions:
A1. A server protection method, including:
obtaining newly added behavior information of server listening ports on the host servers of a server cluster;
detecting whether the newly added behavior information meets a preset addition condition;
if it does, determining that the newly added behavior is a safe behavior and releasing the newly added behavior;
if not, determining that the newly added behavior is a dangerous behavior and blocking the newly added behavior.
A2. The method according to A1, wherein the newly added behavior information is the memory call sequence corresponding to the newly added behavior, and detecting whether the newly added behavior information meets the preset addition condition includes:
detecting whether the calling rule corresponding to the memory call sequence complies with a preset calling rule;
if it does, determining that the newly added behavior information meets the preset addition condition;
if not, determining that the newly added behavior information does not meet the preset addition condition.
A3. The method according to A2, wherein detecting whether the calling rule corresponding to the memory call sequence complies with the preset calling rule includes:
detecting whether a specific system function is present in the memory call sequence;
if it is present, determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule;
if it is not present, determining that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule.
A4. The method according to A3, wherein before determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule, the method further includes:
detecting whether the calling order of the specific system functions in the memory call sequence complies with a preset calling order;
if not, determining that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule;
and determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule includes:
if it does, determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule.
A5. The method according to A3, wherein before determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule, the method further includes:
detecting whether the location of the specific system function in the memory call sequence matches a preset location;
if not, determining that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule;
and determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule includes:
if it does, determining that the calling rule corresponding to the memory call sequence complies with the preset calling rule.
A6. The method according to any one of A1 to A5, wherein obtaining the newly added behavior information of a newly added server listening port on the host servers of the server cluster includes:
injecting a preset capture module into each server process of the server cluster to monitor the newly added behavior;
hooking the functional functions of the system application layer of the host server with a preset hook function to intercept the system calls corresponding to the newly added behavior;
performing stack backtracking on the system calls with a preset stack-backtracking function to obtain the memory call sequence corresponding to the newly added behavior.
A7. The method according to A1, wherein the newly added behavior information is the port information of a newly added server listening port, and detecting whether the newly added behavior information meets the preset addition condition includes:
detecting whether the port information matches port information in a preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports already opened in the server cluster and their corresponding port information;
if it matches, determining that the newly added behavior information meets the preset addition condition;
if not, determining that the newly added behavior information does not meet the preset addition condition.
A8. The method according to A7, wherein before detecting whether the port information matches port information in the preset port whitelist, the method further includes:
during deployment of the servers in the server cluster, collecting the opened server ports and their corresponding port information;
constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
A9. The method according to A8, wherein after constructing the preset listening-port whitelist from the opened server listening ports and their corresponding port information, the method further includes:
sending the preset listening-port whitelist to a cloud control center for correction;
obtaining the listening-port whitelist as corrected by the cloud control center.
B10. A server protection apparatus, including:
an acquisition unit, used to obtain newly added behavior information of server listening ports on the host servers of a server cluster;
a detection unit, used to detect whether the newly added behavior information meets a preset addition condition;
a processing unit, used to determine that the newly added behavior is a safe behavior and release the newly added behavior if the detection unit detects that the newly added behavior information meets the preset addition condition;
the processing unit being further used to determine that the newly added behavior is a dangerous behavior and block the newly added behavior if the detection unit detects that the newly added behavior information does not meet the preset addition condition.
B11. The apparatus according to B10, wherein the detection unit includes:
a first detection module, used to detect, when the newly added behavior information is the memory call sequence corresponding to the newly added behavior, whether the calling rule corresponding to the memory call sequence complies with a preset calling rule;
a first determination module, used to determine that the newly added behavior information meets the preset addition condition if the first detection module detects that the calling rule corresponding to the memory call sequence complies with the preset calling rule;
the first determination module being further used to determine that the newly added behavior information does not meet the preset addition condition if the first detection module detects that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule.
B12. The apparatus according to B11, wherein the first detection module includes:
a detection sub-module, used to detect whether a specific system function is present in the memory call sequence;
a determination sub-module, used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that a specific system function is present in the memory call sequence;
the determination sub-module being further used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that no specific system function is present in the memory call sequence.
B13. The apparatus according to B12, wherein:
the detection sub-module is further used to detect whether the calling order of the specific system functions in the memory call sequence complies with a preset calling order;
the determination sub-module is further used to determine that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule if the detection sub-module detects that the calling order of the specific system functions in the memory call sequence does not comply with the preset calling order;
the determination sub-module is specifically further used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that the calling order of the specific system functions in the memory call sequence complies with the preset calling order.
B14. The apparatus according to B12, wherein:
the detection sub-module is further used to detect whether the location of the specific system function in the memory call sequence matches a preset location;
the determination sub-module is further used to determine that the calling rule corresponding to the memory call sequence does not comply with the preset calling rule if the detection sub-module detects that the location of the specific system function in the memory call sequence does not match the preset location;
the determination sub-module is specifically further used to determine that the calling rule corresponding to the memory call sequence complies with the preset calling rule if the detection sub-module detects that the location of the specific system function in the memory call sequence matches the preset location.
B15. The apparatus according to any one of B10 to B14, wherein the acquisition unit includes:
a monitoring module, used to inject a preset capture module into each server process of the server cluster to monitor the newly added behavior;
a hooking module, used to hook the functional functions of the system application layer of the host server with a preset hook function to intercept the system calls corresponding to the newly added behavior;
a backtracking module, used to perform stack backtracking on the system calls with a preset stack-backtracking function to obtain the memory call sequence corresponding to the newly added behavior.
B16. The apparatus according to B10, wherein the detection unit includes:
a second detection module, used to detect, when the newly added behavior information is the port information of a newly added server listening port, whether the port information matches port information in a preset listening-port whitelist, the preset listening-port whitelist storing the server listening ports already opened in the server cluster and their corresponding port information;
a second determination module, used to determine that the newly added behavior information meets the preset addition condition if the second detection module detects that the port information matches port information in the preset listening-port whitelist;
the second determination module being further used to determine that the newly added behavior information does not meet the preset addition condition if the second detection module detects that the port information does not match port information in the preset listening-port whitelist.
B17. The apparatus according to B16, further including:
a collection unit, used to collect the opened server ports and their corresponding port information during deployment of the servers in the server cluster;
a construction unit, used to construct the preset listening-port whitelist from the opened server listening ports and their corresponding port information.
B18. The apparatus according to B16, further including a correction unit, wherein:
the correction unit is used to send the preset listening-port whitelist to a cloud control center for correction;
the acquisition unit is further used to obtain the listening-port whitelist as corrected by the cloud control center.
C19. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method according to any one of A1 to A9.
D20. A computer device including a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of A1 to A9 when it executes the computer program.
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, refer to the relevant descriptions of the other embodiments.
It will be understood that related features of the above methods and devices may be referred to one another. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate that any embodiment is better or worse than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the above description of specific languages is provided to disclose the best mode of carrying out the invention.
In the specification provided here, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the server protection device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any order. These words may be interpreted as names.
Claims (16)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810668277X | 2018-06-26 | | |
| CN201810668277.XA CN108846287A (en) | 2018-06-26 | 2018-06-26 | A kind of method and device of detection loophole attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109753806A CN109753806A (en) | 2019-05-14 |
| CN109753806B true CN109753806B (en) | 2024-01-19 |
Family
ID=64202031
Family Applications (10)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810668277.XA Pending CN108846287A (en) | 2018-05-04 | 2018-06-26 | A kind of method and device of detection loophole attack |
| CN201811640753.3A Pending CN109829309A (en) | 2018-06-26 | 2018-12-29 | Terminal device system protection method and device |
| CN201811640481.7A Active CN109711168B (en) | 2018-06-26 | 2018-12-29 | Behavior-based service identification method, apparatus, device, and readable storage medium |
| CN201811640526.0A Pending CN109726560A (en) | 2018-06-26 | 2018-12-29 | Terminal device system protection method and device |
| CN201811640231.3A Active CN109871691B (en) | 2018-06-26 | 2018-12-29 | Permission-based process management method, system, device and readable storage medium |
| CN201811645681.1A Pending CN109766698A (en) | 2018-06-26 | 2018-12-29 | Data prevention method and device |
| CN201811645578.7A Pending CN109711172A (en) | 2018-06-26 | 2018-12-29 | Data prevention method and device |
| CN201811640471.3A Active CN109753806B (en) | 2018-06-26 | 2018-12-29 | Server protection method and device |
| CN201811640643.7A Pending CN109829307A (en) | 2018-06-26 | 2018-12-29 | Process behavior recognition methods and device |
| CN201811646131.1A Active CN109766701B (en) | 2018-06-26 | 2018-12-29 | Processing method, device and electronic device for abnormal process termination operation |
Family Applications Before (7)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810668277.XA Pending CN108846287A (en) | 2018-05-04 | 2018-06-26 | A kind of method and device of detection loophole attack |
| CN201811640753.3A Pending CN109829309A (en) | 2018-06-26 | 2018-12-29 | Terminal device system protection method and device |
| CN201811640481.7A Active CN109711168B (en) | 2018-06-26 | 2018-12-29 | Behavior-based service identification method, apparatus, device, and readable storage medium |
| CN201811640526.0A Pending CN109726560A (en) | 2018-06-26 | 2018-12-29 | Terminal device system protection method and device |
| CN201811640231.3A Active CN109871691B (en) | 2018-06-26 | 2018-12-29 | Permission-based process management method, system, device and readable storage medium |
| CN201811645681.1A Pending CN109766698A (en) | 2018-06-26 | 2018-12-29 | Data prevention method and device |
| CN201811645578.7A Pending CN109711172A (en) | 2018-06-26 | 2018-12-29 | Data prevention method and device |
Family Applications After (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811640643.7A Pending CN109829307A (en) | 2018-06-26 | 2018-12-29 | Process behavior recognition methods and device |
| CN201811646131.1A Active CN109766701B (en) | 2018-06-26 | 2018-12-29 | Processing method, device and electronic device for abnormal process termination operation |
Country Status (1)
| Country | Link |
|---|---|
| CN (10) | CN108846287A (en) |
Families Citing this family (29)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109711166B (en) * | 2018-12-17 | 2020-12-11 | 北京知道创宇信息技术股份有限公司 | Vulnerability detection method and device |
| CN109558730B (en) * | 2018-12-29 | 2020-10-16 | 360企业安全技术(珠海)有限公司 | Browser security protection method and device |
| CN109800576B (en) * | 2018-12-29 | 2021-07-23 | 360企业安全技术(珠海)有限公司 | Monitoring method, device, and electronic device for abnormal request of unknown program |
| CN112398784B (en) * | 2019-08-15 | 2023-01-06 | 奇安信安全技术(珠海)有限公司 | Method and device for defending vulnerability attack, storage medium and computer equipment |
| CN112395585B (en) * | 2019-08-15 | 2023-01-06 | 奇安信安全技术(珠海)有限公司 | Database service login method, device, equipment and readable storage medium |
| CN112395604B (en) * | 2019-08-15 | 2022-09-30 | 奇安信安全技术(珠海)有限公司 | System monitoring login protection method, client, server and storage medium |
| CN112395617A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Method and device for protecting docker escape vulnerability, storage medium and computer equipment |
| CN112398787B (en) * | 2019-08-15 | 2022-09-30 | 奇安信安全技术(珠海)有限公司 | Mailbox login verification method and device, computer equipment and storage medium |
| CN112398789A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Remote login control method and device, system, storage medium, and electronic device |
| CN110610086B (en) * | 2019-08-30 | 2021-06-18 | 北京卓识网安技术股份有限公司 | Illegal code identification method, system, device and storage medium |
| WO2021046811A1 (en) * | 2019-09-12 | 2021-03-18 | 奇安信安全技术(珠海)有限公司 | Attack behavior determination method and apparatus, and computer storage medium |
| CN110505247B (en) * | 2019-09-27 | 2022-05-17 | 百度在线网络技术(北京)有限公司 | Attack detection method and device, electronic equipment and storage medium |
| CN111209559B (en) * | 2019-12-23 | 2022-02-15 | 东软集团股份有限公司 | Permission processing method and device of application program, storage medium and electronic equipment |
| CN111046377B (en) * | 2019-12-25 | 2023-11-14 | 五八同城信息技术有限公司 | Method and device for loading dynamic link library, electronic equipment and storage medium |
| CN111353143B (en) * | 2020-02-27 | 2025-07-15 | 深圳市腾讯信息技术有限公司 | Sensitive permission detection method, device and storage medium |
| CN111382076B (en) * | 2020-03-10 | 2023-04-25 | 抖音视界有限公司 | Application program testing method and device, electronic equipment and computer storage medium |
| CN113626296B (en) * | 2020-05-09 | 2025-02-14 | 深圳云天励飞技术有限公司 | A method, device and terminal for detecting system stability |
| CN111884884B (en) * | 2020-07-31 | 2022-05-31 | 北京明朝万达科技股份有限公司 | Method, system and device for monitoring file transmission |
| CN111859405A (en) * | 2020-07-31 | 2020-10-30 | 深信服科技股份有限公司 | Threat immunization framework, method, equipment and readable storage medium |
| CN112069505B (en) * | 2020-09-15 | 2021-11-23 | 北京微步在线科技有限公司 | Audit information processing method and electronic equipment |
| US12039031B2 (en) * | 2020-09-16 | 2024-07-16 | Cisco Technology, Inc. | Security policies for software call stacks |
| CN112910868A (en) * | 2021-01-21 | 2021-06-04 | 平安信托有限责任公司 | Enterprise network security management method and device, computer equipment and storage medium |
| CN113392416B (en) * | 2021-06-28 | 2024-03-22 | 北京恒安嘉新安全技术有限公司 | Method, device, equipment and storage medium for acquiring application program encryption and decryption data |
| CN113742726B (en) * | 2021-08-27 | 2024-10-15 | 恒安嘉新(北京)科技股份公司 | Program identification model training and program identification method, device, equipment and medium |
| CN113779561B (en) * | 2021-09-09 | 2024-03-01 | 安天科技集团股份有限公司 | Kernel vulnerability processing method and device, storage medium and electronic equipment |
| CN115051905A (en) * | 2022-07-19 | 2022-09-13 | 广东泓胜科技股份有限公司 | Port security monitoring and analyzing method, device and related equipment |
| CN116707929B (en) * | 2023-06-16 | 2024-07-05 | 广州市玄武无线科技股份有限公司 | Mobile phone photographing and faking detection method and device based on call stack information acquisition, terminal equipment and computer readable storage medium |
| CN118468280A (en) * | 2024-04-29 | 2024-08-09 | 中电云计算技术有限公司 | Method and system for adaptively generating process chain detection rules |
| CN118226795B (en) * | 2024-05-23 | 2024-08-13 | 山东颐阳生物科技集团股份有限公司 | Production line safety supervision system and method for wine raw material processing workshop |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2002006928A2 (en) * | 2000-07-14 | 2002-01-24 | Vcis, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
| CN101286995A (en) * | 2008-05-23 | 2008-10-15 | 北京锐安科技有限公司 | Long-range control method and system |
| CN101753377A (en) * | 2009-12-29 | 2010-06-23 | 吉林大学 | p2p_botnet real-time detection method and system |
| US7891000B1 (en) * | 2005-08-05 | 2011-02-15 | Cisco Technology, Inc. | Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers |
| CN102546624A (en) * | 2011-12-26 | 2012-07-04 | 西北工业大学 | Method and system for detecting and defending multichannel network intrusion |
| CN103631712A (en) * | 2013-10-23 | 2014-03-12 | 北京信息控制研究所 | Modeled software key behavior tracking method based on memory management |
| US8990944B1 (en) * | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
| CN106203092A (en) * | 2016-06-30 | 2016-12-07 | 北京金山安全软件有限公司 | Method and device for intercepting shutdown of malicious program and electronic equipment |
| CN106411588A (en) * | 2016-09-29 | 2017-02-15 | 锐捷网络股份有限公司 | Network device management method, master device and management server |
| US9807104B1 (en) * | 2016-04-29 | 2017-10-31 | STEALTHbits Technologies, Inc. | Systems and methods for detecting and blocking malicious network activity |
| CN107483274A (en) * | 2017-09-25 | 2017-12-15 | 北京全域医疗技术有限公司 | Service item running state monitoring method and device |
| CN107959595A (en) * | 2016-10-14 | 2018-04-24 | 腾讯科技(深圳)有限公司 | The method, apparatus and system of a kind of abnormality detection |
Family Cites Families (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7546587B2 (en) * | 2004-03-01 | 2009-06-09 | Microsoft Corporation | Run-time call stack verification |
| KR100843701B1 (en) * | 2006-11-07 | 2008-07-04 | 소프트캠프(주) | How Apia checks the information recorded in the call stack |
| CN101059829A (en) * | 2007-05-16 | 2007-10-24 | 珠海金山软件股份有限公司 | Device and method for automatically analyzing course risk grade |
| US8117424B2 (en) * | 2007-09-21 | 2012-02-14 | Siemens Industry, Inc. | Systems, devices, and/or methods for managing programmable logic controller processing |
| CN101373501B (en) * | 2008-05-12 | 2010-06-02 | 公安部第三研究所 | Dynamic Behavior Capturing Method for Computer Viruses |
| US9110801B2 (en) * | 2009-02-10 | 2015-08-18 | International Business Machines Corporation | Resource integrity during partial backout of application updates |
| CN103136472B (en) * | 2011-11-29 | 2016-08-31 | 腾讯科技(深圳)有限公司 | A kind of anti-application program steals method and the mobile device of privacy |
| CN103368904B (en) * | 2012-03-27 | 2016-12-28 | 百度在线网络技术(北京)有限公司 | The detection of mobile terminal, questionable conduct and decision-making system and method |
| WO2013156823A1 (en) * | 2012-04-20 | 2013-10-24 | Freescale Semiconductor, Inc. | Information processing device and method for protecting data in a call stack |
| CN102750475B (en) * | 2012-06-07 | 2017-08-15 | 中国电子科技集团公司第三十研究所 | Malicious code behavioral value method and system are compared based on view intersection inside and outside virtual machine |
| CN103778375B (en) * | 2012-10-24 | 2017-11-17 | 腾讯科技(深圳)有限公司 | The apparatus and method for preventing user equipment from loading illegal dynamic link library file |
| US9558347B2 (en) * | 2013-08-27 | 2017-01-31 | Globalfoundries Inc. | Detecting anomalous user behavior using generative models of user actions |
| US9519758B2 (en) * | 2014-02-04 | 2016-12-13 | Pegasus Media Security, Llc | System and process for monitoring malicious access of protected content |
| CN103761472B (en) * | 2014-02-21 | 2017-05-24 | 北京奇虎科技有限公司 | Application program accessing method and device based on intelligent terminal |
| US9652328B2 (en) * | 2014-05-12 | 2017-05-16 | International Business Machines Corporation | Restoring an application from a system dump file |
| CN105335654B (en) * | 2014-06-27 | 2018-12-14 | 北京金山安全软件有限公司 | Android malicious program detection and processing method, device and equipment |
| CN104268471B (en) * | 2014-09-10 | 2017-04-26 | 珠海市君天电子科技有限公司 | Method and device for detecting return-oriented programming attack |
| US9721112B2 (en) * | 2014-09-29 | 2017-08-01 | Airwatch Llc | Passive compliance violation notifications |
| SG11201704059RA (en) * | 2014-11-25 | 2017-06-29 | Ensilo Ltd | Systems and methods for malicious code detection accuracy assurance |
| CN104484599B (en) * | 2014-12-16 | 2017-12-12 | 北京奇虎科技有限公司 | A kind of behavior treating method and apparatus based on application program |
| WO2017023773A1 (en) * | 2015-07-31 | 2017-02-09 | Digital Guardian, Inc. | Systems and methods of protecting data from injected malware |
| CN105224862B (en) * | 2015-09-25 | 2018-03-27 | 北京北信源软件股份有限公司 | A kind of hold-up interception method and device of office shear plates |
| CN105279432B (en) * | 2015-10-12 | 2018-11-23 | 北京金山安全软件有限公司 | Software monitoring processing method and device |
| CN105678168A (en) * | 2015-12-29 | 2016-06-15 | 北京神州绿盟信息安全科技股份有限公司 | Method and apparatus for detecting Shellcode based on stack frame abnormity |
| WO2017166037A1 (en) * | 2016-03-29 | 2017-10-05 | 深圳投之家金融信息服务有限公司 | Data tampering detection device and method |
| CN107330320B (en) * | 2016-04-29 | 2020-06-05 | 腾讯科技(深圳)有限公司 | Method and device for monitoring application process |
| CN105956462B (en) * | 2016-06-29 | 2019-05-10 | 珠海豹趣科技有限公司 | A kind of method, apparatus and electronic equipment preventing malicious loading driving |
| CN106201811B (en) * | 2016-07-06 | 2019-03-26 | 青岛海信宽带多媒体技术有限公司 | The fault recovery method and terminal of application program |
| CN108171056A (en) * | 2016-12-08 | 2018-06-15 | 武汉安天信息技术有限责任公司 | It is a kind of to automate the malicious detection method of judgement sample and device |
| CN106708734B (en) * | 2016-12-13 | 2020-01-10 | 腾讯科技(深圳)有限公司 | Software anomaly detection method and device |
| CN108280346B (en) * | 2017-01-05 | 2022-05-31 | 腾讯科技(深圳)有限公司 | Application protection monitoring method, device and system |
| CN106991324B (en) * | 2017-03-30 | 2020-02-14 | 兴华永恒(北京)科技有限责任公司 | Malicious code tracking and identifying method based on memory protection type monitoring |
| CN107358071A (en) * | 2017-06-07 | 2017-11-17 | 武汉斗鱼网络科技有限公司 | Prevent the method and device that function illegally calls in Flash application programs |
| CN107704356B (en) * | 2017-06-12 | 2019-06-28 | 平安科技(深圳)有限公司 | Exception stack information acquisition method, device and computer readable storage medium |
| CN108052431A (en) * | 2017-12-08 | 2018-05-18 | 北京奇虎科技有限公司 | Terminal program exception closing information processing method, device, terminal |
2018
- 2018-06-26 CN CN201810668277.XA patent/CN108846287A/en active Pending
- 2018-12-29 CN CN201811640753.3A patent/CN109829309A/en active Pending
- 2018-12-29 CN CN201811640481.7A patent/CN109711168B/en active Active
- 2018-12-29 CN CN201811640526.0A patent/CN109726560A/en active Pending
- 2018-12-29 CN CN201811640231.3A patent/CN109871691B/en active Active
- 2018-12-29 CN CN201811645681.1A patent/CN109766698A/en active Pending
- 2018-12-29 CN CN201811645578.7A patent/CN109711172A/en active Pending
- 2018-12-29 CN CN201811640471.3A patent/CN109753806B/en active Active
- 2018-12-29 CN CN201811640643.7A patent/CN109829307A/en active Pending
- 2018-12-29 CN CN201811646131.1A patent/CN109766701B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2002006928A2 (en) * | 2000-07-14 | 2002-01-24 | Vcis, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
| US7891000B1 (en) * | 2005-08-05 | 2011-02-15 | Cisco Technology, Inc. | Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers |
| CN101286995A (en) * | 2008-05-23 | 2008-10-15 | 北京锐安科技有限公司 | Long-range control method and system |
| CN101753377A (en) * | 2009-12-29 | 2010-06-23 | 吉林大学 | p2p_botnet real-time detection method and system |
| CN102546624A (en) * | 2011-12-26 | 2012-07-04 | 西北工业大学 | Method and system for detecting and defending multichannel network intrusion |
| US8990944B1 (en) * | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
| CN103631712A (en) * | 2013-10-23 | 2014-03-12 | 北京信息控制研究所 | Modeled software key behavior tracking method based on memory management |
| US9807104B1 (en) * | 2016-04-29 | 2017-10-31 | STEALTHbits Technologies, Inc. | Systems and methods for detecting and blocking malicious network activity |
| CN106203092A (en) * | 2016-06-30 | 2016-12-07 | 北京金山安全软件有限公司 | Method and device for intercepting shutdown of malicious program and electronic equipment |
| CN106411588A (en) * | 2016-09-29 | 2017-02-15 | 锐捷网络股份有限公司 | Network device management method, master device and management server |
| CN107959595A (en) * | 2016-10-14 | 2018-04-24 | 腾讯科技(深圳)有限公司 | The method, apparatus and system of a kind of abnormality detection |
| CN107483274A (en) * | 2017-09-25 | 2017-12-15 | 北京全域医疗技术有限公司 | Service item running state monitoring method and device |
Non-Patent Citations (1)
| Title |
|---|
| Detection Based on Perflow Packet Count and Entropy; Xuyang Zhu; Hai Zhang; 2009 International Conference on Electronic Computer Technology; 524-528 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109726560A (en) | 2019-05-07 |
| CN109711168A (en) | 2019-05-03 |
| CN109871691B (en) | 2021-07-20 |
| CN109829307A (en) | 2019-05-31 |
| CN109766701B (en) | 2021-04-27 |
| CN108846287A (en) | 2018-11-20 |
| CN109766701A (en) | 2019-05-17 |
| CN109711172A (en) | 2019-05-03 |
| CN109871691A (en) | 2019-06-11 |
| CN109766698A (en) | 2019-05-17 |
| CN109711168B (en) | 2021-01-15 |
| CN109829309A (en) | 2019-05-31 |
| CN109753806A (en) | 2019-05-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109753806B (en) | Server protection method and device | |
| CN113661693B (en) | Detecting sensitive data exposure via log | |
| US10467406B2 (en) | Methods and apparatus for control and detection of malicious content using a sandbox environment | |
| CN105320883B (en) | File security loads implementation method and device | |
| KR101657191B1 (en) | Software Protection Mechanism | |
| US9280664B2 (en) | Apparatus and method for blocking activity of malware | |
| CN103679031B (en) | A kind of immune method and apparatus of file virus | |
| US8732836B2 (en) | System and method for correcting antivirus records to minimize false malware detections | |
| CN102882875B (en) | Active defense method and device | |
| US20210026947A1 (en) | Intrusion detection and prevention for unknown software vulnerabilities using live patching | |
| CN109918285B (en) | Security identification method and device for open source software | |
| WO2019072008A1 (en) | Security scanning method and apparatus for mini program, and electronic device | |
| JP2017527931A (en) | Malware detection method and system | |
| EP3270317B1 (en) | Dynamic security module server device and operating method thereof | |
| WO2018182126A1 (en) | System and method for authenticating safe software | |
| US10055251B1 (en) | Methods, systems, and media for injecting code into embedded devices | |
| US11055168B2 (en) | Unexpected event detection during execution of an application | |
| US10839074B2 (en) | System and method of adapting patterns of dangerous behavior of programs to the computer systems of users | |
| CN102508768A (en) | Monitoring method and monitoring device for application program | |
| CN106415577B (en) | System and method for identifying the source of a suspicious event | |
| US11003772B2 (en) | System and method for adapting patterns of malicious program behavior from groups of computer systems | |
| CN102857519B (en) | Active defensive system | |
| CN109784051B (en) | Information security protection methods, devices and equipment | |
| CN112395593B (en) | Instruction execution sequence monitoring method and device, storage medium, computer equipment | |
| CN117914582A (en) | Method, device, equipment and storage medium for detecting process hollowing attack |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB02 | Change of applicant information | Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province. Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.; QAX Technology Group Inc. Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province. Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.; BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
| | GR01 | Patent grant | |