
CN102438023A - Method and device for detecting malicious remote procedure call behavior - Google Patents

Method and device for detecting malicious remote procedure call behavior

Info

Publication number
CN102438023A
Authority
CN (China)
Prior art keywords
rpc, uuid, uuids, behavior, server
Legal status
Granted
Application number
CN2011104496888A
Other languages
Chinese (zh)
Other versions
CN102438023B (en)
Inventors
蒋武
周莹莹
Current Assignee
Chengdu Huawei Technology Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Events
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201110449688.8A
Publication of CN102438023A
Application granted
Publication of CN102438023B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for detecting malicious remote procedure call (RPC) behavior, which address the poor detection effectiveness and the many missed reports of malicious RPC behavior in the prior art. The method comprises the following steps: when a client queries a server for the high port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client; during the RPC process, parsing the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection; obtaining all UUIDs related to the RPC process according to the recorded UUIDs and the RPC stream; and judging whether each of the obtained UUIDs conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior. The effectiveness of the protection device in detecting malicious RPC behavior is improved, and the security of the protected RPC server is enhanced.

Description

Method and device for detecting malicious remote procedure call behavior
Technical field
The present invention relates to the technical field of computer networks, and in particular to a method for detecting malicious remote procedure call (RPC, Remote Procedure Call) behavior and a device for detecting malicious RPC behavior.
Background technology
The RPC protocol provides an inter-process communication mechanism through which a program running on one computer can request a service from a program on another computer in the network. RPC uses a client/server model: the program requesting the service acts as the client, and the program providing the service acts as the server.
To distinguish the multiple RPC-based services (hereinafter "RPC services") provided by the same computer, the prior art uniquely identifies each RPC service on a server by a UUID. When each RPC service on the server starts, it applies for a high port with a port number in the range 1024 to 65525 and registers that high port under the UUID of the RPC service, i.e. it stores a one-to-one mapping between the UUID and the high port number. When a client requests an RPC service from the server, it must connect to the high port corresponding to that RPC service on the server and request the service over that connection. Specifically, the client first connects to the server through a predetermined query port, such as port 135, and queries the server for the high port number corresponding to the RPC service using the UUID of the service it intends to request; after obtaining the high port number returned by the server, it closes the query connection. It then uses the obtained high port number of the RPC service to establish a connection with the server and request the service.
Because server systems have vulnerabilities in their design, a client can perform dangerous operations by requesting the RPC services corresponding to certain UUIDs; for example, when requesting an RPC service, it can send packets with an incorrect format or incorrect parameters to cause a buffer overflow and thereby gain full control of the server. To address this problem, the prior art proposes detecting the RPC call process with an intrusion prevention system (IPS): if the service corresponding to the UUID bound in the RPC call process is dangerous, vulnerable, or forbidden to be called, or the operation performed is forbidden, the call process is blocked.
In the course of realizing the present invention, the inventors found that the prior art has at least the following defect:
When a malicious client binds multiple UUIDs in an RPC process, including the UUID of a malicious RPC service, or attempts to perform a forbidden operation, the existing IPS cannot effectively detect the malicious RPC behavior among them, producing many missed reports and thus failing to guarantee the security of the server.
Summary of the invention
Embodiments of the invention provide a method for detecting malicious RPC behavior, to solve the problems in the prior art of poor detection of malicious RPC behavior and many missed reports.
Correspondingly, embodiments of the invention also provide a device for detecting malicious RPC behavior.
The technical solution provided by embodiments of the invention is as follows:
A method for detecting malicious remote procedure call (RPC) behavior comprises:
when a client queries a server for the high port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client;
during the RPC process, parsing the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection;
obtaining all UUIDs related to the RPC process according to the recorded UUIDs and the RPC stream;
judging whether each of the obtained UUIDs conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior.
A device for detecting malicious RPC behavior comprises:
a recording module, for recording the UUIDs of all RPC services requested by a client when the client queries the server for the high port corresponding to an RPC service;
a parsing module, for parsing, during the RPC process, the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection;
an acquisition module, for obtaining all UUIDs related to the RPC process according to the UUIDs recorded by the recording module and the RPC stream obtained by the parsing module;
a detection module, for judging whether each of the UUIDs obtained by the acquisition module conforms to a predetermined control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior.
By parsing the packets exchanged in the RPC process, embodiments of the invention obtain all UUIDs bound by the client and check the legitimacy of each of them against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This prevents a client from evading detection by the protection device by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the main implementation principle of an embodiment of the invention;
Fig. 2 is a schematic diagram of the network deployment structure provided by an embodiment of the invention;
Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of how, in an embodiment of the invention, the server provides an RPC service to the client through the RPC stream;
Fig. 5 is a schematic structural diagram of the device for detecting malicious RPC behavior provided by an embodiment of the invention;
Fig. 6 is another schematic structural diagram of the device for detecting malicious RPC behavior provided by an embodiment of the invention.
Embodiment
The inventors analyzed in depth why an existing IPS cannot effectively detect malicious RPC service call behavior when a client binds multiple UUIDs in an RPC process, and found the reason: because an RPC call requires the UUID and the port number registered for that UUID as parameters in order to connect and obtain the service, existing IPSs are designed on the premise that only one UUID is bound in an RPC call process, i.e. in the TCP session connection that carries the RPC content, so that the IPS only needs to detect the first UUID carried therein to protect against malicious RPC calls.
However, a malicious client can evade detection by binding multiple UUIDs in one RPC call: as long as the RPC service corresponding to the first UUID is allowed, the IPS concludes that the RPC call is not malicious. A malicious client can bind multiple UUIDs in one RPC call in several ways, for example by using the Alter Context option of RPC to call the RPC services corresponding to several UUIDs in one TCP session connection, or by carrying multiple UUIDs in one TCP session connection where the first UUID corresponds to a service the server does not support.
Based on the above analysis of how detection is evaded by binding multiple UUIDs in the RPC call process, the inventors provide a method for detecting malicious RPC call behavior.
The main implementation principle of the technical solution of embodiments of the invention, its embodiments, and the beneficial effects it should achieve are elaborated below with reference to the drawings.
As shown in Fig. 1, the main implementation principle of an embodiment of the invention is as follows:
Step 10: when a client queries the server for the high port corresponding to an RPC service, record the UUIDs of all RPC services requested by the client.
Optionally, because the address or port of the client is usually fixed, the protection device deployed between the client and the server can obtain the UUIDs of all RPC services requested by each client by monitoring the traffic of the predetermined query port on the server, such as port 135. The protection device includes but is not limited to an IPS and a firewall.
Step 20: during the RPC process, parse the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried on the session connection.
The payload of each TCP packet in a TCP session connection can carry data of upper-layer protocols such as the session layer and the application layer; by performing protocol parsing on the payload of each TCP packet in the TCP session connection, the RPC stream carried by the packets exchanged in one session connection between the client and the server can be obtained.
Because the protection device cannot know in advance which port an RPC service will use, it usually allows packets to all high ports to pass; therefore, to ensure security, the protection device needs to monitor the session connections on all high ports of the server.
Step 30: obtain all UUIDs related to the RPC process according to the recorded UUIDs and the RPC stream.
In the solution provided by this embodiment, the protection device parses the RPC stream and obtains all UUIDs bound in it, rather than, as in the prior art, stopping parsing once the first UUID has been parsed.
Step 40: by querying the policy library, judge whether each obtained UUID related to the RPC process conforms to a predetermined control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Specifically, the policy library and the query requirements can be set according to the different security levels required of the network environment in which the protection device (such as an IPS or firewall) is located. For example, for a network environment with higher security requirements, a normal control policy can be configured in the policy library; the normal control policy contains the UUIDs related to normal RPC processes, and if at least one UUID related to the client's RPC process is judged not to conform to the normal control policy, the client is determined to have performed malicious RPC behavior. For a network environment with lower security requirements, an abnormal control policy can be configured in the policy library; the abnormal control policy contains the UUIDs related to malicious RPC behavior, and if at least one UUID related to the client's RPC process is judged to conform to the abnormal control policy, the client is determined to have performed malicious RPC behavior; as long as no UUID conforms to the abnormal control policy, the client is considered to have performed normal RPC behavior.
Optionally, after detecting that the client has performed malicious RPC behavior, the method further comprises blocking the packets corresponding to the malicious RPC behavior in the TCP session connection; the TCP session connection itself can of course also be blocked.
In the method for detecting malicious RPC behavior provided by embodiments of the invention, all UUIDs bound by the client in the RPC process are obtained by parsing the packet payloads in the TCP session connection, and the legitimacy of each of them is checked against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This eliminates the possibility of a client evading detection by the protection device by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
An embodiment is described in detail below to elaborate and explain the main implementation principle of the method of the invention according to the above inventive principle.
Fig. 2 is a schematic diagram of the network deployment structure provided by an embodiment of the invention. The protection device is deployed between the client and the server, and packets exchanged between the client and the server must pass the protection device's inspection before being forwarded to the other side. Fig. 2 gives examples of several packet forwarding processes in chronological order. The protection device includes but is not limited to an IPS, a firewall, and so on. There may of course be multiple clients and servers; for brevity, Figs. 2 and 3 describe the example of one client and one server.
Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment of the invention.
Step 301: the protection device obtains the interface query request of client ClientA by monitoring the traffic of the server's predetermined query port (such as port 135).
Optionally, when the client queries the server for the high port number corresponding to the UUID of an RPC service, the Packet Flag field in the interface query request it sends is set to 0x03. The protection device can identify the query request by a feature field that includes the Packet Flag field.
If the content of the Packet Flag field is not 0x03, the packet payload carries fragment data (sometimes the UUIDs being queried are too many to be carried in one packet); the protection device splices and reassembles the fragment data sent by the client to obtain the complete query request.
Step 302: the protection device performs protocol parsing on the interface query request of client ClientA, obtains the UUIDs of all RPC services requested by the client, and records them.
Optionally, the protection device can store the UUIDs requested by the client in the form of a record table, a singly linked list, a tree, or the like. Table 1 shows storage in the form of a record table.
Table 1
[Table 1 is an image in the original and is not reproduced in the text: the record table of the UUIDs requested by ClientA.]
Optionally, because the server does not support the RPC services corresponding to all UUIDs requested by the client, and the server will not provide an RPC service it does not support even if the client requests it, Step 303 can be performed to delete entries from Table 1 in order to reduce the protection device's subsequent traffic monitoring burden.
Step 303: the protection device performs protocol parsing on the interface query response returned by the server, obtains information on whether the server supports the UUIDs requested by the client, and deletes from the record the UUIDs of RPC services the server does not support.
If the server supports the service corresponding to a UUID carried in the query request sent by the client, it returns the corresponding high port number in the query response; otherwise it returns rejection information, such as provider rejection (0x02). If the protection device can obtain the high port number corresponding to a UUID from the query response, the server supports the RPC service identified by that UUID; otherwise the server does not support the RPC service identified by that UUID.
In this embodiment the server does not support the RPC services corresponding to UUID121 and UUID80; Table 2 shows the result after deleting them from Table 1.
Table 2
[Table 2 is an image in the original and is not reproduced in the text: the record table after the UUIDs of unsupported RPC services are deleted.]
Step 304: the client establishes a TCP session connection with the server according to the high port number corresponding to the UUID it queried. The RPC stream is carried over the TCP session connection between the server and the client, parameters and data are exchanged, and the RPC service is thereby provided.
The process by which the server provides the RPC service to the client through the RPC stream is:
Step 401: the client sends the "sequence number + operator" of a UUID to the server, where the sequence number indicates the order in which the client sent that UUID during the interface query stage;
The operator includes but is not limited to: the operator "w" corresponding to a write operation, the operator "r" corresponding to a read operation, the operator "q" corresponding to a query operation, and so on.
Step 402: the server performs the corresponding processing according to the "sequence number + operator";
Step 403: when the processing corresponding to the "sequence number + operator" requires information to be returned to the client, the server returns the processing result to the client;
For example, when the operator is the operator "r" of a read operation, the server must return the data read to the client; when the operator is the operator "w" of a write operation, the server must return the success or failure of the write to the client.
Steps 401 to 403 can be repeated several times, and the sequence number and operator sent by the client can differ each time.
Step 305: the protection device parses the data packets transmitted in the TCP session connection that passes through it between the client and the server, and obtains the RPC stream.
The protection device performs IP fragment reassembly on the packets sent by the client that pass through it, and then reassembles the session content on that basis. It then performs protocol parsing on the session content and obtains the RPC stream from it.
Through Steps 306 to 308, the protection device obtains all UUIDs related to the client's RPC process.
Step 306: the protection device parses the sequence number of each RPC service carried in the RPC stream.
Optionally, the protection device can also parse the operator corresponding to each sequence number from the RPC stream.
For example, the protection device obtains S1, S2+"r", S3+"w" from the RPC stream between client ClientA and the server.
Step 307: according to the order in which the UUIDs were recorded, the protection device obtains the sequence number corresponding to each recorded UUID and stores the correspondence between UUIDs and sequence numbers, as shown in Table 3.
Table 3
[Table 3 is an image in the original and is not reproduced in the text: the correspondence between recorded UUIDs and sequence numbers.]
Step 308: for each parsed sequence number, the protection device looks up the corresponding UUID in the stored correspondence, thereby obtaining all UUIDs related to the RPC process.
Optionally, the lookup can also yield the combinations of UUID and operator related to the RPC process.
For example, the lookup can yield each UUID related to the RPC process and each combination of UUID and operator: UUID2, UUID75+"r", UUID105+"w".
Step 309: the protection device queries the policy library and judges whether each UUID related to this RPC process conforms to the predetermined control policy, thereby detecting whether the client has performed malicious RPC behavior; if so, proceed to Step 310, otherwise proceed to Step 311.
Optionally, it also judges whether each combination of UUID and operator related to this RPC process conforms to the predetermined control policy.
The specific detection modes include but are not limited to the following two:
Mode one: if the policy library contains a normal control policy, which contains the UUIDs related to normal RPC behavior, then if the protection device judges that at least one UUID related to this RPC behavior does not conform to the normal control policy, it determines that the client has performed malicious RPC behavior.
The normal policy library is shown in Table 4.
Table 4
[Table 4 is an image in the original and is not reproduced in the text: the normal policy library, strategies 1 to 3.]
By querying the library, the protection device confirms that, among the UUIDs and UUID-operator combinations related to ClientA's RPC behavior, UUID2 conforms to strategy 1 and UUID75+"r" conforms to strategy 2, but UUID105+"w" does not conform to strategy 3, because strategy 3 stipulates that only read operations are allowed on the RPC service identified by UUID105, whereas ClientA attempts a write operation on that service. Because strategy 3 is not met, the protection device determines that ClientA has performed malicious RPC behavior.
Mode two:
If the policy library contains an abnormal control policy, which contains the UUIDs related to malicious RPC behavior, then if the protection device judges that at least one UUID related to this RPC process conforms to the abnormal control policy, it determines that the client has performed malicious RPC behavior.
The abnormal policy library is shown in Table 5.
Table 5
[Table 5 is an image in the original and is not reproduced in the text: the abnormal policy library, strategies 4 to 6.]
By querying the library, the protection device confirms that, among the UUIDs and UUID-operator combinations related to ClientA's RPC behavior, UUID2 conforms to strategy 4 and UUID75+"r" conforms to strategy 5, but UUID105+"w" does not conform to strategy 6, because that strategy stipulates that read operations are not allowed on the RPC service identified by UUID105, whereas the write operation ClientA attempts on that service is allowed. Because strategies 4 and 5 are met, the protection device determines that ClientA has performed malicious RPC behavior.
It should be noted that the specific detection mode is not limited to the above two and can be set flexibly. For example, the normal control policy can be applied to UUIDs in a first preset range, e.g. the UUIDs in the range 0 to 100 and the UUID-operator combinations in that range, and the abnormal control policy can be applied to UUIDs in a second preset range, e.g. the UUIDs in the range 101 to 200 and the UUID-operator combinations in that range.
Step 310: after detecting that the client has performed malicious RPC behavior, the protection device blocks the packets corresponding to the malicious RPC behavior.
Specifically, the protection device blocks the packets corresponding to the malicious RPC behavior. For example, when the protection device uses mode one for detection in Step 309, it blocks the packets with which ClientA attempts a write operation on the RPC service identified by UUID105. The protection device can of course also apply other control measures to the client according to a preconfigured blocking policy, for example blocking all packets in the client's TCP session connection as soon as the client is detected to have performed malicious RPC behavior, or adding the client's identifiers, such as user name and address, to a blacklist library, and so on.
Step 311: if the protection device detects that the client has not performed malicious RPC behavior, it allows the RPC stream to pass, and the server provides the remote RPC service to the client.
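As an added example, not code from the patent or its assignee, the following Python models the detection flow of Steps 10 to 40 and Steps 301 to 311 on constructed data: the query-port record (Table 1), removal of unsupported UUIDs (Table 2), the sequence-number mapping (Table 3), and the two policy modes of Step 309. It assumes the textual stand-in "S1 S2+r S3+w" for the parsed RPC stream, short labels such as UUID2 in place of real interface UUIDs, that sequence numbers follow the original query order with unsupported UUIDs screened out at lookup time, and that strategies 1 to 6 contain what the walk-through describes (Tables 4 and 5 are images not reproduced on the page).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A (UUID, operator) pair as produced by Step 308; operator None means the
# RPC stream carried only the sequence number (like "S1" in the walk-through).
Combo = Tuple[str, Optional[str]]


@dataclass
class QueryRecord:
    """Step 302 / Table 1: UUIDs one client asked the query port (135) about,
    in the order sent, so that the sequence numbers S1, S2, ... the client
    later uses in Step 401 can be resolved (Step 307 / Table 3)."""
    client: str
    uuids: List[str] = field(default_factory=list)
    unsupported: Set[str] = field(default_factory=set)

    def record(self, uuid: str) -> None:
        self.uuids.append(uuid)

    def mark_rejected(self, rejected: Set[str]) -> None:
        """Step 303: UUIDs the query response refused (provider rejection) get
        no high port, so they are screened out of the active record."""
        self.unsupported |= rejected

    def supported(self) -> List[str]:
        """Table 2: the record with unsupported UUIDs removed."""
        return [u for u in self.uuids if u not in self.unsupported]

    def seq_map(self) -> Dict[str, str]:
        """Table 3: sequence number -> UUID. Assumption: numbering follows the
        original query order; unsupported UUIDs are dropped at lookup time."""
        return {f"S{i}": u for i, u in enumerate(self.uuids, start=1)}


def parse_rpc_stream(stream: str) -> List[Tuple[str, Optional[str]]]:
    """Step 306: pull 'sequence number [+ operator]' tokens out of the RPC
    stream. The input is a constructed textual stand-in for the parsed
    payloads, e.g. 'S1 S2+r S3+w'."""
    calls = []
    for token in stream.split():
        seq, _, op = token.partition("+")
        calls.append((seq, op or None))
    return calls


def resolve_uuids(record: QueryRecord, calls) -> List[Combo]:
    """Step 308 plus the screening unit: map each sequence number back to its
    UUID (and operator), skipping unknown numbers and unsupported UUIDs."""
    seq_map = record.seq_map()
    combos: List[Combo] = []
    for seq, op in calls:
        uuid = seq_map.get(seq)
        if uuid is not None and uuid not in record.unsupported:
            combos.append((uuid, op))
    return combos


@dataclass(frozen=True)
class Policy:
    """One policy-library entry: a UUID and, optionally, the operators it
    covers (None = the UUID as such, whatever the operator)."""
    name: str
    uuid: str
    ops: Optional[frozenset] = None


def policy_matches(lib: List[Policy], combo: Combo) -> Optional[Policy]:
    """First entry covering the combo, or None. A combo without an operator is
    matched on UUID alone; with an operator, the operator must be covered."""
    uuid, op = combo
    for p in lib:
        if p.uuid == uuid and (op is None or p.ops is None or op in p.ops):
            return p
    return None


def check_mode_one(normal_lib: List[Policy], combos: List[Combo]) -> List[Combo]:
    """Mode one (allow-list): every combo must match the normal policy; the
    unmatched ones are violations, and any violation means malicious behaviour."""
    return [c for c in combos if policy_matches(normal_lib, c) is None]


def check_mode_two(abnormal_lib: List[Policy], combos: List[Combo]) -> List[Combo]:
    """Mode two (deny-list): any combo matching the abnormal policy is a hit,
    and any hit means malicious behaviour."""
    return [c for c in combos if policy_matches(abnormal_lib, c) is not None]


def run_example() -> dict:
    """Replays the ClientA walk-through with constructed data; the policy
    entries mirror the text's strategies 1 to 6 (exact contents assumed)."""
    rec = QueryRecord("ClientA")
    for u in ("UUID2", "UUID75", "UUID105", "UUID121", "UUID80"):
        rec.record(u)                                  # Step 302, Table 1
    rec.mark_rejected({"UUID121", "UUID80"})           # Step 303, Table 2
    combos = resolve_uuids(rec, parse_rpc_stream("S1 S2+r S3+w"))  # Steps 306-308
    normal = [Policy("strategy 1", "UUID2"),                       # UUID2 allowed as such
              Policy("strategy 2", "UUID75", frozenset("r")),
              Policy("strategy 3", "UUID105", frozenset("r"))]    # read only
    abnormal = [Policy("strategy 4", "UUID2"),                     # binding UUID2 is malicious
                Policy("strategy 5", "UUID75", frozenset("r")),
                Policy("strategy 6", "UUID105", frozenset("r"))]  # read forbidden, write allowed
    return {"table2": rec.supported(), "combos": combos,
            "mode_one_violations": check_mode_one(normal, combos),
            "mode_two_hits": check_mode_two(abnormal, combos)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

With both modes the verdict for ClientA is "malicious", but for different reasons: mode one reports the UUID105 write as the violation to block, while mode two reports the UUID2 and UUID75 hits.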
In the method for detecting malicious RPC behavior provided by embodiments of the invention, the protection device located between the client and the server parses the packets in the TCP session connection passing through it, obtains the RPC stream of the RPC process between the client and the server, and from it obtains all UUIDs bound by the client in the RPC process; the legitimacy of each of them is checked against the policies in the policy library, and only when all UUIDs conform to the normal control policy, or no UUID conforms to the abnormal control policy, is the client's RPC behavior confirmed as normal; otherwise the client is confirmed to have performed malicious RPC behavior. This eliminates the possibility of a client evading IPS detection by binding multiple UUIDs, improves the effectiveness of the IPS in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
Correspondingly, embodiments of the invention also provide a device for detecting malicious RPC behavior, which can be integrated in a protection device such as an IPS or firewall. As shown in Fig. 5, the device comprises a recording module 501, a parsing module 502, an acquisition module 503 and a detection module 504, as follows:
the recording module 501 is used to record the UUIDs of all RPC services requested by a client when the client queries the server for the high port corresponding to an RPC service;
the parsing module 502 is used to parse, during the RPC process, the data packets transmitted in the session connection between the client and the server, and to obtain the RPC stream carried on the session connection;
the acquisition module 503 is used to obtain all UUIDs related to the RPC process according to the UUIDs recorded by the recording module 501 and the RPC stream obtained by the parsing module 502;
the detection module 504 is used to judge whether each of the UUIDs obtained by the acquisition module 503 conforms to a predetermined control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Optionally, the detection device further comprises:
a blocking module 505, used to block the packets corresponding to the malicious RPC behavior after the detection module 504 confirms that the client has performed malicious RPC behavior.
Optionally, as shown in Fig. 6, the detection device further comprises:
a storage module 506, used to obtain, according to the order in which the recording module 501 recorded the UUIDs, the sequence number corresponding to each recorded UUID, and to store the correspondence between UUIDs and sequence numbers;
Correspondingly, the acquisition module 503 comprises:
a parsing unit 601, used to parse the sequence number of each RPC service carried in the RPC stream;
an acquisition unit 602, used to look up, for each parsed sequence number, the corresponding UUID in the correspondence stored by the storage module 506, thereby obtaining all UUIDs related to the RPC process.
Optionally, the detection module 504 comprises:
a screening unit 603, used to screen all UUIDs related to the RPC behavior obtained by the acquisition module 503, removing the UUIDs of RPC services the server does not support;
a detection unit 604, used to judge, by querying the policy library, whether each UUID retained by the screening unit 603 conforms to the predetermined control policy.
Optionally, the parsing unit 601 in Fig. 6 is also used to parse from the RPC stream the combination of sequence number and operator of each RPC service carried in it;
the acquisition unit 602 is also used to look up, for each combination of sequence number and operator parsed by the parsing unit 601, the corresponding UUID in the correspondence according to the sequence number, thereby obtaining all combinations of UUID and operator related to the RPC process.
Correspondingly, the screening unit 603 is also used to screen each combination of UUID and operator obtained by the acquisition unit, removing the combinations whose UUID identifies an RPC service the server does not support;
the detection unit 604 is also used to judge, by querying the policy library, whether each combination of UUID and operator retained by the screening unit 603 conforms to the predetermined control policy.
Those of ordinary skill in the art will understand that all or part of the steps of the method in the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, an optical disc, and so on.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalents, the invention is also intended to include them.

Claims (13)

1. A method for detecting malicious remote procedure call (RPC) behavior, comprising: when a client queries a server for the high-order port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client; during the RPC process, parsing the data packets transmitted over the session connection between the client and the server to obtain the RPC stream carried on that session connection; obtaining, from the recorded UUIDs and the RPC stream, all UUIDs related to the RPC process; and judging whether each of the obtained UUIDs conforms to a predetermined control policy in a policy library, thereby detecting whether the client has executed malicious RPC behavior.
2. The method according to claim 1, wherein, before obtaining the RPC stream carried on the data packets, the method further comprises: obtaining, from the order in which the UUIDs were recorded, a sequence number corresponding to each recorded UUID, and storing the correspondence between UUIDs and sequence numbers; and wherein obtaining all UUIDs related to the RPC process from the recorded UUIDs and the RPC stream comprises: parsing, from the RPC stream, the sequence number of each RPC service carried in it; and, for each parsed sequence number, looking up the corresponding UUID in the stored correspondence, thereby obtaining all UUIDs related to the RPC process.
3. The method according to claim 1, wherein judging whether each of the obtained UUIDs conforms to a predetermined control policy in the policy library comprises: screening all obtained UUIDs related to the RPC process and removing the UUIDs of RPC services that the server does not support; and querying the policy library to judge whether each UUID retained by the screening conforms to the predetermined control policy.
4. The method according to any one of claims 1 to 3, wherein the policy library comprises a normal control policy or an abnormal control policy, the normal control policy containing UUIDs related to normal RPC behavior and the abnormal control policy containing UUIDs related to malicious RPC behavior; and wherein judging whether each UUID conforms to a predetermined control policy in the policy library, thereby detecting whether the client has executed malicious RPC behavior, comprises: judging whether each UUID conforms to the normal control policy in the policy library and, if it does not conform to the normal control policy, determining that the client has executed malicious RPC behavior; or/and judging whether each UUID conforms to the abnormal control policy in the policy library and, if it conforms to the malicious control policy, determining that the client has executed malicious RPC behavior.
5. The method according to claim 2, wherein, after obtaining all UUIDs related to the RPC behavior from the recorded UUIDs and the RPC stream, the method further comprises: parsing, from the RPC stream, the combination of sequence number and operator of each RPC service carried in it; and, for each such combination, looking up the UUID corresponding to its sequence number in the stored correspondence, thereby obtaining all combinations of UUID and operator related to the RPC process.
6. The method according to claim 5, wherein determining, by querying the policy library, whether each UUID conforms to the predetermined control policy comprises: screening each obtained UUID and each obtained combination of UUID and operator, removing the UUIDs of RPC services that the server does not support and the UUID-and-operator combinations of unsupported RPC services; and querying the policy library to judge whether each UUID and each combination of UUID and operator retained by the screening conforms to the predetermined control policy.
7. The method according to any one of claims 1, 2, 3, 5 or 6, further comprising, after detecting that the client has executed malicious RPC behavior: blocking the data packets corresponding to the malicious RPC behavior.
8. A device for detecting malicious RPC behavior, comprising: a recording module, configured to record the UUIDs of all RPC services requested by a client when the client queries a server for the high-order port corresponding to an RPC service; a parsing module, configured to parse, during the RPC process, the data packets transmitted over the session connection between the client and the server and to obtain the RPC stream carried on that session connection; an acquisition module, configured to obtain all UUIDs related to the RPC process from the UUIDs recorded by the recording module and the RPC stream obtained by the parsing module; and a detection module, configured to judge whether each UUID obtained by the acquisition module conforms to a predetermined control policy in a policy library, thereby detecting whether the client has executed malicious RPC behavior.
9. The device according to claim 8, further comprising: a storage module, configured to obtain, from the order in which the recording module recorded the UUIDs, a sequence number corresponding to each recorded UUID, and to store the correspondence between UUIDs and sequence numbers; wherein the acquisition module comprises: a parsing unit, configured to parse, from the RPC stream, the sequence number of each RPC service carried in it; and an obtaining unit, configured to look up, for each parsed sequence number, the corresponding UUID in the correspondence stored by the storage unit, thereby obtaining all UUIDs related to the RPC process.
10. The device according to claim 8 or 9, wherein the detection module comprises: a screening unit, configured to screen all UUIDs related to the RPC process obtained by the acquisition module and to remove the UUIDs of RPC services that the server does not support; and a detection unit, configured to query the policy library to judge whether each UUID retained by the screening unit conforms to the predetermined control policy.
11. The device according to claim 9, wherein: the parsing unit is further configured to parse, from the RPC stream, the combination of sequence number and operator of each RPC service carried in it; and the obtaining unit is further configured to look up, for each combination of sequence number and operator parsed by the parsing unit, the UUID corresponding to its sequence number in the correspondence, thereby obtaining all combinations of UUID and operator related to the RPC process.
12. The device according to claim 11, wherein: the screening unit is further configured to screen each combination of UUID and operator obtained by the obtaining module and to remove the UUID-and-operator combinations of RPC services that the server does not support; and the detection unit is further configured to query the policy library to judge whether each combination of UUID and operator retained by the screening unit conforms to the predetermined control policy.
13. The device according to any one of claims 8 to 12, further comprising: a blocking module, configured to block the data packets corresponding to the malicious RPC behavior after the detection module determines that the client has executed the malicious RPC behavior.
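As an added worked example (written for this page, not code from the patent or its assignee), the following Python sketch implements the procedure of claims 1 to 7 and the unit structure of the description above: record the UUIDs requested during the port query and assign them sequence numbers, parse (sequence number, operator) pairs from the session's RPC stream, map them back to UUIDs, screen out services the server does not support, and check what remains against a normal (allow) policy and/or an abnormal (deny) policy, returning the calls to block. The record layout of the RPC stream, the placeholder UUIDs and the sample session are constructed for the example; `inspect_session`, `check_policy` and the other function names are assumptions, and a real deployment would replace `parse_rpc_stream` with a parser for the actual DCE/RPC PDU format.

```python
"""Added example: UUID/operator policy check for one RPC session.

Illustrative code written for this page, not the patent's own implementation.
The RPC stream record layout and the UUIDs are constructed for the example;
neither is the real DCE/RPC PDU layout or a real interface identifier.
"""
import struct

# Constructed placeholder interface UUIDs (not real interface identifiers).
SVC_A = "11111111-1111-1111-1111-111111111111"
SVC_B = "22222222-2222-2222-2222-222222222222"
SVC_C = "33333333-3333-3333-3333-333333333333"

# Constructed record layout for the parsed RPC stream: each call is one
# big-endian (sequence number, operator) pair. Assumption for this example only.
CALL_FMT = ">HH"
CALL_SIZE = struct.calcsize(CALL_FMT)


def record_uuids(requested):
    """Claims 1 and 2: record the UUIDs the client asked the server about, in
    order, and return the sequence-number -> UUID correspondence."""
    return dict(enumerate(requested))


def parse_rpc_stream(stream):
    """Claims 2 and 5: parse the (sequence number, operator) pair carried by
    each call in the session's RPC stream; reject a truncated stream."""
    if len(stream) % CALL_SIZE:
        raise ValueError("truncated RPC stream")
    return [struct.unpack_from(CALL_FMT, stream, off)
            for off in range(0, len(stream), CALL_SIZE)]


def resolve_calls(calls, uuid_by_seq):
    """Map each parsed sequence number back to its recorded UUID. A sequence
    number that was never recorded resolves to None so it cannot be mistaken
    for a known service."""
    return [(uuid_by_seq.get(seq), op) for seq, op in calls]


def screen(resolved, supported):
    """Claims 3 and 6: keep only calls to services the server supports, which
    also drops calls whose sequence number resolved to None."""
    return [(uuid, op) for uuid, op in resolved if uuid in supported]


def check_policy(screened, normal=None, abnormal=None):
    """Claim 4: flag a (UUID, operator) call when it falls outside the normal
    policy (if one is given) or inside the abnormal policy (if one is given).
    A policy maps UUID -> set of operators; None as the set means any operator."""
    hits = []
    for uuid, op in screened:
        if normal is not None:
            allowed = normal.get(uuid, set())   # unknown UUID: nothing allowed
            if allowed is not None and op not in allowed:
                hits.append((uuid, op, "outside normal policy"))
                continue
        if abnormal is not None and uuid in abnormal:
            denied = abnormal[uuid]
            if denied is None or op in denied:
                hits.append((uuid, op, "matches abnormal policy"))
    return hits


def inspect_session(requested, stream, supported, normal=None, abnormal=None):
    """Run the whole check for one client/server session and return the
    verdict together with the (UUID, operator) calls to block (claim 7)."""
    uuid_by_seq = record_uuids(requested)
    calls = parse_rpc_stream(stream)
    screened = screen(resolve_calls(calls, uuid_by_seq), supported)
    hits = check_policy(screened, normal, abnormal)
    return {
        "malicious": bool(hits),
        "hits": hits,
        "block": sorted({(uuid, op) for uuid, op, _ in hits}),
    }


def demo():
    """Constructed session: the client enumerated three services, the server
    supports only two of them, and one call uses an unrecorded sequence number."""
    requested = [SVC_A, SVC_B, SVC_C]
    stream = b"".join(struct.pack(CALL_FMT, seq, op)
                      for seq, op in [(0, 5), (1, 2), (2, 9), (7, 1)])
    return inspect_session(
        requested, stream, supported={SVC_A, SVC_B},
        normal={SVC_A: {5, 6}, SVC_B: None},   # SVC_A: operators 5 and 6; SVC_B: any
        abnormal={SVC_B: {2}},                  # SVC_B operator 2 is known-bad
    )


if __name__ == "__main__":
    print(demo())
```

In the constructed session only the call to SVC_B with operator 2 is reported: the call to SVC_C is dropped by the screening step because the server does not support that service, and the call with the unrecorded sequence number 7 resolves to no UUID and is dropped the same way. A deployment that also wants to alert on calls whose sequence number was never seen in the port query can treat a None UUID as a hit inside `check_policy` instead of discarding it.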
CN201110449688.8A 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors Expired - Fee Related CN102438023B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110449688.8A CN102438023B (en) 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors

Publications (2)

Publication Number Publication Date
CN102438023A true CN102438023A (en) 2012-05-02
CN102438023B CN102438023B (en) 2014-08-20

Family

ID=45985895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110449688.8A Expired - Fee Related CN102438023B (en) 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors

Country Status (1)

Country Link
CN (1) CN102438023B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070033597A1 (en) * 2001-09-29 2007-02-08 Anil Mukundan Method, apparatus, and system for implementing notifications in a framework to suppot web-based applications
US7257818B2 (en) * 2002-08-29 2007-08-14 Sap Aktiengesellschaft Rapid application integration using functional atoms
CN101039324A (en) * 2007-03-12 2007-09-19 华为技术有限公司 Method, system and apparatus for defending network virus
CN101116068A (en) * 2004-10-28 2008-01-30 思科技术公司 Intrusion Detection in Data Center Environments

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036895A (en) * 2012-12-20 2013-04-10 北京奇虎科技有限公司 Method and system for state tracking
CN103036895B (en) * 2012-12-20 2015-11-11 北京奇虎科技有限公司 A kind of status tracking method and system
US11409871B1 (en) * 2019-03-22 2022-08-09 Ca, Inc. Universal tracing of side-channel processes in computing environments
CN112738123A (en) * 2021-01-05 2021-04-30 成都安思科技有限公司 Method and device for detecting malicious remote process tracing calling behavior
CN112929365A (en) * 2021-02-05 2021-06-08 深信服科技股份有限公司 Remote command detection method and device and electronic equipment
CN114218564A (en) * 2021-11-17 2022-03-22 奇安信科技集团股份有限公司 A fileless attack detection method and device

Also Published As

Publication number Publication date
CN102438023B (en) 2014-08-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221009

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611731 Hi Tech University of Electronic Science and Technology, No. 88, Tianchen Road, Qingshuihe District, Western Park, Hi Tech Zone, Chengdu, Sichuan

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140820