CN103679015A - Attacking control method for protecting kernel system - Google Patents
- Publication number: CN103679015A (application CN201210322679.7A)
- Authority: CN (China)
- Prior art keywords: kernel, control, engine, attack, attacking
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses an attack control method for protecting a kernel system. The method comprises: step 101, an active trapping system is set up in the pre-defence of a network defence system, the attack control engine of the trapping system is arranged in the kernel system, and an attack detection engine, an analysis engine and a control engine are set up in the kernel of the computer's operating system to detect and control behaviour information; step 102, information from step 101 is obtained through the attack control engine arranged in the kernel system, and the attack control engine prevents files in the kernel from being maliciously attacked and replaced, prevents the malicious behaviour from running and from using its functions, and finally unloads the malicious behaviour from the kernel system; step 103, the process ends. With this attack control method, whether a behaviour is a control behaviour can be judged, and malicious control behaviour can be blocked in time through fine-grained scanning and killing such as boot system file protection checks, loaded system file protection checks, driver module protection checks and hardware support module protection checks, ensuring the security and trustworthiness of the kernel system.
Description
Technical field
The present invention relates to an attack control method for protecting a kernel system, used to control an attacker's controlled malicious behaviour toward core positions of the kernel system, so that the trapping (honeypot) computer does not become a springboard for attacking other real servers inside the network.
Background technology
Nowadays, with the widespread use of network technology, hacker attacks emerge endlessly, and network security has become a focus of current research and of social concern. Existing network security technologies, which take the firewall and the intrusion detection system (IDS) as their core defensive techniques, usually lag behind the various attack technologies. Honeypot technology, as a new network security technology, has gradually attracted attention. It takes a proactive approach: by its distinctive features it attracts attackers, and at the same time it analyses the attacker's various attack behaviours in order to find effective countermeasures.
A traditional honeypot system adopts Data Control technology: every connection entering the honeypot system is recorded, and the honeypot allows all of them to enter; outgoing connections are appropriately limited, or the destination addresses of the outgoing packets are rewritten so that they are redirected to a designated host. For the data itself this only plays a recording role and has no recognition capability, so the honeypot easily becomes a springboard machine, which in turn causes other real servers inside the network to be attacked. The non-signature-based unknown attacks now appearing pose a serious threat to existing Data Control technology. An unknown attack is an unknown threat: a type of activity that has not yet been discovered, has unknown characteristics and at the same time poses a potential threat to the information system. An unknown threat may be caused by an unknown virus, Trojan horse or hacker, or may be an illegal abuse of resources.
Although honeypot technology, in cooperation with security measures such as network firewalls and intrusion detection systems, can make up for the deficiencies of the original passive security defence, it still has shortcomings that cannot be overcome: traditional Data Control technology only records or modifies the data entering the honeypot system and has no recognition capability for the data itself, which greatly reduces the security of protecting the core system.
Summary of the invention
To address the above problems, the invention provides an attack control method for protecting a kernel system. It can control the attacker's controlled malicious behaviour toward core positions of the kernel system and ensure that the kernel system is secure and trustworthy, whether against known signature-based attacks or against unknown attacks that pose a potential threat.
To achieve the above technical purpose and technical effect, the present invention is realised through the following technical solution:
An attack control method for protecting a kernel system comprises the following steps:
Step 101: an active trapping system is set up in the pre-defence of the network defence system; the trapping system deploys an attack control engine in the kernel system; an attack detection engine, an analysis engine and a control engine are established in the operating-system kernel of the computer to detect and control behaviour information;
Step 102: the attack control engine deployed in the kernel system obtains the information from step 101 and proceeds to the next step; the attack control engine prevents a malicious attack from replacing files in the kernel, prevents the malicious behaviour from running and from using its functions, and finally unloads the malicious behaviour from the kernel system;
Step 103: end.
Further, some of the malicious behaviours defended against comprise: process creation, thread creation, file operations, stack operations and thread injection.
Further, the attack control engine controls the attacker's controlled malicious behaviour toward core positions of the system; according to the judged danger level of the behaviour, it ensures that the trapping system is not controlled by the attacker and that the trapping computer does not become a springboard for attacking other real servers inside the network.
The beneficial effects of the invention are as follows:
The attack control engine established in the kernel system by the present invention can judge whether a behaviour is a control behaviour; at the same time, through fine-grained scanning and killing such as boot system file protection checks, loaded system file protection checks, driver module protection checks and hardware support module protection checks, it blocks malicious control behaviour in time and ensures that the kernel system is secure and trustworthy.
Brief description of the drawings
Fig. 1 is the flow chart of an embodiment of the present invention;
Fig. 2 is the composition diagram of the embodiment of the present invention based on Fig. 1.
Embodiment
The embodiment of the present invention provides an attack control method for protecting a kernel system, to solve the problem that existing traditional Data Control technology only records or modifies the data entering the honeypot system and has no recognition capability for the data itself. The present invention is mainly used in pre-defence systems, servers and active network trapping systems to carry out active, efficient, system-level security protection.
To make the object, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
By means of the attack control engine deployed in the kernel system, the present invention prevents kernel files from being replaced by an attack, prevents the attack from running so that it loses the use of its functions, and finally unloads it from the kernel system. Some of the malicious behaviours defended against comprise: process creation, thread creation, file operations, stack operations and thread injection. The attack control engine controls the attacker's controlled malicious behaviour toward core positions of the system; according to the judged danger level of the behaviour, it ensures that the trapping system is not controlled by the attacker and that the trapping computer does not become a springboard for attacking other real servers inside the network.
The flow chart of Fig. 1 is explained as follows.
Step 101: an active trapping system is set up in the pre-defence of the network defence system; the trapping system deploys an attack control engine in the kernel system; an attack detection engine, an analysis engine and a control engine are established in the operating-system kernel of the computer to detect and control behaviour information;
Step 102: the attack control engine deployed in the kernel system obtains the information from step 101 and proceeds to the next step; the attack control engine prevents a malicious attack from replacing files in the kernel, prevents the malicious behaviour from running and from using its functions, and finally unloads the malicious behaviour from the kernel system;
Step 103: end.
As described by the flow of the above embodiment, the attack control engine deployed in the kernel system prevents a malicious attack from replacing files in the kernel, prevents the malicious behaviour from running and from using its functions, and finally unloads the malicious behaviour from the kernel system. Preventing and unloading does not damage system files: the abnormal behaviour is detected before the malicious behaviour takes place, so damage to the kernel system is prevented and the kernel system is kept secure and trustworthy. The present invention adopts the attack control method and provides an attack control engine that protects the kernel system.
The composition diagram of Fig. 2 is explained as follows.
Step 101: intercept an attack coming from the network;
Step 102: judge whether the attack coming from the network is a control behaviour;
Step 103: if the judgment result is YES, proceed to step 105 and block the control behaviour from entering the kernel system;
Step 104: if the judgment result is NO, let it pass;
Step 105: block the control behaviour from entering the kernel system.
The attack control engine is an engine deployed in the kernel system; according to the judged danger level of a behaviour, it controls the attacker's controlled malicious behaviour toward core positions of the system. Attack control technology ensures that the trapping system is not controlled by the attacker, and is the key technology that keeps the trapping computer from becoming a springboard for attacking other real servers inside the network. The controlling computer can control the attack target through the kernel system.
The active trapping method and system based on behavioural analysis provided by the above embodiment of the present invention have been described in detail; the description of the above embodiment is only intended to help understand the method of the present invention and its idea. At the same time, for one of ordinary skill in the art, changes will be made in the specific embodiments and the scope of application according to the idea of the present invention. In summary, this description should not be understood as limiting the present invention.
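As an added illustration (not code from the patent), the following Python model ties together the Fig. 2 decision flow (intercept, judge whether the behaviour is a control behaviour, block or let pass) and the file protection checks named under the beneficial effects. The danger scoring, the event fields, the SHA-256 baseline comparison and all sample data are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Behaviour classes the patent lists as defended against (claim 2).
DEFENDED = {"process_create", "thread_create", "file_op", "stack_op", "thread_inject"}

# Protected kernel file classes named in the "beneficial effects" section.
PROTECTED = {"boot_system_file", "loaded_system_file", "driver_module", "hardware_support_module"}


@dataclass
class Event:
    behaviour: str   # one of DEFENDED, or anything else (treated as benign)
    target: str      # object acted on: a protected file class or a process name
    writes: bool = False


def danger_level(ev: Event) -> int:
    """Assumed scoring (not from the patent): 0 benign, 1 suspicious, 2 control behaviour."""
    if ev.behaviour not in DEFENDED:
        return 0
    if ev.behaviour in ("thread_inject", "stack_op"):
        return 2                      # code injection / stack tampering: control behaviour
    if ev.behaviour == "file_op" and ev.writes and ev.target in PROTECTED:
        return 2                      # attempt to replace a protected kernel file
    return 1                          # ordinary process/thread/file activity


def judge(ev: Event) -> str:
    """Fig. 2 flow: if the intercepted behaviour is a control behaviour, block it; else let it pass."""
    return "block" if danger_level(ev) >= 2 else "pass"


def run_engine(events: List[Event]) -> List[Tuple[str, str, str]]:
    return [(ev.behaviour, ev.target, judge(ev)) for ev in events]


def file_protection_check(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Protection check for boot/loaded system files, driver and hardware support modules:
    report files whose SHA-256 no longer matches the baseline, i.e. files that were replaced."""
    return sorted(name for name, data in current.items()
                  if name in baseline and hashlib.sha256(data).hexdigest() != baseline[name])


# Constructed sample data: a baseline of known-good file contents and a run in
# which the driver module has been replaced (hypothetical names and contents).
GOOD = {n: (n + ":original").encode() for n in PROTECTED}
BASELINE = {n: hashlib.sha256(d).hexdigest() for n, d in GOOD.items()}
CURRENT = dict(GOOD, driver_module=b"driver_module:replaced")

SAMPLE_EVENTS = [
    Event("process_create", "shell"),
    Event("file_op", "loaded_system_file", writes=False),
    Event("file_op", "driver_module", writes=True),
    Event("thread_inject", "worker"),
    Event("stack_op", "service"),
]

if __name__ == "__main__":
    for row in run_engine(SAMPLE_EVENTS):
        print(row)
    print("replaced:", file_protection_check(BASELINE, CURRENT))
```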
Claims (3)
1. An attack control method for protecting a kernel system, characterised in that it comprises the following steps:
Step 101: an active trapping system is set up in the pre-defence of the network defence system; the trapping system deploys an attack control engine in the kernel system; an attack detection engine, an analysis engine and a control engine are established in the operating-system kernel of the computer to detect and control behaviour information;
Step 102: the attack control engine deployed in the kernel system obtains the information from step 101 and proceeds to the next step; the attack control engine prevents a malicious attack from replacing files in the kernel, prevents the malicious behaviour from running and from using its functions, and finally unloads the malicious behaviour from the kernel system;
Step 103: end.
2. The attack control method for protecting a kernel system according to claim 1, characterised in that some of the malicious behaviours defended against comprise: process creation, thread creation, file operations, stack operations and thread injection.
3. The attack control method for protecting a kernel system according to claim 1, characterised in that the attack control engine controls the attacker's controlled malicious behaviour toward core positions of the system; according to the judged danger level of the behaviour, it ensures that the trapping system is not controlled by the attacker and that the trapping computer does not become a springboard for attacking other real servers inside the network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210322679.7A CN103679015A (en) | 2012-09-04 | 2012-09-04 | Attacking control method for protecting kernel system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210322679.7A CN103679015A (en) | 2012-09-04 | 2012-09-04 | Attacking control method for protecting kernel system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103679015A true CN103679015A (en) | 2014-03-26 |
Family
ID=50316526
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210322679.7A Pending CN103679015A (en) | 2012-09-04 | 2012-09-04 | Attacking control method for protecting kernel system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103679015A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108959951A (en) * | 2017-05-19 | 2018-12-07 | 北京瑞星网安技术股份有限公司 | Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection |
CN111158937A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Software core file endogenous protection method and device based on kernel drive |
CN113127873A (en) * | 2021-04-26 | 2021-07-16 | 中国邮政储蓄银行股份有限公司 | Credible measurement system of fortress machine and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5842002A (en) * | 1994-06-01 | 1998-11-24 | Quantum Leap Innovations, Inc. | Computer virus trap |
CN1761939A (en) * | 2003-03-17 | 2006-04-19 | 精工爱普生株式会社 | Method and system for preventing virus infection |
CN101321171A (en) * | 2008-07-04 | 2008-12-10 | 北京锐安科技有限公司 | Method and apparatus for detecting distributed refusal service attack |
CN102457495A (en) * | 2010-10-21 | 2012-05-16 | 中华电信股份有限公司 | Method and system for defending network virus |
Timeline
- 2012-09-04: CN CN201210322679.7A patent/CN103679015A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140326 |