Nothing Special   »   [go: up one dir, main page]

CN104811453A - Active defense method and device - Google Patents

Active defense method and device Download PDF

Info

Publication number
CN104811453A
CN104811453A CN201510221827.XA CN201510221827A CN104811453A CN 104811453 A CN104811453 A CN 104811453A CN 201510221827 A CN201510221827 A CN 201510221827A CN 104811453 A CN104811453 A CN 104811453A
Authority
CN
China
Prior art keywords
file
source file
path
danger classes
described source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510221827.XA
Other languages
Chinese (zh)
Other versions
CN104811453B (en
Inventor
闫继平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201510221827.XA priority Critical patent/CN104811453B/en
Publication of CN104811453A publication Critical patent/CN104811453A/en
Application granted granted Critical
Publication of CN104811453B publication Critical patent/CN104811453B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an active defense method and device. The method includes tracking the remote calling protocol RPC calling produced by a preset interface; when the progress of user permission emits a system service progress calling request through the preset interface, intercepting the request, extracting the path of source files from the request, and establishing the relevance between the source files and the called system service progress; if the operational action triggers the HIPS (host intrusion prevention system) rules and the called system service progress is traced according to the progress chain, determining the path of the source files to be the source of the operational action; according to the dangerous level of the source files, executing the host intrusion prevention. Thus, the misjudge rate can be decreased.

Description

Active defense method and device
Technical field
The present invention relates to computer security technique field, particularly relate to active defense method and device.
Background technology
Rogue program is a recapitulative term, refers to that any intentional establishment is used for performing without permission and the software program of normally harmful act.Computer virus, backdoor programs, Key Logger, password steal taker, Word and excel macro virus, leading viruses, script virus (batch, windows shell, java etc.), wooden horse, crime software, spyware and ad ware etc., be all that some can be referred to as the example of rogue program.
Anti-the killing of traditional rogue program depends on feature database pattern.The condition code of the rogue program sample that feature database is collected by manufacturer forms, and condition code is then that analysis project is an apprentice of in rogue program the difference found with proprietary software, intercepts the program code that a section is similar to " search keyword ".When in killing process, engine meeting file reading also mates with all condition codes " keyword " in feature database, if find that file routine code is hit, just can judge that this file routine is as rogue program.
Feature database coupling is the effectively technology of killing known malicious program.But global rogue program quantity is that geometry level increases now, based on the speedup of this explosion type, the generation of feature database is delayed often with renewal, and many times antivirus software cannot be prevented killing the unknown rogue program emerged in an endless stream.
HIPS (Host-based Intrusion Prevention System; Host Based intrusion prevention system) be a kind of by the common dangerous play in intercepting system; not using condition code as the foundation judging rogue program; but from the most original definition; directly using the behavior of program as the foundation judging rogue program; wherein derive in local use characteristic storehouse, behavior that the mode of behavior asset pricing and the heuristic virus killing in this locality that arranges in this locality differentiates, tackles rogue program, thus reach the object of protection user computer to a certain extent.By oneself understanding to software and system, artificial or some trigger condition systems+only some abnormal actions that software is built-in, to reach software systems of system safety, this trigger condition is commonly referred to as HIPS rule.
But, when using HIPS rule to carry out Initiative Defense in the prior art, often there is the phenomenon of wrong report.Therefore, the technical problem solved in the urgent need to those skilled in the art is just, how when using HIPS rule to carry out Initiative Defense, reduces the probability of wrong report.
Summary of the invention
The invention provides active defense method and device, the probability of erroneous judgement can be reduced.
The invention provides following scheme:
The embodiment of the present invention provides a kind of active defense method, comprising:
The remote procedure call protocol RPC produced preset interface calls and follows the tracks of;
When the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
If having operation behavior to trigger Host Based intrusion prevention system HIPS rule and trace back to according to chain of processes the process initiating described operation behavior is invoked system service process, then the path of described source file is defined as the source of described operation behavior;
According to the danger classes of described source file, perform the process of main frame intrusion prevention.
Alternatively, described source file comprises MSI installation kit file, and the described RPC to preset interface calls and carries out tracking and comprise:
The RPC of docking port IMSIServer::DoInstal lRemote calls and follows the tracks of, to obtain described MSI installation kit file storing path in systems in which.
Alternatively, described source file comprises the dynamic link library (DLL) file in MSI installation kit file, and the described RPC to preset interface calls and carries out tracking and comprise:
The RPC of docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, to obtain the DLL path of the dll file in described MSI installation kit file.
Alternatively, the described danger classes according to described source file, performs the process of main frame intrusion prevention and comprises:
Determine the danger classes of source file;
According to the danger classes of described source file, interception is performed to described operation behavior.
Alternatively, the described danger classes according to described source file, performs the process of main frame intrusion prevention and comprises:
According to the danger classes of described source file, carry out indicating risk to user, and the information of described source file is prompted to user.
The embodiment of the present invention provides a kind of Initiative Defense device, comprising:
Tracking cell, the remote procedure call protocol RPC for producing preset interface calls and follows the tracks of;
Interception unit, for when initiating the request of calling system service processes when the process of user right by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
Source determining unit, if for there being operation behavior trigger Host Based intrusion prevention system HIPS rule and trace back to described invoked system service process according to chain of processes, be then defined as the source of described operation behavior by the path of described source file;
Processing unit, for the danger classes according to described source file, performs the process of main frame intrusion prevention.
Alternatively, described source file comprises MSI installation kit file, and described tracking cell comprises:
First follows the tracks of subelement, and the RPC for docking port IMSIServer::DoInstallRemote calls and follows the tracks of, to obtain described MSI installation kit file storing path in systems in which.
Alternatively, described source file comprises the dynamic link library (DLL) file in MSI installation kit file, and described tracking cell comprises:
Second follows the tracks of subelement, and the RPC for docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, to obtain the DLL path of the dll file in described MSI installation kit file.
Alternatively, described processing unit comprises:
Operation intercepting subelement, for the danger classes according to described source file, performs interception to described operation behavior.
Alternatively, described processing unit comprises:
Indicating risk subelement, for the danger classes according to described source file, carries out indicating risk to user, and the information of described source file is prompted to user.
According to specific embodiment provided by the invention, the invention discloses following technique effect:
Pass through the present invention, after user's startup optimization file, can be transferred to by the process of under user right in another process under system service authority and go to perform, cause the situation of chain of processes chain rupture, can will set up associating between source file with invoked system service authority process, thus when certain operation behavior triggers HIPS rule, the real source of operation behavior can be traced back to, and then the judgement of danger classes is carried out by the file located real source, determine whether that needs carry out tackling or ejecting prompting, the probability of erroneous judgement can be reduced like this.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is HIPS system schematic;
Fig. 2 is the flow chart of the method that the embodiment of the present invention provides;
Fig. 3 is the schematic diagram of the device that the embodiment of the present invention provides;
Fig. 4 is the schematic diagram of the system that the embodiment of the present invention provides;
Fig. 5 is the schematic diagram of another system that the embodiment of the present invention provides.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, the every other embodiment that those of ordinary skill in the art obtain, all belongs to the scope of protection of the invention.
For the ease of understanding the present invention, first the related content of HIPS is simply introduced.See Fig. 1, modal HIPS is the software by regular hook procedure action of " 3D " class.So-called 3D comprises AD (Application Defend; application program defense system), RD (Registry Defend; registration table defense system), FD (File Defend; file defense system); these three HIPS are on the defensive adopted action the most intuitively, by tackling the safety playing protection system of these actions intuitively.Wherein, the effect of AD is the key operation that physical memory, operation bottom disk, keyboard record etc. were run, loaded, access to monitoring program; The effect of FD is exactly supervisory control system to the reading of any file, amendment, establishment, deletion action; The effect of RD is the operation of monitoring to registration table.
Such as: computer of supposing that there are viruses, then:
First virus can set up viral entities on hard disk, at this time will trigger " establishment " rule of FD;
Then read virion, FD " reading " rule can be triggered;
Then run virion again, every rule of AD can be triggered;
If infection type is viral, in running, also can revise the file of hard disk, such as, infect exe file, now, FD " amendment " rule can be triggered; If damage type is viral, also can deletes the file of hard disk in running, such as, delete the files such as exe, gho, now, FD " deletion " rule can be triggered;
Next, virus usually meeting edit the registry reaches the object of self-starting or destruction, now can trigger RD rule.
Each triggering rule, HIPS will search inside rule base, if had the rule to this operation inside rule base, just regularly processes; If no, will user be inquired.If have operation behavior to be blocked in above-mentioned testing process, even if so this is one and has question file, can not work the mischief to system.
When certain behavior triggers HIPS rule, HIPS needs to find the process performing the behavior, according to the safe class of the process of the execution behavior, determines whether to need interception or prompting.But some rogue programs, in order to better hide oneself, may start another process B by its process A, perform concrete malicious act by process B, even also may have more multistage process transfer, just finally perform a malicious act.Now, if only get the current process performing the behavior, then judge whether to need interception to be then inaccurate according to current process.Therefore, just need the chain of processes finding the process place performing the behavior, trace to source, find the real source of behavior, such as, the process A in previous example, if the safe class of process A is lower, then can carry out tackling or pointing out to user, etc.
The present inventor is realizing finding in process of the present invention; why prior art can often have the phenomenon of wrong report to occur; although be because prior art can get the chain of processes at the behavior place of triggering rule; but; carry out in the process of Initiative Defense at the file for some specific types; after triggering HIPS rule; when reviewing the source of behavior according to chain of processes; real source cannot be traced back to; therefore often there will be the situation of wrong report, some normal behaviors also cannot be performed smoothly.Such as, installing in the process of certain program by a MSI (Windows Installer) installation kit, as long as find the behavior performing an edit the registry startup item, HIPS system does not just all eject prompting with making any distinction between, if find it is an operation that can allow after user judges, after then manually have selected options such as " allowing this time operation " user, just installation process can be continued.
The present inventor is realizing also finding in process of the present invention, why when carrying out Initiative Defense for some file, real source cannot be traced back to, be because, may be there is following phenomenon in some file: after this file of user's startup optimization in running, can be transferred to by the process of under user right in another process under system service authority and go to perform, the behavior triggering HIPS rule may be just perform after transferring to the process under system service authority, and when HIPS obtains chain of processes, the originating processes under this system service authority can only be traced back to, and cannot associate with the chain of processes under user right, that is, this special file in the process of implementation, the chain rupture of chain of processes can be caused, therefore, also just real source cannot be traced back to.
Such as, user double-clicks a MSI installation kit, and system can associate according to extension name, and first start the process of the msiexec.exe of active user's authority, ms iexec.exe, system process is a part of WindowsInstaller.For installing Windows Installer installation kit (MSI), then this user right ms iexec.exe can calling interface by request forward to Server corresponding to interface, the msiexec.exe of i.e. system service authority is (if the msiexec.exe of this system service authority not yet starts, then need first to be started with DCOM), perform follow-up operation behavior more afterwards.Like this, after certain operation behavior triggers HIPS authority, when being reviewed by chain of processes, the ms iexec.exe of system service authority can only be traced back to, but in fact the source of this operation behavior should be this MSI installation kit itself, or certain DLL (Dynamic Link Library, the dynamic link library) file in MSI installation kit.Like this, in the prior art, due to the behavior of specifically which MSI installation kit or the execution of which dynamic link library cannot be known, as long as therefore find to trigger HIPS rule, and trace back to the msiexec.exe of system service authority, just carry out indicating risk without exception, obviously, this can cause a large amount of wrong reports.
Therefore, in embodiments of the present invention, just can by setting up associating between source file with invoked system service authority process, trace back to the real source of operation behavior, and then carry out fail safe judgement by the file located real source, determine whether that needs carry out tackling or ejecting prompting.Just the method that the embodiment of the present invention provides is introduced in detail below.
See Fig. 2, the active defense method that the embodiment of the present invention provides comprises the following steps:
S201: the remote procedure call protocol RPC produced preset interface calls and follows the tracks of;
S202: when the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
During specific implementation, follow the tracks of by calling the RPC of preset interface, intercept the request of calling system Service Privileges process, from request, then extract the fullpath of source file, so just can set up associating between source file with invoked system service process.Wherein, the RPC of this interface of IMSIServer::DoInstallRemote is called and follows the tracks of, and interception request bag, the complete trails of original MSI installation kit can be got, the RPC of this interface of CMsiCustomAction::PrepareDLLCustomAction is called and follows the tracks of, and interception request bag, just can get the DLL path that dll file inside MSI installation kit is corresponding.
During specific implementation, communicated between can being carried out to RPC by monitoring (such as HOOK) relevant api function, reach the object of above-mentioned tracking, wherein, need according to different operating system versions, the api function that HOOK is different, to reach the object of following the tracks of accurately and tackling, in Windows XP operating system, can below HOOK api function: NtRequestWaitReplyPort etc., in Windows Vista and version afterwards thereof, can below HOOK api function: NtAlpcSendWaitReplyPort etc.
Like this, in previous example, still suppose that user double-clicks after a MSI installation kit starts the installation process of certain program, first system still can start the process of the ms iexec.exe of active user's authority, then the msiexec.exe of this user right can call corresponding interface (if the request that MSI installation kit file itself is initiated, then this process can call this interface of IMSIServer::DoInstallRemote, if the request that certain DLL in installation kit file initiates, then this process can call this interface of CMsiCustomAction::PrepareDLLCustomAction), by request forward to Server corresponding to interface, after HOOK is carried out to aforementioned api function, when the process Forward-reques of user right to Server time, just can intercept this request, then by resolving the parameter of this function, just can get the fullpath of MSI installation kit, or the DLL path of certain dll file in MSI installation kit file.And then by this request forward to the process msiexec.exe of system service authority, next, the process msiexec.exe of system service authority can pass the path of coming according to this interface of IMSIServer::DoInstallRemote or this interface of CMsiCustomAction::PrepareDLLCustomAction and start a thread and carry out concrete fitting operation, this thread also can create new thread to do concrete thing (such as written document, write registration table etc.), when the behavior is triggered to HIPS rule time, just first can trace back to this system service authority process of msiexec.exe, then, just can according to the relation between the source file recorded and this system service authority process msiexec.exe, getting is the action which dll file in which MSI installation kit or MSI installation kit is corresponding, in the fullpath of this MSI installation kit or MSI installation kit, namely the DLL path of this dll file is real source.
Certainly, specifically when carrying out HOOK api function, a series of functions with interprocess communication all can be carried out HOOK, such as, under Windows XP operating system, NtCreatePort can be comprised, NtConnectPort, NtRequestPort, NtAcceptPort, NtListenPort, NtReplyPort, NtReplyWaitReceivePort etc.
S203: if there is operation behavior trigger Host Based intrusion prevention system HIPS rule and trace back to described invoked system service process according to chain of processes, then the path of described source file is defined as the source of described operation behavior;
After having operation behavior triggering HIPS rule, just can first review according to chain of processes, if trace back to system service process, then can according to the association of setting up before, finding the real source of operation behavior, such as, may be certain installation kit file, or certain dll file in certain installation kit file, etc.
Such as, still suppose that user double-clicks a MSI installation kit, system can associate according to extension name, start the process of the msiexec.exe of active user's authority, then this msiexec.exe meeting calling interface IMSIServer::DoInstallRemote, system can be transmitted to Server corresponding to interface it, i.e. the msiexec.exe (if there is no, can adjust with DCOM) of SYSTEM authority.
And in embodiments of the present invention, NtRequestWaitReplyPort (xp) is served by intercepting system, NtAlpcSendWaitReplyPort (Vista Later), the fullpath of MSI bag can be got when system forwards request is to Server, like this, when service processes msiexec.exe is triggered to main anti-rule time, according to the relation of thread chain, can get is that MSI wraps corresponding action, and namely the fullpath that this MSI wraps is the real source of current operation behavior.
Wherein, specifically when obtaining chain of processes, can realize by API, such as, NtQueryInformationProcess can obtain the PID of parent process, and like this, one-level one-level is upwards looked for, and just can find all processes.In addition, the embodiment of the present invention can also have oneself chain of processes management function, uses driving obtain a process creation and exit event, oneself creates a chain of processes, like this, as long as go the chain of processes management function looking into oneself just can obtain the father and son's process relation in whole chain of processes.
S204: according to the danger classes of described source file, performs the process of main frame intrusion prevention.
After finding the real source of operation behavior, just can determine the danger classes of real source files, and according to the danger classes of this real source files, perform the process of main frame intrusion prevention.Wherein, the danger classes of the file in real source can be known according to special danger classes evaluation system, such as, can be recorded in the list of server end by the class information of each source file in advance.This list contains the information such as PID, establishment relation, file hierarchies of each process, then by this list of inquiry, just can obtain the danger classes of current source file.
During specific implementation, the form of presentation of danger classes can have multiple, such as, and the first estate: trusted file, second grade: grey file, the tertiary gradient: apocrypha, the fourth estate is virus or wooden horse etc., specifically when performing main frame intrusion prevention process, directly can perform interception to the operation behavior of the higher source file of danger classes, or, also first can carry out dangerous tip to user, be selected whether to perform interception by user.Certainly, when carrying out dangerous tip to user, the source being shown to the operation behavior of user is exactly the real source got in the embodiment of the present invention, instead of system service process.Such as, in previous example, suppose to find that real source is this dll file of MSI1F.tmp, then by modes such as pop-up windows, this file can be prompted to user, instead of only point out corresponding system service process msiexec.exe, certainly, when judging the harmful grade of source file, also be the harmful grade judging this MSI1F.tmp, instead of msiexec.exe.Specifically when pointing out, not only the filename of source file user can be shown to, the information such as the path of this source files user can also be shown in the lump.
In a word, in embodiments of the present invention, after user's startup optimization file, can be transferred to by the process of under user right in another process under system service authority and go to perform, cause the situation of chain of processes chain rupture, can will set up associating between source file with invoked system service authority process, thus when certain operation behavior triggers HIPS rule, the real source of operation behavior can be traced back to, and then the judgement of danger classes is carried out by the file located real source, determine whether that needs carry out tackling or eject prompting interface, the probability of wrong report can be reduced like this.
Corresponding with the active defense method that the embodiment of the present invention provides, the embodiment of the present invention additionally provides a kind of Initiative Defense device, and see Fig. 3, this device comprises:
Tracking cell 301, the remote procedure call protocol RPC for producing preset interface calls and follows the tracks of;
Interception unit 302, for when the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
Source determining unit 303, if for there being operation behavior trigger Host Based intrusion prevention system HIPS rule and trace back to described invoked system service process according to chain of processes, be then defined as the source of described operation behavior by the path of described source file;
Processing unit 304, for the danger classes according to described source file, performs the process of main frame intrusion prevention.
Wherein, described source file comprises MSI installation kit file, and described tracking cell 301 can comprise:
First follows the tracks of subelement, and the RPC for docking port IMSIServer::DoInstallRemote calls and follows the tracks of, to obtain described MSI installation kit file storing path in systems in which.
Or described source file comprises the dynamic link library (DLL) file in MSI installation kit file, now, described tracking cell 201 can comprise:
Second follows the tracks of subelement, and the RPC for docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, to obtain the DLL path of the dll file in described MSI installation kit file.
In actual applications, described processing unit 304 specifically can comprise:
Operation intercepting subelement, for the danger classes according to described source file, performs interception to described operation behavior.
Or described processing unit 304 also can comprise:
Indicating risk subelement, for the danger classes according to described source file, carries out indicating risk to user, and the information of described source file is prompted to user.
Corresponding with the active defense method that the embodiment of the present invention provides and device, the embodiment of the present invention additionally provides a kind of Active Defending System Against, and see Fig. 4, this system can comprise client 401 and server end 402:
Tracking cell 4011, the remote procedure call protocol RPC for producing preset interface calls and follows the tracks of;
Interception unit 4012, for when the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
Source determining unit 4013, if triggering Host Based intrusion prevention system HIPS rule for there being operation behavior and tracing back to according to chain of processes the process initiating described operation behavior is invoked system service process, then the path of described source file is defined as the source of described operation behavior;
Feature extraction unit 4014, for extracting the feature of described source file; Concrete, the source file feature extracted can be the static nature such as title, MD5 of source file, or also can dispose sandbox system on a client device, source file is put into sandbox run, extract its dynamic behaviour feature, to be uploaded onto the server end, so that server end judges source file according to these features.
Uploading unit 4015, for end 402 of the feature of described source file being uploaded onto the server;
Described server end 402 comprises:
Danger classes determining unit 4021, for judging the danger classes of described source file according to the feature of described source file, and returns to client;
Described client 401 also comprises:
Processing unit 4016, for the danger classes of described source file returned according to described server end, performs the process of main frame intrusion prevention.
Certainly, in actual applications, client also can be by whole files passe to server end, by the feature of server end extraction document, or directly judges the danger classes of file according to file white list or blacklist etc.Therefore, the embodiment of the present invention additionally provides another kind of Active Defending System Against, and see Fig. 5, this system comprises client 501 and server end 502 equally, wherein:
Client specifically can comprise:
Tracking cell 5011, the remote procedure call protocol RPC for producing preset interface calls and follows the tracks of;
Interception unit 5012, for when the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
Source determining unit 5012, if triggering Host Based intrusion prevention system HIPS rule for there being operation behavior and tracing back to according to chain of processes the process initiating described operation behavior is invoked system service process, then the path of described source file is defined as the source of described operation behavior;
Uploading unit 5014, for end 502 of being uploaded onto the server by described source file;
Described server end 502 comprises:
Feature extraction unit 5021, for extracting the feature of described source file;
Danger classes determining unit 5022, for judging the danger classes of described source file according to the feature of described source file, and returns to client;
Described client 501 also comprises:
Processing unit 5015, for the danger classes of described source file returned according to described server end, performs the process of main frame intrusion prevention.
In a word, in the Initiative Defense device that the embodiment of the present invention provides, after user's startup optimization file, can be transferred to by the process of under user right in another process under system service authority and go to perform, cause the situation of chain of processes chain rupture, can will set up associating between source file with invoked system service authority process, thus when certain operation behavior triggers HIPS rule, the real source of operation behavior can be traced back to, and then the judgement of danger classes is carried out by the file located real source, determine whether that needs carry out tackling or ejecting prompting, the probability of wrong report can be reduced like this.
Intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with display at this algorithm provided.Various general-purpose system also can with use based on together with this teaching.According to description above, the structure constructed required by this type systematic is apparent.In addition, the present invention is not also for any certain programmed language.It should be understood that and various programming language can be utilized to realize content of the present invention described here, and the description done language-specific is above to disclose preferred forms of the present invention.
In specification provided herein, describe a large amount of detail.But can understand, embodiments of the invention can be put into practice when not having these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand in each inventive aspect one or more, in the description above to exemplary embodiment of the present invention, each feature of the present invention is grouped together in single embodiment, figure or the description to it sometimes.But, the method for the disclosure should be construed to the following intention of reflection: namely the present invention for required protection requires feature more more than the feature clearly recorded in each claim.Or rather, as claims below reflect, all features of disclosed single embodiment before inventive aspect is to be less than.Therefore, the claims following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and adaptively can change the module in the equipment in embodiment and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and multiple submodule or subelement or sub-component can be put them in addition.Except at least some in such feature and/or process or unit be mutually repel except, any combination can be adopted to combine all processes of all features disclosed in this specification (comprising adjoint claim, summary and accompanying drawing) and so disclosed any method or equipment or unit.Unless expressly stated otherwise, each feature disclosed in this specification (comprising adjoint claim, summary and accompanying drawing) can by providing identical, alternative features that is equivalent or similar object replaces.
In addition, those skilled in the art can understand, although embodiments more described herein to comprise in other embodiment some included feature instead of further feature, the combination of the feature of different embodiment means and to be within scope of the present invention and to form different embodiments.Such as, in the following claims, the one of any of embodiment required for protection can use with arbitrary compound mode.
All parts embodiment of the present invention with hardware implementing, or can realize with the software module run on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that the some or all functions that microprocessor or digital signal processor (DSP) can be used in practice to realize according to the some or all parts in the main frame intrusion prevention equipment of the embodiment of the present invention.The present invention can also be embodied as part or all equipment for performing method as described herein or device program (such as, computer program and computer program).Realizing program of the present invention and can store on a computer-readable medium like this, or the form of one or more signal can be had.Such signal can be downloaded from internet website and obtain, or provides on carrier signal, or provides with any other form.
The present invention will be described instead of limit the invention to it should be noted above-described embodiment, and those skilled in the art can design alternative embodiment when not departing from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and does not arrange element in the claims or step.Word "a" or "an" before being positioned at element is not got rid of and be there is multiple such element.The present invention can by means of including the hardware of some different elements and realizing by means of the computer of suitably programming.In the unit claim listing some devices, several in these devices can be carry out imbody by same hardware branch.Word first, second and third-class use do not represent any order.Can be title by these word explanations.
The application can be applied to computer system/server, and it can operate with other universal or special computing system environment numerous or together with configuring.The example of the well-known computing system being suitable for using together with computer system/server, environment and/or configuration includes but not limited to: personal computer system, server computer system, thin client, thick client computer, hand-held or laptop devices, the system based on microprocessor, Set Top Box, programmable consumer electronics, NetPC Network PC, little type Ji calculate machine Xi Tong ﹑ large computer system and comprise the distributed cloud computing technology environment of above-mentioned any system, etc.Computer system/server can describe under the general linguistic context of the computer system executable instruction (such as program module) performed by computer system.Usually, program module can comprise routine, program, target program, assembly, logic, data structure etc., and they perform specific task or realize specific abstract data type.Computer system/server can be implemented in distributed cloud computing environment, and in distributed cloud computing environment, task is performed by the remote processing devices by communication network links.In distributed cloud computing environment, program module can be positioned at and comprise on the Local or Remote computing system storage medium of memory device.

Claims (10)

1. an active defense method, comprising:
The remote procedure call protocol RPC produced preset interface calls and follows the tracks of;
When the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
If having operation behavior to trigger Host Based intrusion prevention system HIPS rule and trace back to according to chain of processes the process initiating described operation behavior is invoked system service process, then the path of described source file is defined as the source of described operation behavior;
According to the danger classes of described source file, perform the process of main frame intrusion prevention.
2. method according to claim 1, described source file comprises MSI installation kit file, and the described RPC to preset interface calls and carries out tracking and comprise:
The RPC of docking port IMSIServer::DoInstallRemote calls and follows the tracks of, to obtain described MSI installation kit file storing path in systems in which.
3. method according to claim 1, described source file comprises the dynamic link library (DLL) file in MSI installation kit file, and the described RPC to preset interface calls and carries out tracking and comprise:
The RPC of docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, to obtain the DLL path of the dll file in described MSI installation kit file.
4. the method according to any one of claims 1 to 3, the described danger classes according to described source file, performs the process of main frame intrusion prevention and comprises:
Determine the danger classes of source file;
According to the danger classes of described source file, interception is performed to described operation behavior.
5. the method according to any one of claims 1 to 3, the described danger classes according to described source file, performs the process of main frame intrusion prevention and comprises:
According to the danger classes of described source file, carry out indicating risk to user, and the information of described source file is prompted to user.
6. an Initiative Defense device, comprising:
Tracking cell, the remote procedure call protocol RPC for producing preset interface calls and follows the tracks of;
Interception unit, for when the process of user right initiates the request of calling system service processes by preset interface, interception described request, the path of extraction source file from described request, and set up the path of described source file and associating between invoked system service process;
Source determining unit, if triggering Host Based intrusion prevention system HIPS rule for there being operation behavior and tracing back to according to chain of processes the process initiating described operation behavior is invoked system service process, then the path of described source file is defined as the source of described operation behavior;
Processing unit, for the danger classes according to described source file, performs the process of main frame intrusion prevention.
7. device according to claim 6, described source file comprises MSI installation kit file, and described tracking cell comprises:
First follows the tracks of subelement, and the RPC for docking port IMSIServer::DoInstallRemote calls and follows the tracks of, to obtain described MSI installation kit file storing path in systems in which.
8. device according to claim 6, described source file comprises the dynamic link library (DLL) file in MSI installation kit file, and described tracking cell comprises:
Second follows the tracks of subelement, and the RPC for docking port CMsiCustomAction::PrepareDLLCustomAction calls and follows the tracks of, to obtain the DLL path of the dll file in described MSI installation kit file.
9. the device according to any one of claim 6 to 8, described processing unit comprises:
Danger classes determination subelement, for determining the danger classes of source file;
Operation intercepting subelement, for the danger classes according to described source file, performs interception to described operation behavior.
10. the device according to any one of claim 6 to 8, described processing unit comprises:
Indicating risk subelement, for the danger classes according to described source file, carries out indicating risk to user, and the information of described source file is prompted to user.
CN201510221827.XA 2012-09-29 2012-09-29 Active defense method and device Active CN104811453B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510221827.XA CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510221827.XA CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device
CN201210376903.0A CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201210376903.0A Division CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Publications (2)

Publication Number Publication Date
CN104811453A true CN104811453A (en) 2015-07-29
CN104811453B CN104811453B (en) 2018-05-01

Family

ID=47484018

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201510221827.XA Active CN104811453B (en) 2012-09-29 2012-09-29 Active defense method and device
CN201210376903.0A Active CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201210376903.0A Active CN102882875B (en) 2012-09-29 2012-09-29 Active defense method and device

Country Status (1)

Country Link
CN (2) CN104811453B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108717509A (en) * 2018-06-05 2018-10-30 厦门安胜网络科技有限公司 A kind of method, apparatus, equipment and the readable medium of the extraction procedure derivative in sandbox
CN109787886A (en) * 2019-01-22 2019-05-21 北京北信源信息安全技术有限公司 A kind of mail auditing method and system
CN109784051A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Protecting information safety method, device and equipment
CN112596932A (en) * 2021-01-04 2021-04-02 天冕信息技术(深圳)有限公司 Service registration and interception method and device, electronic equipment and readable storage medium

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811453B (en) * 2012-09-29 2018-05-01 北京奇虎科技有限公司 Active defense method and device
CN108491736B (en) * 2018-04-02 2020-09-22 北京顶象技术有限公司 Tamper monitoring method and device
CN111367684B (en) * 2018-12-26 2023-11-10 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN110717183B (en) * 2019-12-09 2020-10-27 深信服科技股份有限公司 Virus checking and killing method, device, equipment and storage medium
CN113742074A (en) * 2021-09-07 2021-12-03 杭州雾联科技有限公司 Method and related device for tracing shutdown source by cloud host
CN114466053B (en) * 2022-04-11 2022-07-08 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for call control of remote procedure call
CN114697131B (en) * 2022-04-27 2024-08-16 京东科技控股股份有限公司 Data calling method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN101588358A (en) * 2009-07-02 2009-11-25 西安电子科技大学 System and method for detecting host intrusion based on danger theory and NSA
US7913078B1 (en) * 2000-06-22 2011-03-22 Walter Mason Stewart Computer network virus protection system and method
CN102663289A (en) * 2012-03-22 2012-09-12 奇智软件(北京)有限公司 Method and device for intercepting rogue program of modifying page elements
CN102882875B (en) * 2012-09-29 2015-06-10 北京奇虎科技有限公司 Active defense method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003021376A2 (en) * 2001-09-04 2003-03-13 E-Cop.Net Pte Ltd Computer security event management system
CN101414341B (en) * 2007-10-15 2014-12-10 北京瑞星信息技术有限公司 Software self-protection method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7913078B1 (en) * 2000-06-22 2011-03-22 Walter Mason Stewart Computer network virus protection system and method
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN101588358A (en) * 2009-07-02 2009-11-25 西安电子科技大学 System and method for detecting host intrusion based on danger theory and NSA
CN102663289A (en) * 2012-03-22 2012-09-12 奇智软件(北京)有限公司 Method and device for intercepting rogue program of modifying page elements
CN102882875B (en) * 2012-09-29 2015-06-10 北京奇虎科技有限公司 Active defense method and device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108717509A (en) * 2018-06-05 2018-10-30 厦门安胜网络科技有限公司 A kind of method, apparatus, equipment and the readable medium of the extraction procedure derivative in sandbox
CN108717509B (en) * 2018-06-05 2020-06-23 厦门安胜网络科技有限公司 Method, device and equipment for extracting program derivative in sandbox and readable medium
CN109784051A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Protecting information safety method, device and equipment
CN109784051B (en) * 2018-12-29 2021-01-15 360企业安全技术(珠海)有限公司 Information security protection method, device and equipment
CN109787886A (en) * 2019-01-22 2019-05-21 北京北信源信息安全技术有限公司 A kind of mail auditing method and system
CN109787886B (en) * 2019-01-22 2021-03-02 北京北信源信息安全技术有限公司 Mail auditing method and system
CN112596932A (en) * 2021-01-04 2021-04-02 天冕信息技术(深圳)有限公司 Service registration and interception method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN102882875A (en) 2013-01-16
CN102882875B (en) 2015-06-10
CN104811453B (en) 2018-05-01

Similar Documents

Publication Publication Date Title
CN102882875B (en) Active defense method and device
CN102651061B (en) System and method of protecting computing device from malicious objects using complex infection schemes
CN102902919B (en) A kind of identifying processing methods, devices and systems of suspicious operation
CN101373502B (en) Automatic analysis system of virus behavior based on Win32 platform
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
US11455400B2 (en) Method, system, and storage medium for security of software components
US9614867B2 (en) System and method for detection of malware on a user device using corrected antivirus records
CN107992751B (en) Real-time threat detection method based on branch behavior model
EP2637121A1 (en) A method for detecting and removing malware
CN103001947A (en) Program processing method and program processing system
CN102629310A (en) System and method for protecting computer system from being infringed by activities of malicious objects
CN103473501B (en) A kind of Malware method for tracing based on cloud security
CN102999720B (en) Program identification method and system
CN103077353A (en) Method and device for actively defending rogue program
CN103679031A (en) File virus immunizing method and device
CN103020524A (en) Computer virus monitoring system
CN102982281B (en) Program state testing method and system
CN102857519B (en) Active defensive system
CN104517054A (en) Method, device, client and server for detecting malicious APK
CN103049695A (en) Computer virus monitoring method and device
CN103279707A (en) Method, device and system for actively defending against malicious programs
CN102999721B (en) A kind of program processing method and system
CN102446253B (en) Webpage trojan detection method and system
CN102270132A (en) Control method for script action in Linux operating system
Chen et al. Vulnerability-based backdoors: Threats from two-step trojans

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220707

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.