
CN110516444B - Cross-terminal and cross-version Root attack detection and protection system based on kernel - Google Patents

Info

Publication number
CN110516444B
Authority
CN
China
Prior art keywords
root
module
attack
monitoring
protection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910664335.6A
Other languages
Chinese (zh)
Other versions
CN110516444A (en)
Inventor
李冬芬
杨雅茗
刘明哲
陈金莲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu University of Technology
Original Assignee
Chengdu University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-07-23
Filing date
2019-07-23
Publication date
2019-11-29 (CN110516444A); 2023-04-07 (CN110516444B)

Events
2019-07-23 Application filed by Chengdu University of Technology; priority to CN201910664335.6A
2019-11-29 Publication of CN110516444A
2023-04-07 Application granted; publication of CN110516444B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a kernel-based cross-terminal, cross-version Root attack detection and protection system. It comprises a Root monitoring subsystem that monitors and detects Root attacks; a Root protection subsystem, connected to the Root monitoring subsystem, that stops Root attacks through system management; and a private data protection module, connected to the Root protection subsystem, that hides the private data a malicious program tries to read. The Root monitoring subsystem comprises a monitoring control module for monitoring Root attacks, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module, each connected to the monitoring control module. With this scheme the system protects the Android system when a malicious program mounts a Root attack, and has high practical and promotional value.

Description

Kernel-based cross-terminal, cross-version Root attack detection and protection system

Technical field

The invention belongs to the technical field of Android and specifically relates to a kernel-based cross-terminal, cross-version Root attack detection and protection system.

Background

With the continuous development of science and technology, smartphones have become part of everyday life. As the representative mobile operating system, Android held 86.4% of the Chinese smartphone market as of the first quarter of 2017. At the same time, Root attacks against Android are increasing day by day. An Android system that has been Rooted by an attacker typically leaks information, including bank accounts, work documents and private photos, which is very bad for the user. Moreover, once one phone of a given model running a given Android build is successfully Rooted, other phones of the same model are very likely to be attacked in the same way, a loss for users and manufacturers alike. How to detect Root attacks so that other Android users can be warned, and how to block the Root attacks of malicious programs, is therefore a problem that those skilled in the art urgently need to solve.

Summary of the invention

The purpose of the invention is to provide a kernel-based cross-terminal, cross-version Root attack detection and protection system, mainly to solve the problem in the prior art that Root attacks by malicious programs cause losses to Android users and developers.

To achieve the above object, the invention adopts the following technical scheme:

A kernel-based cross-terminal, cross-version Root attack detection and protection system comprises: a Root monitoring subsystem that monitors and detects Root attacks; a Root protection subsystem, connected to the Root monitoring subsystem, that terminates Root attacks through system management; and a private data protection module, connected to the Root protection subsystem, that hides the private data a malicious program wants to read. The Root monitoring subsystem comprises a monitoring control module for monitoring Root attacks, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module, each connected to the monitoring control module; the Root protection subsystem is connected to the process operation monitoring module.

Further, the Root protection subsystem comprises: an attack behaviour recording module that records Root attacks; an attack pattern receiving module that receives the monitoring results of the Root monitoring subsystem; an attack pattern extraction module and an attack pattern database, located in the cloud, that receive the information fed back by the phone-side attack behaviour recording module and attack pattern receiving module respectively; an attack pattern comparison module that takes its input from the attack pattern receiving module; and an attack pattern interception module connected to the attack pattern comparison module.

Compared with the prior art, the invention has the following beneficial effects:

(1) The invention is based on the Android kernel and detects and intercepts Root attacks at the kernel level. By analysing Root attack behaviour it mines the behavioural characteristics, extracts the attack pattern, uploads that pattern to the cloud and updates the Root attack pattern database, which other Android users download so that the pattern is recognised and blocked in time. Root Defender also provides private data protection: it responds actively, forging and hiding the user's private data so that an attacker receives false data, protecting the private data as far as possible. The invention detects, intercepts and defends against known Root attack behaviour, effectively protecting the security of user information; it learns unknown Root behaviour, preventing it from harming more users; and for users who have already been Rooted the system can still prevent further damage and protect their information. Root Defender supports cross-terminal, cross-version protection against Root attacks and so protects the Android system well.

(2) The invention detects Root attacks through the Root monitoring subsystem: a monitoring control module APK with Root capability performs Root behaviour detection on the phone, can effectively detect the Root behaviour, and displays the record of the Root attack behaviour. The attack behaviour recording module of the Root protection subsystem records the Root attack behaviour once the Root monitoring subsystem has detected it and uploads it to the cloud for analysis and extraction. The attack pattern extraction module analyses the core behaviour of the Root attack, extracts the attack pattern and records it. The attack pattern database is the cloud-side collection of known Root attack patterns and can hold every known pattern. The attack pattern receiving module downloads the new database of Root attack behaviour to the different clients and updates the old database. Attack pattern interception effectively blocks Root behaviour when it matches a known attack pattern.

(3) Root Defender provides every Android mobile terminal with a complete, hands-off service for detecting malicious Root attack programs, intercepting them and protecting private data: it both identifies the attack behaviour of a malicious Root program and alerts the user, and protects every user of the system against a malicious Root program's operations on private data.

(4) Once the Root monitoring subsystem has detected Root attack behaviour, the private data protection module hides the private data the malicious program wants to read and either gives the malicious program no response or shows it forged data, thereby protecting the Android system.

Description of drawings

Fig. 1 is a schematic diagram of the system structure of the invention.

Detailed description

The invention is further described below with reference to the accompanying drawing and an example; embodiments of the invention include, but are not limited to, the following example.

Example

As shown in Fig. 1, the kernel-based cross-terminal, cross-version Root attack detection and protection system comprises a Root monitoring subsystem that monitors and detects Root attacks, a Root protection subsystem connected to the Root monitoring subsystem that terminates Root attacks through system management, and a private data protection module connected to the Root protection subsystem that hides the private data a malicious program wants to read.

The Root attack detection and protection system works in two stages, detection and protection. The specific steps of Root attack detection are:

Preparation: the monitoring control module of the Root monitoring subsystem reads the configuration file monitor.cfg to obtain the uid of the APK to be monitored, maintains a dynamic linked list of the pids of the processes created under that uid, and filters out everything that does not need to be monitored.

Step 1: after the monitoring control module has been set up, the file operation monitoring module runs. When a user process invokes the ioctl system call (sys_ioctl), the hook obtains the uid and pid of the current process. If the uid is the monitored uid, it records the operation timestamp, calls d_path to resolve and record the file path from the file descriptor fd, and records the device control command taken from the cmd parameter; it then opens the log file.log and, on success, writes the log entry, calls orig_sys_ioctl, saves the return value, performs the cred integrity check, returns the return value of orig_sys_ioctl and finishes.

Step 2: if the uid is not the monitored uid but the pid is in the monitored list, execution completes as in Step 1. If the pid is not in the monitored list, the hook calls orig_sys_ioctl, saves its return value, returns it and finishes.

Step 3: if opening the log file.log in Step 1 fails, create file.log, then write the log entry and finish.

Step 4: when a user process invokes the fchmodat system call (sys_fchmodat), the hook obtains the uid and pid of the current process. If the uid is the monitored uid, it records the operation timestamp and the new read/write/execute permissions taken from the mode parameter; if pathname is an absolute path it records the path of the target file or directory; it then opens the log file.log and, on success, writes the log entry, calls orig_sys_fchmodat, saves the return value, performs the cred integrity check and returns the return value of orig_sys_fchmodat.

Step 5: if the uid is not the monitored uid but the pid is in the monitored list, record the operation timestamp and complete execution as above. If the pid is not in the monitored list, call orig_sys_fchmodat, save its return value, return it and finish.

Step 6: if pathname in Step 4 is not an absolute path, resolve the path from the directory file descriptor dfd (the dirfd function), record the path of the target file or directory, then open the log file.log and finish as in Step 4.

Step 7: if opening the log file.log in Step 4 fails, create file.log, then write the log entry and finish.

Step 8: when a user process invokes the lseek system call (sys_lseek), the hook obtains the uid and pid of the current process. If the uid is the monitored uid, it records the operation timestamp, the in-file offset taken from the offset parameter and the seek mode taken from the whence parameter, and calls d_path to resolve and record the file path from the file descriptor fd. It then opens the log file.log and, on success, writes the log entry, calls orig_sys_lseek, saves the return value, performs the cred integrity check, returns the return value of orig_sys_lseek and finishes.

Step 9: the non-monitored and log-creation cases are handled as in Steps 2 and 3, with orig_sys_lseek in place of orig_sys_ioctl.

Step 10: after the monitoring control module and the file operation monitoring module are in place, the process operation monitoring module runs. When a user process invokes execve (sys_execve), the hook obtains the uid and pid of the current process. If the uid is the monitored uid, it records the operation timestamp, the file path taken from the filename parameter, the arguments taken from argv and the environment variables taken from envp, and opens the log proc.log. If the log opens successfully, it writes the log entry, calls orig_sys_execve, saves the return value and finishes.

Step 11: if in Step 10 the uid is not the monitored uid but the pid is in the monitored list, execution completes as in Step 10. If the pid is not in the monitored list, the hook calls orig_sys_execve, returns its return value and finishes.

Step 12: if opening proc.log in Step 10 fails, create proc.log and finish.

Step 13: when a user process invokes setuid (sys_setuid), the hook obtains and saves the uid and pid of the current process, calls orig_sys_setuid and saves the return value. If the saved uid is the monitored uid, it records the operation timestamp, the original uid of the process and the new uid, and opens the log proc.log; on success it performs cred integrity monitoring and returns the return value of orig_sys_setuid.

Step 14: if the uid is not the monitored uid but the pid is in the monitored list, execution completes as in Step 13. If the uid is not the monitored uid and the pid is not in the monitored list, return the return value of orig_sys_setuid directly and finish.

Step 15: when a user process invokes mmap (sys_mmap), the kernel side obtains the uid and pid of the current process, calls orig_sys_mmap, saves the return value and checks the uid. If it is the monitored uid, the hook records the operation timestamp, the start address taken from the addr parameter, the memory protection flags and mapping type taken from prot and flags, and the file path and starting file offset taken from fd and offset; it then opens the log memory.log and, on success, writes the log entry, performs cred integrity monitoring, returns the return value of orig_sys_mmap and finishes.

Step 16: if the uid is not the monitored uid but the pid is in the monitored list, execution completes as in Step 15. If the uid is not the monitored uid and the pid is not in the monitored list, return the return value of orig_sys_mmap directly and finish. If opening memory.log fails, create memory.log and finish.

Step 17: when a user process invokes mprotect (sys_mprotect), the hook obtains the uid and pid of the current process, calls orig_sys_mprotect, saves the return value and checks the uid. If it is the monitored uid, the hook records the operation timestamp, the start address of the memory region taken from the start parameter, and the region length and memory protection flags taken from len and prot; it then opens the log memory.log, writes the log entry, performs cred integrity monitoring, returns the return value of orig_sys_mprotect and finishes.

Step 18: if the uid is not the monitored uid but the pid is in the monitored list, execution completes as in Step 17. If the uid is not the monitored uid and the pid is not in the monitored list, return the return value of orig_sys_mprotect directly and finish.
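The steps above give the hook logic only as prose. The following is an added example, not the patent's module: a user-space C model of the shared decision that every hook makes (monitored uid from monitor.cfg, the dynamic pid list, the watched or pass-through choice, a log entry, and a cred integrity check after the original call), applied to the execve and setuid hooks of Steps 10 to 14. The "uid=<n>" layout of monitor.cfg, the struct task, the in-memory log and the orig_sys_* stand-ins are assumptions; a real module would wrap the saved syscall table entries and read current_uid()/current_euid(). Two points the prose leaves implicit: the filter must be evaluated on the credentials saved before the original call, because a setuid that succeeds changes the uid, and the cred check is what turns a log entry into an alert, so the sample ends with a constructed task whose euid has already been corrupted by an exploit.

```c
/* Added example: user-space model of the Root monitoring hooks. Not the patent's code. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated task credentials; a kernel module reads current_uid()/current_euid() instead. */
struct task { int pid; unsigned uid; unsigned euid; };

/* Dynamic linked list of pids created under the monitored uid. */
struct pid_node { int pid; struct pid_node *next; };

struct monitor {
    unsigned monitored_uid;   /* taken from monitor.cfg */
    struct pid_node *pids;    /* monitored pid list */
    char log[4096];           /* in-memory stand-in for proc.log */
    int alerts;               /* cred integrity violations seen so far */
};

enum hook_result { HOOK_PASSTHROUGH = 0, HOOK_LOGGED = 1, HOOK_ALERT = 2 };

/* monitor.cfg format is not given by the patent; "uid=<n>" is assumed here. */
int parse_monitor_cfg(struct monitor *m, const char *cfg)
{
    const char *p = strstr(cfg, "uid=");
    if (!p) return -1;
    m->monitored_uid = (unsigned)strtoul(p + 4, NULL, 10);
    return 0;
}

int pid_tracked(const struct monitor *m, int pid)
{
    for (const struct pid_node *n = m->pids; n; n = n->next)
        if (n->pid == pid) return 1;
    return 0;
}

static void pid_track(struct monitor *m, int pid)
{
    struct pid_node *n;
    if (pid_tracked(m, pid) || !(n = malloc(sizeof *n))) return;
    n->pid = pid;
    n->next = m->pids;
    m->pids = n;
}

/* Appends one entry to the in-memory log (stands in for open/create/write of proc.log). */
static void logm(struct monitor *m, const char *fmt, ...)
{
    size_t used = strlen(m->log);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(m->log + used, sizeof m->log - used, fmt, ap);
    va_end(ap);
}

/* Of interest if the caller runs as the monitored uid or is a tracked pid.
 * Evaluated on the pre-call credentials: a successful setuid changes the uid. */
static int watched(const struct monitor *m, const struct task *t)
{
    return t->uid == m->monitored_uid || pid_tracked(m, t->pid);
}

/* cred integrity check: a task that held no root before the call must hold none after it. */
static enum hook_result cred_check(struct monitor *m, const struct task *t, unsigned uid_before)
{
    if (uid_before != 0 && (t->uid == 0 || t->euid == 0)) {
        m->alerts++;
        logm(m, "ALERT pid=%d uid %u -> uid=%u euid=%u\n", t->pid, uid_before, t->uid, t->euid);
        return HOOK_ALERT;
    }
    return HOOK_LOGGED;
}

/* Stand-ins for the saved original syscall entries (orig_sys_*). The setuid stand-in
 * follows the kernel rule that only euid 0 may switch to a different uid. */
static long orig_sys_setuid(struct task *t, unsigned new_uid)
{
    if (t->euid != 0 && new_uid != t->uid) return -1; /* -EPERM */
    t->uid = t->euid = new_uid;
    return 0;
}
static long orig_sys_execve(struct task *t, const char *filename) { (void)t; (void)filename; return 0; }

enum hook_result hook_sys_execve(struct monitor *m, struct task *t, const char *filename,
                                 const char *argv0, long *ret)
{
    int w = watched(m, t);
    unsigned before = t->uid;
    if (w) {
        pid_track(m, t->pid);   /* keep the pid list current for the later hooks */
        logm(m, "execve pid=%d uid=%u file=%s argv0=%s\n", t->pid, t->uid, filename, argv0);
    }
    *ret = orig_sys_execve(t, filename);
    return w ? cred_check(m, t, before) : HOOK_PASSTHROUGH;
}

enum hook_result hook_sys_setuid(struct monitor *m, struct task *t, unsigned new_uid, long *ret)
{
    int w = watched(m, t);
    unsigned before = t->uid;
    *ret = orig_sys_setuid(t, new_uid);
    if (!w) return HOOK_PASSTHROUGH;
    logm(m, "setuid pid=%d old_uid=%u new_uid=%u ret=%ld\n", t->pid, before, new_uid, *ret);
    return cred_check(m, t, before);
}

int main(void)
{
    struct monitor m = {0};
    struct task app = {1234, 10085, 10085};   /* constructed: the monitored APK */
    long r;
    parse_monitor_cfg(&m, "uid=10085\n");
    hook_sys_execve(&m, &app, "/system/bin/sh", "sh", &r);
    hook_sys_setuid(&m, &app, 0, &r);   /* refused: the app holds no privilege */
    app.euid = 0;                       /* constructed: an exploit has corrupted the cred */
    hook_sys_setuid(&m, &app, 0, &r);   /* now succeeds, so the cred check fires */
    fputs(m.log, stdout);
    return m.alerts == 1 ? 0 : 1;
}
```

Two caveats for anyone porting this to a real kernel: overwriting sys_call_table entries is the technique rootkits use, and current Android kernels keep that table read-only and enforce CFI, so kprobes, tracepoints or an LSM hook are the supported places to attach; and a uid/pid list keyed on the credentials the attacker is trying to change is only trustworthy while the check itself runs before the attacker reaches kernel memory.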

The specific steps by which the Root protection subsystem implements protection are:

Step 1: the information detected by the Root monitoring subsystem is recorded and uploaded by the attack behaviour recording module (also referred to as the upload module of the Root attack pattern; the attack behaviour recording module actually performs both the recording and the uploading). The upload is prepared locally: the features of the Root program's .so file are extracted and the Root attack behaviour is recorded and uploaded. The .so file that the program loads with dlopen(xxx.so) is saved and uploaded to the cloud as well.

Step 2: the attack pattern extraction module extracts attack features from the information recorded and uploaded by the attack behaviour recording module. For example, a piece of malware performs random-access file operations: it first modifies a timestamp, then changes the path of a file at random and seeks within the file, and finally performs a network operation to transfer the file out. This sequence of behaviour is monitored and recorded by the system, and the recorded attack behaviour is uploaded to the cloud so that every connected mobile terminal can retrieve it and compare against it. Once the application process has been identified as malicious Root software, the contents of its ELF file are extracted: the section header table, which holds the information about the file's sections, is read, and the parts that can serve as identifying features of a malicious process, such as section names and section sizes, are extracted. The series of ELF features so extracted is uploaded to the cloud, again for every connected mobile terminal to retrieve and compare against.

Step 3: the attack features extracted by the attack pattern extraction module are compared, and matches intercepted, by the attack pattern comparison module. Root Defender in the attack pattern comparison module can intercept the attacks of malicious Root software. Root Defender records each step of the attack behaviour of the currently running software and extracts the attack pattern; at a given moment, before the software has completed all of its malicious behaviour, the pattern from the cloud is compared locally with this pattern, and the feature information in the ELF section header table is compared; if the similarity is high, the program is intercepted and terminated immediately. If, as soon as the software is installed, the feature information in its ELF section header table is compared with the corresponding information in the cloud and the similarity is extremely high, the software is removed outright and never gets to perform any malicious behaviour.

Step 4: the private data protection module belongs to the privacy protection subsystem but runs together with the Root protection subsystem. While the attack behaviour recording module records attack behaviour it also notifies the private data protection module, which sits in the framework layer. The private data protection module modifies the corresponding key functions so as to forge the key private data, so that the attacker either cannot read the data or reads only forged data, which achieves protection against the Root attack.

The above embodiment is only a preferred embodiment of the invention and does not limit its scope of protection; any change that adopts the design principle of the invention and is made on that basis by non-creative work falls within the scope of protection of the invention.
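Steps 2 and 3 above describe the ELF feature (section names and sizes from the section header table) and a similarity comparison, but give neither the extraction nor the scoring rule. The following is an added example, not the patent's code, of the one concrete piece that can be written from the description: a bounds-checked section header walk over an ELF64 image, a fingerprint of (name, size) pairs, and a similarity score defined as the fraction of the known pattern's sections that the sample reproduces exactly. The sample images, the section lists and the 0.75 interception threshold are constructed for the example; the .so and ELF files the page mentions are both ELF images on Android, so the same parser applies. Note the caveat a practitioner would attach to this feature on its own: section names and sizes are trivial to change (re-link, strip, pack), so the feature is easy to evade and collides between unrelated binaries from the same toolchain, which is why the page pairs it with the behavioural record rather than relying on it alone.

```c
/* Added example: ELF section header fingerprint and similarity score. Not the patent's code. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS 16

struct sec_feat { char name[32]; uint64_t size; };
struct fingerprint { int n; struct sec_feat s[MAX_SECTIONS]; };

/* Reads the section header table of an ELF64 image held in memory. Every offset is
 * checked against len before it is dereferenced: the image is attacker-controlled. */
int elf_fingerprint(const uint8_t *img, size_t len, struct fingerprint *fp)
{
    Elf64_Ehdr eh;
    Elf64_Shdr strtab, sh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                      /* memcpy: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh.e_shoff == 0 || eh.e_shentsize != sizeof sh || eh.e_shstrndx >= eh.e_shnum) return -1;
    if (eh.e_shoff > len || (uint64_t)eh.e_shnum * sizeof sh > len - eh.e_shoff) return -1;
    memcpy(&strtab, img + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof sh, sizeof sh);
    if (strtab.sh_offset > len || strtab.sh_size > len - strtab.sh_offset) return -1;
    fp->n = 0;
    for (unsigned i = 0; i < eh.e_shnum && fp->n < MAX_SECTIONS; i++) {
        memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_type == SHT_NULL) continue;
        if (sh.sh_name >= strtab.sh_size) return -1;
        const char *nm = (const char *)img + strtab.sh_offset + sh.sh_name;
        if (!memchr(nm, '\0', strtab.sh_size - sh.sh_name)) return -1;   /* unterminated name */
        snprintf(fp->s[fp->n].name, sizeof fp->s[fp->n].name, "%s", nm);
        fp->s[fp->n].size = sh.sh_size;
        fp->n++;
    }
    return fp->n;
}

/* Similarity: fraction of the known pattern's sections found in the sample with the same name and size. */
double fingerprint_similarity(const struct fingerprint *known, const struct fingerprint *sample)
{
    int hits = 0;
    if (known->n == 0) return 0.0;
    for (int i = 0; i < known->n; i++)
        for (int j = 0; j < sample->n; j++)
            if (strcmp(known->s[i].name, sample->s[j].name) == 0 && known->s[i].size == sample->s[j].size) {
                hits++;
                break;
            }
    return (double)hits / known->n;
}

int should_intercept(double similarity, double threshold) { return similarity >= threshold; }

/* Constructed test input: a minimal ELF64 image holding only a section header table
 * (no code, no segments). Layout: ehdr | .shstrtab bytes | headers (null, .shstrtab, named...). */
size_t build_elf_image(uint8_t *buf, size_t cap, const char *const names[], const uint64_t sizes[], int n)
{
    char strs[512] = { 0 };
    uint32_t off[MAX_SECTIONS];
    size_t sl = 1, shoff, total;
    Elf64_Ehdr eh = { 0 };
    Elf64_Shdr sh = { 0 };
    if (n + 2 > MAX_SECTIONS) return 0;
    strcpy(strs + sl, ".shstrtab"); sl += 10;
    for (int i = 0; i < n; i++) {
        if (sl + strlen(names[i]) + 1 > sizeof strs) return 0;
        off[i] = (uint32_t)sl; strcpy(strs + sl, names[i]); sl += strlen(names[i]) + 1;
    }
    shoff = (sizeof eh + sl + 7) & ~(size_t)7;
    total = shoff + (size_t)(n + 2) * sizeof sh;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_AARCH64; eh.e_version = EV_CURRENT; eh.e_ehsize = sizeof eh;
    eh.e_shoff = shoff; eh.e_shentsize = sizeof sh; eh.e_shnum = (uint16_t)(n + 2); eh.e_shstrndx = 1;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, strs, sl);
    sh.sh_name = 1; sh.sh_type = SHT_STRTAB; sh.sh_offset = sizeof eh; sh.sh_size = sl;   /* index 1 */
    memcpy(buf + shoff + sizeof sh, &sh, sizeof sh);
    for (int i = 0; i < n; i++) {
        memset(&sh, 0, sizeof sh);
        sh.sh_name = off[i]; sh.sh_type = SHT_PROGBITS; sh.sh_size = sizes[i];
        memcpy(buf + shoff + (size_t)(i + 2) * sizeof sh, &sh, sizeof sh);
    }
    return total;
}

int main(void)
{
    static const char *const names[] = { ".text", ".rodata", ".data", ".bss" };
    static const uint64_t known_sizes[] = { 4096, 512, 256, 64 };    /* constructed "cloud" pattern */
    static const uint64_t sample_sizes[] = { 4096, 512, 300, 64 };   /* constructed sample, one section differs */
    uint8_t a[1024], b[1024];
    struct fingerprint known, sample;
    size_t la = build_elf_image(a, sizeof a, names, known_sizes, 4);
    size_t lb = build_elf_image(b, sizeof b, names, sample_sizes, 4);
    elf_fingerprint(a, la, &known);
    elf_fingerprint(b, lb, &sample);
    double sim = fingerprint_similarity(&known, &sample);
    printf("similarity %.2f -> %s\n", sim, should_intercept(sim, 0.75) ? "intercept" : "allow");
    return 0;
}
```

The .shstrtab section is part of the fingerprint on purpose: its size changes whenever the set of section names changes, so two binaries with different section layouts cannot score a match on it by accident. A truncated or malformed image is rejected by elf_fingerprint rather than read past its end, which matters because the comparison runs on files the attacker chose.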

Claims (1)

1. The kernel-based cross-terminal cross-version Root attack detection and protection system is characterized by comprising a Root monitoring subsystem for monitoring and detecting the Root attack, a Root protection subsystem which is connected with the Root monitoring subsystem and terminates the Root attack through system management, and a private data protection module which is connected with the Root protection subsystem and hides private data which is required to be read by a malicious program; the Root monitoring subsystem comprises a monitoring control module for monitoring Root attack, and a file operation monitoring module, a process operation monitoring module and a memory operation monitoring module which are respectively connected with the monitoring control module, wherein the Root protection subsystem is connected with the process operation monitoring module;
the Root protection subsystem comprises an attack behavior recording module for recording Root attack, an attack mode receiving module for receiving the monitoring condition of the Root monitoring subsystem, an attack mode extracting module and an attack mode database which are respectively used for receiving feedback information of the attack behavior recording module and the attack mode receiving module at a mobile phone end, an attack mode comparing module for receiving the attack mode receiving module and an attack mode intercepting module connected with the attack mode comparing module;
the specific steps of the Root protection subsystem for realizing protection are as follows:
the first step is as follows: information detected by the Root monitoring subsystem is recorded by the attack behavior recording module and uploaded to the cloud;
the second step is that: the attack behavior recording module records the uploaded information and the attack pattern extraction module extracts attack characteristics;
the third step: the attack features extracted by the attack pattern extraction module are compared and intercepted by the attack pattern comparison module;
the fourth step: the private data protection module and the Root protection subsystem operate together; while recording attack behaviours, the attack behaviour recording module informs the private data protection module located in the framework layer, and the private data protection module modifies the corresponding key functions to forge key private data, so that an attacker cannot read the private data or reads only forged private data.

Priority Applications (1) / Applications Claiming Priority (1)

Application Number: CN201910664335.6A
Priority Date: 2019-07-23
Filing Date: 2019-07-23
Title: Cross-terminal and cross-version Root attack detection and protection system based on kernel

Publications (2)

Publication Number Publication Date
CN110516444A CN110516444A (en) 2019-11-29
CN110516444B true CN110516444B (en) 2023-04-07

Family

ID=68623861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910664335.6A Active CN110516444B (en) 2019-07-23 2019-07-23 Cross-terminal and cross-version Root attack detection and protection system based on kernel

Country Status (1)

Country Link
CN (1) CN110516444B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797067B (en) * 2020-09-10 2020-12-08 北京志翔科技股份有限公司 Method and device for acquiring file path for file read-write operation

Citations (1)

Publication number Priority date Publication date Assignee Title
US9825989B1 (en) * 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
CN101877039A (en) * 2009-11-23 2010-11-03 浪潮电子信息产业股份有限公司 A Fault Detection Technology for Server Operating System
CN102222194A (en) * 2011-07-14 2011-10-19 哈尔滨工业大学 Module and method for LINUX host computing environment safety protection
CN103561004B (en) * 2013-10-22 2016-10-12 西安交通大学 Cooperating type Active Defending System Against based on honey net
CN103973700A (en) * 2014-05-21 2014-08-06 成都达信通通讯设备有限公司 Mobile terminal preset networking address firewall isolation application system
CN107016283B (en) * 2017-02-15 2019-09-10 中国科学院信息工程研究所 Android privilege-escalation attack safety defense method and device based on integrity verification
CN106921666B (en) * 2017-03-06 2020-10-02 中山大学 A DDoS attack defense system and method based on synergy theory
CN107204982B (en) * 2017-06-13 2019-02-05 成都四方伟业软件股份有限公司 Interactive data system universal safety guard system
CN108347430B (en) * 2018-01-05 2021-01-12 国网山东省电力公司济宁供电公司 Network intrusion detection and vulnerability scanning method and device based on deep learning
CN108197468A (en) * 2018-01-25 2018-06-22 郑州云海信息技术有限公司 A kind of Intranet attack intelligent protection system of mobile memory medium

Also Published As

Publication number Publication date
CN110516444A (en) 2019-11-29

Similar Documents

Publication Publication Date Title
US10417424B2 (en) Method of remediating operations performed by a program and system thereof
CN111931166B (en) Application anti-attack method and system based on code injection and behavior analysis
US20230185917A1 (en) Method of remediating operations performed by a program and system thereof
CN103198255B (en) Method and system for monitoring and intercepting sensitive behaviour of Android software
CN104766011B (en) The sandbox detection alarm method and system of Intrusion Detection based on host feature
CN103391216B (en) A kind of illegal external connection is reported to the police and blocking-up method
EP3362937B1 (en) Method of remediating a program and system thereof by undoing operations
CN104102878B (en) Malicious code analysis method and system under Linux platform
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
CN104881601A (en) Floating window display setting, control method and device
CN103780450B (en) The detection method and system of browser access network address
CN111683084B (en) A smart contract intrusion detection method, device, terminal device and storage medium
CN108920253B (en) An agentless virtual machine monitoring system and monitoring method
CN109597675B (en) Virtual machine malware behavior detection method and system
CN110737888B (en) Method for detecting attack behavior of kernel data of operating system of virtualization platform
CN116340943A (en) Application program protection method, device, equipment, storage medium and program product
CN105550573B (en) The method and apparatus for intercepting bundled software
CN117978474A (en) Abnormal traffic processing method, device, computer equipment and storage medium based on honeynet
CN110516444B (en) Cross-terminal and cross-version Root attack detection and protection system based on kernel
KR101308866B1 (en) Open type system for analyzing and managing malicious code
CN104426836A (en) Invasion detection method and device
CN114707144A (en) Virtual machine escape behavior detection method and device
CN113504971A (en) Container-based security interception method and system
CN110414220A (en) Method and device for extracting operation files in dynamic execution process of program in sandbox
CN116975846A (en) Text information extraction method, device, computer equipment and storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant