CN102438023A - Method and device for detecting malicious remote procedure call (RPC) behaviors - Google Patents


Info

Publication number
CN102438023A
Authority
CN
China
Prior art keywords
rpc
uuid
behavior
control strategy
client computer
Legal status
Granted
Application number
CN2011104496888A
Other languages
Chinese (zh)
Other versions
CN102438023B (en
Inventor
蒋武
周莹莹
Current Assignee
Chengdu Huawei Technology Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201110449688.8A
Publication of CN102438023A
Application granted
Publication of CN102438023B
Current legal status: Active
Anticipated expiration

Abstract

The invention discloses a method and a device for detecting malicious remote procedure call (RPC) behavior, addressing the poor detection effectiveness and high false-negative rate of the prior art. The method comprises: when a client queries the server for the high-numbered port corresponding to an RPC service, recording the universally unique identifiers (UUIDs) of all RPC services the client requests; during the RPC process, parsing the data packets transmitted in the session connection between client and server to obtain all UUIDs associated with the RPC process; and judging whether each obtained UUID complies with a control policy preset in a policy library, thereby detecting whether the client has performed malicious RPC behavior. The invention improves the effectiveness with which a protection device detects malicious RPC behavior and strengthens the security of the protected RPC server.

Description

Method and device for detecting malicious remote procedure call behavior
Technical field
The present invention relates to the field of computer networks, and in particular to a method for detecting malicious remote procedure call (RPC) behavior and a device for detecting malicious RPC behavior.
Background technology
The RPC protocol provides an inter-process communication mechanism through which a program running on one computer can request a service from a program on another computer in the network. RPC uses a client/server model: the program requesting the service acts as the client and the program providing the service acts as the server.
To distinguish the multiple RPC-based services (hereinafter RPC services) provided by the same computer, the prior art identifies each RPC service on a server uniquely by a UUID. When an RPC service on the server starts, it requests a high-numbered port (a port number in the range 1024 to 65535) and registers that port under the service's UUID, i.e. a one-to-one mapping between UUID and high port number is stored. When a client requests an RPC service from the server, it must connect to the high port corresponding to that service and request the service over that connection. Specifically, the client first connects to the server through a predetermined query port, such as port 135, and queries the server for the high port number corresponding to the RPC service it wishes to request, using that service's UUID; after receiving the high port number returned by the server, it closes the query connection. It then uses the obtained high port number to establish a connection with the server and requests the service.
Because server systems contain design vulnerabilities, a client can perform dangerous operations by requesting the RPC services corresponding to certain UUIDs; for example, when requesting execution of an RPC service, it can send a packet with a malformed format or incorrect parameters to cause a buffer overflow and thereby gain complete control of the server. To address this, the prior art proposes that an intrusion prevention system (IPS) inspect the RPC call process: if the service corresponding to the UUID bound in the RPC call is dangerous, vulnerable or prohibited from being called, or the operation performed is prohibited, the call is blocked.
In the course of implementing the present invention, the inventors found that the prior art has at least the following defect:
When a malicious client binds multiple UUIDs in an RPC process, among which is the UUID of a malicious RPC service, or attempts to perform a prohibited operation, existing IPSs cannot effectively detect the malicious RPC behavior and produce many false negatives, so that the security of the server cannot be guaranteed.
Summary of the invention
Embodiments of the invention provide a method for detecting malicious RPC behavior, to solve the prior art's problems of poor detection effectiveness and many false negatives.
Correspondingly, embodiments of the invention also provide a device for detecting malicious RPC behavior.
The technical solution provided by embodiments of the invention is as follows:
A method for detecting malicious remote procedure call (RPC) behavior comprises:
when a client queries a server for the high-numbered port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client;
during the RPC process, parsing the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried in the session connection;
obtaining all UUIDs related to the RPC process from the recorded UUIDs and the RPC stream;
judging whether each of the obtained UUIDs complies with a preset control policy in a policy library, thereby detecting whether the client has performed malicious RPC behavior.
A device for detecting malicious RPC behavior comprises:
a recording module, for recording, when a client queries a server for the high-numbered port corresponding to an RPC service, the UUIDs of all RPC services requested by the client;
a parsing module, for parsing, during the RPC process, the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried in the session connection;
an acquisition module, for obtaining all UUIDs related to the RPC process from the UUIDs recorded by the recording module and the RPC stream obtained by the parsing module;
a detection module, for judging whether each of the UUIDs obtained by the acquisition module complies with a preset control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
By parsing the packets exchanged during the RPC process, embodiments of the invention obtain all UUIDs bound by the client and check the legitimacy of each against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This prevents a client from evading the protection device's detection by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
Description of drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the main implementation principle of an embodiment of the invention;
Fig. 2 is a schematic diagram of the network deployment structure provided by an embodiment of the invention;
Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of a server providing an RPC service to a client through an RPC stream in an embodiment of the invention;
Fig. 5 is a structural diagram of the device for detecting malicious RPC behavior provided by an embodiment of the invention;
Fig. 6 is another structural diagram of the device for detecting malicious RPC behavior provided by an embodiment of the invention.
Embodiment
The inventors analysed in depth why existing IPSs cannot effectively detect malicious RPC service calls when multiple UUIDs are bound in an RPC process, and found the cause to be the following: since an RPC call must present a UUID and the port number registered for that UUID as parameters in order to connect and obtain service, existing IPSs are designed on the premise that only one UUID is bound in an RPC call process, i.e. in the TCP session connection that carries the RPC content, so that an IPS need only inspect the first UUID carried in it to protect against malicious RPC calls.
A malicious client, however, can evade detection by binding multiple UUIDs in one RPC call: as long as the RPC service corresponding to the first UUID is permitted, the IPS deems the RPC call non-malicious. A malicious client can bind multiple UUIDs in one RPC call in several ways, for example by using the Alter Context option of RPC (the DCE/RPC alter_context PDU, which adds further presentation contexts, i.e. further interface UUIDs, to an already established connection) to call, within one TCP session connection, the RPC services corresponding to several different UUIDs, or by carrying multiple UUIDs in one TCP session connection where the first UUID corresponds to a service the server does not support.
On the basis of this analysis, and to address the evasion of detection by binding multiple UUIDs in an RPC call process, the inventors provide a method for detecting malicious RPC call behavior.
The main implementation principle, specific embodiments and beneficial effects of the technical solution of the embodiments of the invention are elaborated below with reference to the drawings.
As shown in Fig. 1, the main implementation principle of an embodiment of the invention is as follows:
Step 10: when a client queries the server for the high-numbered port corresponding to an RPC service, record the UUIDs of all RPC services requested by that client.
Optionally, because the address or port of the client is normally fixed, a protection device deployed between client and server can obtain the UUIDs of all RPC services requested by each client by monitoring the traffic to the server's predetermined query port, such as port 135. Protection devices include, but are not limited to, IPSs and firewalls.
Step 20: during the RPC process, parse the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried in the session connection.
The payload of each TCP packet in the TCP session connection carries data of upper-layer protocols such as the session layer and application layer; by performing protocol analysis on the payload of each TCP packet in the session connection, the RPC stream carried by the packets exchanged between client and server in that session connection can be obtained.
Because the protection device cannot know in advance which port an RPC service will use, protection devices usually allow packets to all high-numbered ports to pass; to ensure security, the protection device therefore needs to monitor the session connections on all high-numbered ports of the server.
Step 30: obtain all UUIDs related to the RPC process from the recorded UUIDs and the RPC stream.
In the solution provided by this embodiment, the protection device parses the RPC stream to obtain all UUIDs bound in it, rather than, as in the prior art, stopping the parse once the first UUID is found.
Step 40: by querying the policy library, judge whether each obtained UUID related to the RPC process complies with a preset control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Specifically, the policy library and the query requirements can be set according to the security requirements of the network environment in which the protection device, such as an IPS or firewall, is located. For example, for a network environment with higher security requirements, a normal control policy can be configured in the policy library; the normal control policy comprises the UUIDs related to normal RPC processes (a whitelist), and if at least one UUID related to the client's RPC process does not comply with the normal control policy, the client is determined to have performed malicious RPC behavior. For a network environment with lower security requirements, an abnormal control policy can be configured in the policy library; the abnormal control policy comprises the UUIDs related to malicious RPC behavior (a blacklist), and if at least one UUID related to the client's RPC process matches the abnormal control policy, the client is determined to have performed malicious RPC behavior, while as long as no UUID matches the abnormal control policy, the client's behavior is regarded as normal RPC behavior.
Optionally, after detecting that the client has performed malicious RPC behavior, the method further comprises blocking the packets corresponding to the malicious RPC behavior in the TCP session connection, or blocking the TCP session connection itself.
In the method for detecting malicious RPC behavior provided by embodiments of the invention, the payload of the packets in the TCP session connection is parsed to obtain all UUIDs bound by the client in the RPC process, and the legitimacy of each is checked against the policies in the policy library, thereby detecting whether the client has performed malicious RPC behavior. This eliminates the possibility of a client evading the protection device's detection by binding multiple UUIDs, improves the effectiveness of the protection device in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
An embodiment is described in detail below to further elaborate and explain the main implementation principle of the method according to the inventive principle above.
Fig. 2 is a schematic diagram of the network deployment structure provided by an embodiment of the invention. The protection device is deployed between client and server, and packets exchanged between client and server must pass the protection device's inspection before being delivered to the other side. Fig. 2 gives examples of several packet forwarding processes in chronological order. Protection devices include, but are not limited to, IPSs and firewalls. There may of course be multiple clients and servers; for brevity, Fig. 2 and Fig. 3 are described using one client and one server as an example.
Fig. 3 is a detailed flowchart of the method for detecting malicious RPC behavior provided by an embodiment of the invention.
Step 301: the protection device obtains the interface query request of client ClientA by monitoring the traffic to the server's predetermined query port (such as port 135).
Optionally, when the client queries the server for the high port number corresponding to the UUID of an RPC service, the Packet Flags field in the interface query request it sends is set to 0x03 (in the DCE/RPC connection-oriented header this is PFC_FIRST_FRAG | PFC_LAST_FRAG, i.e. the PDU is complete in a single fragment). The protection device can identify the query request by feature fields including the Packet Flags field.
If the Packet Flags field is not 0x03, the packet payload carries fragment data (sometimes the UUIDs queried are so numerous that they cannot be carried in a single packet); the protection device then splices and reassembles the fragments sent by the client to reconstruct the complete query request.
Step 302: the protection device performs protocol analysis on ClientA's interface query request, obtains the UUIDs of all RPC services requested by this client, and records them.
Optionally, the protection device can store the UUIDs requested by the client in a record table, a singly linked list, a tree or another form. Storage as a record table is shown in Table 1.
Table 1
[Table 1: record table of the UUIDs requested by ClientA; image not reproduced in this text]
Optionally, because the server does not support the RPC services corresponding to all the UUIDs a client requests, and cannot provide a service it does not support even if the client requests it, step 303 can be performed to delete entries from Table 1 in order to reduce the protection device's subsequent traffic-monitoring burden.
Step 303: the protection device performs protocol analysis on the interface query response returned by the server, obtains whether the server supports each UUID requested by the client, and deletes from the record the UUIDs of RPC services the server does not support.
If the server supports the service corresponding to a UUID carried in the client's query request, it returns the corresponding high port number in the query response; otherwise it returns a rejection, such as Provider rejection (0x02) (in DCE/RPC, provider_rejection with value 2 is one of the per-context results the server returns in its bind_ack). If the protection device can obtain the high port number corresponding to a UUID from the query response, the server supports the RPC service identified by that UUID; otherwise it does not.
In this embodiment the server does not support the RPC services corresponding to UUID121 and UUID80; Table 2 shows the result after deleting them from Table 1.
Table 2
[Table 2: Table 1 after removal of the UUIDs the server does not support; image not reproduced in this text]
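The Alter Context evasion described in the analysis above, the Packet Flags check of step 301 and the provider-rejection handling of step 303 all concern the DCE/RPC connection-oriented PDU format. The following Python is an added example, not the patent's code: it parses the bind, alter_context, bind_ack/alter_context_resp and request PDUs of one TCP connection and returns every interface UUID the server actually accepted together with the (interface, opnum) pairs the client invoked, rather than stopping at the first UUID of the first bind as the prior art described in the text does. The PDU layouts, the transfer-syntax UUID and the two interface UUIDs are the real C706/MS-RPCE values; the traffic itself is constructed inside the block, and the parser assumes no security trailer (auth_length of zero).

```python
"""Added example, not the patent's code: extract every interface UUID a client binds on a
DCE/RPC connection (C706 / MS-RPCE connection-oriented PDUs) instead of stopping at the
first.  Parses client bind/alter_context, server bind_ack/alter_context_resp (per-context
result, 2 = provider_rejection) and request PDUs.  Assumes auth_length == 0 (no trailer)."""
import struct
import uuid

PT_REQUEST, PT_BIND, PT_BIND_ACK, PT_ALTER_CONTEXT, PT_ALTER_CONTEXT_RESP = 0, 11, 12, 14, 15
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02      # both set (0x03): the PDU is a single fragment
ACCEPTANCE, PROVIDER_REJECTION = 0, 2
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax
# Two well-known interface UUIDs, used only as sample identifiers in the constructed traffic
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
# 16-byte common header: vers, vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
HDR = struct.Struct("<BBBB4sHHI")


def split_pdus(stream):
    """Yield (ptype, pfc_flags, call_id, body) for each PDU in one direction of a TCP stream."""
    off = 0
    while off + HDR.size <= len(stream):
        vers, _minor, ptype, flags, _drep, frag_len, _auth_len, call_id = HDR.unpack_from(stream, off)
        if vers != 5 or frag_len < HDR.size or off + frag_len > len(stream):
            raise ValueError("malformed DCE/RPC header at offset %d" % off)
        yield ptype, flags, call_id, stream[off + HDR.size:off + frag_len]
        off += frag_len

def parse_contexts(body):
    """p_cont_list of a bind/alter_context body -> [(ctx_id, interface UUID, 'major.minor')]."""
    n_ctx, off, out = body[8], 12, []
    for _ in range(n_ctx):
        ctx_id, n_xfer = struct.unpack_from("<HBx", body, off)
        iface = uuid.UUID(bytes_le=body[off + 4:off + 20])
        major, minor = struct.unpack_from("<HH", body, off + 20)
        out.append((ctx_id, iface, "%d.%d" % (major, minor)))
        off += 24 + 20 * n_xfer                  # each transfer syntax: uuid(16) + version(4)
    return out

def parse_results(body):
    """bind_ack / alter_context_resp -> [result, ...], one per context element, same order."""
    addr_len = struct.unpack_from("<H", body, 8)[0]
    off = 10 + addr_len
    off += (-off) % 4                            # p_result_list starts 4-byte aligned
    n_results, off = body[off], off + 4
    return [struct.unpack_from("<H", body, off + 24 * i)[0] for i in range(n_results)]

def bound_interfaces(c2s, s2c):
    """Return (accepted {ctx_id: UUID}, calls [(UUID, opnum)]) for one connection.  Every bind
    and alter_context contributes; contexts the server rejected are dropped (step 303)."""
    answers = {cid: body for pt, _f, cid, body in split_pdus(s2c)
               if pt in (PT_BIND_ACK, PT_ALTER_CONTEXT_RESP)}
    accepted, calls = {}, []
    for ptype, flags, cid, body in split_pdus(c2s):
        if ptype in (PT_BIND, PT_ALTER_CONTEXT) and cid in answers:
            for (ctx_id, iface, _ver), result in zip(parse_contexts(body), parse_results(answers[cid])):
                if result == ACCEPTANCE:
                    accepted[ctx_id] = iface
        elif ptype == PT_REQUEST and flags & PFC_FIRST_FRAG:
            # every request fragment repeats alloc_hint/ctx_id/opnum; count the call once
            _hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
            calls.append((accepted.get(ctx_id), opnum))
    return accepted, calls

def first_uuid_only(c2s):
    """The prior-art behaviour the text describes: read the first UUID of the first bind and stop."""
    for ptype, _f, _cid, body in split_pdus(c2s):
        if ptype == PT_BIND:
            return parse_contexts(body)[0][1]
    return None

# ---- constructed sample traffic (built here, not captured) ----
def pdu(ptype, call_id, body, flags=PFC_FIRST_FRAG | PFC_LAST_FRAG):
    return HDR.pack(5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body

def bind_body(contexts):
    out = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    for ctx_id, iface, major, minor in contexts:
        out += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", major, minor)
        out += NDR32.bytes_le + struct.pack("<I", 2)
    return out

def ack_body(results, port=b"135\x00"):
    out = struct.pack("<HHIH", 4280, 4280, 0x1234, len(port)) + port
    out += b"\x00" * ((-len(out)) % 4) + struct.pack("<BBH", len(results), 0, 0)
    for r in results:
        out += struct.pack("<HH", r, 0) + NDR32.bytes_le + struct.pack("<I", 2)
    return out

def demo_streams():
    """Client binds ctx 0 (SRVSVC) and ctx 1 (SAMR); the server rejects ctx 1; alter_context
    then adds ctx 2 (SAMR) and is accepted; a request on ctx 2 arrives as two fragments."""
    stub = b"\x00" * 48
    c2s = pdu(PT_BIND, 1, bind_body([(0, SRVSVC, 3, 0), (1, SAMR, 1, 0)]))
    c2s += pdu(PT_ALTER_CONTEXT, 2, bind_body([(2, SAMR, 1, 0)]))
    c2s += pdu(PT_REQUEST, 3, struct.pack("<IHH", len(stub), 2, 5) + stub[:24], PFC_FIRST_FRAG)
    c2s += pdu(PT_REQUEST, 3, struct.pack("<IHH", len(stub), 2, 5) + stub[24:], PFC_LAST_FRAG)
    s2c = pdu(PT_BIND_ACK, 1, ack_body([ACCEPTANCE, PROVIDER_REJECTION]))
    s2c += pdu(PT_ALTER_CONTEXT_RESP, 2, ack_body([ACCEPTANCE]))
    return c2s, s2c
```

On the constructed streams, first_uuid_only reports only SRVSVC, while bound_interfaces reports the accepted contexts {0: SRVSVC, 2: SAMR} and a call on SAMR opnum 5; the rejected context 1 is dropped exactly as step 303 deletes unsupported UUIDs. The interface UUIDs live in the bind/alter_context context list and the context id and opnum in the request header, both of which stay in cleartext even when RPC packet privacy encrypts the stub data, so this extraction does not depend on the stub being readable.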
Step 304: the client establishes a TCP session connection with the server using the high port number corresponding to the UUID it queried. The RPC stream is carried over the TCP session connection between server and client, parameters and data are exchanged, and the RPC service is thereby provided.
The process by which the server provides the RPC service to the client through the RPC stream is as follows (Fig. 4):
Step 401: the client sends "sequence number of the UUID + operator" to the server, where the sequence number denotes the order in which the client sent that UUID during the interface query stage;
Operators include, but are not limited to: the operator "w" for a write operation, "r" for a read operation, "q" for a query operation, and so on.
Step 402: the server performs the corresponding processing according to "sequence number + operator";
Step 403: when the processing corresponding to "sequence number + operator" requires information to be returned to the client, the server returns the processing result to the client;
For example, when the operator is "r" for a read operation, the server needs to return the data read to the client; when the operator is "w" for a write operation, the server needs to return the success or failure of the write to the client.
Steps 401 to 403 can be repeated many times, and the sequence number and operator sent by the client can differ each time.
Step 305: the protection device parses the data packets transmitted in the TCP session connection that passes through it between client and server, and obtains the RPC stream.
The protection device performs IP fragment reassembly on the packets sent by the client that pass through it, and then performs session content reassembly on that basis. It then performs protocol analysis on the session content and obtains the RPC stream from it.
The protection device obtains all UUIDs related to the client's RPC process through steps 306 to 308.
Step 306: the protection device parses the sequence number of each RPC service carried in the RPC stream.
Optionally, the protection device can also parse from the RPC stream the operator corresponding to each sequence number.
For example, the protection device obtains S1, S2+"r" and S3+"w" from the RPC stream between ClientA and the server.
Step 307: the protection device obtains the sequence number corresponding to each recorded UUID according to the order in which the UUIDs were recorded, and stores the correspondence between UUIDs and sequence numbers, as shown in Table 3.
Table 3
[Table 3: correspondence between UUIDs and sequence numbers; image not reproduced in this text]
Step 308: for each parsed sequence number, the protection device looks up the corresponding UUID in the stored correspondence, thereby obtaining all UUIDs related to the RPC process.
Optionally, the lookup can also yield the combinations of UUID and operator related to the RPC process.
For example, the lookup yields the following UUIDs related to the RPC process and their combinations with operators: UUID2, UUID75+"r", UUID105+"w".
Step 309: the protection device queries the policy library and judges whether each UUID related to this RPC process complies with the preset control policy, thereby detecting whether the client has performed malicious RPC behavior; if so, proceed to step 310, otherwise to step 311.
Optionally, it also judges whether each UUID-and-operator combination related to this RPC process complies with the preset control policy.
Specific detection modes include, but are not limited to, the following two:
Mode one: if the policy library contains a normal control policy, which comprises the UUIDs related to normal RPC behavior, then if the protection device judges that at least one UUID related to this RPC behavior does not comply with the normal control policy, it determines that the client has performed malicious RPC behavior.
A normal policy library is shown in Table 4.
Table 4
[Table 4: normal (whitelist) policy library with policies 1 to 3; image not reproduced in this text]
By querying it, the protection device finds that among the UUIDs and UUID-and-operator combinations related to ClientA's RPC behavior, UUID2 complies with policy 1 and UUID75+"r" complies with policy 2, but UUID105+"w" does not comply with policy 3, because policy 3 stipulates that only read operations are allowed on the RPC service identified by UUID105, whereas ClientA attempts a write operation on it. Because policy 3 is not complied with, the protection device determines that ClientA has performed malicious RPC behavior.
Mode two:
If the policy library contains an abnormal control policy, which comprises the UUIDs related to malicious RPC behavior, then if the protection device judges that at least one UUID related to this RPC process matches the abnormal control policy, it determines that the client has performed malicious RPC behavior.
An abnormal policy library is shown in Table 5.
Table 5
[Table 5: abnormal (blacklist) policy library with policies 4 to 6; image not reproduced in this text]
By querying it, the protection device finds that among the UUIDs and UUID-and-operator combinations related to ClientA's RPC behavior, UUID2 matches policy 4 and UUID75+"r" matches policy 5, but UUID105+"w" does not match policy 6, because policy 6 only prohibits read operations on the RPC service identified by UUID105, whereas the write operation ClientA attempts on it is permitted. Because policies 4 and 5 are matched, the protection device determines that ClientA has performed malicious RPC behavior.
Note that the specific detection modes are not limited to the two above and can be configured flexibly. For example, the normal control policy can be applied to UUIDs in a first preset range, e.g. UUIDs in the range 0 to 100 and the UUID-and-operator combinations in that range, while the abnormal control policy is applied to UUIDs in a second preset range, e.g. UUIDs in the range 101 to 200 and the UUID-and-operator combinations in that range.
Step 310: after detecting that the client has performed malicious RPC behavior, the protection device blocks the packets corresponding to the malicious RPC behavior.
Specifically, the protection device blocks the packets corresponding to the malicious RPC behavior; for instance, when the protection device detects using mode one in step 309, it blocks the packets in which ClientA attempts the write operation on the RPC service identified by UUID105. The protection device can of course also apply other control measures to the client according to a preconfigured blocking strategy, for example blocking all packets in the client's TCP session connection as soon as malicious RPC behavior is detected, or adding the client's identifier, such as its user name or address, to a blacklist store.
Step 311: if the protection device detects that the client has not performed malicious RPC behavior, it allows the RPC stream to pass and the server provides the remote RPC service to the client.
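Steps 302 to 311 above are the record, resolve, judge and enforce stages of the method. The following Python is an added example, not the patent's code, that runs those stages over constructed data in the page's own abstracted model: UUIDs are the page's labels (UUID2 becomes 2), the RPC stream is the list of (sequence number, operator) items of step 306, and the Table 4 and Table 5 policy libraries, whose images are not in this text, are reconstructed from the mode one and mode two walkthroughs. It also implements the range-mixed configuration of the last paragraph of step 309 and the packet-versus-session blocking choice of step 310.

```python
"""Added example, not the patent's code: the record / resolve / judge / enforce pipeline of
steps 302-311 over constructed data.  UUIDs use the page's abbreviated labels (UUID2 -> 2),
operators are the page's 'r', 'w', 'q', and the RPC stream is modelled as the page does:
a list of (sequence number, operator) items, the sequence number being the position of the
UUID in the client's port-135 interface query."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Call = Tuple[Optional[int], Optional[str]]   # (UUID label, or None if unresolved; operator or None)


@dataclass
class ClientRecord:
    """Tables 1/2: what the protection device keeps per client from the interface query stage."""
    requested: List[int]                               # UUIDs in the order the client asked
    supported: Set[int] = field(default_factory=set)   # UUIDs the server answered with a port

    def seq_to_uuid(self) -> Dict[int, int]:
        """Table 3: sequence number -> UUID.  Unsupported UUIDs are dropped (step 303) but the
        numbering is the original query order, so later sequence numbers still resolve."""
        return {i + 1: u for i, u in enumerate(self.requested) if u in self.supported}


def resolve_calls(record: ClientRecord, rpc_stream: List[Tuple[int, Optional[str]]]) -> List[Call]:
    """Steps 306-308: (sequence number, operator) items parsed from the RPC stream become
    (UUID, operator) combinations.  A sequence number with no recorded, supported UUID
    resolves to None so the policy stage sees it instead of silently skipping it."""
    table = record.seq_to_uuid()
    return [(table.get(seq), op) for seq, op in rpc_stream]


@dataclass
class Policy:
    """One row of Table 4/5: a UUID and, optionally, the operators the row is about."""
    uuid: int
    ops: Optional[Set[str]] = None   # None: the row covers every operator

    def matches(self, call: Call) -> bool:
        u, op = call
        return u == self.uuid and (self.ops is None or op in self.ops)


@dataclass
class PolicySet:
    """'normal' = whitelist (mode one), 'abnormal' = blacklist (mode two); uuid_range lets the
    two modes be mixed per UUID range as the last paragraph of step 309 describes."""
    mode: str
    policies: List[Policy]
    uuid_range: Tuple[int, int] = (0, 2 ** 128 - 1)

    def judges(self, u: int) -> bool:
        return self.uuid_range[0] <= u <= self.uuid_range[1]

    def violates(self, call: Call) -> bool:
        hit = any(p.matches(call) for p in self.policies)
        return not hit if self.mode == "normal" else hit


def detect(policy_sets: List[PolicySet], calls: List[Call]) -> List[Call]:
    """Step 309: return the (UUID, operator) combinations judged malicious.  Unresolved calls
    and UUIDs that no policy set covers are reported too (a fail-closed choice made in this
    example; the text does not address those cases)."""
    bad = []
    for call in calls:
        u = call[0]
        sets = [] if u is None else [s for s in policy_sets if s.judges(u)]
        if u is None or not sets or any(s.violates(call) for s in sets):
            bad.append(call)
    return bad


def enforce(client: str, bad: List[Call], block_session: bool = False) -> dict:
    """Steps 310/311: by default block only the packets carrying the offending calls; with
    block_session block the whole TCP session and put the client on the blacklist."""
    if not bad:
        return {"client": client, "action": "allow"}
    if block_session:
        return {"client": client, "action": "block_session", "blacklist": True, "calls": bad}
    return {"client": client, "action": "block_packets", "calls": bad}


# Policy libraries reconstructed from the page's walkthroughs (the Table 4/5 images are not in the text)
MODE_ONE = [PolicySet("normal", [Policy(2), Policy(75, {"r"}), Policy(105, {"r"})])]
MODE_TWO = [PolicySet("abnormal", [Policy(2), Policy(75, {"r"}), Policy(105, {"r"})])]
MIXED = [PolicySet("normal", [Policy(2), Policy(75, {"r"})], (0, 100)),
         PolicySet("abnormal", [Policy(105, {"r"})], (101, 200))]

if __name__ == "__main__":
    # Constructed: ClientA queried five UUIDs, the server rejected UUID121 and UUID80,
    # then the client sent S1, S2+'r', S3+'w' over the high-port session (step 306).
    client_a = ClientRecord(requested=[2, 75, 105, 121, 80], supported={2, 75, 105})
    calls = resolve_calls(client_a, [(1, None), (2, "r"), (3, "w")])
    print("resolved:", calls)
    for name, lib in ("mode one", MODE_ONE), ("mode two", MODE_TWO), ("mixed", MIXED):
        print(name, "->", enforce("ClientA", detect(lib, calls)))
```

With the page's data, mode one flags only UUID105+"w" (write where only read is allowed), mode two flags UUID2 and UUID75+"r" (the blacklist rows they match), and the mixed configuration flags nothing, since the whitelist covers 0 to 100 and the blacklist row for UUID105 only concerns reads. A request whose sequence number never appeared in the query stage resolves to None and is reported; that fail-closed handling is a choice made in this example, not something the text specifies.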
In the method for detecting malicious RPC behavior provided by embodiments of the invention, a protection device arranged between client and server parses the packets in the TCP session connection passing through it, obtains the RPC stream of the RPC process between client and server, and from it obtains all UUIDs bound by the client in the RPC process; it checks the legitimacy of each against the policies in the policy library, and only when all UUIDs comply with the normal control policy, or no UUID matches the abnormal control policy, does it confirm that the client's RPC behavior is normal; otherwise it confirms that the client has performed malicious RPC behavior. This eliminates the possibility of a client evading IPS detection by binding multiple UUIDs, improves the effectiveness of the IPS in detecting malicious RPC behavior, and thus strengthens the security of the protected RPC server.
Correspondingly, embodiments of the invention also provide a device for detecting malicious RPC behavior, which can be integrated into a protection device such as an IPS or firewall. As shown in Fig. 5, the device comprises a recording module 501, a parsing module 502, an acquisition module 503 and a detection module 504, as follows:
the recording module 501 records, when a client queries a server for the high-numbered port corresponding to an RPC service, the UUIDs of all RPC services requested by that client;
the parsing module 502 parses, during the RPC process, the data packets transmitted in the session connection between the client and the server to obtain the RPC stream carried in the session connection;
the acquisition module 503 obtains all UUIDs related to the RPC process from the UUIDs recorded by the recording module 501 and the RPC stream obtained by the parsing module 502;
the detection module 504 judges whether each of the UUIDs obtained by the acquisition module 503 complies with a preset control policy in the policy library, thereby detecting whether the client has performed malicious RPC behavior.
Optionally, the detection device further comprises:
a blocking module 505, for blocking the packets corresponding to the malicious RPC behavior after the detection module 504 has determined that the client has performed malicious RPC behavior.
Optionally, as shown in Fig. 6, the detection device further comprises:
a storage module 506, for obtaining the sequence number corresponding to each recorded UUID according to the order in which the recording module 501 recorded the UUIDs, and storing the correspondence between UUIDs and sequence numbers;
Correspondingly, the acquisition module 503 comprises:
a parsing unit 601, for parsing from the RPC stream the sequence number of each RPC service carried in it;
an acquisition unit 602, for looking up, for each parsed sequence number, the corresponding UUID in the correspondence stored by the storage module 506, thereby obtaining all UUIDs related to the RPC process.
Optionally, the detection module 504 comprises:
a screening unit 603, for screening all UUIDs related to the RPC behavior obtained by the acquisition module 503 and removing the UUIDs of RPC services the server does not support;
a detection unit 604, for judging, by querying the policy library, whether each UUID retained by the screening unit 603 complies with the preset control policy.
Optionally, the parsing unit 601 in Fig. 6 is also used to parse from the RPC stream the combination of sequence number and operator of each RPC service carried in it;
the acquisition unit 602 is also used to look up, for each combination of sequence number and operator parsed by the parsing unit 601, the corresponding UUID in the correspondence according to the sequence number, thereby obtaining all UUID-and-operator combinations related to the RPC process.
Correspondingly, the screening unit 603 is also used to screen the UUID-and-operator combinations obtained by the acquisition unit and remove the combinations whose RPC service the server does not support;
the detection unit 604 is also used to judge, by querying the policy library, whether each UUID-and-operator combination retained by the screening unit 603 complies with the preset control policy.
A person of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
Obviously, a person skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is intended to include them as well.

Claims (13)

1. A detection method for malicious remote procedure call (RPC) behavior, characterized in that it comprises:
when a client queries a server for the high-order port corresponding to an RPC service, recording the UUIDs of all RPC services requested by the client;
during the RPC process, parsing the data packets transmitted over the session connection between the client and the server to obtain the RPC stream carried in the session connection;
obtaining, from the recorded UUIDs and the RPC stream, all UUIDs related to the RPC process;
judging whether each of the obtained UUIDs meets a preset control policy in a policy library, and thereby detecting whether the client has performed malicious RPC behavior.
2. The method of claim 1, characterized in that, before obtaining the RPC stream carried by the data packets, it further comprises:
assigning a serial number to each recorded UUID according to the order in which the UUIDs were recorded, and saving the correspondence between UUIDs and serial numbers;
and obtaining all UUIDs related to the RPC process from the recorded UUIDs and the RPC stream comprises:
parsing, from the RPC stream, the serial number carried by each RPC service;
for each parsed serial number, looking up the corresponding UUID in the saved correspondence, thereby obtaining all UUIDs related to the RPC process.
3. The method of claim 1, characterized in that judging whether each of the obtained UUIDs meets a preset control policy in the policy library comprises:
screening all obtained UUIDs related to the RPC process, removing those UUIDs that belong to RPC services the server does not support;
querying the policy library and judging whether each UUID retained by the screening meets the preset control policy.
4. The method of any one of claims 1 to 3, characterized in that the policy library comprises a normal control policy or an abnormal control policy, the normal control policy comprising UUIDs related to normal RPC behavior and the abnormal control policy comprising UUIDs related to malicious RPC behavior;
and judging whether each UUID meets the preset control policy in the policy library, and thereby detecting whether the client has performed malicious RPC behavior, comprises:
judging whether each UUID meets the normal control policy in the policy library, and if it does not meet the normal control policy, determining that the client has performed malicious RPC behavior; and/or
judging whether each UUID meets the abnormal control policy in the policy library, and if it meets the abnormal control policy, determining that the client has performed malicious RPC behavior.
5. The method of claim 2, characterized in that, after obtaining all UUIDs related to the RPC behavior from the recorded UUIDs and the RPC stream, it further comprises:
parsing, from the RPC stream, the combination of serial number and operator carried by each RPC service;
for each such combination, looking up the corresponding UUID in the saved correspondence according to its serial number, thereby obtaining all combinations of UUID and operator related to the RPC process.
6. The method of claim 5, characterized in that querying the policy library and confirming whether each UUID meets the preset control policy comprises:
screening each obtained UUID and each combination of UUID and operator, removing the UUIDs and the combinations of UUID and operator that belong to RPC services the server does not support;
querying the policy library and judging whether each UUID and each combination of UUID and operator retained by the screening meet the preset control policy.
7. The method of any one of claims 1, 2, 3, 5 or 6, characterized in that, after detecting that the client has performed malicious RPC behavior, it further comprises:
blocking the data packets corresponding to the malicious RPC behavior.
8. A detection device for malicious RPC behavior, characterized in that it comprises:
a logging module, used to record the UUIDs of all RPC services requested by a client when the client queries a server for the high-order port corresponding to an RPC service;
a parsing module, used, during the RPC process, to parse the data packets transmitted over the session connection between the client and the server and obtain the RPC stream carried in the session connection;
an acquisition module, used to obtain all UUIDs related to the RPC process from the UUIDs recorded by the logging module and the RPC stream obtained by the parsing module;
a detection module, used to judge whether each of the UUIDs obtained by the acquisition module meets a preset control policy in a policy library, and thereby detect whether the client has performed malicious RPC behavior.
9. The device of claim 8, characterized in that it further comprises:
a memory module, used to assign a serial number to each recorded UUID according to the order in which the logging module recorded the UUIDs, and to save the correspondence between UUIDs and serial numbers;
and the acquisition module comprises:
a resolution unit, used to parse, from the RPC stream, the serial number carried by each RPC service;
an acquisition unit, used, for each parsed serial number, to look up the corresponding UUID in the correspondence saved by the memory module, thereby obtaining all UUIDs related to the RPC process.
10. The device of claim 8 or 9, characterized in that the detection module comprises:
a screening unit, used to screen all UUIDs related to the RPC process obtained by the acquisition module, removing those UUIDs that belong to RPC services the server does not support;
a detecting unit, used to query the policy library and judge whether each UUID retained by the screening unit meets the preset control policy.
11. The device of claim 9, characterized in that:
the resolution unit is also used to parse, from the RPC stream, the combination of serial number and operator carried by each RPC service;
the acquisition unit is also used, for each combination of serial number and operator parsed by the resolution unit, to look up the corresponding UUID in the saved correspondence according to the serial number, thereby obtaining all combinations of UUID and operator related to the RPC process.
12. The device of claim 11, characterized in that:
the screening unit is also used to screen each combination of UUID and operator obtained by the acquisition module, removing the combinations that belong to RPC services the server does not support;
the detecting unit is also used to query the policy library and judge whether each combination of UUID and operator retained by the screening unit meets the preset control policy.
13. The device of any one of claims 8 to 12, characterized in that it further comprises:
a blocking module, used to block the data packets corresponding to the malicious RPC behavior after the detection module confirms that the client has performed malicious RPC behavior.
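The procedure of claims 1 to 7 as an added worked example, not code from the patent: a per-session table maps the serial numbers assigned at recording time to the requested UUIDs, each call in the RPC stream is resolved through that table to a UUID/operator combination, combinations for services the server does not support are screened out, and the rest are checked against a normal (allow) and an abnormal (deny) policy. The service identifiers, operator numbers and policies are constructed placeholders, and the session object and function names are this example's own.

```python
from dataclasses import dataclass, field
# Added example (not the patent's code); service identifiers are constructed placeholders.


@dataclass
class RpcSession:
    """Per-session state for one client/server session connection."""
    supported: set                                   # UUIDs the protected server exposes
    serial_to_uuid: dict = field(default_factory=dict)

    def record_bind(self, requested_uuids):
        # Claims 1 and 2: record every requested UUID and number it in recording order.
        for serial, uuid in enumerate(requested_uuids):
            self.serial_to_uuid[serial] = uuid

    def resolve(self, calls):
        # Claims 2 and 5: each call in the RPC stream carries (serial number, operator);
        # the serial number is looked up to recover the UUID it refers to.
        combos = []
        for serial, opnum in calls:
            uuid = self.serial_to_uuid.get(serial)
            if uuid is not None:                     # unknown serial: nothing to look up
                combos.append((uuid, opnum))
        return combos

    def screen(self, combos):
        # Claims 3 and 6: drop combinations for services the server does not support.
        return [c for c in combos if c[0] in self.supported]


def _matches(policy, uuid, opnum):
    # A policy entry is either a bare UUID or a (UUID, operator) combination.
    return uuid in policy or (uuid, opnum) in policy


def detect(combos, normal_policy=None, abnormal_policy=None):
    """Claim 4: return combos that violate the normal policy and/or match the abnormal one."""
    hits = []
    for uuid, opnum in combos:
        if normal_policy is not None and not _matches(normal_policy, uuid, opnum):
            hits.append((uuid, opnum))
        elif abnormal_policy is not None and _matches(abnormal_policy, uuid, opnum):
            hits.append((uuid, opnum))
    return hits                                      # empty list: no malicious behavior


def analyze_session(supported, requested, calls, normal_policy=None, abnormal_policy=None):
    """Full claimed pipeline for one session; a non-empty result is what claim 7 would block."""
    session = RpcSession(supported=set(supported))
    session.record_bind(requested)
    return detect(session.screen(session.resolve(calls)), normal_policy, abnormal_policy)
```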
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110449688.8A CN102438023B (en) 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors

Publications (2)

Publication Number Publication Date
CN102438023A true CN102438023A (en) 2012-05-02
CN102438023B CN102438023B (en) 2014-08-20

Family

ID=45985895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110449688.8A Active CN102438023B (en) 2011-12-29 2011-12-29 Method and device for detecting malicious remote procedure call (RPC) behaviors

Country Status (1)

Country Link
CN (1) CN102438023B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036895A (en) * 2012-12-20 2013-04-10 北京奇虎科技有限公司 Method and system for state tracking
CN112738123A (en) * 2021-01-05 2021-04-30 成都安思科技有限公司 Method and device for detecting malicious remote process tracing calling behavior
CN112929365A (en) * 2021-02-05 2021-06-08 深信服科技股份有限公司 Remote command detection method and device and electronic equipment
US11409871B1 (en) * 2019-03-22 2022-08-09 Ca, Inc. Universal tracing of side-channel processes in computing environments

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070033597A1 (en) * 2001-09-29 2007-02-08 Anil Mukundan Method, apparatus, and system for implementing notifications in a framework to suppot web-based applications
US7257818B2 (en) * 2002-08-29 2007-08-14 Sap Aktiengesellschaft Rapid application integration using functional atoms
CN101039324A (en) * 2007-03-12 2007-09-19 华为技术有限公司 Method, system and apparatus for defending network virus
CN101116068A (en) * 2004-10-28 2008-01-30 思科技术公司 Intrusion detection in a data center environment

Also Published As

Publication number Publication date
CN102438023B (en) 2014-08-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611731 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221009

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611731 Hi Tech University of Electronic Science and Technology, No. 88, Tianchen Road, Qingshuihe District, Western Park, Hi Tech Zone, Chengdu, Sichuan

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.