
Linux platform process memory malicious code evidence obtaining method, controller and medium

A malicious code detection technology for process memory, applied in the field of network security, addresses the lack of malicious code detection technology for Linux process memory and achieves complete, independent acquisition of process memory; the method is simple and accurate, and has universality and stability.

Active Publication Date: 2019-06-21
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

[0003] Existing security detection methods for Linux systems include virus scanning detection, general rootkit detection, host intrusion detection, log analysis detection and specific detection, etc., but all of the above methods detect system file features or certain specific content (such as hidden processes or hidden connections); there is no complete set of malicious code detection technology for Linux system process memory.



Examples


Embodiment 1

[0064] Detect malicious code of each process according to all the memory segment data and program file path information corresponding to each process, including:

[0065] Step S301, obtaining a preset code segment in the process memory according to all memory segment data corresponding to each process;

[0066] Step S302, obtaining a program file according to the program file path information;

[0067] Step S303, analyzing the program header structure corresponding to the program file, to obtain a preset code segment corresponding to the program file;

[0068] Specifically, the corresponding program header structure is obtained by analyzing the ELF structure of the program file. The program header describes the layout of the file in memory when the file is run. The program linker (a necessary tool in the code compilation process) links many program sections into a memory segment; each segment has a different purpose and memory permiss...

Embodiment 2

[0071] The malicious code of each process is detected according to all the memory segment data corresponding to each process and the dynamic library file path information contained in the memory-mapped file, including:

[0072] Step S311, obtaining a preset code segment in the process memory according to all memory segment data corresponding to each process;

[0073] Step S312, obtaining the dynamic library file according to the dynamic library file path information contained in the memory mapping file;

[0074] Step S313, analyzing the program header file corresponding to the dynamic library file, to obtain a preset code segment corresponding to the dynamic library file;

[0075] Specifically, the corresponding program header structure is obtained by analyzing the ELF structure of the dynamic library file. As an example, the preset code segment is the .text segment data.

[0076] Step S314: Compare the preset code segment in the process memory with the preset code segment corres...

Embodiment 3

[0078] According to the dynamic library file path information corresponding to the program file corresponding to each process, the malicious code of the process is detected, including:

[0079] Step S321, obtaining the dynamic library file list corresponding to the process according to the dynamic library file path information corresponding to the program file corresponding to each process;

[0080] Step S322, obtaining the dynamic library file information contained in the memory mapping file corresponding to the process;

[0081] Step S323, comparing the dynamic library file information contained in the memory mapping file with the dynamic library file list;

[0082] Step S324: If the memory mapping file contains one or more dynamic library files that are not in the dynamic library file list, this indicates the presence of malicious code; output the dynamic library file path and the corresponding memory segment data.
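The three embodiments reduce to two checks: byte-compare the executable code segment of a process against the matching segment of its ELF file (Embodiments 1 and 2), and compare the shared objects actually mapped into the process against the dependency list declared by the program file (Embodiment 3). The Python below is an added example, not code from the patent; it runs on a constructed /proc/<pid>/maps excerpt and constructed .text bytes, and it assumes the declared dependency list has already been resolved to absolute paths (the patent does not say how that list is produced).

```python
import re
from itertools import groupby
# Constructed /proc/<pid>/maps excerpt (not captured from a real host).
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a01000 r--p 00000000 08:01 1311 /usr/bin/demo
55d0c1a01000-55d0c1a02000 r-xp 00001000 08:01 1311 /usr/bin/demo
7f2a4c000000-7f2a4c022000 r--p 00000000 08:01 2213 /usr/lib/libc.so.6
7f2a4c022000-7f2a4c19a000 r-xp 00022000 08:01 2213 /usr/lib/libc.so.6
7f2a4c300000-7f2a4c301000 r-xp 00000000 08:01 9999 /tmp/.cache/unknown.so
7f2a4c400000-7f2a4c421000 rw-p 00000000 00:00 0 [heap]
"""
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) (\S+) (\S+) (\d+)\s*(.*)$")

def parse_maps(text: str) -> list[dict]:
    """One dict per maps line; pseudo-mappings such as [heap] keep their bracketed name."""
    entries = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            entries.append({"start": int(m[1], 16), "end": int(m[2], 16),
                            "perms": m[3], "offset": int(m[4], 16), "path": m[7]})
    return entries

def code_mappings(entries: list[dict]) -> list[tuple[int, int, str]]:
    """Executable, file-backed ranges: the in-memory code segments the method compares."""
    return [(e["start"], e["end"], e["path"]) for e in entries
            if "x" in e["perms"] and e["path"] and not e["path"].startswith("[")]

def mapped_libraries(entries: list[dict]) -> list[str]:
    """Distinct shared objects (.so in the file name) mapped into the process."""
    seen: list[str] = []
    for e in entries:
        if ".so" in e["path"].rsplit("/", 1)[-1] and e["path"] not in seen:
            seen.append(e["path"])
    return seen

def unexpected_libraries(entries: list[dict], declared: set[str]) -> list[str]:
    """Embodiment 3: libraries mapped into the process but absent from the declared list."""
    return [p for p in mapped_libraries(entries) if p not in declared]

def text_segment_diffs(mem: bytes, disk: bytes) -> list[tuple[int, int]]:
    """Embodiments 1 and 2: (offset, length) runs where in-memory code differs from the file."""
    runs, pos = [], 0
    for differs, group in groupby(a != b for a, b in zip(mem, disk)):
        length = sum(1 for _ in group)
        if differs:
            runs.append((pos, length))
        pos += length
    if len(mem) != len(disk):  # a size mismatch is itself a finding
        runs.append((pos, abs(len(mem) - len(disk))))
    return runs
```

On a live system the maps text comes from /proc/<pid>/maps, the in-memory bytes from /proc/<pid>/mem at each r-xp range, and the file-side bytes from the ELF file at the section's file offset.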


Abstract

The invention relates to a Linux platform process memory malicious code evidence obtaining method, a controller and a medium. The method comprises the steps of: traversing all processes of a Linux system and reading the memory mapping files of all the processes; obtaining, based on the memory mapping file of each process, one or more of all memory segment data corresponding to the process, the program file path information and the dynamic library file path information; and detecting the malicious code of the process according to all the memory segment data and the program file path information corresponding to each process, or all the memory segment data and the dynamic library file path information contained in the memory mapping file, or the dynamic library file path information corresponding to the program file. According to the invention, the process memory mapping file of the Linux operating system is used to determine the memory address layout of the process, so that the complete memory of each process in the system is accurately obtained, malicious code in the memory of the Linux system is effectively discovered, the security of the Linux system is improved, and the memory evidence obtaining method has universality and stability.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a Linux platform process memory malicious code forensics method, controller and medium.

Background technique

[0002] Linux is a widely used computer operating system, deployed in many fields such as important national institutions, banks, operators, and the Internet industry. Hacker groups have long attached importance to the penetration and control of Linux systems, and Linux servers are also an important target of advanced persistent threats (APTs). At present, there are two main bottlenecks in the forensics of malicious code on Linux systems: first, malicious programs use advanced hiding and encoding techniques that make them difficult to find and analyze, and the threat and harm they bring to the entire information system are immeasurable; second, the current attack forensics technology for Linux server s...


Application Information

IPC(8): G06F21/56
Inventor 吕志泉韩志辉张帅严寒冰丁丽李佳朱天饶毓高胜李志辉张腾刘婧何能强陈阳李世淙朱芸茜马莉雅周昊
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT