Linux platform process memory malicious code forensics method, controller and medium

A malicious code and process technology, applied in the field of network security, which solves the problem of a lack of malicious code detection technology and achieves the effect of avoiding complete acquisition and independent acquisition; the method is simple and accurate, and security is improved.

Active Publication Date: 2021-05-25
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

[0003] Existing security detection methods for Linux systems include virus scanning detection, general rootkit detection, host intrusion detection, log analysis detection and specific detection, etc., but the above methods all detect system file features or some specific content (such as hidden processes or hidden connections); a complete set of malicious code detection technology for Linux system process memory is lacking.


Examples


Embodiment 1

[0064] Detect malicious codes of the process based on all memory segment data and program file path information corresponding to each process, including:

[0065] Step S301. Obtain the preset code segment in the process memory according to all the memory segment data corresponding to each process;

[0066] Step S302, acquiring the program file according to the program file path information;

[0067] Step S303, analyzing the program header structure corresponding to the program file, and obtaining the preset code segment corresponding to the program file;

[0068] Specifically, by analyzing the ELF structure of the program file, the corresponding program header structure is obtained. The program header describes the layout of the file in memory when the file is running. The program linker (a necessary tool in the code compilation process) links many program sections into one memory segment, and each segment has a different purpose and memory...

Embodiment 2

[0071] Detect the malicious code of the process according to all the memory segment data corresponding to each process and the dynamic library file path information contained in the memory mapping file, including:

[0072] Step S311, acquiring the preset code segment in the process memory according to all the memory segment data corresponding to each process;

[0073] Step S312, obtaining the dynamic library file according to the dynamic library file path information contained in the memory-mapped file;

[0074] Step S313, analyzing the program header structure corresponding to the dynamic library file, and obtaining the preset code segment corresponding to the dynamic library file;

[0075] Specifically, by analyzing the ELF structure of the dynamic library file, the corresponding program header structure is obtained. As an example, the preset code segment is the .text segment data.

[0076] Step S314 , comparing the preset code segment in the process memory with the preset code segm...

Embodiment 3

[0078] According to the dynamic library file path information corresponding to the program file corresponding to each process, the malicious code of the process is detected, including:

[0079] Step S321, according to the dynamic library file path information corresponding to the program file corresponding to each process, obtain the dynamic library file list corresponding to the process;

[0080] Step S322, obtaining the dynamic library file information contained in the memory-mapped file corresponding to the process;

[0081] Step S323, comparing the dynamic file information contained in the memory-mapped file with the list of dynamic library files;

[0082] Step S324, if the memory-mapped file contains one or more dynamic files not in the dynamic library file list, it means that there is malicious code, and the path of the dynamic library file and the corresponding memory segment data are output.
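The three embodiments above share the same inputs: the memory mapping file (/proc/<pid>/maps), the code bytes of a file as mapped in memory versus as stored on disk, and the list of dynamic libraries the program file declares. The following is an added example, not code from the patent, that carries those steps out on constructed data so it runs offline. The sample maps text, the program path /usr/bin/example, the library /tmp/libunlisted.so, the .text byte strings and the declared library list are all constructed for illustration; in practice the on-disk .text bytes come from the ELF section headers (readelf -S) and the declared libraries from the resolved dependency list (ldd), which the code takes as inputs rather than deriving.

```python
# Added example, not code from the patent. Implements the comparisons of
# Embodiments 1-3 over constructed inputs so it runs offline; the on-disk
# .text bytes and the declared library list would in practice come from the
# ELF file (section headers / resolved DT_NEEDED), here they are supplied inline.
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")


@dataclass
class Mapping:
    start: int   # first virtual address of the mapping
    end: int     # one past the last address
    perms: str   # e.g. "r-xp"
    offset: int  # file offset mapped at `start`
    path: str    # backing file, or "" / "[heap]" for anonymous regions


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a process memory mapping file (/proc/<pid>/maps)."""
    out: List[Mapping] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m[1], 16), int(m[2], 16), m[3],
                               int(m[4], 16), m[7].strip()))
    return out


def read_process_bytes(pid: int, addr: int, size: int) -> bytes:
    """Read live process memory through /proc/<pid>/mem (needs ptrace rights)."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as f:
        f.seek(addr)
        return f.read(size)


def memory_address_of_file_offset(mappings: List[Mapping], path: str,
                                  file_offset: int) -> Optional[int]:
    """Step S301/S311: find where a file offset of `path` (e.g. .text's
    sh_offset) is mapped; the loader maps file offset m.offset at m.start."""
    for m in mappings:
        if m.path == path and m.offset <= file_offset < m.offset + (m.end - m.start):
            return m.start + (file_offset - m.offset)
    return None


def compare_code_segments(mem_text: bytes, file_text: bytes) -> List[Tuple[int, int, int]]:
    """Comparison step of Embodiments 1 and 2 (S314): compare .text read from
    memory with .text from the file on disk; returns (offset, memory byte,
    file byte) for each mismatch. Both cover the same sh_size bytes."""
    if len(mem_text) != len(file_text):
        raise ValueError("code segments must be the same length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(mem_text, file_text)) if a != b]


def mapped_libraries(mappings: List[Mapping]) -> List[str]:
    """Step S322: dynamic library paths recorded in the memory mapping file."""
    libs: List[str] = []
    for m in mappings:
        if m.path.startswith("/") and ".so" in m.path and m.path not in libs:
            libs.append(m.path)
    return libs


def detect_unlisted_libraries(mappings: List[Mapping], declared: List[str]) -> List[str]:
    """Steps S323/S324: libraries present in the mapping file but absent from
    the program file's library list. `declared` must be the fully resolved list
    (transitive dependencies plus the ELF interpreter, as ldd prints it);
    a bare DT_NEEDED list would flag legitimate indirect dependencies."""
    declared_names = {os.path.basename(d) for d in declared}
    return [lib for lib in mapped_libraries(mappings)
            if os.path.basename(lib) not in declared_names]


# --- constructed sample data (not taken from a real host) ---
SAMPLE_EXE = "/usr/bin/example"
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1311 /usr/bin/example
55d0c2a01000-55d0c2a05000 r-xp 00001000 fd:01 1311 /usr/bin/example
55d0c2a05000-55d0c2a07000 r--p 00005000 fd:01 1311 /usr/bin/example
55d0c4f00000-55d0c4f21000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 2011 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c022000-7f3a1c1b7000 r-xp 00022000 fd:01 2011 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c401000 r--p 00000000 fd:01 3077 /tmp/libunlisted.so
7f3a1c401000-7f3a1c403000 r-xp 00001000 fd:01 3077 /tmp/libunlisted.so
7f3a1c600000-7f3a1c602000 r--p 00000000 fd:01 2099 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f3a1c602000-7f3a1c62c000 r-xp 00002000 fd:01 2099 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd5e3e0000-7ffd5e401000 rw-p 00000000 00:00 0 [stack]
"""
# Resolved library list of the sample program (what ldd would print for it).
SAMPLE_DECLARED = ["/usr/lib/x86_64-linux-gnu/libc.so.6",
                   "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"]
# Constructed .text bytes on disk, and the same bytes as read from memory
# with the first byte altered (simulating an in-memory code patch).
FILE_TEXT = bytes.fromhex("554889e5488d3d00000000e800000000c9c3")
MEM_TEXT = b"\xe9" + FILE_TEXT[1:]


def main() -> None:
    maps = parse_maps(SAMPLE_MAPS)
    code = memory_address_of_file_offset(maps, SAMPLE_EXE, 0x1040)
    print(f"file offset 0x1040 of {SAMPLE_EXE} is mapped at {code:#x}")
    for off, mem_b, file_b in compare_code_segments(MEM_TEXT, FILE_TEXT):
        print(f".text mismatch at +{off:#x}: memory {mem_b:#04x}, file {file_b:#04x}")
    for lib in detect_unlisted_libraries(maps, SAMPLE_DECLARED):
        print(f"library not declared by program file: {lib}")


if __name__ == "__main__":
    main()
```

Against the constructed data the run reports one .text mismatch at offset 0 and one undeclared library, /tmp/libunlisted.so. On a live host, read_process_bytes would supply MEM_TEXT from the address memory_address_of_file_offset returns; note that a mismatch in .text is only meaningful once relocations and, for the main executable, any legitimate runtime patching have been accounted for, and that the declared list must include the interpreter and transitive dependencies or ordinary processes will be flagged.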


Abstract

The invention relates to a Linux platform process memory malicious code forensics method, controller and medium. The method includes traversing all processes of the Linux system and reading the memory mapping file of each process; obtaining one or more of all memory segment data, program file path information and dynamic library file path information; and detecting the malicious code of the process according to all memory segment data and program file path information corresponding to each process, or according to all memory segment data and the dynamic library file path information contained in the memory mapping file, or according to the dynamic library file path information corresponding to the program file. The present invention uses the process memory mapping file of the Linux operating system to determine the memory address layout of the process, accurately obtains the complete memory of each process in the system, effectively discovers malicious code in Linux system memory, and improves the security of the Linux system. The memory forensics method is versatile and stable.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a Linux platform process memory malicious code evidence collection method, a controller and a medium.

Background technique

[0002] The Linux system is a widely used computer operating system that has been deployed in many fields such as important national institutions, banks, operators and the Internet industry. Hacker organizations have long attached importance to the penetration and control of Linux systems, and Linux servers are also important targets of advanced persistent threats (APTs). At present, there are two main bottlenecks in Linux system malicious code forensics: first, malicious programs use advanced hiding and coding techniques, making them difficult to discover and analyze, and the threat and harm these malicious programs pose to the entire information system is immeasurable; second, the current attack forensics technology for Lin...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/56
Inventor 吕志泉韩志辉张帅严寒冰丁丽李佳朱天饶毓高胜李志辉张腾刘婧何能强陈阳李世淙朱芸茜马莉雅周昊
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT