Reverse shell ("rebound shell") detection method based on behavior detection

A detection method in the field of information security. It addresses the many false positives, and the resulting loss of usability, of existing reverse shell detection, and reduces the number of judgment steps while achieving high accuracy and good reliability.

Inactive Publication Date: 2019-10-25
BEIJING SHENGXIN NETWORK TECH CO LTD

AI Technical Summary

Problems solved by technology

These two methods share the same characteristic: they require either a learning phase or a large body of security data as back-end support. Any method that depends on such security data cannot defend against zero-day vulnerabilities and attacks.
The current reverse shell detection method also has a significant problem. Judging a program by its terminal attributes (whether the shell's standard input and output are attached to a terminal) only works in specific scenarios, such as webshell detection. In other environments, normal, legitimately behaving programs also have terminal attributes that meet the condition for an abnormal judgment, producing false positives; there are too many false positives to handle, and usability is ultimately lost.




Embodiment Construction

[0033] To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further described below with reference to specific embodiments.

[0034] Referring to Figures 1 and 2, the specific embodiment adopts the following technical solution: a reverse shell detection method based on behavior detection, whose steps are:

[0035] (1) Obtain the moment of shell process creation:

[0036] When a process is created, a notification must be obtained from the system kernel. Different systems use different mechanisms; under Windows, for example, a driver obtains the notification from the kernel, and other existing notification mechanisms can also be used. The system's process creation notification carries some basic attributes, such as the process identifier (PID), which uniquely identifies a process on the system; it is also necessary to obtain the file path corre...



Abstract

The invention discloses a reverse shell detection method based on behavior detection, and relates to the technical field of information security. The method comprises the following steps: (1) obtaining the moment of shell process creation; (2) checking the network connection state of the shell process; and (3) comprehensively judging whether the network connection is a reverse connection and whether the process is a shell process. According to the invention, higher accuracy and real-time performance are achieved, the number of judgment steps is reduced, detection is fast and accurate, reliability is good, and usability is high.

Description

Technical field
[0001] The invention relates to the technical field of information security, and in particular to a reverse shell detection method based on behavior detection.
Background
[0002] Reverse shell technology is a kind of reverse-connecting Trojan, but with one major difference: the attacker does not need to install a dedicated Trojan program on the intranet host; instead, a vulnerability is used to start a shell program on the system and control the intranet machine from it. The Trojan in a reverse-connecting Trojan is a specific program, whereas the program behind a reverse shell is a normal program that can execute scripts, and the attacker carries out the attack with scripts. Through the reverse shell the attacker enters the system from the outside and performs arbitrary operations. Historically there has been little detection of this behavior, because of the reverse-connection characteristic and the script nature of the network action of the reverse she...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F21/56
CPC: H04L63/1416, G06F21/56
Inventor: 唐仕强程度张福
Owner: BEIJING SHENGXIN NETWORK TECH CO LTD