A network attack defense method based on system events

A system-event-based network attack defense technology, applied in the field of defense against remote vulnerability exploit attacks. It addresses the slow detection speed and high false negative rate of intrusion detection methods, as well as their susceptibility to encryption and obfuscation, and achieves good scalability, flexibility and compatibility.

Active Publication Date: 2022-03-18
NAT UNIV OF DEFENSE TECH

AI Technical Summary

Problems solved by technology

A typical filtering method is a firewall, which inspects network traffic to detect malware and remote attack traffic in a timely manner, and then blocks that traffic before it reaches the program. However, this method has some problems. On the one hand, inspecting a large volume of traffic imposes a heavy performance burden (storage, computing); on the other hand, traffic-based attack detection is easily bypassed by attackers using encoding, encryption, obfuscation and so on, resulting in weak defense.
Intrusion detection methods mainly detect attacks through misuse detection and anomaly detection. Misuse detection matches behavior against specific attack signatures and can only detect some known attacks; its false positive rate is usually low, but its false negative rate is high. Anomaly detection aims to detect unknown attacks, but attack detection itself is very difficult, and this method usually has a high false positive rate.
At the same time, intrusion detection methods still have problems such as slow detection speed and a bulky software system.



Embodiment Construction

[0053] In order to help those skilled in the art better understand the technical scheme of the present invention, the FTP service in the Linux operating system, protected by the present invention, is taken as an example. The service runs as the user "ftpuser", uses only the folder with path "/var/ftp/", and this folder contains only one file, named "test". The present invention is further described in detail below in conjunction with the accompanying drawings.

[0054] As shown in Figure 2, the present invention comprises the following steps:

[0055] The first step is to build a network attack defense system based on system events. As shown in Figure 1, the system consists of a system event generation module, an event filtering module and an event processor. The system event generation module is connected with the event filtering module and the operating system, and monitors key changes in the operating system (including the addition, deletion, access, and mod...
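The event filtering stage of this architecture, as an added illustration that is not part of the patent text: constructed system events are matched against filtering rules and mapped to a processing action, using the FTP example above (service running as "ftpuser", confined to "/var/ftp/", which holds only "test"). The event schema, the daemon name "vsftpd", the rule set and the action names are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class SystemEvent:
    """One OS change as the event generation module would report it (assumed schema)."""
    process: str  # process that caused the change
    user: str     # account the process runs under
    op: str       # "access", "add", "delete" or "modify"
    path: str     # filesystem object touched

# Hypothetical whitelist derived from the FTP example in the embodiment.
PROTECTED_PROCESS = "vsftpd"          # assumed daemon name, not given in the text
ALLOWED_USER = "ftpuser"
ALLOWED_ROOT = PurePosixPath("/var/ftp")

def classify(event: SystemEvent) -> str:
    """Filtering rules: map one event to 'ignore' (normal) or 'block'."""
    if event.process != PROTECTED_PROCESS:
        return "ignore"          # events of other programs are not processed at all
    if event.user != ALLOWED_USER:
        return "block"           # service no longer runs as ftpuser: privilege change
    path = PurePosixPath(event.path)
    if not path.is_absolute() or ".." in path.parts:
        return "block"           # unnormalised path: refuse rather than guess where it points
    if path != ALLOWED_ROOT and ALLOWED_ROOT not in path.parents:
        return "block"           # touched something outside /var/ftp/ (e.g. /bin/sh)
    if event.op != "access":
        return "block"           # folder is expected to hold only "test": no add/delete/modify
    return "ignore"

def filter_events(events):
    """Event filter output: (event, action) pairs for the events that need processing."""
    return [(e, classify(e)) for e in events if classify(e) != "ignore"]

# Constructed sample stream: two normal FTP reads, one non-FTP event, two suspicious events.
SAMPLE_EVENTS = [
    SystemEvent("vsftpd", "ftpuser", "access", "/var/ftp/test"),
    SystemEvent("vsftpd", "ftpuser", "access", "/var/ftp"),
    SystemEvent("sshd", "root", "modify", "/var/log/auth.log"),
    SystemEvent("vsftpd", "ftpuser", "access", "/bin/sh"),
    SystemEvent("vsftpd", "ftpuser", "add", "/var/ftp/.hidden"),
]

if __name__ == "__main__":
    for event, action in filter_events(SAMPLE_EVENTS):
        print(f"{action:5} {event.process} {event.user} {event.op} {event.path}")
```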



Abstract

The invention discloses a network attack defense method based on system events, aiming at accurate detection and rapid defense of remote vulnerability exploit attacks. The technical solution is to build a system-event-based network attack defense system composed of a system event generation module, an event filtering module and an event processor. The system event generation module monitors key changes in the operating system, generates system events and sends them to the event filtering module; the event filtering module filters and analyzes the system events according to the filtering rules, obtains the processing action for each event, and sends an event processing request, with the system event and its corresponding processing action as parameters, to the event processor; the event processor defends against remote exploit attacks according to the event processing request. The invention can capture all remote vulnerability exploit attacks, avoids processing normal system events, and has high efficiency, good compatibility and universality.

Description

Technical Field

[0001] The invention relates to the field of defense against network attacks, in particular to a defense method against remote vulnerability exploit attacks.

Background Technique

[0002] A remote vulnerability exploit attack refers to behavior that exploits a software vulnerability to produce unexpected results. This behavior usually includes gaining control of a computer system, denial of service, privilege escalation, etc. Remote vulnerability exploit attacks are network-based and do not require prior login to the attacked system, so they are extremely harmful. Currently, the most common software vulnerabilities include stack overflow vulnerabilities, use-after-free vulnerabilities and format string vulnerabilities. Taking the stack overflow vulnerability as an example, the cause is that when the programmer writes the program, he does not fully consider the buffer capacity on the stack and the actual data size, which may cause an overflow when th...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40; H04L41/0604
CPC: H04L63/1416; H04L63/1433; H04L41/0604
Inventor: 刘波陈鑫益胡乃天马行空陆潼洪学恕刘鹏
Owner: NAT UNIV OF DEFENSE TECH