
Method and device for detecting malicious remote procedure tracing calling behaviors

A remote procedure call (RPC) detection technology, applied to multiprogramming devices, inter-program communication, program control design, etc. It addresses problems such as system behaviour interfering with the detection of malicious behaviour and false alarms, with the effect of ensuring detection accuracy, speeding up the processing flow and saving system resources.

Active Publication Date: 2021-04-30
成都安思科技有限公司

AI Technical Summary

Problems solved by technology

[0003] In addition, the latest versions of the Windows operating system run a large number of system processes, which are being created and terminated all the time. If this large volume of system behaviour cannot be strictly distinguished from the behaviour of interest, a large number of false positives will be generated; in a sandbox system in particular, system behaviour seriously interferes with the detection of malicious behaviour. The traditional process chain, built only from the process associations of the malicious program, is not sufficient to handle behaviour released through RPC; and if the process relationship chain of the entire system is taken as the basis, many system behaviours emerge



Embodiment Construction

[0030] The present invention will be further described below in conjunction with the accompanying drawings, but the protection scope of the present invention is not limited to the following description.

[0031] As shown in figure 1 and figure 2, the present invention relates to a method for detecting malicious remote procedure call behaviour with traceability. By intercepting the remote procedure call, the GUID of the called interface, the ProcNum, the call parameters, and the client process ID and thread ID are obtained; the current process sends this information to the server-side module, which judges it, deciding mainly from the client's process ID and thread ID whether the call is malicious. If it is a malicious remote procedure call, the complete remote procedure call is recorded; for a non-malicious call, the traceability method is used to find the real initiator of the request, further obtaining a call chain of the current remote p...


Abstract

The invention relates to a method and device for detecting malicious remote procedure call behaviour with traceability. The method comprises the steps of: initializing a set E0; intercepting all RPC call requests and obtaining the identifier of the interface to be called, the API number, the specific function of the interface that needs to be called, and the call request parameter information, and establishing inter-process calling-relationship information for each remote procedure call; judging whether the interface identifier called by the remote procedure exists in a pre-configured list L0, then, according to that result, further judging whether the requested interface identifier exists in a pre-configured list L1, and carrying out the corresponding operation according to the two judgment results; and, if the client process ID does not exist in the set E0, searching for the corresponding calling-relationship information I using the client process ID and thread ID (P, T) as the retrieval condition, judging whether the process found through I exists in the set E0, and carrying out the corresponding operation according to that judgment result. System resources are saved and the processing flow of the system is accelerated, while the accuracy of RPC detection is also ensured.
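The abstract names the data the method keeps (set E0 of process IDs, lists L0 and L1 of interface identifiers, and calling-relationship information I keyed by a client's process and thread ID) but not how the lookup is carried out when a request has hopped through one or more proxy RPC servers. The following is an added example, written for this page and not the patent's or the company's own code, that simulates that trace-back in Python. Its RPC records, process/thread IDs and interface GUIDs are constructed; the abstract does not say what L0 and L1 contain, so their meaning here (L0 = interfaces dropped without inspection, L1 = interfaces always recorded) is a hypothetical reading, marked as such in the code.

```python
"""Trace-back of intercepted RPC calls through proxy RPC servers (added example).

Modelled on the steps in the abstract: each intercepted call carries the interface
GUID, ProcNum, client PID/TID and the server thread that services it. Set E0 holds
the process IDs under suspicion (e.g. the sample running in a sandbox). When a call's
client PID is not in E0, the client's own (PID, TID) is used to look up the request
that thread is itself servicing, and the walk continues until the real initiator is
found or the chain ends in a process acting on its own behalf.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RpcCall:
    """One intercepted RPC request (all fields constructed in the demo below)."""
    iface: str        # interface identifier (GUID) being called
    procnum: int      # procedure number within the interface (ProcNum)
    client_pid: int   # requesting process
    client_tid: int   # requesting thread
    server_pid: int   # process hosting the RPC server or proxy
    server_tid: int   # server thread that services the request


class RpcTracer:
    def __init__(self, e0: Set[int], l0: Set[str], l1: Set[str], max_hops: int = 16) -> None:
        self.e0 = set(e0)          # process IDs under suspicion
        self.l0 = set(l0)          # HYPOTHETICAL reading: interfaces ignored outright
        self.l1 = set(l1)          # HYPOTHETICAL reading: interfaces always recorded
        self.max_hops = max_hops   # bound on proxy hops to avoid cycles in stale data
        # calling-relationship information I: the request a server thread is servicing
        self.relation: Dict[Tuple[int, int], RpcCall] = {}
        self.malicious: List[List[RpcCall]] = []   # full chains attributed to E0
        self.recorded: List[RpcCall] = []          # L1 calls with no suspect origin

    def on_call(self, call: RpcCall) -> Tuple[str, List[RpcCall]]:
        """Handle one intercepted request; returns (verdict, call chain)."""
        # The server thread now acts on behalf of the client: record the relation.
        self.relation[(call.server_pid, call.server_tid)] = call
        if call.iface in self.l0:
            return "ignored", []            # system noise, not inspected further
        chain = self.trace(call)
        if chain is not None:
            self.malicious.append(chain)    # record the complete RPC chain
            return "malicious", chain
        if call.iface in self.l1:
            self.recorded.append(call)
            return "watch", [call]
        return "benign", []

    def on_return(self, server_pid: int, server_tid: int) -> None:
        """The server thread finished its request; drop the stale relation so a later
        request from that thread is not attributed to the previous client."""
        self.relation.pop((server_pid, server_tid), None)

    def trace(self, call: RpcCall) -> Optional[List[RpcCall]]:
        """Walk from the client thread back through proxies to the real initiator.
        Returns the chain (nearest hop first) if it ends in a process from E0."""
        chain = [call]
        pid, tid = call.client_pid, call.client_tid
        for _ in range(self.max_hops + 1):
            if pid in self.e0:
                return chain                 # real initiator is a suspect process
            inbound = self.relation.get((pid, tid))
            if inbound is None:
                return None                  # a process acting on its own: system behaviour
            chain.append(inbound)
            pid, tid = inbound.client_pid, inbound.client_tid
        return None                          # hop bound exceeded; treat as not attributable


def demo() -> Tuple[List[str], RpcTracer]:
    # Constructed IDs and GUIDs; they do not correspond to any real interface or trace.
    iface_proxy = "11111111-0000-0000-0000-000000000001"
    iface_service = "22222222-0000-0000-0000-000000000002"
    iface_noise = "33333333-0000-0000-0000-000000000003"
    tracer = RpcTracer(e0={4242}, l0={iface_noise}, l1=set())
    events = [
        RpcCall(iface_proxy, 3, 4242, 1, 700, 71),    # sample -> proxy RPC server
        RpcCall(iface_service, 5, 700, 71, 900, 91),  # proxy forwards -> real service
        RpcCall(iface_service, 5, 1000, 7, 900, 92),  # unrelated system process
        RpcCall(iface_noise, 0, 4242, 1, 600, 61),    # dropped by L0 even from the sample
    ]
    verdicts = [tracer.on_call(e)[0] for e in events]
    tracer.on_return(700, 71)                         # proxy finished the sample's request
    verdicts.append(tracer.on_call(RpcCall(iface_service, 5, 700, 71, 900, 93))[0])
    return verdicts, tracer


if __name__ == "__main__":
    for verdict, chain in zip(demo()[0], ["sample->proxy", "proxy->service", "system", "noise", "proxy later"]):
        print(f"{chain:15s} {verdict}")
```

The second event is the case the patent is concerned with: the service sees a client (700, 71) that is not in E0, but the relation recorded for that thread points back to the sample, so the call is attributed to it with a two-hop chain. The `on_return` step matters in practice: without it, the proxy's later, unrelated request from the same thread would still be attributed to the sample.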

Description

Technical field

[0001] The invention relates to the technical field of network monitoring, in particular to a method and device for detecting malicious remote procedure call behaviour with traceability.

Background technique

[0002] With the rapid development of the Internet, malicious programs spread more easily, and the attack techniques they use are continuously upgraded. They are no longer limited to behavioural evasion within the malicious program's own process, but use RPC (Remote Procedure Call) requests to the system's existing RPC components to release malicious behaviour, bypassing sandboxes, host active-defence and other security monitoring systems. At the same time, on the Windows operating system there are not only directly connected RPC servers but also multi-level proxy RPC servers: a request jumps several times before it finally reaches the process where the service is located. When a multi-level proxy is used, it is...


Application Information

Patent Timeline
IPC(8): H04L29/06, G06F9/54
CPC: H04L63/1441, H04L63/101, G06F9/547
Inventors: 王宗才胡周毛春森张洁赵键俞祥基邓金祥胡勇王炜
Owner: 成都安思科技有限公司