CN1987717A - Method and system for real time detecting process integrity - Google Patents
- Publication number: CN1987717A (application CN200510134081A)
- Authority: CN (China)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscape: Debugging And Monitoring (AREA)
Abstract
The method comprises: monitoring a process that is about to run in memory and determining whether the process is being executed for the first time; if so, collecting the hash value of the process and the hash value of the whole program corresponding to the process and storing them in a process reference table; otherwise, using the hash value of the process and the hash value of the corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program; and, if the verification result is that they are not intact, restoring the process and the whole program corresponding to it.
Description
Technical field
The present invention relates to a method and system for real-time detection of process integrity.
Background technology
Several methods for detecting process integrity exist today. For example, there are signature-based methods such as antivirus software: Kaspersky's basic antivirus memory scan enumerates the module names of all processes, locates their image files on disk, and scans the corresponding image files for signatures. There are also detection methods based on file names. For example, Norton obtains the list of all drivers loaded by the system through the ZwQuerySystemInformation function and checks the kernel-mode drivers for viruses, combining this with signature scanning and file integrity checking.
However, none of these methods can dynamically detect a process that has been damaged or tampered with.
Therefore, a method and system for real-time detection of process integrity is needed, so that damaged or tampered processes can be detected dynamically.
Summary of the invention
The object of the present invention is to provide a method and system for real-time detection of process integrity that can detect the integrity of system processes safely, reliably and in real time, so that a modified process is discovered and repaired promptly and the system keeps running securely and stably; in this way, damaged or tampered processes can be detected dynamically.
To achieve this object, according to the invention, a method for real-time detection of process integrity is proposed. The method comprises: monitoring a process that is about to run in memory and judging whether the process is being executed for the first time; if the process is being executed for the first time, collecting the hash value of the process and the hash value of the whole program corresponding to the process and storing them in a process reference table; if the process is not being executed for the first time, using the hash value of the process and the hash value of the corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program; and, where the integrity verification result for the process and its corresponding whole program is that they are not intact, restoring the process and the whole program corresponding to it.
Preferably, the step of judging whether the process is being executed for the first time is implemented by checking the process reference table.
Preferably, the hash value of the process is the hash value of the code segment of the whole program corresponding to the process.
Preferably, the step of using the hash value of the process and the hash value of its corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program comprises: comparing the hash value of the process and the hash value of its corresponding whole program stored in the process reference table with, respectively, the current hash value of the process that is about to run in memory and the current hash value of the program corresponding to that process as stored on disk; if both comparisons agree, the integrity verification result for the process and its corresponding whole program is that they are intact.
Preferably, the step of restoring the process and its corresponding whole program comprises: using a copy of the whole program that was stored in advance and is protected against unauthorized access to restore both the process in memory and the whole program corresponding to the process on disk.
According to the present invention, a system for real-time detection of process integrity is also proposed. The system comprises: a process real-time monitoring module, which monitors a process that is about to run in memory and judges whether the process is being executed for the first time; if the process is being executed for the first time, it instructs the integrity information acquisition module to perform a hash value collection operation; if the process is not being executed for the first time, it verifies the integrity of the process and of its corresponding whole program; and if the verification result is that they are not intact, it instructs the process repair module to perform repair. An integrity information acquisition module collects the hash value of the process and the hash value of the whole program corresponding to the process and stores them in the process reference table. A process repair module restores the process and the whole program corresponding to the process. A process reference table stores the hash value of the process and the hash value of its corresponding whole program received from the integrity information acquisition module, so that the process real-time monitoring module can use them to verify integrity.
Preferably, the system further comprises: a program code segment storage area for storing the instruction set of the process that is about to run; a program executable file storage area for storing the program corresponding to the process that is about to run; and a program file copy storage area for storing a copy of the program corresponding to the process that is about to run, so that the process repair module can restore the process and its corresponding whole program.
Preferably, the program executable file storage area and the program file copy storage area are implemented by a storage disk.
Preferably, the program code segment storage area is implemented by memory.
Preferably, the process real-time monitoring module comprises a thread scheduling monitoring module for monitoring the process that is about to run in memory and judging whether it is being executed for the first time, and an integrity check module for using the hash value of the process and the hash value of its corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program.
Preferably, the hash value of the process is the hash value of the code segment of the whole program corresponding to the process.
Description of drawings
The above object, advantages and features of the present invention will become apparent from the following detailed description of the preferred embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic block diagram of the system for real-time detection of process integrity according to the present invention;
Fig. 2 is a more detailed block diagram of the system for real-time detection of process integrity according to the present invention;
Fig. 3 is a flow diagram of the process of collecting process integrity hash value summary information according to the present invention; and
Fig. 4 is the overall flow diagram of the method for real-time detection of process integrity according to the present invention.
Detailed description of the embodiments
The main idea of the present invention is to detect the integrity of the disk image file corresponding to a process and the integrity of the process's code segment in its memory space. The integrity check consists mainly of computing a hash value with a message digest algorithm (for example, the MD5 algorithm). In modern operating systems the code segment of a program is normally read-only, and a program cannot itself modify the contents of its code segment. Only certain malicious programs change the read-only attribute of another program's code segment, elevating their own privileges to modify the code of other programs or to inject malicious code. If the integrity of a program's code segment in memory has been broken, it can essentially be concluded that the program has been damaged or tampered with by a virus or malware.
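The following is an added illustration, not code from the patent, of the two measurements the paragraph above describes, shown on Linux: the hash of a process's code segment taken from its memory space, and the hash of the corresponding image file on disk. It reads the executable mapping of the main image from /proc/<pid>/maps and the mapped bytes from /proc/<pid>/mem, which needs ptrace access to the target; the sample maps text is constructed. SHA-256 is used in place of the MD5 the text names, because MD5 collisions are practical. Note that the in-memory code bytes need not equal the file bytes: on Windows the loader's relocation fixups patch addresses inside the code section, and on any system a debugger breakpoint or hot patch changes them, which is why the patent records the code segment hash at first load separately from the whole-file hash instead of comparing the two against each other.

```python
"""Added example (not the patent's own code): locating and hashing the code
segment of a running process on Linux, and hashing its image file on disk."""
import hashlib
import os
from typing import Callable, List, Tuple

Segment = Tuple[int, int, int]  # (start address, end address, file offset)


def hash_bytes(data: bytes) -> str:
    """Message digest for the integrity check. The patent names MD5; SHA-256
    is substituted here because MD5 is no longer collision resistant."""
    return hashlib.sha256(data).hexdigest()


def parse_maps(maps_text: str, image_path: str) -> List[Segment]:
    """Return the executable (r-x) mappings backed by `image_path` from the
    text of /proc/<pid>/maps. Each line reads:
    start-end perms offset dev inode [path]
    Anonymous mappings and other images (shared libraries, [stack]) are skipped."""
    segments: List[Segment] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[5].strip() != image_path:
            continue
        perms = fields[1]
        if "x" not in perms or "r" not in perms:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        segments.append((start, end, int(fields[2], 16)))
    return segments


def hash_ranges(read: Callable[[int, int], bytes], segments: List[Segment],
                use_file_offset: bool = False) -> str:
    """Hash the listed spans in ascending order through read(offset, length).
    By default the span is read at its memory address; with use_file_offset
    the same span is read at its offset inside the image file instead."""
    digest = hashlib.sha256()
    for start, end, file_offset in sorted(segments):
        where = file_offset if use_file_offset else start
        digest.update(read(where, end - start))
    return digest.hexdigest()


def hash_code_segment(pid: int, image_path: str) -> str:
    """Hash of the process's code segment in memory (the patent's 'hash value
    of the process'). Requires ptrace access to the target process."""
    with open(f"/proc/{pid}/maps") as f:
        segments = parse_maps(f.read(), image_path)
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return hash_ranges(lambda off, n: os.pread(fd, n, off), segments)
    finally:
        os.close(fd)


def hash_program_file(path: str) -> str:
    """Hash of the whole program file on disk (the patent's 'hash value of
    the whole program')."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed sample of /proc/<pid>/maps for a PIE binary. Only the r-xp
# mapping of the main image is the code segment; libc and [stack] are not.
SAMPLE_MAPS = """\
55d4c1a00000-55d4c1a01000 r--p 00000000 fd:01 1311241 /usr/bin/sleep
55d4c1a01000-55d4c1a05000 r-xp 00001000 fd:01 1311241 /usr/bin/sleep
55d4c1a05000-55d4c1a07000 r--p 00005000 fd:01 1311241 /usr/bin/sleep
55d4c1a08000-55d4c1a09000 rw-p 00007000 fd:01 1311241 /usr/bin/sleep
7f0a3c000000-7f0a3c022000 r-xp 00000000 fd:01 1572931 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(parse_maps(SAMPLE_MAPS, "/usr/bin/sleep"))
    if os.path.exists("/proc/self/maps"):  # Linux only: measure this interpreter
        me = os.readlink("/proc/self/exe")
        print(hash_code_segment(os.getpid(), me), hash_program_file(me))
```

hash_ranges with use_file_offset=True reads the same spans from the image file, which is a useful cross-check on a Linux PIE binary (where the text is mapped unmodified), but it is not a general substitute for the stored baseline for the reasons given above.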
Preferred embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a schematic block diagram of the system for real-time detection of process integrity according to the present invention.
As shown in Fig. 1, the system for real-time detection of process integrity of the present invention comprises a process real-time monitoring module 101, a process repair module 102, an integrity information acquisition module 103, a disk 104 and a memory 105.
The process real-time monitoring module 101 is responsible for integrity checking of all processes in the system that have been loaded or are being loaded: for a process that has already been loaded, integrity is detected by checking the code segment in its memory space; for a process that is being loaded, integrity is detected by checking its disk image file. When the process real-time monitoring module 101 finds a damaged process, it promptly notifies the process repair module 102, which performs the corresponding repair. The integrity information acquisition module 103 collects the integrity information samples (hash values) of system processes. The memory 105 stores processes; as an example, a plurality of processes are shown in Fig. 1. The disk 104 stores the programs corresponding to those processes; as an example, Fig. 1 also shows a plurality of programs corresponding to the plurality of processes.
Fig. 2 is a more detailed block diagram of the system for real-time detection of process integrity according to the present invention.
As shown in Fig. 2, in addition to the process real-time monitoring module 101, process repair module 102 and integrity information acquisition module 103 described above, the system according to the present invention further comprises: a process reference table 204 for storing the hash values of processes and the hash values of their corresponding whole programs received from the integrity information acquisition module 103, so that the process real-time monitoring module 101 can use them to verify integrity; a program code segment storage area 207 for storing the instruction set of the process that is about to run; a program executable file storage area 206 for storing the program corresponding to the process that is about to run; and a program file copy storage area 205 for storing a copy of the program corresponding to the process that is about to run, so that the process repair module 102 can restore the process and its corresponding whole program. The program executable file storage area 206 and the program file copy storage area 205 may be implemented by a storage disk, and the program code segment storage area 207 may be implemented by memory.
In addition, the process real-time monitoring module 101 comprises a thread scheduling monitoring module 202 for monitoring the process that is about to run in memory and judging whether it is being executed for the first time, and an integrity check module 201 for using the hash value of the process and the hash value of its corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program.
The system according to the present invention therefore not only checks the integrity of the image file corresponding to a process as stored on the hard disk, but also dynamically detects the integrity of the process code segment in memory through the real-time monitoring module, so that damaged or tampered code can be discovered and repaired promptly.
Fig. 3 is a flow diagram of the process of collecting process integrity hash value summary information according to the present invention.
As shown in Fig. 3, the first time a program installed on disk is executed by the user, that is, when the process corresponding to that program is about to be executed in memory, the process real-time monitoring module 101 intercepts this event (step 301). The process real-time monitoring module 101 then suspends execution of the process that is about to run and checks whether the process reference table contains a record for the process corresponding to this program. If there is no record, the program (process) is regarded as being executed for the first time after installation, and the program is loaded to execute its corresponding process (step 303). At this point the integrity information acquisition module 103 collects the hash value of the whole program and the hash value of the process corresponding to the program, the hash value of the process being the hash value of the program's code segment as loaded into memory (step 305), and the hash value of the whole program and the hash value of the corresponding process are stored in the process reference table (step 307). If, on the other hand, the process reference table already contains a record for this program, the process real-time monitoring module 101 verifies the process corresponding to the program.
Fig. 4 is the overall flow diagram of the method for real-time detection of process integrity according to the present invention.
As shown in Fig. 4, at the start the process real-time monitoring module 101 monitors the process corresponding to the next thread that is about to run, so that its integrity can be detected (step 401). On entering the process, it is checked whether the process is running for the first time (step 403). If it is running for the first time (yes in step 403), the integrity information acquisition module 103 is notified to collect the integrity information (hash values) of the process (step 405); the collection of this integrity information is described in detail with reference to Fig. 3.
If it is not running for the first time (no in step 403), integrity verification is performed (step 407): the current hash value of the process in memory is compared with the hash value of the process stored in the process reference table, and the current hash value of the whole program corresponding to the process as stored on disk is compared with the hash value of the whole program stored in the process reference table (step 409). If both comparisons agree (yes in step 411), the integrity check result is intact and subsequent operation continues normally. Otherwise the integrity check result is not intact, and the process repair module 102 performs recovery (step 413): it uses the protected backup of the program corresponding to the process, stored in advance, to restore the program on disk and the process in memory.
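The following is an added example, not the patent's own code, that runs the Fig. 3 and Fig. 4 procedure end to end over a constructed host: memory (area 207), disk (area 206) and the protected copy area (205) are dictionaries, the executable format is a toy one whose header gives the code segment length, and the reference table (204) maps a process name to its (code segment hash, whole program hash) pair. SHA-256 stands in for the MD5 the text names. Two things the flow chart leaves implicit are made explicit here: repair restores both the disk file and the in-memory code segment from the protected copy, and a program that is already trojaned before its first execution is baselined as-is, after which every later run reports it intact. The scheme is therefore only as trustworthy as the install-time copy and the reference table, both of which must be kept out of reach of the code being checked.

```python
"""Added example (not the patent's own code): the Fig. 3 / Fig. 4 procedure
as a small simulator over a constructed host and a constructed image format."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    """Message digest for the integrity hashes (SHA-256 substituted for MD5,
    which is no longer collision resistant)."""
    return hashlib.sha256(data).hexdigest()


def make_image(code: bytes, data: bytes) -> bytes:
    """Constructed toy executable format: 4-byte big-endian code length,
    then the code segment, then the data segment."""
    return len(code).to_bytes(4, "big") + code + data


def load_code_segment(image: bytes) -> bytearray:
    """What the loader maps as the code segment. Claim 3 hashes exactly this
    part for the process; the whole file is hashed separately."""
    n = int.from_bytes(image[:4], "big")
    return bytearray(image[4:4 + n])


@dataclass
class Host:
    disk: Dict[str, bytes] = field(default_factory=dict)        # executable file storage area 206
    memory: Dict[str, bytearray] = field(default_factory=dict)  # code segment storage area 207
    copies: Dict[str, bytes] = field(default_factory=dict)      # protected file copy storage area 205

    def install(self, name: str, image: bytes) -> None:
        """Installation writes the executable to disk and the protected copy
        the repair module restores from. Nothing is baselined yet."""
        self.disk[name] = image
        self.copies[name] = image


class ProcessIntegrityMonitor:
    """Process real-time monitoring module 101 together with the modules it drives."""

    def __init__(self, host: Host) -> None:
        self.host = host
        self.reference_table: Dict[str, Tuple[str, str]] = {}  # process reference table 204

    def collect(self, name: str) -> Tuple[str, str]:
        """Integrity information acquisition module 103: hash of the code
        segment in memory and hash of the whole program file on disk."""
        return sha256(bytes(self.host.memory[name])), sha256(self.host.disk[name])

    def repair(self, name: str) -> None:
        """Process repair module 102: restore both the disk file and the
        in-memory code segment from the protected copy."""
        original = self.host.copies[name]
        self.host.disk[name] = original
        self.host.memory[name] = load_code_segment(original)

    def on_schedule(self, name: str) -> str:
        """Called by the thread scheduling monitor when `name` is about to run
        (step 401). Returns which branch of Fig. 4 was taken."""
        if name not in self.host.memory:           # process is being loaded
            self.host.memory[name] = load_code_segment(self.host.disk[name])
        current = self.collect(name)
        if name not in self.reference_table:       # step 403: first execution
            self.reference_table[name] = current   # steps 405 / 305-307
            return "baselined"
        if current == self.reference_table[name]:  # steps 407-411
            return "intact"
        self.repair(name)                          # step 413
        return "repaired"


def demo() -> List[str]:
    """Walk through the cases the patent describes, plus the first-run limit."""
    host = Host()
    mon = ProcessIntegrityMonitor(host)
    clean = make_image(b"\x55\x48\x89\xe5\xc3", b"config=1")  # constructed program
    host.install("svc", clean)
    results = [mon.on_schedule("svc"), mon.on_schedule("svc")]  # baselined, intact

    host.memory["svc"][0:1] = b"\xcc"            # code injected into the running process
    results.append(mon.on_schedule("svc"))       # repaired from the protected copy
    assert bytes(host.memory["svc"]) == bytes(load_code_segment(clean))

    host.disk["svc"] = make_image(b"\x90" * 5, b"config=1")  # image on disk replaced
    results.append(mon.on_schedule("svc"))       # repaired again
    assert host.disk["svc"] == clean

    # Limit of the scheme: a program trojaned before its first execution is
    # baselined as-is, and every later run of it reports "intact".
    host.install("trojan", make_image(b"\xeb\xfe", b""))
    results += [mon.on_schedule("trojan"), mon.on_schedule("trojan")]
    return results


if __name__ == "__main__":
    print(demo())
```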
According to the present invention, unknown viruses can be detected and removed without disrupting the execution of the process's own functions. In addition, viruses or malicious code in memory can be detected and removed, and thread-injection attacks can also be prevented.
Although the present invention has been shown above in conjunction with its preferred embodiments, those skilled in the art will appreciate that various modifications, substitutions and changes may be made without departing from the spirit and scope of the invention. The present invention should therefore not be limited by the above embodiments, but by the appended claims and their equivalents.
Claims (11)
1. A method for real-time detection of process integrity, the method comprising:
monitoring a process that is about to run in memory and judging whether the process is being executed for the first time;
if the process is being executed for the first time, collecting the hash value of the process and the hash value of the whole program corresponding to the process and storing them in a process reference table;
if the process is not being executed for the first time, using the hash value of the process and the hash value of the corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program; and
where the integrity verification result for the process and its corresponding whole program is that they are not intact, restoring the process and the whole program corresponding to the process.
2. The method according to claim 1, characterized in that the step of judging whether the process is being executed for the first time is implemented by checking the process reference table.
3. The method according to claim 1, characterized in that the hash value of the process is the hash value of the code segment of the whole program corresponding to the process.
4. The method according to claim 1, characterized in that the step of using the hash value of the process and the hash value of its corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program comprises: comparing the hash value of the process and the hash value of its corresponding whole program stored in the process reference table with, respectively, the current hash value of the process that is about to run in memory and the current hash value of the program corresponding to that process as stored on disk; if both comparisons agree, the integrity verification result for the process and its corresponding whole program is that they are intact.
5. The method according to claim 1, characterized in that the step of restoring the process and its corresponding whole program comprises: using a copy of the whole program that was stored in advance and is protected against unauthorized access to restore the process in memory and the whole program corresponding to the process on disk.
6. A system for real-time detection of process integrity, the system comprising:
a process real-time monitoring module, which monitors a process that is about to run in memory and judges whether the process is being executed for the first time; if the process is being executed for the first time, instructs the integrity information acquisition module to perform a hash value collection operation; if the process is not being executed for the first time, verifies the integrity of the process and of its corresponding whole program; and, if the verification result is that they are not intact, instructs the process repair module to perform repair;
an integrity information acquisition module for collecting the hash value of the process and the hash value of the whole program corresponding to the process and storing them in the process reference table;
a process repair module for restoring the process and the whole program corresponding to the process; and
a process reference table for storing the hash value of the process and the hash value of its corresponding whole program received from the integrity information acquisition module, so that the process real-time monitoring module can use them to verify integrity.
7. The system according to claim 6, characterized in that it further comprises: a program code segment storage area for storing the instruction set of the process that is about to run; a program executable file storage area for storing the program corresponding to the process that is about to run; and a program file copy storage area for storing a copy of the program corresponding to the process that is about to run, so that the process repair module can restore the process and its corresponding whole program.
8. The system according to claim 7, characterized in that the program executable file storage area and the program file copy storage area are implemented by a storage disk.
9. The system according to claim 7, characterized in that the program code segment storage area is implemented by memory.
10. The system according to claim 6, characterized in that the process real-time monitoring module comprises a thread scheduling monitoring module for monitoring the process that is about to run in memory and judging whether it is being executed for the first time, and an integrity check module for using the hash value of the process and the hash value of its corresponding whole program stored in the process reference table to verify the integrity of the process and of its corresponding whole program.
11. The system according to claim 6, characterized in that the hash value of the process is the hash value of the code segment of the whole program corresponding to the process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005101340815A CN100489730C (en) | 2005-12-23 | 2005-12-23 | Method and system for real time detecting process integrity |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1987717A true CN1987717A (en) | 2007-06-27 |
CN100489730C CN100489730C (en) | 2009-05-20 |
Family ID: 38184541
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005101340815A Expired - Fee Related CN100489730C (en) | 2005-12-23 | 2005-12-23 | Method and system for real time detecting process integrity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100489730C (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102306261A (en) * | 2011-09-02 | 2012-01-04 | 福建四创软件有限公司 | Method for automatically upgrading and preventing falsification of software based on combination of network and USB (Universal Serial Bus) flash disk |
CN104077522A (en) * | 2014-06-30 | 2014-10-01 | 江苏华大天益电力科技有限公司 | Process integrity detection method of operation system |
WO2016041419A1 (en) * | 2014-09-16 | 2016-03-24 | 华为技术有限公司 | Trusted metric method and device |
US10713352B2 (en) | 2014-09-16 | 2020-07-14 | Huawei Technologies Co., Ltd. | Method and apparatus for trusted measurement |
CN106709337A (en) * | 2015-11-18 | 2017-05-24 | 中兴通讯股份有限公司 | Malicious bundled software processing method and apparatus |
WO2017215663A1 (en) * | 2016-06-16 | 2017-12-21 | 广东欧珀移动通信有限公司 | Sound effect processing method and terminal |
US10853092B2 (en) | 2016-06-16 | 2020-12-01 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and device for sound effect processing |
US11023254B2 (en) | 2016-06-16 | 2021-06-01 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and device for sound effect processing and storage medium |
CN107194249A (en) * | 2017-05-22 | 2017-09-22 | 福州汇思博信息技术有限公司 | System attack detection method and its system |
CN108199827A (en) * | 2018-01-09 | 2018-06-22 | 武汉斗鱼网络科技有限公司 | Client code integrity checking method, storage medium, electronic equipment and system |
CN109918907A (en) * | 2019-01-30 | 2019-06-21 | 国家计算机网络与信息安全管理中心 | Linux platform proceeding internal memory malicious code evidence collecting method, controller and medium |
Also Published As
Publication number | Publication date |
---|---|
CN100489730C (en) | 2009-05-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090520; Termination date: 20201223 |