
CN104200162A - Computer program product for information security monitoring and defense and method thereof - Google Patents


Info

Publication number
CN104200162A
Authority
CN
China
Prior art keywords
information
program
virtual
white list
check
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410418166.5A
Other languages
Chinese (zh)
Inventor
蔡天浩
陈彦仲
王贞力
谢秀芬
林宗毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chunghwa Telecom Co Ltd
Original Assignee
Chunghwa Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd
Publication of CN104200162A
Current legal status: pending


Classifications

    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (G Physics > G06 Computing or calculating; counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F 21/561 Virus type analysis (same parent chain down to G06F 21/56)
    • G06F 2221/033 Test or assess software (G Physics > G06 Computing or calculating; counting > G06F Electric digital data processing > G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a computer program product for information security monitoring and defense, and a method thereof. The method comprises the following steps. First, the program information of a program that a virtual machine is about to execute is captured via the virtualization layer. Next, the program information is compared with cache information; if it matches, the program is judged to be a normal program. If the program information does not match the cache information, it is compared with whitelist information; if it matches the whitelist information, the program is judged to be a normal program. If the program information does not match the whitelist information, the execution parameters in the program information are checked; if the check passes, the program is judged to be a normal program, and if the check fails, the program is judged to be an abnormal program. Finally, when the program is an abnormal program, the execution of a security protection operation is determined.

Description

Computer program product and method for information security monitoring and defense

【Technical Field】

The present invention relates to a computer program product and method for information security monitoring and defense, and in particular to a computer program product and method that are deployed in the virtualization layer to perform information security monitoring and defense for the virtual machines under it.

【Background】

With the rapid advance of network communication, network service providers have launched a wide range of cloud services, and ordinary users and enterprises, in order to save the cost of purchasing computer hardware, are gradually moving work previously done on personal computers to cloud servers.

Since cloud services have become an important part of e-commerce and the electronic office, hackers have gradually shifted the focus of their attacks to cloud servers. Because malware techniques are now widespread, malicious programs have become rampant and cause great harm to computers and servers. According to a research report by the international organization Shadowserver, it collects millions or even tens of millions of new malware samples every month and has so far collected more than 200 million unique malware samples. Trend Micro, a domestic company, has also stated that more than 40 million suspicious programs need to be analyzed every day.

Traditional anti-virus software identifies malicious programs by monitoring a program's signatures or behaviour. With the rapid evolution of malware, however, malicious programs can not only evade anti-virus detection through encryption, polymorphism or packing, but may even disable the anti-virus software outright before carrying out their malicious activity, so that traditional anti-virus software can no longer carry the burden of protection. How to provide effective detection of ever-changing malicious programs is therefore a technical problem that urgently needs to be solved in this field.

【Summary of the Invention】

To solve the above technical problems of conventional technology, the present invention provides a computer program product and method for information security monitoring and defense that perform virus protection effectively.

To achieve the above object, the present invention provides a computer program product for information security monitoring and defense. The computer program product runs on a computer device that provides at least one cloud virtual platform; the cloud virtual platform corresponds to a virtualization layer (hypervisor) and contains at least one virtual machine (VM). The virtualization layer has higher privileges than the virtual machines. The computer program product comprises at least one information collection module and a central control module. Each information collection module is deployed on a virtual platform and captures, via the virtualization layer, the program information of programs that the virtual machine is about to execute. The central control module is connected to the information collection modules and comprises a whitelist recording module, an information monitoring module and an exception handling module. The whitelist recording module provides whitelist information, which records the names of the programs allowed to execute. The information monitoring module is connected to the whitelist recording module and performs: (1) comparing the program information with cache information, where the cache information is a temporary record of programs that are allowed to execute and have already executed; if the program information matches the cache information, the program is judged to be a normal program; (2) if the program information does not match the cache information, comparing it with whitelist information stored in the database of the computer device; if the program information matches the whitelist information, the program is judged to be a normal program; (3) if the program information does not match the whitelist information, checking the execution parameters in the program information; if the check passes, the program is judged to be a normal program, and if it fails, the program is judged to be an abnormal program. The exception handling module is connected to the information monitoring module and, when a program has been judged abnormal, determines the execution of a security protection operation.

To achieve the above object, the present invention also provides an information security monitoring and defense method. The method is applied to a computer device that provides at least one cloud virtual platform; the cloud virtual platform corresponds to a virtualization layer and contains at least one virtual machine, and the virtualization layer has higher privileges than the virtual machine. The method comprises the following steps. First, the program information of the program that the virtual machine is about to execute is captured via the virtualization layer. Next, the program information is compared with cache information; if the program information matches the cache information, the program described by the program information is judged to be a normal program. The cache information is a temporary record of programs that are allowed to execute and have already executed. Then, if the program information does not match the cache information, it is compared with whitelist information stored in the database of the computer device; if the program information matches the whitelist information, the program is judged to be a normal program. Next, if the program information does not match the whitelist information, the execution parameters of the program information are checked; if the check passes, the program is judged to be a normal program, and if the check fails, the program is judged to be an abnormal program. Finally, once the program has been judged abnormal, it is decided whether to perform a security protection operation.

In summary, because the present invention performs information monitoring and defense in the virtualization layer, whose privileges are higher than those of the virtual machines, it can monitor and guard effectively against a virus inside a virtual machine no matter how it tries to evade detection, whether through encryption, packing, polymorphism or other techniques.

【Brief Description of the Drawings】

Fig. 1 is a block diagram of the computer program product for information security monitoring and defense of the present invention;

Fig. 2 is a flowchart of the information security monitoring and defense method of the present invention.

Explanation of reference signs

1: computer program product for information security monitoring and defense;
11: central control module;
111: whitelist recording module;
112: information monitoring module;
113: exception handling module;
12: information collection module;
121: memory information analysis module;
122: file system analysis module;
2: cloud virtual platform;
21: virtual machine;
S101 to S105: steps.

【Detailed Description】

The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it.

Please refer to Fig. 1, which shows a computer program product for information security monitoring and defense according to the present invention. The computer program product 1 for information security monitoring and defense runs on a computer device. The computer device provides at least one cloud virtual platform 2; a cloud virtual platform 2 corresponds to a virtualization layer and contains at least one virtual machine 21. The virtualization layer has higher privileges than the virtual machine 21, and the virtual machine 21 and the cloud virtual platform 2 are located outside the computer program product 1. The computer program product 1 comprises at least one information collection module 12 and a central control module 11. Each information collection module 12 is deployed on a cloud virtual platform 2 and captures, via the virtualization layer, the program information of programs that the corresponding virtual machine 21 is about to execute. The central control module 11 is connected to the information collection modules 12 and comprises a whitelist recording module 111, an information monitoring module 112 and an exception handling module 113. The whitelist recording module 111 provides whitelist information, which records the names of the programs allowed to execute. The information monitoring module 112 is connected to the whitelist recording module 111 and performs:

(1) comparing the program information with cache information; if the program information matches the cache information, the program is judged to be a normal program. The cache information is a temporary record of programs that are allowed to execute and have already executed;

(2) if the program information does not match the cache information, comparing the program information with the whitelist information stored in the database of the computer device; if the program information matches the whitelist information, the program is judged to be a normal program;

(3) if the program information does not match the whitelist information stored in the database, checking the execution parameters of the program information; if the check passes, the program is judged to be a normal program, and if the check fails, the program is judged to be an abnormal program.

The exception handling module 113 is connected to the information monitoring module 112; when a program has been judged abnormal, the exception handling module 113 decides whether to perform a security protection operation.

The whitelist information comprises a plurality of program records, each of which contains the name of an allowed program, the path of its executable file, its loaded file information, a file hash value or date information. The inspection items for the execution parameters of the program information are: (1) checking the memory content of the new program, (2) checking the loaded files, (3) checking whether the program is maliciously hidden, (4) checking whether malicious code has been implanted, and (5) checking whether each section of memory is normal. The security protection operation comprises isolating the network, terminating the execution of the malicious program, or suspending the execution of the virtual machine 21.

The information collection module 12 comprises a memory information analysis module 121 and a file system analysis module 122. The memory information analysis module 121 analyzes the name of the program to be loaded, its original file path and its loaded file information from the memory of the computer device, and composes the aforementioned program information from them. The file system analysis module 122 then uses the program information from the memory information analysis module 121 (program name, file path, loaded file information) to further analyze the date information, MD5 hash value or digital signature information of the files that the virtual machine 21 executes or loads from its file system.

Please refer next to Fig. 2, which shows an information security monitoring and defense method of the present invention, applied to a computer device. The computer device provides at least one cloud virtual platform 2, and each cloud virtual platform 2 corresponds to a virtualization layer and contains at least one virtual machine 21. The virtualization layer has higher privileges than the virtual machine 21. The information security monitoring and defense method comprises the following steps:

S101: A new program to be executed is discovered.

S102: The program information of the program that the virtual machine is about to execute is captured via the virtualization layer.

S103: The program information is compared with cache information. If the program information matches the cache information, the program described by the program information is judged to be a normal program and the method jumps to step S106. The cache information is a temporary record of programs that are allowed to execute and have already executed.

S104: If the program information does not match the cache information, it is compared with the whitelist information stored in the database of the computer device. If the program information matches the whitelist information, the program is judged to be a normal program and the method jumps to step S106.

S105: If the program information does not match the whitelist information stored in the database, the execution parameters of the program information and its memory content information are checked. If the check passes, the program is judged to be a normal program and the method jumps to step S106; if the check fails, the program is judged to be an abnormal program and the method jumps to step S107.

S106: The program is treated as a normal program.

S107: The program is treated as an abnormal program; jump to S108.

S108: Decide whether to perform a security protection operation.

Please refer to Fig. 1 and Fig. 2 together, which show an embodiment of the present invention. The computer program product 1 for information security monitoring and defense uses the properties of the cloud virtual platform: it is deployed in the server's high-privilege virtualization layer in order to obtain the running state, memory contents, file system and other information of the lower-privilege virtual machines 21.

The computer program product uses a many-to-one client-server architecture and is divided into the central control module 11 (server side) and the information collection modules 12 (client side) deployed on the virtual platforms. The central control module 11 is an application software module that can be installed on the server, in the server's virtualization layer, or further inside a virtual machine 21 (as a virtual appliance). When the computer program product starts operating, the information collection module 12 works together with the virtualization layer to monitor the server processor's registers, such as changes of CR3, so as to learn in real time whether the virtual machine 21 is about to execute a program or has started a new program, and then captures that program's program information. After capture, it first checks whether the cache information in the server's temporary storage contains a program that is allowed to execute and has already executed; if the captured program information matches a program in the cache information, the program passes inspection. If not, the program information is compared with the whitelist information. If the program belongs to the trusted whitelist and its content information has not been changed or modified in any way (that is, the program name, executable file path, loaded file information, file hash value, date and so on are all correct), the program passes inspection and is allowed to continue executing. Depending on the user's security requirements, the computer program product can additionally assign the information monitoring module 112, the memory information analysis module 121 or the file system analysis module 122 to perform advanced file inspection, such as verifying that the program's digital signature is valid or analyzing in depth whether the file contents associated with the program conceal malicious behaviour. If no anomaly is found, the memory contents corresponding to the program are monitored continuously, including whether the loaded files (DLLs, libraries, modules and so on) are legitimate, whether the program is maliciously hidden, whether malicious code has been implanted, and an in-depth analysis of whether each section of memory is normal.

Of the cache check, the whitelist check and the advanced memory check of the execution parameters described above, passing any one step marks the program as normal, while failing all of them marks it as abnormal. This inspection flow compensates for the inability of existing anti-virus software to detect unknown viruses and guards effectively against advanced persistent threats, without the need to keep updating virus signatures. When an anomaly is found, an alert is issued through the exception handling module 113 and the corresponding measures are taken according to the requirements of the user of the virtual machine 21, for example isolating the network, terminating the execution of the malicious program, or suspending the execution of the virtual machine 21.
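The decision flow of steps S101 to S108 and the inspection items listed for the execution parameters, written out as an added example in Python; this is not the patent's own code, and the field names, the sample programs, the SHA-256 hash (the description mentions MD5) and the cross-view check used for "maliciously hidden program" are assumptions made for illustration.

```python
"""Added example (not the patent's own code): the cache -> whitelist ->
execution-parameter decision flow of steps S103-S108 over constructed records."""
import hashlib
from collections import namedtuple
from dataclasses import dataclass

ACTIONS = ("isolate-network", "terminate-process", "suspend-vm")  # S108 choices

# One whitelist entry: name, path, loaded files, file hash and date (claim 2).
WhitelistRecord = namedtuple("WhitelistRecord", "name path loaded_files file_hash date")


@dataclass(frozen=True)
class ProgramInfo:
    """What the information collection module captures for one new program."""
    name: str
    path: str
    loaded_files: tuple          # modules mapped into the process (DLL, .so)
    file_bytes: bytes            # executable content read from the guest file system
    date: str                    # file date as recorded in the guest file system
    in_task_list: bool = True    # visible in the guest OS process list
    in_page_tables: bool = True  # visible from the hypervisor side (own CR3 value)
    regions: tuple = ()          # memory regions as (executable, writable, file_backed)

    @property
    def file_hash(self) -> str:
        # the patent mentions MD5; SHA-256 is used here (assumption)
        return hashlib.sha256(self.file_bytes).hexdigest()


def whitelist_match(info: ProgramInfo, rec: WhitelistRecord) -> bool:
    """S104: every recorded attribute must be unchanged for a match."""
    return (info.name == rec.name and info.path == rec.path
            and set(info.loaded_files) <= set(rec.loaded_files)
            and info.file_hash == rec.file_hash and info.date == rec.date)


def check_execution_params(info: ProgramInfo, allowed_modules: frozenset) -> list:
    """S105: the inspection items of the description; an empty list means pass."""
    findings = []
    unknown = [m for m in info.loaded_files if m not in allowed_modules]
    if unknown:                                   # loaded files
        findings.append("unknown modules loaded: " + ", ".join(unknown))
    if info.in_task_list != info.in_page_tables:  # hidden program (cross-view diff)
        findings.append("process hidden from one view")
    for executable, writable, file_backed in info.regions:
        if executable and not file_backed:        # implanted code
            findings.append("executable region not backed by a file")
        if executable and writable:               # memory section not normal
            findings.append("writable and executable region")
    return findings


class Monitor:
    """Information monitoring module plus exception handling (S103-S108)."""
    def __init__(self, whitelist, allowed_modules, policy="terminate-process"):
        if policy not in ACTIONS:
            raise ValueError("unknown protective action: %s" % policy)
        self.whitelist = {(r.name, r.path): r for r in whitelist}
        self.allowed_modules = frozenset(allowed_modules)
        self.policy = policy
        self.cache = set()  # programs already allowed and executed (S103)

    def classify(self, info: ProgramInfo):
        """Returns (verdict, reason); verdict is 'normal' or 'abnormal'."""
        key = (info.name, info.path, info.file_hash)
        if key in self.cache:
            return "normal", "cache"
        rec = self.whitelist.get((info.name, info.path))
        if rec is not None and whitelist_match(info, rec):
            self.cache.add(key)
            return "normal", "whitelist"
        findings = check_execution_params(info, self.allowed_modules)
        if not findings:
            self.cache.add(key)
            return "normal", "parameter-check"
        return "abnormal", "; ".join(findings)

    def handle(self, info: ProgramInfo):
        """S106-S108: None for a normal program, else the alert and the action."""
        verdict, reason = self.classify(info)
        if verdict == "normal":
            return None
        return {"alert": "%s (%s): %s" % (info.name, info.path, reason),
                "action": self.policy}


def demo():
    """Constructed sample: a trusted daemon, a tampered copy and an unknown binary."""
    sshd_bytes = b"constructed sshd binary v1"
    whitelist = [WhitelistRecord("sshd", "/usr/sbin/sshd", ("libc.so.6", "libcrypto.so.1.1"),
                                 hashlib.sha256(sshd_bytes).hexdigest(), "2014-08-01")]
    mon = Monitor(whitelist, {"libc.so.6", "libcrypto.so.1.1", "libz.so.1"})
    clean = ProgramInfo("sshd", "/usr/sbin/sshd", ("libc.so.6",), sshd_bytes,
                        "2014-08-01", regions=((True, False, True),))
    tampered = ProgramInfo("sshd", "/usr/sbin/sshd", ("libc.so.6",),
                           b"constructed sshd binary PATCHED", "2014-08-01",
                           regions=((True, False, True), (True, True, False)))
    hidden = ProgramInfo("svc.bin", "/tmp/svc.bin", ("libevil.so",), b"x", "2014-08-20",
                         in_task_list=False, regions=((True, False, False),))
    return [(p.name, mon.classify(p)) for p in (clean, clean, tampered, hidden)]
```

Running `demo()` shows the three outcomes the description distinguishes: the clean daemon passes on the whitelist and, on its second appearance, on the cache; the tampered copy fails the hash comparison and is caught by the memory checks; the unknown binary fails every stage. The cache key includes the file hash so that a modified binary with a trusted name and path cannot ride on an earlier cache entry.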

Through the architecture of the cloud virtualization platform, the present invention monitors the operating system and running programs of the lower-privilege virtual machine 21 from the higher-privilege virtualization layer. Compared with conventional technology, the advantages of the present invention are:

Unlike a conventional anti-virus mechanism, which is installed inside the operating system and whose protection is easily interfered with by a virus (for example, a virus can exploit a vulnerability to gain high privileges in the operating system), the present invention monitors from outside the virtual machine, with privileges higher than those of the virtual machine's operating system, and is therefore not affected by the virus.

The present invention can monitor the integrity of the virtual machine's operating system and guard against user-mode and kernel-mode rootkit attacks (including Ring 3 and Ring 0 hooking, DKOM and the like), achieving comprehensive protection.

Applying operating-system memory analysis to the virtual machine makes it possible to observe the actual behaviour of programs inside the virtual machine and prevents viruses from evading detection through encryption, packing, polymorphism and similar techniques. This compensates for the inability of anti-virus software to detect unknown viruses and guards effectively against advanced persistent threats.

Because the computer software product and method of the present invention are installed in the virtualization layer, no program needs to be installed separately in each virtual machine 21, and virus signatures do not need to be updated continuously.

The embodiments described above express only several implementations of the present invention; their description is fairly specific and detailed, but this must not be construed as limiting the scope of the patent. It should be noted that a person of ordinary skill in the art can make a number of variations and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. The scope of protection of this patent shall therefore be determined by the appended claims.

Claims (10)

1. the computer program of an information spy and defence, be applied to computer installation, described computer installation provides at least one high in the clouds virtual platform, described high in the clouds virtual platform matching virtual layer and comprise at least one virtual machine, the authority of described virtual level is higher than described virtual machine, and described virtual machine and described high in the clouds virtual platform are arranged at the outside of the computer program of information spy and defence, it is characterized in that, described computer installation program product comprises:
At least one information search module, is arranged at respectively described at least one high in the clouds virtual platform, and each described information search module is wanted the program information of executive routine via the described virtual machine of described virtual level acquisition coupling;
Central authorities' control module, connects described at least one information search module, and described central control module comprises:
White list logging modle, provides white list information, and described white list information record allows the program name of carrying out;
Information monitoring module, connects described white list logging modle, and described information monitoring module is carried out:
Described program information and cache information are compared, if described program information is matched with described cache information, judge that described program is normal procedure, described cache information recording permission is carried out and executed program, and described cache information is the program that temporary record allows execution and executed;
If described program information does not mate described cache information, described program information and the white list information that is arranged at described computer installation database are compared, if described program information mates described white list information, judge that described program is normal procedure;
If described program information does not mate the described white list information that is arranged at described database, the execution parameter of described program information is checked, if judge that by checking described program is normal procedure, if do not judge that by checking described program is abnormal program.
2. The computer program product for information security monitoring and defense according to claim 1, characterized in that the white list information stored in the computer device comprises a plurality of program record entries, each program record entry comprising the name of an allowed program, the execution file path of the program, loaded file information, a file hash value, or date and time information.
3. The computer program product for information security monitoring and defense according to claim 1, characterized in that the items inspected when checking the execution parameters of the program information comprise checking the memory content of the new program, checking whether files are loaded, checking whether the program is a maliciously concealed program, checking whether malicious program code has been injected, and checking whether each memory segment is normal.
4. The computer program product for information security monitoring and defense according to claim 1, characterized in that the central control module further comprises an exception handling module, the exception handling module being connected to the information monitoring module and performing a security protection operation when the program is judged to be an abnormal program, wherein the security protection operation comprises a network isolation operation, a malicious program termination operation, or a virtual machine suspension operation.
5. The computer program product for information security monitoring and defense according to claim 1, characterized in that each information search module comprises:
a memory information analysis module, which analyzes the program name information, original file path information, or loaded file information of the program that is about to be loaded into the memory of the computer device, in order to assemble the program information; and
a file system analysis module, which analyzes the program name information, file path information and loaded file information in the memory of the computer device, and analyzes the date and time information, MD5 hash value, or digital signature information of the files executed by the program as located in the file system.
6. An information security monitoring and defense method, applied to a computer device, wherein the computer device provides at least one cloud virtual platform, the cloud virtual platform is paired with a virtual layer and comprises at least one virtual machine, and the authority of the virtual layer is higher than that of the virtual machine, characterized in that the information security monitoring and defense method comprises the following steps:
acquiring, via the virtual layer, program information about a program that the at least one virtual machine is about to execute;
comparing the program information with cache information, and if the program information matches the cache information, judging that the program described by the program information is a normal program, wherein the cache information temporarily records programs that have been allowed to execute and have already executed;
if the program information does not match the cache information, comparing the program information with white list information stored in a database of the computer device, and if the program information matches the white list information, judging that the program is a normal program; and
if the program information does not match the white list information stored in the database, checking the execution parameters of the program information, and if the check passes, judging that the program is a normal program, and if the check does not pass, judging that the program is an abnormal program.
7. The information security monitoring and defense method according to claim 6, characterized in that the white list stored in the database comprises a plurality of program record entries, each program record entry comprising the name of an allowed program, program path information, a file hash value, or date and time information.
8. The information security monitoring and defense method according to claim 6, characterized in that the items inspected when checking the execution parameters of the program information comprise checking the memory content of the program, checking whether files are loaded, checking whether the program is a maliciously concealed program, checking whether malicious program code has been injected, and checking whether each memory segment is normal.
9. The information security monitoring and defense method according to claim 6, characterized in that, when the program is judged to be an abnormal program, a security protection operation is further performed, the security protection operation comprising a network isolation operation, a malicious program termination operation, or a virtual machine suspension operation.
10. The information security monitoring and defense method according to claim 6, characterized in that the program information comprises:
memory analysis information, which records the program name information, original file path information, or loaded file information of the program that the memory of the computer device is about to load; and
file system analysis information, which records the file name information, execution file path information, loaded file information, date and time information, MD5 hash value, or digital signature information of the program in the computer device.
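The decision procedure of claims 1 and 6 (cache, then white list, then the execution-parameter check of claims 3 and 8, followed by the protection operations of claims 4 and 9), modelled as an added example in Python. This is not code from the patent or from Chunghwa Telecom: the snapshot fields of ProgramInfo, the SHA-256 file hash (the claims name MD5), the LRU cache and the concrete parameter checks (concealed process, unknown loaded files, in-memory code differing from the file on disk, writable-and-executable segments) are assumptions standing in for what an agent at the virtual layer would collect, and the sample programs are constructed.

```python
import hashlib
from collections import OrderedDict
from dataclasses import dataclass


def file_hash(data: bytes) -> str:
    """Hash of an executable file (the claims name MD5; SHA-256 is used here)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ProgramInfo:
    """Constructed stand-in for the program information an information search
    module reads through the virtual layer about a program the VM is about to run."""
    name: str                      # program name
    path: str                      # execution file path
    loaded_files: tuple            # files the program loads (shared libraries etc.)
    exe_hash: str                  # hash of the executable file on disk
    memory_code_hash: str          # hash of the code section as mapped in memory
    visible_in_process_list: bool  # False models a concealed process
    segments: tuple                # (segment name, permission string) pairs

    def key(self):
        return (self.name, self.path, self.exe_hash)


class ApprovedCache:
    """Temporary record of programs already allowed to run (the cache of claims 1 and 6)."""

    def __init__(self, capacity: int = 256):
        self.capacity = capacity
        self._entries = OrderedDict()

    def __contains__(self, key) -> bool:
        if key in self._entries:
            self._entries.move_to_end(key)  # refresh LRU position on a hit
            return True
        return False

    def add(self, key) -> None:
        self._entries[key] = True
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the oldest entry


def check_execution_parameters(info: ProgramInfo, known_loaded_files: set):
    """Inspection items of claims 3 and 8, each modelled on one snapshot field.
    Returns (is_normal, reason)."""
    if not info.visible_in_process_list:
        return False, "hidden process"
    unknown = [f for f in info.loaded_files if f not in known_loaded_files]
    if unknown:
        return False, "loads unknown files: " + ", ".join(unknown)
    if info.memory_code_hash != info.exe_hash:
        return False, "in-memory code differs from file on disk (possible injection)"
    for seg_name, perms in info.segments:
        if "w" in perms and "x" in perms:
            return False, f"segment {seg_name} is writable and executable"
    return True, "parameters normal"


def classify(info, cache, whitelist, known_loaded_files):
    """Three-stage decision of claims 1 and 6: cache, white list, parameter check."""
    if info.key() in cache:
        return "normal", "cache"
    entry = whitelist.get((info.name, info.path))
    if entry is not None and entry["hash"] == info.exe_hash:
        cache.add(info.key())
        return "normal", "whitelist"
    ok, reason = check_execution_parameters(info, known_loaded_files)
    if ok:
        cache.add(info.key())
        return "normal", "parameter check"
    return "abnormal", reason


def security_actions(verdict: str) -> tuple:
    """Security protection operations of claims 4 and 9 for an abnormal program."""
    if verdict == "abnormal":
        return ("isolate network", "terminate program", "pause virtual machine")
    return ()


# Constructed sample data: one white-listed daemon (claim 2 fields) and the loaded
# files that known-good programs may use.
SSHD_BYTES = b"constructed sshd image"
WHITELIST = {("sshd", "/usr/sbin/sshd"): {"hash": file_hash(SSHD_BYTES), "date": "2014-08-22"}}
KNOWN_LOADED_FILES = {"libc.so.6", "libcrypto.so.1.0.0"}


def demo():
    """Runs four constructed program launches through the pipeline, returning the verdicts."""
    cache = ApprovedCache()
    libs = ("libc.so.6", "libcrypto.so.1.0.0")
    sshd = ProgramInfo("sshd", "/usr/sbin/sshd", libs, file_hash(SSHD_BYTES),
                       file_hash(SSHD_BYTES), True, ((".text", "r-x"), (".data", "rw-")))
    editor = ProgramInfo("editor", "/opt/editor", ("libc.so.6",), file_hash(b"editor"),
                         file_hash(b"editor"), True, ((".text", "r-x"),))
    loader = ProgramInfo("loader", "/tmp/loader", ("libc.so.6",), file_hash(b"loader"),
                         file_hash(b"loader with patched code"), True, ((".text", "rwx"),))
    return [classify(p, cache, WHITELIST, KNOWN_LOADED_FILES)
            for p in (sshd, sshd, editor, loader)]
```

The first launch of sshd is approved from the white list and cached, so the second launch is approved from the cache without touching the database; the unknown editor passes only on the parameter check, and the loader fails because its in-memory code no longer matches the file on disk. Because the cache is keyed on name, path and file hash, a cached program that is later modified in memory is not re-examined until its entry is evicted; a deployment of this scheme should invalidate cache entries when the memory analysis of claim 5 observes such a change.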
CN201410418166.5A 2014-03-17 2014-08-22 Computer program product for information security monitoring and defense and method thereof Pending CN104200162A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW103109856 2014-03-17
TW103109856A TWI515599B (en) 2014-03-17 2014-03-17 Computer program products and methods for monitoring and defending security

Publications (1)

Publication Number Publication Date
CN104200162A true CN104200162A (en) 2014-12-10

Family

ID=52085453

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410418166.5A Pending CN104200162A (en) 2014-03-17 2014-08-22 Computer program product for information security monitoring and defense and method thereof

Country Status (2)

Country Link
CN (1) CN104200162A (en)
TW (1) TWI515599B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106529315A (en) * 2016-11-04 2017-03-22 杭州华澜微电子股份有限公司 Hard disk security protection method and system
CN106529284A (en) * 2016-11-02 2017-03-22 深圳前海生生科技有限公司 Security chip-based security reinforcement method for virtual machine monitor
CN110443876A (en) * 2019-07-31 2019-11-12 新华三大数据技术有限公司 3D rendering rendering method and device
CN116074108A (en) * 2023-02-17 2023-05-05 深圳依时货拉拉科技有限公司 Method, device, computer equipment and computer readable storage medium for protecting application program safety

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI668592B (en) * 2017-07-28 2019-08-11 中華電信股份有限公司 Method for automatically determining the malicious degree of Android App by using multiple dimensions
TWI765690B (en) * 2021-04-30 2022-05-21 精品科技股份有限公司 Method of application control based on observation mode
TWI800135B (en) 2021-12-03 2023-04-21 財團法人工業技術研究院 Method and system for establishing applicaiton white list

Also Published As

Publication number Publication date
TW201537379A (en) 2015-10-01
TWI515599B (en) 2016-01-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141210