CN110611675A - Vector magnitude detection rule generation method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN110611675A
Authority
CN
China
Prior art keywords
detection rule
rule
client
detection
base
Prior art date
Legal status
Pending
Application number
CN201910896725.6A
Other languages
Chinese (zh)
Inventor
肖新光
吕经祥
童志明
何公道
Current Assignee
Harbin Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Harbin Antiy Technology Group Co Ltd
Priority to CN201910896725.6A
Publication of CN110611675A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a vector-level detection rule generation method, a vector-level detection rule generation device, an electronic device and a storage medium, which address the problem that the prior art cannot respond rapidly to malicious events. The method comprises the following steps: monitoring the operation of the client; if suspicious behaviour is monitored, performing vector extraction on the suspicious behaviour in combination with the current scene information, performing automatic analysis and generating a detection rule; the client sends the detection rule to a server, and the server evaluates the detection rule; and if the detection rule passes the evaluation, the client is notified and detects the suspicious behaviour according to the detection rule.

Description

Vector magnitude detection rule generation method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for generating vector level detection rules, an electronic device, and a storage medium.
Background
With the development and popularization of computer technology, computer applications have fully penetrated into the work and life of people and become indispensable important tools and home entertainment equipment for people. Along with the wide use of computers, corresponding computer security problems also occur.
Because the resources of attacker and defender are unequal, the attacker can easily obtain the defender's detection engine, modify and repackage the malicious sample until it is disguised, and thereby evade detection by that engine. In traditional malicious-behaviour response, after a malicious behaviour occurs an analyst sorts out the information about it and summarizes an identification method, and only then can the malicious sample be detected. This manual intervention is time-consuming: while the manual analysis and summary are awaited, the malware may already have spread across the network by the time the samples can be detected. A method for rapidly completing the emergency response and preventing the further spread of malicious events is therefore essential.
Disclosure of Invention
The embodiment of the invention provides a vector-level detection rule generation method, a vector-level detection rule generation device, an electronic device and a storage medium, which address the problem that the prior art cannot respond rapidly to malicious events.
Based on the above problem, a method for generating a vector level detection rule provided in an embodiment of the present invention includes:
monitoring the operation of the client; if suspicious behaviour is monitored, performing vector extraction on the suspicious behaviour in combination with the current scene information, performing automatic analysis and generating a detection rule; the client sends the detection rule to a server, and the server evaluates the detection rule; and if the detection rule passes the evaluation, the client is notified and detects the suspicious behaviour according to the detection rule.
Further, the content of the vector extraction includes: strings specific to an APT group, IP addresses and domain names, and behaviour information and file structure information obtained through static analysis and dynamic analysis.
Further, the server side also comprises a rule base, which stores the detection rules sent by the client side;
the server side evaluates the detection rule specifically as follows: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, the detection rule is recorded into the rule base;
and the server side collects safe samples and continuously updates the white-list sample base.
The embodiment of the invention provides a vector level detection rule generation device, which comprises:
the device comprises a server side and a client side, which establish a data connection through a data transmission management unit and a data transmission unit; the server side comprises an evaluation unit, and the client side comprises a detection engine, an extraction and analysis unit, a detection rule generation unit and a detection unit. Detection engine: monitors the operation of the client. Extraction and analysis unit: if suspicious behaviour is monitored, performs vector extraction on it in combination with the current scene information and analyses it automatically. Detection rule generation unit: generates the detection rule. Detection unit: if the detection rule passes evaluation, detects suspicious behaviour according to it. Evaluation unit: evaluates the detection rule sent by the client to the server.
Further, the content of the vector extraction includes: strings specific to an APT group, IP addresses and domain names, and behaviour information and file structure information obtained through static analysis and dynamic analysis.
Further, the server side also comprises a rule base, which stores the detection rules sent by the client side;
the server side evaluates the detection rule specifically as follows: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, the detection rule is recorded into the rule base;
and the server side collects safe samples and continuously updates the white-list sample base.
The embodiment of the invention also discloses an electronic device for vector-level detection rule generation, which comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is arranged in the space enclosed by the housing and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading that code from the memory, in order to execute any one of the aforementioned vector-level detection rule generation methods.
An embodiment of the present invention provides a computer-readable storage medium, which is characterized in that the computer-readable storage medium stores one or more programs, and the one or more programs are executable by one or more processors to implement any of the aforementioned vector level detection rule generation methods.
Compared with the prior art, the vector-level detection rule generation method, device, electronic device and storage medium provided by the embodiment of the invention achieve at least the following beneficial effects: the operation of the client is monitored; if suspicious behaviour is monitored, vector extraction is performed on it in combination with the current scene information, automatic analysis is performed and a detection rule is generated; the client sends the detection rule to a server, which evaluates it; and if the detection rule passes the evaluation, the client is notified and detects the suspicious behaviour according to the rule. The embodiment of the invention requires no manual intervention, the whole process is automated, and a timely response to malicious behaviour is achieved, preventing it from spreading further.
Drawings
Fig. 1 is a flowchart of a method for generating a vector-level detection rule according to an embodiment of the present invention;
fig. 2 is a flowchart of another method for generating vector level detection rules according to an embodiment of the present invention;
fig. 3 is a structural diagram of a vector-level detection rule generating apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In the field of malware analysis, security software is a resource that is easy to obtain, so an attacker can modify malicious code specifically against that security software, attacking it more easily while the security vendor finds it hard to defend. In the traditional approach, manual intervention takes place after a malicious behaviour is found, but it takes a long time; while the manual analysis and summary are awaited and until the samples can be detected, the malicious behaviour has already erupted in the network. Often, however, a few simple strings, or the program-logic code that follows a section of compiler framework code, are enough to detect the malicious behaviour completely.
Based on this, the following describes specific embodiments of a vector level detection rule generation method, device, electronic device, and storage medium according to embodiments of the present invention with reference to the accompanying drawings.
The method for generating the vector level detection rule provided by the embodiment of the invention, as shown in fig. 1, specifically comprises the following steps:
S101, a detection engine monitors the operation of the client;
S102, if suspicious behaviour is monitored, vector extraction is performed on it in combination with the current scene information, automatic analysis is performed, and a detection rule is generated;
vector extraction means obtaining the various valuable pieces of information in a sample. The extracted content comprises: strings specific to an APT group (mutex names, PDB paths, special component names, etc.), IP addresses and domain names, behaviour information obtained by static analysis and dynamic analysis, file structure information, and so on.
S103, the client sends the detection rule to a server, and the server evaluates the detection rule;
specifically: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
S104, if the detection rule passes the evaluation, the client is notified and detects the suspicious behaviour according to the detection rule;
the detection rule comprises: a hash of the malicious behaviour, a string found in the malicious behaviour (e.g. wanancryv2019), the binary of the program-logic code that follows the compiler framework code, and the like.
The embodiment of the invention requires no manual intervention, the whole process is automated, and a timely response to malicious behaviour is achieved, preventing it from spreading further.
As shown in fig. 2, a further method for generating a vector-level detection rule provided in the embodiment of the present invention specifically includes the following steps:
S201, a detection engine monitors the operation of the client;
S202, if suspicious behaviour is monitored, vector extraction is performed on it in combination with the current scene information, automatic analysis is performed, and a detection rule is generated;
S203, the client sends the detection rule to the server; the server compares the received detection rule with the rules in the rule base, and if the rule exists in the rule base, step S204 is executed; if not, step S205 is executed;
S204, the server notifies the client, the client detects suspicious behaviour according to the detection rule, and then step S207 is executed;
if the received detection rule does not exist in the rule base and is finally judged to be valid, it is recorded into the rule base; and the server collects safe samples and continuously updates the white-list sample base.
S205, the detection rule is tested against the white-list sample base: if the detection rule detects no sample in the white list, which indicates that the rule essentially produces no false alarms, the test passes, the rule is judged to be valid and step S204 is executed; if the detection rule detects a sample in the white list, this indicates that the rule produces false alarms, the test fails and step S206 is executed;
S206, the server notifies the client that the detection rule failed evaluation, and the client does not execute any detection rule.
S207, the suspicious behaviour and the corresponding detection rule are sent for manual analysis, which further extracts detailed vector features and generates a more effective detection rule;
the refined detection rule produced by the manual analysis is stored in the rule base.
According to the embodiment of the invention, no manual intervention is needed, the whole process is automated, and a timely response to malicious behaviour is achieved, preventing it from spreading further; the server continuously updates the white list to reduce false alarms from detection rules; and manual analysis is introduced afterwards so that the corresponding detection rule can be further improved.
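The client-side extraction and rule generation (S201-S202) and the server-side evaluation against the rule base and white-list sample base (S203-S206), written out as an added Python illustration; this is not code from the patent or from Antiy. The sample bytes, the white-list samples, the `Rule` type, `RuleServer` and `run_pipeline` are all constructed for this example, and a "string" rule is simply a substring match.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for bytes captured from a suspicious file/process and for
# the server's white-list sample base (both made up for this illustration).
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00<compiler framework code>\x00"
    b"Global\\wanancryv2019_mutex\x00"
    b"C:\\work\\dropper\\Release\\dropper.pdb\x00"
    b"http://203.0.113.45/gate.php\x00"
    b"update.example-c2.invalid\x00"
)
WHITELIST_SAMPLES = [
    b"MZ\x90\x00<compiler framework code>\x00Global\\OfficeUpdateMutex\x00"
    b"C:\\build\\office\\office.pdb\x00https://update.example.com/check\x00",
    # A benign tool that happens to talk to the same shared-hosting IP.
    b"MZ\x90\x00<compiler framework code>\x00http://203.0.113.45/status\x00",
]

IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
URL_RE = re.compile(r"^https?://([^/\s]+)")


@dataclass(frozen=True)
class Rule:
    kind: str   # "hash" (SHA-256 of the whole sample) or "string" (substring match)
    value: str


def extract_vectors(sample: bytes, scene: dict) -> dict:
    """Vector extraction: APT-specific strings (mutex, PDB path), IPs and domains.
    `scene` is the current-scene information (e.g. the triggering process)."""
    vectors = {"mutex": [], "pdb": [], "ip": [], "domain": [], "scene": scene}
    for raw in sample.split(b"\x00"):
        token = raw.decode("ascii", errors="ignore").strip()
        if not token:
            continue
        if token.startswith("Global\\"):
            vectors["mutex"].append(token)
        elif token.lower().endswith(".pdb"):
            vectors["pdb"].append(token)
        else:
            m = URL_RE.match(token)
            host = m.group(1) if m else token
            if IP_RE.match(host):
                vectors["ip"].append(host)
            elif DOMAIN_RE.match(host):
                vectors["domain"].append(host)
    return vectors


def rule_matches(rule: Rule, sample: bytes) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(sample).hexdigest() == rule.value
    return rule.value.encode() in sample


def generate_rules(vectors: dict, sample: bytes) -> list:
    """Automatic analysis: one hash rule plus one string rule per extracted vector,
    most specific vector kinds first."""
    rules = [Rule("hash", hashlib.sha256(sample).hexdigest())]
    for kind in ("mutex", "pdb", "domain", "ip"):
        rules.extend(Rule("string", v) for v in vectors[kind])
    return rules


class RuleServer:
    """Server side: rule base plus white-list sample base (steps S203-S206)."""

    def __init__(self, whitelist):
        self.rule_base = set()
        self.whitelist = list(whitelist)

    def collect_benign(self, sample: bytes) -> None:
        """The server keeps collecting safe samples to grow the white list."""
        self.whitelist.append(sample)

    def evaluate(self, rule: Rule) -> str:
        if rule in self.rule_base:                    # S203: already known -> S204
            return "accepted"
        if any(rule_matches(rule, s) for s in self.whitelist):
            return "rejected"                         # S205 fails: false alarm -> S206
        self.rule_base.add(rule)                      # valid rule is recorded
        return "accepted"                             # -> S204


def run_pipeline(server: RuleServer, sample: bytes, scene: dict) -> dict:
    """Client side: extract, generate, submit each rule, keep only accepted ones."""
    vectors = extract_vectors(sample, scene)
    verdicts = {r: server.evaluate(r) for r in generate_rules(vectors, sample)}
    active = [r for r, v in verdicts.items() if v == "accepted"]
    # S104/S204: the client now detects with the accepted rules only.
    return {"verdicts": verdicts, "hits": [r for r in active if rule_matches(r, sample)]}


if __name__ == "__main__":
    srv = RuleServer(WHITELIST_SAMPLES)
    out = run_pipeline(srv, SUSPICIOUS_SAMPLE, {"process": "dropper.exe"})
    for rule, verdict in out["verdicts"].items():
        print(f"{verdict:8} {rule.kind:6} {rule.value}")
```

Running it shows the mutex, PDB path and domain rules being accepted while the bare IP rule is rejected because a white-listed sample contacts the same address, which is exactly the false-alarm case S205 is meant to catch.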
An embodiment of the present invention further provides a vector-level detection rule generating apparatus, as shown in fig. 3, including:
the device comprises a server side 00 and a client side 01, which establish a data connection through a data transmission management unit 001 and a data transmission unit 011; the server side comprises an evaluation unit 002, and the client side comprises a detection engine 012, an extraction and analysis unit 013, a detection rule generation unit 014 and a detection unit 015. Detection engine: monitors the operation of the client. Extraction and analysis unit: if suspicious behaviour is monitored, performs vector extraction on it in combination with the current scene information and analyses it automatically. Detection rule generation unit: generates the detection rule. Detection unit: if the detection rule passes evaluation, detects suspicious behaviour according to it. Evaluation unit: evaluates the detection rule sent by the client to the server.
Further, the content of the vector extraction includes: strings specific to an APT group, IP addresses and domain names, and behaviour information and file structure information obtained through static analysis and dynamic analysis.
Further, the server side further comprises a rule base 003, which stores the detection rules sent by the client side;
the server side evaluates the detection rule specifically as follows: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, the detection rule is recorded into the rule base;
and the server side collects safe samples and continuously updates the white-list sample base 004.
An embodiment of the present invention further provides an electronic device; fig. 4 is a schematic structural diagram of an embodiment of this electronic device, which can implement the flow of the embodiments shown in figs. 1-2. As shown in fig. 4, the electronic device may comprise: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, where the circuit board 44 is arranged inside the space enclosed by the housing 41 and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading that code from the memory 43, and is configured to execute the vector-level detection rule generation method of any of the foregoing embodiments.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1-2 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smartphones (e.g. iPhones), multimedia phones, feature phones and low-end phones, among others.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions, and generally offer mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g. iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (e.g. iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on, and is similar to a general-purpose computer architecture, but has higher requirements on processing capacity, stability, reliability, security, scalability and manageability because it must provide highly reliable services.
(5) Other electronic devices with a data interaction function.
An embodiment of the present invention also provides a computer-readable storage medium, which stores one or more programs that are executable by one or more processors to implement the aforementioned vector-level detection rule generation method.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such a process, method, article or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A vector-level detection rule generation method, comprising:
monitoring the operation of the client;
if suspicious behaviour is monitored, performing vector extraction on the suspicious behaviour in combination with the current scene information, performing automatic analysis, and generating a detection rule;
the client sends the detection rule to the server, and the server evaluates the detection rule;
and if the detection rule passes the evaluation, notifying the client, and the client detecting the suspicious behaviour according to the detection rule.
2. The method of claim 1, wherein the content of the vector extraction comprises: strings specific to an APT group, IP addresses and domain names, and behaviour information and file structure information obtained through static analysis and dynamic analysis.
3. The method of claim 1, wherein the server further comprises a rule base, which stores the detection rules sent by the client;
and the server evaluates the detection rule specifically as follows: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
4. The method of claim 3, wherein if the received detection rule does not exist in the rule base and the detection rule is finally determined to be valid, the detection rule is recorded in the rule base;
and the server collects safe samples and continuously updates the white-list sample base.
5. A vector-level detection rule generation device, characterized by comprising a server side and a client side, wherein the server side and the client side establish a data connection through a data transmission management unit and a data transmission unit; the server side comprises an evaluation unit, and the client side comprises a detection engine, an extraction and analysis unit, a detection rule generation unit and a detection unit;
the detection engine monitors the operation of the client;
the extraction and analysis unit, if suspicious behaviour is monitored, performs vector extraction on the suspicious behaviour in combination with the current scene information and analyses it automatically;
the detection rule generation unit generates the detection rule;
the detection unit, if the detection rule passes evaluation, detects suspicious behaviour according to the detection rule;
the evaluation unit evaluates the detection rule sent by the client to the server.
6. The device of claim 5, wherein the content of the vector extraction comprises: strings specific to an APT group, IP addresses and domain names, and behaviour information and file structure information obtained through static analysis and dynamic analysis.
7. The device of claim 5, wherein the server further comprises a rule base, which stores the detection rules sent by the client;
and the server evaluates the detection rule specifically as follows: if the received detection rule already exists in the rule base, the client is notified directly; if the received detection rule does not exist in the rule base, the detection rule is tested against a white-list sample base, and if the test passes the detection rule is judged to be valid.
8. The device of claim 7, wherein if the received detection rule does not exist in the rule base and the detection rule is finally determined to be valid, the detection rule is recorded in the rule base;
and the server collects safe samples and continuously updates the white-list sample base.
9. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading that code from the memory, in order to execute the vector-level detection rule generation method of any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the vector-level detection rule generation method of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910896725.6A CN110611675A (en) 2019-09-20 2019-09-20 Vector magnitude detection rule generation method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910896725.6A CN110611675A (en) 2019-09-20 2019-09-20 Vector magnitude detection rule generation method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110611675A (en) 2019-12-24

Family

ID=68891952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910896725.6A Pending CN110611675A (en) 2019-09-20 2019-09-20 Vector magnitude detection rule generation method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110611675A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084503A (en) * 2020-09-18 2020-12-15 珠海豹趣科技有限公司 Interception rule base generation method and device and electronic equipment
WO2021169730A1 (en) * 2020-02-25 2021-09-02 深信服科技股份有限公司 Method and device for data processing, and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103927483A (en) * 2014-04-04 2014-07-16 西安电子科技大学 Decision model for detecting malicious programs and malicious program detection method
CN104966020A (en) * 2014-07-24 2015-10-07 哈尔滨安天科技股份有限公司 Eigenvector-based anti-virus detection method and system
CN105488091A (en) * 2015-06-19 2016-04-13 哈尔滨安天科技股份有限公司 Network data detection method and system based on keyword matching
CN106302440A (en) * 2016-08-11 2017-01-04 国家计算机网络与信息安全管理中心 Method for obtaining suspicious phishing websites through multiple channels
CN108040075A (en) * 2018-01-31 2018-05-15 海南上德科技有限公司 APT attack detection system
CN108200087A (en) * 2018-02-01 2018-06-22 平安科技(深圳)有限公司 Web intrusion detection method, device, computer equipment and storage medium
US20190166141A1 (en) * 2017-11-30 2019-05-30 Shape Security, Inc. Detection of malicious activity using behavior data
CN110210216A (en) * 2018-04-13 2019-09-06 腾讯科技(深圳)有限公司 Virus detection method and related apparatus

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021169730A1 (en) * 2020-02-25 2021-09-02 深信服科技股份有限公司 Method and device for data processing, and storage medium
CN113381962A (en) * 2020-02-25 2021-09-10 深信服科技股份有限公司 Data processing method, device and storage medium
CN113381962B (en) * 2020-02-25 2023-02-03 深信服科技股份有限公司 Data processing method, device and storage medium
CN112084503A (en) * 2020-09-18 2020-12-15 珠海豹趣科技有限公司 Interception rule base generation method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN111030986B (en) Attack organization traceability analysis method and device and storage medium
Schmidt et al. Monitoring smartphones for anomaly detection
CN108875364B (en) Threat determination method and device for unknown file, electronic device and storage medium
CN110868377B (en) Method and device for generating network attack graph and electronic equipment
CN110866248B (en) Ransomware identification method and device, electronic equipment and storage medium
CN110611675A (en) Vector magnitude detection rule generation method and device, electronic equipment and storage medium
CN111030974A (en) APT attack event detection method, device and storage medium
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN110740117A (en) Counterfeit domain name detection method and device, electronic equipment and storage medium
CN111062035B (en) Ransomware detection method and device, electronic equipment and storage medium
CN111027065B (en) Ransomware identification method and device, electronic equipment and storage medium
CN114338102B (en) Security detection method, security detection device, electronic equipment and storage medium
CN111027063A (en) Method, device, electronic equipment and storage medium for preventing terminal from infecting worm
CN108197475B (en) Malicious so module detection method and related device
CN111030977A (en) Attack event tracking method and device and storage medium
CN113987489A (en) Method and device for detecting unknown threat of network, electronic equipment and storage medium
CN114692150A (en) Sandbox environment-based malicious code analysis method and device and related equipment
CN105787302B (en) A kind of processing method of application program, device and electronic equipment
CN113779576A (en) Identification method and device for executable file infected virus and electronic equipment
CN108875363B (en) Method and device for accelerating virtual execution, electronic equipment and storage medium
CN108881151B (en) Joint-point-free determination method and device and electronic equipment
CN113139179A (en) Web attack-based analysis method and device
CN115967566A (en) Network threat information processing method and device, electronic equipment and storage medium
CN111797393B (en) Method and device for detecting malicious mining behavior based on GPU
CN111030987A (en) Correlation analysis method and device for multiple safety devices and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
    Applicant after: Antan Technology Group Co.,Ltd.
    Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
    Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20191224