CN101719846A - Security monitoring method, device and system - Google Patents


Info

Publication number
CN101719846A
Authority
CN
China
Prior art keywords
network
new
characteristic information
file
connects
Prior art date
Legal status
Pending
Application number
CN200810223727A
Other languages
Chinese (zh)
Inventor
张学红
李安平
王真
李永春
邱思恒
赵强
杨芳芳
Current Assignee
China Mobile Group Tianjin Co Ltd
Original Assignee
China Mobile Group Tianjin Co Ltd

Abstract

The invention discloses a security monitoring method, device and system for solving the problem that security monitoring of computer equipment in the prior art is untimely and inaccurate. The security monitoring method comprises the following steps: storing the characteristic information of valid monitoring objects; generating the characteristic information of a new monitoring object occurring on the monitored equipment; comparing the characteristic information of the new monitoring object with the stored characteristic information of the valid monitoring objects; and confirming from the comparison result whether the monitoring object is secure. By adopting the invention, invalid files or network connections, and potentially invalid files or network connections, can be found in time, thereby providing a guarantee for effectively stopping attack activities on the computer equipment in time.

Description

Security monitoring method, apparatus and system
Technical field
The present invention relates to the fields of communication and computer technology, and in particular to a security monitoring method, apparatus and system.
Background technology
With the development of Internet technology, information security has become a very important problem across the whole Internet. Information security incidents currently emerge in an endless stream, and existing security monitoring and information security protection technologies always lag behind the changes and progress of the various attack means.
Intrusion attacks on a host generally take two forms: executing attack code on the attacked host's system, or establishing a network connection channel to the attacked host and intruding into the host through that channel.
Existing information monitoring technologies and information security protection technologies mainly include the following classes: virus protection systems, network firewalls, host firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and so on.
Against the intrusion mode of executing attack code on the attacked host, the technologies that have been applied at scale among existing information security protection technologies mainly include: code scanning technology based on a malicious code feature database, packet filtering technology based on a feature database, and rule-based packet filtering technology, in addition to heuristic filtering technology. In the prior art, information monitoring is mainly accomplished by analysing the logs of the above systems, so neither its timeliness nor its accuracy can be guaranteed.
The three most commonly used security technologies in the prior art are described below:
1. Security technology based on feature codes
In the prior art, feature-code based security technology stores the feature codes of malicious code that has already appeared in a feature database and judges from the feature database whether newly appearing code is malicious: when the feature code of the code is detected to be identical to a feature code saved in the database, the code is judged to be malicious and handled promptly; when the feature code of the new code is not in the database, it cannot be detected whether the newly appeared code is malicious, and the feature code of that malicious code can only be compiled, saved to the feature database and the database updated after the malicious code has already caused more serious consequences. The effective protection lag of security products adopting this class of technology is therefore generally 1-2 weeks or more. And as the kinds and quantity of malicious code keep increasing, the feature database in fact finds it difficult to guarantee a complete collection of the feature codes of malicious code.
2. Rule-based security technology
Rules are normally set manually, so rule-based security technology can usually only defend against the malicious behaviour that the rules filter out, and cannot defend against malicious behaviour hidden within the rules. Because the rules set are general and mandatory, although rule-based information security technology can resist part of the malicious behaviour, it can also affect some normal application programs.
3. Heuristic security technology
Heuristic security technology was proposed to solve problems such as the continuous mutation of malicious code, but it builds on feature-code based and rule-based security technology, so heuristic security technology also has the shortcomings of the two technologies above, only to a different degree.
At present, to prevent attack code being executed on the attacked host's system, the security systems applied at scale are normally composed of the above three types of technology combined, so the prior art has the following defects: first, a lag in discovering attacks; second, the unpredictability of newly generated attacks. Because of these two defects, a new attack behaviour cannot be discovered and handled at the first moment it appears, and there is no effective way to control or defend against the new attack behaviour in time.
Against intrusion by establishing a network connection channel to the attacked host and entering the host through that channel, existing host firewalls adopt host network security protection means based on host process network access policies; network firewalls adopt network security protection means based on source IP address, destination IP address, port number and protocol type; IDS adopts network security monitoring means based on packet content; and IPS is a combination of the network firewall and IDS means.
The existing network security technologies above can, to a great extent, guard against and defend all kinds of attacks on hosts and the network. But these security means cannot achieve absolute security; in particular, because of the continuous appearance of new attack patterns, the above technologies, or a simple combination of them, cannot carry out fully effective monitoring and defence against some emerging, potential attacks.
Therefore the prior art lacks an effective way to control or defend in time against the unpredictability of attacks carried out over network connections.
Summary of the invention
The invention provides a security monitoring method, apparatus and system to solve the problem in the prior art that security monitoring of illegal objects on computer equipment is untimely and inaccurate.
The invention provides the following technical solutions:
A security monitoring method comprises:
saving the characteristic information of legitimate monitored objects;
when a new monitored object appears on the monitored device, generating the characteristic information of this new monitored object;
comparing the characteristic information of the new monitored object with the saved characteristic information of the legitimate monitored objects, and confirming from the comparison result whether the new monitored object is safe.
A host security monitoring apparatus comprises:
a storage module, used to save the characteristic information of legitimate monitored objects;
a monitoring module, used to generate the characteristic information of a new monitored object when one appears on the monitored device;
a confirmation module, used to compare the characteristic information of the new monitored object with the saved characteristic information of the legitimate monitored objects, and to confirm from the comparison result whether the new monitored object is safe.
A security monitoring system comprises:
a client agent device, used to generate and send the characteristic information of a new monitored object when one appears on the equipment that the client agent device monitors;
a server, used to receive the characteristic information of the new monitored object sent by the client agent device, compare it with the saved characteristic information of the legitimate monitored objects, and confirm from the comparison result whether the new monitored object is safe.
In the above embodiments of the invention, the characteristic information of legitimate monitored objects is saved in advance; when a new monitored object appears on the monitored device, its characteristic information is generated and compared with the characteristic information of the legitimate monitored objects saved in advance, and whether the new monitored object is safe is determined from the comparison result. On the one hand, the characteristic information is analysed and judged as soon as the new monitored object appears, so illegal objects on the monitored device can be found in time, which provides the precondition for stopping in time the malicious behaviour of such an illegal object attacking the monitored device; on the other hand, the legitimacy judgement of a monitored object is carried out on the basis of the characteristic information of legitimate monitored objects saved in advance, which improves the accuracy of security monitoring. For example, when the monitored object is a file, every file whose characteristic information does not match the characteristic information of the legitimate files saved in advance is confirmed as an unsafe file; these may include potentially illegal files, such as continuously emerging or mutating malicious code, so the accuracy of security monitoring is improved to a certain extent, and a further guarantee is provided for stopping in time attacks on the equipment by continuously mutating malicious code. As another example, when the monitored object is a network connection, every network connection whose characteristic information does not match that of the legitimate network connections saved in advance is confirmed as an unsafe network connection; these may include connections judged unsafe because the process allowed through the connection is illegal, so the validity of security monitoring is improved to a certain extent, and a further guarantee is provided for stopping in time attacks on the equipment over potentially unsafe network connections.
Description of drawings
Fig. 1 is a flow chart of the host security monitoring method of embodiment one of the invention;
Fig. 2 is a structural diagram of the security monitoring device of embodiment one of the invention;
Fig. 3 is a structural diagram of the security monitoring system of embodiment one of the invention;
Fig. 4 is a functional architecture diagram of the security monitoring system of embodiment one of the invention;
Fig. 5 is a flow chart of the security monitoring method of embodiment two of the invention;
Fig. 6 is a structural diagram of the security monitoring device of embodiment two of the invention;
Fig. 7 is a structural diagram of the security monitoring system of embodiment two of the invention;
Fig. 8 is a functional architecture diagram of the security monitoring system of embodiment two of the invention.
Embodiment
The invention proposes a security monitoring method, apparatus and system applicable to computer equipment (such as a host). In the technical solution provided by the invention, the characteristic information of legitimate monitored objects is saved in advance; when a new monitored object appears on the monitored device, its characteristic information is generated and compared with that of the legitimate monitored objects saved in advance, and whether the new monitored object is safe is confirmed from the comparison result. The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment one
This embodiment describes the security monitoring scheme when the monitored object is a file, that is, the security monitoring scheme against the intrusion mode of executing attack code on the attacked host's system.
Attacks relying on code are usually divided into two kinds: script-based attacks and attacks based on binary executables. Whatever attack pattern the attacker adopts, one or more directly or indirectly executed files (such as executable files and dynamic link library files, hereinafter simply called files) are usually generated in the operating system of the attacked host, and different attack patterns generate different file contents.
In this embodiment, before security monitoring is carried out on the computer or network equipment (such as a host), the legitimate files must be inventoried and the characteristic information of the binary code corresponding to each legitimate file recorded, as the basis for judging whether a file is legitimate. Because the number of files in an operating system is large and the data volume of a single file may also be fairly large, in this embodiment a feature code of a fixed length (normally shorter than the file's binary code) is generated from the binary code of each legitimate file and stored.
Generating the feature code of a file from its binary code can be done with a uniform algorithm. The algorithm chosen should guarantee as far as possible that feature codes generated from different file contents also differ; for example, a hash algorithm commonly used among information security cryptographic algorithms can be chosen, and a specific implementation using such an algorithm can be:
Select a message digest algorithm h = H(f) as the function for generating file feature codes. Applying h = H(f) to the binary code of the legitimate files f1, f2, ..., fn respectively yields the feature codes of these legitimate files: h1 = H(f1), h2 = H(f2), ..., hn = H(fn). The feature codes of these legitimate files are saved on the host that needs security monitoring, or on other equipment that the host can access. The message digest algorithm chosen can be MD5, MD4, SHA1, SHA128, SHA512, or some other commonly used message digest algorithm.
Based on the saved feature codes of the legitimate files, the flow for security monitoring of the host's operation can be as shown in Fig. 1.
Referring to Fig. 1, the flow of host security monitoring in the embodiment of the invention comprises:
Step 101: monitor the files on the host, mainly monitoring whether a new file appears on the host.
In this step, monitoring whether a new file appears can be done by means such as file snapshots or process monitoring.
Step 102: when a new file is detected on the host, execute step 103; otherwise execute step 101.
Step 103: generate the feature code corresponding to the new file from its binary code.
In this step, the algorithm used to generate the feature code of the new file is the same as the algorithm used to generate the feature codes of the legitimate files saved in advance.
Step 104: compare the feature code of the new file with the feature codes of the saved legitimate files; if the comparison result is consistent, execute step 105; otherwise execute step 106.
In this step, the feature code of the new file is compared with the feature codes of the saved legitimate files; if a feature code identical to that of the new file is found among the saved feature codes of the legitimate files, the new file is confirmed as a legitimate file; otherwise the new file is regarded as an illegal file or a file of undetermined legitimacy, such as an unauthorised file or an aggressive file.
Step 105: confirm that the new file is a legitimate file and process it further in the usual way, such as executing it.
Step 106: confirm that the new file is an illegal file or a file of undetermined legitimacy, and optionally refuse to execute the new file and/or start a security alarm.
In this step, after the new file is confirmed as illegal or of undetermined legitimacy, if a comparatively strict security monitoring measure is desired, the host system can be required to refuse to execute the file, and the security alarm and security log operations can further be started; the security log operation can record the relevant information of the file (such as file name and generation time) and the alarm reason. If a comparatively flexible security monitoring measure is taken, the host system can be required to start a security alarm that presents the alarm information (such as file name and alarm reason) and the optional operations (such as refuse execution or allow execution) to the user, carry out the corresponding handling according to the user's choice, and further start the security log operation. The system administrator can confirm from the file information recorded in the security log whether the file is illegal; when the file is a new legitimate file rather than an illegal one, its feature code can be generated from its binary code and saved, so that in subsequent host security monitoring the file is not judged illegal again.
An example of the above flow: there are three legitimate files on the host's system disk (such as disk C), a.exe, b.exe and c.bat, whose corresponding feature codes are shown in Table 1:
Table 1
Sequence number   File name   Feature code
1                 a.exe       83A915AF6CE79A4702FB02EDC48EF8D22D4D86EA
2                 b.exe       321C45ADD50F913550954EC452347B6B863AAB8F
3                 c.bat       986210DE55154E01C7D739333D44122B98B1DA38
When two new files, d.exe and f.cmd, are detected on disk C, the message digest algorithm is used to compute the feature codes of the two files from their binary code, as follows:
The feature code of d.exe is: 83A915AF6CE79A4702FB02EDC48EF8D22D4D86EA;
The feature code of f.cmd is: 30EA7CB0E511D949376A114DDAC8510993CFDFE7;
Comparing the feature codes of d.exe and f.cmd respectively with the feature codes of the legitimate files saved in advance (Table 1), the comparison shows that the feature code of d.exe is identical to that of a.exe in Table 1, so d.exe can be judged a legitimate file; no feature code identical to that of f.cmd is found in Table 1, so f.cmd can be judged an illegal file or a file of undetermined legitimacy.
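The Fig. 1 flow (steps 101 to 106, including the security log and the administrator's later approval of a logged file) run end to end on constructed data, as an added example that is not part of the patent and not code of the applicant. It assumes SHA-1 as H(f) (the 40-hex-digit codes in Table 1 are of SHA-1 length), a file-snapshot diff as the step 101 detection method, and constructed sample bytes: the file names mirror the Table 1 walk-through, but the contents and therefore the digests are constructed here, not the patent's.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample file contents (hypothetical bytes, not the patent's real files).
# d.exe is given the same bytes as a.exe so that, as in the patent's walk-through,
# its feature code matches a stored legitimate file; f.cmd matches nothing.
SAMPLE_FILES_BEFORE = {
    "a.exe": b"MZ\x90\x00constructed-sample-binary-a",
    "b.exe": b"MZ\x90\x00constructed-sample-binary-b",
    "c.bat": b"@echo off\r\necho constructed sample\r\n",
}
SAMPLE_FILES_AFTER = dict(SAMPLE_FILES_BEFORE)
SAMPLE_FILES_AFTER["d.exe"] = SAMPLE_FILES_BEFORE["a.exe"]
SAMPLE_FILES_AFTER["f.cmd"] = b"echo constructed unknown script\r\n"


def feature_code(binary: bytes) -> str:
    """H(f): one uniform message digest over the file's binary code (SHA-1 assumed)."""
    return hashlib.sha1(binary).hexdigest().upper()


@dataclass
class HostMonitor:
    """Single-machine device of Fig. 2: storage module (legitimate feature codes),
    a file snapshot used to detect new files, and the security log."""
    legitimate: dict[str, str] = field(default_factory=dict)   # feature code -> file name
    snapshot: set[str] = field(default_factory=set)
    security_log: list[dict] = field(default_factory=list)

    def register_legitimate(self, name: str, binary: bytes) -> str:
        """Inventory step done before monitoring: store H(f) of a legitimate file."""
        code = feature_code(binary)
        self.legitimate[code] = name
        self.snapshot.add(name)
        return code

    def check_file(self, name: str, binary: bytes, strict: bool = True) -> dict:
        """Steps 103-106 for one new file; returns the decision record."""
        code = feature_code(binary)
        if code in self.legitimate:                                   # step 104 consistent -> 105
            return {"file": name, "feature_code": code, "verdict": "legitimate",
                    "matches": self.legitimate[code], "action": "allow"}
        record = {"file": name, "feature_code": code,                  # step 104 inconsistent -> 106
                  "verdict": "illegal_or_undetermined",
                  "action": "refuse_execute" if strict else "alarm_and_ask_user",
                  "alarm": True, "reason": "feature code not among legitimate files"}
        self.security_log.append(record)                              # security log operation
        return record

    def scan(self, current_files: dict[str, bytes], strict: bool = True) -> list[dict]:
        """Steps 101-102: a snapshot diff finds files that were not present before."""
        new_names = sorted(set(current_files) - self.snapshot)
        results = [self.check_file(n, current_files[n], strict) for n in new_names]
        self.snapshot.update(new_names)
        return results

    def admin_approve(self, name: str, binary: bytes) -> str:
        """Administrator confirms a logged file is legitimate; its feature code is
        stored so the same file is not judged illegal again."""
        return self.register_legitimate(name, binary)
```

Registering the three "before" files, then calling `scan(SAMPLE_FILES_AFTER)` reports d.exe as legitimate (it matches a.exe) and f.cmd as illegal or undetermined with a log entry; `admin_approve("f.cmd", ...)` afterwards makes a repeat check pass. One caveat a deployment would want: the patent lists MD5, MD4 and SHA1 among acceptable digests, but collisions are now practical for MD5 and SHA-1, so a current implementation would choose SHA-256 (`hashlib.sha256`) for the whitelist; the comparison logic is unchanged.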
The host security monitoring flow provided by this embodiment can run on a single machine or on a C/S (client/server) architecture.
In single-machine mode, the host monitors itself through a security monitoring device installed on it; the structure of the security monitoring device, as shown in Fig. 2, can comprise a storage module 20, a monitoring module 21 and a confirmation module 22, where:
the storage module 20 stores the feature codes of the legitimate files;
the monitoring module 21 is used to monitor whether a new file appears on the host and, when one does, to generate the feature code of the new file;
the confirmation module 22 is used to compare the feature code generated by the monitoring module 21 with the feature codes of the legitimate files saved in advance in the storage module 20, and to confirm from the comparison result whether the new file is legitimate, specifically: when the comparison result shows that the generated feature code is consistent with a feature code of a legitimate file saved in advance, the new file is determined to be a legitimate file; otherwise the new file is determined to be an illegal file or a file of undetermined legitimacy.
Optionally, the security monitoring device can also comprise a processing module 23, used to keep handling the new file in the usual way, such as continuing to execute it, when the confirmation module 22 confirms that it is legitimate, and to stop or refuse executing the file and/or start a security alarm after the new file is confirmed to be illegal or of undetermined legitimacy.
The security monitoring system architecture in C/S mode can be as shown in Fig. 3, comprising a client agent device (Agent) 31 and a server (Server) 32; there are one or more Agents (only one is shown in Fig. 3), and an Agent is usually installed on the equipment to be monitored (such as a host), where:
the Agent 31 is used to monitor whether a new file appears on the host where the Agent resides or on the host that the Agent monitors, and, when a new file is detected, to generate the characteristic information of the new file and send it;
the Server 32 is used to receive the characteristic information sent by the Agent 31, compare it with the characteristic information of the legitimate files saved in advance, confirm from the comparison result whether the file corresponding to the received characteristic information (that is, the new file that appeared on the monitored host) is legitimate, and further start a security alarm when the file is confirmed to be illegal or of undetermined legitimacy.
The Agent 31 in this system can comprise a monitoring module 311 and an output module 312, where:
the monitoring module 311 is used to monitor whether a new file appears on the host where the Agent 31 resides or on the host it monitors, and, when a new file is detected, to generate the feature code corresponding to the file from the new file's binary code;
the output module 312 is used to send the feature code information generated by the monitoring module 311 to the Server 32.
The Server 32 in this system can comprise a storage module 320, a receiving module 321, a confirmation module 322 and an alarm module 323, where:
the storage module 320 stores the feature codes of the legitimate files;
the receiving module 321 is used to receive the feature code information sent by the Agent;
the confirmation module 322 is used to compare the feature code received by the receiving module 321 with the feature codes of the legitimate files saved in advance in the storage module 320, and to confirm from the comparison result whether the new file is legitimate, specifically: when the comparison result is consistent, the new file is confirmed to be a legitimate file; when the comparison result is inconsistent, the new file is confirmed to be an illegal file or a file of undetermined legitimacy;
the alarm module 323 is used to start a security alarm when the confirmation result of the confirmation module 322 is that the new file is illegal or of undetermined legitimacy, and can further send the alarm information to the Agent 31.
Because there are many legitimate files on a host, the amount of feature code information that must be saved for them is also large and the workload of comparing feature codes is considerable; a C/S mode with centralised storage and centralised judgement distributes the security monitoring and processing tasks reasonably between client and server, reducing the load on the host and improving processing efficiency. C/S mode is also better suited to handling large volumes of data, and since the client connects directly to the server without intermediate links, the response is fast.
The embodiment of the invention monitors whether a new file appears on the host and, when one is detected, computes the file's feature code from its binary code and compares it with the feature codes of the legitimate files saved in advance on the server or the host to judge whether the new file is legitimate. In this way, the malicious behaviour of an attacker executing attack code on the attacked host's system in order to attack the host is effectively limited, achieving the purpose of discovering malicious behaviour in time and further stopping it in time.
It should be noted that, besides generating a file's feature code from its binary code as above, those skilled in the art can also generate a file's characteristic information in other ways according to the prior art.
In practical applications, either single-machine mode or C/S mode can be adopted.
Referring to Fig. 4, the functional framework of the host security monitoring system of the embodiment of the invention is a three-tier architecture: client agent (Agent) - server (Server) - client (Client), corresponding to an acquisition function layer, a recognition function layer and an application function layer, each of which can be realised by program code. The Agent is installed on each monitored host; the Server runs on a server in the network and is used to collect the information from each host and to identify security events; the Client can run on any administrative PC terminal and is used to monitor and handle security events. Where:
the acquisition function layer is used to realise the information collection function, including generating file feature codes; for example, when a new file is detected on the host, the feature code of the file is generated and the generated feature code information is sent to the recognition function layer;
the recognition function layer can comprise a trusted file feature code database (HDB), a violation event identification module, a security event alarm processing module, a security log processing module and a trusted policy update module. After the violation event identification module in the recognition function layer receives file feature code information, it compares it with the feature codes of the legitimate files saved in advance in the HDB; when the comparison result confirms that the corresponding file is illegal or of undetermined legitimacy, it starts the security event alarm processing module to raise an alarm and sends the alarm information to the application function layer. Optionally, the security log processing module can further be started to record the characteristic information and alarm reason of the file, so that the administrator can subsequently analyse and tally security events and update the HDB.
The application function layer is used to present received alarm information to the user, which can be displayed in a multimedia manner.
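The Agent/Server exchange of Fig. 3 and the recognition-layer modules of Fig. 4 (HDB, violation identification, alarm forwarded to the application layer, security log, trusted policy update) as one added example; it is not the patent's or the applicant's code. It assumes a JSON message carrying only the file name and feature code (the patent does not fix a wire format), SHA-1 as the shared digest, and constructed file bytes for the HDB. It also adds the check, implied by step 104's requirement that both sides use the same algorithm, that the Server rejects a report whose feature code cannot be compared with the HDB.

```python
from __future__ import annotations

import hashlib
import json

# Digest shared by Agent and Server (an assumption; step 104 requires both sides to agree).
ALGORITHM = "sha1"


def feature_code(binary: bytes) -> str:
    return hashlib.new(ALGORITHM, binary).hexdigest().upper()


class Agent:
    """Client agent (Agent 31): monitoring module 311 builds the report, output module 312 sends it."""

    def __init__(self, host: str):
        self.host = host

    def report_new_file(self, name: str, binary: bytes) -> bytes:
        # Only the feature code crosses the wire, never the file contents.
        msg = {"type": "new_file", "host": self.host, "file": name,
               "algorithm": ALGORITHM, "feature_code": feature_code(binary)}
        return json.dumps(msg).encode()

    @staticmethod
    def act_on_verdict(reply: bytes) -> dict:
        """Fail closed: anything other than an explicit legitimate verdict refuses execution."""
        v = json.loads(reply)
        action = "allow" if v.get("legitimate") is True else "refuse_execute"
        return {"file": v.get("file"), "action": action, "alarm": bool(v.get("alarm", False))}


class Server:
    """Server 32 / recognition function layer."""

    def __init__(self, trusted_files: dict[str, bytes]):
        self.hdb = {feature_code(b): n for n, b in trusted_files.items()}   # trusted file feature code database
        self.security_log: list[dict] = []                                 # security log processing module
        self.client_alarms: list[dict] = []                                # handed to the application layer

    def handle(self, wire: bytes) -> bytes:
        """Receiving module 321, confirmation module 322 and alarm module 323 in one call."""
        msg = json.loads(wire)
        code = msg.get("feature_code", "")
        expected_len = hashlib.new(ALGORITHM).digest_size * 2
        comparable = (msg.get("algorithm") == ALGORITHM and len(code) == expected_len
                      and all(c in "0123456789ABCDEF" for c in code))
        if not comparable:
            return json.dumps({"type": "error", "file": msg.get("file"),
                               "reason": "feature code not comparable with HDB"}).encode()
        if code in self.hdb:
            return json.dumps({"type": "verdict", "file": msg["file"],
                               "legitimate": True, "matches": self.hdb[code]}).encode()
        event = {"host": msg["host"], "file": msg["file"], "feature_code": code,
                 "reason": "feature code not in trusted file feature code database"}
        self.security_log.append(event)
        self.client_alarms.append(event)
        return json.dumps({"type": "verdict", "file": msg["file"], "legitimate": False,
                           "alarm": True, "reason": event["reason"]}).encode()

    def policy_update(self, feature_code_hex: str, name: str) -> None:
        """Trusted policy update module: the administrator adds a confirmed-legitimate file to the HDB."""
        self.hdb[feature_code_hex] = name


def exchange(agent: Agent, server: Server, name: str, binary: bytes) -> dict:
    """One full round trip: Agent report -> Server verdict -> Agent action."""
    return agent.act_on_verdict(server.handle(agent.report_new_file(name, binary)))
```

Because the Agent acts on the verdict rather than on local state, the same `exchange` serves a fleet of Agents against one HDB, which is the load-distribution argument the patent makes for C/S mode; the administrator's `policy_update` is the only path that turns an alarmed file into a trusted one.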
Embodiment two
Security monitoring scheme when the present embodiment description is the network connection at monitored object, that is, and at being established to the network interface channel of being attacked main frame and the security monitoring scheme of invading the intrusion behavior of main frame by this passage.
On a computer device or network device requiring security monitoring (such as a host), the connection attribute information of each current network connection is obtained and the characteristic information of the process running over that connection is generated. The obtained connection attribute information and the generated process characteristic information are then matched, respectively, against the pre-stored connection attribute information of the network connections regarded as safe (that is, legitimate network connections) and the characteristic information of the legitimate processes that each safe connection is permitted to run. Whether the network connection on the host is safe is confirmed from the matching result, and further processing may follow: when the connection is confirmed safe it is handled in the usual way (for example, the connection is kept or allowed to proceed); when it is confirmed unsafe, a security alarm is raised.
In this embodiment, before a host is monitored, the network connections regarded as safe and the legitimate processes each such connection is permitted to run are surveyed, and the connection attribute information of the safe connections together with the characteristic information of their permitted legitimate processes is stored as the basis for judging whether a network connection is safe. This information may be stored as a list. The connection attribute information of a network connection comprises the protocol type, source address, destination address and port number of the connection; the characteristic information of a permitted legitimate process is the feature code of the legitimate process that is allowed to run on the port of that connection. The stored connection attribute information and process characteristic information may be kept locally on the host or on another device that the host can access.
The feature code of the legitimate process permitted on the port of a safe connection may be generated from the binary code of that process. The procedure for generating a process's feature code from its binary code has been described above and is not repeated here.
Based on the stored connection attribute information of safe network connections and the characteristic information of their corresponding legitimate processes, the running state of the host can be monitored for security.
Fig. 5 shows the host security monitoring flow of the embodiment of the invention, comprising the following steps:
Step 501: monitor the network connections on the host, obtain the connection attribute information of each current connection, and generate the feature code of the process running over that connection.
Those skilled in the art can monitor the network connections on a host in a number of existing ways, for example by monitoring the host's IP stack or its TCP/UDP connection state. One concrete implementation is to run the command that lists network connections and read the current connections on the host from its output; the information obtained may include the protocol type, source address, destination address and port number of each connection. When a process is running on the port of a monitored connection, the feature code of that process is generated.
Step 502: compare the connection attribute information of the connection on the host and the characteristic information of the process running over it with, respectively, the pre-stored connection attribute information of the safe connections and the characteristic information of their legitimate processes. If the connection attribute information of the connection on the host matches that of a safe connection, and the feature code of the process running over the connection matches the feature code of the legitimate process of that safe connection, go to step 503; otherwise go to step 504.
If the host currently has several network connections, the connection attribute information and process feature code of each connection are compared with the stored connection attribute information and legitimate process feature codes of the safe connections. The comparison is a match when the protocol type, source address, destination address and port number of the connection agree with the corresponding fields of a safe connection, and the feature code of the process running on the port of the connection agrees with the feature code of that safe connection's legitimate process. Where an address (source and/or destination) of a safe connection is stored as an IP address range, the comparison is a match if, with the protocol type, port number and process feature code agreeing with the corresponding information of the safe connection, the IP address of the connection on the host falls within that address range.
Step 503: confirm that the connection on the host is a safe network connection; it may then be handled in the usual way.
Step 504: confirm that the connection on the host is an unsafe network connection; a security alarm may then be raised.
In the above flow, when the protocol type, source IP address, destination IP address and port number of the current connection have been obtained, they may first be compared with the corresponding information of the stored safe connections; if they do not match, the connection is determined to be unsafe. Only when they match is the feature code of the process running on the port of the connection generated and compared with the feature code of the legitimate process of the corresponding safe connection, and the safety of the connection decided from that result. In this way only connections that have been preliminarily judged safe by protocol type, address and port go through the process feature-code check, which reduces system resource consumption and raises system efficiency compared with the flow of Fig. 1.
The above flow may be run periodically, that is, the monitoring of the host's network connections, the collection of connection attribute information and the generation of the feature codes of the processes running over the connections may be repeated on a cycle, so that the connections on the host are analysed and judged in good time and unsafe connections are discovered promptly.
An example following the above flow: the safe connection information stored in advance is shown in Table 2.
Table 2
No.   Protocol type   Source IP address   Destination IP address   Destination port   Feature code of permitted process
1     TCP             10.142.8.*          10.142.1.1               80                 83A915AF6CE79A4702FB02EDC48EF8D22D4D86EA
2     TCP             10.142.6.*          10.142.3.2               9901               321C45ADD50F913550954EC452347B6B863AAB8F
3     UDP             10.142.4.32         10.142.9.3               8804               321C45ADD50F913550954EC452347B6B863AAB8F
As shown in Table 2, the stored safe connection information records, for each safe connection, its protocol type, source IP address, destination IP address and destination port number, together with the feature code of the legitimate process permitted to run on it.
The IP address of monitored host A is 10.142.1.1. Host A detects a current network connection on itself whose protocol type is TCP, source IP address 10.142.8.31, destination IP address 10.142.1.1 and destination port 80, and finds two processes running on this port: iexplorer.exe (the IE browser) and spy.exe (a Trojan horse program whose function is to steal user accounts and passwords). Host A generates a process feature code from the binary code of the iexplorer.exe process and another from the binary code of the spy.exe process, and compares the protocol type, addresses, port and the generated feature codes with the corresponding record of Table 2 (connection No. 1). The protocol type, addresses and port of the connection and the feature code generated from iexplorer.exe agree with the information of record No. 1, but the feature code generated from spy.exe has no corresponding entry in record No. 1. The connection on host A is therefore judged to be an unsafe network connection, that is, an unsafe process (spy.exe) is performing data access over it.
The IP address of monitored host B is 10.142.3.2. Host B detects a current network connection whose protocol type is TCP, source IP address 10.142.8.31 and destination port 9901, with the iexplorer.exe process running on this port. Host B compares the protocol type, addresses and port of the connection with the corresponding record of Table 2 (connection No. 2). The protocol type and port agree with record No. 2, but the source IP address does not (10.142.8.31 lies outside the range 10.142.6.*), so the connection on host B is judged to be an unsafe network connection.
The IP address of monitored host C is 10.142.9.3. Host C detects a current network connection whose protocol type is UDP, source IP address 10.142.4.32 and destination port 8804, with the iexplorer.exe process running on this port; however, the code of an illegitimate process has been injected into this process, that is, the process is under the control of an illegitimate process. Host C generates a process feature code from the binary code of the iexplorer.exe process and compares the protocol type, addresses, port and generated feature code with the corresponding record of Table 2 (connection No. 3). The protocol type, addresses and port agree with record No. 3, but the generated feature code does not agree with the process characteristic information of record No. 3, so the connection on host C is judged to be an unsafe network connection.
The example shows that, in the security monitoring of a network connection, both the protocol type, addresses and port of the connection and the legitimacy of the process running on the port of the connection are monitored; as soon as any one item disagrees with the safe connection, the connection is treated as unsafe and subsequent processing such as a security alarm is carried out. Compared with prior art that monitors only the protocol type, addresses and port of a connection, or only the legitimacy of a process, this improves the effectiveness of security monitoring.
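The two-stage check of Fig. 5 (protocol, address and port first, process feature code second) and the Table 2 example above, carried through in working code. This is an added example, not code from the patent or from China Mobile. Two things it assumes that the patent does not state: the feature code is the SHA-1 digest of the process image (the patent only says the code is generated from the process's binary code; its 40-hex-character codes are merely consistent with SHA-1), and a trailing "*" in a stored address means "any value for the remaining octets". As a generalisation, CIDR notation is accepted for the stored address as well. The binaries and the table entries are constructed here, so the codes differ from the hex strings in Table 2.

```python
"""Two-stage whitelist check of host network connections (Fig. 5 / Table 2).

Added example, not the patent's code. Assumptions not stated in the patent:
  * process feature code = SHA-1 of the process image;
  * "10.142.8.*" matches any address with that prefix; CIDR is also accepted.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeConnection:
    """One row of the safe-connection table (Table 2)."""
    proto: str
    src: str           # exact IP, "10.142.8.*" style wildcard, or CIDR
    dst: str
    port: int
    process_code: str  # feature code of the one process permitted on this port


@dataclass
class Observed:
    """A connection seen on the host, plus the images of the processes on its port."""
    proto: str
    src: str
    dst: str
    port: int
    process_images: dict  # process name -> bytes of the running image (constructed)


def feature_code(image: bytes) -> str:
    """Feature code of a process image: SHA-1 hex digest (assumption, see above)."""
    return hashlib.sha1(image).hexdigest().upper()


def addr_matches(pattern: str, ip: str) -> bool:
    """Exact address, trailing-* wildcard (10.142.8.*) or CIDR (10.142.8.0/24)."""
    if pattern.endswith(".*"):
        return ip.startswith(pattern[:-1])      # keep the dot: "10.142.8." != "10.142.80."
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def check_connection(rules, obs):
    """Return (safe, reason).  Stage 1: protocol/address/port; stage 2: feature codes.

    Stage 2 (hashing) only runs for connections that pass stage 1, which is the
    resource-saving order the description gives for Fig. 5.  Every process on
    the port must be permitted, so a second, unlisted process (host A) fails.
    """
    candidates = [r for r in rules
                  if r.proto == obs.proto and r.port == obs.port
                  and addr_matches(r.src, obs.src) and addr_matches(r.dst, obs.dst)]
    if not candidates:
        return False, "no safe connection with this protocol/address/port"
    permitted = {r.process_code for r in candidates}
    for name, image in obs.process_images.items():
        code = feature_code(image)
        if code not in permitted:
            return False, f"process {name} (feature code {code[:8]}...) not permitted on port {obs.port}"
    return True, "matches a safe connection and its permitted process"


# Constructed stand-ins for the binaries; a real agent reads the process image.
IEXPLORER_IMAGE = b"MZ\x90\x00 iexplorer.exe (constructed stand-in for the IE browser)"
SPY_IMAGE = b"MZ\x90\x00 spy.exe (constructed stand-in for the credential-stealing trojan)"
INJECTED_IMAGE = IEXPLORER_IMAGE + b"\x00 injected code (constructed, host C case)"
IEXPLORER_CODE = feature_code(IEXPLORER_IMAGE)

# Table 2 rebuilt with the constructed codes (the patent's hex strings are illustrative).
TABLE_2 = [
    SafeConnection("TCP", "10.142.8.*", "10.142.1.1", 80, IEXPLORER_CODE),
    SafeConnection("TCP", "10.142.6.*", "10.142.3.2", 9901, IEXPLORER_CODE),
    SafeConnection("UDP", "10.142.4.32", "10.142.9.3", 8804, IEXPLORER_CODE),
]


def host_a():  # two processes on port 80, one of them spy.exe -> stage 2 fails
    return check_connection(TABLE_2, Observed("TCP", "10.142.8.31", "10.142.1.1", 80,
                            {"iexplorer.exe": IEXPLORER_IMAGE, "spy.exe": SPY_IMAGE}))


def host_b():  # source 10.142.8.31 is outside 10.142.6.* -> stage 1 fails, nothing hashed
    return check_connection(TABLE_2, Observed("TCP", "10.142.8.31", "10.142.3.2", 9901,
                            {"iexplorer.exe": IEXPLORER_IMAGE}))


def host_c():  # iexplorer.exe image altered by injected code -> stage 2 fails
    return check_connection(TABLE_2, Observed("UDP", "10.142.4.32", "10.142.9.3", 8804,
                            {"iexplorer.exe": INJECTED_IMAGE}))


def host_a_clean():  # same connection as host A without spy.exe -> safe
    return check_connection(TABLE_2, Observed("TCP", "10.142.8.31", "10.142.1.1", 80,
                            {"iexplorer.exe": IEXPLORER_IMAGE}))


if __name__ == "__main__":
    for label, fn in [("host A", host_a), ("host B", host_b),
                      ("host C", host_c), ("host A (clean)", host_a_clean)]:
        safe, reason = fn()
        print(f"{label}: {'SAFE' if safe else 'UNSAFE'}: {reason}")
```

Two caveats a practitioner would attach to the host C case. The patent describes the feature code as generated from the process's binary code; if that code is taken from the file on disk, an injected process image still hashes to the permitted value and host C is not detected, so the code has to be computed over the running image (or the check paired with an in-memory integrity check). And because this is a positive model, any connection or process absent from the initial survey is reported unsafe, so the completeness of that survey, and a controlled update path for it, decide the false-alarm rate.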
The host security monitoring flow of this embodiment may run on a single machine or under a client/server (C/S) architecture.
In stand-alone mode the host monitors itself by means of a security monitoring device installed on it. As shown in Fig. 6, the device may comprise a storage module 60, a monitoring module 61 and a confirmation module 62, wherein:
the storage module 60 stores the characteristic information of legitimate network connections, comprising the connection attribute information and the characteristic information of the legitimate processes that each connection is permitted to run;
the monitoring module 61 is configured to obtain, when a new network connection appears on the host on which the security monitoring device is installed, the connection attribute information of that new connection, and to generate the characteristic information of the process running over it;
the confirmation module 62 is configured to compare the connection attribute information obtained by the monitoring module 61 with the connection attribute information of the safe connections stored in advance in the storage module 60, to compare the generated process characteristic information with the characteristic information of the legitimate process of the corresponding safe connection, and to confirm from the comparison result whether the connection is safe; the detailed procedure is as described above and is not repeated here.
Optionally, the security monitoring device may further comprise a processing module 63, configured to raise a security alarm when the confirmation module 62 confirms that a network connection on the device is unsafe, and further to start logging, recording the connection attribute information of the unsafe connection, the feature code of the illegitimate process running over it and the cause of the alarm.
Under the C/S model the security monitoring system may be structured as shown in Fig. 7, comprising one or more client agent devices (Agent) 71 (only one is shown in Fig. 7) and a server (Server) 72. An Agent is usually installed on the device to be monitored (such as a host), wherein:
Agent 71 is configured to monitor the current network connections on the host on which it is installed or on the host it monitors; when a new network connection appears, it obtains and sends the connection attribute information of the new connection, and generates and sends the characteristic information of the process running over it;
Server 72 is configured to receive the connection attribute information and process characteristic information sent by Agent 71, to compare them respectively with the pre-stored connection attribute information of the safe connections and the characteristic information of their legitimate processes, to confirm from the comparison result whether the connection reported by Agent 71 is safe, and further to raise a security alarm when the connection is confirmed unsafe.
Agent 71 in this system may comprise a monitoring module 711 and an output module 712, wherein:
the monitoring module 711 is configured to obtain the connection attribute information of a new network connection on the host and to generate the characteristic information of the process running over that new connection;
the output module 712 is configured to send the connection attribute information obtained and the characteristic information generated by the monitoring module 711 to the server 72.
Server 72 in this system may comprise a storage module 720, a receiving module 721, a confirmation module 722 and an alarm module 723, wherein:
the storage module 720 stores the characteristic information of legitimate network connections, comprising the connection attribute information and the characteristic information of the legitimate processes that each connection is permitted to run;
the receiving module 721 is configured to receive the connection attribute information and process characteristic information sent by Agent 71;
the confirmation module 722 is configured to compare the connection attribute information and process characteristic information received by the receiving module 721 respectively with the connection attribute information of the safe connections stored in advance in the storage module 720 and the characteristic information of their legitimate processes, and to confirm from the comparison result whether the new connection observed by Agent 71 is safe; the detailed procedure is as described above and is not repeated here;
the alarm module 723 is configured to raise a security alarm when the confirmation module 722 finds a network connection unsafe, and may further send the alarm information to Agent 71.
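The Agent/Server exchange of Fig. 7 as a runnable round trip: the agent's monitoring module reads the host's connections from the output of the connection-listing command, attaches the feature code of the process on each connection, and the output module serialises the report; the server's receiving, confirmation and alarm modules check it against the stored safe connections and answer with the alarm, writing the log record of the optional security log (connection attributes, offending process feature code, alarm cause). This is an added example, not the patent's or China Mobile's code. It assumes things the patent does not fix: the listing command is Windows `netstat -ano` (column layout of the constructed sample below; the monitored host is the local/destination side, the peer the source, following Table 2), the feature code is a SHA-1 digest of the process image, messages are JSON, and the server store uses exact address matching rather than the address ranges the patent also allows. PIDs, process images and the safe-connection entry are constructed.

```python
"""Agent 71 -> Server 72 exchange for connection monitoring (Fig. 7).

Added example, not the patent's code.  Assumptions not in the patent:
`netstat -ano` as the listing command, SHA-1 of the process image as feature
code, JSON messages, exact-match safe-connection store.
"""
import hashlib
import json

# ---- Agent 71: monitoring module 711 + output module 712 ----

# Constructed `netstat -ano` snapshot of host 10.142.1.1 (not real output).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.142.1.1:80          10.142.8.31:51020      ESTABLISHED     1532
  TCP    10.142.1.1:80          10.142.8.31:51021      ESTABLISHED     2208
  TCP    10.142.1.1:135         0.0.0.0:0              LISTENING       904
"""

# Constructed PID -> (process name, bytes of the running image).
PROCESS_TABLE = {
    1532: ("iexplorer.exe", b"MZ iexplorer.exe constructed image"),
    2208: ("spy.exe", b"MZ spy.exe constructed image"),
    904: ("svchost.exe", b"MZ svchost.exe constructed image"),
}


def feature_code(image: bytes) -> str:
    """SHA-1 hex digest of the process image (assumption, see above)."""
    return hashlib.sha1(image).hexdigest().upper()


def parse_netstat(text: str) -> list:
    """Turn `netstat -ano` lines into connection attribute records.

    Local address = monitored host (destination), foreign address = peer
    (source).  Listening sockets have no peer and are skipped; UDP lines carry
    no State column, so the PID is always taken from the last token.
    """
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP"):
            continue
        local, foreign, pid = tok[1], tok[2], int(tok[-1])
        state = tok[3] if len(tok) == 5 else None
        if state == "LISTENING" or foreign.startswith(("*:", "0.0.0.0:")):
            continue
        dst, port = local.rsplit(":", 1)
        src = foreign.rsplit(":", 1)[0]
        conns.append({"proto": tok[0], "src": src, "dst": dst, "port": int(port), "pid": pid})
    return conns


def agent_report(host: str, netstat_text: str, processes: dict) -> str:
    """Monitoring module: add process name + feature code; output module: serialise."""
    report = {"host": host, "connections": []}
    for c in parse_netstat(netstat_text):
        name, image = processes[c["pid"]]
        c.update(process=name, feature_code=feature_code(image))
        report["connections"].append(c)
    return json.dumps(report)


# ---- Server 72: storage 720, receiving 721, confirmation 722, alarm 723 ----

class Server:
    def __init__(self):
        self.safe = {}   # (proto, src, dst, port) -> set of permitted feature codes
        self.log = []    # security log entries: connection, offending code, cause

    def store_safe(self, proto, src, dst, port, code):
        self.safe.setdefault((proto, src, dst, port), set()).add(code)

    def confirm(self, c: dict):
        """Confirmation module: None when safe, otherwise the alarm cause."""
        permitted = self.safe.get((c["proto"], c["src"], c["dst"], c["port"]))
        if permitted is None:
            return "connection attributes not in safe-connection store"
        if c["feature_code"] not in permitted:
            return f"process {c['process']} not permitted on this connection"
        return None

    def handle_report(self, message: str) -> str:
        """Receiving module parses, confirmation module checks, alarm module replies."""
        report = json.loads(message)
        events = []
        for c in report["connections"]:
            cause = self.confirm(c)
            if cause:
                entry = {"host": report["host"],
                         "connection": {k: c[k] for k in ("proto", "src", "dst", "port")},
                         "process_code": c["feature_code"], "cause": cause}
                self.log.append(entry)   # security log record
                events.append(entry)
        return json.dumps({"alarm": bool(events), "events": events})


def demo():
    """Whitelist only iexplorer.exe on 10.142.8.31 -> 10.142.1.1:80, then report host A."""
    server = Server()
    server.store_safe("TCP", "10.142.8.31", "10.142.1.1", 80, feature_code(PROCESS_TABLE[1532][1]))
    reply = json.loads(server.handle_report(agent_report("10.142.1.1", NETSTAT_SAMPLE, PROCESS_TABLE)))
    return reply, server.log


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The verdict here rests entirely on a hash the agent reports about itself, so in a deployment the agent-to-server channel needs authentication and integrity protection and the server should treat a host that stops reporting, or reports implausibly, as an event in its own right; a compromised host can otherwise forge the report the server relies on.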
In practice, either the stand-alone mode or the C/S model may be adopted.
Fig. 8 is a functional block diagram of a security monitoring system of the embodiment of the invention. The system has a three-tier architecture of client agent (Agent), server (Server) and client (Client), corresponding to an acquisition function layer, a recognition function layer and an application function layer, each of which may be realised in program code. The Agent is installed on every monitored host; the Server runs on a server in the network and performs the collection of information from each host and the identification of security events; the Client may run on any administrative PC terminal and is used for monitoring and handling security events. Wherein:
The acquisition function layer implements information collection, comprising obtaining the connection attribute information of network connections and generating the characteristic information of the processes running over them. For example, it obtains the connection attribute information of the current network connections on the host, generates the feature code of the process running over each connection, and sends the generated process feature code together with the obtained connection attribute information to the recognition function layer.
The recognition function layer may comprise a trusted connection rule base (ADB), a violation event identification module, a security event alarm processing module, a security log processing module and a trusted policy update module. On receiving the connection attribute information and process feature code of a network connection, the violation event identification module compares them with the connection attribute information and process feature codes of the safe connections stored in advance in the ADB; when the comparison result shows that the connection corresponding to the received information is unsafe, the security event alarm processing module is started to raise an alarm, and the alarm information is sent to the application function layer. Optionally, the security log processing module may also be started to record the connection attribute information of the connection, the corresponding process feature code and the cause of the alarm, for subsequent analysis and statistics of security events by the administrator. The information in the HDB and the ADB of the recognition function layer can be updated by the trusted policy update module.
The application function layer presents the received alarm information to the user, and may display it in multimedia form.
The above embodiment of the invention may be applied in an enterprise network, that is, the various host devices inside the enterprise network are monitored. Inside an enterprise network the applications in operation and the group of accessing users are relatively stable. On the one hand, the servers running inside the enterprise usually carry stable applications and the versions of the executable code on them change little, so the characteristic information of legitimate files can be set up easily by collecting and computing the initialisation information of the relevant servers a limited number of times in the initial phase. On the other hand, the user population inside the enterprise network generally sits on fixed IP addresses of a network segment and is limited in number, so collection over a period of time in the initial phase is essentially enough to learn the data access rules between the servers and to complete the setting of the connection attribute information of legitimate connections and the characteristic information of their legitimate processes. Applying the embodiment of the invention inside an enterprise network is therefore simple. Moreover, monitoring with the embodiment of the invention avoids the problem of having to update a signature database continually as new attack patterns appear, which reduces the workload and difficulty of system maintenance.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.

Claims (18)

1. a method for safety monitoring is characterized in that, comprising:
Preserve the characteristic information of legal monitored object;
When on monitored device, new monitored object occurring, generate the characteristic information of this new monitored object;
The characteristic information of the characteristic information of newer monitored object and the legal monitored object of preservation is confirmed whether safety of new monitored object according to comparative result.
2. the method for claim 1 is characterized in that, described monitored object is a file, and described characteristic information is the condition code according to the binary code generation of file;
Confirm whether safety of described new monitored object according to comparative result, be specially:
When comparative result when to be the condition code of new file consistent with the condition code of the legitimate files of preserving in advance, confirm that described new file is legal; Otherwise, confirm that described new file is illegal or legitimacy is undetermined.
3. the method for claim 1 is characterized in that, described monitored object is that network connects, and described characteristic information comprises network connection attribute information that connects and the characteristic information that is connected the process of carrying out by this network;
Confirm whether safety of described new monitored object according to comparative result, be specially:
When comparative result is new network connection attribute information that connects and the characteristic information that is connected the process of carrying out by this network, when the corresponding information that is connected with the legitimate network of preserving in advance is complementary respectively, confirm described new network attachment security; Otherwise it is dangerous to confirm that described new network connects.
4. method as claimed in claim 3 is characterized in that, the connection attribute information that network connects comprises: protocol type, address, port information;
The connection attribute information that new network connects is complementary with the connection attribute information that the legitimate network of preserving in advance is connected, and comprising:
The protocol type that new network connects, port numbers are identical with protocol type and the port numbers that legitimate network connects respectively, the source address that source address and legitimate network connect is identical or in its address realm, and destination address is identical with legitimate network purpose of connecting address or in its address realm.
5. method as claimed in claim 3 is characterized in that, the characteristic information of process is the condition code according to the binary code generation of this process;
The characteristic information that connects the process that the characteristic information of the process of carrying out is connected with the legitimate network of preserving in advance by new network is complementary, and be specially: it is consistent with the condition code of the process of the legitimate network connection of preservation in advance to connect the condition code of the process of carrying out by new network.
6. as each described method of claim 1 to 5, it is characterized in that, confirm that new monitored object is dangerous after, also comprise: start security alarm.
7. a safety monitoring device is characterized in that, comprising:
Memory module is used to preserve the characteristic information of legal monitored object;
Monitoring module when being used for new monitored object occurring on monitored device, generates the characteristic information of this new monitored object;
Confirm module, be used for the characteristic information of newer monitored object and the characteristic information of the legal monitored object of preservation, according to the new monitored object of comparative result affirmation safety whether.
8. device as claimed in claim 7 is characterized in that described memory module is further used for, and preserves the characteristic information of legitimate files;
Described monitoring module is further used for, and when new file occurring on monitored device, generates the characteristic information of described new file;
Confirm that module is further used for, the characteristic information that described monitoring module is generated compares with the characteristic information of the legitimate files of described memory module preservation, and confirms according to comparative result whether this new file is legal.
9. device as claimed in claim 8 is characterized in that, described characteristic information is the condition code according to the binary code generation of file;
Described affirmation module is further used for, and when comparative result is the condition code of condition code and the legitimate files of preservation of new file when consistent, confirms that described new file is legal; Otherwise, confirm that described new file is illegal or legitimacy is undetermined.
10. device as claimed in claim 7 is characterized in that described memory module is further used for, connection attribute information that the storage legitimate network connects and the characteristic information that is connected the process of carrying out by this network;
Described monitoring module is further used for, and when new network connection occurring on monitored device, obtains the connection attribute information that new network connects, at connecting the characteristic information that the process of carrying out generates this process by this network;
Described affirmation module is further used for, the characteristic information of the connection attribute information that the new network that obtains is connected and the process of generation, and the corresponding information that is connected with legitimate network that described memory module is preserved compares; When comparative result is coupling, confirm new network attachment security; Otherwise it is dangerous to confirm that described new network connects.
11. device as claimed in claim 10, it is characterized in that, described monitoring module is further used for, and obtains protocol type, address, port information that new network connects, generates the condition code of this process according to the binary code that connects the process of carrying out by this new network;
Described affirmation module is further used for, the protocol type, the port numbers that connect when the new network that obtains are identical with protocol type and the port numbers that legitimate network connects respectively, the source address that source address and legitimate network connect is identical or in its address realm, destination address is identical with legitimate network purpose of connecting address or in its address realm, and when the condition code of the process that the process condition code that generates and the legitimate network of preservation connect was consistent, the affirmation comparative result mated; Otherwise, confirm that comparative result does not match.
12. as each described device of claim 7 to 11, it is characterized in that, also comprise: processing module is used for starting security alarm after described affirmation module confirms that new monitored object is dangerous.
13. a safety monitoring system is characterized in that, comprising:
Customer's representative's device when being used for new monitored object occurring on the equipment that this Client Agent device is monitored, generates the characteristic information and the transmission of this new monitored object;
Server is used to receive the characteristic information of the described new monitored object that customer's representative's device sends, and its characteristic information with the legal monitored object of preserving is compared, and confirm whether safety of new monitored object according to comparative result.
14. system as claimed in claim 13 is characterized in that, described customer's representative's device is further used for, and when new file occurring on the equipment of being monitored, generates the characteristic information and the transmission of described new file;
Described server is further used for, and receives the characteristic information of the described new file of customer's representative's device transmission, and its characteristic information with the legitimate files of preserving is in advance compared, and confirms according to comparative result whether this new file is legal.
15. system as claimed in claim 14 is characterized in that, described characteristic information is the condition code according to the binary code generation of file;
Described server is further used for, and when comparative result when to be the condition code of described new file consistent with the condition code of the legitimate files of preserving in advance, confirms that described file is legal; Otherwise, confirm that described file is illegal or legitimacy is undetermined.
16. The system of claim 13, wherein the client agent device is further configured to obtain and send the connection attribute information of a new network connection that appears on the monitored device, and to generate and send characteristic information of the process that carries out the new network connection;
and the server is further configured to compare the received connection attribute information of the new network connection and the characteristic information of the process, respectively, with pre-stored connection attribute information of legitimate network connections and the characteristic information of the processes that carry out those legitimate network connections, and to confirm that the new network connection is secure when the comparison result is a match, and otherwise to confirm that the new network connection is insecure.
17. The system of claim 16, wherein the client agent device is further configured to obtain the protocol type, address and port information of the new network connection, and to generate a feature code of the process from the binary code of the process that carries out the new network connection;
and the server is further configured to confirm that the comparison result is a match when the protocol type and port number of the new network connection are identical to the protocol type and port number, respectively, of a legitimate network connection, the source address is identical to the source address of the legitimate network connection or lies within its address range, the destination address is identical to the destination address of the legitimate network connection or lies within its address range, and the feature code of the process of the new network connection is consistent with the feature code of the process that carries out the legitimate network connection; and otherwise to confirm that the comparison result is not a match.
18. The system of any one of claims 13 to 17, wherein the server is further configured to trigger a security alarm after confirming that a new monitored object is insecure.
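Claims 16 to 18 together describe one decision procedure: the client agent reports the protocol, addresses, port and a feature code of the owning process for each new connection, and the server accepts the connection only if every field matches a pre-stored legitimate connection, raising an alarm otherwise. The following Python is an added example of that comparison written for this page; it is not code from the patent or from the applicant. The claims do not say how the feature code is derived from the process binary, so SHA-256 of the executable bytes is an assumption here, and the whitelist entries, byte strings and observed connections are constructed sample data.

```python
"""Whitelist check for newly observed network connections (added example)."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def feature_code(binary: bytes) -> str:
    """Feature code of a process, derived from the bytes of its executable.

    The claims only say the code is generated from the process's binary code;
    using SHA-256 for that derivation is an assumption of this example.
    """
    return hashlib.sha256(binary).hexdigest()


@dataclass(frozen=True)
class LegitimateConnection:
    """One pre-stored legitimate connection held on the server side."""
    protocol: str
    port: int
    source: str        # single address or CIDR range, e.g. "10.0.0.0/24"
    destination: str   # single address or CIDR range
    process_code: str  # feature code of the process allowed to hold it

    def allows(self, which: str, addr: str) -> bool:
        """True when addr equals the stored address or lies inside its range.

        A bare host address becomes a /32 (or /128) network, so the claim's
        'identical' and 'within range' cases collapse into one containment test.
        """
        allowed = ipaddress.ip_network(getattr(self, which), strict=False)
        return ipaddress.ip_address(addr) in allowed


@dataclass(frozen=True)
class NewConnection:
    """What the client agent reports for a connection that has just appeared."""
    protocol: str
    port: int
    source: str
    destination: str
    process_binary: bytes  # bytes of the executable behind the connection


def matches(new: NewConnection, legit: LegitimateConnection) -> bool:
    """Claim-17 comparison: protocol and port equal, both addresses in range,
    and the process feature code identical."""
    return (
        new.protocol.lower() == legit.protocol.lower()
        and new.port == legit.port
        and legit.allows("source", new.source)
        and legit.allows("destination", new.destination)
        and feature_code(new.process_binary) == legit.process_code
    )


def assess(new: NewConnection, whitelist: Iterable[LegitimateConnection]) -> str:
    """Server-side verdict: 'secure' if any stored legitimate connection
    matches, otherwise 'insecure'."""
    return "secure" if any(matches(new, legit) for legit in whitelist) else "insecure"


def security_alarm(name: str, new: NewConnection, verdict: str) -> Optional[str]:
    """Claim-18 behaviour: an alarm is produced only for an insecure verdict."""
    if verdict != "insecure":
        return None
    return (f"ALARM {name}: {new.protocol}/{new.port} {new.source} -> "
            f"{new.destination} process={feature_code(new.process_binary)[:12]}")


# Constructed sample data: these byte strings stand in for real executables.
SSHD_BINARY = b"\x7fELF constructed stand-in for the approved sshd image"
UNKNOWN_BINARY = b"\x7fELF constructed stand-in for an unapproved binary"

WHITELIST = [
    # Only the approved sshd image may hold TCP/22 from the admin subnet to this host.
    LegitimateConnection("tcp", 22, "10.0.0.0/24", "10.0.1.5", feature_code(SSHD_BINARY)),
]

OBSERVATIONS: Dict[str, NewConnection] = {
    "admin_ssh":        NewConnection("tcp", 22, "10.0.0.17", "10.0.1.5", SSHD_BINARY),
    "ssh_from_outside": NewConnection("tcp", 22, "192.168.7.9", "10.0.1.5", SSHD_BINARY),
    "replaced_binary":  NewConnection("tcp", 22, "10.0.0.17", "10.0.1.5", UNKNOWN_BINARY),
    "wrong_port":       NewConnection("tcp", 2222, "10.0.0.17", "10.0.1.5", SSHD_BINARY),
}


def run_demo() -> Dict[str, str]:
    """Assess every constructed observation against the whitelist."""
    return {name: assess(conn, WHITELIST) for name, conn in OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
        alarm = security_alarm(name, OBSERVATIONS[name], verdict)
        if alarm:
            print("  ", alarm)
```

Only the first observation passes: the other three fail on source range, process feature code and port respectively, and each failure produces an alarm. Note what the comparison does and does not see: it hashes the executable image the agent hands over, so a swapped or added binary is caught, but code injected into an already-approved process at runtime presents the same feature code and falls outside this check.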
CN200810223727A 2008-10-09 2008-10-09 Security monitoring method, device and system Pending CN101719846A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810223727A CN101719846A (en) 2008-10-09 2008-10-09 Security monitoring method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810223727A CN101719846A (en) 2008-10-09 2008-10-09 Security monitoring method, device and system

Publications (1)

Publication Number Publication Date
CN101719846A (en) 2010-06-02

Family

ID=42434367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810223727A Pending CN101719846A (en) 2008-10-09 2008-10-09 Security monitoring method, device and system

Country Status (1)

Country Link
CN (1) CN101719846A (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325061B (en) * 2011-09-16 2014-07-02 北京星网锐捷网络技术有限公司 Network monitoring method, equipment and system
CN102325061A (en) * 2011-09-16 2012-01-18 北京星网锐捷网络技术有限公司 Method for monitoring network, equipment and system
CN103281325B (en) * 2013-06-04 2018-03-02 北京奇虎科技有限公司 Document handling method and device based on cloud security
CN103281325A (en) * 2013-06-04 2013-09-04 北京奇虎科技有限公司 Method and device for processing file based on cloud security
US9948670B2 (en) 2013-06-04 2018-04-17 Beijing Qihoo Technology Company Limited Cloud security-based file processing by generating feedback message based on signature information and file features
WO2014194803A1 (en) * 2013-06-04 2014-12-11 北京奇虎科技有限公司 Cloud security-based file processing method and device
CN104348795A (en) * 2013-07-30 2015-02-11 深圳市腾讯计算机系统有限公司 Common gateway interface (CGI) service intrusion prevention method and device
CN104348795B (en) * 2013-07-30 2019-09-20 深圳市腾讯计算机系统有限公司 The method and device of CGI(Common gateway interface) business intrusion prevention
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN103944915B (en) * 2014-04-29 2017-11-14 浙江大学 A kind of industrial control system threat detection defence installation, system and method
CN104461830A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Method and device for monitored progress
WO2016095626A1 (en) * 2014-12-19 2016-06-23 北京奇虎科技有限公司 Process monitoring method and device
CN104461830B (en) * 2014-12-19 2017-09-22 北京奇虎科技有限公司 The method and apparatus of monitoring process
CN105825124A (en) * 2015-01-06 2016-08-03 中国移动通信集团广西有限公司 Server illegal operation monitoring method and monitoring system
CN105323246B (en) * 2015-09-30 2019-03-22 中国南方电网有限责任公司电网技术研究中心 The tamper resistant method and system of key management system
CN105323246A (en) * 2015-09-30 2016-02-10 中国南方电网有限责任公司电网技术研究中心 Tamper-proofing method and system for key management system
CN106304067A (en) * 2016-07-29 2017-01-04 成都轻车快马网络科技有限公司 High in the clouds data processing method for mobile Internet
CN106304067B (en) * 2016-07-29 2019-12-24 成都轻车快马网络科技有限公司 Cloud data processing method for mobile internet
CN106603493A (en) * 2016-11-11 2017-04-26 北京安天电子设备有限公司 Safeguard device embedded in network device and safeguard method
CN106603493B (en) * 2016-11-11 2020-04-24 北京安天网络安全技术有限公司 Safety protection device and protection method built in network equipment

Similar Documents

Publication Publication Date Title
CN101719846A (en) Security monitoring method, device and system
Vigna et al. A stateful intrusion detection system for world-wide web servers
Sabahi et al. Intrusion detection: A survey
KR101057432B1 (en) System, method, program and recording medium for detection and blocking the harmful program in a real-time throught behavior analysis of the process
Lanzi et al. Accessminer: using system-centric models for malware protection
US6477651B1 (en) Intrusion detection system and method having dynamically loaded signatures
US8549649B2 (en) Systems and methods for sensitive data remediation
EP2923295B1 (en) Using telemetry to reduce malware definition package size
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
CN112787992A (en) Method, device, equipment and medium for detecting and protecting sensitive data
CN101582883A (en) System and method for managing security of general network
Zhang et al. User intention-based traffic dependence analysis for anomaly detection
KR20080047261A (en) Anomaly malicious code detection method using process behavior prediction technique
CN110602044A (en) Network threat analysis method and system
CN101667232A (en) Terminal credible security system and method based on credible computing
Garg et al. Analysis of software vulnerability classification based on different technical parameters
Yamada et al. RAT-based malicious activities detection on enterprise internal networks
Deng et al. Lexical analysis for the webshell attacks
CN115314286A (en) Safety guarantee system
Eom et al. A framework of defense system for prevention of insider's malicious behaviors
Vigna et al. Host-based intrusion detection
US10880316B2 (en) Method and system for determining initial execution of an attack
CN107196960A (en) A kind of net horse detecting system and its detection method based on sandbox technology
CN115086081B (en) Escape prevention method and system for honeypots
Kono et al. An unknown malware detection using execution registry access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100602