CN102426634A - Method for finding back door of source code - Google Patents


Publication number
CN102426634A
Authority
CN
China
Prior art keywords
source code
back door
rule
code file
file
Legal status
Pending
Application number
CN2011103289024A
Other languages
Chinese (zh)
Inventor
吴世忠
李守鹏
郭涛
时志伟
贾依真
俞科技
Current Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
China Information Technology Security Evaluation Center
Original Assignee
Beijing Venus Information Security Technology Co Ltd
China Information Technology Security Evaluation Center
Abstract

The invention provides a method and device for finding backdoors in source code and relates to the field of computer security. It addresses the reduced system security that results from the lack of an effective way to detect source code backdoors. The method comprises the following steps: searching for a plurality of associated source code files; performing rule matching on the source code files according to a preset backdoor detection strategy, which comprises a plurality of rules related to one source code backdoor and a decision condition for judging that a source code backdoor exists; and determining that the source code files constitute a source code backdoor when the rule matching between the source code files and the detection strategy satisfies the decision condition. The technical scheme is suitable for source code detection and realizes an efficient static system for discovering source code backdoors.

Description

Source code backdoor discovery method
Technical field
The present invention relates to the field of computer security, and in particular to a source code backdoor discovery method.
Background
At present, backdoors in source code are found mainly by manual review: whether a backdoor exists is judged from the reviewer's experience, by examining the source code and searching it for sensitive functions that may be called. Generally, a backdoor achieves its purpose of residing on the victim system through a particular sequence of program process calls.
Given this, dynamic monitoring can be used: system processes are monitored, and when a process calls a series of functions or programs consistent with a known backdoor flow, the program source code corresponding to that process is considered a backdoor. But when the backdoor code is never executed, the backdoor cannot be found this way. Static monitoring can therefore also be used to inspect the source code, that is, certain key functions or keywords are matched and searched for. However, when the source code is distributed across different files and directories and has been obfuscated so that the relationships among the source code files are complex, static monitoring cannot effectively detect backdoor source code either. In summary, the lack of an effective way to detect source code backdoors reduces system security.
Summary of the invention
The invention provides a source code backdoor discovery method, which solves the problem of reduced system security caused by the lack of an effective way to detect source code backdoors.
A source code backdoor discovery method comprises:
searching for a plurality of associated source code files;
performing rule matching on the plurality of source code files according to a preset backdoor detection strategy, the detection strategy comprising a plurality of rules related to one source code backdoor and a decision condition for judging that a source code backdoor exists;
when the rule matching results of the plurality of source code files against the detection strategy satisfy the decision condition, determining that the plurality of source code files constitute a source code backdoor.
Preferably, searching for the plurality of associated source code files specifically comprises:
determining an initial control-node source code file;
searching for source code files that have a direct or indirect parameter-passing relationship with the control-node source code file, all files found by the search being the plurality of associated source code files.
Preferably, before the step of searching for the plurality of associated source code files, the method further comprises:
defining a detection strategy, the detection strategy comprising a plurality of rules related to one source code backdoor;
setting the order of the rules, and setting a weight for each rule;
defining a decision condition, the decision condition comprising a weight standard value; when the sum of the weights of the matched rules reaches the weight standard value, the plurality of source code files are determined to be a source code backdoor.
Preferably, the detection strategy comprises any several of the following rules:
API|apiname|*x, where apiname is the name of the called API function and x is the number of times the function is called; under this rule the source code is considered to match when the source code files contain x calls to the apiname function;
API|apiname|argv[pos]:expr, where pos is the parameter number and expr is an expression; under this rule the source code is considered to match when the apiname function satisfies the expression;
API|apiname|argv_asign[pos]==return(RECORD[id]), where return(RECORD[id]) is the return value of the function described by the RECORD with this id; under this rule the source code is considered to match when that return value is identical to the parameter of apiname in the source code files;
STR|"string"|sf|*y, where "string" is the character string, y is the number of strings, s denotes case-sensitive matching and f denotes complete string matching; under this rule the source code is considered to match when it contains y occurrences of the "string" string;
BACKDOOR|tablename, where tablename is the table name of another backdoor; under this rule the source code is considered to match when this tablename appears in the source code;
GRAM|str1+str2+str3+...+strn, where strn is a syntax element; under this rule the source code is considered to match when it contains a syntactic calling pattern of the form str1+str2+str3+...+strn.
Preferably, performing rule matching on the plurality of source code files according to the preset backdoor detection strategy specifically comprises:
matching the rules of the detection strategy against the plurality of source code files one by one, in the preset order of the rules.
The invention also provides a source code backdoor discovery device, comprising:
a file discovery module, configured to search for a plurality of associated source code files;
a matching execution module, configured to perform rule matching on the plurality of source code files according to a preset backdoor detection strategy, the detection strategy comprising a plurality of rules related to one source code backdoor and a decision condition for judging that a source code backdoor exists;
a result determination module, configured to determine that the plurality of source code files constitute a source code backdoor when their rule matching results against the detection strategy satisfy the decision condition.
Preferably, the file discovery module comprises:
an initial control node lookup unit, configured to determine an initial control-node source code file;
a search unit, configured to search for source code files that have a direct or indirect parameter-passing relationship with the control-node source code file, all files found by the search being the plurality of associated source code files.
Preferably, the source code backdoor discovery device further comprises:
a policy management module, configured to define the detection strategy, which comprises a plurality of rules related to one source code backdoor; to set the order of the rules and a weight for each rule; and to define the decision condition, which comprises a weight standard value; when the sum of the weights of the matched rules reaches the weight standard value, the plurality of source code files are determined to be a source code backdoor.
The invention provides a source code backdoor discovery method and device. Rule matching is performed on a plurality of source code files according to a preset, user-defined backdoor detection strategy, and when the rule matching results of those files against the detection strategy satisfy the decision condition, the files are determined to be a source code backdoor. This realizes an efficient source-code-based backdoor discovery mechanism and solves the problem of reduced system security caused by the lack of an effective way to detect source code backdoors.
Description of drawings
Fig. 1 is a flowchart of a source code backdoor detection method provided by embodiment one of the invention;
Fig. 2 is a structural diagram of a source code backdoor detection device provided by embodiment three of the invention;
Fig. 3 is a structural diagram of the file discovery module 201 in Fig. 2.
Embodiments
To detect source code backdoors, it is necessary to consider how potential backdoor code is constructed, which is also the work that whoever embeds a source code backdoor must do in order to evade manual review or software inspection. Backdoor code mainly exists in the following forms:
1. No protection at all. The backdoor code is not protected in any way; all function calls, parameter assignments, execution flow and so on appear as clearly as in normal code, and manual review can plainly see that the backdoor exists.
2. The source code has undergone some obfuscation: variable and function names look random, one line contains multiple statements, code is mixed into comments, and the source code looks like garbled text.
3. The variables and functions that make up the backdoor functionality are distributed across different functions and source code files; the call relationships between functions are complex and tangled, and so is the passing of variables. During function calls and variable passing, temporary variables or pointers are introduced, and equivalent operations are then performed by operating on those temporary variables or pointers. For example, the backdoor code deliberately splits one continuous piece of code into multiple sub-functions, which in turn call further sub-functions, or adds jump statements to the code body, increasing the complexity of the control flow graph and the call graph and thereby making detection harder.
Taking variable assignment as an example:
int a = 100;
is equivalent to:
int b = 100;
memcpy(&a, &b, 4);
or:
_asm { mov a, 100 }
or:
_asm { push 100
pop a }
There are countless other equivalent schemes. Function calls likewise have countless equivalent calling methods, and these equivalent transformations seriously affect detection. For example, the simplest function call:
Func();
is equivalent to:
_asm {
lea eax, Func
jmp eax }
For the examples above, detection requires applying equivalent transformations to the obfuscated code in the source, restoring it to normalized standard code, so that detection can proceed normally.
The above covers equivalent transformations of ordinary sub-function calls. For core sensitive system functions, that is, calls to key API functions, more complex calling methods may be used in addition to the equivalent transformations above. For example, a backdoor may call an API function by dynamically computing its address, and the dynamic computation itself is complex enough to be hard to detect. This is illustrated below with the process creation API function CreateProcess:
Suppose the standard call is: CreateProcess(pszProcessName);
This is easy to detect.
The backdoor can apply an equivalent transformation:
F = GetProcAddress(hKernelHandle, "CreateProcess");
F(pszProcessName);
This is a standard way of dynamically obtaining an API function's address and calling it, but the code still contains the sensitive function name "CreateProcess". To get around detection by auditors or software, the backdoor developer may encode or obfuscate this string, or even apply strong encryption to it. For example:
[Figure BDA0000102239100000061: code listing, image only]
If the Decrypt function is even slightly complex, detection is hard to carry out. The following is a complete backdoor source code:
[Figures BDA0000102239100000062 and BDA0000102239100000071: code listing, image only]
The above is an example of backdoor source code after obfuscation; in the code listed above, Name is a very complex function and is hard to recognize.
To solve the problem of low system security, embodiments of the invention provide a source code backdoor discovery method. The embodiments are described in detail below with reference to the drawings. Note that, where they do not conflict, the embodiments in this application and the features in them may be combined with one another arbitrarily.
First, embodiment one of the invention is described with reference to the drawings.
Embodiment one provides a source code backdoor detection method. The flow of detecting a backdoor with this method is shown in Fig. 1 and comprises:
Step 101: define a detection strategy.
In this step a detection strategy is first defined. The detection strategy comprises a plurality of rules related to one source code backdoor, and a weight is set for each rule. The detection strategy also comprises a decision condition, which comprises a weight standard value; when the sum of the weights of the matched rules reaches the weight standard value, the plurality of source code files are determined to be a source code backdoor.
Generally, each backdoor type corresponds to one detection strategy, and each strategy consists of one or more rule statements. The rule statements of a detection strategy can be written in a scripting language, or in a custom grammar similar to scripting-language syntax.
The detection strategy is illustrated below. For example, a backdoor rule set is defined for backdoors of the cmdshell type; the rule set contains 10 rules, each with its own weight. During detection, checking starts from the first rule in priority order (the rules are matched against the code one by one); each successful match increases the total weight accordingly, until all 10 checks are finished, which yields the sum of the weights of the successfully matched rules.
Because the rules are interrelated, and the expression of one rule may include the detection results of preceding rules, matching must be carried out in order.
Step 102: search for a plurality of associated source code files.
In this embodiment, source code files that have a parameter-passing relationship or a calling relationship are classed as associated source code files; these files may be stored in different paths.
In this embodiment, the search for associated source code files is based on text-level pattern matching, so the source code being examined need not be fully compilable; it may be a partial set of source code files or a source code fragment.
After the initial control node is determined, source code files that have a direct or indirect parameter-passing relationship with the control-node source code file are searched for; all files found by the search are the plurality of associated source code files.
Step 103: perform rule matching on the plurality of source code files according to the preset backdoor detection strategy, the detection strategy comprising a plurality of rules related to one source code backdoor and a decision condition for judging that a source code backdoor exists.
In this step, all function entries can be found by searching the existing source code; during detection the entry of each function is treated as a control node, and the entries are checked one by one.
Step 104: when the rule matching results of the plurality of source code files against the detection strategy satisfy the decision condition, determine that the plurality of source code files constitute a source code backdoor.
Embodiment two of the invention is described below.
This embodiment provides a source code backdoor discovery method. For backdoor types characterized by process calls, it uses pattern matching: the behaviour of common backdoor programs is defined and a set of pattern-matching rules describing backdoor operations is derived; the rules are then matched against the source code to find backdoors hidden in it.
The detection strategy used in this embodiment is as follows:
Rule 1, API call description (1):
API|apiname|*x, where apiname is the name of the called API function and x is the number of times the function is called; under this rule the source code is considered to match when the source code files contain x calls to the apiname function.
For example, API|CreatePipe|2 means that there are 2 calls to CreatePipe. If the trailing *x is omitted, the rule denotes just this API call.
Rule 2, API call description (2):
API|apiname|argv[pos]:expr, where pos is the parameter number and expr is an expression; under this rule the source code is considered to match when the apiname function satisfies the expression. expr is an expression on the value of the parameter.
pos denotes the pos-th parameter, counting from 0.
The expression operators are:
Greater than: >
Less than: <
Equal to: ==
Greater than or equal to: >=
Less than or equal to: <=
The parameter itself: SELF
For example:
(SELF&0x80)>0
Rule 3, API call description (3):
API|apiname|argv_asign[pos]==return(RECORD[id]), where return(RECORD[id]) is the return value of the function described by the RECORD with this id; under this rule the source code is considered to match when that return value is identical to the parameter of apiname in the source code files.
pos denotes the pos-th parameter, counting from 0. If this return value equals API_apiname_argv_asign[pos], the expression is TRUE.
API_apiname_argv_asign[pos] refers to the pos-th parameter.
Rule 4, string reference:
STR|"string"|sf|*y, where "string" is the character string, y is the number of strings, s denotes case-sensitive matching and f denotes complete string matching; under this rule the source code is considered to match when it contains y occurrences of the "string" string.
For example, STR_"BACKDOOR"*2 means that there are 2 "BACKDOOR" strings. If the trailing *y is omitted, the rule denotes just this string. s: case-sensitive; f: complete string matching.
Rule 5, presence of another backdoor's characteristics:
BACKDOOR|tablename, where tablename is the table name of another backdoor; under this rule the source code is considered to match when this tablename appears in the source code.
For example, the sensitive behaviour of hooking an API necessarily involves remote thread insertion, so it can be described as: BACKDOOR_Remote_thread.
Rule 6, syntactic call:
GRAM|str1+str2+str3+...+strn, where strn is a syntax element; under this rule the source code is considered to match when it contains a syntactic calling pattern of the form str1+str2+str3+...+strn.
This rule describes a syntactic calling pattern in the source code by combining several syntax elements. For example, suppose the following statement is considered to have backdoor functionality:
b.StartInfo.FileName="cmd.exe";
Then it is described with this rule as:
GRAM|"."+"StartInfo"|s+"."+"FileName"|s+"="+""cmd.exe""+";"
The above 6 rules constitute a complete detection strategy; matching must be carried out in order, from rule 1 to rule 6.
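An added example, not code from the patent: a small Python matcher for a subset of the rule notation above (API call counts, STR strings, GRAM element sequences) that sums the weights of the matched rules over a group of associated files and compares the sum with the weight standard value. The weights, the standard value of 60, the sample files, reading *x as "at least x occurrences" and reading the f flag as "appears as a complete quoted literal" are assumptions; argv, RECORD and BACKDOOR rules and per-element |s flags are not handled.

```python
import re

def parse_rule(text):
    """Parse one rule written in the notation above into (kind, params)."""
    kind, _, body = text.partition("|")
    if kind == "API":                        # API|apiname|*x
        name, _, count = body.partition("|")
        return kind, {"name": name, "count": int(count.lstrip("*") or 1)}
    if kind == "STR":                        # STR|"string"|sf|*y
        parts = body.split("|")
        params = {"text": parts[0].strip('"'), "flags": "", "count": 1}
        for part in parts[1:]:
            if part.startswith("*"):
                params["count"] = int(part[1:])
            else:
                params["flags"] = part
        return kind, params
    if kind == "GRAM":                       # GRAM|"e1"+"e2"+...+"en"
        # Drop the outer quotes, then split on the "+" between elements so a
        # doubled quote such as ""cmd.exe"" keeps its inner quotes.
        return kind, {"elements": body[1:-1].split('"+"')}
    raise ValueError("unsupported rule: " + text)

def rule_matches(rule, source):
    """Text-level match of one parsed rule against the joined source text."""
    kind, p = rule
    if kind == "API":                        # count textual call sites name(
        calls = re.findall(r"\b%s\s*\(" % re.escape(p["name"]), source)
        return len(calls) >= p["count"]
    if kind == "STR":
        # Assumption: f requires the text to be a whole quoted literal.
        needle = '"%s"' % p["text"] if "f" in p["flags"] else p["text"]
        flags = 0 if "s" in p["flags"] else re.IGNORECASE
        return len(re.findall(re.escape(needle), source, flags)) >= p["count"]
    # GRAM: the elements in order, separated only by optional whitespace.
    pattern = r"\s*".join(re.escape(e) for e in p["elements"])
    return re.search(pattern, source) is not None

def evaluate(policy, standard_value, files):
    """Match rules in their preset order and apply the decision condition."""
    source = "\n".join(files.values())       # the group of associated files
    matched = [(text, weight) for text, weight in policy
               if rule_matches(parse_rule(text), source)]
    score = sum(weight for _, weight in matched)
    return {"score": score, "backdoor": score >= standard_value,
            "matched": [text for text, _ in matched]}

# Constructed policy for the cmdshell-style case; weights are assumptions.
POLICY = [
    ("API|CreatePipe|*2", 30),
    ("API|CreateProcess", 30),
    ('STR|"cmd.exe"|s', 20),
    ('STR|"CreateProcess"|sf', 25),
    ("API|GetProcAddress", 15),
    ('GRAM|"."+"StartInfo"+"."+"FileName"+"="+""cmd.exe""+";"', 60),
]
STANDARD_VALUE = 60

# Constructed sample fragments (not compilable programs).
PIPES = ("CreatePipe(&hInRead, &hInWrite, &sa, 0);\n"
         "CreatePipe(&hOutRead, &hOutWrite, &sa, 0);\n")
PLAIN = {"pipes.c": PIPES,
         "spawn.c": 'CreateProcess(NULL, "cmd.exe", /* ... */);\n'}
INDIRECT = {"pipes.c": PIPES,
            "spawn.c": 'F = GetProcAddress(hKernelHandle, "CreateProcess");\n'
                       "F(pszProcessName);\n"}
BENIGN = {"ipc.c": "CreatePipe(&hRead, &hWrite, NULL, 0);\n"
                   "WriteFile(hWrite, buf, len, &n, NULL);\n"}
DOTNET = {"Launcher.cs": 'var b = new Process();\n'
                         'b.StartInfo.FileName = "cmd.exe";\n'}

if __name__ == "__main__":
    for label, files in [("plain", PLAIN), ("indirect", INDIRECT),
                         ("benign", BENIGN), ("dotnet", DOTNET)]:
        print(label, evaluate(POLICY, STANDARD_VALUE, files))
```

In the INDIRECT sample the call-site rule for CreateProcess does not fire and the verdict rests on the string and GetProcAddress rules; if the API name were encoded, as in the Decrypt case described earlier, the string rule would not fire either, because text-level rules only see literal names.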
Embodiment three of the invention is described below with reference to the drawings.
The invention provides a source code backdoor discovery device, whose structure is shown in Fig. 2 and which comprises:
a file discovery module 201, configured to search for a plurality of associated source code files;
a matching execution module 202, configured to perform rule matching on the plurality of source code files according to a preset backdoor detection strategy, the detection strategy comprising a plurality of rules related to one source code backdoor and a decision condition for judging that a source code backdoor exists;
a result determination module 203, configured to determine that the plurality of source code files constitute a source code backdoor when their rule matching results against the detection strategy satisfy the decision condition.
Preferably, the internal structure of the file discovery module 201 is shown in Fig. 3 and comprises:
an initial control node lookup unit 2011, configured to determine an initial control-node source code file;
a search unit 2012, configured to search for source code files that have a direct or indirect parameter-passing relationship with the control-node source code file, all files found by the search being the plurality of associated source code files.
Preferably, the source code backdoor discovery device further comprises:
a policy management module 204, configured to define the detection strategy, which comprises a plurality of rules related to one source code backdoor; to set the order of the rules and a weight for each rule; and to define the decision condition, which comprises a weight standard value; when the sum of the weights of the matched rules reaches the weight standard value, the plurality of source code files are determined to be a source code backdoor.
The source code backdoor discovery device provided by the embodiments of the invention can be combined with the source code backdoor discovery method provided by the embodiments of the invention. Rule matching is performed on a plurality of source code files according to a preset, user-defined backdoor detection strategy, and when the rule matching results of those files against the detection strategy satisfy the decision condition, the files are determined to be a source code backdoor. This realizes an efficient source-code-based backdoor discovery mechanism and solves the problem of reduced system security caused by the lack of an effective way to detect source code backdoors.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented as a computer program flow. The computer program can be stored in a computer-readable storage medium and is executed on a corresponding hardware platform (such as a system, equipment, apparatus or device); when executed, it comprises one of the steps of the method embodiment or a combination of them.
Alternatively, all or some of the steps of the above embodiments can be implemented with integrated circuits: the steps can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The invention is thus not limited to any particular combination of hardware and software.
Each device, functional module or functional unit in the above embodiments can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When a device, functional module or functional unit in the above embodiments is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. The protection scope of the invention shall therefore be determined by the protection scope of the claims.

Claims (8)

1. a source code back door discover method is characterized in that, comprising:
There is related multiple source code file in search;
Detect strategy according to the back door of presetting said multiple source code file is carried out rule match, said detection strategy comprises the decision condition that there are the source code back door in a plurality of rules relevant with a source code back door and judgement;
When the rule match situation in said multiple source code file and said detection strategy satisfies said decision condition, confirm that said multiple source code file is a source code back door.
2. source code according to claim 1 back door discover method is characterized in that, said search exists related multiple source code file to be specially:
Confirm initial Control Node source code file;
There are the source code file of direct or indirect parameter transitive relation in search and this Control Node source code file, and all files that search obtains is and has related multiple source code file.
3. source code according to claim 1 back door discover method is characterized in that, said search exists before the step of related multiple source code file, also comprises:
Definition detects strategy, and said detections be tactful to comprise a plurality of and the relevant rule in a source code back door;
Putting in order of each rule is set, and one weights is set for each rule;
The definition decision condition, said decision condition comprises a weights standard value, when institute's matching rules weights sum reaches said weights standard value, confirms that said multiple source code file is a source code back door.
4. source code according to claim 3 back door discover method is characterized in that, said detect strategy comprise in the rule any several:
API|apiname|*x, wherein, apiname is invoked api function title, and x is the number of times that calls this function, and this rule list is shown in thinks when existing x to the apinameb function calls in the said source code file that said source code coupling should rule;
API|apiname|argv [pos]: expr, wherein, pos representes parameter numbering, and expr is an expression formula, and this rule list is shown in thinks when said apiname function satisfies this expression formula that said source code coupling should rule;
API|apiname|argv_asign [pos]==return (RECORD [id]); Wherein, Return (RECORD [id]) is the rreturn value of the specified described function of RECORD of this id, and this rule list is shown in thinks when apiname parameter rreturn value is identical with parameter in the said source code file that said source code coupling should rule;
STR| " sting " | sf|*y, wherein, " sting " the expression character string; Y representes character string quantity; S representes case sensitive, f represent complete chain coupling, this rule list be shown in have in the said source code x should " sting " character string is to think that the said source code coupling of stating should rule;
BACKDOOR|tablename, wherein, tablename claims for the table name at other back doors, this rule list is shown in thinks when this tablename occurring in the said source code that said source code coupling should rule;
GRAM|str1+str2+str3+...+str n, wherein, str n is a syntactic element, this rule list is shown in thinks when the grammer that has str1+str2+str3+...+str n in the said source code calls rule that said source code coupling should rule.
5. source code according to claim 3 back door discover method is characterized in that, the back door detection strategy that said basis presets carries out rule match to said multiple source code file and is specially:
Each rule compositor according to presetting carries out rule match with said multiple source code file one by one with the rule in the said detection strategy.
6. device is found at a source code back door, it is characterized in that, comprising:
File is found module, is used to search for the multiple source code file that has association;
Matching and executing module is used for detecting strategy according to the back door of presetting said multiple source code file is carried out rule match, and said detection strategy comprises the decision condition that there are the source code back door in a plurality of rules relevant with a source code back door and judgement;
Determination module is used for when the rule match situation of said multiple source code file and said detection strategy satisfies said decision condition as a result, confirms that said multiple source code file is a source code back door.
7. device is found at source code according to claim 6 back door, it is characterized in that, said file finds that module comprises:
Initial Control Node is searched the unit, is used for confirming initial Control Node source code file;
Search unit is used to search for the source code file that has direct or indirect parameter transitive relation with this Control Node source code file, and all files that search obtains is and has related multiple source code file.
8. The source code back door discovery device according to claim 6, characterized in that the device further comprises:
A policy management module, configured to define the detection strategy, the detection strategy comprising a plurality of rules related to one source code back door; to set the order of the rules and set a weight for each rule; and to define the judging condition, the judging condition comprising a weight standard value, wherein the plurality of source code files are confirmed to be a source code back door when the sum of the weights of the matched rules reaches the weight standard value.
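The ordered, weighted rule matching of claims 5 and 8, using the two rule formats listed above, is sketched here as an added example; it is not code from the patent. The rule strings, weights, threshold, file names, sample sources and the reading of GRAM as consecutive elements separated by optional whitespace are all assumptions.

```python
import re

# Constructed strategy: rules in their preset matching order, each with a weight.
STRATEGY = [
    ("GRAM|system+(+$cmd", 5),
    ('GRAM|==+"maint"', 4),
    ("BACKDOOR|bd_table_demo", 3),
]
THRESHOLD = 8  # weight standard value (assumed)


def compile_rule(rule):
    """Turn 'TYPE|argument' into a regex; handles only BACKDOOR and GRAM."""
    kind, sep, arg = rule.partition("|")
    if not sep or not arg:
        raise ValueError(f"malformed rule: {rule!r}")
    if kind == "BACKDOOR":
        return re.compile(re.escape(arg))  # the table name appears verbatim
    if kind == "GRAM":
        # Assumption: elements occur consecutively, optional whitespace between.
        elems = [e for e in arg.split("+") if e]
        if not elems:
            raise ValueError(f"GRAM rule has no elements: {rule!r}")
        return re.compile(r"\s*".join(re.escape(e) for e in elems))
    raise ValueError(f"unsupported rule type: {kind!r}")


def evaluate(files, strategy=STRATEGY, threshold=THRESHOLD):
    """Match the rules one by one, in order, against the associated file set."""
    hits, score = [], 0
    for rule, weight in strategy:
        pattern = compile_rule(rule)
        matched_in = sorted(n for n, src in files.items() if pattern.search(src))
        if matched_in:  # a rule's weight counts once for the whole file set
            hits.append((rule, matched_in))
            score += weight
    return {"score": score, "backdoor": score >= threshold, "hits": hits}


# Constructed sample: two associated files linked by a passed parameter.
SAMPLE = {
    "login.php": 'if ($user == "maint") { run($arg); }',
    "util.php": "function run($cmd) { system( $cmd ); }",
}
BENIGN = {"util.php": "function run($cmd) { system($cmd); }"}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(evaluate(BENIGN))
```

BENIGN matches one GRAM rule but scores 5, below the threshold, so a single matched rule does not flag the file set on its own.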
CN2011103289024A 2011-10-26 2011-10-26 Method for finding back door of source code Pending CN102426634A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011103289024A CN102426634A (en) 2011-10-26 2011-10-26 Method for finding back door of source code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011103289024A CN102426634A (en) 2011-10-26 2011-10-26 Method for finding back door of source code

Publications (1)

Publication Number Publication Date
CN102426634A true CN102426634A (en) 2012-04-25

Family

ID=45960613

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011103289024A Pending CN102426634A (en) 2011-10-26 2011-10-26 Method for finding back door of source code

Country Status (1)

Country Link
CN (1) CN102426634A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090235339A1 (en) * 2008-03-11 2009-09-17 Vasco Data Security, Inc. Strong authentication token generating one-time passwords and signatures upon server credential verification
CN101551836A (en) * 2008-04-03 2009-10-07 西门子(中国)有限公司 Code audit method and device
CN101571828A (en) * 2009-06-11 2009-11-04 北京航空航天大学 Method for detecting code security hole based on constraint analysis and model checking

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607413A (en) * 2013-12-05 2014-02-26 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN103607413B (en) * 2013-12-05 2017-01-18 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN105488404A (en) * 2014-12-23 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for preventing data from being stolen by backdoor
CN105488404B (en) * 2014-12-23 2019-01-15 哈尔滨安天科技股份有限公司 A kind of method and system for preventing data from being stolen by back door
CN107104924A (en) * 2016-02-22 2017-08-29 阿里巴巴集团控股有限公司 The verification method and device of website backdoor file
CN107104924B (en) * 2016-02-22 2020-10-09 阿里巴巴集团控股有限公司 Verification method and device for website backdoor file
CN106685970A (en) * 2016-12-29 2017-05-17 北京奇虎科技有限公司 Reverse connection backdoor detecting method and device
CN111327569A (en) * 2018-12-14 2020-06-23 中国电信股份有限公司 Web backdoor detection method and system and storage computing layer
CN111327569B (en) * 2018-12-14 2022-05-10 中国电信股份有限公司 Web backdoor detection method and system and storage computing device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120425