CN102497425A - Malicious software detecting system based on transparent proxy and method thereof - Google Patents

Publication number
CN102497425A
Authority
CN
China
Prior art keywords
module
data
challenge
response
data control
Legal status
Pending
Application number
CN2011104119552A
Other languages
Chinese (zh)
Inventor
任天成
刘新
王大鹏
张振威
景俊双
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Application filed by Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd

Abstract

The invention discloses a malware detection system based on a transparent proxy, comprising a monitoring module, a protocol detection module, a challenge generation module, a response processing module and a data control module. The system inspects the data that a terminal sends to a remote server, determines the protocol type of the data from protocol fingerprints, and generates a challenge according to the protocol type, which is sent to the application running on the terminal. The application sends its response to the challenge back to the detection system, which judges the response in the response processing module and so decides whether the application on the terminal may continue sending data to the remote server. Malware is thereby detected, and the system has the advantages of not disturbing the normal operation of programs, being transparent to users, and so on.

Description

A malware detection system based on a transparent proxy, and a method thereof
Technical field
The present invention relates to a transparent-proxy-based malware detection system and method. It belongs to the field of information security and concerns transparent proxy devices.
Background
Spyware is a type of malware that can be installed on a computer and collect information about the user without their knowledge. Spyware installs and runs covertly and is difficult for the user to detect. It monitors the user's computer over long periods and collects a large amount of information, such as browsing habits, visited URLs and shopping habits, and it may also interfere with the user's control of the computer, for example by installing extra software or redirecting the Web browser's home page.
In response to the emergence of spyware, some companies have developed anti-spyware software. Running anti-spyware has become quite common, especially on Windows computers. A user's computer is typically infected with several pieces of spyware, and an infected computer often shows degraded system performance, such as excessive CPU usage, heavy disk usage and network congestion.
Many programmers and some commercial companies have released products dedicated to removing or blocking spyware. Anti-spyware programs are generally used only to detect and remove spyware that has already been installed on a computer. The user can schedule daily, weekly or monthly scans to detect and delete any spyware already installed. Such anti-spyware scans the contents of the Windows registry, the operating system files and the installed programs, and presents a list of threats from which the user chooses what to delete and what to keep.
This kind of anti-spyware identifies malware from a list of known spyware and its signatures. Like antivirus software, it needs its spyware database updated in real time to keep its detection capability. Usually a piece of spyware has already appeared and spread widely before a sample is reported to an anti-spyware company, which then studies it and produces a "signature" or "definition" by which it can be detected; this detection mechanism therefore usually lags behind.
Host-based anti-spyware of this kind is the most widely adopted solution at present, but it faces several problems. First, like a virus database, the spyware database needs real-time updates and is required to have minimal false-negative and false-positive rates, but current anti-spyware does not do this well enough: detection lags, and legitimate software is deleted by mistake. Second, much spyware does not run independently; it is often bundled as a program component into a music player or download tool, or, more often, runs as a browser plug-in, and such spyware is difficult to remove completely. Third, host-based anti-spyware is easily subverted by malware. Rootkit-level spyware, a special kind of malware that is essentially undetectable, is increasingly common, so host-based anti-spyware is unreliable in many situations.
Another approach to identifying malware uses network packet capture tools, including sniffers, Wireshark and tcpdump, which can be used to analyze whether a network is infected. These tools need to capture a large number of packets, however, and are not very effective at identifying malware; they are used more for forensic analysis after anti-spyware has found an infected machine, or for analyzing network faults.
Summary of the invention
The object of the invention is to solve the above problems by providing a transparent-proxy-based malware detection system and its control method. This clientless malware detection scheme is deployed at a network gateway or router and inspects the connections entering and leaving the network in order to identify malware. The scheme is effective and easy to implement, and is realized with transparent proxy technology.
To achieve the above object, the invention adopts the following technical scheme:
A malware detection system based on a transparent proxy comprises a data control module, which is connected to a monitoring module and sends data to it. The monitoring module sends the data to a protocol detection module, which generates the protocol type. The protocol detection module is connected to a challenge generation module, and the challenge generation module is connected to the data control module. The system also comprises a response processing module, which is connected to the monitoring module and the data control module.
The system sits between the terminal and the remote server and carries the communication between them. The terminal sends data to the server through the data control module, and the data control module sends all data to the monitoring module. The data control module receives the result from the response processing module.
The challenge generation module generates a challenge according to the protocol type produced by the protocol generation module, and sends the challenge to the terminal.
The system also comprises a classification module, which is connected to a report module. The detection method comprises the following steps:
Step1: an application running on the terminal sends initial data to the remote server through the data control module of the detection system;
Step2: the data control module sends the initial data to the monitoring module, and the monitoring module sends the data to the protocol generation module;
Step3: the protocol generation module uses protocol fingerprints to identify the protocol type of the initial data, and sends the protocol type to the challenge generation module;
Step4: the challenge generation module generates a challenge for the application according to the protocol type, and sends the challenge to the application on the terminal through the data control module;
Step5: the application on the terminal responds to the challenge; the response is sent through the data control module to the monitoring module and then passed to the response processing module;
Step6: the response processing module receives the application's response, judges whether the response is valid or invalid, and sends the result to the data control module;
Step7: the data control module decides, according to that judgment, whether the connection to the remote server may continue. When the response is found to be valid, the application is allowed to continue connecting to the remote server; when the response is found to be invalid, the data control module reports that malware has been detected and blocks the application from continuing to connect to the remote server.
In Step1, the data control module may suspend the terminal's sending of initial data to the remote server.
The beneficial effects of the invention are as follows. Compared with the traditional approach of detecting known malware by signature, the proposed method can confirm the validity of all outbound network sessions based on the network behaviour of the program. The method has two key points. First, a transparent proxy deployed at the enterprise network boundary can determine the network characteristics of an application by protocol fingerprinting. Second, the transparent proxy generates active content challenges to distinguish legitimate software from malware. The method does not interfere with the normal operation of programs and is transparent to the user.
A network-based transparent proxy can be deployed at the enterprise network egress to inspect all traffic leaving the enterprise. The transparent proxy can also be deployed in front of a workstation or notebook computer, in which case it only needs to inspect the data sent out from that workstation or notebook computer. By analyzing outbound traffic, the transparent proxy can distinguish different browsers (Internet Explorer, Firefox, Opera, Chrome).
Malware that exists as a component of a browser (for example IE) can also be detected by this method. The transparent proxy can also identify malware that communicates over VoIP protocols, including the Session Initiation Protocol (SIP), the Session Description Protocol (SDP), the Real-time Transport Control Protocol (RTCP), the Real-time Transport Protocol (RTP) and so on.
Compared with host-based schemes, this transparent proxy solution differs as follows:
1. Because no client needs to be installed, conflicts with other client software such as antivirus software are avoided, which preserves the availability of the user's computer.
2. Signatures do not need to be updated. Some embodiments may still use signatures, but only to improve the recognition rate for known malware. Signatures then need to be updated only on the transparent proxy, which is convenient to carry out.
3. Because the transparent proxy is not installed on each computer, it cannot be subverted or interfered with by malware on the host that uses rootkits or other process-hiding evasion techniques. On the contrary, when malware attempts to communicate outward, the transparent proxy can observe it, and the malware can be analyzed further in a controlled environment.
Description of drawings
Fig. 1 is a structural diagram of the invention;
Fig. 2 is a flow chart of transparent proxy malware detection according to the invention;
Fig. 3 is a network architecture diagram of the invention applied in an enterprise network;
Fig. 4 is an architecture diagram of the invention applied on a notebook computer or workstation;
Fig. 5 is a message flow diagram of transparent proxy malware detection according to the invention;
Fig. 6 is a flow chart of another working mode of transparent proxy malware detection according to the invention;
Fig. 7 is a message flow diagram of another working mode of transparent proxy malware detection according to the invention;
Fig. 8 is a message flow diagram of malware detection when the invention interacts with a Web browser.
Embodiment
The utility model is further described below with reference to the accompanying drawings and embodiments.
In Fig. 1, a malware detection system based on a transparent proxy comprises a data control module, which is connected to a monitoring module and sends data to it. The monitoring module sends the data to a protocol detection module, which generates the protocol type. The detection module is connected to a challenge generation module, and the challenge generation module is connected to the data control module. The system also comprises a response processing module, which is connected to the monitoring module and the data control module. The system sits between the terminal and the remote server and carries the communication between them. The terminal sends data to the server through the data control module, and the data control module sends all data to the monitoring module. The data control module receives the result from the response processing module.
Fig. 3 shows an enterprise network, including workstations and notebook computers, that uses this transparent-proxy-based malware detection system. The architecture is fully transparent and makes no modification to the protocols or data passing in and out. It can support a variety of protocols, including HTTP, HTTPS and VoIP protocols, and can handle all encrypted and unencrypted traffic.
Fig. 4 shows the transparent proxy applied to a single notebook computer or workstation, which communicates with the remote server through the transparent proxy. The invention uses network traffic analysis, but not directly to identify malware; it is used to identify the application that is sending the data. The header information of the intercepted data is analyzed, including timing, source/destination addresses, ports and so on. In addition, "HTTP head" instructions and particular HTTP headers may be used to identify known browser applications and to determine whether a program is a known program, captured malware or unknown traffic.
In Fig. 1, the transparent proxy includes interfaces for receiving and sending application traffic and remote server traffic. The transparent proxy may be deployed at the network boundary to inspect the traffic leaving the network.
The monitoring module inspects the data transfers to remote servers made by the applications running on all computers. The application waits for the remote server's response. Applications include Web browsers, VoIP programs, peer-to-peer applications, database clients, database servers and so on. The monitoring module passes the data traffic it receives through the data interface to the protocol detection module.
The protocol detection module analyzes the data sent by the application and uses protocol fingerprints to determine the type of protocol carrying the data. The protocol type may be one of the following: HTTP, a VoIP protocol, the Session Description Protocol, the Session Initiation Protocol, the Real-time Transport Control Protocol and so on.
The challenge generation module generates a challenge for the application according to the protocol type, sends the challenge to the application, and keeps a state table relating the data to the challenge. The generation module may further take into account the state of the application when it made its first data transmission. The challenge does not affect the normal operation of the application and is transparent to the user. For example, when the application is a Web browser, the challenge is an encoded page redirection request, which is received and processed by the target browser.
The challenge generation module issues the challenge to the application; the response processing module receives the application's response to the challenge and then determines whether the response is valid. The application's response does not involve the end user.
When the response is valid, the data control module allows the data to be transmitted to the remote server through the interfaces. When the response is invalid, the data control module blocks the data from being transmitted to the remote server through the interfaces.
The data control flow can also be implemented in another way: the data control module first allows the data to be passed to the remote server; when the response is valid, it allows the remote server to communicate with the application through the interfaces; when the response is invalid, it blocks the remote server from communicating with the application through the interfaces.
The system also includes a malware classification module, used to identify the malware running on a computer, and a report module, which generates malware reports. Malware is determined automatically by analyzing the first data sent by the application, the application type and the non-interactive application response. The response processing module determines whether the response is valid and thereby whether the application is malware, and outputs the result to the classification module. The classification module records the relevant parameters of the detected application, assigns it to the relevant category, and passes the result on to the report module, which outputs the corresponding reports.
Fig. 5 shows the transparent proxy malware detection message flow. The application attempts to send data to the remote server through the transparent proxy. The transparent proxy monitors the traffic sent by all applications and analyzes the protocol type used by the application that is sending the information. According to the protocol type used by the application, the transparent proxy generates an active content challenge. The challenge can be generated using the inherent properties of the specific protocol.
The active content challenge is invisible to the user and is specific to the application. If the application successfully sends valid information in response to the content challenge, the transparent proxy can confirm that the data was produced by a normal application. Malware cannot respond correctly to a carefully constructed active content challenge. If the application's response is invalid, or no response is sent within a fixed time, the application is judged to be malware; the data is blocked from being sent on to the remote server, and the presence of malware on that machine is reported, as shown in scenario 2 of Fig. 5. If the transparent proxy receives a valid application response, it forwards the received data to the remote server and allows subsequent data communication between the application and the server, as shown in scenario 1 of Fig. 5.
The end user does not need to take part in this process and experiences almost no delay, which gives a good user experience. Even if the malware attempts to reconnect to the same server or to another one, it is not allowed to, so such attempts fail. The method is quite effective against malware that hides itself by means such as file replacement or thread injection and injects its traffic into a normal program: unlike the normal program, the disguised malware cannot correctly parse the challenge and generate a valid response.
Fig. 2 is the malware detection flow chart of the transparent proxy. The transparent proxy inspects the data sent by the application towards the remote server and suspends its transmission. It identifies the protocol type, generates a challenge for the application according to the protocol type, and sends the challenge to the application. The transparent proxy stores a state table relating the detected data to the generated challenges. It decides according to the response it receives: if the response is valid, the data is allowed to continue; if the response is invalid, further transmission of the data is blocked. The state table is kept in memory. It records the correspondence between the intercepted data and the generated challenges, so that the corresponding data can be released or blocked according to the response to the challenge. Its content is shown in Table 1.
Table 1: State correspondence table
Data 1    Challenge 1
Data 2    Challenge 2
Data 3    Challenge 3
...       ...
Fig. 6 shows another transparent proxy malware detection message flow. The application sends data to the remote server through the transparent proxy. The transparent proxy inspects all outbound data and identifies the protocol type used by the application that sent the message. It then generates an active content challenge and sends it to the application. According to the application's response, the transparent proxy decides whether to allow data transfer between the remote server and the application. Fig. 7 is the malware detection flow chart corresponding to Fig. 6.
Fig. 8 shows the malware detection message flow when a transparent proxy interacts with a Web browser. The Web browser requests a page from a remote Web server in order to download it. The transparent proxy uses a randomly generated hash to produce a challenge and sends the challenge to the Web browser. The challenge content is constructed from intrinsic browser features, including HTML, JavaScript, Flash and so on. The challenge is an encoded page redirection request addressed to the Web browser; the code does not display any content and is invisible to the user. Only when the browser responds correctly to this redirect request is the Web browser allowed to receive, from the remote server, the response to its initial page request. A malicious program cannot respond validly to the challenge, or does not respond within a certain time, and is therefore discovered. When the transparent proxy detects malware, it can block the remote server's response and report that malware has been detected on the particular computer.
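The HTTP flow of Fig. 8 together with the state table of Table 1 can be sketched as follows; this is an added example, not code from the patent. The class and function names, the `/__proxy_challenge` path, the `t` query parameter, the use of a connection identifier as the session key, the 5-second limit and the plain 302 redirect as the challenge are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

CHALLENGE_PATH = "/__proxy_challenge"  # hypothetical path chosen for this example
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def fingerprint(raw: bytes):
    """Simplified stand-in for protocol fingerprinting: recognise an HTTP/1.x
    request line. Returns ("http", target) or (None, None)."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith("HTTP/1."):
        return "http", parts[1]
    return None, None


@dataclass
class Pending:
    session: str      # connection identifier, e.g. "ip:port" (assumed)
    data: bytes       # initial data held back by the data control module
    issued_at: float


class ChallengeProxy:
    def __init__(self, ttl=5.0, clock=time.monotonic):
        self.ttl = ttl            # assumed "fixed time" allowed for a response
        self.clock = clock
        self.state = {}           # Table 1: challenge token -> held data
        self.allowed = set()      # sessions that answered correctly
        self.blocked = set()      # sessions reported as malware
        self.reports = []         # (session, reason) entries for the report module

    def handle(self, session: str, raw: bytes):
        """Return (action, payload); action is challenge, forward, block or unknown."""
        self.expire()
        if session in self.blocked:
            return "block", None
        if session in self.allowed:
            return "forward", raw
        proto, target = fingerprint(raw)
        if proto != "http":
            return "unknown", None    # policy for other protocols is left to the caller
        url = urlsplit(target)
        if url.path == CHALLENGE_PATH:
            token = parse_qs(url.query).get("t", [""])[0]
            return self._on_response(session, token)
        return self._issue(session, raw)

    def _issue(self, session, raw):
        token = secrets.token_hex(16)   # random value bound to the held data
        self.state[token] = Pending(session, raw, self.clock())
        reply = (
            "HTTP/1.1 302 Found\r\n"
            f"Location: {CHALLENGE_PATH}?t={token}\r\n"
            "Cache-Control: no-store\r\n"
            "Content-Length: 0\r\n\r\n"
        ).encode("ascii")
        return "challenge", reply

    def _on_response(self, session, token):
        pending = self.state.get(token)
        if pending is None or pending.session != session:
            return self._block(session, "invalid challenge response")
        del self.state[token]
        self.allowed.add(session)
        return "forward", pending.data   # release the initial data to the server

    def expire(self):
        """Treat challenges unanswered for longer than ttl as failed."""
        now = self.clock()
        for token, pending in list(self.state.items()):
            if now - pending.issued_at > self.ttl:
                del self.state[token]
                self._block(pending.session, "no response within the fixed time")

    def _block(self, session, reason):
        self.blocked.add(session)
        self.reports.append((session, reason))
        return "block", None


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    proxy = ChallengeProxy()
    action, reply = proxy.handle("10.0.0.5:50000", req)
    location = reply.decode().split("Location: ")[1].split("\r\n")[0]
    follow = f"GET {location} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode()
    print(action, proxy.handle("10.0.0.5:50000", follow)[0])
```

A bare 302 is followed by any HTTP client that handles redirects, so it only separates programs that do not speak HTTP properly; a challenge built from the HTML or JavaScript features the description mentions would be needed to separate a browser from such clients.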
The detection engine of the transparent proxy of this invention should be built as a framework that can handle other protocol specifications. The framework should be extensible, allowing third parties to introduce new protocols and to define protocol behaviour detection signatures in the same way as for HTTP.
The transparent proxy malware detection system of this invention can be implemented as a standalone hardware device with a carefully trimmed, stable operating system and a powerful processor, memory, network cards and so on, so that it is suitable for a large enterprise network. Each functional module can be designed separately, with communication interfaces between the modules. Modules can be implemented in hardware, in a combination of software and hardware, or in firmware. Usable programming languages include C, C++, Java, Basic, Matlab and so on; usable hardware includes computers, microcontrollers, microprocessors, ASICs (Application Specific Integrated Circuits), FPGAs (Field-Programmable Gate Arrays), CPLDs (Complex Programmable Logic Devices) and so on. Computers and microcontrollers can be programmed in languages such as C and C++; ASICs, FPGAs and CPLDs use a hardware description language (HDL), including VHDL (VHSIC Hardware Description Language) or Verilog HDL (currently the most widely used hardware description languages). Combinations of the above techniques can realize the various functions described in the utility model.

Claims (6)

1. A malware detection system based on a transparent proxy, characterized in that: the system comprises a data control module, which is connected to a monitoring module and sends data to the monitoring module; the monitoring module sends the data to a protocol detection module, which generates the protocol type; the protocol detection module is connected to a challenge generation module, and the challenge generation module is connected to the data control module; the system further comprises a response processing module, which is connected to the monitoring module and the data control module.
2. The malware detection system based on a transparent proxy according to claim 1, characterized in that: the system is located at a network gateway or router between the terminal and the remote server, and carries the communication between the terminal and the remote server; the terminal sends data to the remote server through the data control module, and the data control module sends all data to the monitoring module; the data control module receives the result from the response processing module.
3. The malware detection system based on a transparent proxy according to claim 1, characterized in that: the challenge generation module generates a challenge according to the protocol type produced by the protocol generation module and sends the challenge to the terminal.
4. The malware detection system based on a transparent proxy according to claim 1, characterized in that: the system further comprises a classification module, which is connected to a report module.
5. A malware detection method for the transparent-proxy-based system of claim 1, characterized in that the detection method comprises the following steps:
Step1: an application running on the terminal sends initial data to the remote server through the data control module of the detection system;
Step2: the data control module sends the initial data to the monitoring module, and the monitoring module sends the data to the protocol generation module;
Step3: the protocol generation module uses protocol fingerprints to identify the protocol type of the initial data, and sends the protocol type to the challenge generation module;
Step4: the challenge generation module generates a challenge for the application according to the protocol type, and sends the challenge to the application on the terminal through the data control module;
Step5: the application on the terminal responds to the challenge; the response is sent through the data control module to the monitoring module and then passed to the response processing module;
Step6: the response processing module receives the application's response, judges whether the response is valid or invalid, and sends the result to the data control module;
Step7: the data control module decides, according to that judgment, whether the connection to the remote server may continue; when the response is found to be valid, the application is allowed to continue connecting to the remote server; when the response is found to be invalid, the data control module reports that malware has been detected and blocks the application from continuing to connect to the remote server.
6. The malware detection method based on a transparent proxy according to claim 5, characterized in that: in Step1, the data control module may suspend the terminal's sending of initial data to the remote server.
Application number: CN2011104119552A
Priority date: 2011-12-12
Filing date: 2011-12-12
Title: Malicious software detecting system based on transparent proxy and method thereof
Status: Pending
Publication: CN102497425A (en), publication date 2012-06-13
Family ID: 46189210
Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051617A (en) * 2012-12-18 2013-04-17 北京奇虎科技有限公司 Method, device and system for identifying network behaviors of program
CN103747035A (en) * 2013-12-20 2014-04-23 深圳市金证科技股份有限公司 Message middleware multi-target routing and copying technology based on rule
CN104363256A (en) * 2014-10-11 2015-02-18 北京中创腾锐技术有限公司 Cellphone virus recognition and control method, device and system
US9537885B2 (en) 2013-12-02 2017-01-03 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1375775A (en) * 2001-03-16 2002-10-23 联想(北京)有限公司 Geteway level computer network virus preventing method and device
EP1010059B1 (en) * 1996-09-05 2003-05-21 Computer Associates Think, Inc. Anti-virus agent for use with databases and mail servers
CN101605066A (en) * 2009-04-22 2009-12-16 网经科技(苏州)有限公司 Telecommunication network behavior method for real-time monitoring based on multilayer data interception
US20110099620A1 (en) * 2009-04-09 2011-04-28 Angelos Stavrou Malware Detector

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1010059B1 (en) * 1996-09-05 2003-05-21 Computer Associates Think, Inc. Anti-virus agent for use with databases and mail servers
CN1375775A (en) * 2001-03-16 2002-10-23 联想(北京)有限公司 Geteway level computer network virus preventing method and device
US20110099620A1 (en) * 2009-04-09 2011-04-28 Angelos Stavrou Malware Detector
CN101605066A (en) * 2009-04-22 2009-12-16 网经科技(苏州)有限公司 Telecommunication network behavior method for real-time monitoring based on multilayer data interception

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
UDAYA KIRAN TUPAKULA, VIJAY VARADHARAJAN: "A Practical Method to Counteract Denial of Service Attacks", 《PROCEEDINGS OF THE 26TH AUSTRALASIAN COMPUTER SCIENCE CONFERENCE》 *
陈雷, 姜琳, 刘新, 叶德建: "Analysis of DoS and DDoS Attacks on Streaming Media Services", 《计算机工程》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051617A (en) * 2012-12-18 2013-04-17 北京奇虎科技有限公司 Method, device and system for identifying network behaviors of program
US9537885B2 (en) 2013-12-02 2017-01-03 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy
US9882928B2 (en) 2013-12-02 2018-01-30 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy
US10200403B2 (en) 2013-12-02 2019-02-05 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy
US10868826B2 (en) 2013-12-02 2020-12-15 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy
US11516246B2 (en) 2013-12-02 2022-11-29 At&T Intellectual Property I, L.P. Secure browsing via a transparent network proxy
CN103747035A (en) * 2013-12-20 2014-04-23 深圳市金证科技股份有限公司 Message middleware multi-target routing and copying technology based on rule
CN104363256A (en) * 2014-10-11 2015-02-18 北京中创腾锐技术有限公司 Cellphone virus recognition and control method, device and system

Similar Documents

Publication Publication Date Title
US11736499B2 (en) Systems and methods for detecting injection exploits
US11330000B2 (en) Malware detector
US11783035B2 (en) Multi-representational learning models for static analysis of source code
US10200384B1 (en) Distributed systems and methods for automatically detecting unknown bots and botnets
US10587636B1 (en) System and method for bot detection
US10735382B2 (en) Detecting human activity to mitigate attacks on a host
KR101689295B1 (en) Automated verification method of security event and automated verification apparatus of security event
US9015839B2 (en) Identifying malicious devices within a computer network
US7941853B2 (en) Distributed system and method for the detection of eThreats
US11212305B2 (en) Web application security methods and systems
US8561177B1 (en) Systems and methods for detecting communication channels of bots
US8607340B2 (en) Host intrusion prevention system using software and user behavior analysis
US11615184B2 (en) Building multi-representational learning models for static analysis of source code
US20160078229A1 (en) System And Method For Threat Risk Scoring Of Security Threats
Hubballi et al. LAN attack detection using discrete event systems
US11258812B2 (en) Automatic characterization of malicious data flows
CN116860489A (en) System and method for threat risk scoring of security threats
US7325185B1 (en) Host-based detection and prevention of malicious code propagation
CN111859374B (en) Method, device and system for detecting social engineering attack event
KR102189361B1 (en) Managed detection and response system and method based on endpoint
CN102497425A (en) Malicious software detecting system based on transparent proxy and method thereof
JP2022094354A (en) Context profiling for malware detection
US11770361B1 (en) Cobalt strike beacon HTTP C2 heuristic detection
KR102661261B1 (en) A system for detecting botnet and a method thereof
US20240039952A1 (en) Cobalt strike beacon https c2 heuristic detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: STATE GRID CORPORATION OF CHINA

Effective date: 20121219

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20121219

Address after: 250002 Ji'nan City Central District, Shandong, No. 2 South Road, No. 500

Applicant after: Shandong Research Inst. of Electric Power

Applicant after: State Grid Corporation of China

Address before: 250002 Ji'nan City Central District, Shandong, No. 2 South Road, No. 500

Applicant before: Shandong Research Inst. of Electric Power

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120613