CN103475663B - Trojan horse recognition method based on network service behavior characteristics - Google Patents
Trojan horse recognition method based on network service behavior characteristics Download PDFInfo
- Publication number
- CN103475663B CN103475663B CN201310419949.0A CN201310419949A CN103475663B CN 103475663 B CN103475663 B CN 103475663B CN 201310419949 A CN201310419949 A CN 201310419949A CN 103475663 B CN103475663 B CN 103475663B
- Authority
- CN
- China
- Prior art keywords
- network
- wooden horse
- network service
- service behavior
- horse
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Abstract
The present invention provides a kind of Trojan horse recognition method based on network service behavior characteristics, including the Markov model setting up wooden horse data traffic;Data traffic on network is monitored;Network service behavior to being monitored is screened;If the network service behavior not wooden horse communication session monitored, then prove that current data flow is unrelated flow;Otherwise, the time series of described network service behavior is obtained;Real network data traffic is reduced into some BlueDramas, then BlueDrama is mated with Markov model;If the two does not mates, then prove current network session not wooden horse communication data;Otherwise prove that current network session is wooden horse communication data.The present invention uses wooden horse communication behavior feature and timing thereof to realize the monitoring to wooden horse communication behavior, is prevented effectively from wooden horse deformation shell adding etc. and evades the technology impact on trojan horse detection result, improves efficiency and the accuracy rate of network trojan horse detection.
Description
Technical field
The invention belongs to field of information security technology, especially, relate to a kind of wooden horse identification side based on network service behavior characteristics
Method.
Background technology
Along with the universal of cyber-net and application, people are more and more higher to the degree of dependence of cyber-net.Each
The work in store substantial amounts of non-public or important documents of secrecy and personal information with on home-use computer. these computers are once
Implanted trojan horse program, its information can be stolen, thus cause important information leakage, secret papers divulge a secret, individual privacy information
Exposure and loss economically etc. problem.Additionally, wooden horse can also destroy information system, cause systemic breakdown and important number
According to loss.
At present, the detection of wooden horse and means of defence can be divided into two big classes:
One class is traditional detection mode based on file eigenvalue, and first the method extracts the condition code of trojan horse program file, so
Identify wooden horse file by whether Scanning Detction file comprises condition code afterwards.But wooden horse maker would generally give trojan horse program
File add various forms of " shells " so that wooden horse is propagated in the way of multiple types, multiple features code, thus give gather,
Monitoring, killing and pre-anti-Trojan bring increasing challenge.
Another kind of is wooden horse fire wall, and it is mounted in the software tool of subscriber's main station end, and it uses the mode of dynamically monitoring, net
Suspicious connection in network is monitored, and filters out unsafe network and connects, thus protected host is from the danger of outside world.But
It is, owing to needs operate in subscriber's main station system, to need in the course of the work to take the CPU of subscriber's main station system and internal memory money
Source, thus have impact on the performance of other work of system, and this type of method is very easy to produce wrong report.
Along with the fast development of Internet, the kind of wooden horse is the most numerous and diverse, and it is the most increasingly severe for the harm of computer.
Wooden horse network behavior is primarily referred to as the communication behavior on wooden horse and network between other main frame.Can reach real by network behavior wooden horse
Execute network attack, steal the purpose such as security information, operation compromised slave.Therefore, to wooden horse network behavior in time, know accurately
The most just seem most important.
Different trojan horse programs function, for operating system and employing network communication protocol in terms of exist the biggest difference, but
Communication behavior has again certain similarity.By a large amount of main flow wooden horse samples being analyzed discovery: the whole communication of wooden horse
Process is divided into three phases by communication behavior feature, sets up access phase, keeps access phase and mutual access phase.Wooden horse
The network service behavior of different phase shows as different features on flow, uses this feature can distinguish different wooden horse works
Make the stage.
Summary of the invention
The shortcoming of prior art in view of the above, it is an object of the invention to provide a kind of wood based on network service behavior characteristics
Horse recognition methods, by using wooden horse communication behavior feature and timing thereof to realize the identification to wooden horse, can be prevented effectively from wood
Horse deformation shell adding etc. evades the technology impact on trojan horse detection result.
For achieving the above object and other relevant purposes, the present invention provides a kind of wooden horse identification side based on network service behavior characteristics
Method, described Trojan horse recognition method at least comprises the following steps: set up the Markov model of wooden horse data traffic;To on network
Data traffic is monitored;Network service behavior to being monitored is screened;If the network service behavior monitored is not
Wooden horse communication session, then prove that current data flow is unrelated flow;If the network service behavior monitored is wooden horse communication meeting
Words, then obtain the time series of described network service behavior;Real network data traffic is reduced into some BlueDramas, then
BlueDrama is mated with Markov model;If the two does not mates, then prove current network session not wooden horse communication number
According to;If the two coupling, then prove that current network session is wooden horse communication data.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: further comprising the steps of: prove current net
After network session is wooden horse communication data, send the warning of wooden horse identification.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: the data traffic on network is monitored
Time, use switch to obtain the mirror image data flow of network traffic data.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: in described Markov model, bag is used
Length, bag direction and inter-packet gap describe the network service behavior characteristics of wooden horse as attribute, and with a TCP session for research
Elementary cell.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: in described Markov model, by wooden horse
The loaded packet of tool sent in communication session triggers the migration of a behavior state.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: described network service behavior includes that catalogue is clear
Look at, file download, remote terminal, keyboard record, screen monitor.
According to upper Trojan horse recognition method based on network service behavior characteristics, wherein: by BlueDrama and the Markov of reduction
During Model Matching, judge, according to the transfer matrix in Markov model, the stage that the network service behavior of wooden horse occurs.
As it has been described above, the Trojan horse recognition method based on network service behavior characteristics of the present invention, have the advantages that
(1) the network service behavior of wooden horse has certain particularity compared with normal network application, therefore uses the net of wooden horse
Network communication behavior feature and timing thereof realize the identification to wooden horse, can be prevented effectively from wooden horse deformation shell adding etc. and evade technology pair
The impact of trojan horse detection result;
(2) efficiency and the accuracy rate of network trojan horse detection it are effectively increased.
Accompanying drawing explanation
Fig. 1 is shown as the data attribute acquisition sequence schematic diagram of the mutual access phase of wooden horse;
Fig. 2 is shown as wooden horse and sets up access phase, keeps the data attribute acquisition sequence schematic diagram of access phase;
Fig. 3 is shown as data attribute acquisition sequence when normal browsing webpage, instant messaging, mail transmission/reception, data download behavior
Schematic diagram;
Fig. 4 is shown as the flow chart that PI wooden horse is current;
Fig. 5 is shown as the structure of the wooden horse identification system based on network service behavior characteristics of the present invention;
Fig. 6 is shown as the flow chart of the Trojan horse recognition method based on network service behavior characteristics of the present invention.
Detailed description of the invention
Below by way of specific instantiation, embodiments of the present invention being described, those skilled in the art can be by disclosed by this specification
Content understand other advantages and effect of the present invention easily.The present invention can also be added by the most different detailed description of the invention
To implement or application, the every details in this specification can also be based on different viewpoints and application, in the essence without departing from the present invention
Various modification or change is carried out under god.
It should be noted that the diagram provided in the present embodiment illustrates the basic conception of the present invention the most in a schematic way, the most graphic
In component count, shape and size time only display with relevant assembly in the present invention rather than is implemented according to reality draw, its reality
During enforcement, the kenel of each assembly, quantity and ratio can be a kind of random change, and its assembly layout kenel is likely to increasingly complex.
Generally, the network service behavior of a kind of application shows as different features on flow, uses this feature can distinguish not
Same network application.The a different set of attribute of this network service feature available network flow is described, and these attributes include:
Inter-packet gap time, packet length, bag direction, connection persistent period, TCP flag bit etc..
The present invention is directed to the feature of Trojan network communication behavior, by using Markov model that wooden horse data traffic is modeled,
Then the identification of wooden horse is carried out.First, investigating TCP flow top n and have loaded packet, being portrayed is that a Ma Er can
Husband's chain is to describe its communication feature, thus realizes the identification to Trojan network communication behavior.In view of Trojan network communication behavior
Concrete feature, the present invention uses packet length, bag direction and inter-packet gap to be described the network service row of wooden horse by modeling as attribute
It is characterized, and the elementary cell being research with a TCP session.
Describe the network service behavior of wooden horse by Markov process, select by the tool sent in wooden horse communication session
Loaded packet triggers the migration of a behavior state.In order to portray the direction of packet in a model, load and be spaced,
Use sign to describe a state plus data packet length and sign plus time interval, mail to from client on the occasion of representing
The direction of service end, negative value represents the direction mailing to client from service end, the absolute value of state be then packet load length and
The inter-packet gap time.
If the initial state probability vector of Markov process is ∏, at any one moment tiIt is in a certain state si, client and
The status change of primary network action process is just triggered so that it is enter next special when often sending a packet between service end
Fixed state.Each state is described plus sign by bag size inter-packet gap, i.e. state space is
S={si|-MSS<=si≤ MSS, ei, i=0,1,2 ....Wherein, eiFor inter-packet gap, MSS maximum burst size, transfer
Probability matrix is A.But, using the problem that packet length is brought as modeling attribute it is, due to the value that packet length in theory is possible
For [-MSS, MSS], the value that bag time interval is possible be [0 ,+∞), this makes state space scale become the hugest,
Add computation complexity, and in the training process, the transfering probability distribution of state excessively disperses, be not easy to determine each of model
Item parameter.Therefore, during actual realization, according to the network service behavior characteristics of wooden horse, packet length is divided into several district
Between, such as [-MSS ,-1400] (being-3 defined in transfer matrix), [-1399 ,-257] (being-2 defined in transfer matrix),
[-256 ,-1] (being-1 defined in transfer matrix), [0,256] (being 1 defined in transfer matrix), [257,1399]
(being 2 defined in transfer matrix), [1399, MSS] (being 3 defined in transfer matrix).Bag time interval is divided into
Several intervals, as (0,1] (being 1 defined in transfer matrix), (1,2] (being 2 defined in transfer matrix), (2,
5] (being 3 defined in transfer matrix), (5 ,+∞] (being 4 defined in transfer matrix).So, state space
Number just drops to the cartesian product of interval number, greatly reduces the complexity of Markov model.
For a kind of wooden horse, its purpose such as long-range control host machine to be reached and steal information then necessarily leads to network traffics.According to control
The sequential of system, mode, the difference of intention, a kind of wooden horse can produce the multiple network service behavior with multiple different flow feature.
Trojan network communication behavior includes catalogue browsing, file download, remote terminal, keyboard record, screen monitor etc..Wooden horse
Control end and controlled terminal is set up after connecting, control end and typically the most again build implementing any of the above network behavior when
Vertical one special is connected to this specific controlling behavior, and it is special also will to have its specific flow in a new TCP session
Levy.
Wooden horse mutual access phase data attribute acquisition sequence is as shown in Figure 1.As seen from the figure, Y-axis positive direction is controlled terminal data
Attribute, its attribute-value ranges is (-3 ,-1), and Y-axis negative direction is for controlling end data attribute, and its attribute-value ranges is (1,3),
X-axis is time shaft, and its attribute-value ranges is (Isosorbide-5-Nitrae).Owing to the attribute of stealing secret information of wooden horse can be seen that the mutual access phase of wooden horse,
Controlled terminal data significantly more than control end data.
Mutual for wooden horse rank linked section is inputted Markov model according to attribute acquisition value, is calculated transfer matrix as follows:
As access phase data attribute gatherer process mutual with wooden horse, wooden horse is set up access phase, is kept the sequence of access phase
Figure is as shown in Figure 2.Then wooden horse is set up access phase, is kept the data attribute collection value input Markov model meter of access phase
The transfer matrix obtained is as follows:
Normal browsing webpage, instant messaging, mail transmission/reception, data download behavior sequence figure as shown in Figure 3.Then normal browsing net
Page, instant messaging, mail transmission/reception, data attribute collection value calculated turn of the Markov model of input of data download behavior
Shifting matrix is as follows:
Relatively wooden horse sets up the transfer matrix of access phase, the transfer matrix keeping access phase and normal behaviour it can be seen that just
Its numerical discretization of the transfer matrix of Chang Hangwei is near leading diagonal, and the transfer matrix of wooden horse behavior is relatively concentrated in leading diagonal
On.More obviously, the transfer matrix numerical value of the mutual access phase of wooden horse is concentrated mainly near minor diagonal, with normal behaviour collection
In be formed about obvious contrast at leading diagonal.
Wooden horse is set up access phase, keeps the data of access phase and the mutual access phase of wooden horse according to call duration time scope, logical
Letter both sides address, communication sequential etc. carry out integrated relational analysis, then can judge Trojan network communication behavior more accurately.
As follows with reference to Fig. 4, PI wooden horse step of passing through:
(1) on controlled terminal main frame, PI wooden horse controlled terminal is run;
(2) operation PI wooden horse control end on end main frame, open 110 miniport service, the company of returning password admin are being controlled;
(3) the PI controlled terminal actively company of returning controls end main frame 110 port, enables password admin;
(4) control end main frame and receive controlled terminal Hui Lian, and show control end relevant information;
(5) control end main frame and browse controlled terminal host computer system dish catalogue by remote command, and steal the relevant money of system disk storage
Material.
The above-mentioned PI process of stealing secret information is analyzed, it appeared that its connection procedure has a following common network behavior feature:
The size of first the loaded packet of tool 1, connected is 256 bytes, and this packet is to be sent to from controlled terminal
Control end;
2, start to count from initially setting up connection, controlled terminal and control end after certain interaction, enter mutually to send
The stage that the packet of 48 bytes connects as heart beating, and until connect and terminate;
3, having before heart beating access phase in loaded packet, the overwhelming majority is big packet;
4, produce mass communication data in the man-machine interaction stage, and this communication data mostly is from controlled terminal traffic organising end.
Conversate reduction to actual mirror image data flow, network data flow is reduced to some BlueDramas, calculates network
Session connection and heart beating connect interval transfer matrix, and result is as follows:
From this transfer matrix: network data flow exists and access phase set up by typical wooden horse and heart phase matches
Pattern, can determine that and alert in network data flow comprise wooden horse set up connect data.
By data attribute value input Markov process interval for mass data transmission in BlueDrama, calculated transfer matrix
For:
From this transfer matrix: network data flow exists the pattern that access phase mutual with typical wooden horse matches, can sentence
Determine and alert network data flow exists wooden horse man-machine interaction behavior.
In order to not disturb normal network service, with reference to Fig. 5, in the wooden horse identification system based on network service behavior of the present invention,
Switch 4 carries out controlled terminal main frame 1 and the data exchange controlled between end main frame 2, Trojan network communication behavioral value server
3 capture and analyze the network traffic data bypassed from switch 4, are found the net of wooden horse by monitoring network mirror image data
Network communication behavior, and questionable conduct are reported to the police.
As shown in Figure 6, concrete in present invention Trojan horse recognition method step is as follows:
Step S1: set up the Markov model of wooden horse data traffic;
Step S2: the data traffic on network is monitored;
Step S3: the network service behavior to being monitored is screened;If the network service behavior not wooden horse monitored leads to
Letter session, then prove that present flow rate is unrelated flow;
Step S4: if wooden horse communication session, then obtain the time series of network service behavior;
Step S5: real network flow is imported, and network data flow is reduced into some BlueDramas, then by BlueDrama
Mate with Markov model;If the two does not mates, then prove current network session not wooden horse communication data;
Step S6: if the two coupling, then prove that current network session is wooden horse communication data.
Preferably, it is also possible to include not shown in step S7(figure): send warning.
In sum, the Trojan horse recognition method based on communication behavior feature of the present invention uses wooden horse communication behavior feature and sequential thereof
Property realize the monitoring to wooden horse communication behavior, being prevented effectively from wooden horse deformation shell adding etc. evades the technology impact on trojan horse detection result,
It is effectively increased efficiency and the accuracy rate of network trojan horse detection.So, the present invention effectively overcomes various shortcoming of the prior art
And have high industrial utilization.
The principle of above-described embodiment only illustrative present invention and effect thereof, not for limiting the present invention.Any it is familiar with this skill
Above-described embodiment all can be modified under the spirit and the scope of the present invention or change by the personage of art.Therefore, such as
All that in art, tool usually intellectual is completed under without departing from disclosed spirit and technological thought etc.
Effect is modified or changes, and must be contained by the claim of the present invention.
Claims (6)
1. a Trojan horse recognition method based on network service behavior characteristics, it is characterised in that described Trojan horse recognition method at least include with
Lower step:
Set up the Markov model of wooden horse data traffic;
Data traffic on network is monitored;
Network service behavior to being monitored is screened;If the network service behavior not wooden horse communication session monitored,
Then prove that current data flow is unrelated flow;
If the network service behavior monitored is wooden horse communication session, then obtain the time series of described network service behavior;
Real network data traffic is reduced into some BlueDramas, then BlueDrama is mated with Markov model;
When being mated with Markov model by the BlueDrama of reduction, judge the net of wooden horse according to the transfer matrix in Markov model
In the stage that network communication behavior occurs, if the two does not mates, then prove current network session not wooden horse communication data;If the two
Coupling, then prove that current network session is wooden horse communication data.
Trojan horse recognition method based on network service behavior characteristics the most according to claim 1, it is characterised in that: also include following
Step: after proving that current network session is wooden horse communication data, send the warning of wooden horse identification.
Trojan horse recognition method based on network service behavior characteristics the most according to claim 1, it is characterised in that: on network
When data traffic is monitored, switch is used to obtain the mirror image data flow of network traffic data.
Trojan horse recognition method based on network service behavior characteristics the most according to claim 1, it is characterised in that: described Ma Erke
In husband's model, packet length, bag direction and inter-packet gap is used to describe the network service behavior characteristics of wooden horse as attribute, and with
One TCP session is the elementary cell of research.
Trojan horse recognition method based on network service behavior characteristics the most according to claim 1, it is characterised in that: described Ma Erke
In husband's model, the loaded packet of tool sent in wooden horse communication session trigger moving of a behavior state
Move.
Trojan horse recognition method based on network service behavior characteristics the most according to claim 1, it is characterised in that: described network leads to
Letter behavior includes catalogue browsing, file download, remote terminal, keyboard record, screen monitor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310419949.0A CN103475663B (en) | 2013-09-13 | 2013-09-13 | Trojan horse recognition method based on network service behavior characteristics |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310419949.0A CN103475663B (en) | 2013-09-13 | 2013-09-13 | Trojan horse recognition method based on network service behavior characteristics |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103475663A CN103475663A (en) | 2013-12-25 |
| CN103475663B true CN103475663B (en) | 2016-08-17 |
Family
ID=49800359
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310419949.0A Expired - Fee Related CN103475663B (en) | 2013-09-13 | 2013-09-13 | Trojan horse recognition method based on network service behavior characteristics |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103475663B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104023075A (en) * | 2014-06-16 | 2014-09-03 | 南威软件股份有限公司 | Internet online secret acquisition system and method |
| CN104660584B (en) * | 2014-12-30 | 2018-12-18 | 赖洪昌 | Analysis of Trojan Virus technology based on network session |
| CN105243328A (en) * | 2015-09-24 | 2016-01-13 | 哈尔滨工程大学 | Behavioral characteristic based Ferry horse defense method |
| CN107086978B (en) * | 2016-02-15 | 2019-12-10 | 中国移动通信集团福建有限公司 | Method and device for identifying Trojan horse virus |
| CN107370752B (en) * | 2017-08-21 | 2020-09-25 | 北京工业大学 | Efficient remote control Trojan detection method |
| CN107733851B (en) * | 2017-08-23 | 2020-05-01 | 刘胜利 | DNS tunnel Trojan detection method based on communication behavior analysis |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060444A (en) * | 2007-05-23 | 2007-10-24 | 西安交大捷普网络科技有限公司 | Bayesian statistical model based network anomaly detection method |
| CN101567884A (en) * | 2009-05-26 | 2009-10-28 | 西北工业大学 | Method for detecting network theft Trojan |
| CN101605074A (en) * | 2009-07-06 | 2009-12-16 | 中国人民解放军信息技术安全研究中心 | The method and system of communication behavioural characteristic monitoring wooden horse Network Based |
| CN101651568A (en) * | 2009-07-01 | 2010-02-17 | 青岛农业大学 | Method for predicting network flow and detecting abnormality |
| CN101854275A (en) * | 2010-05-25 | 2010-10-06 | 军工思波信息科技产业有限公司 | Method and device for detecting Trojans by analyzing network behaviors |
| CN102202064A (en) * | 2011-06-13 | 2011-09-28 | 刘胜利 | Method for extracting behavior characteristics of Trojan communication based on network data flow analysis |
-
2013
- 2013-09-13 CN CN201310419949.0A patent/CN103475663B/en not_active Expired - Fee Related
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060444A (en) * | 2007-05-23 | 2007-10-24 | 西安交大捷普网络科技有限公司 | Bayesian statistical model based network anomaly detection method |
| CN101567884A (en) * | 2009-05-26 | 2009-10-28 | 西北工业大学 | Method for detecting network theft Trojan |
| CN101651568A (en) * | 2009-07-01 | 2010-02-17 | 青岛农业大学 | Method for predicting network flow and detecting abnormality |
| CN101605074A (en) * | 2009-07-06 | 2009-12-16 | 中国人民解放军信息技术安全研究中心 | The method and system of communication behavioural characteristic monitoring wooden horse Network Based |
| CN101854275A (en) * | 2010-05-25 | 2010-10-06 | 军工思波信息科技产业有限公司 | Method and device for detecting Trojans by analyzing network behaviors |
| CN102202064A (en) * | 2011-06-13 | 2011-09-28 | 刘胜利 | Method for extracting behavior characteristics of Trojan communication based on network data flow analysis |
Non-Patent Citations (1)
| Title |
|---|
| 田雪峰.基于马尔可夫链的网络异常检测系统研究与实现.《中国优秀硕士学位论文全文数据库信息科技辑》.2006,(第11期),第3-19页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103475663A (en) | 2013-12-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103475663B (en) | Trojan horse recognition method based on network service behavior characteristics | |
| CN112769821B (en) | Threat response method and device based on threat intelligence and ATT & CK | |
| CN104836702B (en) | Mainframe network unusual checking and sorting technique under a kind of large traffic environment | |
| CN102088379B (en) | Detecting method and device of client honeypot webpage malicious code based on sandboxing technology | |
| CN107659543B (en) | Protection method for APT (android packet) attack of cloud platform | |
| CN102801697B (en) | Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator) | |
| EP2863611B1 (en) | Device for detecting cyber attack based on event analysis and method thereof | |
| AU2017254815A1 (en) | Anomaly detection to identify coordinated group attacks in computer networks | |
| CN112383546A (en) | Method for processing network attack behavior, related device and storage medium | |
| CN110933060B (en) | Excavation Trojan detection system based on flow analysis | |
| CN103493061A (en) | Methods and apparatus for dealing with malware | |
| CN103746885A (en) | Test system and test method oriented to next-generation firewall | |
| Duan et al. | Application of a dynamic line graph neural network for intrusion detection with semisupervised learning | |
| CN105743880A (en) | Data analysis system | |
| CN107733863A (en) | Daily record adjustment method and device under a kind of distributed hadoop environment | |
| CN113315742A (en) | Attack behavior detection method and device and attack detection equipment | |
| CN112804263A (en) | Vulnerability scanning method, system and equipment for Internet of things | |
| CN108055166A (en) | A kind of the state machine extraction system and its extracting method of the application layer protocol of nesting | |
| Wang et al. | Identifying DApps and user behaviors on ethereum via encrypted traffic | |
| CN114422211B (en) | HTTP malicious traffic detection method and device based on graph attention network | |
| CN108712369A (en) | A kind of more attribute constraint access control decision system and method for industrial control network | |
| Hatcher et al. | Secure Iot search engine: survey, challenges issues, case study, and future research direction | |
| CN110941823B (en) | Threat information acquisition method and device | |
| CN103023891B (en) | The detection method of Botnet and device, the countercheck of Botnet and device | |
| CN110460620B (en) | Website defense method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160817 Termination date: 20190913 |