CN103905391B - Botnet order and the acquisition methods and device of control protocol - Google Patents

Botnet order and the acquisition methods and device of control protocol Download PDF

Info

Publication number
CN103905391B
CN103905391B CN201210576206.XA CN201210576206A CN103905391B CN 103905391 B CN103905391 B CN 103905391B CN 201210576206 A CN201210576206 A CN 201210576206A CN 103905391 B CN103905391 B CN 103905391B
Authority
CN
China
Prior art keywords
botnet
control protocol
perform track
order
acquisition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210576206.XA
Other languages
Chinese (zh)
Other versions
CN103905391A (en
Inventor
王志
邹赞
张晓康
贾春福
翁臣
黄志鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Nankai University
Original Assignee
Tencent Technology Shenzhen Co Ltd
Nankai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd, Nankai University filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201210576206.XA priority Critical patent/CN103905391B/en
Publication of CN103905391A publication Critical patent/CN103905391A/en
Application granted granted Critical
Publication of CN103905391B publication Critical patent/CN103905391B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

The embodiment of the invention discloses a kind of Botnet order and the acquisition methods and device of control protocol, it is related to areas of information technology, improves the acquisition efficiency of Botnet order and control protocol, reduces the cost for obtaining Botnet order and control protocol process.Methods described includes:The perform track information in Botnet program process is obtained first, then target circulation body is determined from the perform track information, the target circulation body is the loop body where Botnet order and control protocol, finally obtains Botnet order and control protocol according to the target circulation body.

Description

Botnet order and the acquisition methods and device of control protocol
Technical field
The present invention relates to areas of information technology, the acquisition methods of more particularly to a kind of Botnet order and control protocol and Device.
Background technology
With the fast development of internet, the popularity rate of Web vector graphic also more and more higher, this allows for being used to steal calculating Machine user property, acquisition privacy of user, all kinds of Botnet programs of control system resource gradually increase, and cause user to use mutual The security of networking is more and more lower.Botnet order and control protocol, it is the guarantee that Botnet program is capable of normal operation. Botnet order and control protocol are obtained, is the key for defending Botnet program,
The acquisition modes of existing Botnet order and control protocol mainly include dynamic analysis acquisition modes and static point Analyse acquisition modes.Dynamic analysis acquisition modes are by the packet feature of statistical analysis Botnet program, to block corpse The communication of network, the entire packet feature of Botnet program can not be divided yet with dynamic analysis acquisition modes Analysis, causes the dynamic analysis acquisition modes can not get all Botnet orders and control protocol;Static analysis acquisition side Formula is then by manually obtaining Botnet order and control protocol from the malicious code sample of Botnet, due to static state point Analysing acquisition modes is completed by manual operation, therefore static analysis acquisition modes obtain Botnet order and control protocol It is less efficient, cost is higher.
The content of the invention
The present invention provides the acquisition methods and device of a kind of Botnet order and control protocol, can get corpse net All Botnet orders and control protocol in network program, and improve Botnet order and the acquisition of control protocol effect Rate, reduce the cost for obtaining Botnet order and control protocol process.
The technical scheme that the embodiment of the present invention uses for:
A kind of Botnet order and the acquisition methods of control protocol, including:
Obtain the perform track information in Botnet program process;
Target circulation body is determined from the perform track information, the target circulation body is Botnet order and control Loop body where agreement;
Botnet order and control protocol are obtained according to the target circulation body.
A kind of Botnet order and the acquisition device of control protocol, including:
Acquiring unit, for obtaining the perform track information in Botnet program process;
Determining unit, for determining target circulation body, the mesh in the perform track information that is obtained from the acquiring unit It is the loop body where Botnet order and control protocol to mark loop body;
The acquiring unit, the target circulation body for being additionally operable to be determined according to the determining unit obtain Botnet life Order and control protocol.
Botnet order provided in an embodiment of the present invention and the acquisition methods and device of control protocol, and in the prior art By the packet feature of statistical analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet, And with passing through manually acquisition Botnet order and the static analysis of control protocol from the malicious code sample of Botnet Acquisition modes are compared, and according to the cycle specificity in Botnet program process in perform track information, can get deadlock All Botnet orders and control protocol in corpse network program, and improve obtaining for Botnet order and control protocol Efficiency is taken, reduces the cost for obtaining Botnet order and control protocol process.
Brief description of the drawings
Technical scheme in order to illustrate the embodiments of the present invention more clearly, below will be to embodiment or description of the prior art In the required accompanying drawing used be briefly described, it should be apparent that, drawings in the following description be only the present invention some Embodiment, for those of ordinary skill in the art, on the premise of not paying creative work, can also be attached according to these Figure obtains other accompanying drawings.
Fig. 1 is the acquisition methods flow chart of a kind of Botnet order provided in an embodiment of the present invention and control protocol;
Fig. 2 is the acquisition methods flow chart of another Botnet order provided in an embodiment of the present invention and control protocol;
Fig. 3 is a kind of Botnet order provided in an embodiment of the present invention and the acquisition device structural representation of control protocol Figure;
Fig. 4 is another Botnet order provided in an embodiment of the present invention and the acquisition device structural representation of control protocol Figure.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, rather than whole embodiments.It is based on Embodiment in the present invention, those of ordinary skill in the art are obtained all other under the premise of creative work is not made Embodiment, belong to the scope of protection of the invention.
The advantages of to make technical solution of the present invention, is clearer, and the present invention is made specifically with reference to the accompanying drawings and examples It is bright.
The embodiment of the present invention provides the acquisition methods of a kind of Botnet order and control protocol, as shown in figure 1, the side Method includes:
101st, the perform track information in Botnet program process is obtained.
Wherein, perform track information is specifically as follows each CPU (Central that Botnet program performed Processing Unit, central processing unit) instruction, the CPU information such as execution state.
102nd, target circulation body is determined from the perform track information.
Wherein, the target circulation body is the loop body where Botnet order and control protocol.
103rd, Botnet order and control protocol are obtained according to the target circulation body.
A kind of Botnet order provided in an embodiment of the present invention and the acquisition methods of control protocol, with leading in the prior art The packet feature of statistical analysis Botnet program is crossed, to block the dynamic analysis acquisition modes of the communication of Botnet, with And with being obtained by manually obtaining Botnet order and the static analysis of control protocol from the malicious code sample of Botnet Take mode to compare, according to the cycle specificity in Botnet program process in perform track information, corpse can be got All Botnet orders and control protocol in network program, and improve Botnet order and the acquisition of control protocol Efficiency, reduce the cost for obtaining Botnet order and control protocol process.
Further, the embodiments of the invention provide another Botnet order and the acquisition methods of control protocol, such as Shown in Fig. 2, methods described comprises the following steps:
201st, the perform track information in Botnet program process is obtained.
Wherein, perform track information is specifically as follows each CPU (Central that Botnet program performed Processing Unit, central processing unit) instruction, the CPU various information such as execution state.
202nd, affiliated thread identical information in the perform track information is divided into same perform track block.
Specifically, due to including the execution information of multiple thread implementation procedures in perform track information, therefore will can hold Information corresponding to affiliated thread identical cpu instruction is divided into same perform track block in row trace information.
203rd, the loop body in the perform track block is obtained.
Specifically, the jump instruction of malicious code block in the perform track block is obtained first, if the jump instruction The address that destination address is less than the jump instruction is redirected, then the address of destination address and the jump instruction is redirected described in acquisition Between code, and confirm that the code is the loop body.
Wherein, the region of memory that the malicious code stored in file is mapped to is defined as malicious code region, does not belong to Region of memory in malicious code region is defined as system code region.After internal memory is divided into two regions, the institute in internal memory There is instruction address of region of memory according to where it to be also divided into two classes, belong to the instruction in malicious code region and belong to system The instruction of code region, further according to instruction belonging to region of memory difference, by perform track block be divided into malicious code block and System code block.Each perform track block contains the detailed execution information of a thread, such as the address of instruction, assembly code, Command length, operand, CPU state etc..
For the embodiment of the present invention, due to there is no system function information in perform track block, performed in perform track block Cheng Zhong, malicious code block to the controlling stream transfer process of system code block be to be realized by function call, and Botnet Order and control protocol are contained only in malicious code block, therefore can carry out abbreviation to system code block, with function name, ginseng The detailed implementation of the abstract function call information replacement system code block such as number, return value, adjusted so as to reduce function With the complexity of process.
204th, the target circulation body is determined from the loop body of the perform track block.
Specifically, if the loop body meets fisrt feature and second feature simultaneously, it is determined that the loop body is described Target circulation body, the fisrt feature are that have invoked suspicious function in the loop body, and the second feature is the institute being called The different returning results for stating suspicious function indicate that the Botnet program performs different perform track blocks.
Wherein, the suspicious function in the embodiment of the present invention is specifically as follows comparison function, and suspicious function is Botnet journey Sequence realizes order and commonly used function during control protocol, Botnet program after order and control protocol is received, it is necessary to Suspicious function pair order and control protocol is called to be analyzed, so as to perform with ordering perform track corresponding with control protocol Block.
, can be by matching the purpose of function call instruction in loop body for whether have invoked suspicious function in loop body Address and whether the entry address of suspicious function is identical is judged.If the destination address of function call instruction and suspicious function Entry address it is identical, then confirm that the loop body have invoked suspicious function.
205th, Botnet order and control protocol are obtained according to the target circulation body.
Specifically, the input order of the suspicious function called in the target circulation body is replaced with into predetermined order first Afterwards, the perform track information in the Botnet program process is reacquired, then from the execution rail reacquired The Botnet order and control protocol are extracted in mark information.
Wherein, predetermined order is specifically as follows random data, so that the input order of suspicious function is not normal Botnet order and control protocol, but a wrong order.Due to Botnet program in the process of implementation, can The input for doubting function is ordered with all Botnet orders preserved in Botnet program compared with control protocol, is existed The Botnet order and the malicious act corresponding to control protocol are carried out after the Botnet order of matching and control protocol, Such as snatch password, delete file, starting network attack etc., therefore when input order replaces with preset bad command, it is stiff Corpse network program can be carried out the whole Botnet orders preserved in the bad command and Botnet program with control protocol Comparison match, so that all Botnet orders are fully recorded in perform track information with control protocol.
For the embodiment of the present invention, the scene of application can be but be not limited to following form, and Zeus's program is a kind of biography The extremely strong network trojan horse program of metachromia, the Botnet order and control protocol for obtaining Zeus's program include:Zeus is obtained first Perform track information of the program during network service, can be with as shown in the table:
The reception order of network packet The size of network packet(Byte)
1 504
2 171757
3 381
4 344
5 34511
Then according to execution information of the perform track packet containing 23 different threads, perform track information is divided into 23 Individual perform track block, specifically can be with as shown in the table:
So that thread number is 1024 perform track block as an example, loop body 372 is included in the perform track block of 1024 threads, It is as shown in the table:
Sequence number Start address End address Cycle-index Suspicious function The occurrence number of suspicious function
1 0x26e85a1 0x26e85b7 1 Nothing 0
2 0x26e877c 0x26e87a2 1 lstrcmpiw 24
3 0x26edda5 0x26eddab 1 Nothing 0
4 0x26e5c5b 0x26e5c80 24 Nothing 0
5 0x26e94cb 0x26e94d2 2 Nothing 0
6 0x26f2e89 0x26f2ef0 1 Nothing 0
7 0x26edda5 0x26eddab 1 Nothing 0
8 0x26f2e21 0x26f2e47 3 Nothing 0
The information of the part loop body of the perform track block of 1024 threads is listed in table, includes the start address of loop body And end address, the execution number of loop body, whether suspicious function is included according to the loop body that suspicious function list judges, and The call number of suspicious function.Loop body 2 as seen from the table(0x26e877c-0x26e87a2)It has invoked suspicious function Lstrcmpiw, meets fisrt feature, then analyzes the loop body and calls suspicious function altogether 24 times, wherein preceding 23 suspicious letters Number lstrcmpiw returning result is non-zero, and last time lstrcmpiw returning result is 0, and lstrcmpiw return When result is 0, the address of perform track block corresponding to program is 0x026f52da;When lstrcmpiw returning result is non-zero, The address of perform track block corresponding to program is 0x026e87a6, it is seen that suspicious function lstrcmpiw returning result instruction journey Sequence performs different perform track blocks.After lstrcmpiw input parameter finally is replaced with into random order, held from Zeus's program Perform track information extraction Botnet order and control protocol during row, the Botnet order extracted and control are assisted View can be with as shown in the table:
It is achieved thereby that to all Botnet orders and the acquisition of control protocol in Zeus's program.
It should be noted that above-mentioned application scenarios are only example explanation, the limitation to the embodiment of the present invention should not be formed.
Another Botnet order provided in an embodiment of the present invention and the acquisition methods of control protocol, and in the prior art By the packet feature of statistical analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet, And with passing through manually acquisition Botnet order and the static analysis of control protocol from the malicious code sample of Botnet Acquisition modes are compared, and according to the cycle specificity in Botnet program process in perform track information, can get deadlock All Botnet orders and control protocol in corpse network program, and improve obtaining for Botnet order and control protocol Efficiency is taken, reduces the cost for obtaining Botnet order and control protocol process.
Further, as the realization to embodiment of the method shown in Fig. 1, the embodiment of the present invention additionally provides a kind of corpse net Network order and the acquisition device of control protocol, to realize the embodiment of the method shown in Fig. 1, the entity of described device can be eventually End equipment, as shown in figure 3, described device includes:Acquiring unit 31, determining unit 32.
Acquiring unit 31, it can be used for obtaining the perform track information in Botnet program process.
Determining unit 32, it can be used for determining target circulation from the perform track information of the acquiring unit 31 acquisition Body, the target circulation body are the loop body where Botnet order and control protocol.
The acquiring unit 31, the target circulation body that can be also used for being determined according to the determining unit 32 obtain stiff Corpse networking command and control protocol.
Yet further, as the realization to embodiment of the method shown in Fig. 2, the embodiment of the present invention additionally provides another deadlock The acquisition device of corpse networking command and control protocol, to realize the embodiment of the method shown in Fig. 2.The entity of described device can be with For terminal device, as shown in figure 4, described device includes:Acquiring unit 41, determining unit 42, allocation unit 43.
Acquiring unit 41, it can be used for obtaining the perform track information in Botnet program process.
Determining unit 42, it can be used for determining target circulation from the perform track information of the acquiring unit 41 acquisition Body, the target circulation body are the loop body where Botnet order and control protocol.
Acquiring unit 41, the target circulation body that can be also used for being determined according to the determining unit 42 obtain corpse net Network order and control protocol.
Allocation unit 43, it can be used for affiliated thread identical in the perform track information that obtains the acquiring unit 41 Information is divided into same perform track block.
Acquiring unit 41, it can be also used for obtaining the loop body in the perform track block.
Determining unit 42, it can be used for from the loop body of the perform track block of the acquiring unit 41 acquisition described in determination Target circulation body.
Acquiring unit 41, it can be used for the jump instruction for obtaining malicious code block in the perform track block.
Acquiring unit 41, if can be used for the ground for redirecting destination address and being less than the jump instruction of the jump instruction Location, then the code between the address of destination address and the jump instruction is redirected described in acquisition, and confirm that the code is described Loop body.
Determining unit 42, if can be used for the loop body while meet fisrt feature and second feature, it is determined that described Loop body is the target circulation body, and the fisrt feature is that have invoked suspicious function, the second feature in the loop body Indicate that the Botnet program performs different perform track blocks for the different returning results of the called suspicious function.
Acquiring unit 41 can include:Replacement module 4101, acquisition module 4102, extraction module 4103.
Replacement module 4101, it can be used for replacing with the input order of the suspicious function called in the target circulation body Predetermined order.
Acquisition module 4102, it can be used for replacing with the input order of the suspicious function called in the target circulation body After predetermined order, the perform track information in the Botnet program process is reacquired.
Extraction module 4103, extract in the perform track information that can be used for reacquiring from the acquisition module 4102 The Botnet order and control protocol.
It should be noted that involved by the acquisition device of Botnet order provided in an embodiment of the present invention and control protocol Other corresponding descriptions of each functional unit, may be referred to corresponding description in Fig. 1 and Fig. 2, the embodiment of the present invention herein will no longer Repeat.
Botnet order provided in an embodiment of the present invention and the acquisition device of control protocol, with passing through system in the prior art The packet feature of meter analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet, Yi Jiyu By the static analysis acquisition side that Botnet order and control protocol are manually obtained from the malicious code sample of Botnet Formula is compared, and according to the cycle specificity in Botnet program process in perform track information, can get Botnet All Botnet orders and control protocol in program, and improve Botnet order and the acquisition of control protocol effect Rate, reduce the cost for obtaining Botnet order and control protocol process.
The acquisition device of Botnet order provided in an embodiment of the present invention and control protocol can realize above-mentioned offer Embodiment of the method, concrete function are realized the explanation referred in embodiment of the method, will not be repeated here.The embodiment of the present invention provides Botnet order and the acquisition methods and device of control protocol go for areas of information technology, but be not limited only to this.
One of ordinary skill in the art will appreciate that realize all or part of flow in above-described embodiment method, being can be with The hardware of correlation is instructed to complete by computer program, described program can be stored in a computer read/write memory medium In, the program is upon execution, it may include such as the flow of the embodiment of above-mentioned each method.Wherein, described storage medium can be magnetic Dish, CD, read-only memory(Read-Only Memory, ROM)Or random access memory(Random Access Memory, RAM)Deng.
The foregoing is only a specific embodiment of the invention, but protection scope of the present invention is not limited thereto, any Those familiar with the art the invention discloses technical scope in, the change or replacement that can readily occur in, all should It is included within the scope of the present invention.Therefore, protection scope of the present invention should be defined by scope of the claims.

Claims (4)

1. a kind of Botnet order and the acquisition methods of control protocol, it is characterised in that including:
Obtain the perform track information in Botnet program process;
Affiliated thread identical information in the perform track information is divided into same perform track block;
Obtain the loop body in the perform track block;
The loop body obtained in the perform track block includes:Obtain redirecting for malicious code block in the perform track block Instruction;If the address for redirecting destination address and being less than the jump instruction of the jump instruction, destination is redirected described in acquisition Code between location and the address of the jump instruction, and confirm that the code is the loop body;
Target circulation body is determined from the perform track information, the target circulation body is Botnet order and control protocol The loop body at place;
It is described to determine that target circulation body includes from the perform track information:The target is determined from the perform track block Loop body;Determine that the target circulation body includes from the perform track block:If the loop body meets fisrt feature simultaneously And second feature, it is determined that the loop body is the target circulation body, and the fisrt feature is that have invoked in the loop body Suspicious function, the second feature indicate the Botnet program for the different returning results of the called suspicious function Perform different perform track blocks;
Botnet order and control protocol are obtained according to the target circulation body.
2. Botnet order according to claim 1 and the acquisition methods of control protocol, it is characterised in that the basis The target circulation body, which obtains Botnet order and control protocol, to be included:
After the input order of the suspicious function called in the target circulation body is replaced with into predetermined order, the deadlock is reacquired Perform track information in corpse network program implementation procedure;
The Botnet order and control protocol are extracted from the perform track information reacquired.
3. a kind of Botnet order and the acquisition device of control protocol, it is characterised in that including:
Acquiring unit, for obtaining the perform track information in Botnet program process;
Determining unit, for determining target circulation body in the perform track information that is obtained from the acquiring unit, the target is followed Ring body is the loop body where Botnet order and control protocol;
The acquiring unit, be additionally operable to according to the determining unit determine the target circulation body obtain Botnet order and Control protocol;
Allocation unit, it is divided into together for affiliated thread identical information in the perform track information that obtains the acquiring unit One perform track block;
The acquiring unit, it is additionally operable to obtain the loop body in the perform track block;
The acquiring unit, it is additionally operable to obtain the jump instruction of malicious code block in the perform track block;
The acquiring unit, if being additionally operable to the address for redirecting destination address and being less than the jump instruction of the jump instruction, The code between the address of destination address and the jump instruction is redirected described in acquisition, and confirms that the code is the circulation Body;
The determining unit, it is additionally operable to determine that the target is followed from the loop body of the perform track block of acquiring unit acquisition Ring body;
The determining unit, if being additionally operable to the loop body while meeting fisrt feature and second feature, it is determined that the circulation Body is the target circulation body, and the fisrt feature is that have invoked suspicious function in the loop body, and the second feature is quilt The different returning results of the suspicious function called indicate that the Botnet program performs different perform track blocks.
4. Botnet order according to claim 3 and the acquisition device of control protocol, it is characterised in that the acquisition Unit includes:
Replacement module, for the input order of the suspicious function called in the target circulation body to be replaced with into predetermined order;
Acquisition module, after the input order of the suspicious function called in the target circulation body is replaced with into predetermined order, Reacquire the perform track information in the Botnet program process;
Extraction module, for extracting the Botnet order in the perform track information that is reacquired from the acquisition module And control protocol.
CN201210576206.XA 2012-12-26 2012-12-26 Botnet order and the acquisition methods and device of control protocol Active CN103905391B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210576206.XA CN103905391B (en) 2012-12-26 2012-12-26 Botnet order and the acquisition methods and device of control protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210576206.XA CN103905391B (en) 2012-12-26 2012-12-26 Botnet order and the acquisition methods and device of control protocol

Publications (2)

Publication Number Publication Date
CN103905391A CN103905391A (en) 2014-07-02
CN103905391B true CN103905391B (en) 2018-01-30

Family

ID=50996546

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210576206.XA Active CN103905391B (en) 2012-12-26 2012-12-26 Botnet order and the acquisition methods and device of control protocol

Country Status (1)

Country Link
CN (1) CN103905391B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6246377B2 (en) * 2014-08-28 2017-12-13 三菱電機株式会社 Process analysis apparatus, process analysis method, and process analysis program
CN107454043A (en) * 2016-05-31 2017-12-08 阿里巴巴集团控股有限公司 The monitoring method and device of a kind of network attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924757A (en) * 2010-07-30 2010-12-22 中国电信股份有限公司 Method and system for reviewing Botnet
CN102546298A (en) * 2012-01-06 2012-07-04 北京大学 Botnet family detection method based on active probing
CN102789420A (en) * 2012-07-24 2012-11-21 中国矿业大学 Dynamic slicing system based on execution tract of program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8752169B2 (en) * 2008-03-31 2014-06-10 Intel Corporation Botnet spam detection and filtration on the source machine

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924757A (en) * 2010-07-30 2010-12-22 中国电信股份有限公司 Method and system for reviewing Botnet
CN102546298A (en) * 2012-01-06 2012-07-04 北京大学 Botnet family detection method based on active probing
CN102789420A (en) * 2012-07-24 2012-11-21 中国矿业大学 Dynamic slicing system based on execution tract of program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
僵尸网络命令控制机制与检测技术分析;李晓桢等;《计算机安全》;20090315;全文 *

Also Published As

Publication number Publication date
CN103905391A (en) 2014-07-02

Similar Documents

Publication Publication Date Title
JP5220236B2 (en) Method for detecting an NFC device emulating several contactless cards capable of using multiple protocols
CN107563201B (en) Associated sample searching method and device based on machine learning and server
CN104346148B (en) Obtain method, the apparatus and system of program feature consumption information
CN104412565B (en) For relating to the method that the socket of bearer independent protocol manages
CN103906272B (en) WLAN collocation method and wireless terminal
CN103714292A (en) Method for detecting exploit codes
CN109918907A (en) Linux platform proceeding internal memory malicious code evidence collecting method, controller and medium
WO2015081693A1 (en) Network sharing user identification method and apparatus
WO2019047442A1 (en) Method and system for bypassing function call chain detection in ios application
JP2018537921A (en) Identification method and apparatus based on communication flow of different functions of Skype
CN103905391B (en) Botnet order and the acquisition methods and device of control protocol
CN105718793A (en) Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification
CN104700030B (en) A kind of viral data search method, device and server
CN107102889B (en) Virtual machine resource adjusting method and device
CN103166942B (en) A kind of procotol analytic method of malicious code
CN101040258A (en) Method and apparatus for loading compatibly equipment software in distributed control system
CN109120731B (en) Universal communication method, system and device
US20110107395A1 (en) Method and apparatus for providing a fast and secure boot process
Roland et al. Comparison of the usability and security of NFC's different operating modes in mobile devices.
CN107547451A (en) A kind of multipath server, CPU connection methods and device
CN103561035A (en) Mobile subscriber safety protection method and system
CN103209181A (en) Achieving method for application and connection firewall under linux network architecture
WO2012143307A1 (en) Method of managing data sent to a secure element via a http response message
CN103077078A (en) Method of defining state transitions in a software and application control management object
CN103902895A (en) Botnet network control protocol mining method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant