CN103905391B - Botnet order and the acquisition methods and device of control protocol - Google Patents
Botnet order and the acquisition methods and device of control protocol Download PDFInfo
- Publication number
- CN103905391B CN103905391B CN201210576206.XA CN201210576206A CN103905391B CN 103905391 B CN103905391 B CN 103905391B CN 201210576206 A CN201210576206 A CN 201210576206A CN 103905391 B CN103905391 B CN 103905391B
- Authority
- CN
- China
- Prior art keywords
- botnet
- control protocol
- perform track
- order
- acquisition
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The embodiment of the invention discloses a kind of Botnet order and the acquisition methods and device of control protocol, it is related to areas of information technology, improves the acquisition efficiency of Botnet order and control protocol, reduces the cost for obtaining Botnet order and control protocol process.Methods described includes:The perform track information in Botnet program process is obtained first, then target circulation body is determined from the perform track information, the target circulation body is the loop body where Botnet order and control protocol, finally obtains Botnet order and control protocol according to the target circulation body.
Description
Technical field
The present invention relates to areas of information technology, the acquisition methods of more particularly to a kind of Botnet order and control protocol and
Device.
Background technology
With the fast development of internet, the popularity rate of Web vector graphic also more and more higher, this allows for being used to steal calculating
Machine user property, acquisition privacy of user, all kinds of Botnet programs of control system resource gradually increase, and cause user to use mutual
The security of networking is more and more lower.Botnet order and control protocol, it is the guarantee that Botnet program is capable of normal operation.
Botnet order and control protocol are obtained, is the key for defending Botnet program,
The acquisition modes of existing Botnet order and control protocol mainly include dynamic analysis acquisition modes and static point
Analyse acquisition modes.Dynamic analysis acquisition modes are by the packet feature of statistical analysis Botnet program, to block corpse
The communication of network, the entire packet feature of Botnet program can not be divided yet with dynamic analysis acquisition modes
Analysis, causes the dynamic analysis acquisition modes can not get all Botnet orders and control protocol;Static analysis acquisition side
Formula is then by manually obtaining Botnet order and control protocol from the malicious code sample of Botnet, due to static state point
Analysing acquisition modes is completed by manual operation, therefore static analysis acquisition modes obtain Botnet order and control protocol
It is less efficient, cost is higher.
The content of the invention
The present invention provides the acquisition methods and device of a kind of Botnet order and control protocol, can get corpse net
All Botnet orders and control protocol in network program, and improve Botnet order and the acquisition of control protocol effect
Rate, reduce the cost for obtaining Botnet order and control protocol process.
The technical scheme that the embodiment of the present invention uses for:
A kind of Botnet order and the acquisition methods of control protocol, including:
Obtain the perform track information in Botnet program process;
Target circulation body is determined from the perform track information, the target circulation body is Botnet order and control
Loop body where agreement;
Botnet order and control protocol are obtained according to the target circulation body.
A kind of Botnet order and the acquisition device of control protocol, including:
Acquiring unit, for obtaining the perform track information in Botnet program process;
Determining unit, for determining target circulation body, the mesh in the perform track information that is obtained from the acquiring unit
It is the loop body where Botnet order and control protocol to mark loop body;
The acquiring unit, the target circulation body for being additionally operable to be determined according to the determining unit obtain Botnet life
Order and control protocol.
Botnet order provided in an embodiment of the present invention and the acquisition methods and device of control protocol, and in the prior art
By the packet feature of statistical analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet,
And with passing through manually acquisition Botnet order and the static analysis of control protocol from the malicious code sample of Botnet
Acquisition modes are compared, and according to the cycle specificity in Botnet program process in perform track information, can get deadlock
All Botnet orders and control protocol in corpse network program, and improve obtaining for Botnet order and control protocol
Efficiency is taken, reduces the cost for obtaining Botnet order and control protocol process.
Brief description of the drawings
Technical scheme in order to illustrate the embodiments of the present invention more clearly, below will be to embodiment or description of the prior art
In the required accompanying drawing used be briefly described, it should be apparent that, drawings in the following description be only the present invention some
Embodiment, for those of ordinary skill in the art, on the premise of not paying creative work, can also be attached according to these
Figure obtains other accompanying drawings.
Fig. 1 is the acquisition methods flow chart of a kind of Botnet order provided in an embodiment of the present invention and control protocol;
Fig. 2 is the acquisition methods flow chart of another Botnet order provided in an embodiment of the present invention and control protocol;
Fig. 3 is a kind of Botnet order provided in an embodiment of the present invention and the acquisition device structural representation of control protocol
Figure;
Fig. 4 is another Botnet order provided in an embodiment of the present invention and the acquisition device structural representation of control protocol
Figure.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete
Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, rather than whole embodiments.It is based on
Embodiment in the present invention, those of ordinary skill in the art are obtained all other under the premise of creative work is not made
Embodiment, belong to the scope of protection of the invention.
The advantages of to make technical solution of the present invention, is clearer, and the present invention is made specifically with reference to the accompanying drawings and examples
It is bright.
The embodiment of the present invention provides the acquisition methods of a kind of Botnet order and control protocol, as shown in figure 1, the side
Method includes:
101st, the perform track information in Botnet program process is obtained.
Wherein, perform track information is specifically as follows each CPU (Central that Botnet program performed
Processing Unit, central processing unit) instruction, the CPU information such as execution state.
102nd, target circulation body is determined from the perform track information.
Wherein, the target circulation body is the loop body where Botnet order and control protocol.
103rd, Botnet order and control protocol are obtained according to the target circulation body.
A kind of Botnet order provided in an embodiment of the present invention and the acquisition methods of control protocol, with leading in the prior art
The packet feature of statistical analysis Botnet program is crossed, to block the dynamic analysis acquisition modes of the communication of Botnet, with
And with being obtained by manually obtaining Botnet order and the static analysis of control protocol from the malicious code sample of Botnet
Take mode to compare, according to the cycle specificity in Botnet program process in perform track information, corpse can be got
All Botnet orders and control protocol in network program, and improve Botnet order and the acquisition of control protocol
Efficiency, reduce the cost for obtaining Botnet order and control protocol process.
Further, the embodiments of the invention provide another Botnet order and the acquisition methods of control protocol, such as
Shown in Fig. 2, methods described comprises the following steps:
201st, the perform track information in Botnet program process is obtained.
Wherein, perform track information is specifically as follows each CPU (Central that Botnet program performed
Processing Unit, central processing unit) instruction, the CPU various information such as execution state.
202nd, affiliated thread identical information in the perform track information is divided into same perform track block.
Specifically, due to including the execution information of multiple thread implementation procedures in perform track information, therefore will can hold
Information corresponding to affiliated thread identical cpu instruction is divided into same perform track block in row trace information.
203rd, the loop body in the perform track block is obtained.
Specifically, the jump instruction of malicious code block in the perform track block is obtained first, if the jump instruction
The address that destination address is less than the jump instruction is redirected, then the address of destination address and the jump instruction is redirected described in acquisition
Between code, and confirm that the code is the loop body.
Wherein, the region of memory that the malicious code stored in file is mapped to is defined as malicious code region, does not belong to
Region of memory in malicious code region is defined as system code region.After internal memory is divided into two regions, the institute in internal memory
There is instruction address of region of memory according to where it to be also divided into two classes, belong to the instruction in malicious code region and belong to system
The instruction of code region, further according to instruction belonging to region of memory difference, by perform track block be divided into malicious code block and
System code block.Each perform track block contains the detailed execution information of a thread, such as the address of instruction, assembly code,
Command length, operand, CPU state etc..
For the embodiment of the present invention, due to there is no system function information in perform track block, performed in perform track block
Cheng Zhong, malicious code block to the controlling stream transfer process of system code block be to be realized by function call, and Botnet
Order and control protocol are contained only in malicious code block, therefore can carry out abbreviation to system code block, with function name, ginseng
The detailed implementation of the abstract function call information replacement system code block such as number, return value, adjusted so as to reduce function
With the complexity of process.
204th, the target circulation body is determined from the loop body of the perform track block.
Specifically, if the loop body meets fisrt feature and second feature simultaneously, it is determined that the loop body is described
Target circulation body, the fisrt feature are that have invoked suspicious function in the loop body, and the second feature is the institute being called
The different returning results for stating suspicious function indicate that the Botnet program performs different perform track blocks.
Wherein, the suspicious function in the embodiment of the present invention is specifically as follows comparison function, and suspicious function is Botnet journey
Sequence realizes order and commonly used function during control protocol, Botnet program after order and control protocol is received, it is necessary to
Suspicious function pair order and control protocol is called to be analyzed, so as to perform with ordering perform track corresponding with control protocol
Block.
, can be by matching the purpose of function call instruction in loop body for whether have invoked suspicious function in loop body
Address and whether the entry address of suspicious function is identical is judged.If the destination address of function call instruction and suspicious function
Entry address it is identical, then confirm that the loop body have invoked suspicious function.
205th, Botnet order and control protocol are obtained according to the target circulation body.
Specifically, the input order of the suspicious function called in the target circulation body is replaced with into predetermined order first
Afterwards, the perform track information in the Botnet program process is reacquired, then from the execution rail reacquired
The Botnet order and control protocol are extracted in mark information.
Wherein, predetermined order is specifically as follows random data, so that the input order of suspicious function is not normal
Botnet order and control protocol, but a wrong order.Due to Botnet program in the process of implementation, can
The input for doubting function is ordered with all Botnet orders preserved in Botnet program compared with control protocol, is existed
The Botnet order and the malicious act corresponding to control protocol are carried out after the Botnet order of matching and control protocol,
Such as snatch password, delete file, starting network attack etc., therefore when input order replaces with preset bad command, it is stiff
Corpse network program can be carried out the whole Botnet orders preserved in the bad command and Botnet program with control protocol
Comparison match, so that all Botnet orders are fully recorded in perform track information with control protocol.
For the embodiment of the present invention, the scene of application can be but be not limited to following form, and Zeus's program is a kind of biography
The extremely strong network trojan horse program of metachromia, the Botnet order and control protocol for obtaining Zeus's program include:Zeus is obtained first
Perform track information of the program during network service, can be with as shown in the table:
The reception order of network packet | The size of network packet(Byte) |
1 | 504 |
2 | 171757 |
3 | 381 |
4 | 344 |
5 | 34511 |
Then according to execution information of the perform track packet containing 23 different threads, perform track information is divided into 23
Individual perform track block, specifically can be with as shown in the table:
So that thread number is 1024 perform track block as an example, loop body 372 is included in the perform track block of 1024 threads,
It is as shown in the table:
Sequence number | Start address | End address | Cycle-index | Suspicious function | The occurrence number of suspicious function |
1 | 0x26e85a1 | 0x26e85b7 | 1 | Nothing | 0 |
2 | 0x26e877c | 0x26e87a2 | 1 | lstrcmpiw | 24 |
3 | 0x26edda5 | 0x26eddab | 1 | Nothing | 0 |
4 | 0x26e5c5b | 0x26e5c80 | 24 | Nothing | 0 |
5 | 0x26e94cb | 0x26e94d2 | 2 | Nothing | 0 |
6 | 0x26f2e89 | 0x26f2ef0 | 1 | Nothing | 0 |
7 | 0x26edda5 | 0x26eddab | 1 | Nothing | 0 |
8 | 0x26f2e21 | 0x26f2e47 | 3 | Nothing | 0 |
The information of the part loop body of the perform track block of 1024 threads is listed in table, includes the start address of loop body
And end address, the execution number of loop body, whether suspicious function is included according to the loop body that suspicious function list judges, and
The call number of suspicious function.Loop body 2 as seen from the table(0x26e877c-0x26e87a2)It has invoked suspicious function
Lstrcmpiw, meets fisrt feature, then analyzes the loop body and calls suspicious function altogether 24 times, wherein preceding 23 suspicious letters
Number lstrcmpiw returning result is non-zero, and last time lstrcmpiw returning result is 0, and lstrcmpiw return
When result is 0, the address of perform track block corresponding to program is 0x026f52da;When lstrcmpiw returning result is non-zero,
The address of perform track block corresponding to program is 0x026e87a6, it is seen that suspicious function lstrcmpiw returning result instruction journey
Sequence performs different perform track blocks.After lstrcmpiw input parameter finally is replaced with into random order, held from Zeus's program
Perform track information extraction Botnet order and control protocol during row, the Botnet order extracted and control are assisted
View can be with as shown in the table:
It is achieved thereby that to all Botnet orders and the acquisition of control protocol in Zeus's program.
It should be noted that above-mentioned application scenarios are only example explanation, the limitation to the embodiment of the present invention should not be formed.
Another Botnet order provided in an embodiment of the present invention and the acquisition methods of control protocol, and in the prior art
By the packet feature of statistical analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet,
And with passing through manually acquisition Botnet order and the static analysis of control protocol from the malicious code sample of Botnet
Acquisition modes are compared, and according to the cycle specificity in Botnet program process in perform track information, can get deadlock
All Botnet orders and control protocol in corpse network program, and improve obtaining for Botnet order and control protocol
Efficiency is taken, reduces the cost for obtaining Botnet order and control protocol process.
Further, as the realization to embodiment of the method shown in Fig. 1, the embodiment of the present invention additionally provides a kind of corpse net
Network order and the acquisition device of control protocol, to realize the embodiment of the method shown in Fig. 1, the entity of described device can be eventually
End equipment, as shown in figure 3, described device includes:Acquiring unit 31, determining unit 32.
Acquiring unit 31, it can be used for obtaining the perform track information in Botnet program process.
Determining unit 32, it can be used for determining target circulation from the perform track information of the acquiring unit 31 acquisition
Body, the target circulation body are the loop body where Botnet order and control protocol.
The acquiring unit 31, the target circulation body that can be also used for being determined according to the determining unit 32 obtain stiff
Corpse networking command and control protocol.
Yet further, as the realization to embodiment of the method shown in Fig. 2, the embodiment of the present invention additionally provides another deadlock
The acquisition device of corpse networking command and control protocol, to realize the embodiment of the method shown in Fig. 2.The entity of described device can be with
For terminal device, as shown in figure 4, described device includes:Acquiring unit 41, determining unit 42, allocation unit 43.
Acquiring unit 41, it can be used for obtaining the perform track information in Botnet program process.
Determining unit 42, it can be used for determining target circulation from the perform track information of the acquiring unit 41 acquisition
Body, the target circulation body are the loop body where Botnet order and control protocol.
Acquiring unit 41, the target circulation body that can be also used for being determined according to the determining unit 42 obtain corpse net
Network order and control protocol.
Allocation unit 43, it can be used for affiliated thread identical in the perform track information that obtains the acquiring unit 41
Information is divided into same perform track block.
Acquiring unit 41, it can be also used for obtaining the loop body in the perform track block.
Determining unit 42, it can be used for from the loop body of the perform track block of the acquiring unit 41 acquisition described in determination
Target circulation body.
Acquiring unit 41, it can be used for the jump instruction for obtaining malicious code block in the perform track block.
Acquiring unit 41, if can be used for the ground for redirecting destination address and being less than the jump instruction of the jump instruction
Location, then the code between the address of destination address and the jump instruction is redirected described in acquisition, and confirm that the code is described
Loop body.
Determining unit 42, if can be used for the loop body while meet fisrt feature and second feature, it is determined that described
Loop body is the target circulation body, and the fisrt feature is that have invoked suspicious function, the second feature in the loop body
Indicate that the Botnet program performs different perform track blocks for the different returning results of the called suspicious function.
Acquiring unit 41 can include:Replacement module 4101, acquisition module 4102, extraction module 4103.
Replacement module 4101, it can be used for replacing with the input order of the suspicious function called in the target circulation body
Predetermined order.
Acquisition module 4102, it can be used for replacing with the input order of the suspicious function called in the target circulation body
After predetermined order, the perform track information in the Botnet program process is reacquired.
Extraction module 4103, extract in the perform track information that can be used for reacquiring from the acquisition module 4102
The Botnet order and control protocol.
It should be noted that involved by the acquisition device of Botnet order provided in an embodiment of the present invention and control protocol
Other corresponding descriptions of each functional unit, may be referred to corresponding description in Fig. 1 and Fig. 2, the embodiment of the present invention herein will no longer
Repeat.
Botnet order provided in an embodiment of the present invention and the acquisition device of control protocol, with passing through system in the prior art
The packet feature of meter analysis Botnet program, to block the dynamic analysis acquisition modes of the communication of Botnet, Yi Jiyu
By the static analysis acquisition side that Botnet order and control protocol are manually obtained from the malicious code sample of Botnet
Formula is compared, and according to the cycle specificity in Botnet program process in perform track information, can get Botnet
All Botnet orders and control protocol in program, and improve Botnet order and the acquisition of control protocol effect
Rate, reduce the cost for obtaining Botnet order and control protocol process.
The acquisition device of Botnet order provided in an embodiment of the present invention and control protocol can realize above-mentioned offer
Embodiment of the method, concrete function are realized the explanation referred in embodiment of the method, will not be repeated here.The embodiment of the present invention provides
Botnet order and the acquisition methods and device of control protocol go for areas of information technology, but be not limited only to this.
One of ordinary skill in the art will appreciate that realize all or part of flow in above-described embodiment method, being can be with
The hardware of correlation is instructed to complete by computer program, described program can be stored in a computer read/write memory medium
In, the program is upon execution, it may include such as the flow of the embodiment of above-mentioned each method.Wherein, described storage medium can be magnetic
Dish, CD, read-only memory(Read-Only Memory, ROM)Or random access memory(Random Access
Memory, RAM)Deng.
The foregoing is only a specific embodiment of the invention, but protection scope of the present invention is not limited thereto, any
Those familiar with the art the invention discloses technical scope in, the change or replacement that can readily occur in, all should
It is included within the scope of the present invention.Therefore, protection scope of the present invention should be defined by scope of the claims.
Claims (4)
1. a kind of Botnet order and the acquisition methods of control protocol, it is characterised in that including:
Obtain the perform track information in Botnet program process;
Affiliated thread identical information in the perform track information is divided into same perform track block;
Obtain the loop body in the perform track block;
The loop body obtained in the perform track block includes:Obtain redirecting for malicious code block in the perform track block
Instruction;If the address for redirecting destination address and being less than the jump instruction of the jump instruction, destination is redirected described in acquisition
Code between location and the address of the jump instruction, and confirm that the code is the loop body;
Target circulation body is determined from the perform track information, the target circulation body is Botnet order and control protocol
The loop body at place;
It is described to determine that target circulation body includes from the perform track information:The target is determined from the perform track block
Loop body;Determine that the target circulation body includes from the perform track block:If the loop body meets fisrt feature simultaneously
And second feature, it is determined that the loop body is the target circulation body, and the fisrt feature is that have invoked in the loop body
Suspicious function, the second feature indicate the Botnet program for the different returning results of the called suspicious function
Perform different perform track blocks;
Botnet order and control protocol are obtained according to the target circulation body.
2. Botnet order according to claim 1 and the acquisition methods of control protocol, it is characterised in that the basis
The target circulation body, which obtains Botnet order and control protocol, to be included:
After the input order of the suspicious function called in the target circulation body is replaced with into predetermined order, the deadlock is reacquired
Perform track information in corpse network program implementation procedure;
The Botnet order and control protocol are extracted from the perform track information reacquired.
3. a kind of Botnet order and the acquisition device of control protocol, it is characterised in that including:
Acquiring unit, for obtaining the perform track information in Botnet program process;
Determining unit, for determining target circulation body in the perform track information that is obtained from the acquiring unit, the target is followed
Ring body is the loop body where Botnet order and control protocol;
The acquiring unit, be additionally operable to according to the determining unit determine the target circulation body obtain Botnet order and
Control protocol;
Allocation unit, it is divided into together for affiliated thread identical information in the perform track information that obtains the acquiring unit
One perform track block;
The acquiring unit, it is additionally operable to obtain the loop body in the perform track block;
The acquiring unit, it is additionally operable to obtain the jump instruction of malicious code block in the perform track block;
The acquiring unit, if being additionally operable to the address for redirecting destination address and being less than the jump instruction of the jump instruction,
The code between the address of destination address and the jump instruction is redirected described in acquisition, and confirms that the code is the circulation
Body;
The determining unit, it is additionally operable to determine that the target is followed from the loop body of the perform track block of acquiring unit acquisition
Ring body;
The determining unit, if being additionally operable to the loop body while meeting fisrt feature and second feature, it is determined that the circulation
Body is the target circulation body, and the fisrt feature is that have invoked suspicious function in the loop body, and the second feature is quilt
The different returning results of the suspicious function called indicate that the Botnet program performs different perform track blocks.
4. Botnet order according to claim 3 and the acquisition device of control protocol, it is characterised in that the acquisition
Unit includes:
Replacement module, for the input order of the suspicious function called in the target circulation body to be replaced with into predetermined order;
Acquisition module, after the input order of the suspicious function called in the target circulation body is replaced with into predetermined order,
Reacquire the perform track information in the Botnet program process;
Extraction module, for extracting the Botnet order in the perform track information that is reacquired from the acquisition module
And control protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210576206.XA CN103905391B (en) | 2012-12-26 | 2012-12-26 | Botnet order and the acquisition methods and device of control protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210576206.XA CN103905391B (en) | 2012-12-26 | 2012-12-26 | Botnet order and the acquisition methods and device of control protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103905391A CN103905391A (en) | 2014-07-02 |
CN103905391B true CN103905391B (en) | 2018-01-30 |
Family
ID=50996546
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210576206.XA Active CN103905391B (en) | 2012-12-26 | 2012-12-26 | Botnet order and the acquisition methods and device of control protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103905391B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6246377B2 (en) * | 2014-08-28 | 2017-12-13 | 三菱電機株式会社 | Process analysis apparatus, process analysis method, and process analysis program |
CN107454043A (en) * | 2016-05-31 | 2017-12-08 | 阿里巴巴集团控股有限公司 | The monitoring method and device of a kind of network attack |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101924757A (en) * | 2010-07-30 | 2010-12-22 | 中国电信股份有限公司 | Method and system for reviewing Botnet |
CN102546298A (en) * | 2012-01-06 | 2012-07-04 | 北京大学 | Botnet family detection method based on active probing |
CN102789420A (en) * | 2012-07-24 | 2012-11-21 | 中国矿业大学 | Dynamic slicing system based on execution tract of program |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8752169B2 (en) * | 2008-03-31 | 2014-06-10 | Intel Corporation | Botnet spam detection and filtration on the source machine |
-
2012
- 2012-12-26 CN CN201210576206.XA patent/CN103905391B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101924757A (en) * | 2010-07-30 | 2010-12-22 | 中国电信股份有限公司 | Method and system for reviewing Botnet |
CN102546298A (en) * | 2012-01-06 | 2012-07-04 | 北京大学 | Botnet family detection method based on active probing |
CN102789420A (en) * | 2012-07-24 | 2012-11-21 | 中国矿业大学 | Dynamic slicing system based on execution tract of program |
Non-Patent Citations (1)
Title |
---|
僵尸网络命令控制机制与检测技术分析;李晓桢等;《计算机安全》;20090315;全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN103905391A (en) | 2014-07-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5220236B2 (en) | Method for detecting an NFC device emulating several contactless cards capable of using multiple protocols | |
CN107563201B (en) | Associated sample searching method and device based on machine learning and server | |
CN104346148B (en) | Obtain method, the apparatus and system of program feature consumption information | |
CN104412565B (en) | For relating to the method that the socket of bearer independent protocol manages | |
CN103906272B (en) | WLAN collocation method and wireless terminal | |
CN103714292A (en) | Method for detecting exploit codes | |
CN109918907A (en) | Linux platform proceeding internal memory malicious code evidence collecting method, controller and medium | |
WO2015081693A1 (en) | Network sharing user identification method and apparatus | |
WO2019047442A1 (en) | Method and system for bypassing function call chain detection in ios application | |
JP2018537921A (en) | Identification method and apparatus based on communication flow of different functions of Skype | |
CN103905391B (en) | Botnet order and the acquisition methods and device of control protocol | |
CN105718793A (en) | Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification | |
CN104700030B (en) | A kind of viral data search method, device and server | |
CN107102889B (en) | Virtual machine resource adjusting method and device | |
CN103166942B (en) | A kind of procotol analytic method of malicious code | |
CN101040258A (en) | Method and apparatus for loading compatibly equipment software in distributed control system | |
CN109120731B (en) | Universal communication method, system and device | |
US20110107395A1 (en) | Method and apparatus for providing a fast and secure boot process | |
Roland et al. | Comparison of the usability and security of NFC's different operating modes in mobile devices. | |
CN107547451A (en) | A kind of multipath server, CPU connection methods and device | |
CN103561035A (en) | Mobile subscriber safety protection method and system | |
CN103209181A (en) | Achieving method for application and connection firewall under linux network architecture | |
WO2012143307A1 (en) | Method of managing data sent to a secure element via a http response message | |
CN103077078A (en) | Method of defining state transitions in a software and application control management object | |
CN103902895A (en) | Botnet network control protocol mining method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |