CN105245495A - Similarity match based rapid detection method for malicious shellcode - Google Patents


Publication number
CN105245495A
Authority
CN
China
Prior art keywords
detection
shellcode
similarity
testing data
data
Prior art date
Legal status
Pending
Application number
CN201510534727.2A
Other languages
Chinese (zh)
Inventor
张国印
徐锋
王东宇
檀凯
孙建国
Current Assignee
Harbin Engineering University
Original Assignee
Harbin Engineering University
Priority date
Filing date
Publication date
Application filed by Harbin Engineering University
Priority to CN201510534727.2A
Publication of CN105245495A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a rapid detection method for malicious shellcode based on similarity matching, which combines the advantages of traditional dynamic and static detection technologies. The method comprises: examining the data to be detected; calling a decoder to perform simulated-execution detection; comparing the data to be detected with a sample library using the Shingle algorithm; and, when the similarity coefficient is greater than the 40% threshold, determining that a malicious shellcode attack is present in the data to be detected and raising an early warning. The method does not need an emulator that performs deep simulated execution and system-function hooking, which further reduces the detection cost of dynamic simulated detection, increases the throughput of detection data, raises the detection speed for polymorphic malicious code, and reduces the impact on network speed.

Description

A rapid detection method for malicious shellcode based on similarity matching
Technical field
The present invention relates to a rapid detection method for malicious shellcode based on similarity matching that combines the advantages of traditional dynamic detection and static detection techniques.
Background art
With the rapid development and progress of network and computer technology, computers play an increasingly important role in every aspect of daily life, but they also bring many unavoidable security problems. Among these, malicious network attacks and computer viruses and Trojans have become the main threats to computer security today. Because of defects in the architecture of the computer itself, and because much current software is developed in C/C++, a high-level language that is itself very flexible, many security vulnerabilities are introduced while operating systems and application software are developed. Attackers can therefore use the network, viruses and Trojans to exploit these vulnerabilities and directly or indirectly obtain partial operating privileges on a computer system, or even administrator privileges, which seriously threatens the security of the computer system.
According to data provided by security software vendors, exploiting buffer overflow vulnerabilities is the intrusion method most easily used to carry out attacks. The vulnerability is only the target of the attack; what actually carries the attack out is the malicious code, the shellcode, that is, the real attack payload.
There are currently two main approaches to detecting shellcode: static feature matching and dynamic simulated execution. However, with the development of polymorphic encoding techniques, malicious shellcode can easily hide the structural features it contains and so evade the detection system. As a result, neither the static nor the dynamic approach detects polymorphically encoded shellcode satisfactorily, and both have high false positive and false negative rates when detecting general types.
Static detection works mainly by analyzing the structure of malicious shellcode and extracting its characteristic signatures. Feature matching is then applied to the data to be detected to decide whether an attack is present. Static detection based on feature matching is widely used in security software. It is efficient and quick to deploy, and is suitable for inspecting network data.
Dynamic detection virtually executes the data under detection: it parses the instructions contained in the data and simulates their execution, and so obtains a detailed picture of what the malicious shellcode does as it runs. Compared with static detection, dynamic detection obtains detailed detection information and gives more accurate results. Because of its accuracy, its lower false positive and false negative rates, and its detailed detection reports, dynamic detection is widely used in intrusion detection systems such as Snort, BASE and honeypots.
At present the Internet is developing very rapidly. While manual operation by users is reduced and user experience is improved, strengthening the protection of user privacy is also very important. Attackers use the network, viruses and Trojans to exploit these vulnerabilities and directly or indirectly obtain partial operating privileges on a computer system, or even administrator privileges, which seriously threatens the security of the computer system. Detection of malicious Trojan programs is therefore very important. In addition, the problem of the number of samples in the sample library needs to be solved: a library that contains only common attack samples easily leads to a very high rate of missed detections. This detection technique is also ineffective against code written with current fragmentation techniques: if someone splits the complete code and adds the pieces to data packets, it can escape detection.
Summary of the invention
The object of the present invention is to provide a rapid detection method for malicious shellcode based on similarity matching that can detect malicious shellcode which attacks by exploiting buffer overflow vulnerabilities, and that improves detection accuracy and reduces false positive and false negative rates while achieving a faster detection rate.
The object of the present invention is achieved as follows:
Step 1: When data is to be detected, the data is examined to determine whether it contains suspicious GetPC and floating-point instructions such as call, jmp and fnstenv. If a suspicious instruction is present, the data is presumed to have been encoded, the position at which the decoder's simulated-execution detection should start is determined, and the method proceeds to step 2;
Step 2: Starting from the detection position determined in step 1, the decoder is called to perform simulated-execution detection, looking in the data for a decoding loop instruction sequence and repeated memory access operations. The open-source shellcode detection library libemu is used to simulate execution of the data and forms the decoder component of the detection method. Depending on the detection result: if no decoding instructions are found, proceed to step 3; if decoding instructions are found, proceed directly to step 4;
Step 3: The Shingle algorithm is used to compare the data to be detected with the sample library, and the result is expressed as the Jaccard similarity coefficient R. This coefficient decides whether the next step is performed: if R is greater than the 40% threshold, proceed directly to step 4; otherwise the detection flow ends;
Step 4: The similarity coefficient is greater than the 40% threshold, so it can be determined that a malicious shellcode attack is present in the data to be detected, and an alert is raised.
The beneficial effects of the present invention are:
The present invention uses mature algorithms and an existing dynamic detection library, and is easy to implement. By effectively combining dynamic and static detection, it improves the unified, effective detection of malicious shellcode. The similarity matching algorithm Shingle remedies the weaknesses of static detection based on feature matching: whether a buffer overflow attack is present is decided from the degree of similarity between the data to be detected and the example malicious shellcode in the sample library. This algorithm improves detection accuracy and reduces the false positive rate of static detection based on feature matching. Decoding loop instruction sequences and repeated memory access operations serve as the basis for detecting polymorphically encoded malicious shellcode, so the emulator does not need to perform deep simulated execution or hook system functions. This further reduces the processing cost of dynamic simulated detection, increases the throughput of detection data, raises the detection rate for polymorphic malicious code, and reduces the impact on network speed.
Description of the drawings
Fig. 1 is a block diagram of the present invention.
Fig. 2 is a flow chart of the present invention.
Fig. 3 is a schematic comparison of detection based on the similarity Shingle algorithm and detection based on feature matching.
Fig. 4 is a schematic comparison of the dynamic decoder detection results of the present invention.
Detailed description
The present invention is described further below with reference to the drawings.
The present invention includes:
Step 1: When data is to be detected, the similarity-matching detection method makes a simple judgment on the data to determine whether it contains suspicious GetPC and floating-point instructions such as call, jmp and fnstenv. If a suspicious instruction is present, the data is presumed to have been encoded, and the position at which the decoder's simulated-execution detection should start is determined, which improves the execution efficiency of the emulator and reduces the amount of data that has to be examined. When these steps are complete, proceed to step 2;
Step 2: Starting from the detection position determined in step 1, the decoder is called to perform simulated-execution detection, looking in the data for a decoding loop instruction sequence and repeated memory access operations. The open-source shellcode detection library libemu is used to simulate execution of the data and forms the decoder component of the detection method. This achieves effective detection of malicious shellcode that has been processed with polymorphic encoding. Depending on the detection result: if no decoding instructions are found, proceed to step 3; if decoding instructions are found, proceed directly to step 4;
Step 3: The Shingle algorithm is used to compare the data to be detected with the sample library, and the result is expressed as the Jaccard similarity coefficient R. This coefficient decides whether the next step is performed: if R is greater than the 40% threshold, proceed directly to step 4; otherwise the detection flow ends;
Step 4: According to the result of the previous step, the similarity coefficient is greater than the 40% threshold, so it can be determined that a malicious shellcode attack is present in the data to be detected, and an alert is raised.
As shown in Fig. 1 and Fig. 2, the rapid detection method for malicious shellcode based on similarity matching comprises three parts: locating the starting position of the malicious shellcode and judging its type; simulated execution by the decoder to detect decoding loop instruction sequences and memory access operations; and judging the similarity R.
The main purpose of the present invention is to remedy the weaknesses of existing malicious shellcode detection techniques. It combines the speed of static detection with the accuracy of dynamic simulated detection on polymorphic malicious shellcode, and so proposes a more efficient and accurate detection technique. The combination of the two achieves fast, effective and unified detection of malicious shellcode, and better protects computers from buffer overflow attacks.
The similarity-matching detection method uses simulated execution to search for decoding instruction sequences, and so detects polymorphically encoded malicious shellcode. Malicious code that has not been polymorphically encoded is analyzed mainly by byte matching: the degree of similarity between the data to be detected and the malicious shellcode samples in the sample library decides whether an attack is present. The byte-matching analysis uses the Shingle algorithm to make the similarity judgment. The core idea of the Shingle algorithm is to turn a string similarity problem into a set similarity problem.
Define Shingle(str, len) as the set formed by the shingles of length len in the string str. For two strings str1 and str2 whose similarity is to be judged, two shingle sets are obtained: Shingle(str1, len) and Shingle(str2, len).
The similarity R of the sets can be judged with the Jaccard similarity coefficient. The Jaccard similarity coefficient of sets S and T is R = |S ∩ T| / |S ∪ T|, that is, the ratio of the size of the intersection of S and T to the size of their union. Because the data to be detected comes from network data, documents and the various files on a computer system, its size is far greater than the string length of the malicious shellcode in the sample library. Therefore, to improve the accuracy of the similarity judgment, the similarity-matching detection method takes the similarity coefficient to be the ratio of the size of the intersection to the size of the sample set, that is, R = |S ∩ T| / |T|.
In the definition Shingle(str, len), a shingle is any substring of length len in the string. Each string can therefore be represented as the set of length-len shingles that occur in it one or more times. In theory any length len can be chosen for the substrings in the set. However, if len is chosen too small, substrings of length len will appear in a great deal of the data to be detected. Even normal data that contains no malicious shellcode will then share a large number of substrings with the samples, and the false positive rate of the detection result becomes too high. For example, choosing len = 1 produces a high similarity between the data to be detected and the sample library.
The choice of len therefore has a large effect on the accuracy of the similarity judgment. In the Shingle algorithm len is a fixed size, and a fixed len is suited to judging the similarity of large documents. Malicious shellcode, however, is binary executable machine code in which the bytes are very tightly related to one another, so splitting it into a substring set with a fixed len is not suitable: it destroys the original feature sequences in the malicious shellcode sample, which lowers the accuracy of similarity matching and raises the false positive rate.
To address the defect of the conventional fixed len, and drawing on an analysis of the structure of the sample malicious shellcode and of the characteristics of the instructions themselves, the similarity-matching detection method splits the malicious shellcode in the sample library into a substring set using a non-fixed length len. Each single valid instruction string contained in the malicious shellcode is used as the unit of splitting, and the resulting substring set is the set of instructions needed for all operations of the attack payload contained in the sample.
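The similarity stage described above can be written out as follows. This is an added example, not code from the patent: the sample library entry and the data under test are constructed placeholder bytes, the sample is assumed to be already split at instruction boundaries, and an instruction string is assumed to be shared when its bytes occur anywhere in the data under test.

```python
"""Step 3 of the method: Shingle similarity against a sample library."""
from typing import Dict, Optional, Sequence, Set, Tuple

THRESHOLD = 0.40  # the method alerts only when R is strictly greater than 40%


def fixed_shingles(data: bytes, length: int) -> Set[bytes]:
    """Shingle(str, len): every contiguous substring of `length` bytes in `data`."""
    if length < 1:
        raise ValueError("shingle length must be at least 1")
    return {data[i:i + length] for i in range(len(data) - length + 1)}


def jaccard(s: Set[bytes], t: Set[bytes]) -> float:
    """Classic Jaccard coefficient R = |S ∩ T| / |S ∪ T|."""
    union = s | t
    return len(s & t) / len(union) if union else 0.0


def containment(s: Set[bytes], t: Set[bytes]) -> float:
    """The method's coefficient R = |S ∩ T| / |T|, with T the sample's set."""
    return len(s & t) / len(t) if t else 0.0


def instruction_containment(data: bytes, instructions: Sequence[bytes]) -> float:
    """Variable-length shingles: T is the sample split at instruction boundaries.

    Assumption of this example: an instruction string belongs to S ∩ T when
    its bytes occur anywhere in the data under test.
    """
    t = set(instructions)
    if not t:
        return 0.0
    return sum(1 for ins in t if ins in data) / len(t)


def scan(data: bytes,
         library: Dict[str, Sequence[bytes]]) -> Tuple[Optional[str], float, bool]:
    """Return (best-matching sample name, its R, alert flag) for one buffer."""
    best_name, best_r = None, 0.0
    for name, instructions in library.items():
        r = instruction_containment(data, instructions)
        if r > best_r:
            best_name, best_r = name, r
    return best_name, best_r, best_r > THRESHOLD


# Constructed placeholder byte strings standing in for the instruction strings
# of one library sample; they are not taken from any real sample.
SAMPLE = [bytes.fromhex(h)
          for h in ("c3a1", "7e0913", "5522e0f1", "9b3c", "0fd2406a88")]
SAMPLE_FLAT = b"".join(SAMPLE)
LIBRARY = {"constructed-sample-1": SAMPLE}

# Constructed data under test: a buffer holding every byte value (as compressed
# or encrypted content does), with and without sample content embedded.
CARRIER = bytes(range(256)) * 4
EMBEDDED = CARRIER + SAMPLE_FLAT + CARRIER
PARTIAL = CARRIER + SAMPLE[0] + CARRIER + SAMPLE[2] + CARRIER  # 2 of 5 strings

if __name__ == "__main__":
    t1, t4 = fixed_shingles(SAMPLE_FLAT, 1), fixed_shingles(SAMPLE_FLAT, 4)
    # len = 1: clean data looks identical to the sample (false positive).
    print("clean, len=1   R =", containment(fixed_shingles(CARRIER, 1), t1))
    print("clean, len=4   R =", containment(fixed_shingles(CARRIER, 4), t4))
    # The union is dominated by the large buffer, so Jaccard stays far below
    # the threshold even though the whole sample is present.
    s4 = fixed_shingles(EMBEDDED, 4)
    print("embedded, Jaccard     R = %.3f" % jaccard(s4, t4))
    print("embedded, |S∩T|/|T|   R =", containment(s4, t4))
    for label, buf in (("clean", CARRIER), ("partial", PARTIAL),
                       ("embedded", EMBEDDED)):
        print(label, scan(buf, LIBRARY))
```

The partial buffer scores exactly R = 0.40 and raises no alert, because the method requires R to be greater than the threshold.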
Feature location determines the type of malicious shellcode that may be present in the data to be detected and the starting position of the attack payload. This not only raises the detection rate of the method but also effectively reduces system overhead.
Once the type of the malicious shellcode has been judged and its starting position located, shellcode that has been polymorphically encoded is handled by calling the decoder for simulated execution, which looks for a decoding loop instruction sequence and repeated memory read and write accesses. These establish the malicious nature of the data.
The disassembly of a decoding instruction sequence shows this clearly. After self-location completes, the lodsb string instruction reads bytes from memory one after another and stores each in AL. Each byte is then XOR-decoded with the key 0xc4, restoring the original data of the malicious shellcode.
Malicious shellcode that has not been encoded contains many features specific to its own structure. The ASCII representation of unencoded malicious shellcode can be seen to contain a large number of system functions. Static detection, that is, similarity matching, can detect it effectively. If unencoded malicious code contains a GetPC instruction, then after the decoder fails to find a decoding loop instruction sequence, similarity matching against the sample library is performed as well, as shown in the flow in Fig. 2, to prevent false negatives.
Fig. 3 and Fig. 4 are, respectively, a schematic comparison of detection based on the similarity Shingle algorithm with detection based on feature matching, and a schematic comparison of the dynamic decoder detection results.
Analysis of the test results for unencoded malicious shellcode shows that, as long as the corresponding detection features are included, both the similarity-matching detection method and detection based on feature matching detect unencoded malicious shellcode well. When the sample library of the similarity-matching method contains only one sample set, only samples generated from that sample can be recognized. The richness of the sample sets in the sample library therefore affects how well unencoded malicious shellcode is detected.
Analysis of the test results for polymorphically encoded malicious shellcode shows that the detection accuracy of the similarity-matching detection method is not less than 90%. The comparative test results show that locating the starting position of the malicious shellcode by the GetPC self-location instruction, and then searching for decoding instruction sequences and memory read and write operations, is more accurate than Libscizzle, which decides whether an attack is present only by detecting GetPC instruction sequences. It also reduces the false positive rate on normal data.
By combining the advantages of static and dynamic detection, together with the similarity Shingle algorithm and a further optimized decoder detection algorithm, the present invention has a wide range of application and provides more complete security protection for computer systems.

Claims (1)

1. A rapid detection method for malicious shellcode based on similarity matching, characterized in that:
Step 1: When data is to be detected, the data is examined to determine whether it contains suspicious GetPC and floating-point instructions such as call, jmp and fnstenv. If a suspicious instruction is present, the data is presumed to have been encoded, the position at which the decoder's simulated-execution detection should start is determined, and the method proceeds to step 2;
Step 2: Starting from the detection position determined in step 1, the decoder is called to perform simulated-execution detection, looking in the data for a decoding loop instruction sequence and repeated memory access operations. The open-source shellcode detection library libemu is used to simulate execution of the data and forms the decoder component of the detection method. Depending on the detection result: if no decoding instructions are found, proceed to step 3; if decoding instructions are found, proceed directly to step 4;
Step 3: The Shingle algorithm is used to compare the data to be detected with the sample library, and the result is expressed as the Jaccard similarity coefficient R. This coefficient decides whether the next step is performed: if R is greater than the 40% threshold, proceed directly to step 4; otherwise the detection flow ends;
Step 4: The similarity coefficient is greater than the 40% threshold, so it can be determined that a malicious shellcode attack is present in the data to be detected, and an alert is raised.
CN201510534727.2A 2015-08-27 2015-08-27 Similarity match based rapid detection method for malicious shellcode Pending CN105245495A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510534727.2A CN105245495A (en) 2015-08-27 2015-08-27 Similarity match based rapid detection method for malicious shellcode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510534727.2A CN105245495A (en) 2015-08-27 2015-08-27 Similarity match based rapid detection method for malicious shellcode

Publications (1)

Publication Number Publication Date
CN105245495A true CN105245495A (en) 2016-01-13

Family

ID=55042995

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510534727.2A Pending CN105245495A (en) 2015-08-27 2015-08-27 Similarity match based rapid detection method for malicious shellcode

Country Status (1)

Country Link
CN (1) CN105245495A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847302A (en) * 2016-05-31 2016-08-10 北京奇艺世纪科技有限公司 Abnormity detection method and device
CN105847302B (en) * 2016-05-31 2019-04-12 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN106874758A (en) * 2016-08-22 2017-06-20 阿里巴巴集团控股有限公司 A kind of method and apparatus for recognizing document code
CN108092948A (en) * 2016-11-23 2018-05-29 中国移动通信集团湖北有限公司 A kind of recognition methods of network attack mode and device
CN108092948B (en) * 2016-11-23 2021-04-02 中国移动通信集团湖北有限公司 Network attack mode identification method and device
CN109492389A (en) * 2018-10-31 2019-03-19 施勇 A kind of behavior threat analysis method of machine learning Automatic behavior analysis
CN109492389B (en) * 2018-10-31 2020-08-21 上海境领信息科技有限公司 Behavior threat analysis method for machine learning automated behavior analysis
CN113051574A (en) * 2021-03-11 2021-06-29 哈尔滨工程大学 Vulnerability detection method for intelligent contract binary code
CN113378165A (en) * 2021-06-25 2021-09-10 中国电子科技集团公司第十五研究所 Malicious sample similarity judgment method based on Jaccard coefficient
CN114527986A (en) * 2021-12-31 2022-05-24 北京邮电大学 C + + language-oriented source code de-anonymization method and related equipment
CN114527986B (en) * 2021-12-31 2023-12-26 北京邮电大学 C++ language-oriented source code anonymization method and related equipment

Similar Documents

Publication Publication Date Title
CN105245495A (en) Similarity match based rapid detection method for malicious shellcode
CN109002721B (en) Mining analysis method for information security vulnerability
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
Xu et al. Polymorphic malicious executable scanner by API sequence analysis
KR101027928B1 (en) Apparatus and Method for detecting obfuscated web page
Wagner et al. Mimicry attacks on host-based intrusion detection systems
CN102622543B (en) A kind of method and apparatus of dynamic detection malicious web pages script
CN102043915B (en) Method and device for detecting malicious code contained in non-executable file
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
CN109347882B (en) Webpage Trojan horse monitoring method, device, equipment and storage medium
CN105868630A (en) Malicious PDF document detection method
CN106611122A (en) Virtual execution-based unknown malicious program offline detection system
WO2021017318A1 (en) Cross-site scripting attack protection method and apparatus, device and storage medium
CN105046152B (en) Malware detection method based on function call graph fingerprint
KR20040080843A (en) Method to decrypt and analyze the encrypted malicious scripts
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
CN102012988A (en) Automatic binary unwanted code behavior analysis method
CN101719204B (en) Heapspray detection method based on intermediate command dynamic instrumentation
CN105760762A (en) Unknown malicious code detection method for embedded processor
CN112817877B (en) Abnormal script detection method and device, computer equipment and storage medium
CN113067792A (en) XSS attack identification method, device, equipment and medium
Bai et al. Dynamic k-gram based software birthmark
CN107085687B (en) Binary entropy-based fuzzy test encryption and decryption function positioning method
CN108573148B (en) Confusion encryption script identification method based on lexical analysis
CN107368740B (en) Detection method and system for executable codes in data file

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160113