CN105260662A - Detection device and method of unknown application bug threat - Google Patents

Info

Publication number: CN105260662A
Authority: CN (China)
Prior art keywords: sample, annex, leak, simulation, behavior
Legal status: Pending
Application number: CN201410342634.5A
Other languages: Chinese (zh)
Inventors: 冯南, 凌世播, 赵斌, 朱学文
Current assignee: Nanjing Manan Information Technology Co Ltd
Original assignee: Nanjing Manan Information Technology Co Ltd
Priority date: 2014-07-17
Filing date: 2014-07-17
Publication date: 2016-01-20

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of computer communication, and in particular to a device and method for detecting unknown application-vulnerability threats. The detection device comprises a sample collection device, a pre-processing filter device, a simulated-behavior monitoring device and a behavior comparison and analysis device. The sample collection device collects samples of the application-document attachments transmitted through the network ingress traffic; the pre-processing filter device pre-processes the collected attachment samples and filters out attachments that contain known application vulnerabilities as well as attachments that obviously contain none; the simulated-behavior monitoring device performs simulated-execution detection on the remaining attachments; and the behavior comparison and analysis device compares and analyzes the sequence of behavior recorded during simulated execution to find suspicious actions that present a security threat. An expert-system knowledge base analyzes and judges the detected suspicious actions; as the knowledge base is continually enriched, it can intelligently judge whether the detected suspicious actions really contain an exploitable vulnerability threat, which effectively addresses the problem of false positives.

Description

Device and method for detecting unknown application-vulnerability threats
Technical field
The present invention relates to the field of computer communication technology, and specifically to a device and method for detecting unknown application-vulnerability threats.
Background technology
In recent years, network security has become one of the major problems of concern worldwide. With the disclosure of the "Snowden" affair, network privacy and the Internet security of individual users have once again become the focus of public attention. As cyber-attack techniques develop, and in particular as advanced persistent threat (APT) attacks spread, the security situation remains tense even though the major security vendors keep releasing security products that use new techniques.
As public security awareness has risen, the traditional Trojan attack based on executable files has fallen behind: everyone now recognizes that an unknown executable file is suspicious and not to be trusted. The attack technique most used by current attackers, and the most effective, is the APT attack. An APT attack typically delivers, through a trust relationship, a document that carries an application vulnerability (for example a Word or PDF file) to the target. When the user receives the document it is usually assumed to be safe; once the document is opened, the application vulnerability is likely to be triggered, opening a channel for the next stage of the intrusion. Traditional virus and Trojan detection is not suited to scanning for APT attack samples that carry unknown application-vulnerability threats, mainly in the following respects:
First, traditional virus and Trojan detection is host-based: it requires users to install anti-virus software themselves, is complex to deploy, and cannot examine and control Trojan behavior across the whole network at once.
Second, traditional virus and Trojan scanning software mainly relies on virus and Trojan signature codes. This method is inapplicable to detecting unknown application-vulnerability threats, because APT attacks often use vulnerabilities that have not yet been published.
Current mainstream intrusion detection systems and firewalls are also, for the most part, rule-based systems. Such rule-based protection has difficulty distinguishing and controlling unknown attack traffic. Although some intelligent firewall systems exist, their effectiveness is limited and they still rely mainly on traditional technical means for detection.
The following patents were found in a search of the patent literature:
Application number CN200910022718.X, a method for detecting network information-stealing Trojans. Its idea is to obtain the network data flow and analyze the communication addresses, communication protocols, communication behavior and communication content; for data packets highly suspected of being Trojan communication, it connects to the corresponding destination IP address using the network protocol that the suspected Trojan communication adopts, constructs probe packets according to that protocol and sends them to the peer; if the peer's response packet contains content not specified by the protocol, the node is determined to be a Trojan control end. However, the method is inapplicable to Trojan communication traffic that uses normal network communication protocols.
Application number CN201010581622.X, a Trojan detection method, device and system. Its idea is to use the time sequence in which features are executed during a Trojan attack as the characteristic: after a suspicious feature message is identified using a preset Trojan feature library, the time sequence in which the Trojan attack program executes its features is used to judge whether the execution sequence of the suspicious feature messages matches that of the Trojan attack program; if so, the suspicious feature message is determined to be a Trojan feature message. Although this is not the traditional signature-code detection method, it still requires a preset Trojan feature library.
Application number CN201110430821.5, a Trojan detection method and device. Its main idea is: when a Trojan heartbeat is detected in a session, the recorded session weight is increased by a corresponding weight depending on whether the heartbeat frequency is fixed; for each message the control end sends to the controlled end, it checks whether the message matches the characteristics of a Trojan control-command message and, if so, increases the recorded session weight by a third weight; when the session weight reaches an alarm threshold, an alarm is raised to indicate that the session was initiated by a Trojan. However, the method cannot detect silent Trojans that send no heartbeat packets.
Application number CN201210412347.8, an intelligent Trojan detection device and method based on behavioral characteristics in network traffic. It detects Trojans intelligently according to the Trojan behavioral characteristics reflected in network flow data, and its purpose is to discover new, unknown Trojans. However, it does not propose a concrete method for extracting Trojan characteristics, and its false-positive rate and accuracy remain to be verified.
Application number CN103095714A, a Trojan detection method based on Trojan-type classification modeling. Its central idea is to classify known Trojans by their features and build a Trojan feature recognition pattern library, then detect Trojans against that library. The method has some ability to detect unknown Trojans, but it is essentially still a signature-code detection approach and has a high false-positive rate for new Trojans.
Summary of the invention
In view of the deficiencies of the prior art, the present invention proposes a device and method for detecting unknown application-vulnerability threats. It is applicable to a wide range of network application environments and can detect the various suspicious files transmitted in the network that carry unknown application-vulnerability threats.
A device for detecting unknown application-vulnerability threats, comprising:
Sample collection device: collects samples of the application-document attachments transmitted through the network ingress traffic;
Pre-processing filter device: pre-processes the collected document attachment samples, filtering out attachments that contain known application vulnerabilities and attachments that obviously contain no application vulnerability;
Simulated-behavior monitoring device: performs simulated-execution detection on the filtered attachment samples, which includes constructing a simulated execution environment, fully simulating the actual execution of the sample, and recording every action during the sample's execution;
Behavior comparison and analysis device: compares the sequence of actions recorded by simulated-execution monitoring, finds suspicious actions that present a security threat, judges whether the sample carries an unknown application-vulnerability threat, outputs the final detection result, and feeds the result back to the pre-processing filter.
Preferably, the sample collection device collects network data by traffic mirroring, and obtains the attachments contained in protocols such as mail and HTTP by protocol reassembly.
Preferably, the pre-processing filter device uses signature matching to filter out attachments carrying known vulnerability threats, and uses document format, document size or a whitelist to filter out attachments that obviously carry no application-vulnerability threat.
Preferably, the execution environment of the simulated-behavior monitoring device is a purpose-built intelligent sandbox that can completely record every action during execution, including file operations, registry operations, API calls, network operations, system service operations and application crashes.
Preferably, the behavior comparison and analysis device is built as a rule-based production expert system. Production rules take the form IF ... THEN ..., where the IF part is the condition (the abnormal-behavior record from simulated-execution monitoring) and the THEN part is the conclusion (whether the attachment sample carries a suspected unknown application-vulnerability threat); both conditions and conclusions can be compounded with the logical operators AND, OR and NOT.
A method for detecting unknown application-vulnerability threats, comprising the following steps:
a) The sample collection device collects samples of the application-document attachments transmitted through the network ingress traffic;
b) The pre-processing filter device pre-processes the large volume of collected document attachments and filters out attachments that contain known application vulnerabilities and attachments that obviously contain no application vulnerability;
c) The simulated-behavior monitoring device performs simulated-execution detection on the filtered attachment samples, which includes constructing a simulated execution environment, fully simulating the actual execution of the sample, and recording every action during the sample's execution;
d) The behavior comparison and analysis device compares the sequence of actions recorded by simulated-execution monitoring, finds suspicious actions that present a security threat, judges whether the sample carries an unknown application-vulnerability threat, outputs the final detection result, and feeds the result back to the pre-processing filter.
Preferably, in step a, network data is collected by traffic mirroring, and the attachments contained in protocols such as mail and HTTP are obtained by protocol reassembly.
Preferably, in step b, signature matching is used to filter out attachments carrying known vulnerability threats, and document format, document size or a whitelist is used to filter out attachments that obviously carry no application-vulnerability threat.
Preferably, in step c, the execution environment is a purpose-built intelligent sandbox that can completely record every action during execution, including file operations, registry operations, API calls, network operations, system service operations and application crashes.
Preferably, in step d, a rule-based production expert system is used. Production rules take the form IF ... THEN ..., where the IF part is the condition (the abnormal-behavior record from simulated-execution monitoring) and the THEN part is the conclusion (whether the attachment sample carries a suspected unknown application-vulnerability threat); both conditions and conclusions can be compounded with the logical operators AND, OR and NOT.
The present invention uses simulated-execution behavior monitoring based on an intelligent sandbox to detect suspicious files that may carry unknown application-vulnerability threats, and this detection mechanism does not depend on a feature library that must be continually updated. However a suspicious file is modified, in order to control the target computer it must perform specific behavioral operations; this effectively solves the problem of missed detections.
The present invention uses an expert-system knowledge base to analyze and judge the detected suspicious actions. As the knowledge base is continually enriched, it can intelligently judge whether the detected suspicious actions really constitute an exploitable vulnerability threat, which effectively solves the problem of false positives.
Because the device and method disclosed by the invention need no updates to a sample feature library, they do not require an Internet connection and can operate entirely within an intranet, which makes them particularly suitable for classified enterprises and government departments with strict security-level requirements.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the detection device of the present invention;
Fig. 2 is a schematic diagram of the unknown application-vulnerability threat detection method of the present invention.
Embodiment
To make the technical solution and features of the present invention clearer, the invention is described in further detail below with reference to embodiments and drawings. The following embodiments illustrate the invention and are not intended to limit its scope.
As shown in Fig. 1, the detection device of the present invention comprises a sample collection device 1, a pre-processing filter device 2, a simulated-behavior monitoring device 3 and a behavior comparison and analysis device 4.
The function of the sample collection device 1 is to collect, from network traffic, the various file attachments transmitted over the network by restoring them from the captured flows. The collection device uses standard protocol-restoration techniques and can restore protocols such as mail and HTTP.
The pre-processing filter device 2 filters the collected raw document attachments to reduce the load on subsequent processing. It uses signature matching to filter out attachments carrying known vulnerability threats, and uses document format, document size or a whitelist to filter out attachments that obviously carry no application-vulnerability threat.
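The pre-processing stages just described, as an added Python example that is not part of the patent: a signature match against a known-threat hash set, a whitelist, a document-format check by leading magic bytes, and a size limit. The hash sets, accepted formats and size limit are constructed placeholders standing in for a real feed.

```python
"""Pre-processing filter for captured attachments.
Added example, not the patent's code: the hash sets, accepted formats and
size limit are constructed placeholders standing in for a real feed."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder signature sets. In a deployment these would come
# from a feed of known exploit documents and from an allowlist of vetted files.
KNOWN_THREAT_SHA256 = {
    hashlib.sha256(b"%PDF-1.4 constructed known-bad sample").hexdigest(),
}
WHITELIST_SHA256 = {
    hashlib.sha256(b"%PDF-1.7 constructed vetted corporate template").hexdigest(),
}

# Magic bytes of the document formats the sandbox is able to open.
# OLE2 covers legacy .doc/.xls/.ppt; a ZIP header covers OOXML (.docx etc.).
FORMAT_MAGIC = {
    "pdf": b"%PDF-",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "ooxml": b"PK\x03\x04",
    "rtf": b"{\\rtf",
}
MAX_SIZE = 20 * 1024 * 1024  # 20 MiB, constructed limit


@dataclass
class Verdict:
    action: str            # "sandbox", "known_threat" or "drop"
    reason: str
    fmt: Optional[str] = None


def detect_format(data: bytes) -> Optional[str]:
    """Classify an attachment by its leading magic bytes."""
    for name, magic in FORMAT_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def prefilter(data: bytes) -> Verdict:
    """Decide whether one attachment proceeds to simulated execution.

    Only 'sandbox' verdicts go on to the behavior-monitoring stage; both
    known threats (handled by signature-based tools) and obviously clean
    files are filtered out here to reduce the load on the sandbox."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_THREAT_SHA256:            # signature match
        return Verdict("known_threat", "matches known exploit-document signature")
    if digest in WHITELIST_SHA256:               # whitelist
        return Verdict("drop", "whitelisted document")
    fmt = detect_format(data)                    # document format
    if fmt is None:
        return Verdict("drop", "not a supported document format")
    if len(data) > MAX_SIZE:                     # document size
        return Verdict("drop", "size %d exceeds limit" % len(data), fmt)
    return Verdict("sandbox", "unknown document, needs simulated execution", fmt)
```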
The simulated-behavior monitoring device 3 is the core of the invention. It performs simulated execution on the pre-processed sample files one by one. Its execution environment is a purpose-built intelligent sandbox that can completely record every action during execution, including file operations, registry operations, API calls, network operations, system service operations, application crashes and so on.
The behavior comparison and analysis device 4 judges the detection result. It is built as a rule-based production expert system. Production rules take the form IF ... THEN ..., just like the conditional statement in programming languages such as BASIC: the IF part is the condition (the abnormal-behavior record from simulated-execution monitoring) and the THEN part is the conclusion (whether the attachment sample carries a suspected unknown application-vulnerability threat); both conditions and conclusions can be compounded with the logical operators AND, OR and NOT.
In order to control the target computer, the suspicious file samples used in APT attacks all exhibit certain behavioral characteristics while being opened and executed. We choose the following characteristics as the basis for detecting unknown application-vulnerability threats.
1) Specific file operations
Replacing or modifying specific files under system folders.
2) Specific registry operations
Adding or modifying specific entries in the system registry, such as startup entries or file-association entries.
3) Specific service operations
Adding or modifying specific system services so that a program runs automatically in the background.
4) Specific API calls
During file execution, invoking the API interfaces of other processes, for example running the CMD program when a Word document is opened.
5) Specific network calls
Actively initiating unnecessary network connections when the file is opened.
6) Application crash
Opening the file causes the application to crash or overflow.
As shown in Fig. 2, the detection steps of the present invention are as follows:
201: raw network traffic;
202: first, collect and restore from the network ingress traffic the application-document attachments transmitted over the network;
203: then pre-process these attachments, filtering out attachment samples that contain known vulnerability threats and those that obviously cannot contain a vulnerability threat;
204: perform simulated-behavior monitoring on the filtered attachment samples, which includes constructing a simulated execution environment, fully simulating the actual execution of the sample, and recording every action during the sample's execution;
205: finally, feed the recorded sequence of actions into the constructed expert system for automatic threat identification and scoring, and judge whether the attachment sample contains an unknown application vulnerability;
206: output the detailed results and at the same time feed the detected sample back to the pre-processing filter device.
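The production-rule expert system of step 205, applied to the six behavior categories listed above, as an added Python example that is not the patent's own code. The AND, OR and NOT combinators mirror the compound conditions the text describes; rule names, rule weights, the alarm threshold and the two sandbox traces are constructed for illustration.

```python
"""Rule-based production expert system over sandbox behavior records.
Added example, not the patent's code. Each rule is IF <condition> THEN
<weight>; conditions are predicates over the recorded trace and may be
compounded with AND, OR and NOT. Weights, threshold and traces are constructed."""
from typing import Callable, Dict, List

Event = Dict[str, str]            # one recorded sandbox action
Trace = List[Event]               # the full behavior record of one sample
Cond = Callable[[Trace], bool]    # an IF-part predicate


# --- condition combinators: the AND / OR / NOT of the production rules ---
def AND(*cs: Cond) -> Cond:
    return lambda t: all(c(t) for c in cs)

def OR(*cs: Cond) -> Cond:
    return lambda t: any(c(t) for c in cs)

def NOT(c: Cond) -> Cond:
    return lambda t: not c(t)

def any_event(**match: str) -> Cond:
    """True if some recorded event carries all the given field values."""
    return lambda t: any(all(e.get(k) == v for k, v in match.items()) for e in t)

def event_where(kind: str, pred: Callable[[Event], bool]) -> Cond:
    """True if some event of the given kind satisfies pred."""
    return lambda t: any(e.get("kind") == kind and pred(e) for e in t)


# --- atomic conditions for the six behavior categories (constructed paths) ---
SYSTEM_DIRS = ("C:\\Windows\\System32", "C:\\Windows")
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

writes_system_file = event_where("file", lambda e: e["op"] in ("write", "replace")
                                 and e["path"].startswith(SYSTEM_DIRS))
sets_startup_key = event_where("registry", lambda e: e["op"] == "set"
                               and e["key"].startswith(RUN_KEY))
creates_service = any_event(kind="service", op="create")
spawns_shell = event_where("process", lambda e: e["image"].lower()
                           .endswith(("cmd.exe", "powershell.exe")))
network_connect = any_event(kind="network", op="connect")
app_crashed = any_event(kind="crash")

# Production rules: (name, IF-condition, THEN-weight). Weights are constructed.
RULES = [
    ("persistence_via_startup", OR(sets_startup_key, creates_service), 40),
    ("system_file_tampering", writes_system_file, 35),
    ("document_spawns_shell", spawns_shell, 50),
    ("crash_then_activity", AND(app_crashed, OR(spawns_shell, network_connect)), 60),
    ("unexpected_network", AND(network_connect, NOT(app_crashed)), 15),
]
THRESHOLD = 50  # constructed alarm threshold on the summed weights


def evaluate(trace: Trace) -> dict:
    """Fire every rule whose IF-part holds and score the sample."""
    fired = [(name, w) for name, cond, w in RULES if cond(trace)]
    score = sum(w for _, w in fired)
    return {"score": score, "fired": [n for n, _ in fired],
            "unknown_threat": score >= THRESHOLD}


# Constructed sandbox traces: a normal document and a suspicious one.
BENIGN_TRACE: Trace = [
    {"kind": "file", "op": "read", "path": "C:\\Users\\user\\Downloads\\report.docx"},
    {"kind": "file", "op": "write", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\~report.tmp"},
]
SUSPECT_TRACE: Trace = [
    {"kind": "file", "op": "read", "path": "C:\\Users\\user\\Downloads\\invoice.doc"},
    {"kind": "crash", "image": "winword.exe"},
    {"kind": "process", "op": "create", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"kind": "registry", "op": "set", "key": RUN_KEY + "\\Updater"},
    {"kind": "network", "op": "connect", "dst": "198.51.100.7:443"},
]

if __name__ == "__main__":
    print(evaluate(BENIGN_TRACE))
    print(evaluate(SUSPECT_TRACE))
```

Feeding the verdicts back into the pre-processing filter (step 206) would amount to adding the sample's hash to the known-threat or whitelist set used there.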
The key of the present invention is to extract the abnormal behaviors that occur when a suspicious file carrying an unknown application-vulnerability threat is executed, build an expert-system knowledge base from these abnormal behaviors, and use a learning algorithm to train the knowledge base on the behavior observed when normal files are opened and when suspicious files carrying unknown application-vulnerability threats are opened, thereby adjusting and optimizing the detection parameters.
Obviously, the above embodiments are given only to illustrate the present invention clearly and do not limit its implementation. Those of ordinary skill in the art can make other changes in different forms on the basis of the above description; an exhaustive list of all embodiments cannot be given here. Any obvious change or variation derived from the technical solution of the present invention remains within its scope of protection.

Claims (10)

1. A device for detecting unknown application-vulnerability threats, characterized in that it comprises:
Sample collection device: collects samples of the application-document attachments transmitted through the network ingress traffic;
Pre-processing filter device: pre-processes the collected document attachment samples, filtering out attachments that contain known application vulnerabilities and attachments that obviously contain no application vulnerability;
Simulated-behavior monitoring device: performs simulated-execution detection on the filtered attachment samples, which includes constructing a simulated execution environment, fully simulating the actual execution of the sample, and recording every action during the sample's execution;
Behavior comparison and analysis device: compares the sequence of actions recorded by simulated-execution monitoring, finds suspicious actions that present a security threat, judges whether the sample carries an unknown application-vulnerability threat, outputs the final detection result, and feeds the result back to the pre-processing filter.
2. The device for detecting unknown application-vulnerability threats according to claim 1, characterized in that the sample collection device collects network data by traffic mirroring, and obtains the attachments contained in protocols such as mail and HTTP by protocol reassembly.
3. The device for detecting unknown application-vulnerability threats according to claim 1, characterized in that the pre-processing filter device uses signature matching to filter out attachments carrying known vulnerability threats, and uses document format, document size or a whitelist to filter out attachments that obviously carry no application-vulnerability threat.
4. The device for detecting unknown application-vulnerability threats according to claim 1, characterized in that the execution environment of the simulated-behavior monitoring device is a purpose-built intelligent sandbox that can completely record every action during execution, including file operations, registry operations, API calls, network operations, system service operations and application crashes.
5. The device for detecting unknown application-vulnerability threats according to claim 1, characterized in that the behavior comparison and analysis device is built as a rule-based production expert system; production rules take the form IF ... THEN ..., where the IF part is the condition (the abnormal-behavior record from simulated-execution monitoring) and the THEN part is the conclusion (whether the attachment sample carries a suspected unknown application-vulnerability threat), and both conditions and conclusions can be compounded with the logical operators AND, OR and NOT.
6. A method for detecting unknown application-vulnerability threats, characterized in that it comprises the following steps:
a) The sample collection device collects samples of the application-document attachments transmitted through the network ingress traffic;
b) The pre-processing filter device pre-processes the large volume of collected document attachments and filters out attachments that contain known application vulnerabilities and attachments that obviously contain no application vulnerability;
c) The simulated-behavior monitoring device performs simulated-execution detection on the filtered attachment samples, which includes constructing a simulated execution environment, fully simulating the actual execution of the sample, and recording every action during the sample's execution;
d) The behavior comparison and analysis device compares the sequence of actions recorded by simulated-execution monitoring, finds suspicious actions that present a security threat, judges whether the sample carries an unknown application-vulnerability threat, outputs the final detection result, and feeds the result back to the pre-processing filter.
7. The method for detecting unknown application-vulnerability threats according to claim 6, characterized in that, in step a, network data is collected by traffic mirroring, and the attachments contained in protocols such as mail and HTTP are obtained by protocol reassembly.
8. The method for detecting unknown application-vulnerability threats according to claim 6, characterized in that, in step b, signature matching is used to filter out attachments carrying known vulnerability threats, and document format, document size or a whitelist is used to filter out attachments that obviously carry no application-vulnerability threat.
9. The method for detecting unknown application-vulnerability threats according to claim 6, characterized in that, in step c, the execution environment is a purpose-built intelligent sandbox that can completely record every action during execution, including file operations, registry operations, API calls, network operations, system service operations and application crashes.
10. The method for detecting unknown application-vulnerability threats according to claim 6, characterized in that, in step d, a rule-based production expert system is used; production rules take the form IF ... THEN ..., where the IF part is the condition (the abnormal-behavior record from simulated-execution monitoring) and the THEN part is the conclusion (whether the attachment sample carries a suspected unknown application-vulnerability threat), and both conditions and conclusions can be compounded with the logical operators AND, OR and NOT.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410342634.5A CN105260662A (en) 2014-07-17 2014-07-17 Detection device and method of unknown application bug threat

Publications (1)

Publication Number Publication Date
CN105260662A true CN105260662A (en) 2016-01-20

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685953A (en) * 2016-12-27 2017-05-17 北京安天网络安全技术有限公司 Unknown file detection system and method based on security baseline sample machine
CN107103243A (en) * 2017-05-11 2017-08-29 北京安赛创想科技有限公司 The detection method and device of leak
CN107659540A (en) * 2016-07-25 2018-02-02 中兴通讯股份有限公司 Dynamic behaviour analysis method, device, system and equipment
CN107995179A (en) * 2017-11-27 2018-05-04 深信服科技股份有限公司 A kind of unknown threat cognitive method, device, equipment and system
CN108683644A (en) * 2018-04-26 2018-10-19 中原工学院 A kind of computer network security detection method
CN108848102A (en) * 2018-07-02 2018-11-20 北京网藤科技有限公司 A kind of APT attack early warning system and its method for early warning
CN110868403A (en) * 2019-10-29 2020-03-06 泰康保险集团股份有限公司 Method and equipment for identifying advanced persistent Attack (APT)
CN111428248A (en) * 2020-06-10 2020-07-17 浙江鹏信信息科技股份有限公司 Vulnerability noise reduction identification method and system based on grade assignment
CN111641589A (en) * 2020-04-30 2020-09-08 中国移动通信集团有限公司 Advanced sustainable threat detection method, system, computer and storage medium
WO2020199905A1 (en) * 2019-03-29 2020-10-08 腾讯科技(深圳)有限公司 Command detection method and device, computer apparatus, and storage medium
CN111931187A (en) * 2020-08-13 2020-11-13 深信服科技股份有限公司 Component vulnerability detection method, device, equipment and readable storage medium
CN112417438A (en) * 2020-10-28 2021-02-26 北京八分量信息科技有限公司 Program white list based on active immune trusted cloud platform
CN112667427A (en) * 2020-12-31 2021-04-16 上海磐御网络科技有限公司 Network security system based on virtualization technology
CN113360904A (en) * 2021-05-17 2021-09-07 杭州美创科技有限公司 Unknown virus detection method and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070118903A1 (en) * 2000-09-11 2007-05-24 International Business Machines Corporation Web server apparatus and method for virus checking
CN101350049A (en) * 2007-07-16 2009-01-21 珠海金山软件股份有限公司 Method, apparatus and network device for identifying virus document
CN101964036A (en) * 2010-10-29 2011-02-02 北京椒图科技有限公司 Leak detection method and device
CN102012988A (en) * 2010-12-02 2011-04-13 张平 Automatic binary unwanted code behavior analysis method
CN102413013A (en) * 2011-11-21 2012-04-11 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting abnormal network behavior
CN102547710A (en) * 2010-12-22 2012-07-04 西门子公司 Method and device for detecting virus in mobile communication system
CN103916288A (en) * 2013-12-27 2014-07-09 哈尔滨安天科技股份有限公司 Botnet detection method and system on basis of gateway and local

Similar Documents

Publication Publication Date Title
CN105260662A (en) Detection device and method of unknown application bug threat
US20210194924A1 (en) Artificial intelligence adversary red team
CN103532957B (en) A kind of long-range shell behavioral values device and method of wooden horse
WO2021171090A1 (en) An artificial intelligence adversary red team
Kumar et al. Machine learning classification model for network based intrusion detection system
CN107070929A (en) A kind of industry control network honey pot system
US20160352759A1 (en) Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls
WO2013113532A1 (en) A method and a system to detect malicious software
CN107667505A (en) System for monitoring and managing data center
Ramprakash et al. Host-based intrusion detection system using sequence of system calls
CN103179105A (en) Intelligent Trojan horse detecting device based on behavior features in network flows and method thereof
CN103957203B (en) A kind of network security protection system
CN103227798A (en) Immunological network system
US9961047B2 (en) Network security management
CN104008332A (en) Intrusion detection system based on Android platform
CN102045220A (en) Wooden horse monitoring and auditing method and system thereof
CN109660518A (en) Communication data detection method, device and the machine readable storage medium of network
CN103957205A (en) Trojan horse detection method based on terminal traffic
KR101692982B1 (en) Automatic access control system of detecting threat using log analysis and automatic feature learning
CN112152962A (en) Threat detection method and system
CN107332863A (en) The safety detection method and system of a kind of main frame based on centralized management
Shabtai et al. Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics
US10897472B1 (en) IT computer network threat analysis, detection and containment
CN107766737B (en) Database auditing method
CN103942493A (en) Intelligent active defensive system and method under Window

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160120