CN106844002B - Cloud platform client system availability improving method based on virtualization technology - Google Patents

Publication number
CN106844002B
Authority
CN
China
Prior art keywords
process
suspicious
behavior
client
processes
Application number
CN201611201662.0A
Other languages
Chinese (zh)
Other versions
CN106844002A (en)
Inventor
贾晓启
李津津
杜海超
武希耀
唐静
白璐
Original Assignee
中国科学院信息工程研究所

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F9/45545 Guest-host, i.e. hypervisor is an application program itself, e.g. VirtualBox
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention relates to a method for improving the availability of a cloud platform client system based on virtualization technology. The method comprises the following steps: 1) capturing the behavior of suspicious processes of the client at the virtualization monitoring layer; 2) forming dependency relationships among processes according to the behavior interaction between the suspicious process and other processes; 3) controlling, at the virtualization monitoring layer, the behavior of the suspicious processes of the client and of the processes that have a dependency relationship with them, while ensuring that these processes continue to run in the client and that the behavior of the suspicious processes does not affect the client; 4) when a false alarm is found: if it is a false negative (missed report), killing the suspicious process and the processes that have a dependency relationship with it; if it is a false positive (false report), releasing the controlled suspicious process and the processes that have a dependency relationship with it so that the suspicious process continues to run normally. When the security protection tool raises a false alarm, the invention keeps the client running continuously without rollback, pause, restart or similar operations, and maintains the state the client system should be in.

Description

Cloud platform client system availability improving method based on virtualization technology

Technical Field

The invention belongs to the technical field of virtualization and system security. It relates to a method for improving the availability of a cloud platform client system based on virtualization technology, and in particular to a method that addresses the loss of system availability caused by false alarms of security tools.

Background

With the continuous development of virtualization technologies, cloud computing is more and more widely applied. Solving cloud-platform security problems and guaranteeing the security of client systems that use cloud services has become one of the important requirements of cloud services. A number of security protection schemes based on virtualization technology or on the operating system exist at home and abroad; they mainly cover malicious code detection and analysis, integrity monitoring, intrusion detection and security monitoring.

In terms of malicious code detection and analysis, Jiang et al. (JIANG X, WANG X, XU D. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction [C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 2007: 128-. The Xen-based Ether method was proposed by Dinaburg et al. (DINABURG A, ROYAL P, SHARIF M, et al. Ether: malware analysis via hardware virtualization extensions [C]// Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM, 2008: 51-62.); the entire system is divided into two parts, one operating at the monitoring layer and the other in Xen's privileged management domain (dom0), and suspicious programs in the monitored system are tracked using Intel VT (Intel Virtualization Technology). Lanzi et al. (LANZI A, SHARIF M I, LEE W. K-Tracer: A System for Extracting Kernel Malware Behavior [C]// NDSS 2009: The Network and Distributed System Security Symposium, San Diego, California, 2009: 255-264.) proposed and developed K-Tracer, a QEMU-based malicious code behavior analysis tool that dynamically collects execution path information of the Windows kernel and extracts malicious code behaviors using backward and forward slicing techniques. Rkprofiler, proposed by Xuan et al. (XUAN C, COPELAND J, BEYAH R. Toward revealing kernel malware behavior in virtual execution environments [C]// Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2009: 304), is a sandbox-based malicious code analysis system that can monitor and report the behavior of malicious code running in the client operating system.

In terms of integrity protection, SecVisor, proposed by Seshadri et al. (SESHADRI A, LUK M, QU N, et al. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes [C]. ACM SIGOPS Operating Systems Review, ACM, 2007, 41(6): 335-350.), protects the memory of the operating system by creating a lightweight virtual machine that performs page-table-based memory protection on kernel-mode and user-mode memory.

In terms of security monitoring, the Lares system proposed by Payne et al. (PAYNE B D, CARBONE M, SHARIF M, et al. Lares: An architecture for secure active monitoring using virtualization [C]// 2008 IEEE Symposium on Security and Privacy (SP 2008). IEEE, 2008: 233-247.) deploys the security system in a security domain outside the client system, while hook functions used to intercept certain events are inserted in the kernel of the client system. Because the hook functions reside in the kernel of the client system and can be perceived by it, they may be tampered with by a malicious program; the memory area where the hook functions reside therefore needs to be protected at the virtual machine management layer.

In terms of intrusion detection, Laureano et al. (LAUREANO M, MAZIERO C, JAMHOUR E. Protecting host-based intrusion detectors through virtual machines [J]. Computer Networks, 2007, 51(5): 1275-1283.) propose a method for protecting a host-based intrusion detection system, which judges whether process behavior is abnormal by analyzing the system call sequence acquired by an external monitoring virtual machine and takes corresponding measures. VNIDA, proposed by Zhang et al. (ZHANG X, LI Q, QING S, et al. VNIDA: Building an IDS architecture using VMM-based non-intrusive approach [C]// WKDD 2008, Proceedings of the International Workshop on Knowledge Discovery and Data Mining. IEEE, 2008: 594-600.), provides an intrusion detection service for other virtual machines by establishing a separate intrusion detection domain.

However, none of these solutions takes the availability of cloud service clients into account. Whether a security tool is based on the operating system or on virtualization technology, it affects the availability of the system while detecting, defending and recovering. Clients on a cloud platform have high availability requirements, so the interference of security protection measures with the normal operation of the client should be reduced as much as possible.

In practical application scenarios, a security protection tool inevitably produces false alarms. A security-critical client often performs operations such as suspension, detection and recovery when the security tool raises an alarm, and there is a delay between the occurrence of a false alarm (false positive or false negative) and its discovery, so false alarms reduce the availability of the client system.

Disclosure of Invention

In view of the above problems, the present invention provides a method for reducing the impact of security tool false alarms on the availability of a cloud platform client system. When the security protection tool raises a false alarm, the method keeps the client running continuously without rollback, pause, restart or similar operations, and maintains the state the client system should be in.

The technical scheme adopted by the invention is as follows:

A method for improving the availability of a cloud platform client system based on virtualization technology comprises the following steps:

1) capturing, at the virtualization monitoring layer (VMM), the behavior of a suspicious process of the client running above it; the suspicious process is the process that the security protection tool reports as generating the threat when it raises an alarm;

2) forming dependency relationships among processes according to the behavior interaction between the suspicious process of the client and other processes;

3) controlling, at the VMM layer, the behavior of the suspicious process of the client and of the processes that have a dependency relationship with it, while ensuring that these processes continue to run in the client and that the behavior of the suspicious process does not affect the client;

4) when a false alarm is found: if it is a false negative (missed report), killing the suspicious process and the processes that have a dependency relationship with it; if it is a false positive (false report), releasing the controlled suspicious process and the processes that have a dependency relationship with it so that they continue to run normally (that is, the behavior that was previously under control is released, and the system state becomes the state it would be in had the suspicious process run normally up to the present).

The details of these steps are described in the four sections below.

1. The method uses the system call sequence as the basis for process behavior control: the system call information of the client is captured in the VMM, which yields the behavior information of the client's processes. The captured behaviors comprise file operations and process operations, as listed in Table 1, where read denotes a read operation, write a write operation, fork and clone child-process creation, mmap a mapping operation, and pipe a pipe operation. The captured behavior information includes the system call number, the process id, and information specific to the behavior, such as the file path in a file operation or the process id in a process operation.

Table 1. Captured behaviors

| Captured behavior | System calls | Behavior information |
| --- | --- | --- |
| File-related | read, write | File path |
| Process-related | fork, clone, mmap, pipe | Operation target process id |

2. Because processes communicate with one another, some behaviors are not isolated. For example, if process A is determined to be a suspicious process, the behavior of process A is placed under control. If process B interacts with process A, process B may be infected by process A, so the behavior of process B should also be controlled. Behaviors that produce inter-process interaction can be divided into direct interaction and indirect interaction. Process creation, such as fork, and inter-process communication (IPC), such as pipe, are direct interactions between processes. Interaction through file operations can be regarded as indirect interaction: for example, if process A writes a file and process B reads the same file, indirect interaction is considered to have occurred between processes A and B. The same applies to the mmap system call. The inter-process interaction behaviors are shown in Table 2.

TABLE 2 Each behavior control mode

3. So that system security can be restored simply by killing the threat process when a false negative is found, the process must have no substantial effect on the system before the false negative is found. The method controls the behavior of the client's suspicious processes and of the processes that have a dependency relationship with them, while ensuring that these processes continue to run in the client and that the behavior of the suspicious processes does not affect the client. The following control measures are adopted:

the capture module captures a behavior of a controlled process or of a process that has a dependency relationship with a controlled process;

the behavior control module judges whether the behavior is one that needs to be modified (the behaviors that need to be modified are shown in Table 2); if not, no processing is carried out; if so, behavior control is performed according to Table 2;

after the modification is finished, control returns to the guest, which does not perceive any modification made to the process by the VMM and continues to run the process normally.

As examples of the control measures: a write system call is controlled by clearing the content to be written before the system call executes. For the mmap system call, an inter-process dependency arises when multiple processes mmap the same file; the control mode in this case is to allow execution and record the resulting dependency relationship. Inter-process dependencies arise from write/read in the same way, and the control mode is the same as for mmap. fork and clone also create inter-process dependencies, but they are controlled by not allowing them to execute: before the system call executes, its system call number is changed to that of a system call without side effects (e.g., getpid()). Since pipe is usually used together with fork, pipe has no effect when fork cannot execute, so its execution is allowed. Because behaviors are modified when the system calls of a process are captured so that no substantial change is made to the system, and the modified behaviors may affect subsequent behaviors of that process and of other processes, control measures continue to be applied to the subsequent behaviors of the process and of related processes.
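The control rules and dependency tracking of sections 2 and 3, as an added Python example that is not code from the patent: it replays a constructed trace of captured system calls, returns the control action for each call, and resolves the controlled set once the alarm has been judged. The class, the action names, the pids and the paths are assumptions made for illustration, and observing every process's calls in order to detect new dependencies is a modeling choice.

```python
# Added illustration (not the patent's code): models the behavior-control
# policy and dependency tracking on a constructed stream of system calls.
from collections import defaultdict

CLEAR_CONTENT = "clear_written_content"   # write: content cleared before execution
ALLOW_RECORD = "allow_and_record"         # read/mmap: allowed, dependency recorded
TO_GETPID = "replace_with_getpid"         # fork/clone: syscall number rewritten
ALLOW = "allow"                           # pipe: has no effect once fork is blocked
PASS = "no_processing"                    # behavior that needs no modification


class BehaviorController:
    def __init__(self, suspicious_pid):
        self.controlled = {suspicious_pid}   # suspicious process plus dependents
        self.depends_on = {}                 # pid -> (source pid, reason)
        self.tainted_files = {}              # path -> controlled pid that wrote it
        self.mappers = defaultdict(set)      # path -> pids that mmap'ed it

    def _add_dependent(self, pid, source, reason):
        if pid not in self.controlled:
            self.controlled.add(pid)
            self.depends_on[pid] = (source, reason)

    def handle(self, pid, syscall, target=None):
        """Return the control action for one captured system call."""
        if syscall == "read" and target in self.tainted_files:
            # Indirect interaction: reading a file a controlled process wrote.
            self._add_dependent(pid, self.tainted_files[target], f"read {target}")
        elif syscall == "mmap":
            peers = self.mappers[target]
            if pid in self.controlled:
                # Everyone already mapping this file now depends on pid.
                for peer in sorted(peers - {pid}):
                    self._add_dependent(peer, pid, f"mmap {target}")
            else:
                sources = sorted(peers & self.controlled)
                if sources:
                    self._add_dependent(pid, sources[0], f"mmap {target}")
            peers.add(pid)

        if pid not in self.controlled:
            return PASS
        if syscall == "write":
            self.tainted_files.setdefault(target, pid)
            return CLEAR_CONTENT
        if syscall in ("read", "mmap"):
            return ALLOW_RECORD
        if syscall in ("fork", "clone"):
            return TO_GETPID
        if syscall == "pipe":
            return ALLOW
        return PASS

    def resolve(self, verdict, backups=()):
        """Decide what happens to the controlled set once the alarm is judged."""
        if verdict == "false_negative":      # the process really was malicious
            return "kill", sorted(self.controlled | set(backups))
        if verdict == "false_positive":      # the process was benign
            return "release", sorted(self.controlled)
        raise ValueError(f"unknown verdict: {verdict}")


# Constructed sample trace: (pid, system call, target). Pid 100 is the process
# the security tool alarmed on; all pids and paths are made up.
SAMPLE_EVENTS = [
    (100, "write", "/tmp/a"),
    (200, "read", "/tmp/a"),
    (100, "clone", None),
    (300, "mmap", "/srv/data"),
    (200, "mmap", "/srv/data"),
    (300, "fork", None),
    (400, "write", "/tmp/b"),
    (100, "pipe", None),
]


def replay(events, suspicious_pid=100):
    ctl = BehaviorController(suspicious_pid)
    actions = [ctl.handle(pid, call, target) for pid, call, target in events]
    return ctl, actions


if __name__ == "__main__":
    ctl, actions = replay(SAMPLE_EVENTS)
    for event, action in zip(SAMPLE_EVENTS, actions):
        print(event, "->", action)
    print("controlled:", sorted(ctl.controlled))
    print(ctl.resolve("false_negative", backups={101, 201}))
```

In the trace, pid 200 becomes controlled by reading a file that pid 100 wrote, and pid 300 becomes controlled in turn because it shares an mmap'ed file with pid 200, so its later fork is also neutralized.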

4. The key to releasing the behavior of a controlled process into the client so that the proper running state is recovered quickly is to save the running state of the process at the appropriate time.

When a process is placed under control, or a dependency relationship arises between a process and a controlled process, the process is handed to the behavior release module, which backs up its state. Referring to Fig. 1, the process is backed up by actively trapping into the VMM while the process is in user mode and injecting a fork system call into the process at that point. The fork system call is injected by modifying 4 bytes in the code segment of the process, replacing the original code with the three instructions int3, int80 and int3. When the code is modified, the original code at that location must be saved for later recovery. After the code is modified, the eax register must also be set to the fork system call number, so that when the client executes the int80 instruction the fork system call executes correctly and completes the backup of the process. Because the eax register is modified as well, its original value must also be recorded.

The child process produced by fork serves as the backup process; it should remain suspended in this state and should not be scheduled to run, and the suspended state is lifted when the behavior needs to be released. The approach taken here is to inject the sched_yield system call to put the child process to sleep whenever it is detected that the child process has been scheduled to execute.

In addition, because the modified code segment is often shared by multiple processes, the modified code may be executed by other, unrelated processes. Those processes should execute the original code rather than the modified code, so the two int3 instructions are added to control the execution flow of the running process when the client traps into the VMM. Since there are two int3 instructions, trapping from int3 falls into two cases: trapping from the first int3 (1st int3) and trapping from the second int3 (2nd int3). The handling of the two cases is shown in Fig. 2.

As shown in Fig. 2, on a trap from the first int3, the execution effect of the original code at the modified location must be emulated, whether the process is an unrelated process or a controlled process. On a trap from the second int3, it is determined whether the process is a controlled process or a child process produced by the backup; if it is a child process, its process ID is recorded, and if it is a controlled process, it is handled according to whether the process behavior needs to be released.
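The fork injection and the two-int3 dispatch described above, as an added Python example that is not code from the patent: it applies the 4-byte patch to a byte buffer standing in for a guest code page, classifies traps, and restores the saved bytes and eax. It assumes that int80 denotes the x86 `int 0x80` instruction, that fork is system call 2 in that 32-bit ABI, and that the VMM is given the address of the int3 that fired; the function names and action names are hypothetical.

```python
# Added illustration (not the patent's code): the 4-byte patch is applied to a
# plain byte buffer standing in for a guest code page; no real guest is touched.
from dataclasses import dataclass

INT3 = b"\xcc"                   # x86 breakpoint instruction, 1 byte
INT80 = b"\xcd\x80"              # x86 "int 0x80" (the text's int80), 2 bytes
PATCH = INT3 + INT80 + INT3      # int3, int80, int3 = 4 bytes
SYS_FORK = 2                     # fork number in the 32-bit x86 Linux int 0x80 ABI

# Constructed sample code: push ebp; mov ebp,esp; push ebx; sub esp,0x18; nop
SAMPLE_CODE = b"\x55\x89\xe5\x53\x83\xec\x18\x90"


@dataclass
class SavedState:
    addr: int        # offset of the patch in the code buffer
    original: bytes  # the 4 original code bytes, kept for later recovery
    eax: int         # the original eax value, kept for later recovery


def inject_fork(code, regs, addr):
    """Overwrite 4 bytes at addr with the patch and load eax with fork."""
    if addr < 0 or addr + len(PATCH) > len(code):
        raise ValueError("patch does not fit in the code buffer")
    saved = SavedState(addr, bytes(code[addr:addr + len(PATCH)]), regs["eax"])
    code[addr:addr + len(PATCH)] = PATCH
    regs["eax"] = SYS_FORK
    return saved


def restore(code, regs, saved):
    """Put back the saved code bytes and the saved eax value."""
    code[saved.addr:saved.addr + len(PATCH)] = saved.original
    regs["eax"] = saved.eax


def classify_trap(trap_addr, pid, saved, controlled, backups, release_needed):
    """Dispatch an int3 trap; trap_addr is the address of the int3 that fired."""
    if trap_addr == saved.addr:                      # 1st int3
        # Unrelated and controlled processes alike: emulate the original code.
        return "emulate_original_code"
    if trap_addr == saved.addr + len(PATCH) - 1:     # 2nd int3, after int80
        if pid in controlled:
            return "release" if release_needed else "keep_controlled"
        backups.add(pid)                             # child created by the fork
        return "record_backup_pid"
    return "not_a_patch_trap"


def demo():
    code, regs = bytearray(SAMPLE_CODE), {"eax": 0x1234}
    saved = inject_fork(code, regs, 0)
    patched = bytes(code)
    backups = set()
    outcomes = [
        classify_trap(0, 999, saved, {100}, backups, False),  # unrelated process
        classify_trap(3, 100, saved, {100}, backups, False),  # controlled parent
        classify_trap(3, 101, saved, {100}, backups, False),  # forked child
    ]
    restore(code, regs, saved)
    return patched, outcomes, backups, bytes(code), regs["eax"]


if __name__ == "__main__":
    print(demo())
```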

The beneficial effects of the invention are as follows:

Security tools inevitably produce false alarms, which affect the system availability of clients on the cloud platform. The invention avoids system recovery, rollback and similar operations triggered by a security tool's false alarm, ensures that the client system keeps running after a false alarm occurs, and maintains its correct running state. When a security tool false alarm occurs, the invention correctly controls the suspicious process, which prevents the process from having a substantial effect on the system while preserving the correct running state of the process; when the false alarm is found, the client system can be quickly restored to the state it should be in, which reduces the impact of security tools on the availability of clients on the cloud platform.

Drawings

FIG. 1 is a process backup flow diagram of the present invention.

Fig. 2 is a flow chart of int3 trapping process of the present invention.

FIG. 3 is a flow chart of the method of the present invention.

Detailed Description

The present invention will be described in further detail with reference to the following examples and the accompanying drawings.

The process flow of the method is shown in Fig. 3. When a security tool generates an alarm, the method receives the signal and then executes the following process:

the process generating the threat (as provided by the security tool) is marked as a suspicious process, and its process id is passed to the capture module and the behavior release module;

the behavior release module backs up the suspicious process;

the capture module captures the behavior of the suspicious process and passes the captured behavior to the behavior control module;

the behavior control module controls the behavior of each process and forms inter-process dependency relationships according to the behavior type;

when a false alarm is found: if it is a false negative, only the suspicious process, the processes that have a dependency relationship with it, and the backup processes corresponding to these processes need to be killed; if it is a false positive, a message is sent to the behavior release module, which is responsible for restoring the state of the processes so that they can continue to run. A false negative (missed report) is the case where the security tool raises no alarm for a malicious process; a false positive (false report) is the case where the security tool reports a normal process as a malicious process.

Two specific examples are given below. It is to be understood that the described embodiments are merely a few embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Example one:

We performed the following experiment for the false-positive scenario:

Two monitoring tools, A and B, monitor the client together, and a target process is currently running in the client. At time t1, tool A raises an alarm for the target process and tool B does not; at time t2, a false positive is found. After the alarm, the target process performs other operations and forms dependency relationships with other processes. In the experiment, the method correctly records the dependency relationships of each process after the alarm and controls the behavior of the related processes. When the false positive is found at time t2, the related processes are allowed to continue executing normally without re-execution. The behaviors captured in the experiment and their counts are shown in Table 3.

Table 3. Behavior control mode

| Behavior | Count | Whether controlled |
| --- | --- | --- |
| mmap | 5 | |
| write/read | 11 | |
| fork | 2 | |
| clone | 2 | |
| pipe | 2 | |

Example two:

We performed the following experiment for the false-negative (missed-report) scenario:

Two monitoring tools, A and B, monitor the client together, and a target process is currently running in the client. At time t1, tool A raises an alarm for the target process and tool B does not; at time t2, a false negative is found. Because the behavior of the target process has been controlled and the system has not been substantially damaged, only the processes having a dependency relationship and the backup processes corresponding to these processes need to be killed at this point, and operations such as system pause, recovery and rollback are not required. The experimental samples were Tsunami, Kaiten and Xor.DDoS.

Tsunami: judging from its behavior, after the program starts executing it uses clone to create a child process, and the child process establishes a socket connection with the attacking host and sends data. After receiving commands from the attacking host, the infected machine acts as a host in the botnet and launches DoS (denial of service), SYN flood and similar attacks against the target. In the experiment, the clone system call is captured and controlled so that clone cannot execute successfully, and the socket connection between the child process and the remote attacking host therefore never occurs.

Another malware sample, Kaiten, was also tested. The process writes to system files such as /etc/rc.d/rc.local and /etc/rc.conf. The system controls the written content so that the write operation has no effect. This reduces the amount and complexity of recovery work for the guest operating system.

Xor.DDoS, once it begins executing, copies itself by creating a file under /usr/bin and /tmp and writing its binary content into it. A process under control cannot write data to the target file.

Claims (9)

1. A method for improving the availability of a cloud platform client system based on virtualization technology, which ensures that the client keeps running when a security protection tool raises a false alarm, the method comprising the following steps:
1) capturing the behavior of suspicious processes of the client at the virtualization monitoring layer;
2) forming dependency relationships among processes according to the behavior interaction between the suspicious process of the client and other processes;
3) controlling, at the virtualization monitoring layer, the behavior of the suspicious processes of the client and of the processes that have a dependency relationship with them, while ensuring that these processes continue to run in the client and that the behavior of the suspicious processes does not affect the client;
4) when a false alarm is found: if it is a false negative (missed report), killing the suspicious process and the processes that have a dependency relationship with it; if it is a false positive (false report), releasing the controlled suspicious process and the processes that have a dependency relationship with it, so that the suspicious process continues to run normally.
2. The method of claim 1, wherein: the behavior of the suspicious process captured in step 1) comprises file operations and process operations, and the captured behavior information comprises the system call number, the process ID and information related to the specific behavior.
3. The method of claim 1, wherein: the inter-process interaction behaviors in step 2) comprise direct interaction and indirect interaction.
4. The method of claim 1, wherein: when a process is placed under control, or a dependency relationship arises between a process and a controlled process, the running state of that process is backed up so that the running state can be recovered quickly when the controlled process is released in step 4); and in step 4), if the false alarm is a false negative, the corresponding backup process is also killed.
5. The method of claim 4, wherein: the backup process is kept in a suspended state and is not scheduled to run, and the suspended state is lifted when the behavior is released.
6. The method of claim 4, wherein a process is backed up by: actively trapping into the VMM while the process is in user mode, and injecting a fork system call into the process to implement the process backup.
7. The method of claim 6, wherein the fork system call is injected by: modifying 4 bytes in the code segment of the process, replacing the original code with the three instructions int3, int80 and int3; saving the original code when the code is modified, for later recovery; and, after the code is modified, setting the eax register to the fork system call number so that when the client executes the int80 instruction the fork system call executes correctly and completes the backup of the process.
8. The method of claim 7, wherein the execution flow of a running process when the guest traps into the VMM is controlled by the two int3 instructions; trapping from int3 falls into two cases: trapping from the first int3 and trapping from the second int3; on a trap from the first int3, the execution effect of the original code at the modified location is emulated, whether the process is an unrelated process or a controlled process; on a trap from the second int3, it is determined whether the process is a controlled process or a child process produced by the backup, and if it is a child process, its process ID is recorded, and if it is a controlled process, it is handled according to whether the process behavior needs to be released.
9. An apparatus for improving the availability of a cloud platform client system based on virtualization technology, using the method of claim 1, comprising:
the capture module, used for capturing, at the virtualization monitoring layer, the behavior of the suspicious process of the client running above it and passing the captured behavior to the behavior control module;
the behavior control module, used for controlling the behavior of each process and forming inter-process dependency relationships according to the behavior type;
and the behavior release module, used for backing up the suspicious process and, when the false alarm is a false positive, releasing the controlled suspicious process and the processes that have a dependency relationship with it so that the suspicious process continues to run normally.

Application CN201611201662.0A, priority date 2016-12-23, filing date 2016-12-23: Cloud platform client system availability improving method based on virtualization technology, CN106844002B (en).

Publications: CN106844002A, published 2017-06-13; CN106844002B, published 2019-12-31.

Family ID: 59135714. Country: CN.
