CN106991328A - Vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis - Google Patents
- Publication number: CN106991328A (application CN201710202771.2A; granted as CN106991328B)
- Authority: CN (China)
- Prior art keywords: heap, vulnerability exploit, fingerprint, dynamic memory
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
A vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis, with the following steps: (1) inject a dynamic link library into the target process; (2) register a vectored exception handler; (3) enable Data Execution Prevention; (4) allocate no-access memory blocks of random size; (5) allocate memory to occupy the commonly used heap-spray addresses; (6) monitor the block distribution of the process heaps; (7) rebase the modules being loaded; (8) allocate a no-access memory block at address 0x1; (9) take over final (unhandled) exceptions; (10) hook specific interface functions and perform anomaly detection and behaviour identification on the calling environment; (11) hook thread scheduling and monitor changes to the target process's access token and SecurityDescriptor pointer; (12) monitor access to and execution of user-mode addresses from kernel mode. Through these steps exploitation attacks are detected, and the complex procedures, lag period and poor compatibility of existing protection techniques are overcome.
Description
I. Technical field

The invention provides a vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis. It relates to the detection and identification of vulnerability exploitation and belongs to the technical field of network security.
II. Background

A vulnerability is a weakness or defect present in a system: the system's susceptibility to a particular threat, attack or hazardous event, or the possibility that a threat can act on it. Vulnerabilities may stem from defects in the design of application software or the operating system, from mistakes made during coding, or from design flaws and unreasonable logic introduced as a product iterates. These defects, mistakes and flaws can be exploited, intentionally or not, to harm an organisation's assets or operations: information systems are attacked or taken over, sensitive information is stolen, user data is tampered with, and compromised systems are used as a springboard for intruding into other hosts. Advanced Persistent Threat (APT) incidents against government, the defence industry, education, research institutions and enterprises have risen steadily in recent years, and vulnerability exploitation is their main means of attack.

Against ever more sophisticated exploitation techniques, existing protection methods fall into the following types, each with obvious shortcomings:

1. Patching the vulnerable program, or upgrading it promptly to the latest version. This protects well against known vulnerabilities, but rolling out a new software version across a whole organisation involves many versions, a long cycle and complex procedures; it cannot guarantee that the new version is free of vulnerabilities; and if an attacker discovers a vulnerability first, it can be exploited before a patch is released.

2. Identifying exploits by static signature scanning. This depends on manual analysis by highly skilled staff, and it lags: in the period between a sample being captured and a rule being added after analysis, the exploit may already have caused serious damage. It cannot detect or protect against unknown vulnerabilities.

3. Relying on the security mechanisms provided by the operating system itself. The operating system does provide mitigations against exploitation, but they are unavailable on operating system versions that do not support them, some require compiler or hardware support, their coverage is small and their compatibility poor, and upgrading an entire integrated environment is costly and time-consuming.
III. Content of the invention

1. Object of the invention

In view of the above problems, the invention provides a vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis. Its purpose is to identify and defend, accurately and promptly, against exploitation techniques for both known and unknown vulnerabilities, and to resolve the obvious defects described above, so that emergency response can proceed quickly and the system environment is kept secure.
2. Technical scheme

The vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis of the invention proceeds as follows:

Step 1: Inject the dynamic link library developed for the invention into the target process.
Step 2: Register a vectored exception handler (VEH) in the target process to take over exception handling.
Step 3: Enable Data Execution Prevention (DEP).
Step 4: Allocate memory blocks of random size in order from low to high addresses and set their memory protection to no-access.
Step 5: Allocate memory to occupy the commonly used heap-spray addresses.
Step 6: Create a thread that monitors the block distribution of the process heaps.
Step 7: Hook the interface functions (APIs) in the NTDLL module that are called during dynamic link library loading, and rebase the particular modules being loaded.
Step 8: Allocate a memory block at address 0x1 and set its memory protection to no-access.
Step 9: Register a final exception handler to take over final (unhandled) exceptions.
Step 10: Hook all interface functions heavily used in exploits; on each call, run anomaly detection on the calling environment and, in association with the exploit module blacklist, perform behaviour identification.
Step 11: Hook the thread scheduling process and monitor changes to the target process's access token and SecurityDescriptor pointer.
Step 12: Monitor, in kernel mode (ring 0), access to and execution of user-mode addresses.
The "target process" in Step 1 is the process protected by the invention.

The "dynamic link library" in Step 1 is a binary file that is not executable on its own and that lets programs share the code and other resources needed to perform specific tasks.

"Registering a vectored exception handler (VEH) in the target process to take over exception handling" in Step 2 is done as follows: call the operating system interface function AddVectoredExceptionHandler to register a handler for the exceptions that occur in the process.

"Enabling Data Execution Prevention" in Step 3 is done as follows: obtain the addresses of the interface functions GetSystemDEPPolicy, GetProcessDEPPolicy and SetProcessDEPPolicy in the kernel32 module; query the DEP configuration of the system and of the current process through the first two, and enable DEP through the third, so that the memory protection of the stack and heap is set to non-executable.

"No-access" in Step 4 means the memory protection attribute PAGE_NOACCESS.

"Heap spray" in Step 5 is an exploitation technique that places a chosen byte sequence at predictable locations in the target process's heap in order to facilitate arbitrary code execution.

"Allocating memory to occupy the commonly used heap-spray addresses" in Step 5 is done as follows: allocate in advance the heap-spray addresses currently in common use, such as 0x0a0a0a0a and 0x0c0c0c0c; the allocation method is the conventional technique in this field.

"Creating a thread that monitors the block distribution of the process heaps" in Step 6 is done as follows: create a worker thread that repeatedly walks the blocks of the current process's heaps, counts the blocks of equal size, and checks whether the number of such blocks and the size of a single block exceed threshold values.

A "particular module" in Step 7 is a module that was built without /DYNAMICBASE and that has a relocation table.

"Hooking the interface functions (APIs) in the NTDLL module that are called during dynamic link library loading, and rebasing the particular modules being loaded" in Step 7 is done as follows: modify the NTDLL export NtMapViewOfSection; when a dynamic link library is being loaded, examine its relocation information, release the memory of the originally mapped section, allocate memory to occupy part of that address range, and then perform the mapping again so that the module lands elsewhere.

"Registering a final exception handler to take over final exceptions" in Step 9 is done as follows: call the operating system interface function that registers a final (top-level) exception handler, to handle the crash exceptions that occur in the process.

"Hooking all interface functions heavily used in exploits" in Step 10 is done as follows: hook the interface functions commonly called during exploitation, such as LoadLibraryExW, LoadLibraryExA, VirtualAllocEx, VirtualProtectEx, VirtualProtect, VirtualAlloc, WinExec and CreateFileA.

"Running anomaly detection on the calling environment" in Step 10 is done as follows: check whether the stack pointer register lies within the stack range recorded in the current thread information block; check the integrity of the exception handler chain; check whether the caller is a CALL instruction; and check whether the stack backtrace to a specified depth is anomalous.

"Behaviour identification" in Step 10 refers to detecting, once a blacklisted module has been loaded, behaviour that falls outside the whitelist; it serves to detect exploitation techniques that do not rely on memory corruption.

"Performing behaviour identification in association with the exploit module blacklist" in Step 10 is done as follows: when the loading of a module on the blacklist of modules in which vulnerabilities frequently occur is observed, this mode is enabled and abnormal behaviour in the process is detected, such as IEXPLORE creating a PowerShell process.

The "access token" in Step 11: every running process has an access token, a set of data describing its privileges.

"Hooking the thread scheduling process and monitoring changes to the target process's access token and SecurityDescriptor pointer" in Step 11 is done as follows: collect the process IDs of the processes with system privileges in the current environment; when the CR3 register is switched during thread scheduling, check whether the current process is among the collected process IDs, and at the same time detect the SecurityDescriptor pointer being set to 0.
Through the above steps the invention realises a vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis which, combined with the system's own protective measures, detects and identifies exploitation attacks and resolves the complex procedures, lag period and poor compatibility of existing protection techniques.

3. Advantages

With the above technical scheme, the invention, combined with the system's own protective measures, independently realises in a dynamic way a set of exploit detection and identification methods based on dynamic memory fingerprint anomaly analysis. System support and software compatibility are high, cost is low and coverage of exploitation techniques is wide, so most of the techniques used in exploits, including those for unknown vulnerabilities, can be detected and identified effectively and promptly.
IV. Description of the drawings

Fig. 1 is a schematic flowchart of the method of the invention.
Fig. 2 is a schematic flowchart of the anomaly detection performed when a hooked interface function is called.
Fig. 3 is a schematic flowchart of the exception handling of the method.
V. Embodiments

To overcome the shortcomings of existing exploit detection schemes, namely that they cannot detect unknown types of vulnerability and that their compatibility is poor and their coverage small, the method provides an exploit detection and identification scheme: a protection module is injected into the target process, memory is arranged into the state best suited to defence, and the behaviour of the target process is monitored and dynamically analysed in order to recognise exploitation techniques, not limited to the exploitation of known vulnerabilities, thereby protecting the process and the system environment.

To make the purpose and technical scheme of the method clearer, it is described in further detail below with reference to the drawings.

Referring to Fig. 1, the exploit detection and identification flow of the method, which is based on dynamic memory fingerprint anomaly analysis, consists of the following steps:

Step S101: The exploit detection module injects the protection module developed by the technical staff into the target process to be protected.

Step S102: Register a vectored exception handler in the target process to take over the process's exceptions. As shown in Fig. 3, this involves steps S301 to S305:

Step S301: An exception occurs inside the target process and is taken over by the protection module's vectored exception handler.
Step S302: Exceptions not caused by an invalid memory access are filtered out.
Step S303: Determine whether the exception is related to the memory layout the protection module arranged during initialisation.
Step S304: If it is not related, end this exception-handling pass.
Step S305: Otherwise (the exception touched memory the protection module reserved), issue a warning: an exploitation technique has been detected.
Step S103: Query the DEP configuration of the system. If DEP is supported but not enabled, enable it through the interface function SetProcessDEPPolicy exported by the kernel32 module, so that the memory protection of the heap and stack address space is set to non-executable.

Step S104: Allocate, in order from low to high addresses, a random number of memory blocks of random size, and by modifying the page table entries (PTEs) of the pages involved, add a special flag bit and set their memory protection to no-access.

Step S105: Allocate in the target process the popular heap-spray target addresses, such as 0x0C0C0C0C, and by modifying the PTEs of the pages involved, add a special flag bit and set their memory protection to no-access.

Step S106: Create a worker thread that checks the block distribution of the process heaps and raises an exploit warning when the number of same-sized heap blocks above a certain size exceeds a threshold.
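The heap census of step S106, written out as an added example (this is not the patent's own code, which is not published): a C program over a constructed array of busy-block sizes standing in for what HeapWalk would return on Windows. The thresholds are illustrative assumptions, since the patent gives no values; the additional byte-share condition is also an addition, there to keep allocators that legitimately hand out many fixed-size buffers from tripping the check.

```c
/* Added example, not the patent's code: the heap-block census of Step S106.
 * On Windows the block sizes would come from HeapWalk() over each process
 * heap; here a constructed array stands in for that output. Thresholds are
 * illustrative (the patent states none). Build: cc -std=c99 heap_census.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed thresholds: a spray consists of many large, identical blocks. */
#define SPRAY_MIN_BLOCK (64u * 1024u)  /* ignore blocks smaller than this   */
#define SPRAY_MIN_COUNT 32u            /* at least this many equal blocks... */
#define SPRAY_MIN_SHARE 50u            /* ...holding >= this % of heap bytes */

typedef struct {
    size_t size;    /* most repeated block size at or above the minimum */
    size_t count;   /* number of blocks of that size */
    unsigned share; /* percent of all busy heap bytes held by those blocks */
} heap_fingerprint;

static int cmp_size(const void *a, const void *b) {
    size_t x = *(const size_t *)a, y = *(const size_t *)b;
    return (x > y) - (x < y);
}

/* Sort a copy of the sizes, then run-length scan for the longest run of
 * equal sizes among blocks >= min_block. */
heap_fingerprint heap_census(const size_t *sizes, size_t n, size_t min_block) {
    heap_fingerprint fp = {0, 0, 0};
    uint64_t total = 0;
    size_t i, *tmp = n ? malloc(n * sizeof *tmp) : NULL;
    if (!tmp) return fp;
    memcpy(tmp, sizes, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_size);
    for (i = 0; i < n;) {
        size_t j = i + 1;
        while (j < n && tmp[j] == tmp[i]) j++;
        total += (uint64_t)tmp[i] * (j - i);
        if (tmp[i] >= min_block && j - i > fp.count) {
            fp.size = tmp[i];
            fp.count = j - i;
        }
        i = j;
    }
    if (total) fp.share = (unsigned)((uint64_t)fp.size * fp.count * 100u / total);
    free(tmp);
    return fp;
}

/* The worker thread's verdict: many equal large blocks that also dominate the
 * heap. Requiring both cuts false positives from caches and arenas that
 * legitimately allocate fixed-size buffers. */
int heap_looks_sprayed(const size_t *sizes, size_t n) {
    heap_fingerprint fp = heap_census(sizes, n, SPRAY_MIN_BLOCK);
    return fp.count >= SPRAY_MIN_COUNT && fp.share >= SPRAY_MIN_SHARE;
}

/* Constructed samples: a mixed heap of small allocations, and the same heap
 * after a spray of one hundred 1 MiB blocks. */
#define N_NORMAL 200
#define N_SPRAY  300
static size_t normal_heap[N_NORMAL], sprayed_heap[N_SPRAY];

static void build_samples(void) {
    size_t i;
    for (i = 0; i < N_NORMAL; i++) normal_heap[i] = 16 + (i * 37) % 4096;
    for (i = 0; i < N_SPRAY; i++)
        sprayed_heap[i] = i < N_NORMAL ? normal_heap[i] : 1024u * 1024u;
}

int demo_normal(void)  { build_samples(); return heap_looks_sprayed(normal_heap, N_NORMAL); }
int demo_sprayed(void) { build_samples(); return heap_looks_sprayed(sprayed_heap, N_SPRAY); }

int main(void) {
    heap_fingerprint fp;
    build_samples();
    fp = heap_census(sprayed_heap, N_SPRAY, SPRAY_MIN_BLOCK);
    printf("dominant block %zu bytes x %zu (%u%% of heap): %s\n", fp.size, fp.count,
           fp.share, heap_looks_sprayed(sprayed_heap, N_SPRAY) ? "SPRAY" : "ok");
    return 0;
}
```

On a live process the census has to tolerate heaps that change under it (HeapWalk requires the heap to be locked, and a large busy heap makes each pass expensive), which is why the patent gives this job to its own worker thread rather than running it inside a hook.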
Step S107: Hook the interface functions used during dynamic module loading. When a dynamic link library built without /DYNAMICBASE but possessing a relocation table is loaded, forcibly allocate memory at its original load address so that the module is forced to load at a different location.
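The test for a "particular module" in step S107, as an added example (not the patent's code): a bounds-checked parser of the NT headers that reports whether an image lacks /DYNAMICBASE (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) yet carries a base-relocation directory, and what its preferred ImageBase is. A hook on NtMapViewOfSection would run this over the freshly mapped view; here a minimal PE32 header is constructed in memory so the parser runs without Windows. The constant values are the ones from winnt.h; a little-endian host is assumed.

```c
/* Added example, not the patent's code: the "particular module" test behind
 * Step S107. A hook on NtMapViewOfSection would run this over the freshly
 * mapped image; here a minimal PE32 header is constructed in memory so the
 * parser runs without Windows. Assumes a little-endian host, like PE itself.
 * Build: cc -std=c99 pe_rebase.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants (values as in winnt.h). */
#define IMAGE_DOS_SIGNATURE           0x5A4Du     /* "MZ"     */
#define IMAGE_NT_SIGNATURE            0x00004550u /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10Bu
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20Bu
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040u
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

typedef struct {
    int valid;           /* headers parsed successfully */
    int dynamic_base;    /* linked with /DYNAMICBASE (ASLR opt-in) */
    int has_relocs;      /* base-relocation directory present */
    uint64_t image_base; /* preferred load address */
} pe_base_info;

/* Parse just enough of the NT headers, with bounds checks so a truncated or
 * hostile image cannot make the parser read past the buffer. */
pe_base_info pe_base_info_of(const uint8_t *img, size_t len) {
    pe_base_info info = {0, 0, 0, 0};
    uint32_t nt, opt, dirs, ndirs;
    uint16_t magic, opt_size;
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return info;
    nt = rd32(img + 0x3C);                              /* e_lfanew */
    if (nt > len || len - nt < 4 + 20) return info;
    if (rd32(img + nt) != IMAGE_NT_SIGNATURE) return info;
    opt_size = rd16(img + nt + 4 + 16);                 /* SizeOfOptionalHeader */
    opt = nt + 4 + 20;                                  /* IMAGE_OPTIONAL_HEADER */
    if (len - opt < opt_size) return info;
    magic = rd16(img + opt);
    if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC && opt_size >= 96 + 8 * 6) {
        info.image_base = rd32(img + opt + 28);
        dirs = opt + 96;
    } else if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC && opt_size >= 112 + 8 * 6) {
        info.image_base = rd64(img + opt + 24);
        dirs = opt + 112;
    } else return info;
    info.dynamic_base = (rd16(img + opt + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    ndirs = rd32(img + dirs - 4);                       /* NumberOfRvaAndSizes */
    info.has_relocs = ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC &&
                      rd32(img + dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC + 4) != 0;
    info.valid = 1;
    return info;
}

/* Step 7's predicate: relocatable but not ASLR-enabled. Such a module lands at
 * image_base on every run, which is what a ROP chain relies on; the hook then
 * occupies that range so the loader has to pick another base. */
int pe_needs_rebase(const uint8_t *img, size_t len, uint64_t *preferred_base) {
    pe_base_info i = pe_base_info_of(img, len);
    if (!i.valid) return 0;
    if (preferred_base) *preferred_base = i.image_base;
    return !i.dynamic_base && i.has_relocs;
}

/* Constructed sample: a minimal PE32 header with only the fields read above. */
#define SAMPLE_LEN (0x40 + 4 + 20 + 224)
static void build_pe32(uint8_t *b, uint32_t image_base, int aslr, uint32_t reloc_size) {
    uint32_t nt = 0x40, opt = nt + 24, v;
    uint16_t h;
    memset(b, 0, SAMPLE_LEN);
    h = IMAGE_DOS_SIGNATURE;           memcpy(b, &h, 2);
    memcpy(b + 0x3C, &nt, 4);
    v = IMAGE_NT_SIGNATURE;            memcpy(b + nt, &v, 4);
    h = 224;                           memcpy(b + nt + 20, &h, 2);   /* SizeOfOptionalHeader */
    h = IMAGE_NT_OPTIONAL_HDR32_MAGIC; memcpy(b + opt, &h, 2);
    memcpy(b + opt + 28, &image_base, 4);
    h = aslr ? IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE : 0; memcpy(b + opt + 70, &h, 2);
    v = 16;                            memcpy(b + opt + 92, &v, 4);   /* NumberOfRvaAndSizes */
    memcpy(b + opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC + 4, &reloc_size, 4);
}

static int demo(int aslr, uint32_t reloc_size, uint64_t *base) {
    uint8_t b[SAMPLE_LEN];
    build_pe32(b, 0x10000000u, aslr, reloc_size);
    return pe_needs_rebase(b, SAMPLE_LEN, base);
}
int demo_legacy_dll(void) { return demo(0, 0x1000, NULL); } /* no ASLR, relocs: rebase */
int demo_aslr_dll(void)   { return demo(1, 0x1000, NULL); } /* ASLR already: leave    */
int demo_fixed_dll(void)  { return demo(0, 0,      NULL); } /* no relocs: cannot move */
uint64_t demo_legacy_base(void) { uint64_t base = 0; demo(0, 0x1000, &base); return base; }

int main(void) {
    printf("legacy %d aslr %d fixed %d base 0x%llx\n", demo_legacy_dll(), demo_aslr_dll(),
           demo_fixed_dll(), (unsigned long long)demo_legacy_base());
    return 0;
}
```

The third sample matters for the hook: a module with no relocation table cannot be moved at all, so occupying its base would make the load fail rather than relocate it; the predicate therefore requires both conditions, as the patent's definition of a "particular module" does.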
Step S108: Allocate a memory region starting at address 0x1 and, by modifying the PTEs of the pages involved, add a special flag bit and set its memory protection to no-access.

Step S109: Install a final exception handler in the current process to take over final (unhandled) exceptions.

Step S110: Hook the interface functions frequently used in exploits and run anomaly detection on each call. As shown in Fig. 2, this involves steps S201 to S208:

Step S201: Check the parameters of the call for anomalies, for example whether the lpAddress parameter of VirtualProtect lies within the stack address space and whether its flNewProtect parameter carries an executable flag. If the parameters are anomalous, go to step S208.
Step S202: Check whether the stack pointer register lies within the stack address space. If it does not, flag an anomaly and go to step S208.
Step S203: Check whether the exception handler chain is intact at the point where the interface function is called. If it is anomalous, go to step S208.
Step S204: Check whether the caller of the interface function is a CALL instruction. If it is not, flag an anomaly and go to step S208.
Step S205: Walk the call stack backwards from this call and check whether the chain is normal and whether its addresses are on the whitelist. If anomalous, go to step S208.
Step S206: When a blacklisted module in which vulnerabilities frequently occur is loaded, enable this mode and detect abnormal behaviour in the process, such as IEXPLORE creating a PowerShell process.
Step S207: If step S206 finds nothing abnormal, this check ends and the next interface call is awaited.
Step S208: Issue a warning: an exploitation technique has been detected.
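The call-site checks of steps S201, S202 and S204, as an added example (not the patent's code): pure C functions that take the thread's stack range (on Windows, StackLimit and StackBase from the TEB), the captured stack pointer, the VirtualProtect arguments and the bytes preceding the return address, and decide whether the call looks like it came from a ROP chain. The stack range, addresses and byte sequences are constructed for illustration. The exception-chain check (S203) and the stack-walk whitelist (S205) need live process structures and are not modelled here.

```c
/* Added example, not the patent's code: the call-site checks of Steps S201,
 * S202 and S204 for a hooked VirtualProtect, as pure functions over values the
 * hook would capture on Windows (StackLimit/StackBase from the TEB, the saved
 * stack pointer, the return address and the arguments). All inputs here are
 * constructed for illustration. Build: cc -std=c99 call_site.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory-protection constants (values as in winnt.h). */
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* The thread's stack as recorded in the TEB: [limit, base). */
typedef struct { uintptr_t limit, base; } stack_range;

static int in_stack(stack_range st, uintptr_t p) { return p >= st.limit && p < st.base; }

/* S201: VirtualProtect(lpAddress, ..., flNewProtect) asking to make part of
 * the current stack executable is the classic DEP bypass. */
int protect_params_suspicious(stack_range st, uintptr_t lpAddress, uint32_t flNewProtect) {
    return in_stack(st, lpAddress) && (flNewProtect & PAGE_EXECUTE_ANY) != 0;
}

/* S202: a stack pointer outside the TEB-recorded stack means the thread is
 * running on a pivoted, attacker-controlled stack (e.g. a sprayed heap). */
int stack_pointer_suspicious(stack_range st, uintptr_t sp) { return !in_stack(st, sp); }

/* S204: is the instruction just before the return address a CALL? Recognises
 * E8 rel32 and the FF /2 forms (register, memory, disp8/disp32, SIB, RIP-
 * relative, REX.B). A ROP gadget reaches the API via RET or JMP, so nothing
 * resembling a CALL precedes its "return" address. Because x86 encoding is
 * variable-length, a byte pattern can match by chance: it is one signal. */
int preceded_by_call(const uint8_t *code, size_t ret) {
    if (ret >= 5 && code[ret - 5] == 0xE8) return 1;                          /* call rel32 */
    if (ret >= 7 && code[ret - 7] == 0xFF && code[ret - 6] == 0x94) return 1; /* [sib+d32]  */
    if (ret >= 6 && code[ret - 6] == 0xFF) {
        uint8_t m = code[ret - 5];                            /* [rip+d32] or [reg+d32] */
        if (m == 0x15 || (m >= 0x90 && m <= 0x97 && m != 0x94)) return 1;
    }
    if (ret >= 4 && code[ret - 4] == 0xFF && code[ret - 3] == 0x54) return 1; /* [sib+d8]   */
    if (ret >= 3) {
        uint8_t a = code[ret - 3], b = code[ret - 2], c = code[ret - 1];
        if (a == 0xFF && (b == 0x14 || (b >= 0x50 && b <= 0x57 && b != 0x54))) return 1;
        if (a == 0x41 && b == 0xFF && c >= 0xD0 && c <= 0xD7) return 1;      /* call r8-r15 */
    }
    if (ret >= 2 && code[ret - 2] == 0xFF) {
        uint8_t m = code[ret - 1];                            /* call reg / call [reg] */
        if ((m >= 0xD0 && m <= 0xD7) || (m >= 0x10 && m <= 0x17 && m != 0x14 && m != 0x15))
            return 1;
    }
    return 0;
}

/* Combine the checks as the hook would: any one failing raises the warning. */
int call_site_suspicious(stack_range st, uintptr_t sp, uintptr_t lpAddress,
                         uint32_t flNewProtect, const uint8_t *code, size_t ret) {
    return protect_params_suspicious(st, lpAddress, flNewProtect) ||
           stack_pointer_suspicious(st, sp) || !preceded_by_call(code, ret);
}

/* Constructed call sites (assumed stack 0x00100000-0x00200000): a legitimate
 * "call [rip+disp32]" with the return address right after it, and a ROP-style
 * site where the bytes before the "return" address are "pop rbx; ret". */
static const uint8_t SITE_CALL[] = {0x90, 0xFF, 0x15, 0x10, 0x00, 0x00, 0x00, 0x90};
static const uint8_t SITE_ROP[]  = {0x90, 0x5B, 0xC3, 0x90};
static const stack_range DEMO_STACK = {0x00100000u, 0x00200000u};

int demo_legit(void) {   /* RW protect of a heap page, sp on the real stack */
    return call_site_suspicious(DEMO_STACK, 0x001ff000u, 0x00400000u, PAGE_READWRITE, SITE_CALL, 7);
}
int demo_rop(void) {     /* sp on a sprayed heap, making the real stack RWX, via RET */
    return call_site_suspicious(DEMO_STACK, 0x0c0c0c0cu, 0x001ff000u, PAGE_EXECUTE_READWRITE, SITE_ROP, 3);
}

int main(void) {
    printf("legitimate call site: %s\n", demo_legit() ? "ALERT" : "ok");
    printf("ROP call site:        %s\n", demo_rop() ? "ALERT" : "ok");
    return 0;
}
```

The CALL heuristic reads bytes behind the return address, and because x86 instructions are variable-length a random byte pair such as FF D0 can occur inside an unrelated instruction; an attacker can also arrange a gadget that ends in a CALL rather than a RET. That is why the patent combines it with the parameter, stack-pointer, exception-chain and backtrace checks rather than relying on it alone.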
Step S111: Hook the thread scheduling of the current system. When the scheduling event occurs, check whether the application's access token has changed, and add a check for a SecurityDescriptor pointer of 0 in the object header structure.

Step S112: Monitor, in kernel mode, access to and execution of user-mode memory by kernel code. When such an event occurs, issue a warning: an exploitation technique has been detected.
Claims (10)
1. A vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis, characterized in that its steps are as follows:
Step 1: injecting the developed dynamic link library into the target process;
Step 2: registering a vectored exception handler (VEH) in the target process to take over exception handling;
Step 3: enabling Data Execution Prevention (DEP);
Step 4: allocating memory blocks of random size in order from low to high addresses and setting their memory protection to no-access;
Step 5: allocating memory to occupy the commonly used heap-spray addresses;
Step 6: creating a thread that monitors the block distribution of the process heaps;
Step 7: hooking the interface functions (APIs) in the NTDLL module that are called during dynamic link library loading, and rebasing the particular modules being loaded;
Step 8: allocating a memory block at address 0x1 and setting its memory protection to no-access;
Step 9: registering a final exception handler to take over final exceptions;
Step 10: hooking all interface functions heavily used in exploits, running anomaly detection on the calling environment on each call, and performing behaviour identification in association with the exploit module blacklist;
Step 11: hooking the thread scheduling process and monitoring changes to the target process's access token and SecurityDescriptor pointer;
Step 12: monitoring, in kernel mode (ring 0), access to and execution of user-mode addresses;
whereby a vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis is realised which, combined with the system's own protective measures, detects and identifies exploitation attacks and resolves the complex procedures, lag period and poor compatibility of existing protection techniques.
2. The method according to claim 1, characterized in that:
the "target process" in Step 1 is the process protected by the invention; the "dynamic link library" is a binary file that is not executable on its own and that lets programs share the code and other resources needed to perform specific tasks.
3. The method according to claim 1, characterized in that:
"registering a vectored exception handler (VEH) in the target process to take over exception handling" in Step 2 is done as follows: calling the operating system interface function AddVectoredExceptionHandler to register a handler for the exceptions that occur in the process.
4. The method according to claim 1, characterized in that:
"enabling Data Execution Prevention" in Step 3 is done as follows: obtaining the addresses of the interface functions GetSystemDEPPolicy, GetProcessDEPPolicy and SetProcessDEPPolicy in the kernel32 module; querying the DEP configuration of the system and of the current process through the first two; and enabling Data Execution Prevention through the third, so that the memory protection of the stack and heap is set to non-executable.
5. The method according to claim 1, characterized in that:
"heap spray" in Step 5 refers to an exploitation technique that places a chosen byte sequence at predictable locations in the target process's heap in order to facilitate arbitrary code execution;
"allocating memory to occupy the commonly used heap-spray addresses" is done as follows: allocating in advance the heap-spray addresses currently in common use, such as 0x0a0a0a0a and 0x0c0c0c0c, by the allocation technique conventional in this field.
6. The method according to claim 1, characterized in that:
"creating a thread that monitors the block distribution of the process heaps" in Step 6 is done as follows: creating a worker thread that repeatedly walks the blocks of the current process's heaps, counts the blocks of equal size, and checks whether the number of such blocks and the size of a single block exceed threshold values.
7. The method according to claim 1, characterized in that:
a "particular module" in Step 7 is a module that was built without /DYNAMICBASE and that has a relocation table;
"hooking the interface functions (APIs) in the NTDLL module that are called during dynamic link library loading, and rebasing the particular modules being loaded" is done as follows: modifying the NTDLL export NtMapViewOfSection; when a dynamic link library is being loaded, examining its relocation information, releasing the memory of the originally mapped section, allocating memory to occupy part of that address range, and then performing the mapping again so that the module lands elsewhere.
8. The method according to claim 1, characterized in that:
"registering a final exception handler to take over final exceptions" in Step 9 is done as follows: calling the operating system interface function that registers a final (top-level) exception handler, to handle the crash exceptions that occur in the process.
9. The method according to claim 1, characterized in that:
"hooking all interface functions heavily used in exploits" in Step 10 is done as follows: hooking the interface functions commonly called during exploitation, such as LoadLibraryExW, LoadLibraryExA, VirtualAllocEx, VirtualProtectEx, VirtualProtect, VirtualAlloc, WinExec and CreateFileA;
"running anomaly detection on the calling environment" in Step 10 is done as follows: checking whether the stack pointer register lies within the stack range recorded in the current thread information block; checking the integrity of the exception handler chain; checking whether the caller is a CALL instruction; and checking whether the stack backtrace to a specified depth is anomalous;
"behaviour identification" in Step 10 refers to detecting, once a blacklisted module has been loaded, behaviour that falls outside the whitelist; it serves to detect exploitation techniques that do not rely on memory corruption;
"performing behaviour identification in association with the exploit module blacklist" in Step 10 is done as follows: when the loading of a module on the blacklist of modules in which vulnerabilities frequently occur is observed, enabling this mode and detecting abnormal behaviour in the process, such as IEXPLORE creating a PowerShell process.
10. The method according to claim 1, characterized in that:
the "access token" in Step 11 refers to the access token that every running process has, a set of data describing its privileges;
"hooking the thread scheduling process and monitoring changes to the target process's access token and SecurityDescriptor pointer" in Step 11 is done as follows: collecting the process IDs of the processes with system privileges in the current environment; when the CR3 register is switched during thread scheduling, checking whether the current process is among the collected process IDs, and at the same time detecting the SecurityDescriptor pointer being set to 0.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710202771.2A (granted as CN106991328B) | 2017-03-30 | 2017-03-30 | Vulnerability exploit detection and identification method based on dynamic memory fingerprint anomaly analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106991328A (application published) | 2017-07-28 |
CN106991328B (granted patent) | 2019-11-29 |
Family ID: 59411896
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107291480A | 2017-08-15 | 2017-10-24 | 中国农业银行股份有限公司 (Agricultural Bank of China) | Function calling method and device |
CN108133149A | 2018-01-11 | 2018-06-08 | 武汉斗鱼网络科技有限公司 (Wuhan Douyu Network Technology) | Data protection method, device and electronic equipment |
CN108959938A | 2018-07-05 | 2018-12-07 | 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen)) | Method, apparatus, storage medium and device for detecting vulnerability exploitation |
CN112134875A | 2020-09-18 | 2020-12-25 | 国网山东省电力公司青岛供电公司 (State Grid Shandong Electric Power, Qingdao Power Supply Company) | IoT network abnormal traffic detection method and system |
CN112307482A | 2019-07-29 | 2021-02-02 | 北京奇虎科技有限公司 (Beijing Qihoo Technology) | Range-based kernel intrusion detection method and device, and computing equipment |
US11169869B1 | 2020-07-08 | 2021-11-09 | International Business Machines Corporation | System kernel error identification and reporting |
WO2024112272A1 | 2022-11-24 | 2024-05-30 | Telefonaktiebolaget LM Ericsson (publ) | Using memory page offsets to detect cybersecurity attacks |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101902481A | 2010-08-10 | 2010-12-01 | 厦门市美亚柏科信息股份有限公司 (Xiamen Meiya Pico Information) | Real-time monitoring method and device for web page Trojan horses |
CN102622543A | 2012-02-06 | 2012-08-01 | 北京百度网讯科技有限公司 (Beijing Baidu Netcom Science and Technology) | Method and device for dynamically detecting malicious web page scripts |
CN103632093A | 2013-09-17 | 2014-03-12 | 中国人民解放军61599部队计算所 (PLA Unit 61599 Computing Institute) | Trojan detection method |
CN103714292A | 2014-01-15 | 2014-04-09 | 四川师范大学 (Sichuan Normal University) | Method for detecting exploit code |
CN103886252A | 2013-04-26 | 2014-06-25 | 卡巴斯基实验室封闭式股份公司 (Kaspersky Lab ZAO) | Selective evaluation of the maliciousness of software code executed in a trusted process address space |
CN104217163A | 2014-09-10 | 2014-12-17 | 珠海市君天电子科技有限公司 (Zhuhai Juntian Electronic Technology) | Method and device for detecting structured exception handling (SEH) attacks |
US9336386B1 | 2013-06-12 | 2016-05-10 | Palo Alto Networks, Inc. | Exploit detection based on heap spray detection |
2017
- 2017-03-30 CN CN201710202771.2A patent/CN106991328B/en active Active
Non-Patent Citations (1)
Title |
---|
Yang Ming et al.: "Research and detection implementation of highly obfuscated web page Trojans" (高混淆网页木马的研究与检测实现), Computer Engineering and Design (《计算机工程与设计》) * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107291480A (en) * | 2017-08-15 | 2017-10-24 | 中国农业银行股份有限公司 | Function calling method and device |
CN107291480B (en) * | 2017-08-15 | 2020-12-15 | 中国农业银行股份有限公司 | Function calling method and device |
CN108133149A (en) * | 2018-01-11 | 2018-06-08 | 武汉斗鱼网络科技有限公司 | Data protection method, device and electronic equipment |
CN108959938A (en) * | 2018-07-05 | 2018-12-07 | 腾讯科技(深圳)有限公司 | Method, apparatus, storage medium and device for detecting vulnerability exploitation |
CN112307482A (en) * | 2019-07-29 | 2021-02-02 | 北京奇虎科技有限公司 | Kernel intrusion detection method and device based on a cyber range, and computing device |
US11169869B1 (en) | 2020-07-08 | 2021-11-09 | International Business Machines Corporation | System kernel error identification and reporting |
CN112134875A (en) * | 2020-09-18 | 2020-12-25 | 国网山东省电力公司青岛供电公司 | IoT network abnormal flow detection method and system |
CN112134875B (en) * | 2020-09-18 | 2022-04-05 | 国网山东省电力公司青岛供电公司 | IoT network abnormal flow detection method and system |
WO2024112272A1 (en) | 2022-11-24 | 2024-05-30 | Telefonaktiebolaget Lm Ericsson (Publ) | Using memory page offsets to detect cybersecurity attacks |
Also Published As
Publication number | Publication date |
---|---|
CN106991328B (en) | 2019-11-29 |
Similar Documents
Publication | Title |
---|---|
CN106991328B (en) | A kind of vulnerability exploit detection recognition method based on dynamic memory fingerprint anomaly analysis |
CN106991324B (en) | Malicious code tracking and identifying method based on memory protection type monitoring |
EP3326100B1 (en) | Systems and methods for tracking malicious behavior across multiple software entities |
CN104520867B (en) | Method, system and computer-readable medium for active monitoring, memory protection and integrity verification of a target device |
CN104217157B (en) | Vulnerability anti-exploitation method and system |
EP3654218B1 (en) | Method for detecting malicious code and deferring countermeasures |
CN104756129B (en) | Security mechanism for switching between different operating domains of a data processor |
CN109726560A (en) | Terminal device system protection method and device |
US20100064367A1 (en) | Intrusion detection for computer programs |
US8645923B1 (en) | Enforcing expected control flow in program execution |
Parameswaran et al. | Embedded systems security—an overview |
CN103620613A (en) | System and method for virtual machine monitor based anti-malware security |
CN104881610B (en) | Defense method against virtual table hijacking attacks |
CN113412483B (en) | Computing device with increased resistance to address detection |
US20070266435A1 (en) | System and method for intrusion detection in a computer system |
CN107346390A (en) | Malicious sample detection method and device |
Xu et al. | BofAEG: Automated stack buffer overflow vulnerability detection and exploit generation based on symbolic execution and dynamic analysis |
McGraw | Building secure software: better than protecting bad software |
Liu et al. | Binary exploitation in industrial control systems: Past, present and future |
US9881155B2 (en) | System and method for automatic use-after-free exploit detection |
Barbu et al. | Application-replay attack on Java Cards: when the garbage collector gets confused |
CN109271787A (en) | Operating system security active defense method and operating system |
Moon et al. | Architectural supports to protect OS kernels from code-injection attacks and their applications |
US20160197955A1 (en) | System and Method for Automatic Detection of Attempted Virtual Function Table or Virtual Function Table Pointer Overwrite Attack |
Kong et al. | PtmxGuard: An improved method for android kernel to prevent privilege escalation attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||