CN109582437A - Malicious process detection method and system based on memory type awareness - Google Patents
- Publication number: CN109582437A
- Application number: CN201811267347.7A
- Authority: CN (China)
- Legal status: Pending
Abstract
The present invention relates to a malicious process detection method and system based on memory type awareness. The method comprises the following steps: 1) using virtual machine introspection, identify the types of a virtual machine's memory pages at the virtual machine monitor layer; 2) based on the identified memory page types, establish the association between memory pages and user processes to obtain a process list view; 3) compare the process list view obtained by an application inside the guest with the process list view obtained in step 2) to identify hidden malicious processes. The invention classifies memory by memory type identification and performs reverse mapping only on the key memory, which reduces the virtual machine kernel data structures that must be scanned during detection and therefore the performance overhead imposed on the system. By reverse-mapping the classified memory to establish the association between memory and user processes, it can detect processes hidden in user space and in kernel space, giving more comprehensive malicious program detection.
Description
Technical field
The invention belongs to the field of virtual machine security and relates to virtual machine introspection, specifically to a malicious process detection method and system based on memory type awareness.
Background
Virtualization is increasingly the core supporting technology for building cloud computing platforms and virtual networks. As cloud computing platforms see wide practical use in e-commerce, finance, government services and other fields, virtual machines have become a primary target of network attacks. Attack detection technology identifies an attack after the system has been attacked, and defensive technology then ensures the security of the system. Because virtualization provides encapsulation and isolation, the behaviour inside a system can be inspected from outside it, which gives a solution that is transparent to the upper-layer system; this has attracted wide attention in information security in recent years.
Specifically, the virtual machine monitor layer sits beneath the virtual machine's operating system. By inspecting the internal state of the virtual machine at the monitor layer (CPU, memory, disk files, network traffic), changes in that state can be identified; analysing those changes together with the characteristics of malicious programs makes it possible to detect attacks, intrusions and similar behaviour.
Malicious processes often hide themselves to evade detection, and there is currently no effective method for identifying hidden malicious processes.
Summary of the invention
To address the problem that malicious processes often hide themselves to evade detection, the main object of the present invention is to propose a malicious process detection method and system based on memory type awareness.
The technical solution adopted by the invention is as follows:
A malicious process detection method based on memory type awareness, comprising the following steps:
1) identify the types of the virtual machine's memory pages at the virtual machine monitor layer;
2) based on the identified memory page types, establish the association between memory pages and user processes to obtain a process list view;
3) compare the process list view obtained by an application in the guest with the process list view obtained in step 2), and thereby identify hidden malicious processes.
Further, step 1) uses virtual machine introspection to identify the types of the virtual machine's memory pages.
Further, step 1) includes:
1.1) obtain the kernel object page that describes physical page information in the kernel;
1.2) determine the page type by analysing the variables of the kernel object page.
Further, step 1.1) obtains the physical address of the page object in memory from the mem_map array and the page frame number, then reads the content of the page object from that address using the kvm_read_guest function.
Further, step 1.2) includes:
1.2.1) if the current user count of the page is less than or equal to 0, the page is currently a free page; otherwise execute 1.2.2);
1.2.2) if the mapping address (mapping) is null, the page is a kernel page; otherwise execute 1.2.3);
1.2.3) if the mapping count page_mapcount is less than or equal to 0, the page is a cache page; otherwise execute 1.2.4);
1.2.4) if the page has the anonymous flag set, it is an anonymous page; otherwise it is an Inode page.
Further, step 2) includes:
2.1) traverse all page kernel objects in mem_map and, for each object, execute 2.2);
2.2) through the page object, access the mapping variable to obtain the vm_area_struct object, which points to the memory region in which the page object resides; from the vm_area_struct object, access the vm_mm variable to obtain the mm_struct object; from the mm_struct object, access the owner variable to obtain the task_struct object; then execute step 2.3);
2.3) through the task_struct object, access the pid object to obtain the process ID and the comm object to obtain the process name;
2.4) repeat steps 2.2) to 2.3) until all page objects have been traversed;
2.5) record all process IDs and process names in the process list view.
Further, step 3) treats the difference between the two process list views as hidden malicious processes.
Further, step 3) includes:
3.1) run a program in the guest that queries all processes and store the result in a process list view file, labelled View_local;
3.2) label the process list view obtained in step 2) as View_vmm;
3.3) traverse the processes recorded in the two process list views and compare process ID and process name; add any process that is present in View_vmm but not in View_local to the malicious process list;
3.4) report the detected malicious programs to the virtual machine administrator.
A malicious process detection system based on memory type awareness, comprising:
a memory type identification module, responsible for identifying the types of the virtual machine's memory pages at the virtual machine monitor layer;
a process tracking module, responsible for establishing the association between memory pages and user processes based on the identified memory page types, to obtain a process list view;
a view comparison module, responsible for comparing the process list view obtained by an application in the guest with the process list view obtained by the process tracking module, and thereby identifying hidden malicious processes.
Further, the memory type identification module includes:
a memory introspection module, responsible for reading the virtual machine's memory page data and obtaining page objects;
a memory classification module, responsible for classifying the obtained page objects and determining the page type.
The invention can identify malicious processes hidden in a virtualized execution environment. Its beneficial effects are as follows:
1) Memory is classified by memory type identification and reverse mapping is performed only on the key memory, which reduces the virtual machine kernel data structures that must be scanned during detection and therefore the performance overhead imposed on the system.
2) By reverse-mapping the classified memory to establish the association between memory and user processes, processes hidden in user space and in kernel space can be detected, giving more comprehensive malicious program detection.
Brief description of the drawings
Fig. 1 is a schematic diagram of the principle of the malicious process detection method of the invention.
Fig. 2 is a schematic diagram of the memory type identification method based on introspection.
Fig. 3 is an architecture diagram of the hidden process detection system.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic diagram of the malicious process detection method of the invention. The method uses introspection to analyse memory types and establishes the association between memory and user processes, so as to build a process list view of all active and inactive processes in the system. The identified process list view is then compared with the system-level process list view (for example, the process list view obtained on Linux with the ps command) to identify hidden malicious processes. In Fig. 1, python, sshd, mysqld and httpd denote four processes.
1. Memory type identification
In the Linux operating system, memory pages fall into five types: free pages, cache pages, Inode pages, anonymous pages and kernel pages. The invention uses virtual machine introspection to identify the virtual machine's memory page types at the virtual machine monitor layer. To identify a page's type, the kernel object page that describes physical page information in the kernel must be obtained. The Linux kernel manages the page objects of all pages in the mem_map array, which is located at address 0xffffea0000000000 in the physical memory area, and uses the page frame number as the array index to locate the corresponding page object. From mem_map and the page frame number, the physical address of the page object in memory can be obtained, and the kvm_read_guest function is then used to read the content of the page object from that address. Once the kernel variable page corresponding to a page has been obtained, the page type can be determined by analysing its variables, as shown in Fig. 2. The identification procedure is as follows:
1) If the current user count of the page (page_count) is less than or equal to 0, the page is currently a free page. Otherwise execute 2).
2) If the mapping address (mapping) is null, the page is a kernel page. Otherwise execute 3).
3) If the mapping count (Mapcount) is less than or equal to 0, the page is a cache page. Otherwise execute 4).
4) If the page has the anonymous flag (i.e. MAPPING_ANON) set, it is an anonymous page. Otherwise it is an Inode page.
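The identification procedure above, written out as an added C example (not code from the patent). Only the field names, the mem_map address and the order of the checks come from the text; the snapshot struct, the sample descriptors and the desc_size parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_MAP_BASE 0xffffea0000000000ULL /* mem_map address given in the text */
#define MAPPING_ANON 0x1ULL /* anonymous flag: low bit of the mapping field */

enum page_type { PT_FREE, PT_KERNEL, PT_CACHE, PT_ANON, PT_INODE, PT_NTYPES };

/* Simplified snapshot of the three fields the decision tree reads. A monitor
 * would fill it from the bytes returned by its guest-memory read. */
struct page_snapshot {
    int32_t  count;    /* page_count: current users */
    int32_t  mapcount; /* page_mapcount: page-table mappings */
    uint64_t mapping;  /* mapping pointer, flag bits included */
};

/* Address of the descriptor for page frame number pfn. desc_size stands for
 * the guest kernel's sizeof(struct page), which depends on the kernel build
 * and is therefore a caller-supplied assumption. */
uint64_t page_desc_addr(uint64_t pfn, uint64_t desc_size)
{
    return MEM_MAP_BASE + pfn * desc_size;
}

/* Steps 1) to 4) of the identification procedure, in the order given. */
enum page_type classify_page(const struct page_snapshot *p)
{
    if (p->count <= 0)
        return PT_FREE;
    if (p->mapping == 0)
        return PT_KERNEL;
    if (p->mapcount <= 0)
        return PT_CACHE;
    if (p->mapping & MAPPING_ANON)
        return PT_ANON;
    return PT_INODE;
}

/* Tally page types; only PT_ANON pages go on to the process-mapping stage. */
void tally_types(const struct page_snapshot *pages, size_t n,
                 size_t counts[PT_NTYPES])
{
    for (int t = 0; t < PT_NTYPES; t++)
        counts[t] = 0;
    for (size_t i = 0; i < n; i++)
        counts[classify_page(&pages[i])]++;
}

/* Constructed sample descriptors (not taken from a real guest). */
static const struct page_snapshot SAMPLE[] = {
    { 0, 0, 0 },                     /* unused                     -> free   */
    { 1, 0, 0 },                     /* in use, no mapping         -> kernel */
    { 1, 0, 0xffff888012340000ULL }, /* mapping set, not mapped    -> cache  */
    { 2, 1, 0xffff888012345001ULL }, /* mapped, anon bit set       -> anon   */
    { 3, 2, 0xffff888012346000ULL }, /* mapped, anon bit clear     -> inode  */
    { 0, 1, 0xffff888012347001ULL }, /* count 0 is checked first   -> free   */
    { 1, 0, 0xffff888012348001ULL }, /* anon bit set but unmapped  -> cache  */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    static const char *names[PT_NTYPES] =
        { "free", "kernel", "cache", "anon", "inode" };
    size_t counts[PT_NTYPES];
    tally_types(SAMPLE, SAMPLE_LEN, counts);
    for (int t = 0; t < PT_NTYPES; t++)
        printf("%-6s %zu\n", names[t], counts[t]);
    return 0;
}
```

The last two sample rows show that the order of the checks matters: a descriptor with the anonymous bit set is still classified as free or cache when an earlier test matches.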
2. Mapping memory pages to processes
Given how the operating system uses memory, and based on the identified memory types, the anonymous pages (the pages in the system that relate to user processes) can be used to identify all user processes, which are recorded in a process list view (labelled View_vmm). The mapping algorithm is shown in Table 1 and proceeds as follows:
1) Line 1: traverse all page kernel objects in mem_map and, for each object, execute 2);
2) Lines 2-4: through the page object, access the mapping variable to obtain the vm_area_struct object, which points to the memory region in which the page object resides; from the vm_area_struct object, access the vm_mm variable to obtain the mm_struct object; from the mm_struct object, access the owner variable to obtain the task_struct object; then execute step 3);
3) Lines 5-8: through the task_struct object, access the pid object to obtain the process ID and the comm object to obtain the process name;
4) Repeat steps 2) to 3) until all page objects have been traversed;
5) Record all process IDs and process names in the list.
Table 1. Memory page to process mapping algorithm
3. Hidden process detection based on view comparison
The hidden process detection method disclosed by the invention compares the process list view obtained by an application in the guest, such as ps, with the process list view derived above from the memory page mapping, and treats the difference between the two views as hidden processes. The algorithm is shown in Table 2 and is described in detail below:
1) Line 1: run a program in the guest that queries all processes, such as the command "ps aux" on the Linux operating system, and store the result in a process list view file, labelled View_local;
2) Line 2: using the memory page to process mapping method above, obtain the process list view seen at the virtual machine monitor layer, labelled View_vmm;
3) Lines 3-6: traverse the processes recorded in the two views and compare process ID (pid) and process name (comm); add any process that is present in View_vmm but not in View_local to the malicious process list view;
4) Lines 7-8: report the detected malicious programs to the virtual machine administrator.
Table 2. Hidden process detection algorithm
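The mapping of section 2 and the view comparison of section 3, combined in one added C example (not code from the patent). The structs are simplified stand-ins that follow the pointer chain as the text describes it; the pids, the page list and the helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16        /* TASK_COMM_LEN in Linux */
#define MAX_PROCS 64
#define MAPPING_ANON 0x1u  /* anonymous flag: low bit of the mapping field */

/* Simplified stand-ins for the guest kernel objects named in the text. In a
 * monitor, every pointer hop below is a separate read of guest memory. */
struct task_struct    { int pid; char comm[COMM_LEN]; };
struct mm_struct      { const struct task_struct *owner; };
struct vm_area_struct { const struct mm_struct *vm_mm; };
struct page           { uintptr_t mapping; };
struct proc_entry     { int pid; char comm[COMM_LEN]; };
struct view           { struct proc_entry e[MAX_PROCS]; size_t n; };

static int view_contains(const struct view *v, int pid, const char *comm)
{
    for (size_t i = 0; i < v->n; i++)
        if (v->e[i].pid == pid && strncmp(v->e[i].comm, comm, COMM_LEN) == 0)
            return 1;
    return 0;
}

/* Record (pid, comm) once. Returns 0 only when the view is full. */
static int view_add(struct view *v, int pid, const char *comm)
{
    if (view_contains(v, pid, comm)) return 1;
    if (v->n == MAX_PROCS) return 0;
    v->e[v->n].pid = pid;
    snprintf(v->e[v->n].comm, COMM_LEN, "%.*s", COMM_LEN - 1, comm);
    v->n++;
    return 1;
}

/* Section 2: walk every page descriptor, keep anonymous pages, follow
 * mapping -> vm_area_struct -> vm_mm -> owner, and record pid and comm. */
size_t build_view_vmm(const struct page *pages, size_t n, struct view *out)
{
    out->n = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(pages[i].mapping & MAPPING_ANON)) continue; /* not a user page */
        const struct vm_area_struct *vma = (const struct vm_area_struct *)
            (pages[i].mapping & ~(uintptr_t)MAPPING_ANON);
        if (!vma || !vma->vm_mm || !vma->vm_mm->owner)
            continue;                      /* broken chain: skip the page */
        view_add(out, vma->vm_mm->owner->pid, vma->vm_mm->owner->comm);
    }
    return out->n;
}

/* Section 3: entries present in View_vmm but absent from View_local. */
size_t find_hidden(const struct view *vmm, const struct view *local,
                   struct view *hidden)
{
    hidden->n = 0;
    for (size_t i = 0; i < vmm->n; i++)
        if (!view_contains(local, vmm->e[i].pid, vmm->e[i].comm))
            view_add(hidden, vmm->e[i].pid, vmm->e[i].comm);
    return hidden->n;
}

/* Constructed snapshot: four processes own anonymous pages, but the in-guest
 * listing (View_local) lacks pid 4242. Returns the number of hidden entries. */
size_t demo_hidden(struct view *hidden)
{
    struct task_struct t[4] = { {812, "sshd"}, {1001, "mysqld"},
                                {1377, "httpd"}, {4242, "python"} };
    struct mm_struct mm[4];
    struct vm_area_struct vma[4];
    for (int i = 0; i < 4; i++) { mm[i].owner = &t[i]; vma[i].vm_mm = &mm[i]; }
    struct page pages[] = {
        { (uintptr_t)&vma[0] | MAPPING_ANON }, { (uintptr_t)&vma[3] | MAPPING_ANON },
        { (uintptr_t)&vma[1] | MAPPING_ANON }, { (uintptr_t)&vma[3] | MAPPING_ANON },
        { (uintptr_t)&vma[2] | MAPPING_ANON },
        { (uintptr_t)&vma[2] },  /* anonymous flag clear: not followed */
        { 0 },                   /* no mapping (kernel page): not followed */
        { MAPPING_ANON },        /* flag set but null pointer: skipped */
    };
    struct view vmm, local = { .n = 0 };
    build_view_vmm(pages, sizeof pages / sizeof pages[0], &vmm);
    for (int i = 0; i < 3; i++)  /* what "ps" inside the guest reports */
        view_add(&local, t[i].pid, t[i].comm);
    return find_hidden(&vmm, &local, hidden);
}

int main(void)
{
    struct view hidden;
    size_t n = demo_hidden(&hidden);
    for (size_t i = 0; i < n; i++)
        printf("hidden: pid=%d comm=%s\n", hidden.e[i].pid, hidden.e[i].comm);
    return 0;
}
```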
4. Hidden process detection system architecture
The architecture of the hidden process detection system disclosed in this embodiment is shown in Fig. 3. It analyses the virtual machine's memory pages through virtual machine introspection, obtains the process list view at the virtual machine monitor layer, and finds hidden processes by comparing views. The memory introspection module and the memory classification module may together be called the memory type identification module. The flow is as follows:
1) Use the memory introspection module to read the virtual machine's memory page data and obtain page objects;
2) Use the memory classification module to classify the obtained page objects and identify the anonymous pages related to user processes;
3) For all anonymous pages, use the process tracking module to identify the process ID and process name, and record them in the monitor process list view;
4) Run a process listing command inside the virtual machine, such as the ps command in a Linux guest, and record the result in the guest process list view;
5) Use the view comparison module to compare the guest process list view with the monitor process list view, obtain the hidden processes, and complete the detection.
The above embodiments merely illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may modify the technical solution or replace it with equivalents without departing from the spirit and scope of the invention; the scope of protection of the invention is defined by the claims.
Claims (10)
1. A malicious process detection method based on memory type awareness, characterized by comprising the following steps:
1) identify the types of the virtual machine's memory pages at the virtual machine monitor layer;
2) based on the identified memory page types, establish the association between memory pages and user processes to obtain a process list view;
3) compare the process list view obtained by an application in the guest with the process list view obtained in step 2), and thereby identify hidden malicious processes.
2. The method according to claim 1, characterized in that step 1) uses virtual machine introspection to identify the types of the virtual machine's memory pages.
3. The method according to claim 2, characterized in that step 1) includes:
1.1) obtain the kernel object page that describes physical page information in the kernel;
1.2) determine the page type by analysing the variables of the kernel object page.
4. The method according to claim 3, characterized in that step 1.1) obtains the physical address of the page object in memory from the mem_map array and the page frame number, then reads the content of the page object from that address using the kvm_read_guest function.
5. The method according to claim 3, characterized in that step 1.2) includes:
1.2.1) if the current user count of the page is less than or equal to 0, the page is currently a free page; otherwise execute 1.2.2);
1.2.2) if the mapping address (mapping) is null, the page is a kernel page; otherwise execute 1.2.3);
1.2.3) if the mapping count page_mapcount is less than or equal to 0, the page is a cache page; otherwise execute 1.2.4);
1.2.4) if the page has the anonymous flag set, it is an anonymous page; otherwise it is an Inode page.
6. The method according to claim 1, characterized in that step 2) includes:
2.1) traverse all page kernel objects in mem_map and, for each object, execute 2.2);
2.2) through the page object, access the mapping variable to obtain the vm_area_struct object, which points to the memory region in which the page object resides; from the vm_area_struct object, access the vm_mm variable to obtain the mm_struct object; from the mm_struct object, access the owner variable to obtain the task_struct object; then execute step 2.3);
2.3) through the task_struct object, access the pid object to obtain the process ID and the comm object to obtain the process name;
2.4) repeat steps 2.2) to 2.3) until all page objects have been traversed;
2.5) record all process IDs and process names in the process list view.
7. The method according to claim 1, characterized in that step 3) treats the difference between the two process list views as hidden malicious processes.
8. The method according to claim 7, characterized in that step 3) includes:
3.1) run a program in the guest that queries all processes and store the result in a process list view file, labelled View_local;
3.2) label the process list view obtained in step 2) as View_vmm;
3.3) traverse the processes recorded in the two process list views and compare process ID and process name; add any process that is present in View_vmm but not in View_local to the malicious process list;
3.4) report the detected malicious programs to the virtual machine administrator.
9. A malicious process detection system based on memory type awareness, characterized by comprising:
a memory type identification module, responsible for identifying the types of the virtual machine's memory pages at the virtual machine monitor layer;
a process tracking module, responsible for establishing the association between memory pages and user processes based on the identified memory page types, to obtain a process list view;
a view comparison module, responsible for comparing the process list view obtained by an application in the guest with the process list view obtained by the process tracking module, and thereby identifying hidden malicious processes.
10. The system according to claim 9, characterized in that the memory type identification module includes:
a memory introspection module, responsible for reading the virtual machine's memory page data and obtaining page objects;
a memory classification module, responsible for classifying the obtained page objects and determining the page type.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811267347.7A (CN109582437A) | 2018-10-29 | 2018-10-29 | Malicious process detection method and system based on memory type awareness |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109582437A | 2019-04-05 |
Family ID: 65920768
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190405 |
WD01 | Invention patent application deemed withdrawn after publication |