CN109582437A - Memory-type-aware malicious process detection method and system - Google Patents

Memory-type-aware malicious process detection method and system

Info

Publication number
CN109582437A
CN109582437A
Authority
CN
China
Prior art keywords
page
memory
type
virtual machine
view
Prior art date
2018-10-29
Legal status
Pending
Application number
CN201811267347.7A
Other languages
Chinese (zh)
Inventor
崔磊
郝志宇
李大辉
陈宇
宋铮
Current Assignee
Institute of Information Engineering of CAS
Third Research Institute of the Ministry of Public Security
Original Assignee
Institute of Information Engineering of CAS
Third Research Institute of the Ministry of Public Security
Priority date
2018-10-29
Filing date
2018-10-29
Publication date
2019-04-05
Application filed by Institute of Information Engineering of CAS and Third Research Institute of the Ministry of Public Security
Priority to CN201811267347.7A
Publication of CN109582437A
Legal status: Pending
Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines, and G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, and G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a memory-type-aware malicious process detection method and system. The method comprises the following steps: 1) using virtual machine introspection (VMI), identify the type of each memory page of the virtual machine at the virtual machine monitor (VMM) layer; 2) based on the identified page types, establish the association between memory pages and user processes and obtain a process list view; 3) compare the process list view obtained by an application inside the guest with the process list view obtained in step 2), and thereby identify hidden malicious processes. By classifying memory through type identification and reverse-mapping only the relevant pages, the invention reduces the number of guest kernel data structures that must be scanned during detection, and so reduces the performance loss imposed on the system; by reverse-mapping the classified memory to establish the association between memory and user processes, it can detect processes hidden in user space and in kernel space, achieving more comprehensive malware detection.

Description

Memory-type-aware malicious process detection method and system
Technical field
The invention belongs to the field of virtual machine security and relates to virtual machine introspection (VMI); in particular it concerns a memory-type-aware malicious process detection method and system.
Background technique
Virtualization is increasingly the core supporting technology of cloud computing platforms and of virtual network construction. As cloud platforms see wide practical deployment in fields such as e-commerce, finance and government affairs, virtual machines have become a primary target of network attacks. Attack detection identifies an attack after a system has been compromised, and protection techniques then preserve the system's security. Because virtualization provides encapsulation and isolation, behaviour inside a system can be detected from outside it, which yields a solution that is transparent to the guest; this approach has received wide attention in the information security field in recent years.
Specifically, the virtual machine monitor (VMM) layer sits beneath the guest operating system. By inspecting the guest's internal state at the VMM layer (CPU registers, memory, disk files, network traffic), changes in that state can be identified; by analysing the state changes together with malware signatures, behaviours such as attacks and intrusions can be detected.
Malicious processes often hide themselves to evade detection, and there is currently no effective method for identifying such hidden malicious processes.
Summary of the invention
To address the problem that malicious processes hide themselves to evade detection, the main object of the present invention is to propose a memory-type-aware malicious process detection method and system.
The technical solution adopted by the invention is as follows:
A memory-type-aware malicious process detection method, comprising the following steps:
1) identifying the type of each memory page of the virtual machine at the virtual machine monitor layer;
2) based on the identified memory page types, establishing the association between memory pages and user processes and obtaining a process list view;
3) comparing the process list view obtained by an application inside the guest with the process list view obtained in step 2), and thereby identifying hidden malicious processes.
Further, step 1) uses virtual machine introspection to identify the guest's memory page types.
Further, step 1) comprises:
1.1) obtaining the kernel object (page) that describes the physical page in the kernel;
1.2) determining the page type by analysing the fields of that kernel object.
Further, step 1.1) obtains the address of the page object in memory from the mem_map array and the page frame number, and then reads the content of the page object from that address with the kvm_read_guest function.
Further, step 1.2) comprises:
1.2.1) if the page's active user count is less than or equal to 0, the page is currently a free page; otherwise go to 1.2.2);
1.2.2) if the mapping address (mapping) is empty, the page is a kernel page; otherwise go to 1.2.3);
1.2.3) if the mapping count (page_mapcount) is less than or equal to 0, the page is a cache page; otherwise go to 1.2.4);
1.2.4) if the page has the anonymous flag set, it is an anonymous page; otherwise it is an inode page.
Further, step 2) comprises:
2.1) traversing all page kernel objects in mem_map and, for each object, executing 2.2);
2.2) accessing the mapping field of the page object to obtain the vm_area_struct object, which points to the memory region the page belongs to; accessing the vm_mm field of the vm_area_struct object to obtain the mm_struct object; accessing the owner field of the mm_struct object to obtain the task_struct object; then executing step 2.3);
2.3) from the task_struct object, accessing the pid field to obtain the process number and the comm field to obtain the process name;
2.4) repeating steps 2.2) to 2.3) until all page objects have been traversed;
2.5) recording all process numbers and process names in the process list view.
Further, step 3) treats the difference between the two process list views as hidden malicious processes.
Further, step 3) comprises:
3.1) executing a program that queries all processes inside the guest, storing the result in a process list view file, labelled View_local;
3.2) labelling the process list view obtained in step 2) View_vmm;
3.3) traversing the processes recorded in the two process list views and comparing process number and process name; adding every process present in View_vmm but absent from View_local to the malicious process list;
3.4) reporting the detected malicious programs to the virtual machine administrator.
A memory-type-aware malicious process detection system, comprising:
a memory type identification module, responsible for identifying the type of each memory page of the virtual machine at the virtual machine monitor layer;
a process tracing module, responsible for establishing the association between memory pages and user processes based on the identified memory page types, and obtaining a process list view;
a view comparison module, responsible for comparing the process list view obtained by an application inside the guest with the process list view obtained by the process tracing module, and thereby identifying hidden malicious processes.
Further, the memory type identification module comprises:
a memory introspection module, responsible for reading the guest's memory page data and obtaining the page objects;
a memory classification module, responsible for classifying the obtained page objects and determining page types.
The present invention can identify malicious processes hidden in a virtualized execution environment, and its beneficial effects are as follows:
1) Memory is classified through type identification and only the relevant memory is reverse-mapped, which reduces the number of guest kernel data structures that must be scanned during detection and thus the performance loss imposed on the system.
2) Reverse-mapping the classified memory establishes the association between memory and user processes, so that processes hidden in user space and in kernel space can be detected, achieving more comprehensive malware detection.
Detailed description of the invention
Fig. 1 is a schematic illustration of the malicious process detection method of the invention.
Fig. 2 is a schematic diagram of the introspection-based memory type identification method.
Fig. 3 is an architecture diagram of the hidden process detection system.
Specific embodiment
To make the object, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic diagram of the malicious process detection method of the invention. The method analyses memory types with introspection and establishes the association between memory and user processes, so as to construct a list view of all active and inactive processes in the system. By comparing the identified process list view with the system-level process list view (for example the one obtained with the ps command on Linux), hidden malicious processes are identified. In Fig. 1, python, sshd, mysqld and httpd denote four processes.
1. Memory type identification
In the Linux operating system, memory pages fall into five types: free pages, cache pages, inode pages, anonymous pages and kernel pages. The invention uses virtual machine introspection to identify the guest's memory page types at the virtual machine monitor layer. To identify a page's type, the kernel object that describes the physical page (struct page) must be obtained. The Linux kernel manages all pages through the mem_map array, which on x86_64 is located at virtual address 0xffffea0000000000 (the vmemmap region; when kernel address-space randomisation is enabled this base is randomised and must be taken from the guest's symbols), and uses the page frame number as the array index to locate the corresponding page. From mem_map and the page frame number, the address of the page object in memory is obtained, and the content of the page object is then read from that address with the kvm_read_guest function (which takes a guest physical address, so the vmemmap virtual address must first be translated). Once the kernel variable page corresponding to a physical page has been obtained, the page type can be determined by analysing its fields, as shown in Fig. 2. The identification procedure is as follows:
1) If the page's active user count (page_count) is less than or equal to 0, the page is currently a free page. Otherwise go to 2).
2) If the mapping address (mapping) is empty, the page is a kernel page. Otherwise go to 3).
3) If the mapping count (mapcount) is less than or equal to 0, the page is a cache page. Otherwise go to 4).
4) If the page has the anonymous flag set (PAGE_MAPPING_ANON), it is an anonymous page. Otherwise it is an inode page.
2. Mapping memory pages to processes
Based on how the operating system uses memory and on the identified memory types, anonymous pages (the pages in the system that belong to user processes) can be used to identify all user processes, which are recorded in a process list view labelled View_vmm. The mapping algorithm is shown in Table 1 and proceeds as follows:
1) Line 1 traverses all page kernel objects in mem_map and, for each object, executes 2);
2) Lines 2-4 access the mapping field of the page object to obtain the vm_area_struct object, which points to the memory region the page belongs to; access the vm_mm field of the vm_area_struct object to obtain the mm_struct object; access the owner field of the mm_struct object to obtain the task_struct object; then execute step 3);
3) Lines 5-8 access the pid field of the task_struct object to obtain the process number and the comm field to obtain the process name;
4) Steps 2) to 3) are repeated until all page objects have been traversed;
5) All process numbers and process names are recorded in the list.
Table 1. Memory page to process mapping algorithm
3. Hidden process detection based on view comparison
The view-comparison hidden process detection method disclosed by the invention compares the process list view obtained by an application inside the guest (for example ps) with the process list view mapped from memory pages as described above, and treats the difference between the two views as hidden processes. The algorithm is shown in Table 2 and is described in detail below:
1) Line 1 executes, inside the guest, a program that queries all processes, for example the command "ps aux" on Linux, and stores the result in a process list view file labelled View_local;
2) Line 2 obtains the process list view produced at the virtual machine monitor layer by the memory page to process mapping method above, labelled View_vmm;
3) Lines 3-6 traverse the processes recorded in the two views and compare process number (pid) and process name (comm); every process present in View_vmm but absent from View_local is added to the malicious process list view;
4) Lines 7-8 report the detected malicious programs to the virtual machine administrator.
Table 2. Hidden process detection algorithm
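As an added worked example (example code, not the patent's), the view comparison of section 3 over constructed inputs: a ps snapshot as it would be captured inside the guest and a View_vmm as the memory walk would produce it. The example assumes the guest runs `ps -eo pid,comm` rather than `ps aux`, because the comm column is exactly task_struct->comm (the kernel truncates it to 15 characters) whereas the COMMAND column of `ps aux` shows the full command line and would not compare equal to the name recovered at the VMM layer; the parser, the sample output and the process names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TASK_COMM_LEN 16
#define MAX_PROCS 128

struct proc_entry { int pid; char comm[TASK_COMM_LEN]; };

/* Parse the text of `ps -eo pid,comm` (a header line, then "<pid> <comm>"
 * per process) into View_local. Returns the entry count or -1 on overflow. */
int parse_ps_view(const char *text, struct proc_entry *out, int max)
{
    int n = 0;
    for (const char *line = text; *line != '\0'; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *endp;
        long pid = strtol(buf, &endp, 10);     /* strtol skips the alignment spaces */
        if (endp != buf && pid > 0) {          /* the header line yields no number */
            while (*endp == ' ')
                endp++;
            if (n >= max)
                return -1;
            out[n].pid = (int)pid;
            snprintf(out[n].comm, TASK_COMM_LEN, "%s", endp);
            n++;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return n;
}

static int view_has(const struct proc_entry *v, int n, int pid, const char *comm)
{
    for (int i = 0; i < n; i++)
        if (v[i].pid == pid && strcmp(v[i].comm, comm) == 0)
            return 1;
    return 0;
}

/* Section 3: every (pid, comm) the VMM sees but the guest's ps does not. */
int find_hidden(const struct proc_entry *vmm, int nvmm,
                const struct proc_entry *local, int nlocal,
                struct proc_entry *hidden, int max)
{
    int n = 0;
    for (int i = 0; i < nvmm; i++) {
        if (view_has(local, nlocal, vmm[i].pid, vmm[i].comm))
            continue;
        if (n >= max)
            return -1;
        hidden[n++] = vmm[i];
    }
    return n;
}

/* Constructed inputs: the ps snapshot from inside the guest and the view the
 * VMM built from anonymous pages. pid 1337 exists only in the VMM view. */
static const char sample_ps_output[] =
    "  PID COMMAND\n"
    "    1 systemd\n"
    "  812 sshd\n"
    " 2044 mysqld\n"
    " 2301 httpd\n"
    " 2410 python\n";

static const struct proc_entry sample_view_vmm[] = {
    { 1, "systemd" }, { 812, "sshd" }, { 2044, "mysqld" },
    { 2301, "httpd" }, { 2410, "python" }, { 1337, "kworker/u2:9" },
};
#define NVMM ((int)(sizeof sample_view_vmm / sizeof sample_view_vmm[0]))

static int run_sample(struct proc_entry *hidden)
{
    struct proc_entry local[MAX_PROCS];
    int nl = parse_ps_view(sample_ps_output, local, MAX_PROCS);
    if (nl < 0)
        return -1;
    return find_hidden(sample_view_vmm, NVMM, local, nl, hidden, MAX_PROCS);
}

int sample_local_count(void)
{
    struct proc_entry local[MAX_PROCS];
    return parse_ps_view(sample_ps_output, local, MAX_PROCS);
}

int sample_hidden_count(void)
{
    struct proc_entry hidden[MAX_PROCS];
    return run_sample(hidden);
}

int sample_hidden_pid(int idx)
{
    struct proc_entry hidden[MAX_PROCS];
    int n = run_sample(hidden);
    return (idx >= 0 && idx < n) ? hidden[idx].pid : -1;
}

int main(void)
{
    struct proc_entry hidden[MAX_PROCS];
    int n = run_sample(hidden);
    for (int i = 0; i < n; i++)
        printf("hidden: pid %d comm %s\n", hidden[i].pid, hidden[i].comm);
    return 0;
}
```

The two views are taken at different moments, so a process that exits or starts between the in-guest ps run and the VMM walk shows up in only one of them; pausing the guest while View_vmm is built, or repeating the comparison and reporting only persistent differences, keeps such transient entries from being reported as hidden processes.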
4. Hidden process detection system architecture
The hidden process detection system architecture disclosed in this embodiment is shown in Fig. 3. It analyses the guest's memory pages with virtual machine introspection, obtains a process list view at the virtual machine monitor layer, and finds hidden processes by comparing views. The memory introspection module and the memory classification module together form the memory type identification module. The procedure is as follows:
1) The memory introspection module reads the guest's memory page data and obtains the page objects;
2) The memory classification module classifies the obtained page objects and identifies the anonymous pages, which are the ones related to user processes;
3) For all anonymous pages, the process tracing module identifies process number and process name and records them in the monitor process list view;
4) A process listing command is executed inside the virtual machine, for example ps on a Linux guest, and its result is recorded in the guest process list view;
5) The view comparison module compares the guest process list view with the monitor process list view to obtain the hidden processes, completing the detection.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Those of ordinary skill in the art may modify the technical solution of the invention or replace parts of it with equivalents without departing from its spirit and scope; the protection scope of the invention is defined by the claims.

Claims (10)

1. A memory-type-aware malicious process detection method, characterized by comprising the following steps:
1) identifying the type of each memory page of the virtual machine at the virtual machine monitor layer;
2) based on the identified memory page types, establishing the association between memory pages and user processes and obtaining a process list view;
3) comparing the process list view obtained by an application inside the guest with the process list view obtained in step 2), and thereby identifying hidden malicious processes.
2. The method according to claim 1, characterized in that step 1) uses virtual machine introspection to identify the guest's memory page types.
3. The method according to claim 2, characterized in that step 1) comprises:
1.1) obtaining the kernel object that describes the physical page in the kernel;
1.2) determining the page type by analysing the fields of that kernel object.
4. The method according to claim 3, characterized in that step 1.1) obtains the address of the page object in memory from the mem_map array and the page frame number, and then reads the content of the page object from that address with the kvm_read_guest function.
5. The method according to claim 3, characterized in that step 1.2) comprises:
1.2.1) if the page's active user count is less than or equal to 0, the page is currently a free page; otherwise go to 1.2.2);
1.2.2) if the mapping address (mapping) is empty, the page is a kernel page; otherwise go to 1.2.3);
1.2.3) if the mapping count (page_mapcount) is less than or equal to 0, the page is a cache page; otherwise go to 1.2.4);
1.2.4) if the page has the anonymous flag set, it is an anonymous page; otherwise it is an inode page.
6. The method according to claim 1, characterized in that step 2) comprises:
2.1) traversing all page kernel objects in mem_map and, for each object, executing 2.2);
2.2) accessing the mapping field of the page object to obtain the vm_area_struct object, which points to the memory region the page belongs to; accessing the vm_mm field of the vm_area_struct object to obtain the mm_struct object; accessing the owner field of the mm_struct object to obtain the task_struct object; then executing step 2.3);
2.3) from the task_struct object, accessing the pid field to obtain the process number and the comm field to obtain the process name;
2.4) repeating steps 2.2) to 2.3) until all page objects have been traversed;
2.5) recording all process numbers and process names in the process list view.
7. The method according to claim 1, characterized in that step 3) treats the difference between the two process list views as hidden malicious processes.
8. The method according to claim 7, characterized in that step 3) comprises:
3.1) executing a program that queries all processes inside the guest, storing the result in a process list view file, labelled View_local;
3.2) labelling the process list view obtained in step 2) View_vmm;
3.3) traversing the processes recorded in the two process list views and comparing process number and process name; adding every process present in View_vmm but absent from View_local to the malicious process list;
3.4) reporting the detected malicious programs to the virtual machine administrator.
9. A memory-type-aware malicious process detection system, characterized by comprising:
a memory type identification module, responsible for identifying the type of each memory page of the virtual machine at the virtual machine monitor layer;
a process tracing module, responsible for establishing the association between memory pages and user processes based on the identified memory page types, and obtaining a process list view;
a view comparison module, responsible for comparing the process list view obtained by an application inside the guest with the process list view obtained by the process tracing module, and thereby identifying hidden malicious processes.
10. The system according to claim 9, characterized in that the memory type identification module comprises:
a memory introspection module, responsible for reading the guest's memory page data and obtaining the page objects;
a memory classification module, responsible for classifying the obtained page objects and determining page types.
CN201811267347.7A 2018-10-29 2018-10-29 Memory-type-aware malicious process detection method and system Pending CN109582437A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811267347.7A CN109582437A (en) 2018-10-29 2018-10-29 Memory-type-aware malicious process detection method and system

Publications (1)

Publication Number Publication Date
CN109582437A true CN109582437A (en) 2019-04-05

Family

ID=65920768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811267347.7A Pending CN109582437A (en) 2018-10-29 2018-10-29 Memory-type-aware malicious process detection method and system

Country Status (1)

Country Link
CN (1) CN109582437A (en)


Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7370360B2 (en) * 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
CN102736969A (en) * 2012-05-22 2012-10-17 中国科学院计算技术研究所 Method and system for monitoring virtualized internal memory of hardware
CN104715201A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Method and system for detecting malicious acts of virtual machine
US20180075238A1 (en) * 2016-09-13 2018-03-15 Symantec Corporation Systems and methods for detecting malicious processes on computing devices
CN106843756A (en) * 2017-01-13 2017-06-13 中国科学院信息工程研究所 Memory pages recovery method and system based on page classifications

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Jiangyong Shi et al.: "Design of a comprehensive virtual machine monitoring system", 2014 IEEE 3rd International Conference on Cloud Computing and Intelligence System *
Lei Cui, Zheng Song, Yongnan Li, Zhiyu Hao: "XScope: Memory Introspection Based Malicious Application Detection", 2018 5th International Conference on Information Science and Control Engineering *
M. A. Ajay Kumara et al.: "Virtual machine introspection based spurious process detection in virtualized cloud computing environment", 2015 International Conference on Futuristic Trends on Computational Analysis and Knowledge Management *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111639340A (en) * 2020-05-28 2020-09-08 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium
CN111639340B (en) * 2020-05-28 2023-11-03 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium
CN112052053A (en) * 2020-10-10 2020-12-08 国科晋云技术有限公司 Method and system for cleaning mining program in high-performance computing cluster
CN112052053B (en) * 2020-10-10 2023-12-19 国科晋云技术有限公司 Method and system for cleaning ore mining program in high-performance computing cluster

Legal Events

Date Code Title Description
2019-04-05 PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication