CN109766691B - Ransomware monitoring method and device - Google Patents

Ransomware monitoring method and device

Info

Publication number
CN109766691B
Authority
CN
China
Prior art keywords
sequence
classification model
suspicious
malicious
inputting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811564804.9A
Other languages
Chinese (zh)
Other versions
CN109766691A (en)
Inventor
龙震岳
吴勤勤
沈伍强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Power Grid Co Ltd
Information Center of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Information Center of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-12-20
Filing date
2018-12-20
Publication date
2023-08-22
2018-12-20: Application filed by Guangdong Power Grid Co Ltd, Information Center of Guangdong Power Grid Co Ltd
2018-12-20: Priority to CN201811564804.9A
2019-05-17: Publication of CN109766691A
2023-08-22: Application granted
2023-08-22: Publication of CN109766691B
Legal status: Active

Landscapes

  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a ransomware monitoring method and device. The method comprises: after a suspicious operation on a honeypot system is detected, acquiring the suspicious sequence corresponding to that operation; initialising a sandbox system, replaying the suspicious sequence in the sandbox system and, if the replay result and the suspicious sequence satisfy preset malicious conditions, determining that the suspicious sequence is a malicious sequence; after acquiring a normal sequence corresponding to normal operation of a user system, feeding the normal, suspicious and malicious sequences into a preset machine learning engine for training to obtain a first classification model; feeding the malicious sequences back into the first classification model and partitioning it by ransomware type to obtain a second classification model; and feeding operation sequences from the user system into the second classification model, raising an early warning if a sequence was generated by ransomware. The application can effectively monitor existing ransomware, its variants and novel ransomware.

Description

Ransomware monitoring method and device
Technical Field
The application relates to the technical field of computer security, and in particular to a ransomware monitoring method and device.
Background
Ransomware typically spreads by exploiting zero-day vulnerabilities. Unlike other malware, it encrypts data with ordinary encryption routines, so its behavioural profile closely resembles manual operation, and variants are easy to produce. Antivirus software that relies on fixed behavioural signatures therefore generally cannot distinguish ransomware activity from normal operation, cannot anticipate it, and achieves low detection and removal accuracy and efficiency.
Disclosure of Invention
Embodiments of the application provide a ransomware monitoring method and device that can effectively monitor existing ransomware, its variants and novel ransomware.
According to one aspect of the application, a ransomware monitoring method is provided, comprising:
after a suspicious operation on the honeypot system is detected, acquiring the suspicious sequence corresponding to the suspicious operation;
initialising a sandbox system, replaying the suspicious sequence in the sandbox system and, if the replay result and the suspicious sequence satisfy preset malicious conditions, determining that the suspicious sequence is a malicious sequence;
after acquiring a normal sequence corresponding to normal operation of a user system, feeding the normal, suspicious and malicious sequences into a preset machine learning engine for training to obtain a first classification model;
feeding the malicious sequence back into the first classification model and partitioning the first classification model by ransomware type to obtain a second classification model;
and feeding an operation sequence from the user system into the second classification model and, if the operation sequence was generated by ransomware, raising an early warning.
Preferably, the condition that the replay result and the suspicious sequence satisfy preset malicious conditions is specifically:
the file state after replay is a preset malicious state, and the suspicious sequence contains a sub-sequence of encryption API calls.
Preferably, the preset malicious state is that the file is deleted, cannot be opened, or opens abnormally.
Preferably, partitioning the first classification model by ransomware type is specifically:
partitioning the first classification model based on sequence similarity.
Preferably, partitioning the first classification model based on sequence similarity specifically comprises:
computing the sequence similarity between the malicious sequences by means of word embeddings, and partitioning the first classification model by ransomware type according to that similarity.
Preferably, after feeding the operation sequence from the user system into the second classification model and raising the early warning if the sequence was generated by ransomware, the method further comprises:
feeding the ransomware-generated sequence into the second classification model to update the model.
Preferably, after feeding the operation sequence from the user system into the second classification model and raising the early warning if the sequence was generated by ransomware, the method further comprises:
generating a ransomware monitoring report.
According to another aspect of the application, a ransomware monitoring device is provided, comprising:
an acquisition module, configured to acquire the suspicious sequence corresponding to a suspicious operation after the suspicious operation on the honeypot system is detected;
a replay module, configured to initialise a sandbox system, replay the suspicious sequence in the sandbox system and determine that the suspicious sequence is a malicious sequence if the replay result and the suspicious sequence satisfy preset malicious conditions;
a training module, configured to feed the normal, suspicious and malicious sequences into a preset machine learning engine for training after acquiring a normal sequence corresponding to normal operation of the user system, so as to obtain a first classification model;
a classification module, configured to feed the malicious sequence back into the first classification model and partition the first classification model by ransomware type to obtain a second classification model;
and a monitoring module, configured to feed an operation sequence from the user system into the second classification model and raise an early warning if the operation sequence was generated by ransomware.
According to another aspect of the application, a ransomware monitoring device is provided comprising a processor and a memory, the memory storing computer program instructions which, when executed by the processor, implement the ransomware monitoring method described above.
According to another aspect of the application, a computer-readable storage medium is provided storing computer program instructions which, when executed by a processor, implement the ransomware monitoring method described above.
From the above technical solutions it can be seen that embodiments of the application have the following advantages:
the application collects suspicious sequences through the honeypot system, confirms malicious sequences by replaying the suspicious sequences in the sandbox system, feeds the normal, suspicious and malicious sequences into a supervised machine learning engine to train a first classification model that distinguishes normal operation from ransomware activity, and then splits the first classification model by ransomware type to obtain a second classification model.
Drawings
In order to describe the embodiments of the application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings show only some embodiments of the application; a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of an embodiment of the ransomware monitoring method of the application;
FIG. 2 is a schematic flow chart of another embodiment of the ransomware monitoring method of the application;
FIG. 3 is a schematic structural diagram of an embodiment of the ransomware monitoring device of the application.
Detailed Description
Embodiments of the application provide a ransomware monitoring method and device that can effectively monitor existing ransomware, its variants and novel ransomware.
To make the objects, features and advantages of the application clearer, the technical solutions of the embodiments are described in detail below with reference to the drawings. The embodiments described below are only some of the embodiments of the application, not all of them; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the application.
Referring to FIG. 1, an embodiment of the ransomware monitoring method of the application comprises:
101. after a suspicious operation on the honeypot system is detected, acquiring the suspicious sequence corresponding to the suspicious operation;
102. initialising a sandbox system, replaying the suspicious sequence in the sandbox system and, if the replay result and the suspicious sequence satisfy preset malicious conditions, determining that the suspicious sequence is a malicious sequence;
103. after acquiring a normal sequence corresponding to normal operation of a user system, feeding the normal, suspicious and malicious sequences into a preset machine learning engine for training to obtain a first classification model;
104. feeding the malicious sequence back into the first classification model and partitioning the first classification model by ransomware type to obtain a second classification model;
105. feeding an operation sequence from the user system into the second classification model and, if the operation sequence was generated by ransomware, raising an early warning.
It should be noted that the honeypot system is used to capture attack behaviour that exploits unknown vulnerabilities in the network. The honeypot is deployed in the network in which ransomware is to be monitored, either as a network of honeypot devices or as a single honeypot device. It runs a conventional operating system such as Linux or Windows, together with typical system and application software including database systems, control systems, office software and file editors. A software probe is pre-installed in the honeypot's operating system to collect the events generated on that system, including at least network operation events, file operation events, process operation events and key API call events.
The sandbox system records and analyses the behaviour of ransomware on a single device. The device runs a conventional operating system such as Linux or Windows and typical system and application software, including database systems, control systems, office software and file editors. The sandbox executes the instructions issued to it, captures and records intermediate system state (memory and file system snapshots), can be set to an initial state or to the state at any recorded point, and can be restored to any such saved state as many times as required.
The machine learning engine performs supervised training on input event sequences and their labels to form a classification model separating ransomware from normal behaviour. It also performs unsupervised training on the event sequences according to their similarity to form a classification model distinguishing different ransomware families. Given the event sequence of a specified program, the engine performs inference on it to determine whether that program is running.
In summary, the application collects suspicious sequences through the honeypot system, confirms malicious sequences by replaying them in the sandbox system, feeds the normal, suspicious and malicious sequences into the supervised machine learning engine to train a first classification model that distinguishes normal operation from ransomware activity, and then splits the first classification model by ransomware type to obtain a second classification model.
The foregoing is one embodiment of the ransomware monitoring method. For a more detailed description, another embodiment is provided below. Referring to FIG. 2, another embodiment of the ransomware monitoring method of the application comprises:
201. after a suspicious operation on the honeypot system is detected, acquiring the suspicious sequence corresponding to the suspicious operation;
In this embodiment a honeypot system, a sandbox system and a user system are deployed in the target network, and no legitimate user operates the honeypot system. The event sequence of every process running on the honeypot is collected and monitored for operations on key data such as user files, database files and configuration files; any such operation is called a suspicious operation, and the sequence containing it is acquired as a suspicious sequence.
202. initialising a sandbox system, replaying the suspicious sequence in the sandbox system and, if the file state after replay is a preset malicious state and the suspicious sequence contains a sub-sequence of encryption API calls, determining that the suspicious sequence is a malicious sequence;
In this embodiment, because a suspicious operation is not necessarily performed by ransomware, the application initialises the sandbox system and replays the suspicious sequence in it. If the replayed file is deleted, cannot be opened or opens abnormally, and the suspicious sequence contains a sub-sequence of encryption API calls, the suspicious sequence is determined to be a malicious sequence, i.e. one caused by ransomware. Both conditions must hold: a damaged file alone, or encryption API calls alone, does not establish ransomware.
203. after acquiring a normal sequence corresponding to normal operation of a user system, feeding the normal, suspicious and malicious sequences into a preset machine learning engine for training to obtain a first classification model;
After the malicious sequences have been determined, the normal event sequences of every process running on the user system, i.e. the normal sequences, are collected. The normal, suspicious and malicious sequences are then fed into a preset machine learning engine for training to obtain a first classification model. It will be appreciated that the first classification model can classify an operation as ransomware activity, normal operation, or suspicious operation (performed by something other than ransomware).
204. feeding the malicious sequences back into the first classification model, computing the sequence similarity between the malicious sequences by means of word embeddings, and partitioning the first classification model by ransomware type according to that similarity to obtain a second classification model;
After the first classification model has been obtained, the malicious sequences can be fed back into it. The malicious sequences usually comprise many sequences that may have been generated by different types of ransomware, so the application computes the sequence similarity between them by means of word embeddings and groups similar sequences together according to that similarity. This completes the partitioning of the first classification model by ransomware type and yields the second classification model.
205. feeding an operation sequence from the user system into the second classification model and, if the operation sequence was generated by ransomware, raising an early warning.
After the second classification model has been obtained, it can be used to monitor the operation sequences on the user system; if a sequence was generated by ransomware, the corresponding process can be located and an early warning raised.
Further, step 205 is followed by:
206. feeding the ransomware-generated sequence into the second classification model to update the model.
Because the ransomware detected in step 205 may be a new type, its sequence can be fed into the second classification model for incremental training to update the model.
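Steps 203 to 206 as an added worked example in Python (illustrative code written for this page, not the patent's own implementation): a supervised first model separates normal, suspicious and malicious event sequences; a second model splits the malicious class into ransomware families by sequence similarity; monitoring classifies a user-system sequence, raises the alert and folds the new sample into its family so a novel strain founds a new family. A count-based embedding over event tokens and adjacent token pairs stands in for the trained word embedding the patent refers to, a nearest-centroid classifier stands in for the unspecified supervised learner, and every sequence is constructed; the cosine threshold of 0.6 is an assumption.

```python
"""Steps 203-206: first model (normal / suspicious / malicious), second
model (malicious split into families), monitoring with alert and update.

Added example for this page, not code from patent CN109766691B.
Assumed: events as "kind:op" tokens; a count-based embedding over tokens
and adjacent token pairs in place of a trained word embedding; a
nearest-centroid classifier as the supervised learner; all sample data.
"""
from collections import Counter
from math import sqrt
from typing import Dict, List, Optional, Tuple

Seq = List[str]
Vec = Dict[str, float]
FAMILY_THRESHOLD = 0.6   # assumed cosine similarity needed to join a family

# Constructed labelled training sequences: (label, event tokens).
TRAIN: List[Tuple[str, Seq]] = [
    ("normal", ["file:open", "file:read", "file:write", "file:close"]),
    ("normal", ["proc:start", "net:connect", "file:open", "file:read", "file:close"]),
    ("normal", ["file:open", "file:read", "file:close", "proc:exit"]),
    ("suspicious", ["file:open", "file:write", "file:rename", "file:close"]),
    ("suspicious", ["proc:start", "file:open", "file:write", "file:close"]),
    ("malicious", ["file:open", "api:CryptEncrypt", "file:write", "file:delete", "net:connect"]),
    ("malicious", ["file:open", "api:CryptEncrypt", "file:write", "file:delete",
                   "file:open", "api:CryptEncrypt", "file:write", "file:delete"]),
    ("malicious", ["net:connect", "api:EVP_EncryptUpdate", "file:write", "file:rename", "file:write_note"]),
    ("malicious", ["api:EVP_EncryptUpdate", "file:write", "file:rename", "net:connect", "file:write_note"]),
]


def embed(seq: Seq) -> Vec:
    """Sequence vector: counts of event tokens plus adjacent token pairs, so
    order (e.g. encrypt -> write -> delete) contributes to similarity."""
    counts = Counter(seq)
    counts.update(f"{a}>{b}" for a, b in zip(seq, seq[1:]))
    return dict(counts)


def cosine(a: Vec, b: Vec) -> float:
    dot = sum(x * b.get(k, 0.0) for k, x in a.items())
    na = sqrt(sum(x * x for x in a.values()))
    nb = sqrt(sum(x * x for x in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def accumulate(total: Vec, v: Vec) -> None:
    """Add v into a running (unnormalised) centroid; cosine ignores the scale."""
    for k, x in v.items():
        total[k] = total.get(k, 0.0) + x


class FirstModel:
    """Supervised nearest-centroid classifier over the three labels (step 203)."""

    def __init__(self) -> None:
        self.centroids: Dict[str, Vec] = {}

    def fit(self, data: List[Tuple[str, Seq]]) -> "FirstModel":
        for label, seq in data:
            accumulate(self.centroids.setdefault(label, {}), embed(seq))
        return self

    def predict(self, v: Vec) -> str:
        return max(self.centroids, key=lambda lbl: cosine(v, self.centroids[lbl]))


class SecondModel:
    """Groups malicious sequences into families by similarity (step 204); each
    family centroid is updated as new samples arrive (step 206)."""

    def __init__(self, threshold: float = FAMILY_THRESHOLD) -> None:
        self.threshold = threshold
        self.families: Dict[str, Vec] = {}

    def assign(self, v: Vec) -> str:
        """Join the most similar family above the threshold, else found a new
        one (a novel strain); either way fold v into that family's centroid."""
        best = max(self.families, key=lambda f: cosine(v, self.families[f]), default=None)
        if best is None or cosine(v, self.families[best]) < self.threshold:
            best = f"family-{len(self.families) + 1}"
            self.families[best] = {}
        accumulate(self.families[best], v)
        return best


def build_models(train: List[Tuple[str, Seq]]) -> Tuple[FirstModel, SecondModel]:
    first = FirstModel().fit(train)
    second = SecondModel()
    for label, seq in train:            # step 204: feed the malicious sequences back
        if label == "malicious":
            second.assign(embed(seq))
    return first, second


def monitor(seq: Seq, first: FirstModel, second: SecondModel) -> Tuple[str, Optional[str]]:
    """Steps 205-206: classify a user-system sequence; on ransomware, assign a
    family, update the second model and raise the alert."""
    v = embed(seq)
    label = first.predict(v)
    if label != "malicious":
        return label, None
    family = second.assign(v)
    print(f"ALERT ransomware ({family}): {' '.join(seq)}")
    return label, family


def run_demo() -> List[Tuple[str, Optional[str]]]:
    first, second = build_models(TRAIN)
    observed = [  # constructed user-system sequences
        ["file:open", "file:read", "file:close"],                                           # benign
        ["file:open", "api:CryptEncrypt", "file:write", "file:delete"],                     # known family
        ["file:open", "api:BCryptEncrypt", "file:write", "file:delete", "file:write_note"],  # novel strain
    ]
    return [monitor(seq, first, second) for seq in observed]
```

On the constructed data the two CryptEncrypt sequences form one family and the two EVP_EncryptUpdate sequences another; the monitored CryptEncrypt sequence joins the first family, while the BCryptEncrypt sequence is still classified malicious by the first model (the write/delete pattern dominates) but lies below the family threshold and founds a third family, which is the "new type of ransomware" case of step 206. Using the running centroid rather than retraining from scratch is what makes the update incremental.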
Further, step 205 is followed by:
207. generating a ransomware monitoring report.
After an operation has been determined to be the product of ransomware, a ransomware monitoring report can be generated for the user to review.
In summary, the application collects suspicious sequences through the honeypot system, confirms malicious sequences by replaying them in the sandbox system, feeds the normal, suspicious and malicious sequences into the supervised machine learning engine to train a first classification model that distinguishes normal operation from ransomware activity, and then splits the first classification model by ransomware type to obtain a second classification model.
The foregoing describes the ransomware monitoring method of the application; the structure and connections of the ransomware monitoring device of the application are described below. Referring to FIG. 3, an embodiment of the ransomware monitoring device of the application comprises:
an acquisition module 301, configured to acquire the suspicious sequence corresponding to a suspicious operation after detecting that the suspicious operation on the honeypot system has occurred;
a replay module 302, configured to initialise a sandbox system, replay the suspicious sequence in the sandbox system and determine that the suspicious sequence is a malicious sequence if the replay result and the suspicious sequence satisfy preset malicious conditions;
a training module 303, configured to feed the normal, suspicious and malicious sequences into a preset machine learning engine for training after acquiring a normal sequence corresponding to normal operation of the user system, so as to obtain a first classification model;
a classification module 304, configured to feed the malicious sequence back into the first classification model and partition the first classification model by ransomware type to obtain a second classification model;
a monitoring module 305, configured to feed an operation sequence from the user system into the second classification model and raise an early warning if the operation sequence was generated by ransomware.
Furthermore, the replay module 302 is further configured to initialise the sandbox system, replay the suspicious sequence in the sandbox system and determine that the suspicious sequence is a malicious sequence if the file state after replay is a preset malicious state and the suspicious sequence contains a sub-sequence of encryption API calls.
Further, the preset malicious state is that the file is deleted, cannot be opened, or opens abnormally.
Further, the classification module 304 is configured to feed the malicious sequences back into the first classification model, compute the sequence similarity between the malicious sequences by means of word embeddings, and partition the first classification model according to that similarity to obtain the second classification model.
Still further, the ransomware monitoring device of the application further comprises:
an updating module, configured to feed the ransomware-generated sequence into the second classification model to update the model.
Still further, the ransomware monitoring device of the application further comprises:
a generation module, configured to generate a ransomware monitoring report.
Another embodiment of the ransomware monitoring device of the application comprises a processor and a memory, the memory storing computer program instructions which, when executed by the processor, implement the ransomware monitoring method described above.
The application also relates to a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the ransomware monitoring method described above.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
If the integrated units are implemented as software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server or a network device) to perform all or some of the steps of the methods of the embodiments of the application. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk or any other medium capable of storing program code.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (8)

1. A method of monitoring a lux virus comprising:
after suspicious operation for operating the honeypot system is monitored, acquiring a suspicious sequence corresponding to the suspicious operation;
initializing a sandbox system, inputting the suspicious sequence into the sandbox system for replay, and if the replay result and the suspicious sequence meet preset malicious conditions, determining that the suspicious sequence is a malicious sequence;
after a normal sequence corresponding to normal operation for operating a user system is obtained, inputting the normal operation, the suspicious operation and the malicious operation into a preset machine learning engine for training to obtain a first classification model;
inputting the malicious sequence into the first classification model again, and classifying the Lesovirus type of the first classification model to obtain a second classification model;
the step of classifying the first classification model for the Leucavirus type includes:
classifying the Leucovirus type of the first classification model based on sequence similarity;
the classification of the Lesovirus type based on the sequence similarity for the first classification model is specifically:
calculating sequence similarity between the malicious sequences in a word nesting mode, and classifying the Leesvirus type of the first classification model according to the sequence similarity;
and inputting the operation sequence on the user system into the second classification model, and if the operation sequence is generated by the Leucavirus, performing early warning.
2. The method of claim 1, wherein the if-replayed result and the suspicious sequence satisfy preset malicious conditions is specifically:
if the replayed file state is a preset malicious state, and the suspicious sequence comprises a subsequence of calls of the encryption API.
3. The method of claim 2, wherein the preset malicious state is a deleted or unopened or opened exception.
4. A method of monitoring the presence of the lux virus according to any one of claims 1 to 3, wherein the inputting the sequence of operations on the user system into the second classification model, if the sequence is generated by the lux virus, further comprises, after the pre-warning:
inputting the sequence generated by the Leucavirus into the second classification model for model updating.
5. A method of monitoring the presence of the lux virus according to any one of claims 1 to 3, wherein the inputting the sequence of operations on the user system into the second classification model, if the sequence is generated by the lux virus, further comprises, after the pre-warning:
generating a monitoring report of the Leucavirus.
6. A ransomware monitoring device, comprising:
an acquisition module, configured to acquire, after a suspicious operation performed on a honeypot system is detected, a suspicious sequence corresponding to the suspicious operation;
a replay module, configured to initialize a sandbox system, input the suspicious sequence into the sandbox system for replay, and determine the suspicious sequence to be a malicious sequence if the replay result and the suspicious sequence meet preset malicious conditions;
a training module, configured to acquire a normal sequence corresponding to a normal operation performed on the user system and then input the normal operation, the suspicious operation and the malicious operation into a preset machine learning engine for training, so as to obtain a first classification model;
a classification module, configured to input the malicious sequence into the first classification model again and perform ransomware-type classification on the first classification model, so as to obtain a second classification model;
the classification module being specifically configured to:
input the malicious sequence into the first classification model again and perform ransomware-type classification on the first classification model based on sequence similarity, so as to obtain the second classification model;
wherein performing ransomware-type classification on the first classification model based on sequence similarity specifically comprises:
calculating the sequence similarity between the malicious sequences by means of word embedding, and classifying the ransomware type for the first classification model according to the sequence similarity;
and a monitoring module, configured to input the operation sequence on the user system into the second classification model and, if the operation sequence is generated by ransomware, issue an early warning.
7. A ransomware monitoring device comprising a processor and a memory, the memory storing computer program instructions which, when executed by the processor, implement the ransomware monitoring method according to any one of claims 1 to 5.
8. A computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the ransomware monitoring method according to any one of claims 1 to 5.
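As an added illustration (not code from the patent or its applicants), a small Python sketch of the sequence-similarity step in claim 6: token co-occurrence counts stand in for word embeddings, each operation sequence is the mean of its token vectors, malicious sequences whose cosine similarity reaches a threshold are grouped into one ransomware type, and an unseen sequence is then assigned to the nearest type or flagged as a candidate new variant. The operation names, the 0.8 threshold and the co-occurrence embedding are assumptions of this example.

```python
from math import sqrt

# Constructed sample: operation sequences that the sandbox replay confirmed as malicious.
# Operation names are hypothetical tokens, not vocabulary taken from the patent.
MALICIOUS = {
    "m1": ["enum_files", "open_file", "read", "encrypt", "write", "rename_ext", "drop_note"],
    "m2": ["enum_files", "open_file", "read", "encrypt", "write", "rename_ext", "drop_note", "set_wallpaper"],
    "m3": ["stop_service", "delete_shadow", "write_mbr", "reboot", "lock_screen"],
    "m4": ["stop_service", "delete_shadow", "disable_recovery", "write_mbr", "reboot", "lock_screen"],
}

def embed_tokens(sequences, window=2):
    """Co-occurrence embedding: each operation -> counts of neighbours within `window` positions."""
    idx = {t: i for i, t in enumerate(sorted({t for seq in sequences for t in seq}))}
    vecs = {t: [0.0] * len(idx) for t in idx}
    for seq in sequences:
        for i, t in enumerate(seq):
            for n in seq[max(0, i - window):i] + seq[i + 1:i + window + 1]:
                vecs[t][idx[n]] += 1.0
    return vecs

def embed_sequence(seq, vecs):
    """Mean of token vectors; operations unseen during training contribute nothing."""
    known = [vecs[t] for t in seq if t in vecs]
    return [sum(v[k] for v in known) / len(seq) for k in range(len(next(iter(vecs.values()))))]

def cosine(a, b):
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def build_types(sequences, threshold=0.8):
    """Greedy grouping: a sequence joins the first type containing a member it resembles."""
    vecs = embed_tokens(list(sequences.values()))
    emb = {k: embed_sequence(s, vecs) for k, s in sequences.items()}
    types = []
    for k in sequences:
        for g in types:
            if any(cosine(emb[k], emb[m]) >= threshold for m in g):
                g.append(k)
                break
        else:
            types.append([k])
    return vecs, emb, types

def assign_type(seq, vecs, emb, types, threshold=0.8):
    """Nearest type by centroid similarity; None means no known type matches (candidate new variant)."""
    v = embed_sequence(seq, vecs)
    scored = [(cosine(v, [sum(emb[m][k] for m in g) / len(g) for k in range(len(v))]), g) for g in types]
    sim, best = max(scored) if scored else (0.0, None)
    return best if sim >= threshold else None
```

With this sample, m1/m2 and m3/m4 form two types; a sequence built only from operations never seen in training embeds to the zero vector and is reported as None rather than forced into an existing type.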
CN201811564804.9A 2018-12-20 2018-12-20 Lexovirus monitoring method and device Active CN109766691B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811564804.9A CN109766691B (en) 2018-12-20 2018-12-20 Lexovirus monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811564804.9A CN109766691B (en) 2018-12-20 2018-12-20 Lexovirus monitoring method and device

Publications (2)

Publication Number Publication Date
CN109766691A CN109766691A (en) 2019-05-17
CN109766691B true CN109766691B (en) 2023-08-22

Family

ID=66450773

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811564804.9A Active CN109766691B (en) 2018-12-20 2018-12-20 Lexovirus monitoring method and device

Country Status (1)

Country Link
CN (1) CN109766691B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110363002A (en) * 2019-07-16 2019-10-22 杭州安恒信息技术股份有限公司 A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing
CN110555306B (en) * 2019-09-02 2024-02-06 慧盾信息安全科技(苏州)股份有限公司 System and method for automatically controlling access authority of process to server data
CN117235712B (en) * 2023-11-14 2024-02-02 北京网藤科技有限公司 Method and system for detecting Lexovirus by sandbox
CN117540385B (en) * 2024-01-09 2024-03-29 北京数基信息有限公司 Script file monitoring method, system and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN103150509A (en) * 2013-03-15 2013-06-12 长沙文盾信息技术有限公司 Virus detection system based on virtual execution
CN103918222A (en) * 2011-10-21 2014-07-09 迈克菲公司 System and method for detection of denial of service attacks
CN104541293A (en) * 2012-05-14 2015-04-22 高通股份有限公司 Architecture for client-cloud behavior analyzer
CN105787370A (en) * 2016-03-07 2016-07-20 成都驭奔科技有限公司 Malicious software collecting and analyzing method based on honeypots
CN107273747A (en) * 2017-05-22 2017-10-20 中国人民公安大学 The method for extorting software detection
CN107315954A (en) * 2016-04-27 2017-11-03 腾讯科技(深圳)有限公司 A kind of file type identification method and server
KR20180062998A (en) * 2018-05-28 2018-06-11 한국인터넷진흥원 Method and Apparatus for Classifying Vulnerability Information Based on Machine Learning
CN108200030A (en) * 2017-12-27 2018-06-22 深信服科技股份有限公司 Detection method, system, device and the computer readable storage medium of malicious traffic stream

Also Published As

Publication number Publication date
CN109766691A (en) 2019-05-17

Similar Documents

Publication Publication Date Title
CN109766691B (en) Lexovirus monitoring method and device
US10949534B2 (en) Method for predicting and characterizing cyber attacks
US10791133B2 (en) System and method for detecting and mitigating ransomware threats
US11496495B2 (en) System and a method for detecting anomalous patterns in a network
CN112114995B (en) Terminal abnormality analysis method, device, equipment and storage medium based on process
US10868823B2 (en) Systems and methods for discriminating between human and non-human interactions with computing devices on a computer network
AU2019307885B2 (en) Systems and methods for reporting computer security incidents
CN106775929A (en) A kind of virtual platform safety monitoring method and system
JP2015028700A (en) Failure detection device, failure detection method, failure detection program and recording medium
CN109684833A (en) Make the system and method for program hazardous act mode adaptive user machine system
US20220309171A1 (en) Endpoint Security using an Action Prediction Model
CN109783316B (en) Method and device for identifying tampering behavior of system security log, storage medium and computer equipment
JP2021512412A (en) Detect and prevent user value-based ransomware
WO2020199905A1 (en) Command detection method and device, computer apparatus, and storage medium
JP6719492B2 (en) Rule generation device and rule generation program
GB2592132A (en) Enterprise network threat detection
US11163875B1 (en) Discovery of computer system incidents to be remediated based on correlation between support interaction data and computer system telemetry data
EP4266201A1 (en) Malware detection using machine learning
WO2020246227A1 (en) Rule generation device, rule generation method, and computer readable storage medium
US20140208427A1 (en) Apparatus and methods for detecting data access
CN115794479B (en) Log data processing method and device, electronic equipment and storage medium
KR20210025448A (en) Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis
JP6780326B2 (en) Information processing equipment and programs
CN114186278A (en) Database abnormal operation identification method and device and electronic equipment
Arumugam et al. Implementation of two class classifiers for hybrid intrusion detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant