CN110351255B - Data acquisition method and data acquisition system in network target range system - Google Patents

Info

Publication number: CN110351255B
Authority: CN (China)
Prior art keywords: events, attack, defense, data, function
Legal status: Active
Application number: CN201910557426.XA
Other languages: Chinese (zh)
Other versions: CN110351255A
Inventors: 蔡晶晶, 陈俊, 张凯, 余慧英
Current assignee: Yongxin Zhicheng Technology Group Co ltd
Original assignee: Beijing Yongxin Zhicheng Technology Co Ltd
Application filed by Beijing Yongxin Zhicheng Technology Co Ltd
Priority to CN201910557426.XA
Publication of CN110351255A
Application granted
Publication of CN110351255B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                            • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
                    • H04L67/2866 Architectures; Arrangements
                    • H04L67/30 Profiles

Abstract

Embodiments of the invention relate to a data acquisition method and a data acquisition system in a network target range system, the method comprising the following steps: a behavior monitoring module is pre-installed in a target node of the network target range system; the behavior monitoring module acquires multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks; and each target node forwards the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present. The technical scheme provided by this application acquires more data while improving the monitoring module's own concealment and reducing its impact on the target node.

Description

Data acquisition method and data acquisition system in network target range system
Technical Field
The application relates to the technical field of the internet, and in particular to a data acquisition method and a data acquisition system in a network target range system.
Background
A network target range (cyber range) combines a virtual environment with real equipment to simulate a realistic cyberspace attack and defense environment, and can serve as a platform for research into cyber attack and defense capabilities and for verification testing of cyberspace weapon equipment.
In constructing an urban network target range, building a mechanism for monitoring the effects of attack and defense behavior is an important link, so that both the attacking and defending sides can be scored quantitatively after the exercise. For the scoring system, attack and defense events must be collected in order to determine whether attack and defense activity has taken place on a target node. In the prior art, attack and defense data are generally acquired through a dedicated behavior monitoring program, but the information acquired is one-dimensional, and the monitoring program is easy to detect, poorly concealed, and has a large impact on the target nodes.
Disclosure of Invention
The application aims to provide a data acquisition method and a data acquisition system in a network target range system that can acquire more data while improving the monitoring module's own concealment and reducing its impact on target nodes.
To achieve the above object, the application provides a data acquisition method in a network target range system, the method comprising: pre-installing a behavior monitoring module in a target node of the network target range system; the behavior monitoring module acquiring multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks; and each target node forwarding the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present.
Further, the multi-dimensional attack and defense behavior data comprises at least one of: system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote thread injection events, message hook loading events, cross-process memory operation events, application-layer direct physical memory operation events, keyboard recording events, screen recording and screenshot events, and specific network protocol parsing events.
Further, after the behavior monitoring module is pre-installed in the target node of the network target range system, the method further comprises:
the target node receiving an issued attack and defense acquisition configuration file, and acquiring the multi-dimensional attack and defense behavior data as limited by that configuration file.
Further, the behavior monitoring module acquiring multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks comprises:
the behavior monitoring module intercepting specific operations in the target node and performing specific processing on them, where the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
the behavior monitoring module changing the original function call flow, so that a preset third-party function is executed before the target function executes, and the corresponding specific processing is carried out while the third-party function runs.
Further, the specific operation involves the import address table;
accordingly, intercepting a specific operation in the target node and performing specific processing on it comprises:
replacing the original import address table entry with a function address preset by the user, so that when the import address table entry is used for a call, the function at that address is called first and performs the corresponding specific processing during its execution.
To achieve the above object, the application further provides a data acquisition system in a network target range system, the data acquisition system comprising: a module presetting unit for pre-installing a behavior monitoring module in a target node of the network target range system; a data acquisition unit for controlling the behavior monitoring module to acquire multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks; and an activity judgment unit for controlling each target node to forward the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present.
Further, the multi-dimensional attack and defense behavior data comprises at least one of: system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote thread injection events, message hook loading events, cross-process memory operation events, application-layer direct physical memory operation events, keyboard recording events, screen recording and screenshot events, and specific network protocol parsing events.
Further, the data acquisition system further comprises:
a configuration file issuing unit for controlling the target node to receive an issued attack and defense acquisition configuration file and to acquire the multi-dimensional attack and defense behavior data as limited by that configuration file.
Further, the data acquisition unit comprises:
an interception module for intercepting specific operations in the target node and performing specific processing on them, where the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
a call flow changing module for changing the original function call flow, so that a preset third-party function is executed before the target function executes, and the corresponding specific processing is carried out while the third-party function runs.
Further, the specific operation involves the import address table;
accordingly, the interception module comprises:
an address replacement module for replacing the original import address table entry with a function address preset by the user, so that when the import address table entry is used for a call, the function at that address is called first and performs the corresponding specific processing during its execution.
It can be seen from the above that the technical scheme provided by this application has the following technical effects:
1. Different attack and defense events can be collected across multiple dimensions, which greatly improves the comprehensiveness of the data;
2. Different target nodes can be configured with different acquisition dimensions, which ensures diversity in what the target nodes collect;
3. Compared with existing behavior monitoring programs, the behavior monitoring module based on kernel hook technology has less impact on the system, and by running without a process of its own it stays concealed, so the performance of the target node is less affected by the acquisition of attack and defense behavior data.
Drawings
FIG. 1 is a diagram illustrating the steps of the data acquisition method in an embodiment of the present application;
FIG. 2 is a schematic diagram of the functional modules of the data acquisition system in an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art without any inventive work based on the embodiments in the present application shall fall within the scope of protection of the present application.
The invention relates to a computer algorithm for collecting multi-dimensional attack and defense behavior information in real time from every node device of an urban network target range during the construction of an urban network target range system, acquiring multi-dimensional attack and defense data from large-scale nodes while minimizing the impact on the urban range nodes.
Specifically, the present application provides a data acquisition method in a network target range system which, referring to FIG. 1, includes the following steps.
S1: a behavior monitoring module is pre-installed in a target node of the network target range system;
S2: the behavior monitoring module acquires multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks;
S3: each target node forwards the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present.
The multi-dimensional attack and defense behavior data comprises at least one of: system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote thread injection events, message hook loading events, cross-process memory operation events, application-layer direct physical memory operation events, keyboard recording events, screen recording and screenshot events, and specific network protocol parsing events.
In one embodiment, after the behavior monitoring module is pre-installed in the target node of the network target range system, the method further comprises:
the target node receiving an issued attack and defense acquisition configuration file, and acquiring the multi-dimensional attack and defense behavior data as limited by that configuration file.
In one embodiment, the behavior monitoring module acquiring multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks comprises:
the behavior monitoring module intercepting specific operations in the target node and performing specific processing on them, where the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
the behavior monitoring module changing the original function call flow, so that a preset third-party function is executed before the target function executes, and the corresponding specific processing is carried out while the third-party function runs.
In one embodiment, the specific operation involves the import address table;
accordingly, intercepting a specific operation in the target node and performing specific processing on it comprises:
replacing the original import address table entry with a function address preset by the user, so that when the import address table entry is used for a call, the function at that address is called first and performs the corresponding specific processing during its execution.
In practical application, the target range system installs a host behavior monitoring module on each target virtual host, which captures host data in real time and generates a host behavior log. The host behavior monitoring module works in a process-free operation mode and ensures its own concealment using Hook-based techniques spanning both the kernel layer and the application layer.
Specifically, there are many kinds of Hook technique, and the monitoring process can be summarized as follows:
1. Intercept a specific operation and perform specific processing on it (such as filtering, logging, or correlation analysis).
2. Change the original function call flow, so that a certain third-party function is executed before the hooked function executes, and carry out the special processing in that third-party function.
Taking an IAT (Import Address Table) Hook as an example: an import function is a function called by a program whose executable code is not in the program itself. When a PE (Portable Executable) file is loaded into memory, the loader loads the DLL (Dynamic Link Library) and associates the instructions that call the import function with the address where the function actually resides (dynamic linking); this step is completed through the IAT, which records the actual address of each function. The address of every API (Application Programming Interface) function called by the program is stored in the IAT, and the address used by the CALL instruction for each API is the address registered for that function in the IAT. The principle of an IAT Hook is to exchange the address in the IAT for the address of the user's own function, so that each API call reaches the user's function first. In that function the function name and parameters can be recorded and the original routine called, and the result is recorded when it returns.
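The IAT Hook principle above, as an added example in C that is not part of the patent: a constructed function-pointer table stands in for the import address table, and the hook exchanges each entry for the user's own function, which records the name and parameter, calls the original, and records the result on return. The API names, the table layout and the return values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PE import address table: a table of function
 * pointers that the program calls through by name. Not a real PE loader;
 * the API names and the layout are assumptions for illustration. */
typedef int (*api_fn)(const char *arg);

struct iat_entry {
    const char *name;   /* imported API name */
    api_fn      addr;   /* resolved address that the CALL goes through */
};

/* Two "imported" APIs standing in for DLL exports (constructed). */
static int real_CreateFileA(const char *path) {
    return (int)strlen(path);          /* stand-in for a returned handle */
}
static int real_RegSetValueA(const char *key) {
    return key[0] == 'H' ? 0 : 5;      /* 0 = success, 5 = access denied (stand-in) */
}

static struct iat_entry g_iat[] = {
    { "CreateFileA",  real_CreateFileA },
    { "RegSetValueA", real_RegSetValueA },
};
#define IAT_COUNT (sizeof g_iat / sizeof g_iat[0])

/* Behaviour log written by the hook: function name, argument, return value. */
#define LOG_MAX 16
struct hook_record { char name[32]; char arg[64]; int ret; };
static struct hook_record g_log[LOG_MAX];
static int g_log_count;

/* Original addresses saved at hook time so the hook can forward the call. */
static api_fn g_orig[IAT_COUNT];
static int g_installed;

/* The user's own function that the table now points at: record the name
 * and parameter, call the original routine, record the result when it
 * returns. The caller still receives the real result. */
static int hooked_call(size_t slot, const char *arg) {
    struct hook_record *r = g_log_count < LOG_MAX ? &g_log[g_log_count++] : NULL;
    if (r) {                           /* record name and parameter first */
        snprintf(r->name, sizeof r->name, "%s", g_iat[slot].name);
        snprintf(r->arg,  sizeof r->arg,  "%s", arg);
    }
    int ret = g_orig[slot](arg);       /* call the original routine */
    if (r) r->ret = ret;               /* record the result on return */
    return ret;
}
/* One trampoline per table slot, since a C function has no slot identity. */
static int hook_slot0(const char *a) { return hooked_call(0, a); }
static int hook_slot1(const char *a) { return hooked_call(1, a); }

/* Install the hook: save each original address, then exchange the table
 * entry for the user's function. Guarded so that a second call cannot save
 * the hook itself as the "original" and recurse forever. */
static void install_iat_hook(void) {
    static const api_fn hooks[IAT_COUNT] = { hook_slot0, hook_slot1 };
    if (g_installed) return;
    for (size_t i = 0; i < IAT_COUNT; i++) {
        g_orig[i] = g_iat[i].addr;
        g_iat[i].addr = hooks[i];
    }
    g_installed = 1;
}

/* The monitored program resolves an import by name and calls through the
 * table, as a CALL through the IAT would. Returns -1 for an unknown name. */
static int call_import(const char *name, const char *arg) {
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (strcmp(g_iat[i].name, name) == 0)
            return g_iat[i].addr(arg);
    return -1;
}

int main(void) {
    install_iat_hook();
    call_import("CreateFileA", "C:\\range\\notes.txt");
    call_import("RegSetValueA", "HKLM\\Software\\Example");
    for (int i = 0; i < g_log_count; i++)
        printf("%s(\"%s\") -> %d\n", g_log[i].name, g_log[i].arg, g_log[i].ret);
    return 0;
}
```

A hook on a real PE image would additionally have to locate the table through the import directory and make its page writable before exchanging the entry; only the exchange-and-forward logic is shown here.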
In practical application, the monitoring of experimental operation behavior and the host monitoring module should run in a process-free state, which provides favorable conditions for self-hiding. The monitored content should include files, processes, the registry, network communications, keyboard logs, screenshots, account creation, changes to security policies, and so on.
Specifically, the operating virtual machine and the target virtual machine should serve as the basic data sources for experimental data monitoring, and, drawing on the many years of experience of domestic and foreign research institutions in vulnerability discovery and malicious code analysis, the following operating system behaviors should be monitored and logged:
1) Login and logout events of operating system users. Auditing these events reveals unauthorized interactive or non-interactive login sessions.
2) Change events of operating system users and user groups: user addition, user deletion, user password change, and so on.
3) Process creation, exit and kill events. An attacker's behavior is carried out through a series of processes, with processes being created and ending at the various stages of an attack. If an attacker enters the system through a remote overflow, a shell process is generally created. Once inside, the attacker probes the system, leaves a backdoor, creates special processes, and may even kill the processes of security protection software to make their own operation easier. Auditing the life cycle of processes can therefore track the attacker's behavior.
4) Network connection change events. External attacks necessarily involve changes to network connections.
5) File change events. Auditing file creation, modification, deletion and similar behavior can reveal the planting of a backdoor.
6) Registry change events. Registry key changes, registry value changes and similar information are recorded so as to reconstruct the effect of the attacker's operations on the host registry.
7) Driver load events. After obtaining the highest system privileges, an attacker can freely perform operations such as keystroke recording at the kernel layer simply by loading a driver, so auditing driver load events can reveal attack behavior.
8) Remote thread injection events. Remote thread injection is a common attack technique by which specified code can be executed in a target process; a trojan can embed its own code into a system process and then delete its own program file to stay hidden. Auditing remote thread injection events can therefore reveal attack behavior.
9) Message hook load events. Message hook mechanisms are also common, because they give attack code an opportunity to execute and to monitor operations such as system keyboard input.
10) Cross-process memory operation events. The operating system's ability to operate on memory across processes is often used by attackers to modify system processes and embed malicious code, so auditing such behavior is highly desirable.
11) Application-layer direct physical memory operation events. After obtaining the highest system privileges, an attacker can directly operate on physical memory regions and implant malicious code from the application layer without a privileged driver, so these dangerous operations need to be audited.
12) Keyboard recording. Keyboard recording captures the operator's key presses in detail, together with the contextual window information, process information and the like at the moment of each key press, and so records the behavior and thinking of the experiment operator in detail.
13) Screen recording and screenshots. To observe and record the experiment operator's behavior more intuitively, taking screenshots of, or even recording video of, the operator's desktop is the best solution; but video occupies more storage space, so a corresponding configuration and a switch for selectively recording specific scenes are provided.
14) Parsing of specific network protocols. Network attack and defense experiments are usually carried out in a network environment, so being able to record the content of network packets in detail is very valuable, and at the very least the network data stream of the HTTP protocol should be discovered and analyzed.
In practical application, different attack and defense acquisition configurations can be issued to different nodes in the urban range to customize the dimensions in which each node acquires attack and defense behavior data, thereby achieving the acquisition of attack and defense data from large-scale nodes across the urban range.
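The configuration-driven acquisition described here and in the earlier embodiment (an issued configuration file limits the dimensions a node collects, and the central node judges activity from what is forwarded), as an added example in C that is not part of the patent. The dimension names, the `node=<id> dims=...` line format, and the rule that the attack-tradecraft dimensions indicate attack activity are assumptions; the patent does not specify the central node's decision rule.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: the fourteen acquisition dimensions listed in the
 * description, each given a bit so that an issued configuration can enable
 * any subset on a given target node. Names and line format are assumptions. */
static const struct { const char *name; unsigned bit; } DIMS[] = {
    { "user_change",   1u << 0 },  { "login_logout",  1u << 1 },
    { "process",       1u << 2 },  { "net_conn",      1u << 3 },
    { "file_change",   1u << 4 },  { "registry",      1u << 5 },
    { "driver_load",   1u << 6 },  { "remote_thread", 1u << 7 },
    { "msg_hook",      1u << 8 },  { "xproc_memory",  1u << 9 },
    { "phys_memory",   1u << 10 }, { "keylog",        1u << 11 },
    { "screen",        1u << 12 }, { "protocol",      1u << 13 },
};
#define DIM_COUNT (sizeof DIMS / sizeof DIMS[0])

/* Assumption for illustration: the dimensions the description ties to
 * attacker tradecraft (driver loading, remote thread injection, message
 * hooks, cross-process and physical memory writes) indicate attack activity. */
#define ATTACK_DIMS ((1u << 6) | (1u << 7) | (1u << 8) | (1u << 9) | (1u << 10))

struct node_config { int node_id; unsigned enabled; };
struct event { int node_id; unsigned dim; const char *detail; };

static unsigned dim_bit(const char *name) {
    for (size_t i = 0; i < DIM_COUNT; i++)
        if (strcmp(DIMS[i].name, name) == 0) return DIMS[i].bit;
    return 0;                          /* unknown dimension name: ignored */
}

/* Parse one line of an issued acquisition configuration, assumed to look like
 *   node=<id> dims=<name>,<name>,...
 * Returns 0 on success, -1 if the line is malformed. */
static int parse_config(const char *line, struct node_config *cfg) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    if (sscanf(buf, "node=%d", &cfg->node_id) != 1) return -1;
    char *dims = strstr(buf, "dims=");
    if (!dims) return -1;
    cfg->enabled = 0;
    for (char *tok = strtok(dims + 5, ", \n"); tok; tok = strtok(NULL, ", \n"))
        cfg->enabled |= dim_bit(tok);
    return 0;
}

/* Central node: events forwarded by all target nodes. */
#define MAX_EVENTS 64
static struct event g_central[MAX_EVENTS];
static int g_central_count;

/* Target-node side: the monitoring module forwards an event only if the
 * issued configuration for this node enables its dimension. Returns 1 if forwarded. */
static int node_collect(const struct node_config *cfg, const struct event *ev) {
    if (ev->node_id != cfg->node_id || !(ev->dim & cfg->enabled)) return 0;
    if (g_central_count >= MAX_EVENTS) return 0;   /* buffer full: dropped */
    g_central[g_central_count++] = *ev;
    return 1;
}

/* Central-node side: union of the dimensions observed from one node. */
static unsigned central_observed(int node_id) {
    unsigned seen = 0;
    for (int i = 0; i < g_central_count; i++)
        if (g_central[i].node_id == node_id) seen |= g_central[i].dim;
    return seen;
}

/* Judgement: attack activity is present if any attack dimension was observed. */
static int is_attack_activity(unsigned observed) {
    return (observed & ATTACK_DIMS) != 0;
}

int main(void) {
    struct node_config cfg;
    if (parse_config("node=7 dims=process,net_conn,remote_thread\n", &cfg) != 0)
        return 1;
    /* Constructed events as the monitoring module on node 7 might report them. */
    const struct event evs[] = {
        { 7, 1u << 2,  "process created" },
        { 7, 1u << 11, "keystrokes captured" },           /* dimension not enabled */
        { 7, 1u << 7,  "thread injected into another process" },
        { 3, 1u << 7,  "thread injected" },                /* belongs to another node */
    };
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++)
        node_collect(&cfg, &evs[i]);
    printf("node 7: %d event(s) forwarded, attack activity: %s\n", g_central_count,
           is_attack_activity(central_observed(7)) ? "yes" : "no");
    return 0;
}
```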
Referring to FIG. 2, the present application further provides a data acquisition system in a network target range system, the data acquisition system comprising:
a module presetting unit for pre-installing a behavior monitoring module in a target node of the network target range system;
a data acquisition unit for controlling the behavior monitoring module to acquire multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks;
and an activity judgment unit for controlling each target node to forward the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present.
In one embodiment, the multi-dimensional attack and defense behavior data comprises at least one of: system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote thread injection events, message hook loading events, cross-process memory operation events, application-layer direct physical memory operation events, keyboard recording events, screen recording and screenshot events, and specific network protocol parsing events.
In one embodiment, the data acquisition system further comprises:
a configuration file issuing unit for controlling the target node to receive an issued attack and defense acquisition configuration file and to acquire the multi-dimensional attack and defense behavior data as limited by that configuration file.
In one embodiment, the data acquisition unit comprises:
an interception module for intercepting specific operations in the target node and performing specific processing on them, where the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
a call flow changing module for changing the original function call flow, so that a preset third-party function is executed before the target function executes, and the corresponding specific processing is carried out while the third-party function runs.
In one embodiment, the specific operation involves the import address table;
accordingly, the interception module comprises:
an address replacement module for replacing the original import address table entry with a function address preset by the user, so that when the import address table entry is used for a call, the function at that address is called first and performs the corresponding specific processing during its execution.
Therefore, during attack and defense exercises in an urban network target range, behavior information from both the attacking and defending sides must be collected in real time as important data for the subsequent effectiveness evaluation of both parties. Which dimensions to collect, and how to collect the behavior information with minimal impact on the system and on the attack and defense behavior of the range nodes, are both major problems. The method of the invention collects the behavior data and hides itself through a kernel module, has little impact on the performance and bandwidth of the monitored node, can target important nodes through the issuing of configurable policies, and achieves the collection of more dimensions of data while minimizing the impact on the target. The method has the following technical effects:
1. Different attack and defense events can be collected across multiple dimensions, which greatly improves the comprehensiveness of the data;
2. Different target nodes can be configured with different acquisition dimensions, which ensures diversity in what the target nodes collect;
3. Compared with existing behavior monitoring programs, the behavior monitoring module based on kernel hook technology has less impact on the system, and by running without a process of its own it stays concealed, so the performance of the target node is less affected by the acquisition of attack and defense behavior data.
The foregoing description of various embodiments of the present application is provided for the purpose of illustration to those skilled in the art. It is not intended to be exhaustive or to limit the invention to a single disclosed embodiment. As described above, various alternatives and modifications of the present application will be apparent to those skilled in the art to which the above-described technology pertains. Thus, while some alternative embodiments have been discussed in detail, other embodiments will be apparent or relatively easy to derive by those of ordinary skill in the art. This application is intended to cover all alternatives, modifications, and variations of the invention that have been discussed herein, as well as other embodiments that fall within the spirit and scope of the above-described application.

Claims (6)

1. A data acquisition method in a network target range system, the method comprising:
pre-installing a behavior monitoring module in a target node of the network target range system;
the behavior monitoring module acquiring multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks;
each target node forwarding the acquired attack and defense behavior data to a central node, so that the central node judges whether attack and/or defense activity is currently present;
wherein the behavior monitoring module acquiring multi-dimensional attack and defense behavior data in the target node in a process-free operation mode based on kernel hooks comprises:
the behavior monitoring module intercepting specific operations in the target node and performing specific processing on them, where the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
the behavior monitoring module changing the original function call flow, so that a preset third-party function is executed before the target function executes, and the corresponding specific processing is carried out while the third-party function runs;
wherein the specific operation involves the import address table;
and accordingly, intercepting a specific operation in the target node and performing specific processing on it comprises:
replacing the original import address table entry with a function address preset by the user, so that when the import address table entry is used for a call, the function at that address is called first and performs the corresponding specific processing during its execution.
2. The method of claim 1, wherein the multi-dimensional attack and defense behavior data comprises at least one of: system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote thread injection events, message hook loading events, cross-process memory operation events, application-layer direct physical memory operation events, keyboard recording events, screen recording and screenshot events, and specific network protocol parsing events.
3. The method of claim 1 or 2, wherein after the behavior monitoring module is pre-installed in the target node of the network target range system, the method further comprises:
the target node receiving an issued attack and defense acquisition configuration file, and acquiring the multi-dimensional attack and defense behavior data as limited by that configuration file.
4. A data acquisition system in a network range system, the data acquisition system comprising:
the module presetting unit is used for presetting a behavior monitoring module in a target node of the network target range system;
the data acquisition unit is used for controlling the behavior monitoring module to acquire attack and defense behavior data of multiple dimensions in the target node in a process-free operation mode based on the kernel hook;
the activity judgment unit is used for controlling each target node to collect the acquired attack and defense behavior data to a central node so as to judge whether attack and/or defense activities exist at present through the central node;
the data acquisition unit includes:
the intercepting module is used for intercepting a specific operation in the target node and performing specific processing for the specific operation; wherein the specific processing comprises at least one of data filtering, data logging, or correlation analysis;
the call flow changing module is used for changing the original function call flow, so that a preset third-party function is executed before the target function is executed, and the corresponding specific processing is implemented while the third-party function executes;
the specific operation involves the import address table;
accordingly, the intercepting module comprises:
the address replacement module is used for replacing the original address in the import address table with a function address preset by the user, so that when the import address table entry needs to be called, the function pointed to by that function address is called first, and the corresponding specific processing is performed while that function executes.
5. The data acquisition system of claim 4, wherein the attack and defense behavior data of the multiple dimensions comprises at least one of system user change events, system user login and logout events, system process events, network connection change events, file change events, registry change events, driver loading events, remote injection thread events, message hook loading events, cross-process operation memory events, application layer direct operation physical memory events, keyboard recording events, screen recording and screenshot events, and network protocol specific resolution events.
6. The data acquisition system according to claim 4 or 5, further comprising:
the configuration file issuing unit is used for controlling the target node to receive the issued attack and defense acquisition configuration file and to acquire attack and defense behavior data of the multiple dimensions defined by the attack and defense acquisition configuration file.
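The mechanism claimed in claims 1 and 4 (an import-address-table entry is overwritten with a preset function's address, that function runs first, performs filtering or logging, and the results are collected for a central node) and the per-dimension acquisition configuration of claims 3 and 6, as an added illustration. This is not the patent's code: it is a constructed, platform-independent model in which the "import address table" is a plain table of function pointers filled by the program itself rather than by the Windows loader, and every name (iat_*, monitor_*, DIM_*, the stand-in imported functions) is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, platform-independent model of an import address table (IAT):
 * a table of function pointers that target code calls through. On Windows the
 * loader fills the real IAT; here the example fills it itself so it runs anywhere.
 * All names below (iat_*, monitor_*, DIM_*) are hypothetical, not the patent's. */
typedef int (*import_fn)(const char *arg);

enum { SLOT_CREATE_FILE = 0, SLOT_CONNECT = 1, SLOT_COUNT = 2 };

/* Event dimensions that the attack-and-defense acquisition configuration file
 * may enable (two of the many dimensions the claims list). */
enum { DIM_FILE_CHANGE = 1u << 0, DIM_NET_CONNECT = 1u << 1 };

/* Stand-ins for the imported OS functions (constructed behaviour). */
static int original_create_file(const char *path) { return (int)strlen(path); }
static int original_connect(const char *host)     { return host[0] == 'x' ? -1 : 0; }

static import_fn g_iat[SLOT_COUNT];       /* the (simulated) import table   */
static import_fn g_original[SLOT_COUNT];  /* saved originals for forwarding */

/* Events collected on the target node, later sent to the central node. */
#define MAX_EVENTS 16
typedef struct { unsigned dimension; char detail[64]; int result; } event_t;
static event_t  g_events[MAX_EVENTS];
static int      g_event_count;
static unsigned g_enabled_dims;           /* from the acquisition config    */

/* "Specific processing": data filtering by enabled dimension, then logging. */
static void record_event(unsigned dim, const char *detail, int result) {
    if (!(g_enabled_dims & dim) || g_event_count >= MAX_EVENTS) return;
    event_t *e = &g_events[g_event_count++];
    e->dimension = dim;
    snprintf(e->detail, sizeof e->detail, "%s", detail);
    e->result = result;
}

/* Preset third-party functions. Their addresses sit in the table, so they are
 * entered first; each forwards to the saved original and records the outcome. */
static int hooked_create_file(const char *path) {
    int r = g_original[SLOT_CREATE_FILE](path);
    record_event(DIM_FILE_CHANGE, path, r);
    return r;
}
static int hooked_connect(const char *host) {
    int r = g_original[SLOT_CONNECT](host);
    record_event(DIM_NET_CONNECT, host, r);
    return r;
}

/* Fill the table as a loader would, and clear collected events. */
void iat_init(void) {
    g_iat[SLOT_CREATE_FILE] = original_create_file;
    g_iat[SLOT_CONNECT]     = original_connect;
    g_event_count = 0;
}

/* Install a hook: save the original entry, then overwrite the slot with the
 * preset function's address. Target code keeps calling through the table. */
void iat_hook(int slot, import_fn preset) {
    g_original[slot] = g_iat[slot];
    g_iat[slot]      = preset;
}

/* Apply the acquisition configuration: a bitmask of enabled dimensions. */
void monitor_configure(unsigned dims) { g_enabled_dims = dims; }

void monitor_install(void) {
    iat_hook(SLOT_CREATE_FILE, hooked_create_file);
    iat_hook(SLOT_CONNECT,     hooked_connect);
}

/* Target-program code path: calls through the table, unaware of the hook. */
int target_create_file(const char *path) { return g_iat[SLOT_CREATE_FILE](path); }
int target_connect(const char *host)     { return g_iat[SLOT_CONNECT](host); }

/* Accessors the central node would use after events are collected. */
int            monitor_event_count(void) { return g_event_count; }
const event_t *monitor_event(int i)      { return &g_events[i]; }

/* Central-node judgement, kept deliberately simple: activity is present in a
 * dimension when at least one event of that dimension was collected. */
int central_activity_present(unsigned dim) {
    for (int i = 0; i < g_event_count; i++)
        if (g_events[i].dimension == dim) return 1;
    return 0;
}

int main(void) {
    iat_init();
    monitor_configure(DIM_NET_CONNECT);   /* config enables only network events */
    monitor_install();
    target_create_file("/tmp/a.txt");     /* filtered out: dimension disabled   */
    target_connect("host");
    target_connect("xbad");               /* the stand-in fails for hosts starting with 'x' */
    for (int i = 0; i < monitor_event_count(); i++)
        printf("dim=%u detail=%s result=%d\n", g_events[i].dimension,
               g_events[i].detail, g_events[i].result);
    return 0;
}
```

The point to notice is that the target code path (`target_connect`) never changes; only the table entry does, which is why such monitoring is "process-free" from the target's point of view and why the saved original must be restored before any repeated install, otherwise the wrapper would forward to itself.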
Application CN201910557426.XA, priority date 2019-06-25, filing date 2019-06-25: Data acquisition method and data acquisition system in network target range system (granted as CN110351255B, status Active)


Publications (2)

Publication Number Publication Date
CN110351255A (en) 2019-10-18
CN110351255B (en) 2021-07-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing
Patentee after: Yongxin Zhicheng Technology Group Co.,Ltd.
Address before: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing
Patentee before: BEIJING YONGXIN ZHICHENG TECHNOLOGY CO.,LTD.