CN110399718A - Remote penetration evidence obtaining method for industrial control system - Google Patents
Remote penetration evidence obtaining method for industrial control system
- Publication number: CN110399718A (application CN201910482385.2A)
- Authority: CN (China)
- Prior art keywords: controlled terminal, long, file, control system, industrial control
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
  - G06F21/55—Detecting local intrusion or implementing counter-measures
  - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a remote penetration evidence-collection method for industrial control systems, comprising the following steps: (1) local privilege escalation; (2) privilege persistence; (3) information collection; (4) local vulnerability scanning; (5) remote scanning and exploitation. The disclosed method can perform intranet penetration testing of the target network and target hosts from the perspective of a penetration tester inside the target industrial control intranet, providing a reference for industrial control security protection and a professional tool for industrial control security assessment, and is of great significance to industrial control security assessment, evidence collection and protection.
Description
Technical field
The present invention relates to a security assessment method for industrial intranets, and in particular to a remote penetration evidence-collection method for industrial control systems.
Background technique
With the continuous development of heavy industry, the security of industrial control systems (ICS, hereinafter "industrial control systems") has become a focus of attention. Today, industrial control systems, as industrial infrastructure, face serious security threats. For example, industrial enterprises do not install patches, hosts have no antivirus software installed, and Windows XP systems no longer maintained by Microsoft are still in use; these problems leave industrial control hosts with a large number of remote privilege-escalation and code-execution vulnerabilities, making it easy for attackers and unauthorized persons to damage industrial control systems.
At present, the tools for security assessment of industrial intranets fall mainly into the following four classes:
(1) Vulnerability scanning tools: these are mainly positioned for security scanning and assessment of industrial devices/hosts, detecting security problems at the device layer, network layer and application layer, such as weak-password vulnerabilities, remote bypass vulnerabilities and remote privilege-escalation vulnerabilities, and producing a vulnerability report from the scan results for the security administrator. The usage scenario of such tools is rather limited: at present they can only scan a given node or group of nodes, and cannot enter a node to scan the other nodes connected to it.
(2) Information detection tools: mainly used to probe specified industrial control intranet devices, probing a given node or group of nodes to obtain its related information and data, such as version, DB area, register contents and the contents of specified addresses.
(3) Situation awareness tools: mainly used to probe industrial control devices across the whole network and obtain the data of all industrial control nodes, including device name, device number, version, registers or the contents of specified addresses.
(4) Vulnerability mining tools: mainly used to mine vulnerabilities for a given industrial control device IP address. By fuzz testing combined with remote monitoring, a large number of malformed packets are generated towards the target to overflow its current buffer and thereby discover security vulnerabilities.
All four classes of tools above have certain application limitations and run unstably, and can easily cause the production system to become paralysed or crash.
Summary of the invention
In order to solve the above technical problems, the present invention provides a remote penetration evidence-collection method for industrial control systems, so as to avoid paralysis or crash of the production system and ensure system stability during testing.
In order to achieve the above objectives, the technical scheme is as follows:
A remote penetration evidence-collection method for industrial control systems, including the following steps:
(1) local privilege escalation;
(2) privilege persistence;
(3) information collection;
(4) local vulnerability scanning;
(5) remote scanning and exploitation.
In the above scheme, the specific method of step (1) is as follows: the administrator operates the control terminal, and the control terminal connects to the controlled terminal through the server end; after the controlled terminal comes online it is authenticated, and once authentication passes, local privilege escalation begins: built-in privilege-escalation exploit methods are tried one by one to find an available escalation and elevate to SYSTEM privileges; if SYSTEM privileges cannot be obtained, privilege escalation is performed by a UAC-bypass step.
In the above scheme, in step (2), if local privilege escalation cannot obtain privileges, escalation is attempted by infecting shortcuts, specifically including the following steps:
1) infect common lnk files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
2) infect common chm files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
3) infect common bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
4) scan dll files on disk for hijacking vulnerabilities, and set a service launcher whose start target is this program;
5) scan html files and insert script code so that they can run this controlled terminal program;
6) scan js files and insert script code so that they can run this controlled terminal program;
7) scan bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
8) scan powershell files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
9) add a rundll startup entry whose start target is this controlled terminal program;
10) add a scheduled task whose start target is this controlled terminal program;
11) create a service whose start target is this controlled terminal program;
12) add the startup file to the registry startup items.
During the above privilege persistence, if a step fails it is skipped and execution continues. In the replacement process, a multi-level chaining approach is used.
In the above scheme, the specific method of the information collection in step (3) is as follows:
1) traverse processes to obtain the information of each process;
2) traverse services to obtain the information of each service;
3) traverse installed software to obtain the installation information of each software;
4) obtain network socket information (including local listeners and remote connections);
5) obtain the information of local antivirus software;
6) obtain the login passwords of various software (such as Chrome browser, Firefox browser, XShell, IE browser, remote desktop credentials, etc.);
7) obtain the information of industrial configuration software.
In the above scheme, the content of the local vulnerability scanning in step (4) includes checking for local privilege-escalation vulnerabilities and weakness problems.
In the above scheme, the remote scanning process of step (5) is as follows:
1) scan for live hosts on the intranet;
2) perform port scanning and service detection for the live intranet hosts;
3) use remote attack (overflow) vulnerabilities common in the last 5 years to execute commands remotely and bring the host online directly;
4) if remote exploitation fails, attempt weak-password exploitation, trying empty passwords via IPC shares, Active Directory and shared printers;
5) if the empty-password attempt fails, query the administrator; weak-password scanning can further be used to scan common intranet services, including FTP, TELNET and SSH.
In a further technical solution, there are two ways for the controlled terminal to come online: direct connection and via a proxy. When the control terminal issues a task to a controlled end node, the command is first uploaded by the control terminal to the server end, which then stores it in the task queue of the specified node; when the controlled terminal polls the server end at its regular interval, it reads the task queue, executes the command, and then closes the socket.
Through the above technical solutions, the remote penetration evidence-collection method for industrial control systems provided by the invention has the following beneficial effects:
The industrial control intranet security penetration assessment and evidence-collection method proposed by the present invention can perform intranet penetration testing of the target network and target hosts from the perspective of a penetration tester inside the target industrial control intranet, carrying out security penetration assessment and evidence collection on each node (Windows machine) in the industrial control system. It can simulate a hacker or unauthorized person at the network boundary penetrating from outside, providing the administrator with a dynamic reference and the enterprise with an early-warning mechanism, which is of great significance to industrial control security assessment, evidence collection and protection. It is applicable to all kinds of industrial control intranets and industrial control device systems, in fields including but not limited to electric power, petroleum and petrochemicals, tobacco and coal mining.
At the same time, this system starts from the stability of the industrial control system, avoiding paralysis or crash of the production system and ensuring system stability during testing. It provides a reference for industrial control security protection and a professional tool for industrial control security assessment.
Detailed description of the drawings
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below.
Fig. 1 is a schematic flow chart of a remote penetration evidence-collection method for industrial control systems disclosed in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the controlled terminal check-in process disclosed in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the communication process between the server end and the controlled terminal disclosed in an embodiment of the present invention;
Fig. 4 is the network structure of this method.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention.
The present invention provides a remote penetration evidence-collection method for industrial control systems. As shown in Figure 1, this method performs intranet penetration testing of the target network and target hosts from the perspective of a remote penetration tester.
As shown in Figure 1, this method comprises the following steps:
One, local privilege escalation
This method satisfies the adequacy of information acquisition, the flexibility of penetration assessment and the accuracy of key vulnerability inspection. The method first requires the controlled program to be installed on an edge node of the industrial control system; installation methods include remote exploitation, running from a USB flash disk, running from e-mail, etc. After the controlled program runs, it performs privilege escalation and implants itself into the host system so that it can start at boot.
The system is divided into three parts: the control terminal, the server end and the controlled terminal. The administrator operates the controlled-terminal cluster from the control terminal; the server end runs on a Linux server and is responsible for establishing connections with the controlled-terminal cluster. The controlled terminal program (script) runs on a Windows terminal or a Linux terminal/server, communicates with the server end, and executes the commands issued by the server end. The network structure is shown in Fig. 4.
The administrator operates the control terminal, and the control terminal connects to the server end over TCP with DES encryption. The server end is then used to generate the controlled terminal script file (for Windows, BAT, PS, CMD or EXE files can optionally be generated; for Linux, a Python script file; for BSD and MACOS, a Python script file). The generated controlled terminal file is run on the target machine by means such as USB flash disk or e-mail, and after running, the controlled terminal program performs the following:
It connects to the server end over HTTPS, authenticates with a password, then reads the task list and executes it: if a task exists, it executes the task and uploads the result, then closes the socket; if no task exists, it closes the socket directly. The main communication between the server end and the controlled terminal is shown in Fig. 3.
There are two ways for the controlled terminal to come online: direct connection (the server end connects to the controlled terminal program over HTTPS) and proxied connection (the server end comes online with the controlled terminal program through an HTTPS proxy). The server end itself maintains the information of all controlled terminals, including socket, task list, key, fingerprint, etc. When the control terminal issues a task to a controlled end node, the command is first uploaded by the control terminal to the server end, which then stores it in the task queue of the specified node. When the controlled terminal polls the server end at its regular interval, it reads the task queue, executes the command, and then closes the socket. The process is shown in Fig. 2.
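The fixed-interval polling just described is the most reliable network-side signature of this scheme: many short HTTPS connections from one host to one destination with nearly constant spacing. The following is an added example (not code from the patent) that scores source/destination pairs in a constructed, simplified proxy log by the regularity of their connection intervals; the log format, thresholds and addresses are assumptions.

```python
"""Find fixed-interval pollers in a (constructed) HTTPS proxy log.

The controlled terminal in the scheme above polls the server end at a
regular interval, reads its task queue and closes the socket after each
exchange.  Seen from a proxy or firewall log that is many short
connections from one source to one destination with near-constant
spacing.  Log format here (timestamp src dst:port bytes) and the
thresholds are assumptions, not values from the patent.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.5.21 polls 203.0.113.7 about every 60 s
# (with a few seconds of jitter); 10.0.5.22 browses normally.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.5.21 203.0.113.7:443 512
2024-03-01T08:00:07 10.0.5.22 198.51.100.9:443 9400
2024-03-01T08:01:01 10.0.5.21 203.0.113.7:443 498
2024-03-01T08:01:45 10.0.5.22 198.51.100.14:443 30211
2024-03-01T08:02:00 10.0.5.21 203.0.113.7:443 505
2024-03-01T08:02:59 10.0.5.21 203.0.113.7:443 510
2024-03-01T08:03:30 10.0.5.22 198.51.100.9:443 1200
2024-03-01T08:04:01 10.0.5.21 203.0.113.7:443 503
2024-03-01T08:05:00 10.0.5.21 203.0.113.7:443 499
2024-03-01T08:06:00 10.0.5.21 203.0.113.7:443 511
2024-03-01T08:07:01 10.0.5.21 203.0.113.7:443 507
2024-03-01T08:07:20 10.0.5.22 198.51.100.22:443 77000
"""


def parse(log_text):
    """Yield (timestamp, src, dst) tuples from the constructed log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(log_text, min_connections=6, max_cv=0.15):
    """Return {(src, dst): (count, mean_interval_s, cv)} for pairs whose
    inter-connection intervals are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the intervals:
    human-driven traffic has a high cv, a fixed-interval poller a low one.
    """
    times = defaultdict(list)
    for ts, src, dst in parse(log_text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (n, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible poller: {src} -> {dst}: {n} connections, "
              f"every ~{avg}s (cv={cv})")
```

A real deployment would look at connection duration and response size as well, since the patent's client closes the socket after every poll and an empty task queue yields a near-identical reply each time.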
After authentication with the server end passes, local privilege-escalation checking begins: built-in privilege-escalation exploit methods are tried one by one to find an available escalation and elevate to SYSTEM privileges; if SYSTEM privileges cannot be obtained, privilege escalation is performed by a UAC-bypass step.
Two, privilege persistence
If local privilege escalation cannot obtain privileges, escalation is attempted by infecting shortcuts, specifically including the following steps:
1) infect common lnk files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
2) infect common chm files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
3) infect common bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
4) scan dll files on disk for hijacking vulnerabilities, and set a service launcher whose start target is this program;
5) scan html files and insert script code so that they can run this controlled terminal program;
6) scan js files and insert script code so that they can run this controlled terminal program;
7) scan bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
8) scan powershell files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
9) add a rundll startup entry whose start target is this controlled terminal program;
10) add a scheduled task whose start target is this controlled terminal program;
11) create a service whose start target is this controlled terminal program;
12) add the startup file to the registry startup items.
During the above privilege persistence, if a step fails it is skipped and execution continues. In the replacement process, a multi-level chaining approach is used.
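Every persistence step in this list (also restated in claim 3) leaves a Windows event when auditing and Sysmon are enabled: a scheduled task creation, a new service, a write under a registry Run key, a shortcut dropped in a Startup folder, or rundll32 loading a DLL from a user-writable path. The following is an added example (not from the patent) that maps constructed event records to those steps; the record layout is a simplified rendering of the real event fields, and all hostnames, paths and values are invented.

```python
"""Map Windows event records to the persistence steps listed above.

Added example, not part of the patent.  Relevant events: Security 4698
(scheduled task created), System 7045 (service installed), Sysmon 13
(registry value set), Sysmon 11 (file created), Sysmon 1 (process
created).  The dict layout below is an assumption, not a parser for any
specific log export format.
"""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)",
                           re.IGNORECASE)
RUNDLL = re.compile(r"(^|\\)rundll32(\.exe)?\b", re.IGNORECASE)
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\s,]+\.dll", re.IGNORECASE)


def classify(event):
    """Return (label, detail) if the event matches one of the patent's
    persistence steps, else None."""
    prov, eid, d = event["provider"], event["event_id"], event["data"]
    if prov == "Security" and eid == 4698:
        return ("scheduled task (step 10)", f"{d['TaskName']} -> {d['Command']}")
    if prov == "System" and eid == 7045:
        return ("new service (steps 4/11)", f"{d['ServiceName']} -> {d['ImagePath']}")
    if prov == "Sysmon" and eid == 13 and RUN_KEY.search(d["TargetObject"]):
        return ("registry Run key (step 12)", f"{d['TargetObject']} = {d['Details']}")
    if prov == "Sysmon" and eid == 11 and STARTUP_DIR.search(d["TargetFilename"]) \
            and d["TargetFilename"].lower().endswith(".lnk"):
        return ("shortcut in Startup folder (step 1)", d["TargetFilename"])
    if prov == "Sysmon" and eid == 1 and RUNDLL.search(d["Image"]):
        m = DLL_PATH.search(d["CommandLine"])
        # rundll32 itself is legitimate; the signal is a DLL loaded from a
        # path an unprivileged user can write to.
        if m and USER_WRITABLE.match(m.group(0)):
            return ("rundll32 loading DLL from user-writable path (step 9)", m.group(0))
    return None


def triage(events):
    """Return (host, time, label, detail) for every matching event."""
    hits = []
    for ev in events:
        c = classify(ev)
        if c:
            hits.append((ev["host"], ev["time"], c[0], c[1]))
    return hits


# Constructed sample records; two of them are benign and must not match.
STARTUP = "C:\\Users\\op\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    {"host": "HMI-01", "time": "2024-03-01T09:10:00", "provider": "Security", "event_id": 4698,
     "data": {"TaskName": "\\UpdateCheck", "Command": "C:\\ProgramData\\svc\\agent.exe"}},
    {"host": "HMI-01", "time": "2024-03-01T09:10:05", "provider": "Sysmon", "event_id": 13,
     "data": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\agent",
              "Details": "C:\\ProgramData\\svc\\agent.exe"}},
    {"host": "HMI-01", "time": "2024-03-01T09:10:09", "provider": "Sysmon", "event_id": 13,
     "data": {"TargetObject": "HKCU\\Software\\Vendor\\App\\Theme", "Details": "dark"}},
    {"host": "ENG-02", "time": "2024-03-01T09:12:00", "provider": "System", "event_id": 7045,
     "data": {"ServiceName": "SvcLauncher", "ImagePath": "C:\\ProgramData\\svc\\agent.exe"}},
    {"host": "ENG-02", "time": "2024-03-01T09:12:30", "provider": "Sysmon", "event_id": 1,
     "data": {"Image": "C:\\Windows\\System32\\rundll32.exe",
              "CommandLine": "rundll32.exe C:\\Users\\op\\AppData\\Roaming\\agent.dll,Start"}},
    {"host": "ENG-02", "time": "2024-03-01T09:13:00", "provider": "Sysmon", "event_id": 1,
     "data": {"Image": "C:\\Windows\\System32\\rundll32.exe",
              "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}},
    {"host": "ENG-02", "time": "2024-03-01T09:14:00", "provider": "Sysmon", "event_id": 11,
     "data": {"TargetFilename": STARTUP + "HMI Viewer.lnk"}},
]

if __name__ == "__main__":
    for host, when, label, detail in triage(SAMPLE_EVENTS):
        print(f"{when} {host}: {label}: {detail}")
```

Steps 1 to 3 and 7 to 8 (rewriting the target of existing lnk, chm, bat and powershell files) are better caught by file-integrity baselining of those files than by event logs, since the files already exist and only their contents change.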
Three, information collection
The specific method of information collection is as follows:
1) traverse processes to obtain the information of each process;
2) traverse services to obtain the information of each service;
3) traverse installed software to obtain the installation information of each software;
4) obtain network socket information (including local listeners and remote connections);
5) obtain the information of local antivirus software;
6) obtain the login passwords of various software (such as Chrome browser, Firefox browser, XShell, IE browser, remote desktop credentials, etc.);
7) obtain the information of industrial configuration software.
Four, local vulnerability scanning
The content of local vulnerability scanning includes:
1) checking for local privilege-escalation vulnerabilities (high-risk);
2) checking for local weakness problems (non-high-risk), including information leakage, weak passwords, and remote privilege escalation and information leakage in popular software, etc.
Five, remote scanning and exploitation
The remote scanning process is as follows:
1) scan for live hosts on the intranet;
2) perform port scanning and service detection for the live intranet hosts;
3) use remote attack (overflow) vulnerabilities common in the last 5 years to execute commands remotely and bring the host online directly;
4) if remote exploitation fails, attempt weak-password exploitation, trying empty passwords via IPC shares, Active Directory and shared printers;
5) if the empty-password attempt fails, query the administrator; weak-password scanning can further be used to scan common intranet services, including FTP, TELNET and SSH.
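Steps 1, 2 and 4 of the remote stage produce two footprints a defender can correlate: one internal address touching many hosts and ports in a short window (flow or firewall logs), followed by network logons as ANONYMOUS LOGON (Security event 4624, logon type 3) from the same address when empty passwords are tried against IPC shares. The following is an added example (not from the patent) that correlates the two over constructed logs; both log formats, the thresholds and the addresses are assumptions.

```python
"""Correlate a host/port sweep with later null-session logons.

Added example, not part of the patent.  FLOW_LOG lines are
"timestamp src dst dport action"; LOGON_LOG lines are
"timestamp|event_id|source_ip|target_user|logon_type|host".  Both
layouts are constructed simplifications, as are the thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOW_LOG = """\
2024-03-01T10:00:01 10.0.5.21 10.0.5.1 445 ALLOW
2024-03-01T10:00:01 10.0.5.21 10.0.5.1 22 DENY
2024-03-01T10:00:02 10.0.5.21 10.0.5.1 21 DENY
2024-03-01T10:00:02 10.0.5.21 10.0.5.2 445 ALLOW
2024-03-01T10:00:03 10.0.5.21 10.0.5.2 22 DENY
2024-03-01T10:00:03 10.0.5.21 10.0.5.2 21 ALLOW
2024-03-01T10:00:04 10.0.5.21 10.0.5.3 445 ALLOW
2024-03-01T10:00:04 10.0.5.21 10.0.5.3 22 ALLOW
2024-03-01T10:00:05 10.0.5.21 10.0.5.3 21 DENY
2024-03-01T10:00:05 10.0.5.21 10.0.5.4 445 DENY
2024-03-01T10:00:06 10.0.5.21 10.0.5.4 22 DENY
2024-03-01T10:00:06 10.0.5.21 10.0.5.4 21 DENY
2024-03-01T10:00:30 10.0.5.30 10.0.5.2 445 ALLOW
2024-03-01T10:15:00 10.0.5.30 10.0.5.2 445 ALLOW
"""

LOGON_LOG = """\
2024-03-01T10:02:10|4624|10.0.5.21|ANONYMOUS LOGON|3|FS-01
2024-03-01T10:02:12|4624|10.0.5.21|ANONYMOUS LOGON|3|HMI-01
2024-03-01T10:03:00|4624|10.0.5.30|op|3|FS-01
"""


def sweep_sources(flow_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src: max distinct (dst, port) pairs inside any window}
    for sources reaching min_targets: the footprint of steps 1 and 2."""
    flows = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        flows[src].append((datetime.fromisoformat(ts), (dst, int(port))))
    result = {}
    for src, events in flows.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {tgt for ts, tgt in events[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            result[src] = best
    return result


def null_session_sources(logon_text):
    """Return {src: sorted hosts} for type-3 logons as ANONYMOUS LOGON:
    the footprint of empty-password attempts against IPC shares (step 4)."""
    hits = defaultdict(set)
    for line in logon_text.splitlines():
        if not line.strip():
            continue
        _ts, eid, src, user, logon_type, host = line.split("|")
        if eid == "4624" and logon_type == "3" and user.upper() == "ANONYMOUS LOGON":
            hits[src].add(host)
    return {src: sorted(h) for src, h in hits.items()}


def correlate(flow_text, logon_text):
    """Rank sources by how many of the two footprints they show."""
    sweeps = sweep_sources(flow_text)
    nulls = null_session_sources(logon_text)
    alerts = []
    for src in sorted(set(sweeps) | set(nulls)):
        alerts.append({
            "src": src,
            "score": int(src in sweeps) + int(src in nulls),
            "targets": sweeps.get(src, 0),
            "null_session_hosts": nulls.get(src, []),
        })
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in correlate(FLOW_LOG, LOGON_LOG):
        print(a)
```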
In addition, before automatic check-in, the administrator needs to configure the check-in target, which can be the server end or the previous-hop springboard machine. The generation of a controlled terminal for a springboard machine can be triggered semi-automatically through the server end, or completed automatically by the server end after a successful remote exploitation.
Command execution is implemented by script execution: Windows executes commands with PowerShell scripts and Linux with Python scripts. If the control task transmitted by the server end only contains commands, the script interpretation function is called to execute them; if the control task includes executable files such as EXE, memory loading is used so that they are loaded automatically without an additional process. In addition, the control terminal user (administrator) can perform privilege persistence on the target after privilege escalation/evidence collection/assessment, in order to analyse and assess it again in the future.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (7)
1. A remote penetration evidence-collection method for industrial control systems, characterized by comprising the following steps:
(1) local privilege escalation;
(2) privilege persistence;
(3) information collection;
(4) local vulnerability scanning;
(5) remote scanning and exploitation.
2. The remote penetration evidence-collection method for industrial control systems according to claim 1, characterized in that the specific method of step (1) is as follows: the administrator operates the control terminal, and the control terminal connects to the controlled terminal through the server end; after the controlled terminal comes online it is authenticated, and once authentication passes, local privilege escalation begins: built-in privilege-escalation exploit methods are tried one by one to find an available escalation and elevate to SYSTEM privileges; if SYSTEM privileges cannot be obtained, privilege escalation is performed by a UAC-bypass step.
3. The remote penetration evidence-collection method for industrial control systems according to claim 1, characterized in that in step (2), if local privilege escalation cannot obtain privileges, escalation is attempted by infecting shortcuts, specifically including the following steps:
1) infect common lnk files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
2) infect common chm files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
3) infect common bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
4) scan dll files on disk for hijacking vulnerabilities, and set a service launcher whose start target is this program;
5) scan html files and insert script code so that they can run this controlled terminal program;
6) scan js files and insert script code so that they can run this controlled terminal program;
7) scan bat files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
8) scan powershell files, replacing the run target with the controlled terminal program using a man-in-the-middle approach;
9) add a rundll startup entry whose start target is this controlled terminal program;
10) add a scheduled task whose start target is this controlled terminal program;
11) create a service whose start target is this controlled terminal program;
12) add the startup file to the registry startup items;
during the above privilege persistence, if a step fails it is skipped and execution continues; in the replacement process, a multi-level chaining approach is used.
4. The remote penetration evidence-collection method for industrial control systems according to claim 1, characterized in that the specific method of the information collection in step (3) is as follows:
1) traverse processes to obtain the information of each process;
2) traverse services to obtain the information of each service;
3) traverse installed software to obtain the installation information of each software;
4) obtain network socket information (including local listeners and remote connections);
5) obtain the information of local antivirus software;
6) obtain the login passwords of various software (such as Chrome browser, Firefox browser, XShell, IE browser, remote desktop credentials, etc.);
7) obtain the information of industrial configuration software.
5. The remote penetration evidence-collection method for industrial control systems according to claim 1, characterized in that the content of the local vulnerability scanning in step (4) includes checking for local privilege-escalation vulnerabilities and weakness problems.
6. The remote penetration evidence-collection method for industrial control systems according to claim 1, characterized in that the remote scanning process in step (5) is as follows:
1) scan for live hosts on the intranet;
2) perform port scanning and service detection for the live intranet hosts;
3) use remote attack (overflow) vulnerabilities common in the last 5 years to execute commands remotely and bring the host online directly;
4) if remote exploitation fails, attempt weak-password exploitation, trying empty passwords via IPC shares, Active Directory and shared printers;
5) if the empty-password attempt fails, query the administrator; weak-password scanning can further be used to scan common intranet services, including FTP, TELNET and SSH.
7. The remote penetration evidence-collection method for industrial control systems according to claim 2, characterized in that there are two ways for the controlled terminal to come online: direct connection and via a proxy; when the control terminal issues a task to a controlled end node, the command is first uploaded by the control terminal to the server end, which then stores it in the task queue of the specified node; when the controlled terminal polls the server end at its regular interval, it reads the task queue, executes the command, and then closes the socket.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910482385.2A CN110399718B (en) | 2019-06-04 | 2019-06-04 | Remote penetration evidence obtaining method for industrial control system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110399718A true CN110399718A (en) | 2019-11-01 |
CN110399718B CN110399718B (en) | 2023-01-20 |
Family
ID=68324052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910482385.2A Active CN110399718B (en) | 2019-06-04 | 2019-06-04 | Remote penetration evidence obtaining method for industrial control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110399718B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100138925A1 (en) * | 2007-05-24 | 2010-06-03 | Bikash Barai | Method and system simulating a hacking attack on a network |
CN104009881A (en) * | 2013-02-27 | 2014-08-27 | 广东电网公司信息中心 | Method and device for system penetration testing |
CN104468267A (en) * | 2014-11-24 | 2015-03-25 | 国家电网公司 | Information safety penetration testing method for distribution automation system |
CN105243325A (en) * | 2015-09-29 | 2016-01-13 | 北京奇虎科技有限公司 | Method for residual process file in mobile terminal, mobile terminal and server |
CN108182359A (en) * | 2017-12-29 | 2018-06-19 | 中国信息通信研究院 | The method, apparatus and storage medium of API safeties under a kind of test trusted context |
US20180270268A1 (en) * | 2017-01-30 | 2018-09-20 | XM Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
Family events
- 2019-06-04: CN application CN201910482385.2A, patent CN110399718B (en), status Active
Also Published As
Publication number | Publication date |
---|---|
CN110399718B (en) | 2023-01-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109325351B (en) | Security hole automatic verification system based on public testing platform | |
CN104468267B (en) | A kind of electrical power distribution automatization system information security penetration testing method | |
Paracha et al. | IoTLS: understanding TLS usage in consumer IoT devices | |
Schuster et al. | Towards reducing the attack surface of software backdoors | |
CN102254113A (en) | Method and system for detecting and intercepting malicious code of mobile terminal | |
US10771477B2 (en) | Mitigating communications and control attempts | |
Dai et al. | Configuration fuzzing for software vulnerability detection | |
Johari et al. | Penetration testing in IoT network | |
Inoue et al. | Automated malware analysis system and its sandbox for revealing malware's internal and external activities | |
Yamada et al. | RAT-based malicious activities detection on enterprise internal networks | |
JP2012008732A (en) | Installation control device and program | |
KR102189361B1 (en) | Managed detection and response system and method based on endpoint | |
CN111177715A (en) | Mobile App vulnerability detection method and device | |
CN115361203A (en) | Vulnerability analysis method based on distributed scanning engine | |
CN108809950B (en) | Wireless router protection method and system based on cloud shadow system | |
CN110099041A (en) | A kind of Internet of Things means of defence and equipment, system | |
Sachidananda et al. | OVER: Overhauling vulnerability detection for IoT through an adaptable and automated static analysis framework | |
CN113364744A (en) | Method and system for detecting domain user login authentication abnormity based on windows log | |
Yagi et al. | Investigation and analysis of malware on websites | |
CN112765611A (en) | Unauthorized vulnerability detection method, device, equipment and storage medium | |
CN110399718A (en) | A method of the long-range infiltration for industrial control system is collected evidence | |
Kaur et al. | Hybrid real-time zero-day malware analysis and reporting system | |
Chen et al. | A proactive approach to intrusion detection and malware collection | |
Bin Sulaiman et al. | A Framework to Mitigate Attacks in Web Applications. | |
WO2015178002A1 (en) | Information processing device, information processing system, and communication history analysis method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |