CN110535718A - A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature - Google Patents
- Publication number: CN110535718A
- Application number: CN201910765184.3A
- Authority: CN (China)
- Prior art keywords: uri, character string, blacklist, data packet, http
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
      - H04L43/0876—Network utilisation, e.g. volume of load or congestion level
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    - H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Environmental & Geological Engineering (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method for monitoring game cheat ("plug-in") behavior based on URI features of HTTP traffic. The method comprises: step S1, a client at the Windows application layer creates a network filter driver at the driver layer; step S2, a URI blacklist is established, which stores the URI strings contained in the HTTP packets sent by cheats; step S3, the network filter driver captures all TCP data packets at the stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist entry; if the URI parameter string extracted from the TCP data packet is identical to any entry in the URI blacklist, the game player is determined to be using a cheat. The invention can efficiently monitor the use of cheats with known HTTP traffic features.
Description
Technical field
The present invention relates to the fields of computer system communication technology, software security and game cheat ("plug-in") detection, and in particular to a method for monitoring game cheat behavior based on URI features of HTTP traffic.
Background
Existing cheat-monitoring modules usually rely on detection based on process memory scanning, for example scanning a process's memory space to determine whether it contains cheat signatures. No kernel-layer means of monitoring game cheat behavior based on HTTP traffic URI features has yet been disclosed.
Cheats may bypass the existing game cheat monitoring schemes described above by methods such as process hiding and memory polymorphism. The scheme described in this patent can monitor the use of such cheats. In addition, this patent performs accurately and efficiently when applied to monitoring the use of cheats that exhibit HTTP traffic URI features.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers in the network packet transmission path, for example: the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow-established layer), the FWPM_LAYER_STREAM_V4 layer (the stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram data layer). Because data packets are encapsulated at the lower levels of the system according to different network protocols, the data content captured at different layers differs. The FWPM_LAYER_STREAM_V4 layer (the stream layer) referred to in this patent can capture all TCP data packets, which do not include the IP encapsulation.
WFP (Windows Filtering Platform) is a Windows filtering platform used to filter network data packets.
The Base Filtering Engine (BFE) is a user-mode service included with the Windows operating system that coordinates the WFP components. The main tasks BFE performs are adding filters to or removing them from the system, storing filter configuration, and enforcing WFP configuration security. Applications communicate with BFE through WFP management functions such as FwpmEngineOpen.
URI: Universal Resource Identifier (URI). Every resource available on the web, such as an HTML document, image, video clip or program, is located by a URI.
Summary of the invention
To overcome the above problems, the object of the present invention is to provide a method for monitoring game cheat ("plug-in") behavior based on URI features of HTTP traffic. It is a covert means of monitoring cheat behavior and can efficiently monitor the use of cheats with known HTTP traffic features.
The present invention is realized by the following scheme: a method for monitoring game cheat behavior based on URI features of HTTP traffic, characterized in that the method comprises the following steps:
Step S1: a client at the Windows application layer creates a network filter driver at the driver layer.
Step S2: a URI blacklist is established; the URI blacklist stores the URI strings contained in the HTTP packets sent by cheats.
Step S3: the network filter driver captures all TCP data packets at the stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist entry; if the URI parameter string extracted from the TCP data packet is identical to any entry in the URI blacklist, the game player is determined to be using a cheat.
Further, step S2 is specifically: in the process of creating the network filter driver, the URIs that the cheat accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist, and during initialization the driver inserts all URIs written in the file into the URI blacklist.
Further, between step S2 and step S3 the method also includes:
Step S21: the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine BFE, which serves as a parameter for subsequent operations.
Step S22: the network filter driver uses the FwpsCalloutRegister function to register a callback function that monitors data at the stream layer.
Step S23: the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine BFE add the previously registered callback function.
Step S24: the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data.
Step S25: the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine BFE, and associates the callback function with the sublayer. Once the association is complete, when the sublayer captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet. The callback function of the stream layer is used to process TCP data packets.
Further, step S3 is specifically:
Step S31: when the callback function of the stream layer is called, the callback function determines whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the method proceeds to step S32; otherwise execution of the callback function ends.
Step S32: the callback function parses the packet content according to the HTTP message format and extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each entry in the URI blacklist; if a blacklist entry is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat.
Further, the callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1: using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, this process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp.
Step 2: determine whether the offset of Tmp from the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet from Tmp is greater than 8; if these conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 3.
Step 3: determine whether the data stored at the memory address 8 bytes above the address Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 4.
Step 4: determine whether the data stored at the memory address 9 bytes above the address Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 5.
Step 5: determine whether the data stored at the memory address 1 byte below the address Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 6.
Step 6: the byte preceding the memory address of '20' is defined as the end of the URI string and named End. Starting from End, with the packet start address as the terminating address, traverse memory backward from high addresses to low addresses, using character comparison to search for the byte sequence "20 2f". When "20 2f" is found, the address storing the byte '2f' is set as the starting point Begin of the URI string to be extracted, and the process goes to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends.
Step 7: the data stored from Begin to End is the URI string to be extracted.
The beneficial effects of the present invention are:
1. By using a behavior blacklist mechanism, it can efficiently monitor the use of cheats with known HTTP traffic features.
2. Because it uses kernel-layer network filtering technology, cheats cannot bypass this detection through traditional application-layer API hook techniques, which greatly increases the difficulty of counter-detection and counter-monitoring by cheats.
3. Most cheats are paid products and include a login module, so this scheme is very widely applicable and can be applied to detecting a large number of cheats.
4. The game cheat monitoring method of this patent is a covert means of monitoring cheat behavior, which improves monitoring capability.
5. The present invention provides a technical solution for extracting the URI from HTTP data packets at the kernel layer, which improves monitoring accuracy.
Description of the drawings
Fig. 1 is a schematic flow chart of the method of the invention.
Detailed description of the embodiments
The present invention is further described below with reference to the accompanying drawing.
Referring to Fig. 1, a method of the invention for monitoring game cheat ("plug-in") behavior based on URI features of HTTP traffic comprises the following steps:
Step S1: a client at the Windows application layer creates a network filter driver at the driver layer.
Step S2: a URI blacklist is established; the URI blacklist stores the URI strings contained in the HTTP packets sent by cheats. Step S2 is specifically: in the process of creating the network filter driver, the URIs that the cheat accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist, and during initialization the driver inserts all URIs written in the file into the URI blacklist. In addition, the entries stored in the blacklist must be features unique to the cheat, that is, apart from the cheat, no other program performs this network access or the probability that it does is extremely low; otherwise there is a risk of false positives.
Step S3: the network filter driver captures all TCP data packets at the stream layer (i.e. the FWPM_LAYER_STREAM_V4 layer), extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist entry; if the URI parameter string extracted from the TCP data packet is identical to any entry in the URI blacklist, the game player is determined to be using a cheat.
Further, between step S2 and step S3 the method also includes:
Step S21: the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine BFE, which serves as a parameter for subsequent operations.
Step S22: the network filter driver uses the FwpsCalloutRegister function to register a callback function that monitors data at the stream layer.
Step S23: the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine BFE add the previously registered callback function.
Step S24: the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data.
Step S25: the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine BFE, and associates the callback function with the sublayer. Once the association is complete, when the sublayer filter captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet. The callback function of the stream layer is used to process TCP data packets.
Step S3 is specifically:
Step S31: when the callback function of the stream layer is called, the callback function determines whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the method proceeds to step S32; otherwise execution of the callback function ends.
Step S32: the callback function parses the packet content according to the HTTP message format and extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each entry in the URI blacklist; if a blacklist entry is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat.
The callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1: using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, this process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp.
Step 2: determine whether the offset of Tmp from the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet from Tmp is greater than 8; if these conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 3.
Step 3: determine whether the data stored at the memory address 8 bytes above the address Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 4.
Step 4: determine whether the data stored at the memory address 9 bytes above the address Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 5.
Step 5: determine whether the data stored at the memory address 1 byte below the address Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 6.
Step 6: the byte preceding the memory address of '20' is defined as the end of the URI string and named End. Starting from End, with the packet start address as the terminating address, traverse memory backward from high addresses to low addresses (from back to front), using character comparison to search for the byte sequence "20 2f". When "20 2f" is found, the address storing the byte '2f' is set as the starting point Begin of the URI string to be extracted, and the process goes to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends.
Step 7: the data stored from Begin to End is the URI string to be extracted (the stored data includes Begin and End). The format of a non-abnormal data packet is shown in Table 1 below; the extracted URI string starts at '2f' and ends at the byte preceding '20'.
Table 1
The implementation of this patent's scheme is further described below with reference to a specific embodiment:
(The byte '2f' is equivalent to '/', that is, it is the form in which the slash character / is stored as computer data; below, all data written in single quotes ' ' are one-byte ASCII codes.)
1. Suppose game cheat A is cheat software that damages online game client C, a product of game company B. After its process starts, cheat A accesses "tools.cheat.com/key.txt" (the URI of this address is "/key.txt"); apart from game cheat A, no other process makes the same network request.
2. Game company B uses network filter driver D, developed on the basis of this scheme, to detect whether the player runs cheat A during play, and thereby protects game client C.
3. After the player runs game client C, game client C automatically loads network filter driver D. Once loaded successfully, network filter driver D initializes the URI blacklist and inserts into it the blacklist entry "/key.txt", which is dedicated to detecting game cheat A.
4. Network filter driver D completes a series of operations at the FWPM_LAYER_STREAM_V4 layer, such as registering the callback function, creating the sublayer and enabling the filter, and then begins filtering network data packets.
5. Suppose that, while game client C is running, the player starts game cheat A. After starting successfully, game cheat A attempts to access "tools.cheat.com/key.txt" and sends an HTTP TCP data packet whose URI parameter is "/key.txt".
6. After the filter at the FWPM_LAYER_STREAM_V4 layer captures this TCP data packet, it determines whether the remote port number of the data packet is 80; if the port number equals 80, the packet is a TCP data packet of the HTTP protocol. Suppose the content of the HTTP message is "xxxx'20'/key.txt'20'HTTP/1.1'0d''0a'xxxxx"; the process goes to step 7. Otherwise execution of the callback function ends. (x represents irrelevant data.)
7. The callback function parses the packet content according to the HTTP message format. By parsing the HTTP data packet it obtains the start character '/' (i.e. '2f') and the end character 't' of the URI parameter string, and extracts the URI parameter string "/key.txt" from the HTTP data packet.
8. The callback function traverses the URI blacklist and compares the URI parameter string "/key.txt" with each blacklist entry. When the comparison reaches the blacklist entry "/key.txt", the two strings are equal, so this HTTP data packet is determined to match the URI blacklist rule, and the player is thereby determined to be using game cheat A.
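The port check of step S31, the extraction of steps 1 to 7 and the blacklist comparison of step S32, run on the embodiment's "/key.txt" request, as an added example in user-mode C (not code from the patent). The function names, status codes and sample buffers are assumptions made for illustration; the example also requires the byte at Tmp+9 to lie inside the buffer, a slightly stricter bound than step 2 states, so that the reads of steps 3 and 4 cannot run past the end of the captured data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLEN(a) (sizeof(a) - 1)          /* length of a literal without its NUL */

enum uri_status { URI_OK = 0, URI_NO_HTTP = 1, URI_ABNORMAL = 2 };

/* Constructed sample stream data (not captured traffic). */
static const unsigned char SAMPLE_CHEAT[] =
    "GET /key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\n\r\n";
static const unsigned char SAMPLE_BENIGN[] =
    "GET /news/index.html HTTP/1.1\r\nHost: game.example\r\n\r\n";
static const unsigned char SAMPLE_TRUNCATED[] = "GET /key.txt HTTP/1.1";
static const unsigned char SAMPLE_NOT_HTTP[] = "\x16\x03\x01 opaque bytes";
static const char *const URI_BLACKLIST[] = { "/key.txt" };

/* Steps 1-7: locate the URI inside a length-bounded buffer. On URI_OK,
 * *begin points at the '/' (Begin) and *uri_len counts Begin..End inclusive. */
enum uri_status extract_uri(const unsigned char *pkt, size_t len,
                            const unsigned char **begin, size_t *uri_len)
{
    const unsigned char *tmp = NULL, *end, *p;
    size_t i, off;

    /* Step 1: first occurrence of "HTTP/"; the buffer is not NUL-terminated
     * in a driver, so search by length rather than with strstr(). */
    for (i = 0; i + 5 <= len; i++) {
        if (memcmp(pkt + i, "HTTP/", 5) == 0) { tmp = pkt + i; break; }
    }
    if (tmp == NULL) return URI_NO_HTTP;
    off = (size_t)(tmp - pkt);

    /* Step 2: Tmp more than 4 bytes from the start; Tmp+8 and Tmp+9 must
     * both exist (stricter than the text's "greater than 8"). */
    if (off <= 4 || len - off < 10) return URI_ABNORMAL;
    if (tmp[8] != 0x0d) return URI_ABNORMAL;      /* step 3 */
    if (tmp[9] != 0x0a) return URI_ABNORMAL;      /* step 4 */
    if (tmp[-1] != 0x20) return URI_ABNORMAL;     /* step 5 */

    /* Step 6: End is the byte before the space; walk back toward the start
     * of the buffer looking for the byte pair 20 2f. */
    end = tmp - 2;
    for (p = end; p > pkt; p--) {
        if (p[0] == 0x2f && p[-1] == 0x20) {
            *begin = p;                           /* step 7: Begin..End */
            *uri_len = (size_t)(end - p) + 1;
            return URI_OK;
        }
    }
    return URI_ABNORMAL;
}

/* Steps S31 + S32: returns 1 when the data is HTTP on remote port 80 and
 * its URI equals a blacklist entry exactly, 0 otherwise. */
int inspect_stream_data(unsigned short remote_port,
                        const unsigned char *data, size_t len,
                        const char *const *blacklist, size_t entries)
{
    const unsigned char *uri = NULL;
    size_t uri_len = 0, i;

    if (remote_port != 80) return 0;              /* S31 */
    if (extract_uri(data, len, &uri, &uri_len) != URI_OK) return 0;
    for (i = 0; i < entries; i++) {               /* S32: exact comparison */
        if (strlen(blacklist[i]) == uri_len &&
            memcmp(blacklist[i], uri, uri_len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("cheat sample:  %d\n", inspect_stream_data(80, SAMPLE_CHEAT,
           SLEN(SAMPLE_CHEAT), URI_BLACKLIST, 1));
    printf("benign sample: %d\n", inspect_stream_data(80, SAMPLE_BENIGN,
           SLEN(SAMPLE_BENIGN), URI_BLACKLIST, 1));
    return 0;
}
```

Truncated stream data such as SAMPLE_TRUNCATED is reported as abnormal rather than parsed, matching the "abnormal data packet" exits in steps 2 to 6.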
The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the claims of the present invention are covered by the present invention.
Claims (5)
1. A method for monitoring game cheat ("plug-in") behavior based on URI features of HTTP traffic, characterized in that the method comprises the following steps:
Step S1: a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2: a URI blacklist is established, the URI blacklist storing the URI strings contained in the HTTP packets sent by cheats;
Step S3: the network filter driver captures all TCP data packets at the stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist entry; if the URI parameter string extracted from the TCP data packet is identical to any entry in the URI blacklist, the game player is determined to be using a cheat.
2. The method for monitoring game cheat behavior based on URI features of HTTP traffic according to claim 1, characterized in that step S2 is specifically: in the process of creating the network filter driver, the URIs that the cheat accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist, and during initialization the driver inserts all URIs written in the file into the URI blacklist.
3. The method for monitoring game cheat behavior based on URI features of HTTP traffic according to claim 1, characterized in that between step S2 and step S3 the method also includes:
Step S21: the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine BFE, which serves as a parameter for subsequent operations;
Step S22: the network filter driver uses the FwpsCalloutRegister function to register a callback function that monitors data at the stream layer;
Step S23: the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine BFE add the previously registered callback function;
Step S24: the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data;
Step S25: the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine BFE, and associates the callback function with the sublayer; once the association is complete, when the sublayer captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet; the callback function of the stream layer is used to process TCP data packets.
4. The method for monitoring game cheat behavior based on URI features of HTTP traffic according to claim 3, characterized in that step S3 is specifically:
Step S31: when the callback function of the stream layer is called, the callback function determines whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the method proceeds to step S32; otherwise execution of the callback function ends;
Step S32: the callback function parses the packet content according to the HTTP message format and extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each entry in the URI blacklist; if a blacklist entry is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat.
5. The method for monitoring game cheat behavior based on URI features of HTTP traffic according to claim 4, characterized in that the callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1: using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, this process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp;
Step 2: determine whether the offset of Tmp from the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet from Tmp is greater than 8; if these conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 3;
Step 3: determine whether the data stored at the memory address 8 bytes above the address Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 4;
Step 4: determine whether the data stored at the memory address 9 bytes above the address Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 5;
Step 5: determine whether the data stored at the memory address 1 byte below the address Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise go to step 6;
Step 6: the byte preceding the memory address of '20' is defined as the end of the URI string and named End; starting from End, with the packet start address as the terminating address, traverse memory backward from high addresses to low addresses, using character comparison to search for the byte sequence "20 2f"; when "20 2f" is found, the address storing the byte '2f' is set as the starting point Begin of the URI string to be extracted, and the process goes to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends;
Step 7: the data stored from Begin to End is the URI string to be extracted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910765184.3A CN110535718A (en) | 2019-08-19 | 2019-08-19 | A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110535718A true CN110535718A (en) | 2019-12-03 |
Family
ID=68663671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910765184.3A Withdrawn CN110535718A (en) | 2019-08-19 | 2019-08-19 | A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535718A (en) |
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WW01 | Invention patent application withdrawn after publication | Application publication date: 20191203