CN110535718A - Method for monitoring game cheat plug-in behavior based on HTTP traffic URI features - Google Patents

Publication number
CN110535718A
Authority
CN
China
Prior art keywords
uri
character string
blacklist
data packet
http
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201910765184.3A
Other languages
Chinese (zh)
Inventor
刘德建
任佳伟
陈宏展
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Tianqing Online Interactive Technology Co Ltd
Original Assignee
Fujian Tianqing Online Interactive Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for monitoring game cheat plug-in behavior based on HTTP traffic URI features. The method comprises: step S1, a client at the Windows application layer creates a network filter driver at the driver layer; step S2, a URI blacklist is established, which stores the URI strings contained in the HTTP packets sent by cheat plug-ins; step S3, the network filter driver captures all TCP data packets at the data stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item; if the URI parameter string extracted from the TCP data packet is identical to any blacklist item in the URI blacklist, the game player is determined to be using a cheat plug-in. The invention can efficiently monitor the use of cheat plug-ins with known HTTP traffic features.

Description

A method for monitoring game cheat plug-in behavior based on HTTP traffic URI features
Technical field
The present invention relates to the technical fields of computer system communication, software security and game cheat plug-in detection, and in particular to a method for monitoring game cheat plug-in behavior based on HTTP traffic URI features.
Background art
Existing cheat plug-in monitoring modules usually rely on detection based on process memory scanning, for example scanning a process's memory space to determine whether it contains cheat plug-in signature code. No kernel-layer means of monitoring game cheat plug-in behavior based on HTTP traffic URI features has been disclosed so far.
Cheat plug-ins may bypass the existing monitoring schemes described above by using methods such as process hiding and memory polymorphism. The scheme described in this patent can monitor the use of such cheat plug-ins. In addition, this patent performs precisely and efficiently when applied to monitoring the use of cheat plug-ins that have HTTP traffic URI features.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers in the network packet transmission path, for example: the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow established layer), the FWPM_LAYER_STREAM_V4 layer (the data stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram data layer). Because the lower levels of the system encapsulate data packets according to different network protocols, the data content captured at different layers differs. The FWPM_LAYER_STREAM_V4 layer (the data stream layer) used in this patent's scheme can capture all TCP data packets, not including the IP portion.
WFP (Windows Filtering Platform) is a Windows filtering platform used to filter network packets.
The Base Filtering Engine (BFE) is a user-mode service included with the Windows operating system that coordinates the WFP components. The main tasks the BFE performs are adding filters to and removing filters from the system, storing the filter configuration, and enforcing WFP configuration security. Applications communicate with the BFE through WFP management functions such as FwpmEngineOpen.
URI: Universal Resource Identifier. It identifies each resource available on the web; an HTML document, an image, a video clip, a program and so on are each located by a URI.
Summary of the invention
To overcome the above problems, the object of the present invention is to provide a method for monitoring game cheat plug-in behavior based on HTTP traffic URI features. It is a covert means of monitoring cheat plug-in behavior and can efficiently monitor the use of cheat plug-ins with known HTTP traffic features.
The present invention is realized by the following scheme: a method for monitoring game cheat plug-in behavior based on HTTP traffic URI features, characterized in that the method comprises the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a URI blacklist is established; the URI blacklist stores the URI strings contained in the HTTP packets sent by cheat plug-ins;
Step S3, the network filter driver captures all TCP data packets at the data stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item of the URI blacklist; if the URI parameter string extracted from the TCP data packet is identical to any blacklist item in the URI blacklist, the game player is determined to be using a cheat plug-in.
Further, step S2 is specifically: while the network filter driver is being created, the URIs that the cheat plug-in accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist; during blacklist initialization, the network filter driver inserts all URIs written in the file into the URI blacklist.
Further, between step S2 and step S3 the method also includes: step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which serves as a parameter for the subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback function that monitors data at the data stream layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the previously registered callback function;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the data stream layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the data stream layer through the BFE and associates the callback function with the sublayer; once the association is complete, whenever the sublayer captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet; the callback function of the data stream layer is used to process TCP data packets.
Further, step S3 is specifically: step S31, when the callback function of the data stream layer is called, the callback function checks whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the flow proceeds to step S32; otherwise the callback function ends;
Step S32, the callback function parses the packet content according to the HTTP message format, extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item in the URI blacklist; if a blacklist item is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat plug-in.
Further, the callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1, using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, the process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp;
Step 2, check whether the offset of Tmp relative to the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet relative to Tmp is greater than 8; if the two conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 3;
Step 3, check whether the data stored at the memory address 8 bytes above Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 4;
Step 4, check whether the data stored at the memory address 9 bytes above Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 5;
Step 5, check whether the data stored at the memory address 1 byte below Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 6;
Step 6, define the byte preceding the memory address of that '20' as the end of the URI string and name it End; taking End as the start address and the start address of the data packet as the termination address, traverse memory backward, from high addresses to low, and search by character comparison for the byte sequence "20 2f"; when the byte sequence "20 2f" is found, set the address storing the character '2f' as the starting point Begin of the URI string to be extracted and proceed to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends;
Step 7, the data stored from Begin to End is the URI string to be extracted.
The beneficial effects of the present invention are: 1. Using a behavior blacklist mechanism, the use of cheat plug-ins with known HTTP traffic features can be monitored efficiently.
2. Using kernel-layer network filtering technology prevents cheat plug-ins from bypassing this detection through traditional application-layer API hooking, which greatly increases the difficulty of counter-detection and counter-monitoring by cheat plug-ins.
3. Most cheat plug-ins are paid products and include a login module, so this scheme has a very wide range of application and can be applied to detecting a large number of cheat plug-ins.
4. The monitoring method of this patent is a covert means of monitoring cheat plug-in behavior, which improves monitoring capability.
5. The present invention provides a technical solution for extracting the URI from an HTTP data packet at the kernel layer, which improves monitoring accuracy.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method of the invention.
Specific embodiment
The present invention is further described below with reference to the accompanying drawing.
Referring to Fig. 1, a method for monitoring game cheat plug-in behavior based on HTTP traffic URI features according to the invention comprises the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a URI blacklist is established; the URI blacklist stores the URI strings contained in the HTTP packets sent by cheat plug-ins. Step S2 is specifically: while the network filter driver is being created, the URIs that the cheat plug-in accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist; during blacklist initialization, the network filter driver inserts all URIs written in the file into the URI blacklist. In addition, each blacklist item stored in the blacklist must be a feature unique to the cheat plug-in, that is, no program other than the cheat plug-in performs this network access, or the probability of it doing so is extremely low; otherwise there is a risk of false positives.
Step S3, the network filter driver captures all TCP data packets at the data stream layer (the FWPM_LAYER_STREAM_V4 layer), extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item of the URI blacklist; if the URI parameter string extracted from the TCP data packet is identical to any blacklist item in the URI blacklist, the game player is determined to be using a cheat plug-in.
Further, between step S2 and step S3 the method also includes:
Step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which serves as a parameter for the subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback function that monitors data at the data stream layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the previously registered callback function;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the data stream layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the data stream layer through the BFE and associates the callback function with the sublayer; once the association is complete, whenever the sublayer filter captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet; the callback function of the data stream layer is used to process TCP data packets.
Step S3 is specifically: step S31, when the callback function of the data stream layer is called, the callback function checks whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the flow proceeds to step S32; otherwise the callback function ends;
Step S32, the callback function parses the packet content according to the HTTP message format, extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item in the URI blacklist; if a blacklist item is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat plug-in.
The callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1, using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, the process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp;
Step 2, check whether the offset of Tmp relative to the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet relative to Tmp is greater than 8; if the two conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 3;
Step 3, check whether the data stored at the memory address 8 bytes above Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 4;
Step 4, check whether the data stored at the memory address 9 bytes above Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 5;
Step 5, check whether the data stored at the memory address 1 byte below Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 6;
Step 6, define the byte preceding the memory address of that '20' as the end of the URI string and name it End; taking End as the start address and the start address of the data packet as the termination address, traverse memory backward (from back to front, high addresses to low) and search by character comparison for the byte sequence "20 2f"; when the byte sequence "20 2f" is found, set the address storing the character '2f' as the starting point Begin of the URI string to be extracted and proceed to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends;
Step 7, the data stored from Begin to End is the URI string to be extracted (the stored data includes both Begin and End). The format of a non-abnormal data packet is shown in Table 1 below; the extracted URI string starts at '2f' and ends at the byte preceding '20'.
Table 1
The implementation of this patent's scheme is further described below with reference to a specific embodiment:
(The character '2f' is equivalent to '/', that is, it is the form in which the slash symbol / is stored as computer data; below, all data written in single quotation marks ' ' is the ASCII code of one byte.)
1. Assume that game cheat plug-in A is cheat software that damages online game client C, a product of game company B. After its process starts, cheat plug-in A accesses "tools.cheat.com/key.txt" (the URI of this address is "/key.txt"); apart from cheat plug-in A, no other process makes the same network request.
2. Game company B uses network filter driver D, developed on the basis of this scheme, to detect whether the player is running cheat plug-in A, and thereby protects game client C.
3. After the player starts game client C, game client C automatically loads network filter driver D. After loading successfully, network filter driver D initializes the URI blacklist and inserts into it the blacklist item "/key.txt", which is dedicated to detecting game cheat plug-in A.
4. After network filter driver D has completed the series of operations at the FWPM_LAYER_STREAM_V4 layer (registering the callback function, creating the sublayer, enabling the filter and so on), its network packet filtering function starts to take effect.
5. Assume that while game client C is running, the player starts game cheat plug-in A. After starting successfully, cheat plug-in A attempts to access "tools.cheat.com/key.txt" and sends an HTTP TCP data packet whose URI parameter is "/key.txt".
6. After the filter at the FWPM_LAYER_STREAM_V4 layer captures this TCP data packet, it checks whether the packet's remote port number is 80; if the port number equals 80, the packet is a TCP data packet of the HTTP protocol. Assume the content of the HTTP message is "xxxx'20'/key.txt'20'HTTP/1.1'0d''0a'xxxxx" (x represents irrelevant data); the flow proceeds to step 7. Otherwise the callback function ends.
7. The callback function parses the packet content according to the HTTP message format. Parsing the HTTP data packet yields the start character '/' (i.e. '2f') and the end character 't' of the URI parameter string, and the URI parameter string "/key.txt" is extracted from the HTTP data packet.
8. The callback function traverses the URI blacklist and compares the URI parameter string "/key.txt" with each blacklist item. When the comparison reaches the blacklist item "/key.txt", the two strings are equal, so this HTTP data packet is judged to match a URI blacklist rule, and the player is thereby determined to be using game cheat plug-in A.
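The port check of step S31, parsing steps 1 to 7 and the blacklist comparison of step S32, as an added example in user-mode C (not code from the patent, which runs this logic in a WFP callback inside a driver). The function names, the sample payloads and the reading of "end address" as the address of the last byte are assumptions.

```c
/* Added example (not the patent's driver code): user-mode C version of
 * steps S31/S32 and parsing steps 1-7. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed blacklist; "/key.txt" is the item used in the embodiment. */
static const char *const uri_blacklist[] = { "/key.txt" };
#define BLACKLIST_LEN (sizeof uri_blacklist / sizeof uri_blacklist[0])

/* Step 1: offset of the first "HTTP/" in the buffer, or -1 if absent.
 * The search is length-bounded because stream data is not NUL-terminated. */
static long find_http_token(const unsigned char *pkt, size_t len)
{
    static const char tok[] = "HTTP/";
    const size_t tlen = sizeof tok - 1;
    for (size_t i = 0; i + tlen <= len; i++)
        if (memcmp(pkt + i, tok, tlen) == 0)
            return (long)i;
    return -1;
}

/* Steps 1-7. Returns 1 and sets the inclusive offsets [*begin, *end] of the
 * URI; returns 0 when "HTTP/" is absent or the packet is judged abnormal. */
int extract_uri(const unsigned char *pkt, size_t len,
                size_t *begin, size_t *end)
{
    long found = find_http_token(pkt, len);           /* step 1 */
    if (found < 0)
        return 0;
    size_t tmp = (size_t)found;

    /* Step 2: Tmp is more than 4 bytes past the start, and the last byte is
     * more than 8 bytes past Tmp, so pkt[tmp + 9] below stays in bounds.
     * Assumption: "end address" means the address of the last byte. */
    if (!(tmp > 4 && (len - 1) - tmp > 8))
        return 0;
    if (pkt[tmp + 8] != 0x0d)                         /* step 3: CR */
        return 0;
    if (pkt[tmp + 9] != 0x0a)                         /* step 4: LF */
        return 0;
    if (pkt[tmp - 1] != 0x20)                         /* step 5: space */
        return 0;

    size_t uri_end = tmp - 2;                         /* step 6: End */
    for (size_t i = uri_end; i >= 1; i--) {           /* walk backward */
        if (pkt[i] == 0x2f && pkt[i - 1] == 0x20) {   /* bytes "20 2f" */
            *begin = i;                               /* Begin = the '/' */
            *end = uri_end;
            return 1;                                 /* step 7 */
        }
    }
    return 0;                                         /* search failed */
}

/* Step S32: exact, length-checked comparison with every blacklist item. */
int uri_is_blacklisted(const unsigned char *uri, size_t n)
{
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (strlen(uri_blacklist[i]) == n &&
            memcmp(uri, uri_blacklist[i], n) == 0)
            return 1;
    return 0;
}

/* Steps S31 + S32: returns 1 when the packet matches a blacklist item. */
int monitor_packet(const unsigned char *pkt, size_t len, unsigned remote_port)
{
    size_t b, e;
    if (remote_port != 80)                            /* step S31 */
        return 0;
    if (!extract_uri(pkt, len, &b, &e))
        return 0;
    return uri_is_blacklisted(pkt + b, e - b + 1);
}

/* Convenience wrapper for the constructed, NUL-terminated samples below. */
int monitor_sample(const char *s, unsigned remote_port)
{
    return monitor_packet((const unsigned char *)s, strlen(s), remote_port);
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const char *samples[] = {
        "GET /key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\n\r\n",
        "GET /dir/key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
        "GET /key.txt HTTP/1.1",            /* truncated before CR LF */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, monitor_sample(samples[i], 80));
    return 0;
}
```

The truncated sample is rejected at step 2, before any read at Tmp+8 or Tmp+9, which is the bounds check that matters when this parsing runs on untrusted stream data in kernel mode.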
The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the claims of the present invention shall be covered by the present invention.

Claims (5)

1. A method for monitoring game cheat plug-in behavior based on HTTP traffic URI features, characterized in that the method comprises the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a URI blacklist is established; the URI blacklist stores the URI strings contained in the HTTP packets sent by cheat plug-ins;
Step S3, the network filter driver captures all TCP data packets at the data stream layer, extracts the URI parameter string from each TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item of the URI blacklist; if the URI parameter string extracted from the TCP data packet is identical to any blacklist item in the URI blacklist, the game player is determined to be using a cheat plug-in.
2. The method for monitoring game cheat plug-in behavior based on HTTP traffic URI features according to claim 1, characterized in that step S2 is specifically: while the network filter driver is being created, the URIs that the cheat plug-in accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the URI blacklist; during blacklist initialization, the network filter driver inserts all URIs written in the file into the URI blacklist.
3. The method for monitoring game cheat plug-in behavior based on HTTP traffic URI features according to claim 1, characterized in that between step S2 and step S3 the method also includes: step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the Base Filtering Engine (BFE), which serves as a parameter for the subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback function that monitors data at the data stream layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the previously registered callback function;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the data stream layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the data stream layer through the BFE and associates the callback function with the sublayer; once the association is complete, whenever the sublayer captures a network data packet the system calls the callback function corresponding to the sublayer to process the network data packet; the callback function of the data stream layer is used to process TCP data packets.
4. The method for monitoring game cheat plug-in behavior based on HTTP traffic URI features according to claim 3, characterized in that step S3 is specifically: step S31, when the callback function of the data stream layer is called, the callback function checks whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the flow proceeds to step S32; otherwise the callback function ends;
Step S32, the callback function parses the packet content according to the HTTP message format, extracts the URI parameter string from the HTTP TCP data packet, then traverses the URI blacklist and compares the URI parameter string with each blacklist item in the URI blacklist; if a blacklist item is identical to the URI parameter string extracted from the TCP data packet, the player is determined to be using a cheat plug-in.
5. The method for monitoring game cheat plug-in behavior based on HTTP traffic URI features according to claim 4, characterized in that the callback function parsing the packet content according to the HTTP message format and extracting the URI parameter string from the HTTP TCP data packet specifically comprises the following steps:
Step 1, using a string matching algorithm, search whether the HTTP TCP data packet contains the string "HTTP/"; if it does not, the process ends; if it does, record the memory address of the first occurrence of the string "HTTP/" and name this memory address Tmp;
Step 2, check whether the offset of Tmp relative to the start address of the HTTP TCP data packet is greater than 4, and whether the offset of the end address of the HTTP TCP data packet relative to Tmp is greater than 8; if the two conditions are not both satisfied, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 3;
Step 3, check whether the data stored at the memory address 8 bytes above Tmp is '0d'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 4;
Step 4, check whether the data stored at the memory address 9 bytes above Tmp is '0a'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 5;
Step 5, check whether the data stored at the memory address 1 byte below Tmp is '20'; if not, the packet is judged to be an abnormal data packet and the process ends; otherwise proceed to step 6;
Step 6, define the byte preceding the memory address of that '20' as the end of the URI string and name it End; taking End as the start address and the start address of the data packet as the termination address, traverse memory backward, from high addresses to low, and search by character comparison for the byte sequence "20 2f"; when the byte sequence "20 2f" is found, set the address storing the character '2f' as the starting point Begin of the URI string to be extracted and proceed to step 7; if the search fails, the packet is judged to be an abnormal data packet and the process ends;
Step 7, the data stored from Begin to End is the URI string to be extracted.
CN201910765184.3A 2019-08-19 2019-08-19 A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature Withdrawn CN110535718A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910765184.3A CN110535718A (en) 2019-08-19 2019-08-19 A kind of plug-in behavior monitoring method of game based on HTTP flow URI feature

Publications (1)

Publication Number Publication Date
CN110535718A true CN110535718A (en) 2019-12-03

Family

ID=68663671

Country Status (1)

Country Link
CN (1) CN110535718A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20191203