CN110602044A - Network threat analysis method and system - Google Patents

Info

Publication number: CN110602044A
Authority: CN (China)
Prior art keywords: detection, file, behavior, network, attack
Legal status: Pending
Application number: CN201910740996.2A
Other languages: Chinese (zh)
Inventors: 陈晖�, 方曦, 邵亮, 喻群, 贾力, 祝嘉伟, 肖乾, 詹乐贵, 魏莉莉, 周子雅, 姜丹
Current assignee: Guizhou Power Grid Co Ltd
Original assignee: Guizhou Power Grid Co Ltd
Priority date: 2019-08-12
Filing date: 2019-08-12
Publication date: 2019-12-20

Classifications (CPC)

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
            • H04L63/1408 ... by monitoring network traffic
            • H04L63/1433 Vulnerability analysis
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                • H04L63/1483 ... service impersonation, e.g. phishing, pharming or web spoofing
        • H04L63/20 ... for managing network security; network security policies in general


Abstract

The invention discloses a network threat analysis method and system. The threat analysis system, called the Threat Analysis Center (TAC), can effectively detect known and unknown malicious software and files entering the network through web pages, e-mail or other online file-sharing channels, and discover APT attack behaviour that exploits 0day vulnerabilities, protecting the client network from the risks that 0day and similar attacks bring. The TAC system adopts a multi-core virtualization platform and achieves higher performance and a higher detection rate through parallel virtual-environment detection and stream processing. The system has four core detection components: a reputation detection engine, a virus detection engine, a static detection engine (including vulnerability detection and shellcode detection) and a dynamic sandbox detection engine. By running these detection technologies in parallel it detects known threats while also effectively detecting 0day and unknown attacks, so that advanced persistent threats can be monitored effectively.

Description

Network threat analysis method and system
Technical Field
The invention belongs to the field of computer network security, and particularly relates to a network threat analysis system which is used for protecting a client network from various risks caused by attacks such as 0day and the like.
Background
Today, governments and businesses alike face an evolving cyber-threat environment. Early hacking attacks sought notoriety and self-satisfaction, typically by attacking media websites; they have since evolved into attacks with economic, political and other motives. Attackers profit directly by stealing intellectual property, break in to steal customers' personal financial data, encrypt documents outright and then extort a ransom, and even disrupt the victim's services and national infrastructure. The change in motivation brings a change in attack mode: within a few years the threat has shifted rapidly from widespread, casual and purposeless attacks to the advanced persistent threat (APT), which has serious consequences for the victim organization. Ransomware, for example, has seen explosive growth in the last two years.
An advanced persistent threat has the following three characteristics:
Advanced: the attacker is an expert in intrusion techniques, can independently develop attack tools or discover vulnerabilities, and reaches a preset target by combining a variety of attack methods and tools.
Persistent: the attacker carries out long-term penetration against a chosen target, continuing the attack without being discovered for maximum effect.
Threat: this is a human attack coordinated and directed by an organizer. The intrusion team has a specific goal and is trained, organized, funded, and politically or economically motivated.
APT threats may bypass traditional security mechanisms such as firewalls, IPS, AV and gatekeepers and silently obtain highly confidential information from enterprises or government agencies. Today's main defensive mechanism is usually built from a firewall or NGFW, intrusion detection, gatekeepers and antivirus software. These products rely on pattern matching against known attack signatures to detect known network attacks and, in some specific cases, may also detect new attacks against known vulnerabilities. Such a solution monitors common known network attacks very efficiently, such as worms, trojan horses, spyware, botnets and ordinary computer viruses, but has no success at all against today's most dangerous threat, the APT. In most cases an APT attack is effectively invisible to the traditional defensive mechanism: because the attack has no signature, the mechanism cannot detect the means the attacker uses in the initial stage, and in the end the attacker can control the network at will.
Some traditional schemes with deeper protection combine IPS or NBA products to perform anomaly detection that assists in finding network attacks. Although a novel APT threat can be detected this way, the method often suffers from false alarms (normal traffic classified as abnormal), so its defensive effect is poor and missed detections are also likely. Precisely because the traditional defensive mechanism lacks the monitoring capability needed against APT attacks, a large number of enterprises with well-established traditional defences have been successfully compromised by APT attackers in recent years.
For APT, various detection or prevention techniques have been proposed by the security community at home and abroad, and security vendors often use a combination of these methods for analysis and monitoring. These techniques include:
first, network analysis using deep packet inspection;
second, automatic static analysis of files;
third, manual analysis based on visualization, alarms and the like.
In use, various problems have been found, including a high false alarm rate, a large volume of false alarms, and excessive demands on security management staff, so that most organizations cannot make the product perform its intended detection function and the product has not been widely accepted by the market.
Disclosure of Invention
The invention aims to solve the problems and innovatively provides a network threat analysis method and system.
The network threat analysis system (hereinafter TAC) adopts a multi-core virtualization platform and achieves higher performance and a higher detection rate through parallel virtual-environment detection and stream processing.
The system has four core detection components: a reputation detection engine, a virus detection engine, a static detection engine (including vulnerability detection and shellcode detection) and a dynamic sandbox detection engine. By running these detection technologies in parallel it detects known threats while also effectively detecting 0day and unknown attacks, so that advanced persistent threats can be monitored effectively.
The main functions include:
Multi-protocol application-layer and file-layer decoding
Analysis of the attack path of advanced persistent threats shows that most attacks arrive through Web browsing, phishing mail and file sharing, so the monitoring system provides decoding and restoring capability for the related application protocols, specifically HTTP, SMTP, POP3, IMAP and FTP.
To detect threats more accurately, the monitoring system takes the attack characteristics of advanced persistent threats into consideration and performs complete file restoration and analysis on the key file types. The system supports decoding of the following file types:
Office: Word, Excel, PowerPoint …
Adobe: .swf, .pdf …
Compression formats: .zip, .rar, .gz, .tar, .7z, .bz …
Pictures: .jpg, .jpeg, .bmp …
Unique reputation design
TAC uses a broad global reputation base to make detection more efficient and accurate. After a file is restored it first enters the reputation detection engine, which performs one lookup against the global reputation library. If the file is a hit, its detection priority in the non-dynamic detection path is raised but the file is not passed to the dynamic detection engine; a hit file can still be manually loaded into the dynamic detection engine to generate a detailed report. The current reputation values mainly comprise the MD5 and CRC32 values of the file, together with information such as its download URL address and IP.
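The reputation gate just described, as an added Python illustration rather than the patent's own code: hash a restored file, look its MD5, CRC32, download URL and source IP up in a reputation library, and decide whether it skips the dynamic engine. The library layout, the priority scale, the `force_dynamic` flag (modelling the manual load) and all sample data are assumptions.

```python
"""Reputation gating of a restored file, following the TAC description:
hash the file (MD5 and CRC32), look those values and the file's download
URL and source IP up in a reputation library, and decide whether the file
skips the dynamic sandbox.  Added illustration, not the patent's code; the
library layout, field names, priority scale and samples are assumed."""
import hashlib
import zlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RestoredFile:
    """A file reconstructed from a network session (assumed structure)."""
    name: str
    data: bytes
    download_url: str
    source_ip: str


@dataclass
class TriageDecision:
    hit: bool = False
    reasons: list = field(default_factory=list)
    static_priority: int = 1      # priority in the non-dynamic detection path
    send_to_sandbox: bool = True  # whether the dynamic detection engine runs it


def reputation_values(f: RestoredFile) -> dict:
    """The reputation values the patent lists: MD5, CRC32, download URL, IP."""
    return {
        "md5": hashlib.md5(f.data).hexdigest(),
        "crc32": f"{zlib.crc32(f.data) & 0xFFFFFFFF:08x}",
        "url": f.download_url,
        "ip": f.source_ip,
    }


def add_known_bad(library: dict, label: str, data: Optional[bytes] = None,
                  url: Optional[str] = None, ip: Optional[str] = None) -> None:
    """Register the indicators of a known-bad sample in the library."""
    if data is not None:
        library.setdefault("md5", {})[hashlib.md5(data).hexdigest()] = label
        library.setdefault("crc32", {})[f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"] = label
    if url is not None:
        library.setdefault("url", {})[url] = label
    if ip is not None:
        library.setdefault("ip", {})[ip] = label


# Constructed reputation library: a deployment would be fed from a global
# reputation service; here it holds one known dropper and its bad source.
KNOWN_DROPPER = b"MZ\x90\x00constructed-known-dropper-sample"
REPUTATION_LIBRARY: dict = {}
add_known_bad(REPUTATION_LIBRARY, "known dropper (constructed)",
              data=KNOWN_DROPPER, url="http://bad.example/invoice.exe",
              ip="203.0.113.7")


def reputation_triage(f: RestoredFile, library: dict = REPUTATION_LIBRARY,
                      force_dynamic: bool = False) -> TriageDecision:
    """Look every reputation value up once.  A hit raises the static-path
    priority and keeps the file out of the sandbox unless an analyst forces
    it (force_dynamic models the manual load into the dynamic engine)."""
    decision = TriageDecision()
    for kind, value in reputation_values(f).items():
        label = library.get(kind, {}).get(value)
        if label is not None:
            decision.hit = True
            decision.reasons.append(f"{kind}={value}: {label}")
    if decision.hit:
        decision.static_priority = 10   # assumed scale: 10 = front of the queue
        decision.send_to_sandbox = force_dynamic
    return decision
```

A file that is unknown by hash but arrives from a listed URL or IP is still a hit on that indicator alone, which is what makes the URL and IP fields worth keeping in the library.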
Integration of multiple known-threat detection technologies: AV and vulnerability-based static detection
To detect known and unknown malicious software more comprehensively, the system has a built-in AV detection module and a vulnerability-based static detection module.
Dynamic sandbox detection
Dynamic sandbox detection, also known as virtual execution detection, establishes a number of different application environments with virtual machine technology and observes the behaviour of a program inside them to determine whether an attack exists. The method can detect known and unknown threats and, because it analyses the real behaviour in a real application environment, it can achieve an extremely low false alarm rate together with a high detection rate.
Complete virtual environment
At present most typical APT attacks deliver malicious code to intranet terminals by phishing mail, enticing websites and similar means, and TAC supports typical Internet transport protocols such as http, pop3, smtp, imap and smb. TAC has a built-in static detection engine that forms a lightweight virtual environment by simulating the CPU instruction set, which is how it addresses these attacks.
Multi-core virtualization platform
The system is designed to run many virtual machines on one machine and to use the parallel virtual machines to accelerate the execution of detection tasks, giving a scalable platform that can process real-world high-speed network traffic so that threat monitoring is timely and effective.
Drawings
The features and advantages of the present invention will become more readily appreciated from the detailed description section provided below with reference to the drawings, in which:
FIG. 1 is a schematic flow chart of a cyber-threat analysis method provided by the present invention;
FIG. 2 is a schematic flow chart of a cyber-threat analysis method according to the present invention;
FIG. 3 is a schematic structural diagram of a cyber-threat analysis system provided by the present invention;
FIG. 4 is a diagram of a multi-core platform architecture of a cyber-threat analysis system according to the present invention;
Detailed Description
To solve the problems in the prior art, an embodiment of the present invention provides a method for analysing a cyber threat, which may specifically include the following steps, as shown in fig. 1:
Step 1: reconstruct and restore files from the network behaviour of a computer system.
Specifically, analysis of the attack path of advanced persistent threats shows that most attacks arrive through Web browsing, phishing mail and file sharing, and the monitoring system provides decoding and restoring capability for the related application protocols, specifically HTTP, SMTP, POP3, IMAP, FTP, etc.
Further, to detect threats more accurately, the analysis system takes the attack characteristics of advanced persistent threats into consideration and performs complete file restoration and analysis on the key file types. The system supports decoding of the following file types:
Office: Word, Excel, PowerPoint …
Adobe: .swf, .pdf …
Compression formats: .zip, .rar, .gz, .tar, .7z, .bz …
Pictures: .jpg, .jpeg, .bmp …
Step 2: send the file to the dynamic sandbox detection environment.
Optionally, after the file is restored and before it is sent to the dynamic sandbox detection environment, reputation detection is performed first: one lookup is made against the global reputation library. If the file is a hit, its detection priority in the non-dynamic environment is raised but the file is not placed in the dynamic detection engine; a hit file can still be manually loaded into the dynamic detection engine to generate a detailed report. The current reputation values mainly comprise the MD5 and CRC32 values of the file, together with information such as its download URL address and IP.
Step 3: the dynamic sandbox detection environment forms a corresponding lightweight virtual environment for each file type by simulating the CPU instruction set.
Specifically, dynamic sandbox detection, also called virtual execution detection, establishes a number of different application environments with virtual machine technology and observes the behaviour of a program inside them to determine whether an attack exists. The method can detect known and unknown threats and, because it analyses the real behaviour in a real application environment, it can achieve an extremely low false alarm rate together with a high detection rate.
APT attacks deliver malicious code to intranet terminals by phishing mail, enticing websites and other means, and TAC supports typical Internet transport protocols such as http, pop3, smtp, imap and smb. TAC has a built-in static detection engine that forms different lightweight virtual environments by simulating the CPU instruction set, which addresses these attacks.
Further, many APT security incidents start from weakly defended end users, so TAC supports multiple terminal virtual operating systems such as WINXP, WIN7 and Android.
Furthermore, many virtual machines run on one machine and the parallel virtual machines accelerate the execution of detection tasks, giving a scalable platform that can process real-world high-speed network traffic so that threat monitoring is timely and effective. The detection strategy of the threat analysis is executed by a specially designed virtual machine hypervisor that supports a large number of parallel execution environments, each a virtual machine comprising an operating system, update packages and a combination of applications. Each virtual machine uses its contained environment to identify malware and its critical behavioural characteristics. This design achieves parallel processing of many concurrent flows across many virtual execution environments, improving both performance and detection rate.
Step 4: perform real-time instruction-level analysis of the file's behaviour in the virtual environment to find behavioural characteristics that belong to an attack threat.
Specifically, the dynamic sandbox detection process has instruction-level code analysis capability and can track and analyse both instruction characteristics and behavioural characteristics. The instruction characteristics include code execution in the heap and the stack, and so on; various exploitation behaviours such as overflow attacks, and hence 0day vulnerabilities, can be found through abnormal changes of the memory space during instruction execution. The detection process tracks the following behavioural characteristics at the same time:
process creation, suspension and injection;
service and driver creation;
registry access and overwrite;
file access, rewrite and download;
program port listening;
network access behaviour, etc.
From these behavioural characteristics the system comprehensively analyses and finds those belonging to an attack threat, and so discovers malicious software such as 0day Trojan horses. After discovering the malware, the system continues to observe its further behaviour, including network, file, process and registry activity, and outputs this to the security administrator as part of the alarm content, which makes tracing and auditing convenient. The network characteristics of the malware's connection to its C&C (command and control) server can further be used to discover and track the botnet.
Step 5: form an audit report from the behavioural characteristics found to belong to an attack threat.
Specifically, for an effective security response the monitoring process needs to provide detailed alarm information so that the responding security staff can work purposefully. The alarm information may include: whether the registry was modified, whether a new process was created, whether an outbound connection to a command and control server was attempted, whether other machines can be infected directly, and the like. The system should monitor the malware for such activity as far as possible and output it to the security administrator as part of the alarm.
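As an added Python example of steps 4 and 5 (not the patent's or the TAC product's own code), the block below maps a constructed sandbox event trace onto the behaviour classes listed above and fills in the alarm fields named for the audit report. The event-line format, the event names, the intranet address ranges and the trace itself are assumptions.

```python
"""Steps 4 and 5: map the events recorded while a file runs in the sandbox
onto the behaviour classes the patent tracks (process, service/driver,
registry, file, port, network), then fill the alarm fields it names for
the audit report.  Added illustration, not the patent's code; the
event-line format, event names, intranet ranges and trace are assumed."""
import ipaddress
from collections import defaultdict

# Behaviour class per sandbox event type (event names are assumed).
BEHAVIOR_CLASS = {
    "process_create": "process", "process_suspend": "process",
    "process_inject": "process",
    "service_create": "service_driver", "driver_load": "service_driver",
    "registry_read": "registry", "registry_set": "registry",
    "file_read": "file", "file_write": "file", "file_download": "file",
    "port_listen": "port",
    "net_connect": "network",
}

# Address ranges of the protected intranet (assumed); connections to any
# other address are reported as possible command-and-control traffic.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
LATERAL_PORTS = {139, 445}  # SMB to an internal host: can infect other machines

# Constructed sandbox trace, one "seconds|event|detail" line per event.
SAMPLE_TRACE = """\
0.01|process_create|C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe
0.20|file_write|C:\\Users\\u\\AppData\\Roaming\\svc.exe
0.25|registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
0.30|process_create|C:\\Users\\u\\AppData\\Roaming\\svc.exe
0.40|process_inject|explorer.exe
0.50|service_create|svcupd
0.60|port_listen|4444
0.70|net_connect|203.0.113.7:443
0.80|net_connect|10.0.0.5:445
"""


def parse_trace(text: str) -> list:
    """Parse trace lines into {ts, kind, detail} records; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append({"ts": float(ts), "kind": kind, "detail": detail})
    return events


def classify(events: list) -> dict:
    """Group events by the behaviour class the patent tracks."""
    by_class = defaultdict(list)
    for e in events:
        by_class[BEHAVIOR_CLASS.get(e["kind"], "other")].append(e)
    return dict(by_class)


def _endpoint(detail: str):
    """'ip:port' -> (ip_address, port); IPv4 only in this illustration."""
    host, _, port = detail.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def is_internal(ip) -> bool:
    return any(ip in net for net in INTRANET)


def build_audit_report(file_name: str, events: list) -> dict:
    """Step 5: the alarm fields the description names, plus the C&C
    endpoints for botnet tracking and the timeline for tracing and audit."""
    by_class = classify(events)
    kinds = {cls: {e["kind"] for e in evs} for cls, evs in by_class.items()}
    connects = [_endpoint(e["detail"]) for e in by_class.get("network", [])]
    c2 = [f"{ip}:{port}" for ip, port in connects if not is_internal(ip)]
    lateral = [f"{ip}:{port}" for ip, port in connects
               if is_internal(ip) and port in LATERAL_PORTS]
    alarm = {
        "registry_modified": "registry_set" in kinds.get("registry", set()),
        "new_process_created": "process_create" in kinds.get("process", set()),
        "process_injection": "process_inject" in kinds.get("process", set()),
        "service_or_driver_installed": bool(by_class.get("service_driver")),
        "port_listening": [e["detail"] for e in by_class.get("port", [])],
        "cc_connection_attempted": bool(c2),
        "can_infect_other_hosts": bool(lateral),
    }
    threat = (alarm["process_injection"] or alarm["service_or_driver_installed"]
              or alarm["cc_connection_attempted"] or alarm["can_infect_other_hosts"])
    return {
        "file": file_name,
        "verdict": "attack threat" if threat else "no attack behaviour observed",
        "behavior_counts": {cls: len(evs) for cls, evs in by_class.items()},
        "alarm": alarm,
        "cc_indicators": c2,      # network characteristics for botnet tracking
        "lateral_targets": lateral,
        "timeline": [(e["ts"], e["kind"], e["detail"]) for e in events],
    }
```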
As another embodiment of the invention, the analysis method adds a file decoding function on top of traditional ShellCode detection, restoring the attack function field by decoding the different file formats so that known and unknown threats can still be detected in new situations.
As another embodiment of the present invention, the analysis method further uses AV antivirus detection and vulnerability-based static detection.
The AV detection uses heuristic file scanning technology; it can detect and remove millions of viruses carried over protocols such as HTTP, SMTP, POP3 and FTP, including Trojans, worms, macro viruses and script viruses, and it handles multithreaded concurrency and deeply nested compressed files effectively.
Static vulnerability detection differs from detection based on attack signatures: it focuses on the characteristics of vulnerability exploitation, such as the overflow caused in an attack. Although those characteristics must be based on known vulnerability information, detection precision is high, and one detection rule can completely cover the different malware samples that exploit the same vulnerability. Static vulnerability detection therefore not only targets known vulnerabilities and known malware but also detects part of the unknown malware well.
The invention also provides a network threat analysis system, which comprises:
a file acquisition module, a file sending module, a dynamic sandbox detection engine, a threat analysis module and a report generation module, which respectively execute the functions of steps 1 to 5 of the method and are not described again here.
Furthermore, the network threat analysis system also comprises a reputation detection engine, a virus detection engine and a static detection engine.
The reputation detection engine performs reputation detection: one lookup is made against the global reputation library. If the file is a hit, its detection priority in the non-dynamic environment is raised but the file is not put into the dynamic detection engine; a hit file can still be manually loaded into the dynamic detection engine to generate a detailed report. The current reputation values mainly comprise the MD5 and CRC32 values of the file, together with information such as its download URL address and IP.
The virus detection engine includes an AV detection module. The AV module uses heuristic file scanning technology; it can detect and remove millions of viruses carried over protocols such as HTTP, SMTP, POP3 and FTP, including Trojans, worms, macro viruses and script viruses, and it handles multithreaded concurrency and deeply nested compressed files effectively.
The static detection engine focuses on the characteristics of vulnerability exploitation, such as the overflow caused in an attack threat. Although those characteristics must be based on known vulnerability information, detection precision is high, and one detection rule can completely cover the different malware samples that exploit the same vulnerability; the static detection engine therefore not only targets known vulnerabilities and known malware but also detects part of the unknown malware well.
Furthermore, the static detection engine can also execute intelligent ShellCode detection: a file decoding function is added on top of traditional ShellCode detection, and the attack function field is restored by decoding the different file formats so that known and unknown threats can still be detected in new situations. In the system this mode serves as a useful supplement to sandbox detection, giving the system stronger detection capability and improving the attack detection rate.
While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the specific embodiments described and illustrated in detail herein, and that various changes may be made therein by those skilled in the art without departing from the scope of the invention as defined by the appended claims.

Claims (10)

1. A cyber-threat analysis method, the method comprising the steps of:
step 1, reconstructing and restoring files according to network behaviors of a computer system;
step 2, sending the file to a dynamic sandbox detection environment;
step 3, the dynamic sandbox detection environment respectively forms corresponding lightweight virtual environments in a mode of simulating a CPU instruction set according to different types of the files;
step 4, in the virtual environment, performing real-time instruction level analysis on the file behaviors to find behavior characteristics belonging to attack threats;
step 5, forming an audit report according to the behavior characteristics and sending the audit report to a user.
2. The method of claim 1, wherein prior to sending the file to the dynamic sandbox environment, sending the file to a reputation detection engine, detecting using information from the global reputation base, and raising a detection priority in the non-dynamic environment if the file hits.
3. The method of claim 2, wherein files hit by the reputation detection engine can be manually loaded into a dynamic sandbox detection environment for detection to generate detailed audit reports.
4. The method of claim 2, wherein the reputation detection engine detects reputation values for the file, the reputation values comprising an MD5 value, a CRC32 value, a download URL address, and IP information for the file.
5. The method of claim 1, further comprising killing viruses carried in the network behavior and detecting vulnerabilities in the network behavior.
6. The method of claim 1, wherein the restored file is decoded to restore the ShellCode of the attack function field.
7. The method of claim 1, wherein the behavior for the file comprises access, rewrite, and download operations for the file.
8. The method of claim 7, wherein the behavior for the file further includes creation, suspension, and injection of related processes; creation of a service or drive; accessing and rewriting a registry; monitoring a program port; a network access behavior.
9. The method of claim 1, wherein the instruction level analysis comprises: tracking and analyzing instruction characteristics and behavior characteristics, including code execution conditions in a stack and a heap; and discovering the vulnerability exploitation behavior through the abnormal change of the memory space in the instruction operation, thereby discovering the 0day vulnerability.
10. A cyber-threat analysis system, the system comprising:
the system comprises a file acquisition module, a file sending module, a dynamic sandbox detection engine, a threat analysis module and a report generation module;
the file acquisition module reconstructs and restores files according to the network behavior of the computer system;
the file sending module sends the file to a dynamic sandbox detection environment;
the dynamic sandbox detection engine respectively forms corresponding lightweight virtual environments in a mode of simulating a CPU instruction set according to different types of the files;
the threat analysis module carries out real-time instruction level analysis on the file behaviors in the virtual environment to find behavior characteristics belonging to attack threats;
and the report generation module forms an audit report according to the behavior characteristics and sends the audit report to a user.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910740996.2A (CN110602044A) | 2019-08-12 | 2019-08-12 | Network threat analysis method and system

Publications (1)

Publication Number | Publication Date
CN110602044A | 2019-12-20

Family ID: 68853908

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201910740996.2A | Pending | CN110602044A (en) | 2019-08-12 | 2019-08-12 | Network threat analysis method and system

Country Status (1)

Country | Link
CN (1) | CN110602044A (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105491002A (en) * | 2015-06-19 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Advanced threat tracing method and system
CN106341282A (en) * | 2016-11-10 | 2017-01-18 | 广东电网有限责任公司电力科学研究院 | Malicious code behavior analyzer
CN106611122A (en) * | 2015-10-27 | 2017-05-03 | 国家电网公司 | Virtual execution-based unknown malicious program offline detection system
CN106878301A (en) * | 2017-02-13 | 2017-06-20 | 国网江西省电力公司信息通信分公司 | Detection method and system for advanced persistent threats
CN106888196A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | Coordinated defense system for unknown threat detection
CN109074454A (en) * | 2016-02-29 | 2018-12-21 | 帕洛阿尔托网络公司 | Automatic grouping of malware based on artifacts


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
覃杨 et al.: "Cable channel vibration identification and early-warning system based on optical fiber interference", 《电力大数据》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111880942A (en) * 2020-08-03 2020-11-03 北京天融信网络安全技术有限公司 Network threat processing method and device
CN112235242A (en) * 2020-09-08 2021-01-15 中国科学院信息工程研究所 C & C channel detection method and system
CN112738118A (en) * 2020-12-30 2021-04-30 北京天融信网络安全技术有限公司 Network threat detection method, device, system, electronic equipment and storage medium
CN112738118B (en) * 2020-12-30 2023-08-29 北京天融信网络安全技术有限公司 Network threat detection method, device and system, electronic equipment and storage medium
CN113067840A (en) * 2021-06-03 2021-07-02 江苏天翼安全技术有限公司 Method for realizing cloud plug-in vulnerability response honey net architecture
CN114629711A (en) * 2022-03-21 2022-06-14 广东云智安信科技有限公司 Method and system for detecting special Trojan horse of Windows platform
CN114629711B (en) * 2022-03-21 2024-02-06 广东云智安信科技有限公司 Method and system for detecting special Trojan horse on Windows platform
CN114662111A (en) * 2022-05-18 2022-06-24 成都数默科技有限公司 Malicious code software gene homology analysis method
CN114662111B (en) * 2022-05-18 2022-08-09 成都数默科技有限公司 Malicious code software gene homology analysis method
CN116760624A (en) * 2023-07-17 2023-09-15 江南信安(北京)科技有限公司 Network worm detection method, system, storage medium and electronic equipment
CN116760624B (en) * 2023-07-17 2024-02-27 江南信安(北京)科技有限公司 Network worm detection method, system, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
Kiwia et al. A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence
CN110602044A (en) Network threat analysis method and system
KR101057432B1 (en) System, method, program and recording medium for detection and blocking the harmful program in a real-time throught behavior analysis of the process
CN108259449B (en) Method and system for defending against APT (android packet) attack
US20160078229A1 (en) System And Method For Threat Risk Scoring Of Security Threats
Zimba Malware-free intrusion: a novel approach to ransomware infection vectors
Kaur et al. Automatic attack signature generation systems: A review
CN104506495A (en) Intelligent network APT attack threat analysis method
US11909761B2 (en) Mitigating malware impact by utilizing sandbox insights
CN108369541B (en) System and method for threat risk scoring of security threats
Grégio et al. Toward a taxonomy of malware behaviors
US11636208B2 (en) Generating models for performing inline malware detection
Varlioglu et al. The dangerous combo: Fileless malware and cryptojacking
Umar et al. Analysis of conti ransomware attack on computer network with live forensic method
Sequeira Intrusion prevention systems: security's silver bullet?
Deng et al. Lexical analysis for the webshell attacks
Borana et al. An assistive tool for fileless malware detection
Zou et al. Automatic recognition of advanced persistent threat tactics for enterprise security
Pandey et al. A lifecycle based approach for malware analysis
Polychronakis et al. An Empirical Study of Real-world Polymorphic Code Injection Attacks.
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
Kono et al. An unknown malware detection using execution registry access
Chen et al. A proactive approach to intrusion detection and malware collection
Jayan et al. Sys-log classifier for complex event processing system in network security
Singhal Analysis and Categorization of Drive-By Download Malware Using Sandboxing and Yara Ruleset

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220