CN111083159A - Intrusion detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111083159A
Authority
CN
China
Prior art keywords
information
network connection
thread
new
screen locking
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201911374761.2A
Other languages
Chinese (zh)
Inventor
刘佳男
曹鑫磊
李柏松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The embodiment of the invention discloses an intrusion detection method, an intrusion detection device and a storage medium, relates to the technical field of network security, and can find intrusion behaviour in time while the system screen is locked. The method comprises the following steps: recording the process, thread and/or network connection condition before the system locks the screen to form first related information; if a screen locking operation is monitored, recording the process, thread and/or network connection condition after the screen locking in real time to form second related information; comparing the first related information with the second related information, and if the two cannot be completely matched, judging that a new process, a new thread and/or a new network connection exists; analyzing, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program.

Description

Intrusion detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for intrusion detection, an electronic device, and a storage medium.
Background
With the rapid development of the information age and the rapid progress of computer technology, more and more convenience is brought to the life of people. However, the influence and harm of computer viruses on individuals, society and even countries are increasing, and the technology for preventing computer virus intrusion needs to be promoted more quickly.
At present, information security vendors basically perform intrusion detection on the basis of traffic and the endpoint side, or by signature (feature code) matching. These techniques can detect intrusion while the computer is in normal use, but intrusion behaviour is difficult to discover in time when the computer is locked.
Disclosure of Invention
In view of this, embodiments of the present invention provide an intrusion detection method, an intrusion detection apparatus, an electronic device, and a storage medium, which can discover an intrusion behavior in time in a system screen lock state.
The embodiment of the invention provides an intrusion detection method, which comprises the following steps:
recording the process, thread and/or network connection condition before the system locks the screen to form first related information;
if a screen locking operation is monitored, recording the process, thread and/or network connection condition after the screen locking in real time to form second related information;
comparing the first related information with the second related information, and if the two cannot be completely matched, judging that a new process, a new thread and/or a new network connection exists;
analyzing, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program.
Further, the process, thread and/or network connection condition includes: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
Further, the analyzing whether the new process, the thread and/or the network connection is a normal program based on the multi-element joint analysis specifically includes:
extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information;
jointly judging whether a new process, a thread and/or a network connection is a normal program or not based on one or more than two items of information in the multi-element information;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection;
the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship;
the other specified information includes but is not limited to: white list and black list.
The above method embodiment further includes: if the program is normal, popping up relevant data information during monitoring after the screen is unlocked; and if the program is not a normal program, popping up alarm prompt information after the screen is unlocked.
In a second aspect, an embodiment of the present invention provides an apparatus for intrusion detection, including:
a pre-screen-locking recording module, configured to record the process, thread and/or network connection condition of the system before screen locking to form first related information;
the screen locking recording module is used for recording the process, the thread and/or the network connection condition after the screen locking in real time if the screen locking operation is monitored, so as to form second related information;
the information comparison and judgment module is used for comparing the first related information with the second related information, and judging that a new process, a new thread and/or a new network connection exist if the first related information and the second related information cannot be completely matched;
and the multi-element joint analysis module is used for analyzing whether the new process, the new thread and/or the new network connection is a normal program or not based on multi-element joint analysis.
Further, the process, thread and/or network connection condition includes: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
Further, the multi-element joint analysis module is specifically configured to:
extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information;
jointly judging whether a new process, a thread and/or a network connection is a normal program or not based on one or more than two items of information in the multi-element information;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection;
the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship;
the other specified information includes but is not limited to: white list and black list.
In the above device embodiment, the method further includes: the information prompting module is used for popping up related data information during monitoring after the screen is unlocked if the program is normal; and if the program is not a normal program, popping up alarm prompt information after the screen is unlocked.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing any one of the above-mentioned intrusion detection methods.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method for intrusion detection according to any one of the foregoing implementation manners.
According to the intrusion detection method, the intrusion detection device, the electronic device and the storage medium of the embodiments, the related information of processes, threads and/or network connections in the system before and after screen locking is compared, and if new processes, threads and/or network connections are found, whether they are normal programs is judged by a multi-element joint analysis method. The embodiments do not rely on the traditional traffic, endpoint or signature based detection methods and therefore have wide applicability; they not only discover intrusion behaviour in time after the system is locked, but also, because the information to be monitored is small in volume and relatively fixed, do not occupy much system memory and do not affect normal use of the system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of an embodiment of a method of intrusion detection according to the present invention;
FIG. 2 is a flowchart of a method of intrusion detection according to another embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an intrusion detection apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, an embodiment of the present invention provides an intrusion detection method, which is capable of discovering an intrusion behavior in time after a system is locked.
Fig. 1 is a flowchart of an embodiment of a method for intrusion detection according to the present invention, including:
S101: recording the process, thread and/or network connection condition before the system locks the screen to form first related information.
S102: if a screen locking operation is monitored, recording the process, thread and/or network connection condition after the screen locking in real time to form second related information.
S103: comparing the first related information with the second related information, and if the two cannot be completely matched, judging that a new process, thread and/or network connection exists.
S104: analyzing, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program.
Preferably, the process, thread and/or network connection condition includes: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
Preferably, the analyzing whether the new process, the thread and/or the network connection is a normal program based on the multi-element joint analysis specifically includes:
extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information;
jointly judging whether a new process, a thread and/or a network connection is a normal program or not based on one or more than two items of information in the multi-element information;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection;
the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship;
the other specified information includes but is not limited to: white list and black list.
The above method embodiment further includes: if the program is normal, popping up relevant data information during monitoring after the screen is unlocked; and if the program is not a normal program, popping up alarm prompt information after the screen is unlocked.
This embodiment judges whether a new process, thread and/or network connection is a normal program by a multi-element joint analysis method, so that intrusion behaviour can be found in time after the system is locked; the intrusion detection is not based on traffic, endpoint or signature, so the method has wider applicability; and the monitored data is limited, so normal use of the system is not affected.
Fig. 2 is a flowchart of a method of detecting intrusion according to another embodiment of the present invention, including:
S201: recording the process, thread and/or network connection condition before the system locks the screen to form first related information.
Wherein the process, thread and/or network connection condition comprises: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
S202: if the screen locking process is started, recording the process, thread and/or network connection condition after the screen locking in real time to form second related information. The screen locking process includes but is not limited to: logout under Linux, winlogon.exe under Windows.
S203: comparing the first related information with the second related information and judging whether they match completely; if so, continuing to execute step S207, and if not, judging that a new process, thread and/or network connection exists.
An incomplete match means that one or more items of data differ between the first related information and the second related information, or that completely new information appears in the second related information.
S204: extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information.
The file attribute information, the associated information and/or other designated information may be added or deleted according to actual requirements, and the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection; the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship; the other specified information includes but is not limited to: white list and black list.
For example: if it has been determined in the preceding step that a new network connection exists, the multi-element information related to that network connection is extracted, including the file attribute information: the IP or port number associated with the network connection.
S205: jointly judging whether the new process, thread and/or network connection is a normal program based on one or more items of the multi-element information; if so, continuing to execute S207, otherwise continuing to execute S206.
For example: judging whether the IP related to the network connection in the file attribute information is in the white list among the other specified information, and if so, continuing to check whether the port number related to the network connection is in that white list. If the white list contains the three port numbers 80, 800 and 8080, programs using those ports are all regarded as normal programs; once a connection to the machine on port 6677, which is outside the white list, is found, the program is determined to be an abnormal program.
S206: recording alarm information.
S207: judging whether the screen locking process has exited; if so, popping up the related data information recorded during monitoring, otherwise continuing to execute S202.
This embodiment judges whether a new process, thread and/or network connection is a normal program by a multi-element joint analysis method, so that intrusion behaviour can be found in time after the system is locked; the intrusion detection is not based on traffic, endpoint or signature, so the method has wider applicability; and the monitored data is limited, so normal use of the system is not affected.
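The S201 to S207 procedure above (and the S101 to S104 outline of the first embodiment), as an added Python illustration that is not part of the patent or of any Antiy implementation: a constructed pre-lock snapshot serves as the first related information, later snapshots are compared against it while a lock-screen process (winlogon.exe or logout) is present, and the white-list judgement from the example is applied, where ports 80, 800 and 8080 pass and a connection on port 6677 raises an alarm. The PIDs, process paths and the address 10.0.0.5 are constructed sample values.

```python
"""Added illustration (not the patent's own code) of the before/after lock-screen comparison.
Sample data is constructed; lock-screen process names and the port white list follow the text."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class ProcessInfo:
    """Subset of the per-process fields the patent lists: PID, path and file size."""
    pid: int
    path: str
    size: int

@dataclass(frozen=True)
class Connection:
    pid: int
    ip: str
    port: int

@dataclass
class Snapshot:
    """'Related information': process table and connection table at one instant."""
    processes: Dict[int, ProcessInfo]
    connections: FrozenSet[Connection]

@dataclass(frozen=True)
class Policy:
    """'Other specified information': white and black lists used by the joint judgement."""
    ip_whitelist: FrozenSet[str]
    port_whitelist: FrozenSet[int]
    path_whitelist: FrozenSet[str]
    path_blacklist: FrozenSet[str] = frozenset()

LOCK_SCREEN_PROCESSES = {"winlogon.exe", "logout"}  # S202: Windows / Linux lock-screen processes

def lock_screen_active(snap: Snapshot) -> bool:
    """The monitored window lasts while a lock-screen process is present (S202, S207)."""
    names = (p.path.replace("\\", "/").rsplit("/", 1)[-1].lower() for p in snap.processes.values())
    return any(n in LOCK_SCREEN_PROCESSES for n in names)

def judge_connection(conn: Connection, policy: Policy) -> Tuple[str, str]:
    """S205 worked example: the IP must be on the white list, then the port must be too."""
    if conn.ip not in policy.ip_whitelist:
        return "abnormal", f"remote IP {conn.ip} not on white list"
    if conn.port not in policy.port_whitelist:
        return "abnormal", f"port {conn.port} not on white list"
    return "normal", "IP and port on white list"

def judge_process(proc: ProcessInfo, policy: Policy) -> Tuple[str, str]:
    """Joint judgement on a process path against the black list and the white list."""
    if proc.path in policy.path_blacklist or proc.path not in policy.path_whitelist:
        return "abnormal", "path on black list or absent from white list"
    return "normal", "path on white list"

def analyze(before: Snapshot, after: Snapshot, policy: Policy) -> List[dict]:
    """S203-S205: every new or changed process and every new connection in the second
    record is an incomplete match; each one is judged and reported with its reason."""
    findings = []
    for pid, p in after.processes.items():
        if pid in before.processes and before.processes[pid] == p:
            continue  # unchanged entry: both records match on this item
        kind = "new_process" if pid not in before.processes else "changed_process"
        verdict, reason = judge_process(p, policy)
        findings.append({"kind": kind, "subject": f"pid {pid} {p.path}",
                         "verdict": verdict, "reason": reason})
    for c in sorted(after.connections - before.connections, key=lambda c: (c.pid, c.ip, c.port)):
        verdict, reason = judge_connection(c, policy)
        findings.append({"kind": "new_connection", "subject": f"pid {c.pid} -> {c.ip}:{c.port}",
                         "verdict": verdict, "reason": reason})
    return findings

def monitor(baseline: Snapshot, samples: List[Snapshot], policy: Policy):
    """S201-S207 loop over samples taken while locked; returns (all findings, alarms)."""
    seen, alarms = [], []
    for snap in samples:
        if not lock_screen_active(snap):
            break  # S207: lock-screen process exited; findings are shown after unlock
        for f in analyze(baseline, snap, policy):
            if f not in seen:
                seen.append(f)
                if f["verdict"] == "abnormal":
                    alarms.append(f)  # S206: record alarm information
    return seen, alarms

# Constructed sample: baseline before lock, two samples while locked, then the unlocked state.
SYS32 = r"C:\Windows\System32"
POLICY = Policy(frozenset({"10.0.0.5"}), frozenset({80, 800, 8080}),
                frozenset({SYS32 + r"\svchost.exe", SYS32 + r"\winlogon.exe"}))
SVCHOST = ProcessInfo(4, SYS32 + r"\svchost.exe", 55_000)
WINLOGON = ProcessInfo(2, SYS32 + r"\winlogon.exe", 700_000)
INTRUDER = ProcessInfo(99, r"C:\Users\Public\update.exe", 120_000)  # constructed, not a real IoC
OK_CONN = Connection(4, "10.0.0.5", 80)
BEFORE = Snapshot({4: SVCHOST}, frozenset({OK_CONN}))
LOCKED_1 = Snapshot({2: WINLOGON, 4: SVCHOST}, frozenset({OK_CONN, Connection(4, "10.0.0.5", 8080)}))
LOCKED_2 = Snapshot({2: WINLOGON, 4: SVCHOST, 99: INTRUDER},
                    frozenset({OK_CONN, Connection(99, "10.0.0.5", 6677)}))

def run_demo():
    # Replays the samples; the final BEFORE-like state ends the lock-screen window (S207).
    return monitor(BEFORE, [LOCKED_1, LOCKED_2, BEFORE], POLICY)
```

The two normal findings (winlogon.exe appearing, svchost.exe opening port 8080) are what the patent shows as related data after unlock; the two abnormal ones are the alarm prompts.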
In a second aspect, an embodiment of the present invention provides an intrusion detection apparatus, which is capable of discovering an intrusion behavior in time after a system is locked.
Fig. 3 is a schematic structural diagram of an intrusion detection apparatus according to an embodiment of the present invention, including:
the pre-screen-locking recording module 301 is configured to record a process, a thread and/or a network connection condition of the system before screen locking, and form first related information;
the after-screen-locking recording module 302 is configured to record a process, a thread and/or a network connection condition after screen locking in real time if a screen locking operation is monitored, so as to form second related information;
the information comparison and determination module 303 is configured to compare the first related information with the second related information, and determine that a new process, thread, and/or network connection exists if the first related information and the second related information cannot be completely matched;
a multi-element joint analysis module 304 for analyzing whether the new process, thread and/or network connection is a normal program based on the multi-element joint analysis.
Preferably, the process, thread and/or network connection condition includes: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
Preferably, the multi-element joint analysis module is specifically configured to:
extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information;
jointly judging whether a new process, a thread and/or a network connection is a normal program or not based on one or more than two items of information in the multi-element information;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection;
the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship;
the other specified information includes but is not limited to: white list and black list.
In the above device embodiment, the method further includes: the information prompting module is used for popping up related data information during monitoring after the screen is unlocked if the program is normal; and if the program is not a normal program, popping up alarm prompt information after the screen is unlocked.
This embodiment judges whether a new process, thread and/or network connection is a normal program by a multi-element joint analysis method, so that intrusion behaviour can be found in time after the system is locked; the intrusion detection is not based on traffic, endpoint or signature, so the method has wider applicability; and the monitored data is limited, so normal use of the system is not affected.
In a third aspect, an embodiment of the present invention further provides an electronic device, which can discover an intrusion behavior in time after a system is locked.
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device of the present invention, where the electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to each circuit or device of the electronic apparatus; the memory 43 is used for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, and is used for executing the method for intrusion detection according to any of the foregoing embodiments.
For the specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code, reference may be made to the description of the embodiment shown in fig. 1 and 2 of the present invention, which is not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) a mobile communication device: such devices are characterized by mobile communications capabilities and are primarily targeted at providing voice, data communications. Such terminals include: smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) Ultra mobile personal computer device: the equipment belongs to the category of personal computers, has calculation and processing functions and generally has the characteristic of mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as ipads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device comprises: audio, video players (e.g., ipods), handheld game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with data interaction function.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method for intrusion detection according to any one of the foregoing implementation manners.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the method embodiment, since it is substantially similar to the apparatus embodiment, the description is simple, and the relevant points can be referred to the partial description of the apparatus embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of intrusion detection, comprising:
recording the process, thread and/or network connection condition before the system locks the screen to form first related information;
if a screen locking operation is monitored, recording the process, thread and/or network connection condition after the screen locking in real time to form second related information;
comparing the first related information with the second related information, and if the two cannot be completely matched, judging that a new process, a new thread and/or a new network connection exists;
analyzing, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program.
2. The method of claim 1, wherein the process, thread, and/or network connection condition comprises: the data volume of the current system process, the process ID, the loaded module information, the service starting information, the process path, the file name, the size, the attribute, the IP related to the network connection and the port number.
3. The method of claim 1, wherein analyzing, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program comprises:
extracting multi-element information related to new processes, threads, and/or network connections, including: file attribute information, association information, and/or other specified information;
jointly judging whether a new process, a thread and/or a network connection is a normal program or not based on one or more than two items of information in the multi-element information;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, IP or port number related to network connection;
the associated information includes but is not limited to: a called relationship, a loaded relationship, or an executed relationship;
the other specified information includes but is not limited to: white list and black list.
4. The method of any of claims 1-3, further comprising: if the program is normal, popping up relevant data information during monitoring after the screen is unlocked; and if the program is not a normal program, popping up alarm prompt information after the screen is unlocked.
5. An apparatus for intrusion detection, comprising:
a pre-screen-locking recording module, configured to record the process, thread and/or network connection condition of the system before screen locking, to form first related information;
a post-screen-locking recording module, configured, if a screen locking operation is detected, to record the process, thread and/or network connection condition after screen locking in real time, to form second related information;
an information comparison and judgment module, configured to compare the first related information with the second related information, and to judge that a new process, a new thread and/or a new network connection exists if the two cannot be completely matched;
and a multi-element joint analysis module, configured to analyze, based on multi-element joint analysis, whether the new process, thread and/or network connection is a normal program.
6. The apparatus of claim 5, wherein the process, thread and/or network connection condition comprises: the data volume of the current system processes, the process ID, loaded module information, service start-up information, the process path, the file name, size and attributes, and the IP address and port number related to the network connection.
7. The apparatus of claim 5, wherein the multi-element joint analysis module is specifically configured to:
extract multi-element information related to the new process, thread and/or network connection, including file attribute information, association information and/or other specified information;
jointly judge, based on one or more items of the multi-element information, whether the new process, thread and/or network connection is a normal program;
wherein the file attribute information includes but is not limited to: file version, file size, file format, creation time, modification time, timestamp, section table, process ID, process path, and the IP address or port number related to the network connection;
the association information includes but is not limited to: a called relationship, a loaded relationship or an executed relationship;
the other specified information includes but is not limited to: a whitelist and a blacklist.
8. The apparatus of any one of claims 5 to 7, further comprising: an information prompting module, configured to pop up the data recorded during monitoring after the screen is unlocked if the program is normal, and to pop up an alarm prompt after the screen is unlocked if the program is not a normal program.
9. An electronic device, characterized in that it comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code so as to perform the method of any one of claims 1 to 4.
10. A computer-readable storage medium, having one or more programs stored thereon, the one or more programs being executable by one or more processors to perform the method of any of claims 1-4.
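The following Python is an added illustration, not code from the patent or from the applicant: it implements the procedure of claims 1 to 4 over constructed snapshot data, with the functions split the way claims 5 to 8 split the apparatus into modules. Everything beyond the claims is an assumption: the record fields chosen, the hypothetical whitelist (image path plus expected file size), blacklist and routine-port set, and the threshold of two indicators before a new program is judged not normal. Threads are omitted; they would be diffed exactly like processes.

```python
"""Added example (not the patent's or applicant's code): the pre-lock / post-lock
comparison of claims 1-4, organised like the modules of claims 5-8. Collection
is simulated with constructed records; real ones would come from the OS (psutil,
ETW, /proc), which is assumed. Threads are omitted; they diff like processes."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    path: str          # image path, compared case-insensitively below
    parent_pid: int
    file_size: int
    file_version: str  # "" when the image carries no version resource
    created_at: float  # image file creation time, epoch seconds

@dataclass(frozen=True)
class Connection:
    pid: int
    remote_ip: str
    remote_port: int

@dataclass
class Snapshot:
    processes: dict[int, ProcessInfo]
    connections: set[Connection]

# "Other specified information", all hypothetical: whitelisted paths with expected size, blacklist, routine ports
WHITELIST = {r"c:\windows\system32\services.exe": 700_000,
             r"c:\windows\system32\svchost.exe": 55_000,
             r"c:\windows\explorer.exe": 4_500_000}
BLACKLIST = {r"c:\users\public\update.exe"}
EXPECTED_PORTS = {80, 443}
LOCK_TIME = 1_700_000_000.0  # constructed epoch second at which the screen was locked

def diff_snapshots(before: Snapshot, after: Snapshot) -> tuple[list[ProcessInfo], list[Connection]]:
    """Comparison module: whatever in the post-lock snapshot has no exact match before the
    lock. Whole records are compared, so a PID reused by a different image also shows up."""
    new_procs = [p for p in after.processes.values() if before.processes.get(p.pid) != p]
    new_conns = sorted(after.connections - before.connections,
                       key=lambda c: (c.pid, c.remote_ip, c.remote_port))
    return new_procs, new_conns

def analyze_process(p: ProcessInfo, after: Snapshot, lock_time: float) -> tuple[bool, list[str]]:
    """Joint analysis module: file attributes, associations (launcher, connections) and list
    membership judged together. Returns (is_normal, reasons)."""
    path, reasons = p.path.lower(), []
    if path in BLACKLIST:
        return False, ["image path is blacklisted"]
    if path in WHITELIST:
        if p.file_size == WHITELIST[path]:
            return True, ["whitelisted image with the expected size"]
        reasons.append("whitelisted path but unexpected size (possible masquerade)")
    if not p.file_version:
        reasons.append("image carries no version information")
    if p.created_at >= lock_time:
        reasons.append("image file was created after the screen was locked")
    if path.startswith("c:\\users\\") or "\\temp\\" in path:
        reasons.append("image lives in a user-writable directory")
    parent = after.processes.get(p.parent_pid)
    if parent is None or parent.path.lower() not in WHITELIST:
        reasons.append("launched by a process that is missing or not trusted")
    for c in after.connections:
        if c.pid == p.pid and c.remote_port not in EXPECTED_PORTS:
            reasons.append(f"connects to {c.remote_ip}:{c.remote_port}")
    return len(reasons) < 2, reasons  # assumed threshold: two indicators together = not normal

def inspect_after_unlock(before: Snapshot, after: Snapshot, lock_time: float) -> dict:
    """Runs both modules and builds the message the prompt module shows after unlock."""
    new_procs, new_conns = diff_snapshots(before, after)
    verdicts = {p.pid: analyze_process(p, after, lock_time) for p in new_procs}
    # new connections made by a process that already existed before the lock
    orphans = [c for c in new_conns if c.pid not in verdicts and c.remote_port not in EXPECTED_PORTS]
    bad = [pid for pid, (ok, _) in verdicts.items() if not ok]
    if not new_procs and not new_conns:
        message = "Nothing new appeared while the screen was locked."
    elif bad or orphans:
        message = f"ALERT: {len(bad)} suspicious process(es), {len(orphans)} unexplained connection(s)."
    else:
        message = f"{len(new_procs)} new process(es), {len(new_conns)} new connection(s), all normal."
    return {"new_processes": new_procs, "new_connections": new_conns,
            "verdicts": verdicts, "alert": bool(bad or orphans), "message": message}

def constructed_snapshots() -> tuple[Snapshot, Snapshot]:
    """Constructed sample data standing in for real collection."""
    old, ver = LOCK_TIME - 400 * 86_400, "10.0.19041.1"
    base = [ProcessInfo(600, r"C:\Windows\System32\services.exe", 500, 700_000, ver, old),
            ProcessInfo(1200, r"C:\Windows\System32\svchost.exe", 600, 55_000, ver, old),
            ProcessInfo(2400, r"C:\Windows\explorer.exe", 1100, 4_500_000, ver, old)]
    before = Snapshot({p.pid: p for p in base}, {Connection(1200, "10.0.0.5", 443)})
    # appeared while locked: an unversioned binary in %TEMP% calling out on 4444,
    # and an ordinary extra svchost started by services.exe
    dropper = ProcessInfo(3200, r"C:\Users\alice\AppData\Local\Temp\svc.exe", 2400, 38_912, "", LOCK_TIME + 30)
    svchost2 = ProcessInfo(3300, r"C:\Windows\System32\svchost.exe", 600, 55_000, ver, old)
    after = Snapshot({**before.processes, 3200: dropper, 3300: svchost2},
                     before.connections | {Connection(3200, "203.0.113.7", 4444),
                                           Connection(3300, "10.0.0.5", 443)})
    return before, after

if __name__ == "__main__":
    print(inspect_after_unlock(*constructed_snapshots(), LOCK_TIME)["message"])
```

Two practical points the claims leave open. A whitelist keyed on path alone is defeated by dropping a binary under a trusted name, which is why the example pairs the path with a file attribute (size here; a hash or an Authenticode check would be the production choice). And the comparison must key on the whole record rather than the PID, since PIDs are reused and a changed record behind a familiar PID is exactly what the claim's "cannot be completely matched" condition is meant to catch.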
CN201911374761.2A 2019-12-27 2019-12-27 Intrusion detection method and device, electronic equipment and storage medium Withdrawn CN111083159A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911374761.2A CN111083159A (en) 2019-12-27 2019-12-27 Intrusion detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911374761.2A CN111083159A (en) 2019-12-27 2019-12-27 Intrusion detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111083159A true CN111083159A (en) 2020-04-28

Family

ID=70318413

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911374761.2A Withdrawn CN111083159A (en) 2019-12-27 2019-12-27 Intrusion detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111083159A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663274A * 2012-02-07 2012-09-12 Qizhi Software (Beijing) Co., Ltd. Method and system for detecting remote computer intrusion behaviour
CN107579997A * 2017-09-30 2018-01-12 Beijing Qihoo Technology Co., Ltd. Wireless network intrusion detection system
CN108804918A * 2017-12-31 2018-11-13 Beijing Antiy Network Security Technology Co., Ltd. Security defence method and device, electronic device and storage medium
CN109144820A * 2018-08-31 2019-01-04 New H3C Information Security Technologies Co., Ltd. Abnormal host detection method and device
US20190156036A1 * 2017-11-23 2019-05-23 Nicira, Inc. Detecting arbitrary code execution using a hypervisor
CN110099038A * 2018-01-31 2019-08-06 Hewlett Packard Enterprise Development LP Detecting attacks on computing devices

Similar Documents

Publication Publication Date Title
CN111030986B (en) Attack organization traceability analysis method and device and storage medium
CN110866248B Ransomware identification method and device, electronic device and storage medium
CN108804918B (en) Security defense method, security defense device, electronic equipment and storage medium
RU2634177C1 (en) System and method for unwanted software detection
CN106203092B (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN111224953A (en) Method, device and storage medium for discovering threat organization attack based on abnormal point
CN111241546A (en) Malicious software behavior detection method and device
CN111030968A (en) Detection method and device capable of customizing threat detection rule and storage medium
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN110611675A (en) Vector magnitude detection rule generation method and device, electronic equipment and storage medium
CN111062035B Ransomware detection method and device, electronic device and storage medium
CN110737894B (en) Composite document security detection method and device, electronic equipment and storage medium
CN111083159A (en) Intrusion detection method and device, electronic equipment and storage medium
CN111027065A Ransomware identification method and device, electronic device and storage medium
CN114338102B (en) Security detection method, security detection device, electronic equipment and storage medium
CN114692150A (en) Sandbox environment-based malicious code analysis method and device and related equipment
CN110858132A (en) Configuration safety detection method and device for printing equipment
CN113779576A (en) Identification method and device for executable file infected virus and electronic equipment
CN108875371B (en) Sandbox analysis method and device, electronic equipment and storage medium
CN105787302A (en) Application processing method and device and electronic equipment
CN108881151B (en) Joint-point-free determination method and device and electronic equipment
CN108875372B (en) Code detection method and device, electronic equipment and storage medium
CN111026633A (en) Black box detection method and device for chip hardware trojan horse and storage medium
CN105893102B Processing method and device for a blue screen triggered by anti-virus security software, and electronic device
CN116010927A (en) Digital signature certificate detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20200428)