CN111353155A - Detection method, device, equipment and medium for process injection - Google Patents
- Publication number: CN111353155A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The application relates to the field of network security, and in particular to a process injection detection method, apparatus, device and medium. They address the need in the prior art for a way to quickly discover the injection behavior of malicious software, so that unknown threats are discovered and time is gained for further protective blocking. The process injection detection method provided by the embodiment of the application comprises the following steps: generating a plurality of fake processes according to a preset fake process list; acquiring a process module list corresponding to the plurality of fake processes; and when a newly added process module exists in the process module list, determining that the fake process corresponding to the newly added process module has been injected.
Description
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a device, and a medium for detecting process injection.
Background
With the continuous development and progress of science and technology, the internet field keeps growing. It brings great convenience to people, but various potential security hazards also exist. In recent years in particular, malware attacks have occurred frequently, and the techniques used to intrude through system vulnerabilities are so varied that they are hard to guard against, which makes maintaining network security all the more important.
Generally speaking, malware often attacks by means of process injection, that is, by running arbitrary custom code in the address space of a target process. Process injection greatly improves the concealment of an attack, and because it is not easy to discover, it also strengthens the persistence of the attack. Most existing detection technologies match malicious processes by process characteristic values; they mostly guard against known viruses and have great limitations.
Therefore, a method for detecting process injection is needed that can quickly discover the injection behavior of malware, so that unknown threats are discovered and time is gained for further protective blocking.
Disclosure of Invention
The embodiments of the application provide a process injection detection method, apparatus, device and medium, which address the need in the prior art for a way to quickly discover the injection behavior of malicious software, so that unknown threats are discovered and time is gained for further protective blocking.
In a first aspect, an embodiment of the present invention provides a method for detecting process injection, where the method includes:
generating a plurality of fake processes according to a preset fake process list;
acquiring a process module list corresponding to the plurality of fake processes;
and when a newly added process module exists in the process module list, determining that the fake process corresponding to the newly added process module has been injected.
In the embodiment of the application, a plurality of fake processes are generated according to a preset fake process list, a process module list corresponding to the fake processes is then obtained, and when a newly added process module exists in the process module list, it is determined that the fake process corresponding to the newly added process module has been injected. Compared with the prior art, the injection behavior of malicious software can be discovered quickly, so that unknown threats are discovered and time is gained for further protective blocking.
In a possible implementation manner, in the method provided by an embodiment of the present invention, generating a plurality of fake processes according to a preset fake process list includes:
generating a plurality of fake processes according to the preset fake process list;
determining a fake process whose name is the same as the name of a running process to be a puppet process;
modifying the puppet process based on the configuration of the running process.
In the embodiment of the present application, a fake process whose name is the same as the name of a running process is determined to be a puppet process, and the puppet process is modified based on the configuration of the running process. Compared with the prior art, the configuration of the fake process is modified according to the configuration of the running process, so that the fake process simulates the attribute information of the real process as closely as possible.
In a possible implementation manner, in the method provided in the embodiment of the present invention, a fake process whose name differs from the name of a running process is determined to be a disguised process;
and the disguised process is modified based on preset configuration information.
In a possible implementation manner, in the method provided by the embodiment of the present invention, when a newly added process module exists in the process module list, after determining that the fake process corresponding to the newly added process module has been injected, the method further includes:
recording path information of the newly added process module;
issuing an alert based on the path information.
In the embodiment of the application, the path information of the newly added process module is recorded, and an alert is issued based on the path information. Compared with the prior art, the source of the malicious software is accurately determined and the user is alerted, so that the maliciously injected process is effectively discovered and time is gained for further protective blocking.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting process injection, where the apparatus includes:
a generating module, configured to generate a plurality of fake processes according to a preset fake process list;
an acquiring module, configured to acquire a process module list corresponding to the plurality of fake processes;
and a determining module, configured to determine, when a newly added process module exists in the process module list, that the fake process corresponding to the newly added process module has been injected.
In a possible implementation manner, in the apparatus provided in an embodiment of the present invention, the generating module is specifically configured to:
generate a plurality of fake processes according to the preset fake process list;
determine a fake process whose name is the same as the name of a running process to be a puppet process;
modify the puppet process based on the configuration of the running process.
In a possible implementation manner, in the apparatus provided in an embodiment of the present invention, the generating module is specifically configured to:
determine a fake process whose name differs from the name of a running process to be a disguised process;
and modify the disguised process based on preset configuration information.
In a possible implementation manner, in the apparatus provided in the embodiment of the present invention, the determining module is further configured to:
record path information of the newly added process module;
issue an alert based on the path information.
In a third aspect, an embodiment of the present application provides an electronic device, including: at least one processor, at least one memory, and computer program instructions stored in the memory, which, when executed by the processor, implement the method provided by the first aspect of an embodiment of the present application.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, implement the method provided by the first aspect of the embodiments of the present application.
Drawings
Fig. 1 is a schematic flow chart of a process injection detection method according to an embodiment of the present invention;
Fig. 2 is a specific schematic flowchart of a process injection detection method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a detection apparatus for process injection according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Some of the words that appear in the text are explained below:
1. The term "and/or" in the embodiments of the present invention describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
2. Message-Digest Algorithm 5 (MD5), a widely used cryptographic hash function that generates a 128-bit (16-byte) hash value, used to ensure the integrity of message transmission.
In order to solve the above problems, the present invention provides a method for detecting process injection. A plurality of fake processes are generated according to a preset fake process list, a process module list corresponding to the fake processes is then obtained, and when a newly added process module exists in the process module list, it is determined that the fake process corresponding to the newly added process module has been injected. Compared with the prior art, the injection behavior of malicious software can be discovered quickly, so that unknown threats are discovered and time is gained for further protective blocking.
The embodiments of the present application will be described in further detail with reference to the drawings attached hereto.
Example one
As shown in fig. 1, a flowchart of a process injection detection method provided in an embodiment of the present application includes the following steps:
Step S101, a plurality of fake processes are generated according to a preset fake process list.
In a specific implementation, a plurality of fake processes are generated according to the preset fake process list. A fake process whose name is the same as the name of a running process is determined to be a puppet process, and the puppet process is modified based on the configuration of the running process; a fake process whose name differs from the name of a running process is determined to be a disguised process, and the disguised process is modified based on preset configuration information.
It should be noted that the preset fake process list may be set as required, and may include common system processes, common basic processes, and application processes chosen according to the user's own needs.
Step S102, a process module list corresponding to the plurality of fake processes is obtained.
In a specific implementation, a process module list corresponding to the plurality of fake processes is obtained; the process module list is compared in subsequent steps to determine whether a process has been injected.
In one example, a mutex event is created for the fake process, and the name of the mutex event is a character string that identifies the fake process, so that a semaphore signal is sent after the fake process is running and the initial module list of the fake process is thereby obtained.
Step S103, when a newly added process module exists in the process module list, it is determined that the fake process corresponding to the newly added process module has been injected.
In a specific implementation, the manner of determining that the fake process has been injected may be as follows:
The initial process module list is obtained in step S102. The current process module list is then obtained by timed polling and compared with the initial module list. When a newly added module is found, it is identified as a suspicious process injection module, the fake process corresponding to the newly added process module is determined to be an injected process, the path information of the newly added process module is recorded, and an alarm is issued based on the path information. In this way the source of the malicious software is accurately determined and the user is alerted, so that the maliciously injected process is effectively discovered and time is gained for further protective blocking.
A specific implementation flow of the process injection detection method provided in the embodiment of the present invention is described below with reference to fig. 2.
Step S201, a process configuration file is prepared.
In a specific implementation, the name of the process file, the process file information and the process template need to be determined.
By convention, the process file is named with the MD5 value of the process name. In a specific implementation, the configuration for process names of the same type is stored in one file, so that the file for a given process is easy to find.
It should be noted that the process file mainly stores the configuration of the target process, and the file name mainly serves to let the template program find its corresponding file after it starts. The specific naming scheme may be an ID number, the target process name, or some other user-defined character string; any scheme meets the requirement as long as the correspondence between file name and process is fixed, so that the correct process configuration file path can be computed from it. The embodiment of the present invention does not limit this.
The process file information generally includes the process name, the process path and the list of module paths to be loaded by the process, and it is stored in a format that the template program can parse. The module path list is obtained by analysing the existing process that is to be faked, so that the attribute information of the real process is simulated as closely as possible.
When the process template runs, it first finds the process configuration file corresponding to the process according to the MD5 value of the process name, reads and parses the process configuration file, then loads the modules in the process module list, and sends a mutex signal once loading is finished, so that the fake process is in a stable running state.
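The configuration lookup described in step S201, as an added example (not code from the patent). The JSON storage format, the field names, the lower-casing of the process name before hashing and the absolute-path check are assumptions made for the illustration; the sample configuration is constructed.

```python
import hashlib
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath
from typing import Tuple


@dataclass(frozen=True)
class DecoyConfig:
    process_name: str
    process_path: str
    module_paths: Tuple[str, ...]  # modules the template loads at start-up


def config_filename(process_name: str) -> str:
    """File name derived from the MD5 value of the process name.

    Assumption: the name is lower-cased first, because Windows image names
    are case-insensitive. MD5 is only a lookup key here, not a security
    control, hence usedforsecurity=False.
    """
    digest = hashlib.md5(process_name.lower().encode("utf-8"),
                         usedforsecurity=False).hexdigest()
    return digest + ".json"


def parse_config(raw: dict, expected_name: str) -> DecoyConfig:
    """Validate parsed file content before the template acts on it."""
    cfg = DecoyConfig(str(raw["process_name"]), str(raw["process_path"]),
                      tuple(str(p) for p in raw["module_paths"]))
    # The file name is only an index: the content must agree with it.
    if cfg.process_name.lower() != expected_name.lower():
        raise ValueError("config content does not match the requested process")
    # Bare module names would be resolved through the DLL search order,
    # so the fake process could load a different file than the real one does.
    for path in (cfg.process_path, *cfg.module_paths):
        if not PureWindowsPath(path).is_absolute():
            raise ValueError(f"not an absolute path: {path!r}")
    return cfg


def load_config(config_dir: Path, process_name: str) -> DecoyConfig:
    path = config_dir / config_filename(process_name)
    return parse_config(json.loads(path.read_text(encoding="utf-8")),
                        process_name)


# Constructed sample configuration for a fake svchost.exe.
SAMPLE = {
    "process_name": "svchost.exe",
    "process_path": r"C:\Windows\System32\svchost.exe",
    "module_paths": [
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\rpcrt4.dll",
    ],
}


def demo() -> DecoyConfig:
    """Write the sample under its MD5-derived name, then load it by name."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / config_filename(SAMPLE["process_name"])
        target.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return load_config(Path(tmp), "SVCHOST.EXE")


if __name__ == "__main__":
    print(demo())
```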
Step S202, a fake process is created and monitored.
In a specific implementation, the process configuration file is read first, and after the name of the process to be created is obtained, two cases are considered:
(1) A fake process whose name is the same as the name of a running process is determined to be a puppet process, and the puppet process is modified based on the configuration of the running process.
If the process name is that of a system process (e.g. svchost.exe, cmd.exe, etc.) or of an application already installed on the system, the process is treated as a puppet process. A process is created in a suspended state, the thread context of the process is saved, the current memory data of the process is cleared, new memory is allocated, the PE file of the template program is written into the process memory according to the PE format, the thread context of the process is restored from the saved thread context, and finally the suspended process is resumed.
(2) A fake process whose name differs from the name of a running process is determined to be a disguised process, and the disguised process is modified based on preset configuration information.
If the process name of the fake process cannot be found in the system, the process is treated as a disguised process. In a specific implementation, the PE file name of the process template is changed to the configured process name and the process template is then run; the process template automatically loads the configuration file corresponding to the process name, so that the disguised process is generated and runs.
After the initialization of the puppet process and the disguised process is completed, a process module list corresponding to the fake process is obtained. In one example, a mutex event is created first, whose name is an agreed character string containing the pid of the fake process, so that a semaphore signal is sent after the fake process is running stably and the initial process module list of the fake process is obtained.
When the initialization of the fake process is completed, the process is in a sleep state. A real-time process module list is obtained by timed polling and compared with the initial process module list. When a newly added module is found, it is identified as a suspicious process injection module, the path of the module is recorded, and a primary alarm is sent.
In addition, a plurality of process configuration files can be configured as required so as to generate a plurality of different fake processes. After one fake process is detected as injected, the other fake processes are checked for injection, and if they have also been injected, a higher-level alarm is generated. Meanwhile, over long-term monitoring, the injection time of the malicious software is also obtained, so that maliciously injected processes are monitored more effectively and more time is gained for protective blocking.
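The comparison logic of steps S102 and S103 and of the monitoring in step S202, as an added example (not code from the patent). The `DecoyMonitor` class, the `list_modules` callback and the alert level names are hypothetical. On a real system the callback would enumerate the modules of a pid and `poll()` would run on a timer; here it steps through constructed snapshots so that it runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ntpath import normcase, normpath
from typing import Callable, Dict, Iterable, List, Set


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them in canonical form."""
    return normcase(normpath(path))


@dataclass(frozen=True)
class Alert:
    level: str             # "primary", or "elevated" once a second fake process is hit
    pid: int
    decoy_name: str
    module_path: str       # recorded path of the newly added module
    detected_at: datetime  # poll time at which the module was first seen


class DecoyMonitor:
    def __init__(self, list_modules: Callable[[int], Iterable[str]]):
        self._list_modules = list_modules      # hypothetical module enumerator
        self._names: Dict[int, str] = {}
        self._seen: Dict[int, Set[str]] = {}   # baseline plus modules already reported
        self._injected: Set[int] = set()       # fake processes flagged so far

    def register(self, pid: int, name: str) -> None:
        """Take the initial module list once the fake process has signalled ready."""
        self._names[pid] = name
        self._seen[pid] = {norm(p) for p in self._list_modules(pid)}

    def poll(self) -> List[Alert]:
        """One polling round: report every module that is not in the baseline."""
        alerts: List[Alert] = []
        for pid, seen in self._seen.items():
            try:
                current = list(self._list_modules(pid))
            except ProcessLookupError:
                continue  # fake process has exited; nothing to compare this round
            for path in current:
                key = norm(path)
                if key in seen:
                    continue
                seen.add(key)  # report each new module only once
                self._injected.add(pid)
                level = "elevated" if len(self._injected) > 1 else "primary"
                alerts.append(Alert(level, pid, self._names[pid], path,
                                    datetime.now(timezone.utc)))
        return alerts


# Constructed module snapshots for two fake processes (pids 1001 and 1002).
SYS = r"C:\Windows\System32"
BASE = [SYS + r"\ntdll.dll", SYS + r"\kernel32.dll"]
ROGUE = r"C:\Users\Public\unexpected.dll"
SNAPSHOTS = [
    {1001: BASE, 1002: BASE},                        # baseline
    {1001: [p.upper() for p in BASE], 1002: BASE},   # same modules, different case
    {1001: BASE + [ROGUE], 1002: BASE},              # first fake process injected
    {1001: BASE + [ROGUE], 1002: BASE + [ROGUE]},    # second fake process injected
]


def run_demo() -> list:
    """Replay the snapshots; return (level, pid, path) tuples for each poll."""
    step = {"i": 0}
    monitor = DecoyMonitor(lambda pid: SNAPSHOTS[step["i"]][pid])
    monitor.register(1001, "svchost.exe")
    monitor.register(1002, "cmd.exe")
    history = []
    for i in range(1, len(SNAPSHOTS)):
        step["i"] = i
        history.append([(a.level, a.pid, a.module_path) for a in monitor.poll()])
    return history


if __name__ == "__main__":
    for round_no, alerts in enumerate(run_demo(), start=1):
        print(round_no, alerts)
```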
Correspondingly, as shown in fig. 3, the apparatus for detecting process injection provided by the embodiment of the present invention includes:
a generating module 301, configured to generate a plurality of fake processes according to a preset fake process list;
an obtaining module 302, configured to obtain a process module list corresponding to the plurality of fake processes;
a determining module 303, configured to determine, when a newly added process module exists in the process module list, that the fake process corresponding to the newly added process module has been injected.
In a possible implementation manner, in the apparatus provided in the embodiment of the present invention, the generating module 301 is specifically configured to:
generate a plurality of fake processes according to the preset fake process list;
determine a fake process whose name is the same as the name of a running process to be a puppet process;
modify the puppet process based on the configuration of the running process.
In a possible implementation manner, in the apparatus provided in the embodiment of the present invention, the generating module 301 is specifically configured to:
determine a fake process whose name differs from the name of a running process to be a disguised process;
and modify the disguised process based on preset configuration information.
In a possible implementation manner, in the apparatus provided in the embodiment of the present invention, the determining module 303 is further configured to:
record path information of the newly added process module;
issue an alert based on the path information.
In addition, the method and apparatus for detecting process injection in the embodiment of the present application described in conjunction with fig. 1 to 3 may be implemented by an electronic device. Fig. 4 shows a hardware structure diagram of an electronic device provided in an embodiment of the present application.
The electronic device may include a processor 401 and a memory 402 storing computer program instructions.
Specifically, the processor 401 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing embodiments of the present invention.
The processor 401 reads and executes the computer program instructions stored in the memory 402 to implement any one of the process injection detection methods in the above embodiments.
In one example, the electronic device may also include a communication interface 403 and a bus 410. As shown in fig. 4, the processor 401, the memory 402, and the communication interface 403 are connected via a bus 410 to complete communication therebetween.
The communication interface 403 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.
The electronic device may execute the process injection detection method in the embodiment of the present invention, so as to implement the process injection detection method described in conjunction with fig. 1.
In addition, in combination with the process injection detection method in the foregoing embodiments, embodiments of the present invention may provide a computer-readable storage medium for its implementation. The computer-readable storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement any of the above-described embodiments of the method for detecting process injection.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (10)
1. A method for detecting process injection, the method comprising:
generating a plurality of fake processes according to a preset fake process list;
acquiring a process module list corresponding to the plurality of fake processes;
and when a newly added process module exists in the process module list, determining that the fake process corresponding to the newly added process module has been injected.
2. The method of claim 1, wherein generating a plurality of fake processes according to a preset fake process list comprises:
generating a plurality of fake processes according to the preset fake process list;
determining a fake process whose name is the same as the name of a running process to be a puppet process;
modifying the puppet process based on the configuration of the running process.
3. The method of claim 2, wherein a fake process whose name differs from the name of a running process is determined to be a disguised process;
and the disguised process is modified based on preset configuration information.
4. The method of claim 1, wherein, when a newly added process module exists in the process module list, after determining that the fake process corresponding to the newly added process module has been injected, the method further comprises:
recording the path information of the newly added process module;
issuing a warning based on the path information.
5. An apparatus for detecting process injection, the apparatus comprising:
a generating module, configured to generate a plurality of fake processes according to a preset fake process list;
an acquiring module, configured to acquire a process module list corresponding to the plurality of fake processes;
and a determining module, configured to determine, when a newly added process module exists in the process module list, that the fake process corresponding to the newly added process module has been injected.
6. The apparatus of claim 5, wherein the generating module is specifically configured to:
generate a plurality of fake processes according to the preset fake process list;
determine a fake process whose name is the same as the name of a running process to be a puppet process;
modify the puppet process based on the configuration of the running process.
7. The apparatus of claim 6, wherein the generating module is specifically configured to:
determine a fake process whose name differs from the name of a running process to be a disguised process;
and modify the disguised process based on preset configuration information.
8. The apparatus of claim 6, wherein the determining module is further configured to:
record the path information of the newly added process module;
issue a warning based on the path information.
9. An electronic device, comprising: at least one processor, at least one memory, and computer program instructions stored in the memory that, when executed by the processor, implement the method of any of claims 1-4.
10. A computer-readable storage medium having computer program instructions stored thereon, which when executed by a processor implement the method of any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010236193.6A CN111353155B (en) | 2020-03-30 | 2020-03-30 | Detection method, device, equipment and medium for process injection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111353155A (en) | 2020-06-30 |
CN111353155B (en) | 2022-09-20 |
Family
ID=71193198
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010236193.6A Active CN111353155B (en) | 2020-03-30 | 2020-03-30 | Detection method, device, equipment and medium for process injection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111353155B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100269175A1 (en) * | 2008-12-02 | 2010-10-21 | Stolfo Salvatore J | Methods, systems, and media for masquerade attack detection by monitoring computer user behavior |
CN108197475A (en) * | 2018-01-11 | 2018-06-22 | 广州汇智通信技术有限公司 | A kind of malice so modules detection method and relevant apparatus |
CN108737421A (en) * | 2018-05-23 | 2018-11-02 | 深信服科技股份有限公司 | Method, system, device and the storage medium of potential threat in a kind of discovery network |
CN110188539A (en) * | 2019-05-29 | 2019-08-30 | 中国人民解放军战略支援部队信息工程大学 | A kind of method, apparatus and system of operation application |
Non-Patent Citations (1)
Title |
---|
Wang Peihong et al.: "Research on Detection and Unloading Methods for Remote-Thread DLL Injection", Computer and Digital Engineering * |
Also Published As
Publication number | Publication date |
---|---|
CN111353155B (en) | 2022-09-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||