CN111797393A - Detection method and device for malicious mining behavior based on GPU - Google Patents
- Publication number
- CN111797393A (application CN202010578925.XA)
- Authority
- CN
- China
- Prior art keywords
- loading process
- gpu
- dynamic link
- link library
- frequency
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides a method and a device for detecting malicious mining behaviour based on a GPU (graphics processing unit), an electronic device and a storage medium, and relates to the technical field of network terminal security. The method comprises the following steps: monitoring a loading process of a dynamic link library of the GPU; acquiring first calling information of the dynamic link library; judging whether the loading process calls a dynamic link library of the GPU; if so, acquiring second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU; and judging, according to the first calling information and the second calling information, whether the loading process is malicious mining behaviour. The method improves on the traditional CPU-oriented detection schemes based on network traffic and endpoint software, and is specifically targeted at the GPU.
Description
Technical Field
The invention relates to the technical field of network terminal security, in particular to a detection method and device for malicious mining behaviors based on a GPU (graphics processing unit), electronic equipment and a storage medium.
Background
As data-intensive workloads penetrate the data center and outgrow traditional CPU performance, GPU vendors have supplied the data center with entirely new devices and graphics cards. The mining capability of a GPU is far greater than that of a CPU, so more and more malicious mining activity is shifting to the GPU. Existing anti-mining protection schemes are all specific to the CPU platform. They include network monitoring solutions (the author of a mining program can evade this detection by encrypting its traffic), endpoint software protection (hard to detect unknown mining families) and browser extension protection (mainly aimed at the CPU and not applicable to the GPU). None of these schemes is targeted at, or applicable to, GPU mining.
Disclosure of Invention
First, terms appearing in the present invention are explained:
GPU: a graphics processing unit (GPU), also called a display core, visual processor or display chip, is a microprocessor dedicated to image and graphics operations on personal computers, workstations, game consoles and some mobile devices (such as tablets and smartphones).
Mining Trojan: a program that generates ("mines") cryptocurrency. Most cryptocurrencies are issued in a decentralised manner by creating new "currency" blocks according to certain rules, and generating each new monetary unit requires a significant amount of computing resources. A mining Trojan uses the victim's resources to search for new hashes and earns cryptocurrency for its owner. A mining Trojan installed on a device without the user's consent is malware.
Dynamic Link Library (DLL): in Windows, many applications are not a single complete executable file but are partitioned into relatively independent dynamic link libraries, i.e. DLL files, that are placed in the system. When such a program is executed, the corresponding DLL files are loaded and called.
In view of the above, the present invention provides a method, an apparatus, an electronic device and a storage medium for detecting malicious mining behavior based on a GPU, so as to solve or partially solve the above technical problems.
According to one aspect of the invention, a detection method for malicious mining behaviors based on a GPU is provided, and the method comprises the following steps:
monitoring the loading process of a dynamic link library of the GPU;
acquiring first calling information of the dynamic link library;
judging whether the loading process calls a dynamic link library of the GPU or not;
if so, acquiring second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
and judging whether the loading process is a malicious mining behavior or not according to the first calling information and the second calling information.
Optionally, the first call information includes a first frequency of normal calls in a unit time and a first time period of the first frequency of normal calls;
the second call information includes a second frequency of calls per unit time.
Optionally, the determining, according to the first calling information and the second calling information, whether the loading process is a malicious mining behavior includes:
dividing the second frequency by the first frequency to obtain a first multiple value;
judging whether the first multiple value is larger than a first preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, acquiring a second time period over which the second frequency of calls is sustained;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
Optionally, the method further comprises:
and when the loading process is judged to be the malicious mining behavior, an alarm is raised, and the malicious mining behavior is eliminated.
According to another aspect of the present invention, there is provided a GPU-based malicious mining behavior detection apparatus, the apparatus including:
the monitoring unit is used for monitoring the loading process of the dynamic link library of the GPU;
the acquisition unit is used for acquiring first calling information of the dynamic link library;
the judging unit is used for judging whether the loading process calls a dynamic link library of the GPU or not;
if so, acquiring second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
and the processing unit is used for judging whether the loading process is a malicious mining behavior or not according to the first calling information and the second calling information.
Optionally, the first call information includes a first frequency of normal calls in a unit time and a first time period of the first frequency of normal calls;
the second call information includes a second frequency of calls per unit time.
Optionally, the processing unit is specifically configured to:
dividing the second frequency by the first frequency to obtain a first multiple value;
judging whether the first multiple value is larger than a first preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, acquiring a second time period over which the second frequency of calls is sustained;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
Optionally, the apparatus further includes an alarm unit, specifically configured to:
and when the loading process is judged to be the malicious mining behavior, an alarm is raised, and the malicious mining behavior is eliminated.
According to still another aspect of the present invention, there is provided an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor executes the aforementioned method by reading the executable program code stored in the memory and running the program corresponding to it.
According to yet another aspect of the present invention, there is provided a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the aforementioned method.
The method monitors a loading process of a dynamic link library of the GPU; acquires first calling information of the dynamic link library; judges whether the loading process calls a dynamic link library of the GPU; if so, acquires second calling information of the dynamic link library; if not, continues to monitor the loading process of the dynamic link library of the GPU; and judges, according to the first calling information and the second calling information, whether the loading process is malicious mining behaviour. The method improves on the traditional CPU-oriented detection schemes based on network traffic and endpoint software, and is specifically targeted at the GPU.
Drawings
Fig. 1 is a flowchart of a detection method for malicious mining behavior based on a GPU according to an embodiment of the present invention;
fig. 2 is a flowchart of another detection method for malicious mining based on a GPU according to an embodiment of the present invention;
fig. 3 is a device diagram of a detection method for malicious mining behavior based on a GPU according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Specific embodiments of a method, an apparatus, an electronic device and a storage medium for detecting malicious mining behaviors based on a GPU according to embodiments of the present invention are described below with reference to the accompanying drawings of the specification.
Fig. 1 is a flowchart of a method for detecting malicious mining behavior based on a GPU according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
step S11: monitoring the loading process of a dynamic link library of the GPU;
step S12: acquiring first calling information of a dynamic link library;
step S13: judging whether the loading process calls a dynamic link library of the GPU or not;
step S14: if so, acquiring second calling information of the dynamic link library;
step S15: if not, continuing to monitor the loading process of the dynamic link library of the GPU;
step S16: and judging whether the loading process is malicious mining behavior or not according to the first calling information and the second calling information.
In some embodiments of the present invention, the first call information includes a first frequency of normal calls per unit time and a first time period of the first frequency of normal calls; the second call information includes a second frequency of calls per unit time.
In some embodiments of the present invention, determining whether the loading process is malicious mining behaviour according to the first calling information and the second calling information includes: dividing the second frequency by the first frequency to obtain a first multiple value; judging whether the first multiple value is larger than a first preset threshold value; if so, judging the loading process to be malicious mining behaviour; if not, acquiring a second time period over which the second frequency of calls is sustained; dividing the second time period by the first time period to obtain a second multiple value; judging whether the second multiple value is larger than a second preset threshold value; if so, judging the loading process to be malicious mining behaviour; and if not, continuing to monitor the loading process of the dynamic link library of the GPU.
The first preset threshold and the second preset threshold may be set empirically; in this embodiment, the first preset threshold is 10 and the second preset threshold is 10.
In some embodiments of the invention, the method further comprises: when the loading process is judged to be malicious mining behaviour, raising an alarm and eliminating the malicious mining behaviour. After the behaviour log of the loading process is submitted, the mining Trojan's resident modules in the registry, scheduled tasks and services can be cleared.
Fig. 2 is a flowchart of another detection method for malicious mining based on a GPU according to an embodiment of the present invention, as shown in fig. 2, the method includes:
step S21: and monitoring the loading process of the dynamic link library of the GPU.
Step S22: record the first frequency F1 at which the API is normally called within a unit-time period Tmin, and the first time period T1 over which calls at frequency F1 are normally sustained.
Step S23: judge whether the loading process calls a dynamic link library of the GPU; if so, go to step S24 to trace the loading process, which may be a system process injected with malicious code or another legitimate process; if not, go to step S21.
Step S24: acquire the second frequency F2 at which the dynamic link library is called per unit time, i.e. trace the target loading process's calls to the graphics card API and record the frequency F2 of API calls per unit time over a period T1.
Step S25: divide the second frequency F2 by the first frequency F1 to obtain a first multiple value.
Step S26: judge whether the first multiple value is larger than a first preset threshold, which may be 10; if so, the API call frequency F2 during consecutive unit-time periods Tmin is far higher than F1, the target process is considered abnormal, and step S210 is executed; if not, the API call frequency F2 within the unit-time period Tmin is close to F1, and step S27 is executed.
Step S27: acquire the second time period T2 over which calls at the second frequency F2 are sustained.
Step S28: divide the second time period T2 by the first time period T1 to obtain a second multiple value.
Step S29: judge whether the second multiple value is larger than a second preset threshold, which may be 10; if so, T2 is much greater than T1, the target process is considered abnormal, and step S210 is executed; if not, step S21 is executed.
Step S210: judge the loading process to be malicious mining behaviour.
Step S211: raise an alarm and eliminate the malicious mining behaviour, specifically: submit the behaviour log of the process, and clear the mining Trojan's resident modules in the registry, scheduled tasks and services.
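The decision procedure of steps S21 to S210 (the DLL-load check of S23, the frequency ratio of S25/S26 and the duration ratio of S28/S29), written out as an added Python example. This is not code from the patent: the graphics-card DLL names on the watch-list, the millisecond trace format, the way F2 and T2 are measured from a trace, and every function and sample name are assumptions made for illustration, and the sample baseline and traces are constructed.

```python
"""Added example (not the patent's code): steps S23 to S210 of Fig. 2 run
over constructed call traces. GPU DLL names, the trace layout, how F2/T2
are measured and every function name here are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

GPU_DLLS = {"nvcuda.dll", "opencl.dll", "amdocl64.dll"}  # assumed watch-list
UNIT_MS = 1000           # Tmin, the unit-time window, in milliseconds (assumed)
FIRST_THRESHOLD = 10.0   # patent's example value for F2 / F1
SECOND_THRESHOLD = 10.0  # patent's example value for T2 / T1


@dataclass(frozen=True)
class Baseline:
    """First calling information (S22): normal call rate and its duration."""
    f1: float  # graphics-API calls per UNIT_MS window under normal use
    t1: int    # milliseconds for which a normal caller sustains f1


@dataclass(frozen=True)
class ProcessTrace:
    """Constructed observation of one loading process."""
    pid: int
    modules: Tuple[str, ...]   # module names the process has loaded
    calls_ms: Tuple[int, ...]  # timestamps (ms) of its graphics-API calls


def loads_gpu_dll(trace: ProcessTrace) -> bool:
    """S23: does the process load a graphics-card DLL?"""
    return any(m.lower() in GPU_DLLS for m in trace.modules)


def window_counts(calls_ms, unit_ms: int = UNIT_MS) -> List[int]:
    """Bucket call timestamps into consecutive unit-time windows."""
    if not calls_ms:
        return []
    start = min(calls_ms)
    counts = [0] * ((max(calls_ms) - start) // unit_ms + 1)
    for t in calls_ms:
        counts[(t - start) // unit_ms] += 1
    return counts


def second_call_info(trace: ProcessTrace) -> Tuple[float, int]:
    """S24/S27: F2 as the mean calls per active window, T2 as the longest
    unbroken run of active windows in ms (one reading of the patent's F2/T2)."""
    counts = window_counts(trace.calls_ms)
    active = [c for c in counts if c > 0]
    if not active:
        return 0.0, 0
    longest = run = 0
    for c in counts:
        run = run + 1 if c > 0 else 0
        longest = max(longest, run)
    return sum(active) / len(active), longest * UNIT_MS


def classify(trace: ProcessTrace, base: Baseline) -> str:
    """S23 to S210 as one decision: the verdict plus the rule that fired."""
    if base.f1 <= 0 or base.t1 <= 0:
        raise ValueError("baseline F1 and T1 must be positive")
    if not loads_gpu_dll(trace):
        return "monitor"                      # S23 no: back to S21
    f2, t2 = second_call_info(trace)
    if f2 / base.f1 > FIRST_THRESHOLD:        # S25/S26
        return "malicious:frequency"          # S210
    if t2 / base.t1 > SECOND_THRESHOLD:       # S28/S29
        return "malicious:duration"           # S210
    return "monitor"                          # S29 no: back to S21


def constant_rate_calls(rate_per_s: int, seconds: int) -> Tuple[int, ...]:
    """Constructed trace: rate_per_s evenly spaced calls in each second."""
    return tuple(i * 1000 // rate_per_s for i in range(rate_per_s * seconds))


# Constructed baseline and traces; all numbers are invented for the example.
BASELINE = Baseline(f1=50.0, t1=60_000)           # 50 calls/s for 60 s
BENIGN = ProcessTrace(1001, ("kernel32.dll", "nvcuda.dll"),
                      constant_rate_calls(40, 30))    # 0.8x rate, 0.5x time
BURST_MINER = ProcessTrace(1002, ("opencl.dll",),
                           constant_rate_calls(1000, 5))  # 20x rate
SLOW_MINER = ProcessTrace(1003, ("amdocl64.dll",),
                          constant_rate_calls(30, 900))   # 0.6x rate, 15x time
NO_GPU = ProcessTrace(1004, ("kernel32.dll", "user32.dll"), ())

if __name__ == "__main__":
    for trace in (BENIGN, BURST_MINER, SLOW_MINER, NO_GPU):
        print(trace.pid, classify(trace, BASELINE))
```

Run as a script it prints one verdict per constructed trace. Both thresholds use the patent's example value of 10. The duration check of S28/S29 is what catches a miner that throttles its call rate to stay near the baseline F1 (the SLOW_MINER trace), which the frequency ratio alone would pass; a benign caller that is merely busy for a while stays under both ratios.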
In one embodiment of the invention, mining Trojans propagate mainly through spam email, software bundling and vulnerability exploitation. A mining Trojan is mainly perceived through the host's responsiveness: the host suddenly becomes sluggish during otherwise normal operation, and CPU utilisation is higher than in normal use or reaches 100 percent. Some experience is needed to judge whether a mining process exists: a process that occupies a high share of the CPU and causes the slowdown is likely the mining process, but this must be distinguished from slowdowns caused by system configuration problems. Generally, mining Trojans have system-resident modules and keep their malicious process running through scheduled tasks, services and similar mechanisms.
The malware BlackSquid, for example, launches the XMRig mining Trojan through server vulnerabilities. Besides deploying a CPU mining Trojan, BlackSquid also checks whether the target system has a graphics card, and if an Nvidia or AMD card is found it downloads a new component to mine on GPU resources. For such a process, the behaviour of loading the graphics card DLL into the process can be monitored along with the process's calling relationships; the calling process of a legitimate DLL file loaded this way is traced, and whether the process's calls form a normal calling relationship is judged by monitoring the frequency and duration of its graphics card API calls. If monitoring finds an anomaly, the related process is terminated, the behaviour log corresponding to the process is checked, and the mining Trojan's resident modules in the registry, scheduled tasks and services are cleared.
Fig. 3 is a device diagram of a detection method for malicious mining behavior based on a GPU according to an embodiment of the present invention, as shown in fig. 3, the device 30 includes:
a monitoring unit 301, configured to monitor a loading process of a dynamic link library of the GPU;
an obtaining unit 302, configured to obtain first invocation information of a dynamic link library;
a judging unit 303, configured to judge whether the loading process calls a dynamic link library of the GPU;
if yes, acquiring second calling information of the dynamic link library through the acquisition unit 302; if not, the loading process of the dynamic link library of the GPU is continuously monitored through the monitoring unit 301;
the processing unit 304 determines whether the loading process is a malicious mining behavior according to the first calling information and the second calling information.
In some embodiments of the present invention, the first call information includes a first frequency of normal calls per unit time and a first time period of the first frequency of normal calls; the second call information includes a second frequency of calls per unit time.
In some embodiments of the invention, the processing unit 304 is specifically configured to: divide the second frequency by the first frequency to obtain a first multiple value; judge whether the first multiple value is larger than a first preset threshold value; if so, judge the loading process to be malicious mining behaviour; if not, obtain through the obtaining unit 302 a second time period over which the second frequency of calls is sustained; divide the second time period by the first time period to obtain a second multiple value; judge whether the second multiple value is larger than a second preset threshold value; if so, judge the loading process to be malicious mining behaviour; if not, continue to monitor the loading process of the dynamic link library of the GPU through the monitoring unit 301.
In some embodiments of the present invention, the apparatus further includes an alarm unit 305, specifically configured to:
and when the loading process is judged to be the malicious mining behavior, an alarm is raised, and the malicious mining behavior is eliminated.
The specific workflow has been described in detail in the method embodiment, and is not described herein again.
An embodiment of the present invention further provides an electronic device. Fig. 4 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiments shown in figs. 1-2. As shown in fig. 4, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 executes the method described in any of the foregoing embodiments by reading the executable program code stored in the memory 43 and running the program corresponding to it.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1-2 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterised by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smartphones (e.g. iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions and generally have mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g. iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type includes audio and video players (e.g. iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: a device for providing computing services, comprising a processor, hard disk, memory, system bus and so on. A server is similar in architecture to a general-purpose computer but has higher requirements for processing capacity, stability, reliability, security, scalability and manageability because it must provide highly reliable services.
(5) Other electronic equipment with a data interaction function.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the aforementioned detection method.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The invention has the following technical effects:
In summary, to mine on a GPU graphics card, a malicious attacker needs to obtain the basic information of the graphics card (product and version model) and then call the corresponding dynamic link library to carry out mining. The method first monitors the behaviour of loading the graphics card DLL into a process and the resulting calling relationships, traces the calling process of a legitimately loaded DLL file, and judges whether the process's calls form a normal calling relationship by monitoring the frequency and duration of its graphics card API calls. If monitoring finds an anomaly, the related process is terminated. By monitoring the DLL calling relationship and the frequency and duration of API calls during GPU execution, the traditional detection schemes based on network traffic and endpoint software can thus be improved upon.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A detection method for malicious mining behaviors based on a GPU (graphics processing unit), which is characterized by comprising the following steps:
monitoring the loading process of a dynamic link library of the GPU;
acquiring first calling information of the dynamic link library;
judging whether the loading process calls a dynamic link library of the GPU or not;
if so, acquiring second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
and judging whether the loading process is a malicious mining behavior or not according to the first calling information and the second calling information.
2. The method of claim 1, wherein the first call information includes a first frequency of normal calls per unit time and a first time period of normal calls for the first frequency;
the second call information includes a second frequency of calls per unit time.
3. The method of claim 2, wherein the determining whether the loading process is malicious mining according to the first and second call information comprises:
dividing the second frequency by the first frequency to obtain a first multiple value;
judging whether the first multiple value is larger than a first preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, acquiring a second time period over which the second frequency of calls is sustained;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value;
if so, judging the loading process to be malicious mining behaviour; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
4. The method of claim 3, wherein the method further comprises:
and when the loading process is judged to be the malicious mining behavior, an alarm is raised, and the malicious mining behavior is eliminated.
5. An apparatus for detecting malicious mining behavior based on a GPU, characterized in that it comprises:
a monitoring unit, configured to monitor the loading process of a dynamic link library of the GPU;
an acquisition unit, configured to acquire first calling information of the dynamic link library;
a judging unit, configured to judge whether the loading process calls the dynamic link library of the GPU;
and, if so, to acquire second calling information of the dynamic link library; if not, to continue monitoring the loading process of the dynamic link library of the GPU;
and a processing unit, configured to judge, according to the first calling information and the second calling information, whether the loading process is malicious mining behavior.
6. The apparatus of claim 5, wherein the first calling information comprises a first frequency, being the number of normal calls per unit time, and a first time period, being the duration over which normal calls occur at the first frequency;
and the second calling information comprises a second frequency, being the number of calls per unit time.
7. The apparatus of claim 6, wherein the processing unit is specifically configured to:
divide the second frequency by the first frequency to obtain a first multiple;
judge whether the first multiple is greater than a first preset threshold;
if so, judge the loading process to be malicious mining behavior; if not, acquire a second time period, being the duration over which calls occur at the second frequency;
divide the second time period by the first time period to obtain a second multiple;
judge whether the second multiple is greater than a second preset threshold;
if so, judge the loading process to be malicious mining behavior; if not, continue monitoring the loading process of the dynamic link library of the GPU.
8. The apparatus of claim 7, further comprising an alarm unit, specifically configured to:
when the loading process is judged to be malicious mining behavior, raise an alarm and remove the malicious mining behavior.
9. An electronic device, characterized in that it comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method of any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that it stores one or more programs which are executable by one or more processors to implement the method of any one of claims 1 to 4.
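The two-stage check of claims 3 and 7, run over a constructed stream of library-call records, as an added example that is neither the patent's own code nor any product of the applicant. The GPU library names, the one-second unit of time, the way the second frequency and second time period are measured from the stream, the baseline values and both thresholds are assumptions: the claims name these quantities but do not fix how they are obtained.

```python
"""Two-stage ratio check of claims 3 and 7 over a constructed call stream.

Added example, not the patent's own code. Library names, the 1-second unit
of time, how the second frequency and second time period are measured, the
baseline and both thresholds are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Libraries treated as "a dynamic link library of the GPU" (assumed names).
GPU_LIBRARIES = {"nvcuda.dll", "OpenCL.dll", "libcuda.so", "libOpenCL.so"}


@dataclass(frozen=True)
class CallRecord:
    ts: float       # seconds since monitoring started
    pid: int        # the loading process
    library: str    # library the loading process called


def gpu_calls(records: Iterable[CallRecord], pid: int) -> List[float]:
    """Claim 1: keep only the calls by `pid` that go to a GPU library."""
    return sorted(r.ts for r in records if r.pid == pid and r.library in GPU_LIBRARIES)


def second_call_info(timestamps: List[float], unit: float = 1.0) -> Tuple[float, float]:
    """Derive the second frequency and second time period (claims 2 and 3).

    Assumed measurement: the second frequency is the peak number of GPU-library
    calls in one unit of time, and the second time period is the length of the
    longest unbroken run of units that each contain at least one call.
    """
    if not timestamps:
        return 0.0, 0.0
    per_unit = Counter(int(t // unit) for t in timestamps)
    frequency = max(per_unit.values()) / unit
    longest = run = 0
    for u in range(min(per_unit), max(per_unit) + 1):
        run = run + 1 if u in per_unit else 0
        longest = max(longest, run)
    return frequency, longest * unit


def classify(first_freq: float, first_period: float,
             second_freq: float, second_period: float,
             threshold_1: float, threshold_2: float) -> str:
    """Claim 3: compare the two multiples against their preset thresholds."""
    if first_freq <= 0 or first_period <= 0:
        raise ValueError("baseline frequency and period must be positive")
    if second_freq / first_freq > threshold_1:       # first multiple
        return "malicious mining"
    if second_period / first_period > threshold_2:   # second multiple
        return "malicious mining"
    return "continue monitoring"


def analyze(records: Iterable[CallRecord], pid: int,
            first_freq: float, first_period: float,
            threshold_1: float = 3.0, threshold_2: float = 4.0) -> str:
    """Run claims 1 to 3 for one loading process."""
    second_freq, second_period = second_call_info(gpu_calls(records, pid))
    if second_freq == 0:   # never called a GPU library: the "if not" branch of claim 1
        return "continue monitoring"
    return classify(first_freq, first_period, second_freq, second_period,
                    threshold_1, threshold_2)


# Constructed call records (not captured data). Baseline assumed from a quiet
# host: 2 GPU-library calls per second, sustained for at most 5 seconds.
BASELINE_FREQ, BASELINE_PERIOD = 2.0, 5.0
SAMPLE_RECORDS = (
    [CallRecord(t, 100, "nvcuda.dll") for t in (0.1, 0.5, 1.2, 2.8)]        # short burst
    + [CallRecord(3.0, 100, "kernel32.dll")]                                 # non-GPU, ignored
    + [CallRecord(20.0 + i * 0.125, 200, "nvcuda.dll") for i in range(240)]  # 8/s for 30 s
    + [CallRecord(60.0 + i * 0.5, 300, "OpenCL.dll") for i in range(60)]     # 2/s for 30 s
    + [CallRecord(5.0, 400, "kernel32.dll")]                                 # never touches the GPU
)


def verdicts() -> dict:
    """Verdict per loading process in the constructed stream."""
    return {pid: analyze(SAMPLE_RECORDS, pid, BASELINE_FREQ, BASELINE_PERIOD)
            for pid in (100, 200, 300, 400)}


if __name__ == "__main__":
    for pid, verdict in verdicts().items():
        print(f"pid {pid}: {verdict}")
```

In the constructed stream, pid 200 trips the first stage (8/2 = 4, above the first threshold of 3); pid 300 never exceeds the baseline frequency but calls for six times the baseline period (30/5 = 6, above the second threshold of 4) and is caught by the second stage; pid 100's short burst and pid 400, which never loads a GPU library, stay under monitoring. The second stage flags any sustained GPU workload at ordinary frequency, so on a host that legitimately runs long GPU jobs the baseline period has to be measured from that workload, and a verdict is better treated as the trigger for the alarm of claim 4 than as grounds for terminating the process unattended.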
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010578925.XA CN111797393B (en) | 2020-06-23 | 2020-06-23 | Method and device for detecting malicious mining behavior based on GPU |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010578925.XA CN111797393B (en) | 2020-06-23 | 2020-06-23 | Method and device for detecting malicious mining behavior based on GPU |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111797393A true CN111797393A (en) | 2020-10-20 |
CN111797393B CN111797393B (en) | 2023-05-23 |
Family
ID=72803725
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010578925.XA Active CN111797393B (en) | 2020-06-23 | 2020-06-23 | Method and device for detecting malicious mining behavior based on GPU |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111797393B (en) |
Events
Date | Country | Application Number | Publication | Status |
---|---|---|---|---|
2020-06-23 | CN | CN202010578925.XA | CN111797393B | Active |
Patent Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009129451A (en) * | 2007-11-20 | 2009-06-11 | Korea Electronics Telecommun | Apparatus and method for detecting dynamic link library inserted by malicious code |
CN102737188A (en) * | 2012-06-27 | 2012-10-17 | 北京奇虎科技有限公司 | Method and device for detecting malicious webpage |
WO2015100538A1 (en) * | 2013-12-30 | 2015-07-09 | Nokia Technologies Oy | Method and apparatus for malware detection |
US20170004303A1 (en) * | 2013-12-30 | 2017-01-05 | Nokia Technologies Oy | Method and Apparatus for Malware Detection |
CN107590388A (en) * | 2017-09-12 | 2018-01-16 | 南方电网科学研究院有限责任公司 | Malicious code detection method and device |
CN107679402A (en) * | 2017-09-28 | 2018-02-09 | 四川长虹电器股份有限公司 | Malicious code behavioural characteristic extracting method |
CN108829829A (en) * | 2018-06-15 | 2018-11-16 | 深信服科技股份有限公司 | Method, system, device and storage medium for detecting cryptocurrency mining programs |
CN109101815A (en) * | 2018-07-27 | 2018-12-28 | 平安科技(深圳)有限公司 | Malware detection method and related device |
CN110839088A (en) * | 2018-08-16 | 2020-02-25 | 深信服科技股份有限公司 | Detection method, system, device and storage medium for virtual currency mining |
CN110875917A (en) * | 2018-09-04 | 2020-03-10 | 国家计算机网络与信息安全管理中心 | Method, device and storage medium for detecting mining viruses |
CN109347806A (en) * | 2018-09-20 | 2019-02-15 | 天津大学 | Mining malware detection system and method based on host monitoring technology |
CN110135160A (en) * | 2019-04-29 | 2019-08-16 | 北京邮电大学 | Software detection method, apparatus and system |
CN110489969A (en) * | 2019-08-22 | 2019-11-22 | 杭州安恒信息技术股份有限公司 | System and electronic device for handling hosts infected with mining viruses based on SOAR |
CN110619217A (en) * | 2019-09-18 | 2019-12-27 | 杭州安恒信息技术股份有限公司 | Method and device for actively defending malicious mining program |
CN111143842A (en) * | 2019-12-12 | 2020-05-12 | 广州大学 | Malicious code detection method and system |
Non-Patent Citations (3)
Title |
---|
戴纯兴 et al.: "Research on abnormal-behavior-based malware detection in a KVM environment", Journal of Information Security Research (《信息安全研究》) * |
杨鸣坤 et al.: "Static detection of Android malware based on APIs and Permissions", Computer Applications and Software (计算机应用与软件) * |
白金荣 et al.: "Malware detection method based on sensitive Native APIs", Computer Engineering (《计算机工程》) * |
Also Published As
Publication number | Publication date |
---|---|
CN111797393B (en) | 2023-05-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10951647B1 (en) | Behavioral scanning of mobile applications | |
US9652617B1 (en) | Analyzing security of applications | |
CN106709325B (en) | Method and device for monitoring program | |
CN108875364B (en) | Threat determination method and device for unknown file, electronic device and storage medium | |
CN105630551A (en) | Method and device for installing application software and electronic equipment | |
CN114065204A (en) | Fileless Trojan detection and removal method and device | |
CN105868625B (en) | Method and device for intercepting restart deletion of file | |
CN110866248A (en) | Ransomware identification method and device, electronic equipment and storage medium | |
CN114741695A (en) | Malicious code monitoring method and device, electronic equipment and storage medium | |
CN111027064A (en) | Method and device for protecting against and removing mining viruses on the Linux platform, and storage device | |
CN111062035B (en) | Ransomware detection method and device, electronic equipment and storage medium | |
CN111030974A (en) | APT attack event detection method, device and storage medium | |
CN110611675A (en) | Vector magnitude detection rule generation method and device, electronic equipment and storage medium | |
CN111797393B (en) | Method and device for detecting malicious mining behavior based on GPU | |
CN111782294A (en) | Application program running method and device, electronic equipment and storage medium | |
CN115378628A (en) | Sandbox-based malicious sample detection method and system, host, electronic device and storage medium | |
CN116108435A (en) | On-demand opening method and device for safety cut surface of mobile terminal | |
CN114692150A (en) | Sandbox environment-based malicious code analysis method and device and related equipment | |
CN108875372B (en) | Code detection method and device, electronic equipment and storage medium | |
CN110875919B (en) | Network threat detection method and device, electronic equipment and storage medium | |
CN113779576A (en) | Identification method and device for executable file infected virus and electronic equipment | |
CN115712876A (en) | Installation package intercepting method and device, electronic equipment and computer readable storage medium | |
CN106169044B (en) | Method and device for protecting thread data and electronic equipment | |
CN110659489B (en) | Threat detection method, device and storage medium for string concatenation behavior | |
CN115840941A (en) | Detection method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
CB02 | Change of applicant information | | Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road); Applicant after: Antan Technology Group Co.,Ltd. Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road); Applicant before: Harbin Antian Science and Technology Group Co.,Ltd. |
GR01 | Patent grant | | |