CN111797393B - Method and device for detecting malicious mining behavior based on GPU

Info

Publication number: CN111797393B
Application number: CN202010578925.XA
Other versions: CN111797393A (application publication)
Authority: CN (China)
Inventors: 邢宝玉, 白淳升
Assignee (original and current): Antiy Technology Group Co Ltd
Legal status: Active
Prior art keywords: loading process, gpu, dynamic link, link library, frequency

Classifications

    • G06F21/566 Computer malware detection or handling, e.g. anti-virus arrangements: dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a software system
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements: eliminating virus, restoring damaged files
    • G06F9/44521 Dynamic linking or loading; link editing at or after load time, e.g. Java class loading
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention provides a method and device for detecting malicious mining behavior based on a GPU, together with an electronic device and a storage medium, and relates to the technical field of network terminal security. The method comprises the following steps: monitoring the loading process of a dynamic link library of the GPU; acquiring first call information of the dynamic link library; judging whether the loading process calls a dynamic link library of the GPU; if yes, obtaining second call information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU; and judging whether the loading process is a malicious mining behavior according to the first call information and the second call information. The method improves on the traditional CPU-oriented detection schemes based on traffic monitoring and endpoint software, and is specifically targeted at GPU mining.

Description

Method and device for detecting malicious mining behavior based on GPU
Technical Field
The invention relates to the technical field of network terminal security, in particular to a method and a device for detecting malicious mining behaviors based on a GPU, electronic equipment and a storage medium.
Background
As data-intensive workloads penetrate data centers and exceed what traditional CPUs can deliver, GPU vendors have supplied data centers with entirely new devices and graphics cards. The mining capability of a GPU is far superior to that of a CPU, and more and more malicious mining behavior is shifting to the GPU. Existing mining protection schemes are all aimed at the CPU platform, and include deploying a network monitoring solution (authors of mining programs can evade this detection method by encrypting traffic), endpoint software protection (detection is difficult for unknown mining families), maintaining browser extensions (mainly aimed at the CPU and not applicable to the GPU), and the like. These schemes are not specific to GPU mining and are not applicable to it.
Disclosure of Invention
First, the technical terms appearing in the present invention will be explained:
GPU: the Graphics Processing Unit (GPU), also known as the display core, visual processor or display chip, is a microprocessor dedicated to performing image- and graphics-related operations on personal computers, workstations, gaming consoles and some mobile devices (e.g., tablet computers, smartphones, etc.).
Mining Trojan: a program that generates (mines) cryptocurrency. Most cryptocurrencies are issued in a decentralized manner by creating new "currency" blocks according to certain rules. Generating each new monetary unit requires a significant amount of computing resources. The mining Trojan uses these resources to find a new hash and earns cryptocurrency for its owner. Mining Trojans installed on equipment without user consent are malware.
Dynamic Link Library (DLL): in Windows, many applications are not a single complete executable file; they are partitioned into relatively independent dynamically linked libraries, i.e., DLL files, that are placed in the system. When a program is executed, the corresponding DLL files are called.
In view of the above, the present invention provides a method, an apparatus, an electronic device, and a storage medium for detecting malicious mining behavior based on a GPU, so as to solve or partially solve the above technical problems.
According to one aspect of the invention, a method for detecting malicious mining behavior based on a GPU is provided, and the method comprises the following steps:
monitoring the loading process of a dynamic link library of the GPU;
acquiring first call information of the dynamic link library;
judging whether the loading process calls a dynamic link library of the GPU or not;
if yes, obtaining second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
judging whether the loading process is a malicious mining behavior according to the first calling information and the second calling information.
Optionally, the first call information includes a first frequency of normal calls per unit time and a first time period during which calls occur at the first frequency;
the second call information includes a second frequency of calls per unit time.
Optionally, the determining, according to the first call information and the second call information, whether the loading process is a malicious mining behavior includes:
dividing the second frequency by the first frequency to obtain a first multiple value;
judging whether the first multiple value is larger than a first preset threshold value;
if yes, judging the loading process to be a malicious mining behavior; if not, acquiring a second time period during which calls occur at the second frequency;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value;
if yes, judging the loading process to be a malicious mining behavior; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
Optionally, the method further comprises:
and when the loading process is judged to be a malicious mining behavior, an alarm is given, and the malicious mining behavior is cleared.
According to another aspect of the present invention, there is provided a detection apparatus for malicious mining behavior based on a GPU, the apparatus comprising:
the monitoring unit is used for monitoring the loading process of the dynamic link library of the GPU;
the acquisition unit is used for acquiring the first call information of the dynamic link library;
the judging unit is used for judging whether the loading process calls a dynamic link library of the GPU;
if yes, obtaining second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
and the processing unit judges whether the loading process is a malicious mining behavior according to the first calling information and the second calling information.
Optionally, the first call information includes a first frequency of normal calls per unit time and a first time period during which calls occur at the first frequency;
the second call information includes a second frequency of calls per unit time.
Optionally, the processing unit is specifically configured to:
divide the second frequency by the first frequency to obtain a first multiple value;
judge whether the first multiple value is larger than a first preset threshold value;
if yes, judge the loading process to be a malicious mining behavior; if not, acquire a second time period during which calls occur at the second frequency;
divide the second time period by the first time period to obtain a second multiple value;
judge whether the second multiple value is larger than a second preset threshold value;
if yes, judge the loading process to be a malicious mining behavior; if not, continue to monitor the loading process of the dynamic link library of the GPU.
Optionally, the device further comprises an alarm unit, specifically configured to:
and when the loading process is judged to be a malicious mining behavior, an alarm is given, and the malicious mining behavior is cleared.
According to still another aspect of the present invention, there is provided an electronic device including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor executes a program corresponding to the executable program code, by reading the executable program code stored in the memory, in order to perform the aforementioned method.
According to yet another aspect of the present invention, there is provided a computer-readable storage medium storing one or more programs executable by one or more processors to implement the foregoing method.
The method monitors the loading process of the dynamic link library of the GPU; acquires first call information of the dynamic link library; judges whether the loading process calls a dynamic link library of the GPU; if yes, obtains second call information of the dynamic link library; if not, continues to monitor the loading process of the dynamic link library of the GPU; and judges whether the loading process is a malicious mining behavior according to the first call information and the second call information. The method improves on the traditional CPU-oriented detection schemes based on traffic monitoring and endpoint software, and is specifically targeted at GPU mining.
Drawings
FIG. 1 is a flowchart of a method for detecting malicious mining behavior based on a GPU according to an embodiment of the invention;
FIG. 2 is a flowchart of another method for detecting malicious mining behavior based on a GPU according to an embodiment of the present invention;
FIG. 3 is a block diagram of a detection device for malicious mining behavior based on a GPU according to an embodiment of the invention;
FIG. 4 is a schematic structural diagram of an embodiment of the electronic device of the present invention.
Detailed Description
The following describes specific implementation manners of a method, a device, an electronic device and a storage medium for detecting malicious mining behavior based on a GPU according to embodiments of the present invention with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for detecting malicious mining behavior based on a GPU according to an embodiment of the present invention, as shown in fig. 1, where the method includes:
step S11: monitoring the loading process of a dynamic link library of the GPU;
step S12: acquiring first call information of a dynamic link library;
step S13: judging whether the loading process calls a dynamic link library of the GPU;
step S14: if yes, obtaining second calling information of the dynamic link library;
step S15: if not, continuing to monitor the loading process of the dynamic link library of the GPU;
step S16: judging whether the loading process is a malicious mining behavior according to the first calling information and the second calling information.
The method monitors the loading process of the dynamic link library of the GPU; acquires first call information of the dynamic link library; judges whether the loading process calls a dynamic link library of the GPU; if yes, obtains second call information of the dynamic link library; if not, continues to monitor the loading process of the dynamic link library of the GPU; and judges whether the loading process is a malicious mining behavior according to the first call information and the second call information. The method improves on the traditional CPU-oriented detection schemes based on traffic monitoring and endpoint software, and is specifically targeted at GPU mining.
In some embodiments of the present invention, the first call information includes a first frequency of normal calls per unit time and a first time period of the first frequency of normal calls; the second call information includes a second frequency of calls per unit time.
In some embodiments of the present invention, determining whether the loading process is a malicious mining behavior according to the first call information and the second call information includes: dividing the second frequency by the first frequency to obtain a first multiple value; judging whether the first multiple value is larger than a first preset threshold value; if yes, judging the loading process to be a malicious mining behavior; if not, acquiring a second time period during which calls occur at the second frequency; dividing the second time period by the first time period to obtain a second multiple value; judging whether the second multiple value is larger than a second preset threshold value; if yes, judging the loading process to be a malicious mining behavior; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
The first preset threshold and the second preset threshold may be set empirically, and in this embodiment, the first preset threshold is 10; the second preset threshold is 10.
In some embodiments of the invention, the method further comprises: when the loading process is judged to be a malicious mining behavior, giving an alarm and clearing the malicious mining behavior. The behavior log of the loading process can be submitted, and the resident modules of the mining Trojan in the registry, scheduled tasks and services can be cleared.
Fig. 2 is a flowchart of another method for detecting malicious mining behavior based on GPU according to an embodiment of the present invention, as shown in fig. 2, the method includes:
step S21: monitoring the loading process of the dynamic link library of the GPU.
Step S22: recording a first frequency F1 of normal API calls within a unit time period Tmin, and a first time period T1 over which calls occur at the frequency F1.
Step S23: judging whether the loading process calls a dynamic link library of the GPU; if yes, executing step S24 to trace the loading process, which may be a system process injected with malicious code or another otherwise legitimate process; if not, returning to step S21.
Step S24: obtaining the second frequency F2 of calls to the dynamic link library per unit time, i.e. tracing the graphics-card-related API calls made by the target loading process and recording the frequency F2 of API calls per unit time.
Step S25: dividing the second frequency F2 by the first frequency F1 to obtain a first multiple value.
Step S26: judging whether the first multiple value is larger than a first preset threshold value, which may be 10; if yes, the API call frequency F2 is far higher than F1 over consecutive unit time periods Tmin, the target process is considered abnormal, and step S210 is executed; if not, the API call frequency F2 is close to F1 within the unit time period Tmin, and step S27 is executed.
Step S27: acquiring a second time period T2 over which calls occur at the second frequency F2.
Step S28: dividing the second time period T2 by the first time period T1 to obtain a second multiple value.
Step S29: judging whether the second multiple value is larger than a second preset threshold value, which may be 10; if yes, T2 is far greater than T1, the target process is considered abnormal, and step S210 is executed; if not, returning to step S21.
Step S210: judging the loading process to be a malicious mining behavior.
Step S211: giving an alarm and clearing the malicious mining behavior, specifically: submitting the behavior log of the process, and clearing the resident modules of the mining Trojan in the registry, scheduled tasks and services.
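As an added illustration, not code from the patent or from Antiy, the following Python models the decision rule of steps S21 to S210 over a constructed API-call trace: each process that calls a graphics-card DLL is profiled, its call frequency F2 and call duration T2 are compared with the F1 and T1 of a known-good process, and the two preset thresholds of 10 are applied in the order the patent gives (frequency ratio first, duration ratio second). The DLL names, the unit time of 60 seconds, the choice of a baseline process id and the sample trace are all assumptions; a zero baseline is treated as an edge case rather than dividing by zero, and the remediation of step S211 is left out.

```python
"""Added illustration of the F2/F1 and T2/T1 decision rule (not the patent's code).

The call records below are constructed; a real deployment would feed them
from a hook or trace of graphics-card DLL API calls.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder names for graphics-card DLLs (the real names depend
# on the GPU vendor and driver; the patent does not list them).
GPU_DLLS = {"example_gpu_runtime.dll", "example_gpu_driver.dll"}

# Preset thresholds; the patent's embodiment uses 10 for both.
FIRST_THRESHOLD = 10.0   # applied to F2 / F1
SECOND_THRESHOLD = 10.0  # applied to T2 / T1
UNIT_TIME = 60.0         # Tmin, the unit time window in seconds (assumed)


@dataclass(frozen=True)
class ApiCall:
    t: float      # seconds since monitoring started
    pid: int      # calling process
    module: str   # DLL that exports the API
    api: str      # exported function name (constructed label)


def call_profile(calls, unit=UNIT_TIME):
    """Return (calls per unit window, duration in seconds) for one process."""
    if not calls:
        return 0.0, 0.0
    ts = sorted(c.t for c in calls)
    span = ts[-1] - ts[0]
    windows = max(1, math.ceil(span / unit))   # at least one Tmin window
    return len(ts) / windows, span


def judge(baseline, observed, first=FIRST_THRESHOLD, second=SECOND_THRESHOLD):
    """Steps S25 to S29: F2/F1, then T2/T1, against the preset thresholds."""
    f1, t1 = baseline
    f2, t2 = observed
    if f1 <= 0 or t1 <= 0:
        # No usable normal profile: never divide by zero, keep watching.
        return "insufficient_baseline"
    if f2 / f1 > first:
        return "malicious"             # S26: far more calls per unit time
    if t2 / t1 > second:
        return "malicious"             # S29: calling for far longer than normal
    return "continue_monitoring"       # back to S21


def detect(calls, baseline_pid):
    """Apply the rule to every process that calls a GPU DLL (step S23)."""
    by_pid = defaultdict(list)
    for c in calls:
        if c.module.lower() in GPU_DLLS:
            by_pid[c.pid].append(c)
    baseline = call_profile(by_pid.get(baseline_pid, []))   # F1, T1
    return {pid: judge(baseline, call_profile(cs))          # F2, T2 per process
            for pid, cs in by_pid.items() if pid != baseline_pid}


def sample_calls():
    """Constructed trace: one known-good process plus four others."""
    calls = []
    # pid 100: legitimate renderer, 30 calls spread over ~2 minutes (baseline).
    calls += [ApiCall(i * 4.0, 100, "example_gpu_runtime.dll", "Launch") for i in range(30)]
    # pid 200: hammers the GPU API, 2400 calls in the same 2 minutes.
    calls += [ApiCall(i * 0.05, 200, "example_gpu_runtime.dll", "Launch") for i in range(2400)]
    # pid 300: modest rate, but keeps calling for about 25 minutes.
    calls += [ApiCall(i * 3.0, 300, "example_gpu_driver.dll", "Submit") for i in range(500)]
    # pid 400: never touches a GPU DLL, so it is not a loading process at all.
    calls += [ApiCall(i * 1.0, 400, "example_other.dll", "ReadFile") for i in range(100)]
    # pid 500: ordinary short-lived GPU user, close to the baseline.
    calls += [ApiCall(i * 5.0, 500, "example_gpu_runtime.dll", "Launch") for i in range(24)]
    return calls


if __name__ == "__main__":
    for pid, verdict in sorted(detect(sample_calls(), baseline_pid=100).items()):
        print(pid, verdict)
```

With the constructed trace, pid 200 trips the first threshold (F2/F1 = 80), pid 300 passes the first check but trips the second (T2/T1 is about 12.9), pid 500 is left under monitoring, and pid 400 never enters the comparison because it loads no GPU DLL. Because both checks are ratios against the normal profile, the verdicts are only as good as F1 and T1: a baseline taken from an idle period inflates every ratio, which is why the code refuses to judge on an empty baseline.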
In one embodiment of the invention, the propagation paths of the mining Trojan are mainly spam email, software bundling and vulnerability exploitation. The mining Trojan is generally noticed through the user's experience of the host: the host suddenly becomes sluggish under otherwise normal operation, and CPU usage is higher than in normal use or reaches 100 percent. Judging whether a process is a mining process requires some experience, since a process that does not occupy the CPU heavily but still causes stalls may be a mining process, and stalls caused by system configuration problems must be distinguished from it. In general, the mining Trojan has a system-resident module, so that the malicious process can be executed continuously by means of scheduled tasks, services and the like.
The malware BlackSquid drops the XMUG mining Trojan through server vulnerabilities. In addition to deploying a mining Trojan aimed at the CPU, the malicious code BlackSquid also checks whether the target system has a graphics card, and if an Nvidia or AMD graphics card is found, downloads a new component to mine with the GPU resources. In this process, the behavior of the process loading the graphics card DLL can be monitored, the call relationship monitored, the call process of a manually loaded legitimate DLL file traced, and whether the normal call relationship is satisfied judged by monitoring the frequency and duration of calls to the graphics card API. If the monitoring finds an abnormality, the related process is terminated, the behavior log corresponding to the process is then checked, and the resident modules of the mining Trojan in the registry, scheduled tasks and services are cleared.
Fig. 3 is a block diagram of a detection device for malicious mining behavior based on a GPU according to an embodiment of the present invention; as shown in fig. 3, the device 30 includes:
the monitoring unit 301 is configured to monitor a loading process of the dynamic link library of the GPU;
an obtaining unit 302, configured to obtain first call information of the dynamic link library;
a judging unit 303, configured to judge whether the loading process invokes the dynamic link library of the GPU;
if yes, acquiring second call information of the dynamic link library through the acquisition unit 302; if not, continuing to monitor the loading process of the dynamic link library of the GPU through the monitoring unit 301;
the processing unit 304 determines whether the loading process is a malicious mining behavior according to the first call information and the second call information.
In some embodiments of the present invention, the first call information includes a first frequency of normal calls in a unit time and a first time period of the first frequency of normal calls; the second call information includes a second frequency of calls per unit time.
In some embodiments of the present invention, the processing unit 304 is specifically configured to: dividing the second frequency by the first frequency to obtain a first multiple value; judging whether the first multiple value is larger than a first preset threshold value or not; if yes, judging the loading process as a malicious mining behavior; if not, acquiring a second time period for calling a second frequency through the acquisition unit 302; dividing the second time period by the first time period to obtain a second multiple value; judging whether the second multiple value is larger than a second preset threshold value or not; if yes, judging the loading process as a malicious mining behavior; if not, the monitoring unit 301 continues to monitor the loading process of the dynamic link library of the GPU.
In some embodiments of the present invention, the apparatus further comprises an alarm unit 305, specifically configured to:
and when the loading process is judged to be a malicious mining behavior, an alarm is given, and the malicious mining behavior is cleared.
Specific workflow is described in detail in the method embodiments, and is not described here again.
An embodiment of the present invention further provides an electronic device, and fig. 4 is a schematic structural diagram of an embodiment of the electronic device, in which the flow of the embodiments of figs. 1-2 of the present invention may be implemented. As shown in fig. 4, the electronic device may include: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged in a space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to the respective circuits or devices of the electronic device; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code, by reading the executable program code stored in the memory 43, in order to execute the method described in any of the foregoing embodiments.
The specific implementation of the above steps by the processor 42 and the further implementation of the steps by the processor 42 through the execution of executable program codes may be referred to in the description of the embodiment of fig. 1-2 of the present invention, which is not repeated herein.
The electronic device exists in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice, data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, etc.
(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment device: such devices may display and play multimedia content. The device comprises: audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.
(4) Server: the configuration of a server includes a processor, hard disk, memory, system bus and the like; it is similar to a general computer architecture, but is required to provide highly reliable services, and therefore has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs executable by one or more processors to implement the foregoing method.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
The invention has the following technical effects:
In summary, for mining on the GPU graphics card, a malicious attacker needs to acquire basic information about the graphics card (product, version and model) and then call the dynamic link library corresponding to that information in order to carry out mining. The method first monitors the behavior of the process loading the graphics card DLL, monitors the call relationship, traces the call process of the manually loaded legitimate DLL file, and judges whether the call relationship is normal by monitoring the frequency and duration of calls to the graphics card API. If the monitoring finds an abnormality, the related process is terminated. Thus, by monitoring DLL call relationships during GPU execution, together with the frequency and duration of API calls, the previous detection schemes based on traffic and endpoint software can be improved upon.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (6)

1. A method for detecting malicious mining behavior based on a GPU, characterized by comprising the following steps:
monitoring the loading process of a dynamic link library of the GPU;
acquiring first call information of the dynamic link library;
judging whether the loading process calls a dynamic link library of the GPU or not;
if yes, obtaining second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
judging whether the loading process is a malicious mining behavior according to the first calling information and the second calling information;
the first call information comprises a first frequency of normal call in unit time and a first time period of the first frequency of normal call;
the second call information comprises a second frequency of call in unit time;
the judging whether the loading process is a malicious mining behavior according to the first calling information and the second calling information comprises the following steps:
dividing the second frequency by the first frequency to obtain a first multiplier value;
judging whether the first multiple value is larger than a first preset threshold value or not;
if yes, judging the loading process as a malicious mining behavior; if not, acquiring a second time period for calling the second frequency;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value or not;
if yes, judging the loading process as a malicious mining behavior; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
2. The method of claim 1, wherein the method further comprises:
and when the loading process is judged to be a malicious mining behavior, an alarm is given, and the malicious mining behavior is cleared.
3. Detection device based on GPU malicious mining behavior, characterized in that, the device includes:
the monitoring unit is used for monitoring the loading process of the dynamic link library of the GPU;
the acquisition unit is used for acquiring the first call information of the dynamic link library;
the judging unit is used for judging whether the loading process calls a dynamic link library of the GPU;
if yes, obtaining second calling information of the dynamic link library; if not, continuing to monitor the loading process of the dynamic link library of the GPU;
the processing unit judges whether the loading process is a malicious mining behavior according to the first calling information and the second calling information;
the first call information comprises a first frequency of normal call in unit time and a first time period of the first frequency of normal call;
the second call information comprises a second frequency of call in unit time;
the processing unit is specifically configured to:
dividing the second frequency by the first frequency to obtain a first multiplier value;
judging whether the first multiple value is larger than a first preset threshold value or not;
if yes, judging the loading process as a malicious mining behavior; if not, acquiring a second time period for calling the second frequency;
dividing the second time period by the first time period to obtain a second multiple value;
judging whether the second multiple value is larger than a second preset threshold value or not;
if yes, judging the loading process as a malicious mining behavior; if not, continuing to monitor the loading process of the dynamic link library of the GPU.
4. A device according to claim 3, characterized in that the device further comprises an alarm unit, in particular for:
and when the loading process is judged to be a malicious mining behavior, an alarm is given, and the malicious mining behavior is cleared.
5. An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; a processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any of the preceding claims 1 to 2.
6. A computer readable storage medium storing one or more programs executable by one or more processors to implement the method of any of the preceding claims 1-2.
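The following is an added worked example and not code from the patent or from Antiy: it implements the two-stage judgement of claims 1 and 3 (call-rate ratio first, sustained call duration second) over constructed GPU API call logs, preceded by the step the summary describes of spotting which processes have loaded a GPU compute library. The library names, the baseline of 20 calls per second sustained for at most 5 seconds, the thresholds of 3x and 4x, and the three scenarios are all assumptions chosen for the example; the patent leaves the thresholds "preset" and names no library.

```python
"""Added example (not the patent's own code): the two-stage check from claims 1
and 3, run over constructed GPU API call logs, plus the preceding step of
spotting which processes have loaded a GPU compute library."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption for the example: the "dynamic link library of the GPU" is one of
# the vendor compute runtimes. The patent names no specific library.
GPU_COMPUTE_LIBS = ("nvcuda.dll", "libcuda.so", "opencl.dll", "libopencl.so", "amdocl64.dll")


def loads_gpu_library(modules: Iterable[str]) -> Optional[str]:
    """Return the first GPU compute library among a process's loaded modules.

    `modules` is the module path list as read from /proc/<pid>/maps or a
    Windows module enumeration; matching is by basename prefix so versioned
    names such as libcuda.so.1 are caught."""
    for path in modules:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(name.startswith(lib) for lib in GPU_COMPUTE_LIBS):
            return path
    return None


@dataclass(frozen=True)
class Baseline:
    """First call information: normal calls per unit time, and how long a
    legitimate workload sustains that rate."""
    freq: float      # first frequency (calls per unit time)
    duration: float  # first time period (seconds)


@dataclass(frozen=True)
class Verdict:
    malicious: bool
    reason: str
    freq_ratio: float                # first multiple value
    duration_ratio: Optional[float]  # second multiple value (None if stage 1 decided)


def bucket_counts(timestamps: List[float], unit: float) -> List[int]:
    """Count GPU API calls per unit-time window; windows start at the first call."""
    if not timestamps:
        return []
    ts = sorted(timestamps)
    t0 = ts[0]
    counts = [0] * (int((ts[-1] - t0) // unit) + 1)
    for t in ts:
        counts[int((t - t0) // unit)] += 1
    return counts


def longest_run(counts: List[int], min_count: float) -> int:
    """Longest stretch of consecutive windows with at least `min_count` calls."""
    best = cur = 0
    for c in counts:
        cur = cur + 1 if c >= min_count else 0
        best = max(best, cur)
    return best


def judge(timestamps: List[float], baseline: Baseline, unit: float = 1.0,
          freq_threshold: float = 3.0, duration_threshold: float = 4.0) -> Verdict:
    """Claim 1 from 'dividing the second frequency by the first frequency' on.
    Threshold values are assumptions; the patent only calls them preset."""
    counts = bucket_counts(timestamps, unit)
    if not counts:
        return Verdict(False, "no GPU calls observed", 0.0, None)
    second_freq = max(counts)                 # second frequency: busiest window
    freq_ratio = second_freq / baseline.freq  # first multiple value
    if freq_ratio > freq_threshold:
        return Verdict(True, "call rate", freq_ratio, None)
    # Stage 2: how long the process kept calling at or above the normal rate.
    second_duration = longest_run(counts, baseline.freq) * unit   # second time period
    duration_ratio = second_duration / baseline.duration          # second multiple value
    if duration_ratio > duration_threshold:
        return Verdict(True, "call duration", freq_ratio, duration_ratio)
    return Verdict(False, "within baseline", freq_ratio, duration_ratio)


def _steady_calls(rate: float, seconds: float) -> List[float]:
    """Constructed call log: `rate` evenly spaced calls per second for `seconds`."""
    return [i / rate for i in range(int(rate * seconds))]


# Constructed scenarios. Assumed baseline: a legitimate compute or render burst
# in this fictional environment makes 20 calls/s and lasts at most 5 s.
BASELINE = Baseline(freq=20.0, duration=5.0)
SCENARIOS = {
    "steady_miner": _steady_calls(100.0, 30.0),    # 5x the normal rate
    "throttled_miner": _steady_calls(40.0, 60.0),  # only 2x the rate, but never stops
    "render_burst": _steady_calls(50.0, 3.0),      # 2.5x the rate for 3 s, then idle
}


def run_scenarios() -> Dict[str, Verdict]:
    """Judge every constructed scenario against the assumed baseline."""
    return {name: judge(calls, BASELINE) for name, calls in SCENARIOS.items()}


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:16s} malicious={v.malicious!s:5s} reason={v.reason!r} "
              f"freq_ratio={v.freq_ratio:.2f} duration_ratio={v.duration_ratio}")
```

The throttled scenario is the reason the claim has a second stage: a miner that caps its kernel-launch rate at 2x the baseline passes the frequency check, and is only caught because it never stops. In a deployment the baseline would be learned per GPU model and per legitimate application rather than fixed, and the module check would run on each process that maps a compute runtime, before any call counting starts.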
CN202010578925.XA 2020-06-23 2020-06-23 Method and device for detecting malicious mining behavior based on GPU Active CN111797393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010578925.XA CN111797393B (en) 2020-06-23 2020-06-23 Method and device for detecting malicious mining behavior based on GPU

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010578925.XA CN111797393B (en) 2020-06-23 2020-06-23 Method and device for detecting malicious mining behavior based on GPU

Publications (2)

Publication Number Publication Date
CN111797393A CN111797393A (en) 2020-10-20
CN111797393B true CN111797393B (en) 2023-05-23

Family

ID=72803725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010578925.XA Active CN111797393B (en) 2020-06-23 2020-06-23 Method and device for detecting malicious mining behavior based on GPU

Country Status (1)

Country Link
CN (1) CN111797393B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009129451A (en) * 2007-11-20 2009-06-11 Korea Electronics Telecommun Apparatus and method for detecting dynamic link library inserted by malicious code
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detection method and device
CN109101815A (en) * 2018-07-27 2018-12-28 平安科技(深圳)有限公司 Malware detection method and related device
CN110135160A (en) * 2019-04-29 2019-08-16 北京邮电大学 Method, apparatus and system for software detection
CN110619217A (en) * 2019-09-18 2019-12-27 杭州安恒信息技术股份有限公司 Method and device for actively defending malicious mining program
CN110839088A (en) * 2018-08-16 2020-02-25 深信服科技股份有限公司 Detection method, system, device and storage medium for virtual currency mining
CN111143842A (en) * 2019-12-12 2020-05-12 广州大学 Malicious code detection method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105874463A (en) * 2013-12-30 2016-08-17 诺基亚技术有限公司 Method and apparatus for malware detection
CN107679402A (en) * 2017-09-28 2018-02-09 四川长虹电器股份有限公司 Malicious code behavioural characteristic extracting method
CN108829829A (en) * 2018-06-15 2018-11-16 深信服科技股份有限公司 Method, system, device and storage medium for detecting virtual currency mining programs
CN110875917B (en) * 2018-09-04 2022-02-25 国家计算机网络与信息安全管理中心 Method, device and storage medium for detecting mining viruses
CN109347806B (en) * 2018-09-20 2021-04-27 天津大学 System and method for detecting mining malicious software based on host monitoring technology
CN110489969B (en) * 2019-08-22 2021-05-25 杭州安恒信息技术股份有限公司 SOAR-based system and electronic device for handling host mining viruses


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on a static detection method for Android malware based on API and Permission; Yang Mingkun et al.; Computer Applications and Software (计算机应用与软件); 37(04); pp. 53-58, 104 *

Also Published As

Publication number Publication date
CN111797393A (en) 2020-10-20

Similar Documents

Publication Publication Date Title
CN104426885B (en) Abnormal account providing method and device
CN108875364B (en) Threat determination method and device for unknown file, electronic device and storage medium
CN106709325B (en) Method and device for monitoring program
CN106203092B (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN105630551A (en) Method and device for installing application software and electronic equipment
CN113973012B (en) Threat detection method and device, electronic equipment and readable storage medium
CN114065204A Fileless Trojan detection and removal method and device
CN110866248A Ransomware identification method and device, electronic equipment and storage medium
CN111259382A (en) Malicious behavior identification method, device and system and storage medium
CN111062035B Ransomware detection method and device, electronic equipment and storage medium
CN114741695A (en) Malicious code monitoring method and device, electronic equipment and storage medium
CN110020531A (en) Internet of things equipment risk checking method and device
CN111030974A (en) APT attack event detection method, device and storage medium
CN106022117A (en) Method and device for preventing system environment variable from being modified and electronic equipment
CN111797393B (en) Method and device for detecting malicious mining behavior based on GPU
CN111027065B Ransomware identification method and device, electronic equipment and storage medium
CN110611675A (en) Vector magnitude detection rule generation method and device, electronic equipment and storage medium
CN111782294A (en) Application program running method and device, electronic equipment and storage medium
CN114860351A Anomaly identification method and device, storage medium and computer equipment
CN116108435A (en) On-demand opening method and device for safety cut surface of mobile terminal
CN114692150A (en) Sandbox environment-based malicious code analysis method and device and related equipment
CN115378628A (en) Sandbox-based malicious sample detection method and system, host, electronic device and storage medium
CN108875363B (en) Method and device for accelerating virtual execution, electronic equipment and storage medium
CN108875372B (en) Code detection method and device, electronic equipment and storage medium
CN108875371B (en) Sandbox analysis method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)
Applicant after: Antan Technology Group Co.,Ltd.
Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.
GR01 Patent grant