CN112035837A - Malicious PDF document detection system and method based on mimicry defense - Google Patents


Info

Publication number
CN112035837A
Authority
CN
China
Prior art keywords
pdf document
malicious
processing
pdf
tracking
Legal status
Granted
Application number
CN202010755721.9A
Other languages
Chinese (zh)
Other versions
CN112035837B (en)
Inventor
伊鹏
胡涛
陈祥
韩伟涛
张震
王文博
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of information content security, and particularly relates to a malicious PDF document detection system and method based on mimicry defense. According to the invention, by introducing the mimicry defense technology into the detection of the malicious PDF document, the known and unknown risks faced by the PDF document can be effectively prevented, and the detection accuracy and the detection efficiency are improved.

Description

Malicious PDF document detection system and method based on mimicry defense
Technical Field
The invention belongs to the technical field of information content security, and particularly relates to a malicious PDF document detection system and method based on mimicry defense.
Background
As users have become aware of malicious e-mail attachments and network links, attackers have turned to document-based attacks. Browsers, e-mail clients and antivirus products typically warn users much more strongly about executable files. Documents such as PDFs, however, attract little attention or suspicion because they give the impression of being static files that pose little harm.
In recent years, however, the PDF specification has changed. Embedded scripting allows a document to behave much like an executable, including connecting to the Internet, running processes and interacting with other files and programs. The increased content complexity gives attackers more vulnerabilities with which to launch powerful attacks, and more flexibility to hide malicious payloads and evade detection. A malicious PDF document typically exploits one or more vulnerabilities in the PDF interpreter. Given the growing complexity of PDF readers and their broad library and system component dependencies, a large exposed attack surface forms easily.
Taking Adobe Acrobat Reader as an example, 274 CVEs were disclosed for it in 2019. The wide variety of PDF readers and the resulting large attack surface make the format one of the preferred targets for attackers. Collected malware cases show that many Adobe components have been attacked, including the element parser and decoder, the font manager and the JavaScript engine. System-wide dependencies, such as graphics libraries, are also targets.
With the continuous development of PDF readers and the popularity of the PDF format, malicious PDF document detection has become an urgent problem. Existing detection schemes, however, oversimplify the PDF specification, which leads to incomplete extraction of malicious payloads and to detection failures, and they lack real-time tracking of the document's processing. A new type of malicious PDF document detection system is therefore needed to protect against both the known and the unknown risks of PDF documents.
In recent years, to address the serious security problems caused by the weaknesses of traditional defence methods, researchers have proposed mimicry defense technology. Mimicry defense is an active defence method whose core idea is dynamic heterogeneous redundancy: a number of redundant, heterogeneous, functionally equivalent executors jointly process the same external request, and malicious attacks are discovered and blocked through multi-mode arbitration. This overcomes the static, homogeneous and single-point weaknesses of traditional defence technology.
Disclosure of Invention
Aiming at malicious attacks launched through vulnerabilities and backdoors in PDF documents, and based on the idea of dynamic heterogeneous redundancy from mimicry defense, the invention designs a malicious PDF document detection system and method based on mimicry defense, so that the detection system has endogenous security attributes and can quickly and effectively detect known and unknown risks in PDF documents.
In order to solve the technical problems, the invention adopts the following technical scheme.
The invention provides a malicious PDF document detection system based on mimicry defense, which comprises:
a plurality of functionally equivalent heterogeneous hosts, used for processing the same PDF document and for tracking the system behaviors of each heterogeneous host while it processes the PDF document;
and an arbitrator, used for judging the tracking results and determining whether the PDF document is malicious.
Further, a PDF reader of the same type and version is installed in the host system of each heterogeneous host.
Further, the system behaviors of the heterogeneous hosts while processing the PDF document comprise internal behavior and external behavior: the internal behavior tracks the PDF document processing flow of the PDF reader inside the heterogeneous host system, and the external behavior tracks the influence of the PDF document processing on the heterogeneous host system.
Further, the arbitrator comprises an internal behavior arbitrator and an external behavior arbitrator; the internal behavior arbitrator executes multi-mode arbitration on the internal behavior tracking results, and the external behavior arbitrator executes multi-mode arbitration on the external behavior tracking results.
The invention also provides a malicious PDF document detection method based on mimicry defense, which comprises the following steps:
performing mimicry processing on the same PDF document;
tracking system behaviors of a plurality of heterogeneous hosts in processing a PDF document;
and judging the tracking processing result, and determining whether the PDF document is malicious or not.
Further, performing mimicry processing on the same PDF document includes:
distributing the PDF document to be detected, as input excitation, to a plurality of functionally equivalent heterogeneous hosts for simultaneous processing, where a PDF reader of the same type and version is installed in the host system of each heterogeneous host.
Further, the system behaviors of the plurality of heterogeneous hosts in processing the PDF document comprise an internal behavior and an external behavior, the internal behavior is used for tracking the PDF document processing flow of a PDF reader in the heterogeneous host system, and the external behavior is used for tracking the influence of PDF document processing on the heterogeneous host system.
Further, the internal behaviors include COS object parsing, PD tree construction, script execution and element rendering.
Further, the external behavior includes file system operations, network activities, and program loading.
Further, the step of determining the tracking processing result to determine whether the PDF document is malicious includes:
sending the internal behavior tracking result to an internal behavior arbitrator for comparison, and determining whether the PDF document is malicious or not by comparing the processing action and executing multi-mode arbitration; and sending the external behavior tracking result to an external behavior arbitrator for comparison, and determining whether the PDF document is malicious or not by comparing the behaviors of the heterogeneous host system and executing multi-mode arbitration.
Compared with the prior art, the invention has the following advantages:
In order to effectively improve the capability of malicious PDF document detection, the invention designs a malicious PDF document detection system based on mimicry defense. A normal PDF document behaves the same on different host systems, whereas a malicious PDF document may cause different behaviors when its attack is triggered on different host systems, ranging from the PDF processing actions (internal behaviors) to the influence of the PDF document on the host system (external behaviors). The detection result is therefore produced by multi-mode arbitration over a broad comparison of the document's behaviors (both internal and external) on heterogeneous host systems (e.g., Windows, Linux, and Macintosh). Specifically, an input PDF document is processed simultaneously on a plurality of functionally equivalent heterogeneous host systems; the processing actions of the PDF reader and the influence of the PDF document on each host system are tracked separately; the detection result is output by majority decision; and as soon as internal or external behaviors are found to be inconsistent between the heterogeneous host systems, the PDF document is considered malicious. By introducing mimicry defense technology into malicious PDF document detection, the invention effectively protects against the known and unknown risks faced by PDF documents and improves both detection accuracy and detection efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a diagram of the abstract model of a mimicry defense system;
FIG. 2 is a flow chart of the processing actions of a PDF reader in an embodiment of the present invention;
FIG. 3 is an overall framework diagram of a malicious PDF document detection system based on mimicry defense according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
The invention designs a malicious PDF document detection system based on the mimicry defense principle. The core idea of mimicry defense is to improve a system's ability to cope with unknown threats by introducing a dynamic heterogeneous redundant architecture. The abstract model of a mimicry defense system is shown in FIG. 1: an input agent distributes the input sequence to a plurality of heterogeneous functional equivalents; each executor in the set of functionally equivalent heterogeneous executors that receives the input excitation generates an output vector satisfying the given semantics and syntax; and the multi-mode arbiter judges the consistency of the multi-mode output vectors and forms the output response sequence according to a decision strategy derived from decision parameters or an algorithm. Introducing mimicry defense technology into malicious PDF document detection can therefore greatly improve detection efficiency and accuracy and effectively strengthen information security protection.
Generally, as soon as a PDF reader opens a PDF document it begins its processing, whose basic flow passes in order through COS object parsing, PD tree construction, script execution and element rendering, as shown in FIG. 2. When a PDF document to be detected is opened, the PDF header is scanned to quickly locate the trailer and the cross-reference table (XRT). Once the XRT is located, the basic elements of the PDF document (COS objects) are enumerated and parsed; COS objects are simply data with type labels (e.g., integers, strings, keywords, arrays, dictionaries or streams). One or more COS objects are then assembled into PDF-specific components such as text, images, fonts, forms, pages and JavaScript code, according to the PDF reader's interpretation of the PDF specification. The hierarchy of the PDF document (e.g., which text appears on a particular page) is also built during this process; the resulting output is called the PD tree, which is then passed to the rendering engine for display. When the rendering engine performs a JavaScript action, or renders a form with embedded JavaScript, the entire JavaScript code block is executed. After execution finishes, the PDF reader presents the corresponding PDF document content.
Because the PDF specification is cross-platform (Windows, Linux, Mac), a legitimate operation that affects the host system on one platform is performed in the same way when the document is opened on another platform. For example, if a benign document connects to a remote host, the same connection is made on the other platforms. When different host systems open a PDF document, the order and results of function execution are the same for a benign document, whereas for a malicious document the tracking results may differ in many places, both in the PDF document processing procedure and in the impact of the PDF document on the host system.
Based on the abstract model of a mimicry defense system, this embodiment applies a mimicry transformation to the process of malicious PDF document detection and designs a malicious PDF document detection system based on mimicry defense. Its overall framework is shown in FIG. 3 and comprises a plurality of functionally equivalent heterogeneous hosts and arbitrators. A PDF reader of the same type and version is installed in the host system of each heterogeneous host, and the heterogeneous host systems may be Windows, Linux, Mac or the like. The heterogeneous hosts process the same PDF document, and the system behaviors of the hosts during processing are tracked; these comprise internal behavior, which tracks the PDF document processing flow of the PDF reader inside the host system, and external behavior, which tracks the influence of the PDF document processing on the host system. The arbitrator judges the tracking results, determines whether the PDF document is malicious and outputs the detection result; it comprises an internal behavior arbitrator, which executes multi-mode arbitration on the internal behavior tracking results, and an external behavior arbitrator, which executes multi-mode arbitration on the external behavior tracking results.
With this mimicry defense-based malicious PDF document detection system, malicious PDF documents can be detected quickly and effectively.
Corresponding to the above system, the present embodiment further provides a malicious PDF document detection method based on mimicry defense, in which the same PDF document is processed by multiple heterogeneous hosts at the same time; after the PDF document to be detected has been processed by the different host systems, the tracked processing results are sent to the arbitrator, which outputs the arbitration result by majority decision. The method specifically comprises the following steps.
Step S101: perform mimicry processing on the same PDF document based on host diversity.
When a PDF document to be detected is input, it is taken as input excitation and distributed to a plurality of functionally equivalent heterogeneous hosts, each of whose host systems has a PDF reader of the same type and version installed, and the input PDF document is processed on all of them at the same time.
Step S102: track the system behaviors of the heterogeneous hosts while they process the PDF document.
The tracking of the PDF document processing is divided into two parts. On the one hand, the PDF document processing flow of the PDF reader inside the heterogeneous host system (the internal behavior) is traced; the internal behavior consists of the four types of processing actions of the PDF reader, namely COS object parsing, PD tree construction, JavaScript execution and PDF element presentation. On the other hand, the impact of the PDF document processing on the heterogeneous host system (the external behavior) is tracked; this can be summarised as a series of executable operations, including file system operations, network activities and program loading. System calls are hooked, and their parameters and return values recorded, thereby capturing the impact that executing a malicious document has on the host system.
Step S103: judge the tracking results and determine whether the PDF document is malicious.
The four types of processing actions of the PDF reader are sent to the internal behavior arbitrator for comparison, and whether the PDF document is malicious is determined by comparing the processing actions and executing multi-mode arbitration.
The external behavior tracking results are sent to the external behavior arbitrator for comparison, and whether the PDF document is malicious is determined by comparing the behaviors of the heterogeneous host systems and executing multi-mode arbitration.
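As an added example (not code from the patent), the following Python models the two arbitrators of steps S101 to S103 over constructed behavior traces from three heterogeneous hosts: the internal arbitrator compares the ordered reader actions, the external arbitrator compares the host-system effects, and any host that deviates from the majority marks the document as malicious. Host names, stage summaries and effect labels are assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# The four internal processing actions named in the patent, in reader order.
INTERNAL_STAGES = ("cos_parse", "pd_tree", "script_exec", "render")


@dataclass(frozen=True)
class HostTrace:
    """Behaviour recorded on one heterogeneous host while it processes one PDF."""
    host: str
    # Internal behaviour: ordered (stage, summary) pairs emitted by the PDF reader.
    internal: tuple[tuple[str, str], ...]
    # External behaviour: (category, target) effects captured by hooked system calls.
    external: frozenset[tuple[str, str]]


@dataclass
class Verdict:
    malicious: bool
    deviating_hosts: list[str]
    reasons: list[str]


def _majority(values: list) -> tuple[object, int]:
    """Return the most common value and the number of hosts that reported it."""
    value, count = Counter(values).most_common(1)[0]
    return value, count


def arbitrate_internal(traces: list[HostTrace]) -> tuple[list[str], list[str]]:
    """Internal behaviour arbitrator: compare the ordered reader action sequences."""
    majority, _ = _majority([t.internal for t in traces])
    deviating, reasons = [], []
    for t in traces:
        if t.internal == majority:
            continue
        deviating.append(t.host)
        # Report the first stage at which this host's processing diverges.
        for i, expected in enumerate(majority):
            got = t.internal[i] if i < len(t.internal) else None
            if got != expected:
                reasons.append(f"{t.host}: internal stage {i} expected {expected}, got {got}")
                break
        else:
            reasons.append(f"{t.host}: extra internal stages {t.internal[len(majority):]}")
    return deviating, reasons


def arbitrate_external(traces: list[HostTrace]) -> tuple[list[str], list[str]]:
    """External behaviour arbitrator: compare the host-system effects each host observed."""
    majority, _ = _majority([t.external for t in traces])
    deviating, reasons = [], []
    for t in traces:
        if t.external == majority:
            continue
        deviating.append(t.host)
        extra, missing = sorted(t.external - majority), sorted(majority - t.external)
        reasons.append(f"{t.host}: extra external effects {extra}, missing {missing}")
    return deviating, reasons


def arbitrate(traces: list[HostTrace]) -> Verdict:
    """Multi-mode arbitration: majority decision; any inconsistency flags the document."""
    if len(traces) < 3:
        raise ValueError("multi-mode arbitration needs at least three heterogeneous hosts")
    dev_i, reasons_i = arbitrate_internal(traces)
    dev_e, reasons_e = arbitrate_external(traces)
    deviating = sorted(set(dev_i) | set(dev_e))
    return Verdict(bool(deviating), deviating, reasons_i + reasons_e)


def _trace(host: str, stages: int, external: frozenset[tuple[str, str]]) -> HostTrace:
    """Build a constructed trace whose reader reached the first `stages` stages."""
    summaries = ("objects=42", "pages=3", "blocks=1", "pages=3")  # constructed
    internal = tuple(zip(INTERNAL_STAGES[:stages], summaries[:stages]))
    return HostTrace(host, internal, external)


# Constructed samples (not from the patent). A benign document behaves identically
# on every platform. For the suspect document the Windows reader never reaches the
# render stage, and a network connection and program launch appear only there.
_READ = frozenset({("file", "read:sample.pdf")})
BENIGN_TRACES = [_trace(h, 4, _READ) for h in ("linux", "mac", "windows")]
SUSPECT_TRACES = [
    _trace("linux", 4, _READ),
    _trace("mac", 4, _READ),
    _trace("windows", 3, _READ | {("net", "connect:198.51.100.7:80"), ("proc", "spawn")}),
]

if __name__ == "__main__":
    for name, traces in (("benign", BENIGN_TRACES), ("suspect", SUSPECT_TRACES)):
        verdict = arbitrate(traces)
        print(name, "MALICIOUS" if verdict.malicious else "benign", verdict.reasons)
```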
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A malicious PDF document detection system based on mimicry defense, characterized by comprising:
a plurality of functionally equivalent heterogeneous hosts, used for processing the same PDF document and for tracking the system behaviors of the heterogeneous hosts while they process the PDF document;
and an arbitrator, used for judging the tracking results and determining whether the PDF document is malicious.
2. The mimicry defense-based malicious PDF document detection system according to claim 1, wherein a PDF reader of the same type and version is installed in the host system of each heterogeneous host.
3. The mimicry defense-based malicious PDF document detection system according to claim 2, wherein the tracked system behaviors of the heterogeneous hosts while processing the PDF document comprise an internal behavior and an external behavior, the internal behavior tracking the PDF document processing flow of the PDF reader in the heterogeneous host system, and the external behavior tracking the influence of the PDF document processing on the heterogeneous host system.
4. The mimicry defense-based malicious PDF document detection system according to claim 3, wherein the arbitrator comprises an internal behavior arbitrator and an external behavior arbitrator; the internal behavior arbitrator executes multi-mode arbitration on the internal behavior tracking results, and the external behavior arbitrator executes multi-mode arbitration on the external behavior tracking results.
5. A malicious PDF document detection method based on mimicry defense is characterized by comprising the following steps:
performing mimicry processing on the same PDF document;
tracking system behaviors of a plurality of heterogeneous hosts in processing a PDF document;
and judging the tracking processing result, and determining whether the PDF document is malicious or not.
6. The mimicry defense-based malicious PDF document detection method according to claim 5, wherein performing mimicry processing on the same PDF document comprises:
distributing the PDF document to be detected, as input excitation, to a plurality of functionally equivalent heterogeneous hosts for simultaneous processing, where a PDF reader of the same type and version is installed in the host system of each heterogeneous host.
7. The method for detecting the malicious PDF document based on the mimicry defense as claimed in claim 6, wherein the tracking system behaviors of the plurality of heterogeneous hosts during processing the PDF document comprises an internal behavior and an external behavior, the internal behavior is tracking PDF document processing flow of a PDF reader in a system of the heterogeneous hosts, and the external behavior is tracking influence of PDF document processing on the system of the heterogeneous hosts.
8. The mimic defense based malicious PDF document detection method according to claim 7, wherein the internal behaviors include COS object parsing, PD tree construction, script execution and element rendering.
9. The method of claim 8, wherein the external behaviors include file system operations, network activities, and program loading.
10. The method for detecting the malicious PDF document based on mimicry defense as claimed in claim 9, wherein the step of determining whether the PDF document is malicious or not by determining the tracking processing result comprises:
sending the internal behavior tracking result to an internal behavior arbitrator for comparison, and determining whether the PDF document is malicious or not by comparing the processing action and executing multi-mode arbitration; and sending the external behavior tracking result to an external behavior arbitrator for comparison, and determining whether the PDF document is malicious or not by comparing the behaviors of the heterogeneous host system and executing multi-mode arbitration.

Priority Applications (1)

Application Number: CN202010755721.9A (granted as CN112035837B)
Priority Date: 2020-07-31
Filing Date: 2020-07-31
Title: Malicious PDF document detection system and method based on mimicry defense

Publications (2)

CN112035837A (application), published 2020-12-04
CN112035837B (granted patent), published 2023-06-20

Family

ID=73581943

Country Status (1)

CN: CN112035837B (en), Active

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100115621A1 (en) * 2008-11-03 2010-05-06 Stuart Gresley Staniford Systems and Methods for Detecting Malicious Network Content
US20110078794A1 (en) * 2009-09-30 2011-03-31 Jayaraman Manni Network-Based Binary File Extraction and Analysis for Malware Detection
CN103440461A (en) * 2013-09-16 2013-12-11 山东省计算中心 PDF (Portable Document Format) document security auditing method
CN104731892A (en) * 2015-03-17 2015-06-24 中国人民解放军信息工程大学 Mimicry tampering resisting method for centralized file service system
CN104766025A (en) * 2015-03-23 2015-07-08 中国人民解放军信息工程大学 Mimicry tamper-proof method of distributed file system
CN104933094A (en) * 2015-05-19 2015-09-23 深圳市松特高新实业有限公司 PPT document construction method and system
CN105389407A (en) * 2014-08-21 2016-03-09 波音公司 integrated visualization and analysis of a complex system
CN108416034A (en) * 2018-03-12 2018-08-17 宿州学院 Information acquisition system and its control method based on financial isomery big data
CN110647754A (en) * 2018-06-27 2020-01-03 国际商业机器公司 File system view separation for data confidentiality and integrity
CN111310245A (en) * 2020-03-05 2020-06-19 之江实验室 Data encryption storage method for mimicry defense system


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CHRISTIAN ESPOSITO: "Interoperable, dynamic and privacy-preserving access control for cloud data storage when integrating heterogeneous organizations", JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, vol. 108 *
胡江; 周安民: "Research on malicious PDF document detection technology against JavaScript attacks", Modern Computer (Professional Edition), vol. 2016, no. 01 *
郑生军 et al.: "Online detection system for advanced malware attacks based on virtual execution technology", Information Network Security, vol. 2016, no. 01 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363037A (en) * 2021-12-30 2022-04-15 河南信大网御科技有限公司 Forcible specific scene-based forced decision method, system, framework and medium
CN114363037B (en) * 2021-12-30 2023-09-29 河南信大网御科技有限公司 Strong arbitration method, system, architecture and medium based on mimicry specific scene

Also Published As

Publication number Publication date
CN112035837B (en) 2023-06-20


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant