CN112738123A - Method and device for detecting malicious remote process tracing calling behavior - Google Patents
Method and device for detecting malicious remote process tracing calling behavior Download PDFInfo
- Publication number
- CN112738123A CN112738123A CN202110008594.0A CN202110008594A CN112738123A CN 112738123 A CN112738123 A CN 112738123A CN 202110008594 A CN202110008594 A CN 202110008594A CN 112738123 A CN112738123 A CN 112738123A
- Authority
- CN
- China
- Prior art keywords
- calling
- information
- call
- exists
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/547—Remote procedure calls [RPC]; Web services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The invention relates to a detection method and a device for malicious remote process tracing calling behaviors, which comprises an initialization set E0, an interface identifier to be called, an API (application program interface) number, a specific function needing to call the interface and calling request parameter information are acquired by intercepting all RPC calling requests, and interprocess calling relation information of each remote process calling is established; judging whether the interface identifier called by the remote procedure exists in a preset list L0, continuously judging whether the interface identifier of the request exists in a preset list L1 according to the judgment result, and implementing corresponding operation according to the two judgment results; and if the set E0 does not have the client process ID, searching the corresponding calling relationship information relationship I by taking T (P, T) as a retrieval condition, judging whether the I exists in the set E0, and implementing corresponding operation according to a judgment result. The invention can save system resources and accelerate the processing flow of the system; meanwhile, the accuracy of RPC detection is ensured.
Description
Technical Field
The invention relates to the technical field of network monitoring, in particular to a malicious remote process tracing and calling behavior detection method and device.
Background
With the rapid development of the internet, malicious programs are more easily spread, and attack technologies used by the malicious programs are continuously upgraded, and are not limited to behavior countermeasure in malicious program processes, but are released by using rpc components existing in the system by using RPC (remote Procedure call) calls; safety monitoring systems such as bypassing sandboxes and main defense are achieved. Meanwhile, on a window (windows) operating system, not only a direct-connected rpc server but also a rpc server of a multi-level proxy exists, the request jumps many times, and finally reaches the process where the service is located, when the multi-level proxy exists, it is necessary to trace rpc, so that the rpc behavior can be associated with a real request initiator, and the situations of false alarm and vulnerability can be effectively avoided.
In addition, a large number of system processes exist on a window (windows) operating system of the latest version, the processes are created or finished all the time, and a large number of system behaviors generate a large number of false alarms if the behaviors cannot be strictly distinguished; especially in a sandbox system, the system behavior severely interferes with the detection of malicious behavior; the traditional process chain related to the malicious program is not enough to deal with the behavior release through RPC; many system behaviors occur if the system is based on a chain of process relationships throughout the system.
Summarizing, to accurately detect and trace the behavior of malicious remote procedure call, besides the GUID of the necessary call interface and the index number of the call function, the process ID and the thread ID of the client side initiating the request are also needed, so that accurate detection can be performed; for a remote procedure call with a multi-level proxy, a requester must be traced to know which process the client originally initiated the request is, so that whether the remote procedure call is malicious or not can be judged.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, provides a method and a device for detecting a malicious remote process tracing calling behavior, and solves the problem that the traditional RPC interception only can acquire ProcNum and presentationContext; it is not possible to completely track which process initiated the request; and only the detection is carried out according to the known RPC rules through the ProcNum and the presentationContext, the accuracy of the detection is relatively low, and unknown malicious remote procedure calls cannot be detected.
The purpose of the invention is realized by the following technical scheme: a detection method for malicious remote procedure tracing calling behaviors, the detection method comprising:
initializing a suspicious target process information set E0, intercepting all RPC call requests according to an API, acquiring an interface identifier to be called, an API number, a specific function needing to call the interface and call request parameter information, and establishing inter-process call relation information of each remote process call;
judging whether the interface identifier called by the remote process exists in a preset suspicious interface identifier list L0, continuously judging whether the requested interface identifier exists in a preset forwarding interface identifier list L1 according to the judgment result, and implementing corresponding operation according to the two judgment results;
and if the set E0 does not have the client process ID, searching the corresponding calling relationship information relationship I by taking T (P, T) as a retrieval condition, judging whether the I exists in the set E0, and implementing corresponding operation according to a judgment result.
The method comprises the steps of initializing a suspicious target process information set E0, intercepting all RPC call requests according to an API, acquiring an interface identifier to be called, an API number, a specific function needing to call the interface and call request parameter information, and establishing interprocess call relation information of each remote process call, wherein the steps comprise:
a1, initializing a suspicious target and carrying out an information set E0, intercepting an RPC server call response distribution entry function according to an API, distributing the RPC call request through the entry function, and intercepting the RPC call request;
a2, for a single RPC call request, the client sends an interface identifier and an API number to be called to the server, and informs the server of calling a specific function of the interface and calling request parameter information;
and A3, establishing the inter-process calling relation information of each remote procedure call according to the calling information acquired in the step A2.
3. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 2, wherein: and in the step A2, analyzing the process ID, the thread ID, the interface identification, the request function ID and the request function calling parameter list information of the RPC calling client according to the RPC calling request information.
The step a3 records the interface identifier, request function information, process ID and thread ID of the client, process ID of the current request server, and server thread ID as an inter-process call relationship query information structure.
The determining whether the interface identifier of the remote procedure call exists in the preconfigured suspicious interface identifier list L0, continuously determining whether the requested interface identifier exists in the preconfigured forwarding interface identifier list L1 according to the determination result, and performing corresponding operations according to the two determination results includes:
judging whether the interface identifier called by the client remote procedure in the step A2 exists in a preset suspicious interface identifier list L0, if not, judging whether the requested interface identifier exists in a preset forwarding interface identifier list L1, if so, inserting the inter-process calling relation information into an inquiry module to indicate that the remote procedure calling request is proxy forwarding procedure calling, and finishing the implementation step;
when the interface identifier in the step A2 does not exist in the L0 and does not exist in the L1 at the same time, judging whether the client process ID in the inter-process calling relationship information exists in the set E0, if so, inserting the inter-process calling relationship information into the query module and ending the implementation step, otherwise, directly ending the implementation step;
when the interface identification exists in the step A2 in the L0, judging whether the client process ID in the inter-process calling relationship information exists in the set E0, if the client process ID exists in the set E0, recording and alarming the request as malicious remote process calling, and finishing the implementation step;
if the client process ID does not exist in the set E0, the client process ID and the thread ID in the invocation relation information of the step A3 are set as the retrieval condition T (P, T).
If the set E0 does not have the client process ID, searching the corresponding calling relationship information relationship I by taking T (P, T) as a retrieval condition, judging whether the I exists in the set E0, and implementing corresponding operation according to a judgment result comprises the following steps:
b1, searching the same calling relationship information relationship I of the server process ID and the server thread ID in the query module according to the retrieval condition T (P, T), if the relationship I is empty, indicating that the process calling request is normally called, and ending the implementation step;
b2, judging whether the client process ID in the I exists in the suspicious process information set E0, if the process ID does not exist in the set E0, repeating the step B1 by taking the client process ID and the thread ID of the relation I as a retrieval condition T (P, T);
b3, if the client process ID of the process relation I exists in the set E0 in the step B2, recording and alarming the request as a malicious remote procedure call, and finishing the implementation step.
A detection device based on a detection method of malicious remote process traceability calling behaviors comprises a hijacking module, an analysis module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording alarm module and an inquiry module;
the hijack module is used for intercepting all RPC call requests by utilizing an API (application program interface) interception method; the analysis module is used for analyzing the remote procedure call data packet; the construction module is used for constructing an information structure body; the first judging module is used for judging whether the interface identifier exists in L0; the second judging module is used for judging whether the relation I exists in a suspicious target process information set E0 on the basis of the judgment of the first judging module being yes; the third judging module is configured to judge whether the interface identifier exists in a forwarding interface identifier list L1; the fourth judging module is configured to judge whether the system I exists in the suspicious target process information set E0 on the basis of the judgment of the third judging module being yes; the recording alarm module is used for recording the malicious remote process call of the request corresponding to the alarm; the query module is used for searching the same calling relationship information relationship I of the server process ID and the server thread ID.
The invention has the following advantages: a malicious remote process tracing call behavior detection method comprises the steps of obtaining information such as a process ID and a thread ID of a client from intercepting remote process calls, and tracing the information such as the process ID and the thread ID of an initial remote process caller through the process ID and the thread ID of the client, so that a system credible RPC request can be released quickly, system resources can be saved, and the processing flow of the system can be accelerated; meanwhile, the accuracy of RPC detection is ensured.
Drawings
FIG. 1 is a flow chart of the API intercepting RPC according to the present invention;
FIG. 2 is a flow chart of the detection and tracing of the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings, but the scope of the invention is not limited to the following.
As shown in fig. 1 and fig. 2, the present invention relates to a method for detecting a malicious remote procedure tracing call behavior, by intercepting a remote procedure call, a call interface GUID, ProcNum, a call parameter, a process ID of a client, and a thread ID can be obtained, a current process sends the obtained information to a server module, the server module determines the obtained information, and mainly determines whether the call is a malicious call or not by using the process ID and the thread ID of the client, and if the call is a malicious remote procedure call, records a complete remote procedure call; for the non-malicious call, a true request initiator is found by using a tracing method, a call chain of the current remote process call is further obtained by a query module, and the process of the true remote process call can be found by carrying out recursive query on the call chain; the method specifically comprises the following steps:
and S1, taking the analysis sample process and the sub-processes thereof as suspicious processes, initializing a suspicious target process information set E0, hijacking an RPC server side to call a response distribution entry function (Invoke) based on an API (application program interface) interception technology, distributing all RPC call requests through the entry point, and intercepting all the RPC call requests.
S2, for single PRC call request, the client sends the Interface (Interface) identification and API number to be called to the server, and informs the server of the specific function and call request parameter information of the Interface. In this step, the process ID, the thread ID, the interface identification (GUID), the request function ID and the request function call parameter list information of the RPC call client are analyzed according to the RPC call request information.
And S3, establishing the inter-process calling relation information of each remote procedure call according to the calling information acquired in the step 2. The interface identification, the request function information, the process ID of the client, the thread ID, the process ID of the current request server and the service end thread ID in the record information are used as an inter-process call relation query information structure.
S4, judging whether the interface identifier of the client remote procedure call in the step 2 exists in a preset suspicious interface identifier list L0. If the interface identifier does not exist in L0, further determining whether the requested interface identifier exists in a preconfigured forwarding interface identifier list L1, if the interface identifier exists in L1, inserting the inter-process call relationship information in step 4 into the query module, indicating that the remote procedure call request is a proxy forwarding procedure call, and ending the implementation step. If the interface identification does not exist in L1, step 5 is entered.
S5, in step 4, if the set E0 has the client process ID in the inter-process calling relationship information, inserting the inter-process calling relationship information into the query module and ending the implementing step, otherwise, ending the implementing step.
S6, in step 2, if the suspicious interface identification list L0 has the current calling interface identification, further judging whether the client process ID in the inter-process calling relation information exists in the set E0, if the set E0 has the process ID, recording and alarming the request as malicious remote procedure call, and ending the implementation step.
S7, in step 6, if the set E0 has no client process ID, then the thread ID is used as the searching condition T (P, T) according to the client process ID in the calling relationship information of step 3.
And S8, searching the same calling relationship information relationship I between the service end process ID and the service end thread ID in the query module according to T (P, T), if I is empty, indicating that the process calling request is normal calling, and ending the implementation step.
S9, according to the relation I in the step 8, judging whether the client process ID in the relation I exists in the suspicious process list E0, if the process ID does not exist in the set E0, taking the client process ID and the thread ID of the relation I as the retrieval conditions T (P, T), and repeating the step 8.
S10, if the client process ID of the process relation I exists in the set E0 in the step 9, the request is recorded and alarmed as a malicious remote procedure call, and the implementation step is ended.
According to the method and the device, the source of the request can be further judged and the judgment of the request of unknown remote procedure call can be processed by acquiring the process ID and the thread ID of the client initiating the request; meanwhile, the judgment of the remote procedure call request with the multi-level proxy can be handled; on the premise of ensuring that any remote process behavior is not leaked, the detection of malicious remote calling behavior is also ensured.
The invention relates to a detection device of a detection method based on malicious remote process traceability calling behavior, which comprises a hijack module, an analysis module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording alarm module and a query module, wherein the hijack module is used for detecting malicious remote process traceability calling behavior;
the hijack module is used for intercepting all RPC call requests by utilizing an API (application program interface) interception method; the analysis module is used for analyzing the remote procedure call data packet; the construction module is used for constructing an information structure body; the first judging module is used for judging whether the interface identifier exists in L0; the second judging module is used for judging whether the relation I exists in a suspicious target process information set E0 on the basis of the judgment of the first judging module being yes; the third judging module is configured to judge whether the interface identifier exists in a forwarding interface identifier list L1; the fourth judging module is configured to judge whether the system I exists in the suspicious target process information set E0 on the basis of the judgment of the third judging module being yes; the recording alarm module is used for recording the malicious remote process call of the request corresponding to the alarm; the query module is used for searching the same calling relationship information relationship I of the server process ID and the server thread ID.
The foregoing is illustrative of the preferred embodiments of this invention, and it is to be understood that the invention is not limited to the precise form disclosed herein and that various other combinations, modifications, and environments may be resorted to, falling within the scope of the concept as disclosed herein, either as described above or as apparent to those skilled in the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (7)
1. A detection method for malicious remote process tracing calling behavior is characterized in that: the detection method comprises the following steps:
initializing a suspicious target process information set E0, intercepting all RPC call requests according to an API, acquiring an interface identifier to be called, an API number, a specific function needing to call the interface and call request parameter information, and establishing inter-process call relation information of each remote process call;
judging whether the interface identifier called by the remote process exists in a preset suspicious interface identifier list L0, continuously judging whether the requested interface identifier exists in a preset forwarding interface identifier list L1 according to the judgment result, and implementing corresponding operation according to the two judgment results;
and if the set E0 does not have the client process ID, searching the corresponding calling relationship information relationship I by taking T (P, T) as a retrieval condition, judging whether the I exists in the set E0, and implementing corresponding operation according to a judgment result.
2. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 1, wherein: the method comprises the steps of initializing a suspicious target process information set E0, intercepting all RPC call requests according to an API, acquiring an interface identifier to be called, an API number, a specific function needing to call the interface and call request parameter information, and establishing interprocess call relation information of each remote process call, wherein the steps comprise:
a1, initializing a suspicious target and carrying out an information set E0, intercepting an RPC server call response distribution entry function according to an API, distributing the RPC call request through the entry function, and intercepting the RPC call request;
a2, for a single RPC call request, the client sends an interface identifier and an API number to be called to the server, and informs the server of calling a specific function of the interface and calling request parameter information;
and A3, establishing the inter-process calling relation information of each remote procedure call according to the calling information acquired in the step A2.
3. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 2, wherein: and in the step A2, analyzing the process ID, the thread ID, the interface identification, the request function ID and the request function calling parameter list information of the RPC calling client according to the RPC calling request information.
4. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 3, wherein: the step a3 records the interface identifier, request function information, process ID and thread ID of the client, process ID of the current request server, and server thread ID as an inter-process call relationship query information structure.
5. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 2, wherein: the determining whether the interface identifier of the remote procedure call exists in the preconfigured suspicious interface identifier list L0, continuously determining whether the requested interface identifier exists in the preconfigured forwarding interface identifier list L1 according to the determination result, and performing corresponding operations according to the two determination results includes:
judging whether the interface identifier called by the client remote procedure in the step A2 exists in a preset suspicious interface identifier list L0, if not, judging whether the requested interface identifier exists in a preset forwarding interface identifier list L1, if so, inserting the inter-process calling relation information into an inquiry module to indicate that the remote procedure calling request is proxy forwarding procedure calling, and finishing the implementation step;
when the interface identifier in the step A2 does not exist in the L0 and does not exist in the L1 at the same time, judging whether the client process ID in the inter-process calling relationship information exists in the set E0, if so, inserting the inter-process calling relationship information into the query module and ending the implementation step, otherwise, directly ending the implementation step;
when the interface identification exists in the step A2 in the L0, judging whether the client process ID in the inter-process calling relationship information exists in the set E0, if the client process ID exists in the set E0, recording and alarming the request as malicious remote process calling, and finishing the implementation step;
if the client process ID does not exist in the set E0, the client process ID and the thread ID in the invocation relation information of the step A3 are set as the retrieval condition T (P, T).
6. The method for detecting the malicious remote procedure tracing invocation behavior according to claim 5, wherein: if the set E0 does not have the client process ID, searching the corresponding calling relationship information relationship I by taking T (P, T) as a retrieval condition, judging whether the I exists in the set E0, and implementing corresponding operation according to a judgment result comprises the following steps:
b1, searching the same calling relationship information relationship I of the server process ID and the server thread ID in the query module according to the retrieval condition T (P, T), if the relationship I is empty, indicating that the process calling request is normally called, and ending the implementation step;
b2, judging whether the client process ID in the relation I exists in the suspicious process information set E0, if the process ID does not exist in the set E0, repeating the step B1 by taking the client process ID and the thread ID of the relation I as a retrieval condition T (P, T);
b3, if the client process ID of the process relation I exists in the set E0 in the step B2, recording and alarming the request as a malicious remote procedure call, and finishing the implementation step.
7. A detection device based on a detection method of malicious remote process tracing calling behavior is characterized in that: the system comprises a hijack module, an analysis module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording alarm module and a query module;
the hijack module is used for intercepting all RPC call requests by utilizing an API (application program interface) interception method; the analysis module is used for analyzing the remote procedure call data packet; the construction module is used for constructing an information structure body; the first judging module is used for judging whether the interface identifier exists in L0; the second judging module is used for judging whether the relation I exists in a suspicious target process information set E0 on the basis of the judgment of the first judging module being yes; the third judging module is configured to judge whether the interface identifier exists in a forwarding interface identifier list L1; the fourth judging module is configured to judge whether the system I exists in the suspicious target process information set E0 on the basis of the judgment of the third judging module being yes; the recording alarm module is used for recording the malicious remote process call of the request corresponding to the alarm; the query module is used for searching the same calling relationship information relationship I of the server process ID and the server thread ID.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110008594.0A CN112738123B (en) | 2021-01-05 | 2021-01-05 | Method and device for detecting malicious remote process tracing calling behavior |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110008594.0A CN112738123B (en) | 2021-01-05 | 2021-01-05 | Method and device for detecting malicious remote process tracing calling behavior |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112738123A true CN112738123A (en) | 2021-04-30 |
| CN112738123B CN112738123B (en) | 2022-09-20 |
Family
ID=75591235
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110008594.0A Active CN112738123B (en) | 2021-01-05 | 2021-01-05 | Method and device for detecting malicious remote process tracing calling behavior |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112738123B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117494117A (en) * | 2023-11-17 | 2024-02-02 | 北京天融信网络安全技术有限公司 | Tracking system and tracking method for remote procedure call |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102438023A (en) * | 2011-12-29 | 2012-05-02 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting malicious remote procedure call (RPC) behaviors |
| CN102932329A (en) * | 2012-09-26 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for intercepting behaviors of program, and client equipment |
| CN103023906A (en) * | 2012-12-20 | 2013-04-03 | 北京奇虎科技有限公司 | Method and system aiming at remote procedure calling conventions to perform status tracking |
| US20140040924A1 (en) * | 2011-07-13 | 2014-02-06 | Adobe Systems Incorporated | Invocation of additional processing using remote procedure calls |
| CN109995789A (en) * | 2019-04-10 | 2019-07-09 | 腾讯科技(深圳)有限公司 | The risk checking method and device of RPC interface in block catenary system |
-
2021
- 2021-01-05 CN CN202110008594.0A patent/CN112738123B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140040924A1 (en) * | 2011-07-13 | 2014-02-06 | Adobe Systems Incorporated | Invocation of additional processing using remote procedure calls |
| CN102438023A (en) * | 2011-12-29 | 2012-05-02 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting malicious remote procedure call (RPC) behaviors |
| CN102932329A (en) * | 2012-09-26 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for intercepting behaviors of program, and client equipment |
| CN103023906A (en) * | 2012-12-20 | 2013-04-03 | 北京奇虎科技有限公司 | Method and system aiming at remote procedure calling conventions to perform status tracking |
| CN109995789A (en) * | 2019-04-10 | 2019-07-09 | 腾讯科技(深圳)有限公司 | The risk checking method and device of RPC interface in block catenary system |
Non-Patent Citations (4)
| Title |
|---|
| J.DENY: "Defensive against collaborative attacks by malicious nodes in MANETs: A cooperative bait detection approa", 《2017 INTERNATIONAL CONFERENCE ON ALGORITHMS, METHODOLOGY, MODELS AND APPLICATIONS IN EMERGING TECHNOLOGIES (ICAMMAET)》 * |
| 周虎生等: "基于Windows平台的RPC缓冲区溢出漏洞研究", 《信息网络安全》 * |
| 李蓓: "RPC安全漏洞及预防", 《青海师范大学学报(自然科学版)》 * |
| 赵丽敏等: "基于RPC的安全问题研究", 《丽水学院学报》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117494117A (en) * | 2023-11-17 | 2024-02-02 | 北京天融信网络安全技术有限公司 | Tracking system and tracking method for remote procedure call |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112738123B (en) | 2022-09-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10235524B2 (en) | Methods and apparatus for identifying and removing malicious applications | |
| CN108667855B (en) | Network flow abnormity monitoring method and device, electronic equipment and storage medium | |
| CN107689940B (en) | WebShell detection method and device | |
| CN108959071B (en) | RASP-based PHP deformation webshell detection method and system | |
| US20170076094A1 (en) | System and method for analyzing patch file | |
| CN111460445B (en) | Sample program malicious degree automatic identification method and device | |
| CN111064745A (en) | Self-adaptive back-climbing method and system based on abnormal behavior detection | |
| CN111416811A (en) | Unauthorized vulnerability detection method, system, equipment and storage medium | |
| CN112738123B (en) | Method and device for detecting malicious remote process tracing calling behavior | |
| CN108898012B (en) | Method and apparatus for detecting illegal program | |
| CN111177665A (en) | Safety tracing method for newly generated executable file | |
| CN110781073A (en) | Security testing method and system | |
| CN108959860B (en) | Method for detecting whether Android system is cracked or not and obtaining cracking record | |
| CN113595975B (en) | Detection method and device for Webshell of Java memory | |
| CN114826639B (en) | Application attack detection method and device based on function call chain tracking | |
| CN110417578B (en) | Abnormal FTP connection alarm processing method | |
| CN112632547A (en) | Data processing method and related device | |
| CN111104670A (en) | APT attack identification and protection method | |
| CN108509796B (en) | Method for detecting risk and server | |
| CN113704749B (en) | Malicious mining detection processing method and device | |
| CN115442109A (en) | Method, device, equipment and storage medium for determining network attack result | |
| CN109271781B (en) | Method and system for detecting super authority obtaining behavior of application program based on kernel | |
| KR20150026187A (en) | System and Method for dropper distinction | |
| CN112699369A (en) | Method and device for detecting abnormal login through stack backtracking | |
| KR102001814B1 (en) | A method and apparatus for detecting malicious scripts based on mobile device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |