CN112738123B - Method and device for detecting malicious remote process tracing calling behavior - Google Patents


Info

Publication number: CN112738123B
Authority: CN (China)
Prior art keywords: calling, call, exists, information, interface identifier
Legal status: Active
Application number: CN202110008594.0A
Other languages: Chinese (zh)
Other versions: CN112738123A (en)
Inventors: 王宗才, 胡周, 毛春森, 张洁, 赵键, 俞祥基, 邓金祥, 胡勇, 王炜
Current assignee: Chengdu Ansi Technology Co ltd
Original assignee: Chengdu Ansi Technology Co ltd
Events: application filed by Chengdu Ansi Technology Co ltd; priority to CN202110008594.0A; publication of CN112738123A; application granted; publication of CN112738123B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services


Abstract

The invention relates to a method and device for detecting malicious remote procedure call (RPC) behavior and tracing it back to the process that originated it. A suspicious target process information set E0 is initialized and all RPC call requests are intercepted; for each request the interface identifier to be called, the API number, the specific function of the interface being invoked and the call request parameters are obtained, and inter-process call relation information is established for each remote procedure call. It is then judged whether the interface identifier called by the remote procedure exists in a preset list L0, whether the requested interface identifier exists in a preset list L1 is judged according to that result, and the corresponding operation is carried out according to the two judgments. If the client process ID is not in the set E0, the corresponding call relation information I is searched for using T (P, T) as the retrieval condition, it is judged whether the client process ID recorded in I exists in the set E0, and the corresponding operation is carried out according to the result. The invention saves system resources and speeds up the processing flow of the system while ensuring the accuracy of RPC detection.

Description

Method and device for detecting malicious remote process tracing calling behavior
Technical Field
The invention relates to the technical field of network monitoring, in particular to a method and device for detecting malicious remote procedure call behavior and tracing it to its source.
Background
With the rapid development of the Internet, malicious programs spread more easily and the attack techniques they use are continuously upgraded. Their behavior is no longer confined to the malicious program's own process: instead, the program uses remote procedure calls (RPC) into RPC components that already exist in the system to carry out its actions, thereby bypassing security monitoring systems such as sandboxes and host-based active defense. Moreover, on the Windows operating system there are not only directly connected RPC servers but also multi-level RPC proxies: a request hops several times before it finally reaches the process hosting the service. When multi-level proxies are present, the RPC must be traced so that the RPC behavior can be associated with the real request initiator; this effectively avoids false positives and missed detections.
In addition, the latest versions of the Windows operating system run a large number of system processes, which are created and terminated all the time, and this large volume of system behavior generates many false alarms if it cannot be strictly distinguished from malicious behavior. In a sandbox system in particular, system behavior severely interferes with the detection of malicious behavior. The traditional process chain associated with a malicious program is not sufficient to deal with behavior carried out through RPC, and a process-relationship chain spanning the whole system captures a great deal of unrelated system behavior.
In summary, accurately detecting and tracing malicious remote procedure call behavior requires, besides the GUID of the called interface and the index number of the called function, the process ID and thread ID of the client that initiated the request. For a remote procedure call that passes through multi-level proxies, the requester must be traced back to find which process originally initiated the request before it can be judged whether the call is malicious.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a method and device for detecting malicious remote procedure call behavior and tracing it to its source. It solves the problem that traditional RPC interception can only obtain the ProcNum and the presentationContext, so it cannot fully track which process initiated the request; and because detection is carried out only against known RPC rules based on the ProcNum and presentationContext, detection accuracy is relatively low and unknown malicious remote procedure calls cannot be detected.
The purpose of the invention is achieved by the following technical scheme: a detection method for malicious remote procedure call tracing behavior, the detection method comprising:
initializing a suspicious target process information set E0, intercepting all RPC call requests by API interception, acquiring the interface identifier to be called, the API number, the specific function of the interface to be called and the call request parameter information, and establishing inter-process call relation information for each remote procedure call;
judging whether the interface identifier called by the remote procedure exists in a preset suspicious interface identifier list L0, further judging according to that result whether the requested interface identifier exists in a preset forwarding interface identifier list L1, and carrying out the corresponding operation according to the two judgment results;
and, if the client process ID is not in the set E0, searching for the corresponding call relation information I using T (P, T) as the retrieval condition, judging whether the client process ID of I exists in the set E0, and carrying out the corresponding operation according to the judgment result.
Initializing the suspicious target process information set E0, intercepting all RPC call requests by API interception, acquiring the interface identifier to be called, the API number, the specific function of the interface to be called and the call request parameter information, and establishing inter-process call relation information for each remote procedure call comprises the following steps:
A1, initializing the suspicious target process information set E0, intercepting by API interception the RPC server's call-response dispatch entry function, through which the RPC call requests are dispatched, and thereby intercepting the RPC call requests;
A2, for a single RPC call request, the client sends the interface identifier and API number to be called to the server, telling the server which specific function of the interface to call and the call request parameter information;
and A3, establishing the inter-process call relation information of each remote procedure call from the call information acquired in step A2.
In step A2, the process ID, thread ID, interface identifier, requested function ID and requested function call parameter list of the RPC client are parsed from the RPC call request information.
Step A3 records the interface identifier, the requested function information, the client process ID and thread ID, and the process ID and thread ID of the server currently handling the request as an inter-process call relation query information structure.
Judging whether the interface identifier of the remote procedure call exists in the preconfigured suspicious interface identifier list L0, further judging according to that result whether the requested interface identifier exists in the preconfigured forwarding interface identifier list L1, and carrying out the corresponding operation according to the two judgment results comprises:
judging whether the interface identifier called by the client remote procedure in step A2 exists in the preconfigured suspicious interface identifier list L0; if not, judging whether the requested interface identifier exists in the preconfigured forwarding interface identifier list L1; if it does, inserting the inter-process call relation information into the query module, indicating that the remote procedure call request is a proxy-forwarded procedure call, and ending the implementation step;
when the interface identifier in step A2 exists in neither L0 nor L1, judging whether the client process ID in the inter-process call relation information exists in the set E0; if so, inserting the inter-process call relation information into the query module and ending the implementation step, otherwise ending the implementation step directly;
when the interface identifier in step A2 exists in L0, judging whether the client process ID in the inter-process call relation information exists in the set E0; if it does, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step;
if the client process ID does not exist in the set E0, taking the client process ID and thread ID from the call relation information of step A3 as the retrieval condition T (P, T).
If the client process ID is not in the set E0, searching for the corresponding call relation information I using T (P, T) as the retrieval condition, judging whether the client process ID of I exists in the set E0, and carrying out the corresponding operation according to the judgment result comprises the following steps:
B1, searching the query module, according to the retrieval condition T (P, T), for the call relation information I whose server process ID and server thread ID are equal to P and T; if I is empty, the procedure call request is a normal call, and the implementation step ends;
B2, judging whether the client process ID in I exists in the suspicious process information set E0; if it does not, repeating step B1 with the client process ID and thread ID of I as the new retrieval condition T (P, T);
B3, if in step B2 the client process ID of relation I exists in the set E0, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step.
A detection device based on the detection method for malicious remote procedure call tracing behavior comprises a hijack module, a parsing module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording and alarm module and a query module;
the hijack module intercepts all RPC call requests using an API (application programming interface) interception method; the parsing module parses the remote procedure call data packet; the construction module builds the information structure; the first judgment module judges whether the interface identifier exists in L0; the second judgment module, when the first judgment module's result is yes, judges whether the relation I exists in the suspicious target process information set E0; the third judgment module judges whether the interface identifier exists in the forwarding interface identifier list L1; the fourth judgment module, when the third judgment module's result is yes, judges whether the relation I exists in the suspicious target process information set E0; the recording and alarm module records the request as a malicious remote procedure call and raises the corresponding alarm; the query module searches for the call relation information I whose server process ID and server thread ID match the retrieval condition.
The invention has the following advantages: the detection method for malicious remote procedure call tracing behavior obtains information such as the client process ID and thread ID from the intercepted remote procedure call, and traces the process ID and thread ID of the original remote procedure caller through the client process ID and thread ID, so that trusted system RPC requests can be released quickly, system resources are saved and the processing flow of the system is accelerated; meanwhile, the accuracy of RPC detection is ensured.
Drawings
FIG. 1 is a flow chart of the API intercepting RPC according to the present invention;
FIG. 2 is a flow chart of the detection and tracing of the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings, but the scope of the invention is not limited to the following.
As shown in fig. 1 and fig. 2, the present invention relates to a method for detecting malicious remote procedure call behavior and tracing it to its source. By intercepting a remote procedure call, the called interface GUID, the ProcNum, the call parameters, and the client process ID and thread ID can be obtained. The current process sends the obtained information to a server module, which judges it, mainly using the client process ID and thread ID to decide whether the call is malicious, and records the complete remote procedure call if it is. For a call that is not directly malicious, the true request initiator is found by the tracing method: the call chain of the current remote procedure call is obtained from the query module, and the process that really made the remote procedure call is found by querying the call chain recursively. The method specifically comprises the following steps:
S1, taking the analysis sample process and its child processes as suspicious processes, initializing a suspicious target process information set E0, hooking the RPC server's call-response dispatch entry function (Invoke) by means of an API (application programming interface) interception technique, and, since all RPC call requests are dispatched through this entry point, intercepting all RPC call requests.
S2, for a single RPC call request, the client sends the Interface identifier and API number to be called to the server, telling the server which specific function of the Interface to call and the call request parameter information. In this step, the process ID, thread ID, interface identifier (GUID), requested function ID and requested function call parameter list of the RPC client are parsed from the RPC call request information.
S3, establishing the inter-process call relation information of each remote procedure call from the call information acquired in step S2. The interface identifier, the requested function information, the client process ID and thread ID, and the process ID and thread ID of the server currently handling the request are recorded as an inter-process call relation query information structure.
S4, judging whether the interface identifier of the client remote procedure call in step S2 exists in the preset suspicious interface identifier list L0. If the interface identifier does not exist in L0, further judging whether the requested interface identifier exists in the preconfigured forwarding interface identifier list L1; if it exists in L1, inserting the inter-process call relation information of step S3 into the query module, indicating that the remote procedure call request is a proxy-forwarded procedure call, and ending the implementation step. If the interface identifier does not exist in L1, proceeding to step S5.
S5, in step S4, if the client process ID in the inter-process call relation information exists in the set E0, inserting the inter-process call relation information into the query module and ending the implementation step; otherwise, ending the implementation step.
S6, in step S2, if the current called interface identifier exists in the suspicious interface identifier list L0, further judging whether the client process ID in the inter-process call relation information exists in the set E0; if the set E0 contains that process ID, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step.
S7, in step S6, if the client process ID does not exist in the set E0, taking the client process ID and thread ID from the call relation information of step S3 as the retrieval condition T (P, T).
S8, searching the query module, according to T (P, T), for the call relation information I whose server process ID and server thread ID are equal to P and T; if I is empty, the procedure call request is a normal call, and the implementation step ends.
S9, for the relation I found in step S8, judging whether the client process ID in I exists in the suspicious process set E0; if it does not, taking the client process ID and thread ID of I as the new retrieval condition T (P, T) and repeating step S8.
S10, if in step S9 the client process ID of relation I exists in the set E0, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step.
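The classification and back-tracing steps S1 to S10 above, as an added example that is not code from the patent or its assignee. It models the query module as a dictionary keyed by the server (process ID, thread ID) pair, and the interface GUIDs, process and thread IDs and call sequence in demo() are constructed for illustration.

```python
"""Added example, not the patent's own code: a minimal model of steps S1-S10.
GUIDs, PIDs/TIDs and the call sequence in demo() are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CallRelation:
    """Inter-process call relation record built in step S3 from one intercepted request."""
    interface: str      # interface identifier (GUID) the client asked for
    proc_num: int       # ProcNum: index of the requested function within that interface
    client_pid: int
    client_tid: int
    server_pid: int     # process in which the request was intercepted (the RPC server)
    server_tid: int     # server thread handling the request


class RpcTracer:
    def __init__(self, e0: Set[int], l0: Set[str], l1: Set[str]) -> None:
        self.e0 = set(e0)   # S1: suspicious target process IDs (sample and its children)
        self.l0 = set(l0)   # suspicious interface identifiers
        self.l1 = set(l1)   # forwarding (proxy) interface identifiers
        # Query module: records keyed by (server_pid, server_tid).  A proxy forwards a
        # request from the thread that received it, so a later call whose client is
        # (P, T) can be traced to the record that thread served.  Keeping only the
        # newest record per server thread is a simplification of the patent's module.
        self.query: Dict[Tuple[int, int], CallRelation] = {}
        self.alerts: List[CallRelation] = []

    def _remember(self, rel: CallRelation) -> None:
        self.query[(rel.server_pid, rel.server_tid)] = rel

    def trace_origin(self, pid: int, tid: int, max_hops: int = 64) -> Optional[int]:
        """Steps S8-S10: walk T(P,T) -> relation I -> I's client until a client in E0
        is found (return its PID) or the chain ends (None).  max_hops guards against
        cyclic or stale records so the walk always terminates."""
        for _ in range(max_hops):
            rel = self.query.get((pid, tid))
            if rel is None:                  # S8: I is empty -> normal call
                return None
            if rel.client_pid in self.e0:    # S10: the originator is a suspicious process
                return rel.client_pid
            pid, tid = rel.client_pid, rel.client_tid   # S9: repeat with I's client
        return None

    def handle(self, rel: CallRelation) -> str:
        """Steps S4-S10 for one intercepted call; returns the verdict as a string."""
        if rel.interface not in self.l0:
            if rel.interface in self.l1:          # S4: proxy-forwarded call, remember it
                self._remember(rel)
                return "forwarded"
            if rel.client_pid in self.e0:         # S5: suspicious client on a benign interface
                self._remember(rel)
                return "tracked"
            return "normal"
        if rel.client_pid in self.e0:             # S6: direct call from a suspicious process
            self.alerts.append(rel)
            return "malicious"
        # S7: client not in E0 -> its (PID, TID) becomes T(P,T) and the chain is traced
        if self.trace_origin(rel.client_pid, rel.client_tid) is not None:
            self.alerts.append(rel)
            return "malicious"
        return "normal"


# Constructed identifiers for the demo (not real Windows RPC interface GUIDs).
SUSPICIOUS_IFACE = "aaaaaaaa-0000-0000-0000-000000000001"
FORWARD_IFACE = "bbbbbbbb-0000-0000-0000-000000000002"


def demo() -> List[str]:
    """A sample process (PID 1000) reaches a suspicious interface through two proxies."""
    tracer = RpcTracer(e0={1000}, l0={SUSPICIOUS_IFACE}, l1={FORWARD_IFACE})
    calls = [
        # sample -> proxy A on a forwarding interface (recorded, served by thread 20)
        CallRelation(FORWARD_IFACE, 3, 1000, 1, 2000, 20),
        # proxy A (from thread 20) -> proxy B on a forwarding interface (recorded)
        CallRelation(FORWARD_IFACE, 3, 2000, 20, 3000, 30),
        # proxy B (from thread 30) -> suspicious interface; traced 3000 -> 2000 -> 1000
        CallRelation(SUSPICIOUS_IFACE, 7, 3000, 30, 4000, 40),
        # an unrelated process calls the same interface with no chain behind it
        CallRelation(SUSPICIOUS_IFACE, 7, 5000, 50, 4000, 41),
    ]
    return [tracer.handle(c) for c in calls]


if __name__ == "__main__":
    print(demo())   # ['forwarded', 'forwarded', 'malicious', 'normal']
```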
By acquiring the process ID and thread ID of the client that initiated the request, the method and device can further judge the source of the request and handle requests for unknown remote procedure calls; at the same time, remote procedure call requests passing through multi-level proxies can be judged; and the detection of malicious remote call behavior is ensured while ensuring that no remote procedure behavior is missed.
The invention also relates to a detection device based on the detection method for malicious remote procedure call tracing behavior, comprising a hijack module, a parsing module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording and alarm module and a query module;
the hijack module intercepts all RPC call requests using an API (application programming interface) interception method; the parsing module parses the remote procedure call data packet; the construction module builds the information structure; the first judgment module judges whether the interface identifier exists in L0; the second judgment module, when the first judgment module's result is yes, judges whether the relation I exists in the suspicious target process information set E0; the third judgment module judges whether the interface identifier exists in the forwarding interface identifier list L1; the fourth judgment module, when the third judgment module's result is yes, judges whether the relation I exists in the suspicious target process information set E0; the recording and alarm module records the request as a malicious remote procedure call and raises the corresponding alarm; the query module searches for the call relation information I whose server process ID and server thread ID match the retrieval condition.
The foregoing is illustrative of the preferred embodiments of this invention, and it is to be understood that the invention is not limited to the precise form disclosed herein and that various other combinations, modifications, and environments may be resorted to, falling within the scope of the concept as disclosed herein, either as described above or as apparent to those skilled in the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. A detection method for malicious remote procedure call tracing behavior, characterized in that the detection method comprises the following steps:
initializing a suspicious target process information set E0, intercepting all RPC call requests by API interception, acquiring the interface identifier to be called, the API number, the specific function of the interface to be called and the call request parameter information, and establishing inter-process call relation information for each remote procedure call; this specifically comprises the following steps:
A1, initializing the suspicious target process information set E0, intercepting by API interception the RPC server's call-response dispatch entry function, through which the RPC call requests are dispatched, and thereby intercepting the RPC call requests;
A2, for a single RPC call request, the client sends the interface identifier and API number to be called to the server, telling the server which specific function of the interface to call and the call request parameter information;
A3, establishing the inter-process call relation information of each remote procedure call from the call information obtained in step A2;
judging whether the interface identifier called by the remote procedure exists in a preset suspicious interface identifier list L0, further judging according to that result whether the requested interface identifier exists in a preset forwarding interface identifier list L1, and carrying out the corresponding operation according to the two judgment results; this specifically comprises the following steps:
judging whether the interface identifier called by the client remote procedure in step A2 exists in the preset suspicious interface identifier list L0; if not, judging whether the requested interface identifier exists in the preset forwarding interface identifier list L1; if it does, inserting the inter-process call relation information into the query module, indicating that the remote procedure call request is a proxy-forwarded procedure call, and ending the implementation step;
when the interface identifier in step A2 exists in neither L0 nor L1, judging whether the client process ID in the inter-process call relation information exists in the set E0; if so, inserting the inter-process call relation information into the query module and ending the implementation step, otherwise ending the implementation step directly;
when the interface identifier in step A2 exists in L0, judging whether the client process ID in the inter-process call relation information exists in the set E0; if it does, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step;
if the client process ID does not exist in the set E0, taking the client process ID and thread ID from the call relation information of step A3 as the retrieval condition T (P, T); this specifically comprises the following steps:
B1, searching the query module, according to the retrieval condition T (P, T), for the call relation information I whose server process ID and server thread ID are equal to P and T; if I is empty, the procedure call request is a normal call, and the implementation step ends;
B2, judging whether the client process ID in relation I exists in the suspicious process information set E0; if it does not, repeating step B1 with the client process ID and thread ID of relation I as the new retrieval condition T (P, T);
B3, if in step B2 the client process ID of relation I exists in the set E0, recording the request as a malicious remote procedure call, raising an alarm, and ending the implementation step;
and, if the client process ID is not in the set E0, searching for the corresponding call relation information I using T (P, T) as the retrieval condition, judging whether the client process ID of I exists in the set E0, and carrying out the corresponding operation according to the judgment result.
2. The method for detecting malicious remote procedure call tracing behavior according to claim 1, wherein in step A2 the process ID, thread ID, interface identifier, requested function ID and requested function call parameter list of the RPC client are parsed from the RPC call request information.
3. The method for detecting malicious remote procedure call tracing behavior according to claim 2, wherein step A3 records the interface identifier, the requested function information, the client process ID and thread ID, and the process ID and thread ID of the server currently handling the request as an inter-process call relation query information structure.
4. A detection device based on a detection method of malicious remote process tracing and calling behaviors is characterized in that: the system comprises a hijack module, an analysis module, a construction module, a first judgment module, a second judgment module, a third judgment module, a fourth judgment module, a recording alarm module and a query module;
the hijack module is used for intercepting all RPC call requests by utilizing an API (application program interface) interception method; the analysis module is used for analyzing the remote procedure call data packet; the construction module is used for constructing an information structure body; the first judging module is used for judging whether the interface identifier exists in L0; the second judging module is used for judging whether the relation I exists in a suspicious target process information set E0 on the basis of the judgment of the first judging module being yes; the third judging module is configured to judge whether the interface identifier exists in a forwarding interface identifier list L1; the fourth judging module is configured to judge whether the system I exists in the suspicious target process information set E0 on the basis of the judgment of the third judging module being yes; the recording alarm module is used for recording the malicious remote process call of the request corresponding to the alarm; the query module is used for searching the same calling relationship information relationship I of the service end process ID and the service end thread ID; the specific detection process is as follows:
initializing a suspicious target process information set E0, intercepting all RPC call requests according to an API, acquiring an interface identifier to be called, an API number, a specific function needing to call the interface and call request parameter information, and establishing inter-process call relation information of each remote process call; the method specifically comprises the following steps:
a1, initializing a suspicious target and carrying out an information set E0, intercepting an RPC server call response distribution entry function according to an API, distributing the RPC call request through the entry function, and intercepting the RPC call request;
a2, for a single RPC call request, the client sends an interface identifier and an API number to be called to the server, and informs the server of calling a specific function of the interface and calling request parameter information;
a3, establishing the inter-process calling relationship information of each remote process calling according to the calling information obtained in the step A2;
judging whether the interface identifier called by the remote procedure exists in a preset suspicious interface identifier list L0, then judging, according to that result, whether the requested interface identifier exists in a preset forwarding interface identifier list L1, and carrying out the corresponding operation according to the two judgment results; the method specifically comprises the following steps:
judging whether the interface identifier called by the client remote procedure in step A2 exists in the preset suspicious interface identifier list L0; if not, judging whether the requested interface identifier exists in the preset forwarding interface identifier list L1; if so, inserting the inter-process calling relationship information into the query module, which indicates that the remote procedure call request is a proxy-forwarded procedure call, and ending the implementation step;
when the interface identifier in step A2 exists in neither L0 nor L1, judging whether the client process ID in the inter-process calling relationship information exists in the set E0; if so, inserting the inter-process calling relationship information into the query module and ending the implementation step; otherwise, directly ending the implementation step;
when the interface identifier in step A2 exists in L0, judging whether the client process ID in the inter-process calling relationship information exists in the set E0; if the client process ID exists in the set E0, recording and alarming the request as a malicious remote procedure call, and ending the implementation step;
if the client process ID does not exist in the set E0, taking the client process ID and thread ID from the calling relationship information of step A3 as a retrieval condition T(P, T); the method specifically comprises the following steps:
B1, searching the query module according to the retrieval condition T(P, T) for the calling relationship information (relationship I) whose server process ID and server thread ID are the same as T(P, T); if relationship I is empty, the procedure call request is a normal call, and the implementation step ends;
B2, judging whether the client process ID in relationship I exists in the suspicious process information set E0; if that process ID does not exist in the set E0, repeating step B1 with the client process ID and thread ID of relationship I as the new retrieval condition T(P, T);
B3, if in step B2 the client process ID of relationship I exists in the set E0, recording and alarming the request as a malicious remote procedure call, and ending the implementation step;
and if the client process ID does not exist in the set E0, searching for the corresponding calling relationship information (relationship I) with T(P, T) as the retrieval condition, judging whether I exists in the set E0, and carrying out the corresponding operation according to the judgment result.
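The decision logic of steps A1 to A3 and B1 to B3 (list checks against L0 and L1, the query module keyed by server process and thread, and the backward walk through proxy hops until an E0 member or an empty relationship I is reached) is shown below as an added Python model written for this page. It is not the patent's code and the patent describes no such implementation. It assumes a dataclass for the calling relationship record, a dict keyed by (server process ID, server thread ID) standing in for the query module, plain string interface identifiers, constructed process and thread IDs, and a visited-set guard against cycles in the recorded relations, which the patent text does not mention.

```python
"""Added example (not the patent's code): in-memory model of the RPC call-chain
tracing procedure in steps A1-A3 and B1-B3. Field names, the dict-based
"query module", string interface identifiers and all PIDs are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Key = Tuple[int, int]  # (process ID, thread ID): the retrieval condition T(P, T)


@dataclass(frozen=True)
class CallRelation:
    """Inter-process calling relationship information built in step A3."""
    client_pid: int
    client_tid: int
    server_pid: int
    server_tid: int
    interface_id: str   # interface identifier requested by the client
    api_number: int     # API number (opnum) of the requested function


class RpcChainDetector:
    def __init__(self, suspicious_ifaces: Set[str], forwarding_ifaces: Set[str],
                 suspicious_pids: Set[int]) -> None:
        self.L0 = set(suspicious_ifaces)   # suspicious interface identifier list
        self.L1 = set(forwarding_ifaces)   # forwarding (proxy) interface list
        self.E0 = set(suspicious_pids)     # suspicious target process info set
        # "query module": latest relation observed per (server_pid, server_tid)
        self.query: Dict[Key, CallRelation] = {}

    def record(self, rel: CallRelation) -> None:
        self.query[(rel.server_pid, rel.server_tid)] = rel

    def trace_origin(self, start: Key, max_hops: int = 32) -> Optional[int]:
        """Steps B1-B3: walk backwards through proxy hops. Returns the first
        upstream client PID found in E0, or None when relationship I is empty
        (normal call). The visited set and hop limit guard against cycles."""
        visited: Set[Key] = set()
        key = start
        for _ in range(max_hops):
            if key in visited:
                return None
            visited.add(key)
            rel = self.query.get(key)          # B1: look up relationship I
            if rel is None:
                return None
            if rel.client_pid in self.E0:      # B3: upstream client is suspicious
                return rel.client_pid
            key = (rel.client_pid, rel.client_tid)  # B2: repeat with I's client
        return None

    def handle_request(self, rel: CallRelation) -> str:
        """Apply the L0 / L1 / E0 decisions to one intercepted RPC request."""
        if rel.interface_id not in self.L0:
            if rel.interface_id in self.L1:    # proxy-forwarded call: remember it
                self.record(rel)
                return "forwarded"
            if rel.client_pid in self.E0:      # neither list, but suspicious caller
                self.record(rel)
                return "recorded"
            return "ignored"
        if rel.client_pid in self.E0:          # suspicious interface, direct caller
            return f"alarm: direct malicious RPC from pid {rel.client_pid}"
        origin = self.trace_origin((rel.client_pid, rel.client_tid))
        if origin is not None:
            return f"alarm: malicious RPC traced to pid {origin}"
        return "normal"


def run_demo() -> Dict[str, str]:
    """Constructed scenarios (sample data, not captured traffic)."""
    det = RpcChainDetector(suspicious_ifaces={"sensitive-iface"},
                           forwarding_ifaces={"proxy-iface"},
                           suspicious_pids={666})
    out: Dict[str, str] = {}
    # 1. suspicious process 666 calls the sensitive interface directly
    out["direct"] = det.handle_request(CallRelation(666, 1, 100, 10, "sensitive-iface", 3))
    # 2. two-hop proxy chain: 666 -> proxy A (200) -> proxy B (201) -> target (100)
    out["hop1"] = det.handle_request(CallRelation(666, 1, 200, 20, "proxy-iface", 1))
    out["hop2"] = det.handle_request(CallRelation(200, 20, 201, 25, "proxy-iface", 1))
    out["chain"] = det.handle_request(CallRelation(201, 25, 100, 11, "sensitive-iface", 3))
    # 3. benign process 300 through the same proxy path: chain ends in a normal caller
    det.handle_request(CallRelation(300, 30, 200, 21, "proxy-iface", 1))
    out["benign_chain"] = det.handle_request(CallRelation(200, 21, 100, 12, "sensitive-iface", 3))
    # 4. benign direct call, and an interface that is in neither L0 nor L1
    out["benign_direct"] = det.handle_request(CallRelation(300, 31, 100, 13, "sensitive-iface", 3))
    out["unrelated"] = det.handle_request(CallRelation(300, 31, 400, 40, "other-iface", 7))
    out["unrelated_suspicious"] = det.handle_request(CallRelation(666, 2, 400, 41, "other-iface", 7))
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20s} -> {result}")
```

The two-hop scenario is the case the patent is built around: the final request arrives from proxy B, whose process ID is not in E0, so a per-request check alone would pass it; the backward walk over the query module relates proxy B's serving thread to proxy A's call and proxy A's serving thread to the suspicious client. Keying the query module on the server thread rather than only the server process matters because a proxy service handles many unrelated callers on different threads.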
CN202110008594.0A 2021-01-05 2021-01-05 Method and device for detecting malicious remote process tracing calling behavior Active CN112738123B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110008594.0A CN112738123B (en) 2021-01-05 2021-01-05 Method and device for detecting malicious remote process tracing calling behavior

Publications (2)

Publication Number Publication Date
CN112738123A CN112738123A (en) 2021-04-30
CN112738123B true CN112738123B (en) 2022-09-20

Family

ID=75591235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110008594.0A Active CN112738123B (en) 2021-01-05 2021-01-05 Method and device for detecting malicious remote process tracing calling behavior

Country Status (1)

Country Link
CN (1) CN112738123B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117494117A (en) * 2023-11-17 2024-02-02 北京天融信网络安全技术有限公司 Tracking system and tracking method for remote procedure call

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023906A (en) * 2012-12-20 2013-04-03 北京奇虎科技有限公司 Method and system aiming at remote procedure calling conventions to perform status tracking

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9009740B2 (en) * 2011-07-13 2015-04-14 Adobe Systems Incorporated Invocation of additional processing using remote procedure calls
CN102438023B (en) * 2011-12-29 2014-08-20 华为数字技术(成都)有限公司 Method and device for detecting malicious remote procedure call (RPC) behaviors
CN102932329B (en) * 2012-09-26 2016-03-30 北京奇虎科技有限公司 A kind of method, device and client device that the behavior of program is tackled
CN109995789B (en) * 2019-04-10 2021-08-06 腾讯科技(深圳)有限公司 RPC interface risk detection method, device, equipment and medium

Also Published As

Publication number Publication date
CN112738123A (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant