CN113792294B - Malicious class detection method, system, device, equipment and medium - Google Patents

Malicious class detection method, system, device, equipment and medium

Info

Publication number: CN113792294B
Authority: CN (China)
Prior art keywords: class, malicious, program running, suspicious, attribute information
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202111344288.0A
Other languages: Chinese (zh)
Other versions: CN113792294A (en)
Inventors: 张福, 吴俊�
Current assignee: Beijing Shengxin Network Technology Co ltd
Original assignee: Beijing Shengxin Network Technology Co ltd
Events: application filed by Beijing Shengxin Network Technology Co ltd; priority to CN202111344288.0A; publication of CN113792294A; application granted; publication of CN113792294B; current legal status active; anticipated expiration.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The application discloses a malicious class detection method, a system, a device, equipment and a medium, which are applied to the technical field of network security and are used for solving the problems of poor universality and expandability and non-ideal detection effect of the malicious class detection method in the prior art. The method specifically comprises the following steps: when monitoring that the program running equipment loads a new class, a malicious class detection client on the program running equipment acquires first attribute information of each new class in the program running equipment and sends the first attribute information to a malicious class detection server; the malicious class detection server detects whether each new class is a suspicious class or not based on the first attribute information of each new class, and sends the detected second attribute information of each suspicious class to the malicious class detection client; the malicious class detection client dumps the byte codes of the suspicious classes and sends the byte codes to the malicious class detection server based on the second attribute information of the suspicious classes; and the malicious class detection server detects whether each suspicious class is a malicious class or not based on the byte codes of each suspicious class.

Description

Malicious class detection method, system, device, equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a malicious class detection method, system, apparatus, device, and medium.
Background
With the increasing emphasis on network security by countries and large enterprises, attackers face the defense strategies of major security vendors; traditional attack techniques that drop files to disk have less and less room to operate, and fileless attack techniques are gradually becoming the new trend.
At present, detection methods for fileless attacks generally lack real-time detection capability, are not lightweight enough, have poor universality and expandability, and give unsatisfactory detection results. How to realize a highly available, lightweight fileless attack detection method with good universality and expandability is a problem that the field of network security currently needs to solve.
Disclosure of Invention
The embodiment of the application provides a malicious class detection method, a malicious class detection system, a malicious class detection device, malicious class detection equipment and a malicious class detection medium, and aims to solve the problems that a fileless attack detection method in the prior art is not lightweight enough, has poor universality and expandability, and is not ideal in detection timeliness and detection effect.
The technical scheme provided by the embodiment of the application is as follows:
on one hand, the embodiment of the application provides a malicious class detection method, which is applied to a malicious class detection server and comprises the following steps:
receiving first attribute information of each new class in the program running equipment, which is sent when a malicious class detection client on the program running equipment monitors that the program running equipment loads the new class;
calling suspicious class filtering rules stored in a first designated area based on first attribute information of each new class in the program running equipment, and detecting whether each new class in the program running equipment is a suspicious class to obtain each suspicious class in the program running equipment;
sending the second attribute information of each suspicious class in the program running equipment to the malicious class detection client to trigger the malicious class detection client to dump the bytecode of each suspicious class in the program running equipment;
and calling a malicious class detection model stored in a second specified area based on the bytecode of each suspicious class in the program running equipment sent by the malicious class detection client, and detecting whether each suspicious class in the program running equipment is a malicious class to obtain each malicious class in the program running equipment.
On the other hand, an embodiment of the present application further provides another malicious class detection method, which is applied to a malicious class detection client on a program running device, and the malicious class detection method includes:
when it is monitored that the program running equipment loads a new class, acquiring first attribute information of each new class in the program running equipment and sending the first attribute information to a malicious class detection server so as to trigger the malicious class detection server to detect whether each new class in the program running equipment is a suspicious class or not based on the first attribute information of each new class in the program running equipment;
and when second attribute information of each suspicious class in the program running equipment, which is sent when the malicious class detection server detects each suspicious class in the program running equipment, is received, dumping the byte codes of each suspicious class in the program running equipment and sending the byte codes to the malicious class detection server so as to trigger the malicious class detection server to detect whether each suspicious class in the program running equipment is a malicious class or not based on the byte codes of each suspicious class in the program running equipment.
On the other hand, an embodiment of the present application further provides a malicious class detection system, including: the malicious class detection system comprises a malicious class detection client on the program running equipment and a malicious class detection server;
the malicious class detection client is used for acquiring first attribute information of each new class in the program running equipment and sending the first attribute information to the malicious class detection server when the fact that the program running equipment loads the new class is monitored; when second attribute information of each suspicious class in the program running equipment sent by the malicious class detection server is received, dumping byte codes of each suspicious class in the program running equipment and sending the byte codes to the malicious class detection server;
the malicious class detection server is used for calling suspicious class filtering rules stored in a first designated area based on the first attribute information of each new class in the program running equipment when receiving the first attribute information of each new class in the program running equipment sent by the malicious class detection client, detecting whether each new class in the program running equipment is a suspicious class, obtaining each suspicious class in the program running equipment, and sending the second attribute information of each suspicious class in the program running equipment to the malicious class detection client; and calling a malicious class detection model stored in a second specified area based on the bytecode of each suspicious class in the program running equipment sent by the malicious class detection client, and detecting whether each suspicious class in the program running equipment is a malicious class to obtain each malicious class in the program running equipment.
On the other hand, an embodiment of the present application further provides a malicious class detection apparatus, which is applied to a malicious class detection server, and the malicious class detection apparatus includes:
the information receiving unit is used for receiving first attribute information of each new class in the program running equipment, which is sent when a malicious class detection client on the program running equipment monitors that the program running equipment loads the new class;
the suspicious class detection unit is used for calling suspicious class filtering rules stored in the first designated area based on the first attribute information of each new class in the program running equipment, and detecting whether each new class in the program running equipment is a suspicious class to obtain each suspicious class in the program running equipment;
the dump triggering unit is used for sending the second attribute information of each suspicious class in the program running equipment to the malicious class detection client so as to trigger the malicious class detection client to dump the byte codes of each suspicious class in the program running equipment;
and the malicious class detection unit is used for calling a malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running equipment sent by the malicious class detection client, and detecting whether each suspicious class in the program running equipment is a malicious class to obtain each malicious class in the program running equipment.
On the other hand, an embodiment of the present application further provides another malicious class detection apparatus, which is applied to a malicious class detection client on a program running device, and the malicious class detection apparatus includes:
the information acquisition unit is used for acquiring first attribute information of each new class in the program running equipment and sending the first attribute information to the malicious class detection server when monitoring that the program running equipment loads the new classes, so as to trigger the malicious class detection server to detect whether each new class in the program running equipment is a suspicious class or not based on the first attribute information of each new class in the program running equipment;
and the dumping execution unit is used for dumping the byte codes of the suspicious classes in the program running equipment and sending the byte codes to the malicious class detection server when receiving the second attribute information of the suspicious classes in the program running equipment sent by the malicious class detection server when detecting the suspicious classes in the program running equipment so as to trigger the malicious class detection server to detect whether the suspicious classes in the program running equipment are malicious classes or not based on the byte codes of the suspicious classes in the program running equipment.
On the other hand, an embodiment of the present application further provides a malicious class detection device, including: the device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the computer program, the malicious class detection method applied to the malicious class detection server provided by the embodiment of the application is realized, or the malicious class detection method applied to the malicious class detection client provided by the embodiment of the application is realized.
On the other hand, an embodiment of the present application further provides a computer-readable storage medium, where computer instructions are stored, and when executed by a processor, the computer instructions implement the malicious class detection method applied to the malicious class detection server provided in the embodiment of the present application, or implement the malicious class detection method applied to the malicious class detection client provided in the embodiment of the present application.
The beneficial effects of the embodiment of the application are as follows:
in the embodiment of the application, on the one hand, injecting a malicious class detection client into the program running device allows the client to monitor the device's new class loading operations, so that the malicious class detection flow is triggered as soon as a new class is observed being loaded and malicious classes are detected in time. On the other hand, detecting malicious classes through the cooperation of the malicious class detection server and the malicious class detection client not only keeps the detection lightweight but also improves its universality. Storing the suspicious class filtering rules in the first designated area and the malicious class detection model in the second designated area allows the rules and the model to be dynamically added, deleted, modified and upgraded, which improves the flexibility and expandability of the detection. In addition, performing detection twice, first with the suspicious class filtering rules and then with the malicious class detection engine, improves the accuracy of malicious class detection.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a system architecture of a malicious class detection system according to an embodiment of the present application;
fig. 2 is an interaction flow diagram of a malicious class detection method in an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating a specific malicious class detection method in an embodiment of the present application;
fig. 4 is a functional structure diagram of a malicious class detection apparatus according to an embodiment of the present disclosure;
fig. 5 is a functional structure diagram of another malicious class detection apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram of a hardware structure of a malicious class detection device in the embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and advantages of the present application clearer, the technical solution in the embodiments of the present application will be described below fully and in detail with reference to the accompanying drawings. It is obvious that the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort shall fall within the protection scope of the present application.
To facilitate a better understanding of the present application by those skilled in the art, a brief description of the technical terms involved in the present application will be given below.
Program running equipment is equipment for running an executable program. In this embodiment of the present application, the program running equipment includes, but is not limited to, a virtual machine, a server, a terminal device and the like; for example, the program running equipment may be a Java virtual machine running a Java program.
The malicious class detection system is used for detecting the malicious class in the program running equipment, and in the embodiment of the application, the malicious class detection system at least comprises a malicious class detection client and a malicious class detection server on the program running equipment; wherein:
in practical application, the malicious class detection client is injected into the program running equipment in the form of an executable program compressed package, and specifically can be injected into each process executed by the program running equipment, for example, a jar package for monitoring the loading operation of the new class and acquiring the attribute information and the bytecode of the new class can be injected into each process executed by a Java virtual machine;
and the malicious class detection server is background running equipment for performing suspicious class detection and malicious class detection on each new class in the program running equipment.
It is worth mentioning that, in the embodiment of the present application, the malicious class detection system may further include a suspicious class detection engine and a malicious class detection engine; the suspicious class detection engine can be an internal component of the malicious class detection server, or can be an external device independent of the malicious class detection server, and is used for detecting whether each new class in the program running device is a suspicious class; the malicious class detection engine may be an internal component of the malicious class detection server, or may be an external device independent of the malicious class detection server, and is configured to detect whether each suspicious class in the program running device is a malicious class.
First attribute information, which is information describing each attribute of a class, in this embodiment of the present application, the first attribute information includes, but is not limited to, a class name, a secondary class name, a path name, an interface name, a class loader declaration, an annotation, and the like.
Second attribute information, which is information representing a unique identifier of a class; in this embodiment, the second attribute information includes, but is not limited to, the class name.
The suspicious class filtering rule is a rule for detecting a suspicious class, and in this embodiment of the application, the suspicious class filtering rule includes, but is not limited to, that there is no class path in the first attribute information, and that the first attribute information includes an interface name that implements functions such as a filter, a listener, or a container.
The malicious class detection model is a neural network model obtained by machine learning on the bytecode of sample classes together with ground-truth labels of whether each sample class is malicious; it is used to detect whether a class is malicious from the class's bytecode.
The first designated area is an area for storing the suspicious class filtering rule, and in this embodiment of the application, the first designated area may be a memory, a database, or the like.
A second designated area, which is an area for storing the malicious class detection model, in this embodiment of the present application, the second designated area may be a memory, a database, or the like. In practical applications, the first designated area and the second designated area may be the same storage area or different storage areas, and the application is not limited thereto.
An executable program compression package, which is a compression package obtained by compressing an executable program of a malicious class detection client, for example, the executable program compression package may be a Jar package.
A hook loading function, which is a hook function for monitoring a new class loading operation of the program running device, in this embodiment of the present application, the hook loading function may be injected into each process executed by the program running device.
A first callback function, which is a transform callback function for acquiring the first attribute information.
A second callback function, which is a transform callback function for dumping bytecode.
It should be noted that, in the embodiments of the present application, references to "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or sequence. It is to be understood that such terms are interchangeable under appropriate circumstances such that the embodiments described herein are capable of operation in sequences other than those illustrated or otherwise described herein. In addition, the reference to "and/or" in the embodiments of the present application describes an association relationship of associated objects, which means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
After introducing the technical terms related to the present application, the following briefly introduces the application scenarios and design ideas of the embodiments of the present application.
In order to solve the problems that the existing fileless attack detection method is not lightweight enough, has poor universality and expandability, and is poor in detection timeliness and detection effect, in the embodiment of the application a malicious class detection client is injected into the program running device. The client monitors the new class loading operations of the program running device in real time; when it observes that the program running device has loaded a new class, the malicious class detection server detects whether each new class in the program running device is a suspicious class, and then further detects whether each suspicious class is a malicious class. Because the detection of all new classes is triggered as soon as the malicious class detection client observes them being loaded, malicious classes can be detected in time and comprehensively; because the detection is shared between the malicious class detection server and the malicious class detection client, it stays lightweight and its universality is improved; and because each new class is checked twice, first for being suspicious and then for being malicious, the accuracy of malicious class detection is improved.
After introducing the application scenario and the design concept of the embodiment of the present application, the following describes in detail the technical solution provided by the embodiment of the present application.
Referring to fig. 1, a malicious class detection system 100 provided in an embodiment of the present application at least includes: a malicious class detection client 110 on the program running device, and a malicious class detection server 120;
the malicious class detection client 110 is configured to, when it is monitored that the program running device loads a new class, obtain first attribute information of each new class in the program running device and send the first attribute information to the malicious class detection server 120; when second attribute information of each suspicious class in the program running equipment sent by the malicious class detection server 120 is received, dumping the bytecode of each suspicious class in the program running equipment and sending the bytecode to the malicious class detection server 120;
the malicious class detection server 120 is configured to, when receiving first attribute information of each new class in the program running device sent by the malicious class detection client 110, call a suspicious class filtering rule stored in a first specified area based on the first attribute information of each new class in the program running device, detect whether each new class in the program running device is a suspicious class, obtain each suspicious class in the program running device, and send second attribute information of each suspicious class in the program running device to the malicious class detection client 110; and calling a malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running device sent by the malicious class detection client 110, and detecting whether each suspicious class in the program running device is a malicious class, so as to obtain each malicious class in the program running device.
In a possible implementation manner, the malicious class detection server 120 is further configured to, before receiving the first attribute information of each new class in the program running device that the malicious class detection client 110 sends when it monitors that the program running device loads a new class, inject the executable program compression package of the malicious class detection client 110 into the program running device using an instrumentation (probe insertion) technique, when it is determined that the program running device meets the instrumentation condition.
In a possible implementation manner, the malicious class detection client 110 is specifically configured to match a standard class file of the program running device with a current class file to obtain each new class in the program running device when it is monitored by using a hook loading function that the new class is loaded in the program running device; and acquiring first attribute information of each new class in the program running equipment by using the first callback function.
In a possible implementation manner, the malicious class detection server 120 is specifically configured to send the first attribute information of each new class in the program running device to the suspicious class detection engine 130, so as to trigger the suspicious class detection engine 130 to call the suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program running device, and detect whether each new class in the program running device is a suspicious class.
In one possible implementation, the malicious class detection client 110 is specifically configured to obtain the bytecode of each suspicious class in the program running device by using the second callback function.
In a possible implementation manner, the malicious class detection server 120 is specifically configured to send the bytecode of each suspicious class in the program running device to the malicious class detection engine 140, so as to trigger the malicious class detection engine 140 to invoke a malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running device, and detect whether each suspicious class in the program running device is a malicious class.
Referring to fig. 2, an interaction flow of the malicious class detection method according to the embodiment of the present application is as follows:
step 201: when monitoring that the program running device loads a new class, the malicious class detection client 110 acquires first attribute information of each new class in the program running device.
In practical applications, in order to monitor new class loading operations in real time and acquire the attribute information and bytecode of new classes, the malicious class detection server 120 may inject the executable program compression package of the malicious class detection client 110 into the program running device by instrumentation when it determines that the program running device satisfies the instrumentation condition. Specifically, the malicious class detection server 120 may determine that the program running device satisfies the instrumentation condition when the source code version of the program running device meets the instrumentation requirement, and then inject the executable program compression package of the malicious class detection client 110 into each process executed by the program running device, so that the functions of the malicious class detection client 110 are provided by running the package injected into each process.
Further, when the malicious class detection client 110 monitors that the program running device loads a new class by using the hook loading function, the standard class file of the program running device may be matched with the current class file to obtain each new class in the program running device, and the first attribute information of each new class in the program running device is obtained by using the first callback function.
Step 202: the malicious class detection client 110 sends the first attribute information of each new class in the program execution device to the malicious class detection server 120.
In practical applications, the malicious class detection client 110 may send the first attribute information of each new class in the program running device to the malicious class detection server 120 through the socket.
Step 203: when receiving the first attribute information of each new class in the program running device sent by the malicious class detection client 110, the malicious class detection server 120 calls the suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program running device, and detects whether each new class in the program running device is a suspicious class, so as to obtain each suspicious class in the program running device.
In practical applications, in order to make the configuration of the suspicious class filtering rules more flexible and extensible, the suspicious class filtering rules may be stored in the first designated area of the suspicious class detection engine 130. In a specific implementation, after receiving the first attribute information of each new class in the program running device sent by the malicious class detection client 110, the malicious class detection server 120 may send the first attribute information of each new class in the program running device to the suspicious class detection engine 130 through inter-process communication, so that the suspicious class detection engine 130 calls the suspicious class filtering rules stored in the first designated area based on the first attribute information of each new class in the program running device, detects whether each new class in the program running device is a suspicious class, and returns the result to the malicious class detection server 120 once each suspicious class in the program running device has been obtained. Specifically, the suspicious class detection engine 130 may send each suspicious class in the program running device to the malicious class detection server 120 through inter-process communication, so that the malicious class detection server 120 obtains each suspicious class in the program running device.
Step 204: the malicious class detection server 120 sends the second attribute information of each suspicious class in the program running device to the malicious class detection client 110.
In practical applications, the malicious class detection server 120 may also send the second attribute information of each suspicious class in the program running device to the malicious class detection client 110 through the socket.
Step 205: when receiving the second attribute information of each suspicious class in the program running device sent by the malicious class detection server 120, the malicious class detection client 110 dumps the bytecode of each suspicious class in the program running device.
In practical applications, when the malicious class detection client 110 receives the second attribute information of each suspicious class in the program running device sent by the malicious class detection server 120, the bytecode of each suspicious class in the program running device may be dumped by using the second callback function, so as to obtain the bytecode of each suspicious class in the program running device.
Step 206: the malicious class detection client 110 sends the bytecode of each suspicious class in the dumped program execution device to the malicious class detection server 120.
In practical applications, the malicious class detection client 110 may send the bytecode of each suspicious class in the program running device to the malicious class detection server 120 through the socket.
Step 207: when the malicious class detection server 120 receives the bytecode of each suspicious class in the program running device sent by the malicious class detection client 110, the malicious class detection model stored in the second specified area is called based on the bytecode of each suspicious class in the program running device, and whether each suspicious class in the program running device is a malicious class is detected, so that each malicious class in the program running device is obtained.
In practical applications, in order to make the configuration of the malicious class detection model more flexible and extensible, the malicious class detection model may be stored in the second designated area of the malicious class detection engine 140. In a specific implementation, after receiving the bytecode of each suspicious class in the program running device sent by the malicious class detection client 110, the malicious class detection server 120 may send the bytecode of each suspicious class in the program running device to the malicious class detection engine 140, so that the malicious class detection engine 140 calls the malicious class detection model stored in the second designated area based on the bytecode of each suspicious class in the program running device, detects whether each suspicious class in the program running device is a malicious class, and returns the result to the malicious class detection server 120 once each malicious class in the program running device has been obtained. Specifically, the malicious class detection engine 140 may send each malicious class in the program running device to the malicious class detection server 120 through inter-process communication, so that the malicious class detection server 120 obtains each malicious class in the program running device.
The malicious class detection method provided by the embodiment of the present application is further described in detail below with "performing Java malicious class detection on a Java virtual machine" as a specific application scenario.
In practical applications, in order to monitor the loading of new classes by the Java virtual machine and to obtain the attribute information and bytecode of each new class, the malicious class detection server 120 may, when it determines that the Java source code version running in the Java virtual machine meets the Java instrumentation specification, use the Java instrumentation technique to inject the Jar package of the malicious class detection client 110 into each process of the Java virtual machine, so that the function of the malicious class detection client 110 is realized by running the executable program compressed package injected into each process of the program running device. Detection of Java malicious classes in the Java virtual machine is then achieved through the cooperation of the malicious class detection client 110, the malicious class detection server 120, the suspicious class detection engine 130 and the malicious class detection engine 140. Specifically, as shown in fig. 3, the specific flow of the malicious class detection method provided in the embodiment of the present application is as follows:
Step 301: when the malicious class detection client 110 uses the hook loading function and monitors that the Java virtual machine loads a new class, it matches the standard class file of the Java virtual machine against the current class file to obtain each new class in the Java virtual machine.
Step 302: the malicious class detection client 110 acquires first attribute information of each new class in the Java virtual machine by using a first transform callback function.
Step 303: the malicious class detection client 110 sends the first attribute information of each new class in the Java virtual machine to the malicious class detection server 120 through the socket.
Step 304: the malicious class detection server 120 sends the first attribute information of each new class in the Java virtual machine to the suspicious class detection engine 130 through inter-process communication.
Step 305: the suspicious class detection engine 130 calls the suspicious class filtering rule stored in the first designated area based on the first attribute information of each new class in the Java virtual machine, and detects whether each new class in the Java virtual machine is a Java suspicious class, so as to obtain each Java suspicious class in the Java virtual machine.
Step 306: the suspicious class detection engine 130 returns the second attribute information of each Java suspicious class in the Java virtual machine to the malicious class detection server 120 through inter-process communication.
Step 307: the malicious class detection server 120 sends the second attribute information of each Java suspicious class in the Java virtual machine to the malicious class detection client 110 through the socket.
Step 308: the malicious class detection client 110 obtains the bytecode of each Java suspicious class in the Java virtual machine by using a second transform callback function based on the second attribute information of each Java suspicious class in the Java virtual machine.
Step 309: the malicious class detection client 110 sends the bytecode of each Java suspicious class in the Java virtual machine to the malicious class detection server 120 through the socket.
Step 310: the malicious class detection server 120 sends the bytecode of each Java suspicious class in the Java virtual machine to the malicious class detection engine 140 through inter-process communication.
Step 311: the malicious class detection engine 140 calls a malicious class detection model stored in the second specified area based on the bytecode of each Java suspicious class in the Java virtual machine, and detects whether each Java suspicious class in the Java virtual machine is a Java malicious class, so as to obtain each Java malicious class in the Java virtual machine.
Step 312: the malicious class detection engine 140 returns each Java malicious class in the Java virtual machine to the malicious class detection server 120 through inter-process communication.
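As an added example that is not part of the patent, the following Java agent sketch shows how steps 301 to 309 map onto the java.lang.instrument API: a first ClassFileTransformer that only reports attribute information of classes loaded after the agent attached, and a second one that dumps the current bytecode when the agent retransforms a class the server has flagged. The ServerChannel interface, the agent class name and the particular attribute fields reported (class name, loader, code source, size) are assumptions, since the patent does not specify the wire format or the exact attributes.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical agent (not the patent's code). Manifest needs Premain-Class / Agent-Class
 *  and "Can-Retransform-Classes: true", otherwise retransformClasses() is refused. */
public final class ClassLoadMonitorAgent {

    /** Stand-in for the socket to the detection server; the wire format is an assumption. */
    public interface ServerChannel {
        /** Sends first attribute information; returns the class names the server flags as suspicious. */
        Set<String> reportNewClass(Map<String, String> firstAttributeInfo);
        /** Sends the dumped bytecode of one suspicious class (the "second attribute" is its name here). */
        void reportBytecode(String className, byte[] classfile);
    }

    private static final Set<String> SUSPICIOUS = ConcurrentHashMap.newKeySet();
    private static final ThreadLocal<Boolean> IN_CALLBACK = ThreadLocal.withInitial(() -> false);
    private static final ExecutorService DUMPER = Executors.newSingleThreadExecutor(r -> {
        Thread t = new Thread(r, "class-dump"); t.setDaemon(true); return t; });
    private static volatile ServerChannel channel;

    public static void premain(String args, Instrumentation inst) { install(inst); }   // -javaagent
    public static void agentmain(String args, Instrumentation inst) { install(inst); } // dynamic attach
    public static void setChannel(ServerChannel c) { channel = c; }

    static void install(Instrumentation inst) {
        // Baseline ("standard" set): everything already loaded when the agent attached.
        Set<String> baseline = ConcurrentHashMap.newKeySet();
        for (Class<?> c : inst.getAllLoadedClasses()) baseline.add(c.getName());
        // First callback: invoked on initial definition only (classBeingRedefined == null).
        inst.addTransformer(new AttributeReporter(baseline, inst), false);
        // Second callback: invoked on retransformation and handed the class's current bytes.
        inst.addTransformer(new BytecodeDumper(), true);
    }

    /** First transform callback: collects first attribute information and never alters the class. */
    static final class AttributeReporter implements ClassFileTransformer {
        private final Set<String> baseline;
        private final Instrumentation inst;
        AttributeReporter(Set<String> baseline, Instrumentation inst) { this.baseline = baseline; this.inst = inst; }

        @Override
        public byte[] transform(ClassLoader loader, String internalName, Class<?> classBeingRedefined,
                                ProtectionDomain pd, byte[] classfile) {
            ServerChannel ch = channel;
            // Classes loaded while we are inside the callback (e.g. by the channel) are skipped to avoid re-entry.
            if (classBeingRedefined != null || internalName == null || ch == null || IN_CALLBACK.get()) return null;
            String name = internalName.replace('/', '.');      // "a/b/C" -> "a.b.C"
            if (!baseline.add(name)) return null;               // already known: not a new class
            IN_CALLBACK.set(true);
            try {
                Map<String, String> info = new LinkedHashMap<>();
                info.put("class", name);
                info.put("loader", loader == null ? "bootstrap" : loader.getClass().getName());
                CodeSource cs = pd == null ? null : pd.getCodeSource();
                info.put("codeSource", cs == null || cs.getLocation() == null ? "none" : cs.getLocation().toString());
                info.put("size", Integer.toString(classfile.length));
                Set<String> flagged = ch.reportNewClass(info);
                if (flagged != null && flagged.contains(name)) {
                    SUSPICIOUS.add(name);
                    DUMPER.submit(() -> retransform(name));     // must not retransform from inside transform()
                }
            } finally {
                IN_CALLBACK.set(false);
            }
            return null;
        }

        /** Runs off the loading thread; retries briefly because the class may not be defined yet. */
        private void retransform(String name) {
            for (int attempt = 0; attempt < 20; attempt++) {
                for (Class<?> c : inst.getAllLoadedClasses()) {
                    if (name.equals(c.getName()) && inst.isModifiableClass(c)) {
                        try { inst.retransformClasses(c); } catch (UnmodifiableClassException ignored) { }
                        return;
                    }
                }
                try { Thread.sleep(50); } catch (InterruptedException e) { Thread.currentThread().interrupt(); return; }
            }
        }
    }

    /** Second transform callback: on retransformation of a flagged class, dumps its current bytecode. */
    static final class BytecodeDumper implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String internalName, Class<?> classBeingRedefined,
                                ProtectionDomain pd, byte[] classfile) {
            if (classBeingRedefined == null || internalName == null) return null;   // initial load: not ours
            String name = internalName.replace('/', '.');
            ServerChannel ch = channel;
            if (ch != null && SUSPICIOUS.remove(name)) ch.reportBytecode(name, classfile.clone());
            return null;                                        // dump only, leave the class unchanged
        }
    }
}
```

The channel must be set before the first class is reported, and the dumped bytes are whatever the JVM currently holds, which is what a detection model on the server side would receive.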
Based on the foregoing embodiments, an embodiment of the present application provides a malicious class detection apparatus, which is applied to the malicious class detection server 120, and referring to fig. 4, the malicious class detection apparatus 400 provided in the embodiment of the present application at least includes:
an information receiving unit 401, configured to receive first attribute information of each new class in the program running device, which is sent when the malicious class detection client 110 on the program running device monitors that the program running device loads the new class;
a suspicious class detection unit 402, configured to invoke a suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program running device, and detect whether each new class in the program running device is a suspicious class, so as to obtain each suspicious class in the program running device;
a trigger dump unit 403, configured to send the second attribute information of each suspicious class in the program running device to the malicious class detection client 110, so as to trigger the malicious class detection client 110 to dump the bytecode of each suspicious class in the program running device;
a malicious class detection unit 404, configured to invoke a malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running device sent by the malicious class detection client 110, and detect whether each suspicious class in the program running device is a malicious class, so as to obtain each malicious class in the program running device.
In a possible implementation manner, the malicious class detection apparatus 400 provided in an embodiment of the present application further includes:
the program instrumentation unit 405 is configured to inject the executable program compressed package of the malicious class detection client 110 into the program running device by using an instrumentation technique when it is determined that the program running device satisfies the instrumentation condition.
In a possible implementation manner, based on the first attribute information of each new class in the program running device, the suspicious class filtering rule stored in the first specified area is called, and when detecting whether each new class in the program running device is a suspicious class, the suspicious class detecting unit 402 is specifically configured to:
sending the first attribute information of each new class in the program running device to the suspicious class detection engine 130, so as to trigger the suspicious class detection engine 130 to call the suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program running device, and detect whether each new class in the program running device is a suspicious class.
In a possible implementation manner, based on the bytecode of each suspicious class in the program running device sent by the malicious class detection client 110, the malicious class detection model stored in the second specified area is called, and when detecting whether each suspicious class in the program running device is a malicious class, the malicious class detection unit 404 is specifically configured to:
and sending the bytecode of each suspicious class in the program running device to the malicious class detection engine 140 to trigger the malicious class detection engine 140 to call the malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running device, so as to detect whether each suspicious class in the program running device is a malicious class.
In addition, another malicious class detection apparatus is further provided in an embodiment of the present application, and is applied to a malicious class detection client 110 on a program running device, as shown in fig. 5, a malicious class detection apparatus 500 provided in an embodiment of the present application at least includes:
an information obtaining unit 501, configured to, when it is monitored that the program running device loads a new class, obtain first attribute information of each new class in the program running device and send the first attribute information to the malicious class detection server 120, so as to trigger the malicious class detection server 120 to detect whether each new class in the program running device is a suspicious class based on the first attribute information of each new class in the program running device;
a dump execution unit 502, configured to dump the bytecode of each suspicious class in the program running device and send the bytecode to the malicious class detection server 120 when receiving the second attribute information of each suspicious class in the program running device, which is sent when the malicious class detection server 120 detects each suspicious class in the program running device, so as to trigger the malicious class detection server 120 to detect whether each suspicious class in the program running device is a malicious class based on the bytecode of each suspicious class in the program running device.
In a possible implementation manner, when it is monitored that the program running device loads a new class and first attribute information of each new class in the program running device is acquired, the information acquiring unit 501 is specifically configured to:
when the hook loading function is used to monitor that the program running device loads a new class, match the standard class file of the program running device against the current class file to obtain each new class in the program running device;
and acquire the first attribute information of each new class in the program running device by using the first callback function.
In a possible implementation manner, when dumping the bytecode of each suspicious class in the program running device, the dump execution unit 502 is specifically configured to:
acquire the bytecode of each suspicious class in the program running device by using the second callback function.
It should be noted that the principle of solving the technical problem of the two malicious class detection devices provided in the embodiment of the present application is similar to that of the malicious class detection method provided in the embodiment of the present application, and therefore, implementation of the two malicious class detection devices provided in the embodiment of the present application can refer to implementation of the malicious class detection method provided in the embodiment of the present application, and repeated details are not described herein.
Having introduced the system, method and apparatus for detecting malicious classes provided by the embodiments of the present application, the following briefly introduces the malicious class detection device provided by the embodiments of the present application.
Referring to fig. 6, a malicious class detection apparatus 600 provided in the embodiment of the present application at least includes: the processor 601, the memory 602, and a computer program stored on the memory 602 and operable on the processor 601, when the processor 601 executes the computer program, implement the malicious class detection method applied to the malicious class detection server provided in the embodiments of the present application, or implement the malicious class detection method applied to the malicious class detection client provided in the embodiments of the present application.
The malicious class detection device 600 provided by the embodiment of the present application may further include a bus 603 connecting different components (including the processor 601 and the memory 602). Bus 603 represents one or more of any of several types of bus structures, including a memory bus, a peripheral bus, a local bus, and so forth.
The memory 602 may include readable media in the form of volatile memory, such as random access memory (RAM) 6021 and/or cache memory 6022, and may further include read-only memory (ROM) 6023.
The memory 602 may also include a program/utility 6025 having a set (at least one) of program modules 6024; the program modules 6024 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The malicious class detection device 600 may also communicate with one or more external devices 604 (e.g., a keyboard, a remote control, etc.), with one or more devices that enable a user to interact with the malicious class detection device 600 (e.g., a cell phone, a computer, etc.), and/or with any device that enables the malicious class detection device 600 to communicate with one or more other malicious class detection devices 600 (e.g., a router, a modem, etc.). Such communication may be through an input/output (I/O) interface 605. Also, the malicious class detection device 600 may communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network, such as the internet) via the network adapter 606. As shown in fig. 6, the network adapter 606 communicates with the other modules of the malicious class detection apparatus 600 through the bus 603. It should be appreciated that although not shown in fig. 6, other hardware and/or software modules may be used in conjunction with the malicious class detection apparatus 600, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID subsystems, tape drives, and data backup storage subsystems, to name a few.
It should be noted that the malicious class detection apparatus 600 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the use range of the embodiment of the present application.
The following briefly introduces a computer-readable storage medium provided by an embodiment of the present application. The computer-readable storage medium provided in the embodiments of the present application stores computer instructions, and the computer instructions, when executed by the processor, implement the malicious class detection method applied to the malicious class detection server provided in the embodiments of the present application, or implement the malicious class detection method applied to the malicious class detection client provided in the embodiments of the present application. Specifically, the executable program may be built in or installed in the malicious class detection device 600, so that the malicious class detection device 600 may implement the malicious class detection method applied to the malicious class detection server provided in the embodiment of the present application, or implement the malicious class detection method applied to the malicious class detection client provided in the embodiment of the present application, by executing the built-in or installed executable program.
In addition, the malicious class detection method applied to the malicious class detection server according to the embodiment of the present application can also be implemented as a program product, where the program product includes program code, and when the program product can run on the malicious class detection server, the program code is configured to enable the malicious class detection server to execute the malicious class detection method applied to the malicious class detection server according to the embodiment of the present application. Of course, the malicious class detection method applied to the malicious class detection client according to the embodiment of the present application may also be implemented as a program product, where the program product includes a program code, and when the program product can run on a program running device, the program code is used to enable the program running device to execute the malicious class detection method applied to the malicious class detection client according to the embodiment of the present application.
The program product provided by the embodiments of the present application may be any combination of one or more readable media, where the readable media may be a readable signal medium or a readable storage medium, and the readable storage medium may be, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof, and in particular, more specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a RAM, a ROM, an Erasable Programmable Read-Only Memory (EPROM), an optical fiber, a portable Compact disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product provided by the embodiment of the application can adopt a CD-ROM and comprises program codes, and can run on a computing device. However, the program product provided by the embodiments of the present application is not limited thereto, and in the embodiments of the present application, the readable storage medium may be any tangible medium that can contain or store a program, which can be used by or in connection with an instruction execution system, apparatus, or device.
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided so as to be embodied by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (11)

1. A malicious class detection method is applied to a malicious class detection server, and comprises the following steps:
receiving first attribute information of each new class in program running equipment, which is sent when a hook function respectively injected into each process executed by the program running equipment is used by a malicious class detection client on the program running equipment to monitor that any process executed by the program running equipment loads the new class; the first attribute information is information which is obtained by the malicious class detection client by utilizing a first transform callback function and is used for describing each attribute of a new class;
calling suspicious class filtering rules stored in a first designated area based on first attribute information of each new class in the program running equipment, and detecting whether each new class in the program running equipment is a suspicious class to obtain each suspicious class in the program running equipment;
sending second attribute information of each suspicious class in the program running equipment to the malicious class detection client to trigger the malicious class detection client to dump byte codes of each suspicious class in the program running equipment by using a second transform callback function; the second attribute information is information representing the unique identifier of the suspicious class;
and calling a malicious class detection model stored in a second specified area based on the bytecode of each suspicious class in the program running equipment sent by the malicious class detection client, and detecting whether each suspicious class in the program running equipment is a malicious class to obtain each malicious class in the program running equipment.
2. The malicious class detection method according to claim 1, wherein before receiving the first attribute information of each new class in the program running equipment, which is sent when the malicious class detection client on the program running equipment monitors that the program running equipment loads a new class, the method further comprises:
when it is determined that the source code version run by the program running equipment meets the instrumentation requirement, injecting the executable program compressed package of the malicious class detection client into the program running equipment by using an instrumentation technique.
3. The malicious class detection method according to claim 1, wherein invoking the suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program execution device, and detecting whether each new class in the program execution device is a suspicious class includes:
sending the first attribute information of each new class in the program running equipment to a suspicious class detection engine to trigger the suspicious class detection engine to call a suspicious class filtering rule stored in the first specified area based on the first attribute information of each new class in the program running equipment, and detecting whether each new class in the program running equipment is a suspicious class.
4. The method according to claim 1, wherein the step of calling a malicious class detection model stored in a second specified area based on a bytecode of each suspicious class in the program execution device sent by the malicious class detection client to detect whether each suspicious class in the program execution device is a malicious class comprises:
and sending the bytecode of each suspicious class in the program running equipment to a malicious class detection engine so as to trigger the malicious class detection engine to call a malicious class detection model stored in the second specified area based on the bytecode of each suspicious class in the program running equipment, and detect whether each suspicious class in the program running equipment is a malicious class.
5. A malicious class detection method is applied to a malicious class detection client on program running equipment, and comprises the following steps:
when a hook function respectively injected into each process executed by program running equipment is used for monitoring that any process executed by the program running equipment loads a new class, a first transform callback function is used for acquiring first attribute information of each new class in the program running equipment and sending the first attribute information to a malicious class detection server so as to trigger the malicious class detection server to detect whether each new class in the program running equipment is a suspicious class or not based on the first attribute information of each new class in the program running equipment; wherein, the first attribute information is information describing each attribute of the new class;
when second attribute information of each suspicious class in the program running equipment, which is sent when the malicious class detection server detects each suspicious class in the program running equipment, is received, dumping the byte codes of each suspicious class in the program running equipment by using a second transform callback function and sending the byte codes to the malicious class detection server so as to trigger the malicious class detection server to detect whether each suspicious class in the program running equipment is a malicious class or not based on the byte codes of each suspicious class in the program running equipment; and the second attribute information is information representing the unique identifier of the suspicious class.
6. The malicious class detection method according to claim 5, wherein, when the hook function injected into each process executed by the program running device detects that any of those processes loads a new class, and before the first transform callback function is used to acquire the first attribute information of each new class on the program running device, the method further comprises:
matching the standard class file of the program running device against its current class file to obtain each new class on the program running device.
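The claims above describe the client side of the flow without naming the runtime, but "transform callback function", "bytecode" and "class" are the vocabulary of JVM instrumentation, so the following reads them as a Java agent. This is an added example, not the patent's code: the class name, the identifier format, the baseline snapshot as the interpretation of claim 6, and the Transport stand-in for the network layer are all assumptions. Stage 1 is the first transform callback (attribute report on every class defined after attach); stage 2 is the second transform callback, which only sees a class again because the agent forces a retransformation once the server's "suspicious" verdict arrives.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.nio.ByteBuffer;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not the patent's code: the client half of the claimed flow as a
 * Java agent. Stage 1 reports attributes of every class defined after attach;
 * stage 2 dumps the bytecode of classes the server named as suspicious by
 * forcing them back through the transformer chain.
 */
public final class MemoryClassAgent {

    /** Classes present at attach time: assumed reading of the "standard class file" baseline of claim 6. */
    private static final Set<String> BASELINE = Collections.synchronizedSet(new HashSet<>());
    /** Identifiers the server asked to have dumped (the claims' "second attribute information"). */
    private static final Set<String> PENDING_DUMP = Collections.synchronizedSet(new HashSet<>());
    private static volatile Instrumentation inst;

    public static void premain(String args, Instrumentation i) { install(i); }   // -javaagent at JVM start
    public static void agentmain(String args, Instrumentation i) { install(i); } // attached to a running JVM

    private static void install(Instrumentation i) {
        inst = i;
        for (Class<?> c : i.getAllLoadedClasses()) BASELINE.add(keyOf(c));
        // canRetransform=true: both callbacks run again when retransformClasses() is called
        i.addTransformer(new AttributeReporter(), true);
        i.addTransformer(new BytecodeDumper(), true);
    }

    /** Unique identifier (assumed format): defining loader identity plus internal class name. */
    static String classKey(ClassLoader loader, String internalName) {
        String l = loader == null ? "bootstrap"
                 : loader.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(loader));
        return l + "/" + internalName;
    }

    static String keyOf(Class<?> c) { return classKey(c.getClassLoader(), c.getName().replace('.', '/')); }

    /** Stage 1, first transform callback: record attributes of a newly defined class, never modify it. */
    static final class AttributeReporter implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String name, Class<?> redefined, ProtectionDomain pd, byte[] buf) {
            if (redefined != null || name == null) return null;  // retransformation or nameless class: not "new"
            String key = classKey(loader, name);
            if (!BASELINE.add(key)) return null;                  // already present before the agent attached
            CodeSource cs = pd == null ? null : pd.getCodeSource();
            // No CodeSource location: the class was defined from a byte[], not loaded from a jar or directory.
            String origin = (cs == null || cs.getLocation() == null) ? "<in-memory>" : cs.getLocation().toString();
            Transport.sendAttributes(key, origin, buf.length);
            return null;                                           // null = leave the class file untouched
        }
    }

    /** Stage 2, second transform callback: copy the bytes of a flagged class during forced retransformation. */
    static final class BytecodeDumper implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String name, Class<?> redefined, ProtectionDomain pd, byte[] buf) {
            if (redefined == null || name == null) return null;   // only act on retransformClasses()
            String key = classKey(loader, name);
            if (PENDING_DUMP.remove(key)) Transport.sendBytecode(key, buf.clone()); // buf: current class file image
            return null;
        }
    }

    /** Server verdict handler: force the flagged class back through the transformers so BytecodeDumper sees it. */
    public static void onSuspicious(String key) throws UnmodifiableClassException {
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (key.equals(keyOf(c)) && inst.isModifiableClass(c)) {
                PENDING_DUMP.add(key);
                inst.retransformClasses(c);
                return;
            }
        }
    }

    /** Stand-in for the network layer (assumption): prints what the real client would send to the server. */
    static final class Transport {
        static void sendAttributes(String key, String origin, int size) {
            System.out.printf("ATTR  %s origin=%s bytes=%d%n", key, origin, size);
        }
        static void sendBytecode(String key, byte[] bytes) {
            System.out.printf("DUMP  %s %d bytes magic=%08x%n", key, bytes.length, ByteBuffer.wrap(bytes).getInt());
        }
    }
}
```

Package this in a jar whose manifest carries `Premain-Class`, `Agent-Class` and `Can-Retransform-Classes: true`; the "injection into each process" of the claims is then either `-javaagent:agent.jar` at startup or a late attach to each running JVM (Attach API `VirtualMachine.attach(pid).loadAgent(...)`, or `jcmd <pid> JVMTI.agent_load agent.jar`). Two caveats a practitioner should keep in mind: a transformer is never invoked for classes that were already loaded when the agent attached, which is why the baseline snapshot is taken and why `onSuspicious` works off `getAllLoadedClasses()` rather than off stage-1 records alone; and a missing CodeSource location is a strong but not conclusive signal, since bytecode generators used by frameworks also define classes from a `byte[]`, so the verdict belongs on the server side where rules can be tuned.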
7. A malicious class detection system, comprising a malicious class detection client on a program running device and a malicious class detection server;
the malicious class detection client is configured to: when a hook function injected into each process executed by the program running device detects that any of those processes loads a new class, acquire first attribute information of each new class on the program running device with a first transform callback function and send it to the malicious class detection server; and, when second attribute information of each suspicious class on the program running device is received from the malicious class detection server, dump the bytecode of each suspicious class with a second transform callback function and send it to the malicious class detection server; wherein the first attribute information describes the attributes of the new class, and the second attribute information is the unique identifier of the suspicious class;
the malicious class detection server is configured to: when first attribute information of each new class on the program running device is received from the malicious class detection client, call a suspicious class filtering rule stored in a first specified area to detect, from that first attribute information, whether each new class is a suspicious class, obtain each suspicious class on the program running device, and send the second attribute information of each suspicious class to the malicious class detection client; and call a malicious class detection model stored in a second specified area to detect, from the bytecode of each suspicious class sent by the malicious class detection client, whether each suspicious class is a malicious class, thereby obtaining each malicious class on the program running device.
8. A malicious class detection device, applied to a malicious class detection server, comprising:
an information receiving unit, configured to receive first attribute information of each new class on a program running device, sent by a malicious class detection client on the program running device when a hook function injected into each process executed by the program running device detects that any of those processes loads a new class; wherein the first attribute information is obtained by the malicious class detection client with a first transform callback function and describes the attributes of the new class;
a suspicious class detection unit, configured to call a suspicious class filtering rule stored in a first specified area to detect, from the first attribute information of each new class on the program running device, whether each new class is a suspicious class, thereby obtaining each suspicious class on the program running device;
a dump triggering unit, configured to send second attribute information of each suspicious class on the program running device to the malicious class detection client, so as to trigger the client to dump the bytecode of each suspicious class with a second transform callback function; wherein the second attribute information is the unique identifier of the suspicious class;
and a malicious class detection unit, configured to call a malicious class detection model stored in a second specified area to detect, from the bytecode of each suspicious class sent by the malicious class detection client, whether each suspicious class on the program running device is a malicious class, thereby obtaining each malicious class on the program running device.
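The server units of claim 8 (and the server half of claim 7) split the work into a cheap rule over attribute records and a heavier check over dumped bytecode. The following is an added example of that split, not the patent's code: the stage-1 rule set, the hook-type and indicator lists, the class name and the constructed sample class are assumptions, and the stage-2 indicator rules merely stand in for the unspecified "malicious class detection model". The class-file reader follows the JVM specification's constant pool layout and stops after the interface table, which is all the rules need.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not the patent's code: the server half of the claimed flow.
 * Stage 1 applies suspicious-class rules to the attribute record the client sent;
 * stage 2 parses the dumped class file and applies indicator rules that stand in
 * for the patent's "malicious class detection model".
 */
public final class ClassVerdicts {

    /** Stage 1 rule over first attribute information (assumed rule set; needs no bytecode). */
    static boolean isSuspicious(String internalName, String origin) {
        boolean noCodeSource = "<in-memory>".equals(origin);   // defined from a byte[], not loaded from a jar/dir
        boolean noPackage = internalName.indexOf('/') < 0;      // top-level class in the unnamed package
        return noCodeSource || noPackage;
    }

    /** What stage 2 extracts from a dumped class file. */
    static final class Features {
        String thisClass, superClass;
        final List<String> interfaces = new ArrayList<>();
        final Set<String> utf8 = new LinkedHashSet<>();         // every CONSTANT_Utf8: names, descriptors, literals
    }

    /** Minimal class-file reader: constant pool, then this_class / super_class / interfaces (JVMS 4.1, 4.4). */
    static Features parse(byte[] classFile) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classFile));
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readUnsignedShort(); in.readUnsignedShort();         // minor_version, major_version
        int count = in.readUnsignedShort();
        Object[] pool = new Object[count];                       // slot 0 is unused by the format
        Features f = new Features();
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: { String s = in.readUTF(); pool[i] = s; f.utf8.add(s); break; } // Utf8: u2 length + bytes
                case 7: case 8: case 16: case 19: case 20:        // Class, String, MethodType, Module, Package
                    pool[i] = in.readUnsignedShort(); break;      // a single u2 index into the pool
                case 3: case 4: in.readInt(); break;              // Integer, Float
                case 5: case 6: in.readLong(); i++; break;        // Long, Double occupy two slots
                case 9: case 10: case 11: case 12: case 17: case 18: in.readInt(); break; // two u2 indices
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break;          // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        in.readUnsignedShort();                                  // access_flags
        f.thisClass = className(pool, in.readUnsignedShort());
        int superIdx = in.readUnsignedShort();                   // 0 only for java/lang/Object
        f.superClass = superIdx == 0 ? null : className(pool, superIdx);
        int n = in.readUnsignedShort();
        for (int i = 0; i < n; i++) f.interfaces.add(className(pool, in.readUnsignedShort()));
        return f;
    }

    private static String className(Object[] pool, int classIdx) {
        return (String) pool[(Integer) pool[classIdx]];          // CONSTANT_Class.name_index -> Utf8
    }

    /** Container/framework hook types a memory-resident web shell registers itself as (assumed list). */
    static final Set<String> HOOK_TYPES = Set.of(
        "javax/servlet/Filter", "jakarta/servlet/Filter",
        "javax/servlet/http/HttpServlet", "jakarta/servlet/http/HttpServlet",
        "org/apache/catalina/Valve", "org/springframework/web/servlet/HandlerInterceptor");
    /** Constant-pool substrings indicating command execution or further in-memory class definition. */
    static final String[] EXEC_REFS = { "java/lang/ProcessBuilder", "java/lang/Runtime", "defineClass", "sun/misc/Unsafe" };

    /** Stage 2 heuristic standing in for the detection model; returns the rules that fired (empty = clean). */
    static List<String> maliciousIndicators(Features f) {
        List<String> hits = new ArrayList<>();
        if (f.superClass != null && HOOK_TYPES.contains(f.superClass)) hits.add("extends " + f.superClass);
        for (String i : f.interfaces) if (HOOK_TYPES.contains(i)) hits.add("implements " + i);
        for (String ref : EXEC_REFS)
            for (String s : f.utf8) if (s.contains(ref)) { hits.add("references " + ref); break; }
        return hits;
    }

    /** Constructed sample, not a real implant: its field descriptor puts java/lang/ProcessBuilder in the pool. */
    static final class ProbeSample implements Runnable {
        ProcessBuilder launcher;
        @Override public void run() { }
    }

    public static void main(String[] args) throws IOException {
        // The sample's own .class bytes stand in for the bytecode the client dumped.
        try (InputStream in = ClassVerdicts.class.getResourceAsStream("ClassVerdicts$ProbeSample.class")) {
            if (in == null) throw new IOException("run from the directory javac wrote the .class files to");
            Features f = parse(in.readAllBytes());
            System.out.println("stage 1 suspicious: " + isSuspicious(f.thisClass, "<in-memory>"));
            System.out.println(f.thisClass + " extends " + f.superClass + " implements " + f.interfaces);
            System.out.println("stage 2 indicators: " + maliciousIndicators(f));
        }
    }
}
```

Compile with `javac ClassVerdicts.java` and run `java ClassVerdicts` from the same directory; the sample reports as suspicious at stage 1 (unnamed package, in-memory origin) and trips only the `java/lang/ProcessBuilder` indicator at stage 2, since it neither extends nor implements a container hook type. That is the intended shape of the two stages: stage 1 must be cheap because it runs on every class the agent sees, while stage 2 needs the full class file and so is run only on the classes stage 1 lets through; a production server would replace `maliciousIndicators` with whatever model the operator trusts and feed it the dumped bytes unchanged.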
9. A malicious class detection apparatus, applied to a malicious class detection client on a program running device, comprising:
an information acquisition unit, configured to, when a hook function injected into each process executed by the program running device detects that any of those processes loads a new class, acquire first attribute information of each new class on the program running device with a first transform callback function and send it to a malicious class detection server, so as to trigger the server to detect, from that first attribute information, whether each new class is a suspicious class; wherein the first attribute information describes the attributes of the new class;
and a dump execution unit, configured to, when second attribute information of each suspicious class on the program running device is received, as sent by the malicious class detection server upon detecting each suspicious class, dump the bytecode of each suspicious class with a second transform callback function and send it to the malicious class detection server, so as to trigger the server to detect, from that bytecode, whether each suspicious class is a malicious class; wherein the second attribute information is the unique identifier of the suspicious class.
10. A malicious class detection device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the malicious class detection method according to any one of claims 1 to 4 or the malicious class detection method according to any one of claims 5 to 6.
11. A computer-readable storage medium storing computer instructions which, when executed by a processor, implement the malicious class detection method according to any one of claims 1 to 4, or the malicious class detection method according to any one of claims 5 to 6.
CN202111344288.0A 2021-11-15 2021-11-15 Malicious class detection method, system, device, equipment and medium Active CN113792294B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111344288.0A CN113792294B (en) 2021-11-15 2021-11-15 Malicious class detection method, system, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111344288.0A CN113792294B (en) 2021-11-15 2021-11-15 Malicious class detection method, system, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN113792294A CN113792294A (en) 2021-12-14
CN113792294B true CN113792294B (en) 2022-03-08

Family

ID=78955135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111344288.0A Active CN113792294B (en) 2021-11-15 2021-11-15 Malicious class detection method, system, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN113792294B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113946825B (en) * 2021-12-22 2022-04-26 北京微步在线科技有限公司 Memory horse processing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001947A (en) * 2012-11-09 2013-03-27 北京奇虎科技有限公司 Program processing method and program processing system
CN104580203A (en) * 2014-12-31 2015-04-29 北京奇虎科技有限公司 Website malicious program detection method and device
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
CN107798242A (en) * 2017-11-13 2018-03-13 南京大学 Automatic detection system for malicious Android applications combining static and dynamic analysis
CN112632548A (en) * 2020-12-30 2021-04-09 北京天融信网络安全技术有限公司 Malicious android program detection method and device, electronic device and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2485577C1 (en) * 2012-05-11 2013-06-20 Закрытое акционерное общество "Лаборатория Касперского" Method of increasing reliability of detecting malicious software
US9171154B2 (en) * 2014-02-12 2015-10-27 Symantec Corporation Systems and methods for scanning packed programs in response to detecting suspicious behaviors
US12013941B2 (en) * 2018-06-28 2024-06-18 Crowdstrike, Inc. Analysis of malware
CN113452794A (en) * 2021-06-30 2021-09-28 深圳鲲鹏无限科技有限公司 Method, system, server and router for intelligently and dynamically adding blacklist


Also Published As

Publication number Publication date
CN113792294A (en) 2021-12-14

Similar Documents

Publication Publication Date Title
KR102264288B1 (en) Systems and methods for monitoring cloud-based operating system events and data access
US10642978B2 (en) Information security techniques including detection, interdiction and/or mitigation of memory injection attacks
CN104239786B Root-free active defense configuration method and device
CN106687971A (en) Automated code lockdown to reduce attack surface for software
CN113568686B (en) Asynchronous processing method and device for Lua language, computer equipment and storage medium
CN101151617A (en) Software protection
CN104239797B (en) Active defense method and device
WO2021189257A1 (en) Malicious process detection method and apparatus, electronic device, and storage medium
CN106682493B Method and apparatus for preventing a process from being maliciously terminated, and electronic device
CN111813774B (en) Method for monitoring and acquiring traceability information based on sysdig system
CN113792294B (en) Malicious class detection method, system, device, equipment and medium
CN111800490A (en) Method and device for acquiring network behavior data and terminal equipment
CN202652255U (en) SQL injection safety protection system
CN110505246B (en) Client network communication detection method, device and storage medium
CN114595462A (en) Data processing method and device
CN106997313B (en) Signal processing method and system of application program and terminal equipment
CN115859280A (en) Memory horse detection method, device, equipment and storage medium
CN109784054B (en) Behavior stack information acquisition method and device
CN112235300B (en) Cloud virtual network vulnerability detection method, system, device and electronic equipment
CN113420046A (en) Data operation method, device, equipment and storage medium of non-relational database
CN110958267B (en) Method and system for monitoring threat behaviors in virtual network
CN115794583A (en) Kernel analysis method and device
CN114444071A (en) Powershell script monitoring method and device, electronic equipment, medium and product
CN114861230A (en) Privacy protection method and device in terminal equipment
CN114266037B (en) Sample detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant