CN113904796A - Equipment backdoor detection method of flow for network security detection - Google Patents


Info

Publication number: CN113904796A (granted as CN113904796B)
Authority: CN (China)
Application number: CN202110995717.4A
Other languages: Chinese (zh)
Prior art keywords: file, suspicious, past, program, flow
Legal status: Granted, active
Inventors: 贺铮, 严定宇, 吕利锋, 严寒冰, 饶毓, 吕志泉, 秦佳伟
Current assignee: National Computer Network and Information Security Management Center
Original assignee: National Computer Network and Information Security Management Center
Priority date: 2021-08-27
Filing date: 2021-08-27
Application filed by National Computer Network and Information Security Management Center; priority to CN202110995717.4A; published as CN113904796A; application granted and published as CN113904796B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software


Abstract

The invention belongs to the technical field of network security and discloses a traffic-based device backdoor detection method for network security detection. The method uses a sandbox virtual system program, a shelling (unpacking) program, a tracking program and a judging program together with two samples: the abnormally released file sample recorded by the registry, and the file packet sample received when traffic increased abnormally. The degree of match between these two samples is compared. In this way the file sample in the device software that carries the backdoor and is related to the abnormal release can be obtained directly: past abnormal traffic increases are backtracked, the device's abnormal behaviour is compared jointly with the registry, and the current state is monitored in real time. Compared with checking only the current abnormal IP communication or a single registry inspection, the efficiency is relatively high, and the accuracy is also improved through the comparison.

Description

Equipment backdoor detection method of flow for network security detection
Technical Field
The invention belongs to the technical field of network security, and in particular relates to a traffic-based method for detecting a device backdoor for network security detection.
Background
A device backdoor is a program that bypasses the system's security monitoring and directly obtains access to, and control over, the related program and system. Backdoors are generally left by developers during development of the system program so that the developer can modify the system program during the development process. If a backdoor is not removed before the device software is released, it becomes a vulnerability, and if it is exploited by unauthorized persons it can cause immeasurable loss.
Developers generally remove the product backdoor once the product is released, but an attacker can still use other vulnerabilities in the software to implant further backdoors into it, so device software must be checked for backdoors during irregular maintenance. Existing checking methods generally monitor the device program and software after they are run and check whether the device program is currently communicating with other IP addresses. A backdoor program, however, only communicates and downloads after it has been activated, so this step cannot reliably detect a device backdoor. Relying on the registry alone makes it equally hard to judge whether a registry entry really belongs to a backdoor program. The check is therefore difficult, and a new way to screen for backdoors is needed.
Disclosure of Invention
The present invention aims to provide a traffic-based device backdoor detection method for network security detection that solves the problems set out in the background art.
To achieve the above purpose, the invention provides the following technical scheme. The traffic-based device backdoor detection method for network security detection comprises a sandbox virtual system program, a shelling program, a tracking program, a judging program, an abnormally released file sample recorded by the registry, and a file packet sample received when traffic increased abnormally. The goodness of fit between the abnormally released file sample recorded by the registry and the file packet sample received when traffic increased abnormally is compared, and whether a backdoor exists is judged according to that goodness of fit;
Checking the abnormally released file sample recorded by the registry comprises the following specific steps:
Step 1: establish a sandbox virtual system and drag the possibly suspicious device program and software into the sandbox, ready to run. First run fileinfo.exe in the sandbox to check whether the device program and software are packed (shelled), judge the type of shell applied from the detection result, and call the corresponding shelling program to prepare for unpacking. Software packing is generally a method of protecting program resources; shells come in several types, including encryption shells, pseudo-shells, compression shells and multilayer shells, and their purpose is to hide the program's OEP (entry point) from anyone trying to crack the program. Unpacking removes the pseudo-shell and protective shell of the program and modifies its resources;
Step 2: if the suspicious device program and software are packed, unpack them using a method such as the ESP-theorem unpacking method to expose the OEP of the suspicious program and provide the conditions for the tracking program that follows, and if the inspection result of fileinfo.
Step 3: run the suspicious program and software directly while loading the tracking program and the judging program at the same time. The tracking program traces the data transmission of the suspicious program and software under test: it checks whether there is currently any communication between the suspicious program and external unknown IP addresses and whether new registry entries have been added, displays and records all IP addresses currently communicated with, displays the number of bytes sent and received per unit time in real time, and records sudden traffic changes within a time period. The judging program judges whether the new registry entries are suspicious and records the new entries;
Step 4: backtrack the past entries of the registry, list them and pass them to the judging program for checking. The judging program lists and records the suspicious entries, searches them for records of files abnormally added in the past, and determines the location of each suspicious file by searching the operation log. The type of the past suspicious file is compared with the newly added file released by the current suspicious device program and software; if the types are similar or identical, the start time at which the current device program and software executed that operation in the past is judged, and location and time information is attached to the past suspicious file.
Step 5: check whether the current device program and software automatically download the suspicious file packet. If so, directly judge that a backdoor exists and that it is related to the past suspicious file; if not, check the file packet sample received when past traffic increased abnormally.
Checking the file packet sample received when past traffic increased abnormally comprises the following specific steps:
Step 1: monitor whether traffic increases abnormally within a period of time after the suspicious device program and software run; if so, record the size of the received data file packet and judge the type of the file packet;
Step 2: backtrack and check past abnormal traffic increases, record their time points, find the IP address of the trigger source in the TCP communication record for each abnormal increase, and record the size of the received file packet;
Step 3: check whether, at the past time points of abnormal traffic increase, the suspicious device program and software shared files with other IP addresses that were not the trigger source.
The degree of match between the abnormally released file sample recorded by the registry and the file packet sample received when backtracked past traffic increased abnormally is then compared. The match is detected by backtracking the past registry and comprises the following items:
1) comparing whether the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the size and file type of the file packet received during the past abnormal traffic increase are consistent with the released file sample found in the suspicious registry entry;
3) checking whether the sizes and file types of the files shared with other non-trigger-source IP addresses are consistent with those of the received file packet;
If any one of the three items matches, a backdoor exists, and it is related to the file released by the suspicious program.
Preferably, the check of the abnormally released file sample recorded by the registry and the check of the file packet sample received when past traffic increased abnormally are both carried out in the sandbox virtual system; the two checks can run synchronously and be compared in real time, which improves efficiency.
Preferably, the ESP-theorem unpacking method may also be replaced by an OD loading method.
Preferably, when the size difference between the abnormally released file sample recorded by the registry and the file packet sample received during the backtracked past abnormal traffic increase does not exceed 1 MB, the two may also be considered consistent. Checking the received file packet sample generally only requires obtaining the size of the received file packet; the statistic is the total size of all received file packets, which are scattered in various places. Released data packets missing at the time point of the statistic can be ignored during the comparison, but this missing deviation must be removed when the backdoor is finally checked.
Preferably, the abnormally released file sample recorded in the registry is obtained by superposing the files released to different addresses at the same time point. If only a single file released to one address at that time point is taken, without superposing it with the files released to the other addresses at the same time point, the sample cannot be compared with the file packet sample received during the abnormal traffic increase at the same time, unless three files were released at that time point.
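The three comparison items, the 1 MB size tolerance and the superposition of same-time releases above, carried through as a worked example. This is an added illustration, not the patent's own program; the 60-second window for "the same time point", the 5x-median spike threshold and every sample record are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MB = 1024 * 1024
SIZE_TOLERANCE = 1 * MB   # page: a size difference of up to 1 MB still counts as consistent
TIME_TOLERANCE = 60       # seconds; assumed window for "the same time point" (not given on the page)
SPIKE_FACTOR = 5.0        # assumed: a bucket above 5x the median counts as an abnormal increase


@dataclass(frozen=True)
class ReleaseRecord:
    """A file abnormally added according to a past registry entry (registry check, step 4)."""
    time: int      # epoch second at which the registry entry was written
    path: str      # address the file was released to
    size: int      # bytes
    ftype: str


@dataclass(frozen=True)
class FlowBucket:
    """Bytes received from one remote IP during one interval (tracking program)."""
    time: int
    src_ip: str
    received: int
    ftype: str     # type of the file packet carried by the flow


@dataclass(frozen=True)
class ShareRecord:
    """A file the suspect program sent to an IP that is not the trigger source (traffic check, step 3)."""
    time: int
    dst_ip: str
    size: int
    ftype: str


def overlap_releases(records):
    """Superpose files released to different addresses at the same time point (claim 5).
    Returns {time: (summed size, set of file types)}. A time point with a single release
    to one address is not a usable sample unless three files were released at that point."""
    by_time = defaultdict(list)
    for rec in records:
        by_time[rec.time].append(rec)
    samples = {}
    for t, group in by_time.items():
        if len({rec.path for rec in group}) == 1 and len(group) < 3:
            continue
        samples[t] = (sum(rec.size for rec in group), {rec.ftype for rec in group})
    return samples


def find_spikes(buckets):
    """Backtrack the flow record: a bucket far above the median is an abnormal increase,
    and the remote IP of that bucket is the trigger source recorded for it."""
    baseline = median(b.received for b in buckets)
    return [b for b in buckets if b.received > SPIKE_FACTOR * baseline]


def sizes_consistent(a, b):
    return abs(a - b) <= SIZE_TOLERANCE


def compare(samples, spikes, shares):
    """Apply the three comparison items to every past spike; any hit means a backdoor
    related to the released file. Returns (verdict, sorted list of matched item numbers)."""
    hits = set()
    for spike in spikes:
        near = [v for t, v in samples.items() if abs(t - spike.time) <= TIME_TOLERANCE]
        if near:
            hits.add(1)                      # item 1: registry entry matches the spike time point
        for size, types in near:
            if sizes_consistent(size, spike.received) and spike.ftype in types:
                hits.add(2)                  # item 2: received packet size and type match the sample
        for sh in shares:
            if (sh.dst_ip != spike.src_ip and abs(sh.time - spike.time) <= TIME_TOLERANCE
                    and sizes_consistent(sh.size, spike.received) and sh.ftype == spike.ftype):
                hits.add(3)                  # item 3: copy shared to a non-trigger IP matches
    return bool(hits), sorted(hits)


# Constructed sample records (not taken from the page); T0 is an arbitrary epoch second.
T0 = 1_700_000_000
RELEASES = [
    ReleaseRecord(T0 + 300, r"C:\ProgramData\svc\upd.dll", 3 * MB, "dll"),
    ReleaseRecord(T0 + 300, r"C:\Users\Public\upd.dll", 3 * MB, "dll"),
    ReleaseRecord(T0 + 900, r"C:\Temp\notes.txt", 4096, "txt"),   # lone release: dropped
]
FLOWS = [FlowBucket(T0 + 60 * i, "203.0.113.10", 20_000, "none") for i in range(10)]
FLOWS[5] = FlowBucket(T0 + 300, "198.51.100.7", 6 * MB + 400_000, "dll")   # the spike
SHARES = [ShareRecord(T0 + 320, "192.0.2.55", 6 * MB + 100_000, "dll")]


def run_demo():
    """Full pipeline on the constructed records: expected (True, [1, 2, 3])."""
    return compare(overlap_releases(RELEASES), find_spikes(FLOWS), SHARES)
```

With the constructed records the summed 6 MB release at T0+300 sits within 1 MB of the 6.4 MB packet received in the spike from 198.51.100.7, and the copy shared to 192.0.2.55 matches as well, so all three items hit.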
The invention has the following beneficial effects:
By checking the abnormally released file sample recorded in the registry and the file packet sample received when past traffic increased abnormally, the invention lists the time point of the abnormally released file sample and the type and size of the file packet, compares these data with the file packet sample received during the past abnormal traffic increase, and observes whether the time points match and whether the file sizes match or are very close. If the match is judged positive, the file sample in the device software that carries the backdoor and is related to the abnormal release can be obtained directly. Past abnormal traffic increases are backtracked, the device's abnormal behaviour is compared jointly with the registry, and current real-time monitoring is carried out; compared with checking only current abnormal IP communication and a single registry entry, the efficiency is relatively high and the accuracy is improved through the comparison.
Drawings
FIG. 1 is a flowchart of checking the abnormally released file sample recorded in the registry according to the present invention;
FIG. 2 is a flowchart of checking the file packet sample received when past traffic increased abnormally according to the present invention;
FIG. 3 is a schematic diagram of the comparison conditions used for the judgement according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
As shown in FIG. 1 to FIG. 3, in the embodiment of the present invention the traffic-based device backdoor detection method for network security detection comprises a sandbox virtual system program, a shelling program, a tracking program, a judging program, an abnormally released file sample recorded by the registry, and a file packet sample received when traffic increased abnormally. The degree of match between the backtracked abnormally released file sample recorded by the registry and the file packet sample received when traffic increased abnormally is compared, and whether a backdoor exists is determined according to that degree of match. The checking steps, the comparison items and the preferred variants are those set out in the Disclosure of Invention above.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (5)

1. A traffic-based device backdoor detection method for network security detection, comprising a sandbox virtual system program, a shelling program, a tracking program, a judging program, an abnormally released file sample recorded by the registry and a file packet sample received when traffic increased abnormally, characterized in that: the goodness of fit between the abnormally released file sample recorded by the registry and the file packet sample received when backtracked past traffic increased abnormally is compared, and whether a backdoor exists is judged according to that goodness of fit;
checking the abnormally released file sample recorded by the registry comprises the following specific steps:
step 1: establishing a sandbox virtual system, dragging the possibly suspicious device program and software into the sandbox ready to run, first running fileinfo.exe in the sandbox to check whether the device program and software are packed, judging the type of shell applied from the detection result, and passing them to the corresponding shelling program to prepare for unpacking;
step 2: if the suspicious device program and software are packed, unpacking them by a method such as the ESP-theorem unpacking method to expose the OEP of the suspicious program and provide the conditions for the tracking program that follows, and if the inspection result of fileinfo.
step 3: running the suspicious program and software directly while loading the tracking program and the judging program at the same time, wherein the tracking program traces the data transmission of the suspicious program and software under test, checks whether there is currently any communication between the suspicious program and external unknown IP addresses and whether new registry entries have been added, displays and records all IP addresses currently communicated with, displays the number of bytes sent and received per unit time in real time and records sudden traffic changes within a time period, and the judging program judges whether the new registry entries are suspicious and records them;
step 4: backtracking the past entries of the registry, listing them and passing them to the judging program for checking, the judging program listing and recording the suspicious entries, searching them for records of files abnormally added in the past, determining the location of each suspicious file by searching the operation log, comparing the type of the past suspicious file with the newly added file released by the current suspicious device program and software, and, if the types are similar or identical, judging the start time at which the current device program and software executed that operation in the past and attaching location and time information to the past suspicious file;
step 5: checking whether the current device program and software automatically download the suspicious file packet; if so, directly judging that a backdoor exists and that it is related to the past suspicious file, and if not, checking the file packet sample received when past traffic increased abnormally;
checking the file packet sample received when past traffic increased abnormally comprises the following specific steps:
step 1: monitoring whether traffic increases abnormally within a period of time after the suspicious device program and software run, and if so, recording the size of the received data file packet and judging the type of the file packet;
step 2: backtracking and checking past abnormal traffic increases, recording their time points, finding the IP address of the trigger source in the TCP communication record for each abnormal increase, and recording the size of the received file packet;
step 3: checking whether, at the past time points of abnormal traffic increase, the suspicious device program and software shared files with other IP addresses that were not the trigger source;
comparing the degree of match between the abnormally released file sample recorded by the registry and the file packet sample received when backtracked past traffic increased abnormally, wherein the match is detected by backtracking the past registry and comprises the following items:
1) comparing whether the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the size and file type of the file packet received during the past abnormal traffic increase are consistent with the released file sample found in the suspicious registry entry;
3) checking whether the sizes and file types of the files shared with other non-trigger-source IP addresses are consistent with those of the received file packet;
if any one of the three items matches, a backdoor exists, and it is related to the file released by the suspicious program.
2. The device backdoor detection method based on traffic for network security detection according to claim 1, characterized in that: the inspection of abnormally dropped file samples recorded in the registry and the inspection of file package samples received during past abnormal traffic increases are both carried out in a sandboxed virtual system, and the two inspections can run concurrently and be compared in real time.
3. The device backdoor detection method based on traffic for network security detection according to claim 1, characterized in that: the ESP-law unpacking method may also be replaced by loading the sample in OD (OllyDbg).
4. The device backdoor detection method based on traffic for network security detection according to claim 1, characterized in that: when the size difference between an abnormally dropped file sample recorded in the registry and a file package sample received during a backtracked past abnormal traffic increase does not exceed 1 MB, the two are still considered consistent.
5. The device backdoor detection method based on traffic for network security detection according to claim 1, characterized in that: the abnormally dropped file samples recorded in the registry are obtained by superposing the files dropped at the same time point under different addresses.
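The three-way comparison at the end of claim 1, the 1 MB size tolerance of claim 4 and the same-time-point superposition of claim 5, carried out on constructed records as an added worked example. This is illustrative code written for this page, not the patent's implementation; the record layouts, the 30-second window used to decide that two events share a time point, the binary reading of "1 MB" and every sample event are assumptions.

```python
# Added example (not from the patent): correlate registry-recorded dropped files
# with past traffic spikes using the three comparisons of claim 1, the 1 MB size
# tolerance of claim 4 and the same-time-point superposition of claim 5.
from dataclasses import dataclass
from datetime import datetime, timedelta

SIZE_TOLERANCE = 1 << 20                # claim 4: up to 1 MB difference still counts as consistent
TIME_TOLERANCE = timedelta(seconds=30)  # assumption: claim 1 gives no width for "same time point"


@dataclass(frozen=True)
class DroppedFile:
    """A file drop recovered by backtracking the sandbox registry (claim 1, claim 5)."""
    time: datetime
    path: str
    size: int
    ftype: str


@dataclass(frozen=True)
class TrafficSpike:
    """A past abnormal traffic increase: trigger-source IP and the received file package."""
    time: datetime
    trigger_ip: str
    recv_size: int
    ftype: str


@dataclass(frozen=True)
class FileShare:
    """A file the suspicious program sent to some IP during a spike (step 3)."""
    time: datetime
    dest_ip: str
    size: int
    ftype: str


def aggregate_drops(drops):
    """Claim 5: superpose drops at the same time point but different paths into one sample."""
    buckets = {}
    for d in drops:
        buckets.setdefault(d.time, []).append(d)
    samples = []
    for t, group in sorted(buckets.items()):
        types = {d.ftype for d in group}
        ftype = types.pop() if len(types) == 1 else "mixed"
        joined = ";".join(sorted(d.path for d in group))
        samples.append(DroppedFile(t, joined, sum(d.size for d in group), ftype))
    return samples


def _same_time(a, b):
    return abs(a - b) <= TIME_TOLERANCE


def _size_consistent(a, b):
    return abs(a - b) <= SIZE_TOLERANCE


def match_backdoor(drops, spikes, shares):
    """Return (verdict, matched_rules); per claim 1 any single matching rule is a backdoor."""
    samples = aggregate_drops(drops)
    hits = set()
    for sp in spikes:
        for s in samples:
            if _same_time(s.time, sp.time):              # rule 1: registry entry time vs spike time
                hits.add(1)
            if s.ftype == sp.ftype and _size_consistent(s.size, sp.recv_size):
                hits.add(2)                               # rule 2: dropped sample vs received package
        for sh in shares:
            if (sh.dest_ip != sp.trigger_ip and _same_time(sh.time, sp.time)
                    and sh.ftype == sp.ftype and _size_consistent(sh.size, sp.recv_size)):
                hits.add(3)                               # rule 3: share to a non-trigger IP vs package
    return bool(hits), sorted(hits)


# Constructed sample events (assumptions, not data from the patent).
T0 = datetime(2021, 8, 27, 10, 0, 0)
SAMPLE_DROPS = [  # two DLLs dropped in the same second under different paths
    DroppedFile(T0, r"C:\Users\Public\svc.dll", 900_000, "dll"),
    DroppedFile(T0, r"C:\Users\Public\upd.dll", 1_300_000, "dll"),
]
SAMPLE_SPIKES = [TrafficSpike(T0 + timedelta(seconds=10), "203.0.113.7", 2_700_000, "dll")]
LATE_SPIKES = [TrafficSpike(T0 + timedelta(hours=1), "203.0.113.7", 2_700_000, "dll")]
BENIGN_SPIKES = [TrafficSpike(T0 + timedelta(hours=3), "203.0.113.7", 50_000_000, "iso")]
SAMPLE_SHARES = [
    FileShare(T0 + timedelta(seconds=20), "198.51.100.9", 2_600_000, "dll"),  # non-trigger IP
    FileShare(T0 + timedelta(seconds=20), "203.0.113.7", 2_600_000, "dll"),   # trigger IP: ignored by rule 3
]

if __name__ == "__main__":
    print(match_backdoor(SAMPLE_DROPS, SAMPLE_SPIKES, SAMPLE_SHARES))  # (True, [1, 2, 3])
    print(match_backdoor(SAMPLE_DROPS, BENIGN_SPIKES, SAMPLE_SHARES))  # (False, [])
    # Without claim 5's superposition, each single drop is more than 1 MB away
    # from the 2.7 MB package, so only the time-point rule fires.
    print(match_backdoor(SAMPLE_DROPS[:1], SAMPLE_SPIKES, []))         # (True, [1])
```

The sample drops are chosen to show why claim 5 matters: the individual 900 KB and 1.3 MB files are each more than 1 MB away from the 2.7 MB package, so rule 2 only fires once the same-second drops are superposed into a 2.2 MB sample. Note that rule 1 fires on a time coincidence alone, which is exactly what the claim states; in practice a time-only hit is a weak signal and a deployment would want the time window tightened or rule 1 combined with rule 2.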
CN202110995717.4A 2021-08-27 2021-08-27 Equipment back door detection method for network flow safety detection Active CN113904796B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110995717.4A CN113904796B (en) 2021-08-27 2021-08-27 Equipment back door detection method for network flow safety detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110995717.4A CN113904796B (en) 2021-08-27 2021-08-27 Equipment back door detection method for network flow safety detection

Publications (2)

Publication Number Publication Date
CN113904796A true CN113904796A (en) 2022-01-07
CN113904796B CN113904796B (en) 2023-11-17

Family

ID=79188267

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110995717.4A Active CN113904796B (en) 2021-08-27 2021-08-27 Equipment back door detection method for network flow safety detection

Country Status (1)

Country Link
CN (1) CN113904796B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011063729A1 (en) * 2009-11-26 2011-06-03 成都市华为赛门铁克科技有限公司 Method, equipment and system for early warning about unknown malicious codes
CN103473501A (en) * 2013-08-22 2013-12-25 北京奇虎科技有限公司 Malware tracking method based on cloud security
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
US20160021142A1 (en) * 2014-07-17 2016-01-21 Check Point Advanced Threat Prevention Ltd Automatic content inspection system for exploit detection
US20160294851A1 (en) * 2015-03-31 2016-10-06 Juniper Networks, Inc. Detecting a malicious file infection via sandboxing
CN106055975A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox
CN106301974A (en) * 2015-05-14 2017-01-04 阿里巴巴集团控股有限公司 Website backdoor detection method and device
CN107196960A (en) * 2017-06-27 2017-09-22 四维创智(北京)科技发展有限公司 Web Trojan (网马) detection system and detection method based on sandbox technology
CN107729748A (en) * 2017-09-20 2018-02-23 杭州安恒信息技术有限公司 Method for describing a file's execution trajectory graph in a sandbox
CN110362994A (en) * 2018-03-26 2019-10-22 华为技术有限公司 Malicious file detection method, device and system
CN112182561A (en) * 2020-09-24 2021-01-05 百度在线网络技术(北京)有限公司 Backdoor detection method and device, electronic device and medium
CN112580049A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Sandbox-based malware monitoring method, device, storage medium and apparatus
CN112580044A (en) * 2019-09-30 2021-03-30 卡巴斯基实验室股份制公司 System and method for detecting malicious files
US20210250364A1 (en) * 2020-02-10 2021-08-12 IronNet Cybersecurity, Inc. Systems and methods of malware detection
CN114003903A (en) * 2021-12-28 2022-02-01 北京微步在线科技有限公司 Network attack tracing method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MONNAPPA K A: "Automating Linux Malware Analysis Using Limon Sandbox", Black Hat *
史洪; 李波; 王开建; 何乔: "火焰病毒探析" (An analysis of the Flame virus), 保密科学技术 (Secrecy Science and Technology), no. 11 *

Also Published As

Publication number Publication date
CN113904796B (en) 2023-11-17

Similar Documents

Publication Publication Date Title
CA2968201C (en) Systems and methods for malicious code detection
CN106650436B (en) Security detection method and device based on a local area network
CN105408911A (en) Hardware and software execution profiling
CN110365709B (en) Device for sensing unknown network attack behavior based on upstream probe
CN109787964B (en) Process behavior tracing device and method
CN107566401B (en) Protection method and device for virtualized environment
CN113761519A (en) Detection method and device for Web application program and storage medium
CN113783886A (en) Intelligent operation and maintenance method and system for power grid based on intelligence and data
CN114826880A (en) Method and system for online monitoring of data safe operation
CN114050937B (en) Mailbox service unavailability processing method and device, electronic equipment and storage medium
CN112787985B (en) Vulnerability processing method, management equipment and gateway equipment
CN110049015B (en) Network security situation awareness system
TWI515599B (en) Computer program products and methods for monitoring and defending security
CN108040036A (en) Industrial cloud Webshell security protection method
CN113904796A (en) Equipment backdoor detection method of flow for network security detection
CN107516039B (en) Safety protection method and device for virtualization system
Gashi et al. A study of the relationship between antivirus regressions and label changes
CN106899977B (en) Abnormal traffic detection method and device
CN114490261A (en) Terminal security event linkage processing method, device and equipment
CN109800581B (en) Software behavior safety protection method and device, storage medium and computer equipment
Katsini et al. Digital forensic readiness in Internet of Vehicles: The denial-of-service on CAN bus case study
CN112329021A (en) Method and device for checking application bugs, electronic device and storage medium
CN113127856A (en) Network security operation and maintenance management method and device, computing equipment and storage medium
CN114938284B (en) Method, device, electronic equipment and medium for processing data disclosure event
CN113518055A (en) Data security protection processing method and device, storage medium and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant