CN113904796B - Equipment back door detection method for network flow safety detection - Google Patents
- Publication number: CN113904796B (application CN202110995717.4A)
- Authority: CN (China)
- Prior art keywords: suspicious, file, past, registry, program
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
  - H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/55—Detecting local intrusion or implementing counter-measures
  - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/562—Static detection
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
  - G06F2221/033—Test or assess software
Abstract
The invention belongs to the technical field of network security and discloses a device backdoor detection method for network traffic security detection. The method uses a sandbox virtual system program, an unpacking (unshelling) program, a tracking program and a judging program together with two kinds of evidence: the abnormal release (dropped) file samples recorded in the registry, and the file packet samples received when traffic abnormally increased. The abnormal release file samples found by tracing back through the registry are compared for consistency with the file packet samples received during past abnormal traffic increases. By directly obtaining the file sample that carries the backdoor in the device software and the abnormal release associated with that backdoor, and by comparing the device's abnormal behaviour during past traffic increases against the registry while also monitoring the current state in real time, the method is more efficient than checking only current abnormal IP communication or inspecting the registry alone, and the comparison improves accuracy.
Description
Technical Field
The invention belongs to the technical field of network security and particularly relates to a device backdoor detection method for network traffic security detection.
Background
A device backdoor is a program that bypasses the system's security monitoring and directly obtains access and control rights to related programs and the system. Backdoors are generally left by developers while the system program is being developed, because they make it convenient to modify the program during development; but if they are not removed before the device software is released, they become so-called vulnerabilities, and immeasurable losses can result if they are exploited by unauthorised persons.
Developers generally remove a product's backdoor after the product is released, but attackers can still use other vulnerabilities in the software to implant other backdoors, so device software needs to be checked for backdoors during unscheduled maintenance. Existing checks generally monitor the data of the device program and software after they run and check whether the device program communicates with other IP addresses; however, a backdoor program must be activated before it communicates and downloads, so this step cannot reliably find the device backdoor, and relying only on the device program's registry makes it hard to judge whether a registered item really is the backdoor program. A new approach is therefore needed for this difficult check.
Disclosure of Invention
The invention aims to provide a device backdoor detection method for network traffic safety detection that solves the problems described in the background.
In order to achieve the above object, the present invention provides the following technical solution: the device backdoor detection method for network traffic safety detection comprises a sandbox virtual system program, an unpacking (unshelling) program, a tracking program, a judging program, abnormal release file samples recorded by the registry, and file packet samples received when traffic abnormally increases. The consistency between the abnormal release file samples recorded by the registry and found by tracing back the registry and the file packet samples received during past abnormal traffic increases is compared, and whether a backdoor exists is judged according to that consistency;
The specific steps for checking the abnormal release file samples recorded by the registry are as follows:
The first step: set up a sandbox virtual system and drag the suspicious device program and software into the sandbox to prepare for operation. First run fileinfo.exe in the sandbox to check whether the suspicious device program and software are packed (shelled), determine the packer type from the detection result, and call the corresponding unpacking program to prepare for unpacking. Software packing is a method of protecting program resources; packers fall into several types, including encryption packers, disguise packers, compression packers and multi-layer packers, whose purpose is to hide the program's OEP (original entry point) so that it cannot be located and cracked; unpacking removes the program's disguise and protective shell so that the program's resources can be modified;
The second step: if the suspicious device program and software are packed, unpack them with a method such as the ESP law (ESP theorem) unpacking method, exposing the OEP of the suspicious program and providing the conditions for the following tracking program; if the fileinfo.exe check shows that they are not packed, jump directly to the third step;
The third step: run the suspicious program and software directly and load the tracking program and judging program. The tracking program tracks the data transmission of the suspicious program and software under test, checks whether they communicate with external unknown IP addresses and whether new registry entries are added, displays and records all IP addresses currently in communication, displays the number of bytes sent and received per unit time in real time, and records sudden traffic changes within a time period; the judging program determines whether the new registry entries are suspicious and records and lists the suspicious entries;
The fourth step: trace back the past entries of the registry, list them and pass them to the judging program for inspection. The judging program lists and records the suspicious entries, searches the entries for records of past abnormally added files, determines the location of the suspicious files by checking the operation logs, compares the past suspicious files with the newly added files released by the current suspicious device program and software, and judges whether their types are similar or identical. If they are, the time at which the current device program and software began executing that operation in the past can be determined; if no new files have currently been added, only the location and time at which the past suspicious files were added are recorded.
The fifth step: check whether the current device program and software automatically download suspicious file packages; if so, judge directly that a backdoor exists; if not, check the past suspicious files against the file packet samples received when past traffic abnormally increased.
The specific steps for examining the file packet samples received when past traffic abnormally increased are as follows:
The first step: monitor whether traffic abnormally increases within a period of time after the suspicious device program and software run; if so, record the size of the received data file packet and determine the file packet type;
The second step: trace back and check past abnormal traffic increases, record the time point, check the IP address of the trigger source in the recorded TCP communication at the time of the abnormal increase, and record the size of the received file packet;
The third step: check whether, at the time point of the past abnormal traffic increase, file sharing took place between the suspicious device program and software and other IP addresses that were not the trigger source.
Comparing the consistency between the abnormal release file samples of the registry record found by tracing back the past registry and the file packet samples received during past abnormal traffic increases comprises:
1) comparing whether the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the release file sample found through the past suspicious registry entry is consistent in size and file type with the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other non-trigger sources are consistent with those of the received file packet;
if any of the three items matches, a backdoor exists and is associated with the relevant file released by the suspicious program.
Preferably, the checking of the abnormal release file samples recorded by the registry and the checking of the file packet samples received when past traffic abnormally increased are both performed in the sandbox virtual system, and the two checks can run synchronously and be compared in real time, which improves efficiency.
Preferably, the ESP law (ESP theorem) unpacking method can also be replaced by an OD (OllyDbg) loading method.
Preferably, when the size matching error between the abnormal release file sample recorded by the registry and the file packet sample received during the traced-back past abnormal traffic increase is no more than 1MB, the two can be regarded as consistent. The size of the received file packet sample is generally obtained when past traffic abnormally increases and is the statistical total size of the received file packets; because the file packets are scattered, the data packets released at the counted time point carry a missing deviation, which can be ignored during comparison but must be removed when the backdoor is finally checked.
Preferably, the abnormal release file samples recorded in the registry are obtained by superposing the release files at different addresses at the same time point. If only a release file at a single address at that time point is used, and the release files at different time points are not superposed, the abnormal release file samples cannot be compared with the file packet samples received when traffic abnormally increased at the same time, unless three abnormal files are released from that time point.
The beneficial effects of the invention are as follows:
According to the invention, by checking the abnormal release file samples recorded in the registry and the file packet samples received during past abnormal traffic increases, the time points, file packet types and sizes of the abnormally released file samples are listed and compared with the file packet samples received during past abnormal traffic increases: whether the time points are identical is observed, and whether the file sizes are identical or very close is judged. If they are, the file sample that carries the backdoor in the device software and the abnormal release associated with that backdoor can be obtained directly. Because the device's abnormal behaviour during past traffic increases is compared jointly with the registry while the current state is monitored in real time, the method is more efficient than checking only current abnormal IP communication or inspecting the registry alone, and the comparison improves accuracy.
Drawings
FIG. 1 is a flowchart of the check of abnormal release file samples recorded in the registry according to the present invention;
FIG. 2 is a flowchart of the check of file packet samples received when past traffic abnormally increased;
FIG. 3 is a schematic diagram showing the comparison conditions according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1 to fig. 3, in the embodiment of the present invention, a device backdoor detection method for network traffic safety detection comprises a sandbox virtual system program, an unpacking (unshelling) program, a tracking program, a judging program, abnormal release file samples recorded in the registry, and file packet samples received when traffic abnormally increases. The consistency between the abnormal release file samples recorded in the registry and found by tracing back the past registry and the file packet samples received during past abnormal traffic increases is compared, and whether a backdoor exists is judged according to that consistency;
The specific steps for checking the abnormal release file samples recorded by the registry are as follows:
The first step: set up a sandbox virtual system and drag the suspicious device program and software into the sandbox to prepare for operation. First run fileinfo.exe in the sandbox to check whether the suspicious device program and software are packed (shelled), determine the packer type from the detection result, and call the corresponding unpacking program to prepare for unpacking. Software packing is a method of protecting program resources; packers fall into several types, including encryption packers, disguise packers, compression packers and multi-layer packers, whose purpose is to hide the program's OEP (original entry point) so that it cannot be located and cracked; unpacking removes the program's disguise and protective shell so that the program's resources can be modified;
The second step: if the suspicious device program and software are packed, unpack them with a method such as the ESP law (ESP theorem) unpacking method, exposing the OEP of the suspicious program and providing the conditions for the following tracking program; if the fileinfo.exe check shows that they are not packed, jump directly to the third step;
The third step: run the suspicious program and software directly and load the tracking program and judging program. The tracking program tracks the data transmission of the suspicious program and software under test, checks whether they communicate with external unknown IP addresses and whether new registry entries are added, displays and records all IP addresses currently in communication, displays the number of bytes sent and received per unit time in real time, and records sudden traffic changes within a time period; the judging program determines whether the new registry entries are suspicious and records and lists the suspicious entries;
The fourth step: trace back the past entries of the registry, list them and pass them to the judging program for inspection. The judging program lists and records the suspicious entries, searches the entries for records of past abnormally added files, determines the location of the suspicious files by checking the operation logs, compares the past suspicious files with the newly added files released by the current suspicious device program and software, and judges whether their types are similar or identical. If they are, the time at which the current device program and software began executing that operation in the past can be determined; if no new files have currently been added, only the location and time at which the past suspicious files were added are recorded.
The fifth step: check whether the current device program and software automatically download suspicious file packages; if so, judge directly that a backdoor exists; if not, check the past suspicious files against the file packet samples received when past traffic abnormally increased.
The specific steps for examining the file packet samples received when past traffic abnormally increased are as follows:
The first step: monitor whether traffic abnormally increases within a period of time after the suspicious device program and software run; if so, record the size of the received data file packet and determine the file packet type;
The second step: trace back and check past abnormal traffic increases, record the time point, check the IP address of the trigger source in the recorded TCP communication at the time of the abnormal increase, and record the size of the received file packet;
The third step: check whether, at the time point of the past abnormal traffic increase, file sharing took place between the suspicious device program and software and other IP addresses that were not the trigger source.
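The three traffic-examination steps above, worked as an added Python example (not code from the patent): it buckets a constructed flow trace into monitoring intervals, flags intervals whose received byte count exceeds a threshold, and for each such time point records the trigger-source IP, the received size, and any onward sharing with non-trigger peers. The 10-second interval width, the 1MB threshold and the flow tuple layout are assumptions; the patent fixes none of them.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]   # (seconds since monitoring start, src IP, dst IP, bytes)

WINDOW = 10                        # seconds per monitoring interval (assumed; the patent fixes none)
ABNORMAL_BYTES = 1024 * 1024       # inbound bytes per interval treated as an abnormal increase (assumed)


def inbound_per_interval(flows: List[Flow], device_ip: str, window: int = WINDOW) -> Dict[int, int]:
    """Step 1: bytes received by the device under test in each interval (bytes per unit time)."""
    buckets: Dict[int, int] = defaultdict(int)
    for t, src, dst, nbytes in flows:
        if dst == device_ip:
            buckets[t // window] += nbytes
    return dict(buckets)


def find_abnormal_intervals(flows: List[Flow], device_ip: str, window: int = WINDOW,
                            threshold: int = ABNORMAL_BYTES) -> List[int]:
    """Step 1: intervals whose received byte count exceeds the threshold (the recorded traffic mutation)."""
    return sorted(i for i, n in inbound_per_interval(flows, device_ip, window).items() if n > threshold)


def examine_interval(flows: List[Flow], device_ip: str, interval: int, window: int = WINDOW) -> dict:
    """Steps 2 and 3: trigger-source IP, size of the received file packet, and file sharing
    with other (non-trigger) IPs at the same time point."""
    inbound: Dict[str, int] = defaultdict(int)
    outbound: Dict[str, int] = defaultdict(int)
    for t, src, dst, nbytes in flows:
        if t // window != interval:
            continue
        if dst == device_ip:
            inbound[src] += nbytes
        elif src == device_ip:
            outbound[dst] += nbytes
    trigger = max(inbound, key=inbound.get)   # peer that pushed the most data during the burst
    return {
        "time_point": interval * window,
        "trigger_ip": trigger,
        "received_bytes": inbound[trigger],
        "shared_with": {ip: n for ip, n in outbound.items() if ip != trigger},
    }


def examine_past_traffic(flows: List[Flow], device_ip: str) -> List[dict]:
    """Run steps 1 to 3 over a recorded trace; one record per abnormal traffic increase."""
    return [examine_interval(flows, device_ip, i) for i in find_abnormal_intervals(flows, device_ip)]


# Constructed trace (not from the patent): a burst from 203.0.113.7 into the device, followed
# within the same interval by a transfer of similar size out to 198.51.100.5.
DEVICE_IP = "192.0.2.10"
SAMPLE_FLOWS: List[Flow] = [
    (1, "192.0.2.1", DEVICE_IP, 400),
    (2, DEVICE_IP, "203.0.113.7", 1_200),
    (5, "203.0.113.7", DEVICE_IP, 3_000_000),
    (6, "203.0.113.7", DEVICE_IP, 2_100_000),
    (6, DEVICE_IP, "198.51.100.5", 2_050_000),
    (30, "192.0.2.1", DEVICE_IP, 500),
    (31, DEVICE_IP, "192.0.2.1", 300),
]
```

The records this produces (time point, trigger IP, received size, non-trigger peers and sizes) are exactly the inputs the later consistency comparison needs.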
Comparing the consistency between the abnormal release file samples of the registry record found by tracing back the past registry and the file packet samples received during past abnormal traffic increases comprises:
1) comparing whether the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the release file sample found through the past suspicious registry entry is consistent in size and file type with the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other non-trigger sources are consistent with those of the received file packet;
if any of the three items matches, a backdoor exists and is associated with the relevant file released by the suspicious program.
The checking of the abnormal release file samples recorded by the registry and the checking of the file packet samples received when past traffic abnormally increased are both performed in the sandbox virtual system, and the two checks can run synchronously and be compared in real time, which improves efficiency.
The ESP law (ESP theorem) unpacking method can also be replaced by an OD (OllyDbg) loading method.
When the size matching error between the abnormal release file sample recorded by the registry and the file packet sample received during the traced-back past abnormal traffic increase is no more than 1MB, the two can be regarded as consistent. The size of the received file packet sample is generally obtained when past traffic abnormally increases and is the statistical total size of the received file packets; because the file packets are scattered, the data packets released at the counted time point carry a missing deviation, which can be ignored during comparison but must be removed when the backdoor is finally checked.
The abnormal release file samples recorded in the registry are obtained by superposing the release files at different addresses at the same time point. If only a release file at a single address at that time point is used, and the release files at different time points are not superposed with it, the abnormal release file samples cannot be compared with the file packet samples received when traffic abnormally increased at the same time, unless three abnormal files are released from that time point.
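The consistency comparison described above, together with the 1MB size tolerance and the superposition of release files at the same time point, worked as an added Python example (not code from the patent). The 60-second width of a "time point", the record layouts and the sample data are assumptions; the "any item matches" verdict and the fifth-step auto-download rule follow the description.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

ONE_MB = 1024 * 1024                 # size tolerance stated in the patent (claim 4)
TIME_WINDOW = timedelta(seconds=60)  # assumed width of one "time point"

@dataclass
class ReleaseFile:                   # one abnormally released file from the registry trace-back
    time: datetime
    address: str                     # where the released file was written
    size: int                        # bytes
    ftype: str

@dataclass
class ReleaseSample:                 # release files at different addresses superposed at one time point (claim 5)
    time: datetime
    addresses: List[str]
    size: int
    ftypes: Set[str]

@dataclass
class SharedPacket:                  # file packet shared with a non-trigger-source IP at the same time point
    peer_ip: str
    size: int
    ftype: str

@dataclass
class ReceivedPacket:                # file packet received during a past abnormal traffic increase
    time: datetime
    trigger_ip: str
    size: int
    ftype: str
    shared: List[SharedPacket] = field(default_factory=list)

def superpose_releases(releases: List[ReleaseFile], window: timedelta = TIME_WINDOW) -> List[ReleaseSample]:
    """Sum sizes of release files at different addresses inside one time point; other time points stay separate."""
    samples: List[ReleaseSample] = []
    for r in sorted(releases, key=lambda x: x.time):
        cur = samples[-1] if samples else None
        if cur and r.time - cur.time <= window and r.address not in cur.addresses:
            cur.addresses.append(r.address)
            cur.size += r.size
            cur.ftypes.add(r.ftype)
        else:
            samples.append(ReleaseSample(r.time, [r.address], r.size, {r.ftype}))
    return samples

def sizes_consistent(a: int, b: int) -> bool:
    """Claim 4: sizes count as consistent when they differ by no more than 1MB."""
    return abs(a - b) <= ONE_MB

def compare(sample: ReleaseSample, packet: ReceivedPacket, window: timedelta = TIME_WINDOW) -> Dict[str, bool]:
    """The three comparison items of the description, for one sample/packet pair."""
    return {
        # 1) suspicious registry entry time point matches the past traffic increase
        "time": abs(sample.time - packet.time) <= window,
        # 2) release file size and type are consistent with the received packet
        "size_type": packet.ftype in sample.ftypes and sizes_consistent(sample.size, packet.size),
        # 3) packet shared with a non-trigger source is consistent with the received packet
        "shared": any(sp.ftype == packet.ftype and sizes_consistent(sp.size, packet.size)
                      for sp in packet.shared),
    }

def detect_backdoor(releases: List[ReleaseFile], packets: List[ReceivedPacket],
                    auto_downloads_suspicious: bool = False) -> Tuple[bool, List[Tuple[str, List[str]]]]:
    """Fifth step plus the comparison: any matching item means a backdoor is judged to exist.
    Returns the verdict and, per trigger-source IP, the sorted list of items that matched."""
    if auto_downloads_suspicious:    # fifth step: an automatic suspicious download decides directly
        return True, [("auto-download", ["auto_download"])]
    samples = superpose_releases(releases)
    evidence: List[Tuple[str, List[str]]] = []
    for p in packets:
        hits: Set[str] = set()
        for s in samples:
            hits.update(k for k, v in compare(s, p).items() if v)
        if hits:
            evidence.append((p.trigger_ip, sorted(hits)))
    return bool(evidence), evidence

# Constructed sample data (not from the patent): two DLLs released 20 s apart at T0 and one
# EXE a day later; three past traffic increases, with IPs from the documentation ranges.
T0 = datetime(2021, 8, 27, 10, 0, 0)
SAMPLE_RELEASES = [
    ReleaseFile(T0, r"C:\ProgramData\svc\a.dll", 3 * ONE_MB + 200_000, "dll"),
    ReleaseFile(T0 + timedelta(seconds=20), r"C:\Windows\Temp\b.dll", ONE_MB + 500_000, "dll"),
    ReleaseFile(T0 + timedelta(days=1), r"C:\Users\Public\c.exe", 700_000, "exe"),
]
SAMPLE_PACKETS = [
    # item 1 (time) and item 2: superposed 4,894,304 bytes vs 5,094,304 received, under 1MB apart
    ReceivedPacket(T0 + timedelta(seconds=10), "203.0.113.7", 4 * ONE_MB + 900_000, "dll"),
    # matches nothing: different day, type and size
    ReceivedPacket(datetime(2021, 9, 3, 8, 30), "203.0.113.9", 25 * ONE_MB, "zip"),
    # item 3 only: a consistent EXE was shared onward to a non-trigger peer
    ReceivedPacket(datetime(2021, 9, 10, 2, 15), "203.0.113.11", 2 * ONE_MB, "exe",
                   shared=[SharedPacket("198.51.100.5", 2 * ONE_MB + 100_000, "exe")]),
]
```

Note that item 3 compares the shared packet only with the received packet, not with the registry sample, so under the "any item" rule it fires regardless of what the registry trace-back found; a practitioner tuning false positives would look at which items matched, which is why the evidence lists them per trigger IP.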
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (5)
1. A device backdoor detection method for network traffic safety detection, comprising a sandbox virtual system program, an unpacking (unshelling) program, a tracking program, a judging program, abnormal release file samples recorded by the registry, and file packet samples received when traffic abnormally increases, characterized in that: the consistency between the abnormal release file samples recorded by the registry and found by tracing back the registry and the file packet samples received during past abnormal traffic increases is compared, and whether a backdoor exists is judged according to that consistency;
the specific steps for checking the abnormal release file samples recorded by the registry are as follows:
the first step: set up a sandbox virtual system, drag the suspicious device program and software into the sandbox to prepare for operation, first run fileinfo.exe in the sandbox to check whether the suspicious device program and software are packed (shelled), determine the packer type from the detection result, and call the corresponding unpacking program to prepare for unpacking;
the second step: if the suspicious device program and software are packed, unpack them with the ESP law (ESP theorem) unpacking method, exposing the OEP of the suspicious program and providing the conditions for the following tracking program; if the fileinfo.exe check shows that they are not packed, jump directly to the third step;
the third step: run the suspicious program and software directly and load the tracking program and judging program; the tracking program tracks the data transmission of the suspicious program and software under test, checks whether they communicate with external unknown IP addresses and whether new registry entries are added, displays and records all IP addresses currently in communication, displays the number of bytes sent and received per unit time in real time, and records sudden traffic changes within a time period; the judging program determines whether the new registry entries are suspicious and records and lists the suspicious entries;
the fourth step: trace back the past entries of the registry, list them and inspect them in the judging program; the judging program lists and records the suspicious entries, searches the entries for records of past abnormally added files, determines the location of the suspicious files by checking the operation logs, compares the past suspicious files with the newly added files released by the current suspicious device program and software, and judges whether their types are similar or identical; if they are, the time at which the current device program and software began executing that operation in the past is determined; if no suspicious files have currently been added, only the location and time at which the past suspicious files were added are recorded;
the fifth step: check whether the current device program and software automatically download suspicious file packages; if so, judge directly that a backdoor exists among the past suspicious files; if not, check the file packet samples received when past traffic abnormally increased;
the specific steps for examining the file packet samples received when past traffic abnormally increased are as follows:
the first step: monitor whether traffic abnormally increases within a period of time after the suspicious device program and software run; if so, record the size of the received data file packet and determine the file packet type;
the second step: trace back and check past abnormal traffic increases, record the time point, check the IP address of the trigger source in the recorded TCP communication at the time of the abnormal increase, and record the size of the received file packet;
the third step: check whether, at the time point of the past abnormal traffic increase, file sharing took place between the suspicious device program and software and other IP addresses that were not the trigger source;
comparing the consistency between the abnormal release file samples of the registry record found by tracing back the past registry and the file packet samples received during past abnormal traffic increases comprises:
1) comparing whether the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the release file sample found through the past suspicious registry entry is consistent in size and file type with the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other non-trigger sources are consistent with those of the received file packet;
if any of the three items matches, a backdoor exists and is associated with the relevant file released by the suspicious program.
2. The device backdoor detection method for network traffic safety detection according to claim 1, wherein the inspection of the abnormal release file samples recorded in the registry and the inspection of the file packet samples received when past traffic increased abnormally are carried out in a sandbox virtual system; the two inspections run synchronously and are compared in real time.
3. The device backdoor detection method for network traffic safety detection according to claim 1, wherein the ESP-rule unpacking (shelling) method is replaced by the OD loading method.
4. The device backdoor detection method for network traffic safety detection according to claim 1, wherein when the size discrepancy between the abnormal release file sample recorded in the registry and the file packet sample received when past traffic increased abnormally is not more than 1MB, the file packet samples are regarded as consistent.
5. The device backdoor detection method for network traffic safety detection according to claim 1, wherein the abnormal release file samples recorded in the registry are obtained by superimposing release files at different addresses at the same time.
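As an added example that is not part of the patent, the three comparison items of claim 1 together with the 1MB size tolerance of claim 4, written in Python over constructed records; the five-minute time window, the record layouts and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024
SIZE_TOLERANCE = 1 * MB                 # claim 4: size error of at most 1MB counts as consistent
TIME_WINDOW = timedelta(minutes=5)      # assumed: how close a record must be to a traffic spike


@dataclass
class TrafficSpike:          # step 2: a backtracked abnormal traffic increase
    time: datetime
    trigger_ip: str
    packet_size: int
    file_type: str


@dataclass
class RegistryDrop:          # a file released by the suspicious program, as recorded in the registry
    time: datetime
    size: int
    file_type: str


@dataclass
class ShareEvent:            # step 3: a file share with some peer around the spike time point
    time: datetime
    peer_ip: str
    size: int
    file_type: str


def sizes_match(a: int, b: int) -> bool:
    return abs(a - b) <= SIZE_TOLERANCE


def backdoor_indicators(spike, drops, shares) -> set:
    """Return the claim-1 comparison items (1, 2, 3) that match for one traffic spike."""
    matched = set()
    for d in drops:
        if abs(d.time - spike.time) <= TIME_WINDOW:
            matched.add(1)      # item 1: registry record aligns with the spike time point
            if sizes_match(d.size, spike.packet_size) and d.file_type == spike.file_type:
                matched.add(2)  # item 2: released file agrees with the received packet
    for s in shares:
        if s.peer_ip != spike.trigger_ip and abs(s.time - spike.time) <= TIME_WINDOW:
            if sizes_match(s.size, spike.packet_size) and s.file_type == spike.file_type:
                matched.add(3)  # item 3: onward share to a non-trigger IP agrees with the packet
    return matched


def has_backdoor(spike, drops, shares) -> bool:
    return bool(backdoor_indicators(spike, drops, shares))   # any one item is enough (claim 1)


# Constructed sample records (not taken from the patent)
T0 = datetime(2021, 8, 27, 10, 0, 0)
SAMPLE_SPIKE = TrafficSpike(T0, "203.0.113.5", 3_200_000, "exe")
SAMPLE_DROPS = [RegistryDrop(T0 + timedelta(minutes=2), 2_900_000, "exe"),
                RegistryDrop(T0 - timedelta(hours=3), 50_000, "dll")]
SAMPLE_SHARES = [ShareEvent(T0 + timedelta(minutes=1), "198.51.100.7", 3_100_000, "exe"),
                 ShareEvent(T0 + timedelta(minutes=1), "203.0.113.5", 3_100_000, "exe")]
```

The second share event goes back to the trigger source itself and is therefore ignored; only the share to 198.51.100.7 can satisfy item 3.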
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110995717.4A CN113904796B (en) | 2021-08-27 | 2021-08-27 | Equipment back door detection method for network flow safety detection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113904796A CN113904796A (en) | 2022-01-07 |
CN113904796B true CN113904796B (en) | 2023-11-17 |
Family
ID=79188267
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110995717.4A Active CN113904796B (en) | 2021-08-27 | 2021-08-27 | Equipment back door detection method for network flow safety detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113904796B (en) |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011063729A1 (en) * | 2009-11-26 | 2011-06-03 | 成都市华为赛门铁克科技有限公司 | Method, equipment and system for early warning about unknown malicious codes |
CN103473501A (en) * | 2013-08-22 | 2013-12-25 | 北京奇虎科技有限公司 | Malware tracking method based on cloud safety |
US8990944B1 (en) * | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9178900B1 (en) * | 2013-11-20 | 2015-11-03 | Trend Micro Inc. | Detection of advanced persistent threat having evasion technology |
CN106055975A (en) * | 2016-05-16 | 2016-10-26 | 杭州华三通信技术有限公司 | Document detection method and sandbox |
CN106301974A (en) * | 2015-05-14 | 2017-01-04 | 阿里巴巴集团控股有限公司 | A kind of website back door detection method and device |
CN107196960A (en) * | 2017-06-27 | 2017-09-22 | 四维创智(北京)科技发展有限公司 | A kind of net horse detecting system and its detection method based on sandbox technology |
CN107729748A (en) * | 2017-09-20 | 2018-02-23 | 杭州安恒信息技术有限公司 | A kind of method for describing file running orbit figure in sandbox |
CN110362994A (en) * | 2018-03-26 | 2019-10-22 | 华为技术有限公司 | Detection method, equipment and the system of malicious file |
CN112182561A (en) * | 2020-09-24 | 2021-01-05 | 百度在线网络技术(北京)有限公司 | Method and device for detecting rear door, electronic equipment and medium |
CN112580044A (en) * | 2019-09-30 | 2021-03-30 | 卡巴斯基实验室股份制公司 | System and method for detecting malicious files |
CN112580049A (en) * | 2020-12-23 | 2021-03-30 | 苏州三六零智能安全科技有限公司 | Sandbox-based malicious software monitoring method, sandbox-based malicious software monitoring equipment, storage medium and sandbox-based malicious software monitoring device |
CN114003903A (en) * | 2021-12-28 | 2022-02-01 | 北京微步在线科技有限公司 | Network attack tracing method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9356945B2 (en) * | 2014-07-17 | 2016-05-31 | Check Point Advanced Threat Prevention Ltd | Automatic content inspection system for exploit detection |
US9680845B2 (en) * | 2015-03-31 | 2017-06-13 | Juniper Neworks, Inc. | Detecting a malicious file infection via sandboxing |
US11716337B2 (en) * | 2020-02-10 | 2023-08-01 | IronNet Cybersecurity, Inc. | Systems and methods of malware detection |
Timeline: 2021-08-27, CN application CN202110995717.4A filed; patent CN113904796B, status Active.
Non-Patent Citations (2)
Title |
---|
Automating Linux Malware Analysis Using Limon Sandbox; Monnappa K A; Black Hat; full text * |
An Analysis of the Flame Virus; Shi Hong; Li Bo; Wang Kaijian; He Qiao; Secrecy Science and Technology (No. 11); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN113904796A (en) | 2022-01-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |