CN113904796B - Equipment back door detection method for network flow safety detection - Google Patents


Info

Publication number: CN113904796B
Application number: CN202110995717.4A
Authority: CN (China)
Other versions: CN113904796A (en)
Other languages: Chinese (zh)
Legal status: Active (granted)
Inventors: 贺铮, 严定宇, 吕利锋, 严寒冰, 饶毓, 吕志泉, 秦佳伟
Assignee (original and current): National Computer Network and Information Security Management Center
Priority date / filing date: 2021-08-27
Publication dates: CN113904796A 2022-01-07; CN113904796B (grant) 2023-11-17

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G06F21/562 Computer malware detection or handling, e.g. anti-virus arrangements: static detection
    • G06F2221/033 Indexing scheme relating to G06F21/50 (monitoring users, programs or devices to maintain the integrity of platforms): test or assess software


Abstract

The invention belongs to the technical field of network security and discloses a device backdoor detection method for network traffic security detection. The method uses a sandbox virtual system program, an unpacking program, a tracking program and a judging program, and works on two kinds of sample: files abnormally dropped (released) by the program under test, as recorded in the registry, and file packets received when network traffic increases abnormally. The dropped-file samples found by retrospectively inspecting the registry are compared for consistency with the file-packet samples received during past abnormal traffic increases, and the presence of a backdoor is judged from that consistency. Because the method directly obtains the dropped file sample in the device software that carries the backdoor, together with the backdoor associated with the abnormal release, and because the device's abnormal behaviour at the time of a past traffic increase is compared against the registry while current traffic is monitored in real time, it is more efficient than checking only current abnormal IP communication or inspecting the registry alone, and the comparison improves accuracy.

Description

Equipment back door detection method for network flow safety detection
Technical Field
The invention belongs to the technical field of network security and in particular relates to a device backdoor detection method for network traffic security detection.
Background
A device backdoor is a program that bypasses the system's security monitoring and obtains direct access to, and control over, related programs and the system. Backdoors are generally left behind by developers while a system program is being developed, for convenience in modifying the program during development; if they are not removed before the device software is released they become vulnerabilities, and if exploited by unauthorised persons they can cause immeasurable loss.
Developers generally remove their own backdoors by the time a product is released, but attackers can still exploit other vulnerabilities in the software to implant backdoors of their own, so device software must be checked for backdoors during unscheduled maintenance. Existing checks generally monitor the data of the device program and software after they run and look for communication with other IP addresses. A backdoor program, however, only communicates and downloads after it has been activated, so this step does not necessarily find the device backdoor, and it is hard to tell from the device program's registry alone whether a registered entry really is a backdoor program. A new approach to the check is therefore needed.
Disclosure of Invention
The invention aims to provide a device backdoor detection method for network traffic security detection that solves the problems described in the background above.
To that end the invention provides the following technical solution. The device backdoor detection method for network traffic security detection uses a sandbox virtual system program, an unpacking program, a tracking program and a judging program, and works on two kinds of sample: files abnormally dropped (released) by the program, as recorded in the registry, and file packets received when traffic increases abnormally. The dropped-file samples found by retrospectively inspecting the registry are compared for consistency with the file-packet samples received during past abnormal traffic increases, and whether a backdoor exists is judged from that consistency;
the registry-side check of abnormally dropped file samples proceeds as follows:
first step: set up a sandbox virtual system and bring the suspicious device program or software into the sandbox ready to run. First run fileinfo.exe in the sandbox to check whether the suspicious program is packed; from the result, determine the type of packer applied and call the corresponding unpacking program. Packing is a way of protecting program resources; packers come in several kinds, including encrypting, disguising, compressing and multi-layer packers, and their purpose is to hide the program's original entry point (OEP) so that it cannot easily be located or cracked. Unpacking strips the disguise and the protective shell from the program so that its resources can be examined and modified;
second step: if the suspicious program is packed, unpack it with a method such as the ESP trick (a hardware breakpoint on the stack pointer after the packer's PUSHAD, so that execution stops when the registers are restored, just before the jump to the OEP), exposing the OEP of the suspicious program and providing the conditions for the tracking program that follows. If fileinfo.exe reports that the program is not packed, go directly to the third step;
third step: run the suspicious program directly and load the tracking program and the judging program. The tracking program traces the data transmission of the program under test: it checks whether the program communicates with unknown external IP addresses and whether new registry entries are added, displays and records every IP address currently communicated with, displays in real time the number of bytes sent and received per unit time, and records sudden changes in traffic within the period. The judging program decides whether each new registry entry is suspicious, and records and lists the suspicious entries;
fourth step: trace back the past entries of the registry, list them and pass them to the judging program, which lists and records the suspicious ones. Search the entries for records of files that were abnormally added in the past, determine the location of the suspicious files from the operation logs, and compare those past suspicious files with the files newly dropped by the suspicious program on the current device, judging whether their types are similar or identical. If they are, the time at which the current program first carried out this operation in the past can be determined; if no file has been newly added at present, only the location and time at which the past suspicious files were added are recorded.
Fifth step: check whether the current device program automatically downloads suspicious file packages. If so, a backdoor is judged to exist directly; if not, go on to check the file-packet samples received during past abnormal traffic increases against the past suspicious files.
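The pack check of the first and second steps, as an added example that is not part of the patent and not its fileinfo.exe program: a minimal PE section walker that applies the two heuristics a practitioner would start with, packer-specific section names and high Shannon entropy in an executable section (compressed or encrypted code). The name list, the 7.0 bits-per-byte threshold and the two constructed PE images are assumptions; the images are parseable, not loadable.

```python
"""Pack check stand-in for fileinfo.exe: packer section names plus section entropy."""
import math
import random
import struct

# Section names written by common packers (assumption: illustrative, not exhaustive).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b".themida", b".vmp0", b".vmp1", b".MPRESS1", b".MPRESS2",
}
ENTROPY_THRESHOLD = 7.0          # bits per byte; assumption for "looks compressed/encrypted"
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; return (name, raw bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size], characteristics))
    return sections


def pack_verdict(pe: bytes) -> dict:
    """Report whether the image looks packed and why; a hit on either heuristic is enough."""
    reasons = []
    for name, data, characteristics in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {label}")
        entropy = shannon_entropy(data)
        if characteristics & IMAGE_SCN_MEM_EXECUTE and entropy > ENTROPY_THRESHOLD:
            reasons.append(f"executable section {label} entropy {entropy:.2f}")
    return {"packed": bool(reasons), "reasons": reasons}


def build_pe(sections) -> bytes:
    """Constructed PE32 image for testing: valid DOS/COFF headers and section table, not loadable."""
    e_lfanew, size_of_optional = 0x40, 0xE0
    raw_ptr = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, body = b"", b""
    for name, data, characteristics in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, characteristics)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + optional + table + body


# Constructed samples: plain repetitive code (entropy 2.0) vs. a UPX-style layout whose
# executable UPX1 section holds high-entropy bytes.
_rng = random.Random(1)
PLAIN_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec\x90" * 512, 0x60000020)])
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0xE0000080),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),
])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, pack_verdict(sample))
```

Entropy alone also fires on legitimately compressed resources, so in a real sandbox the verdict should feed the unpacker selection rather than stand as a finding; the section-name hit is what tells you which unpacking routine to call in the second step.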
The check of file-packet samples received during past abnormal traffic increases proceeds as follows:
first step: monitor whether traffic increases abnormally during a period after the suspicious device program is run; if it does, record the size of the received file packet and determine its file type;
second step: trace back and check past abnormal traffic increases, record the time point of each, identify from the recorded TCP communication the IP address of the trigger source at the time of the increase, and record the size of the file packet received;
third step: check whether, at the time point of the past abnormal traffic increase, the suspicious device program engaged in file-sharing behaviour with other IP addresses that are not the trigger source.
Comparing the consistency between the abnormally dropped file samples found by retrospectively inspecting the registry and the file-packet samples received during past abnormal traffic increases comprises:
1) comparing whether the time of the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the size and file type of the dropped file sample found through the past suspicious registry entry are consistent with those of the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other, non-trigger-source addresses are consistent with those of the received file packet;
if any one of the three items matches, a backdoor exists and is associated with the file dropped by the suspicious program.
Preferably, both checks, of the abnormally dropped file samples recorded in the registry and of the file-packet samples received during past abnormal traffic increases, are carried out in the sandbox virtual system, and the two can run synchronously and be compared in real time, which improves efficiency.
Preferably, the ESP-trick unpacking method can also be replaced by loading the sample in the OllyDbg (OD) debugger and stepping to the OEP.
Preferably, a size discrepancy of no more than 1 MB between the abnormally dropped file sample recorded in the registry and the file-packet sample received during the past abnormal traffic increase is treated as consistent. The received sample size is normally taken at the time of the abnormal traffic increase as the total size of the file packets received; since these packets are scattered across the period, packets at the boundary of the counting time point may be missed. This deviation can be ignored during comparison, but must be eliminated when the backdoor is finally checked.
Preferably, the abnormally dropped file sample recorded in the registry is obtained by superimposing (summing) the files dropped at different paths at the same time point. If only a single file at one path is taken for that time point and the files dropped at the other paths are not superimposed on it, the sample cannot be compared with the file-packet sample received during the abnormal traffic increase at the same time, unless three abnormal files are released from that time point.
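The traffic-side check and the three-item comparison, as an added example that is not part of the patent: it detects the traffic spike from the per-interval byte counts the tracking program keeps (third step of the registry-side check), profiles each spike for the trigger-source IP, received size and file type, and any outbound copy to a non-trigger address (second and third traffic-side steps), superimposes the files dropped at the same time point as claim 5 requires, and applies the three comparison items with the 1 MB tolerance of claim 4. All records are constructed; the 60 s alignment window, the 5x spike ratio and the 100 kB floor are assumptions. The verdict rule is the patent's literal "any one item suffices"; in practice a time-only match (item 1) is weak evidence and should be weighted below a size-and-type match.

```python
"""Spike detection, spike profiling, dropped-file superposition and the three-item comparison."""
from dataclasses import dataclass
from statistics import median

ONE_MB = 1024 * 1024        # claim 4: size tolerance
ALIGN_WINDOW = 60           # seconds; assumption for "same time point"
SPIKE_RATIO = 5.0           # assumption: inbound volume vs. median of earlier intervals
MIN_SPIKE_BYTES = 100_000   # assumption: ignore small bursts


@dataclass
class Flow:
    t: int           # epoch seconds of the transfer
    remote_ip: str
    bytes_in: int    # received from remote_ip
    bytes_out: int   # sent to remote_ip
    ftype: str       # type of the transferred file packet, e.g. "PE"


@dataclass
class Drop:
    t: int           # time the registry / operation log records the file being added
    path: str
    size: int
    ftype: str


def find_spikes(counters, ratio=SPIKE_RATIO, warmup=5):
    """counters: (t, bytes received in the interval). A spike is an interval whose inbound
    volume exceeds ratio times the median of all earlier intervals (median resists earlier spikes)."""
    spikes = []
    for i, (t, volume) in enumerate(counters):
        if i < warmup:
            continue
        baseline = median(v for _, v in counters[:i])
        if volume >= MIN_SPIKE_BYTES and volume > ratio * max(baseline, 1):
            spikes.append(t)
    return spikes


def spike_profile(t_spike, flows, window=ALIGN_WINDOW):
    """Trigger source = remote that delivered the most inbound bytes around the spike; also
    collect outbound transfers to other (non-trigger) addresses in the same window."""
    near = [f for f in flows if abs(f.t - t_spike) <= window]
    if not near:
        return None
    trigger = max(near, key=lambda f: f.bytes_in)
    received = sum(f.bytes_in for f in near if f.remote_ip == trigger.remote_ip)
    shared = [(f.remote_ip, f.bytes_out, f.ftype)
              for f in near if f.remote_ip != trigger.remote_ip and f.bytes_out > 0]
    return {"t": t_spike, "trigger_ip": trigger.remote_ip,
            "received": received, "rtype": trigger.ftype, "shared": shared}


def superposed_drops(drops, window=ALIGN_WINDOW):
    """Claim 5: files dropped at different paths at the same time point are summed into one sample."""
    groups = []
    for d in sorted(drops, key=lambda x: x.t):
        if groups and d.t - groups[-1]["t0"] <= window:
            g = groups[-1]
            g["size"] += d.size
            g["paths"].append(d.path)
            g["types"].add(d.ftype)
        else:
            groups.append({"t0": d.t, "size": d.size, "paths": [d.path], "types": {d.ftype}})
    return groups


def sizes_match(a, b, tol=ONE_MB):
    return abs(a - b) <= tol


def compare(drops, counters, flows):
    """The three-item comparison; as in the method, any one hit yields a finding."""
    profiles = []
    for t in find_spikes(counters):
        p = spike_profile(t, flows)
        if p:
            profiles.append(p)
    findings = []
    for g in superposed_drops(drops):
        for p in profiles:
            hits = []
            if abs(g["t0"] - p["t"]) <= ALIGN_WINDOW:                                # item 1
                hits.append("time")
            if p["rtype"] in g["types"] and sizes_match(g["size"], p["received"]):   # item 2
                hits.append("size_type")
            for ip, out_bytes, out_type in p["shared"]:                               # item 3
                if out_type == p["rtype"] and sizes_match(out_bytes, p["received"]):
                    hits.append(f"shared_with:{ip}")
            if hits:
                findings.append({"paths": g["paths"], "trigger_ip": p["trigger_ip"], "matched": hits})
    return findings


# Constructed records: 10 s intervals with one inbound burst at t=1080 delivered by 203.0.113.7,
# two files dropped right after it (2.1 MB + 1.0 MB), and a same-sized copy sent on to 192.0.2.44.
COUNTERS = [(1000 + 10 * i, v) for i, v in enumerate(
    [3000, 4200, 2800, 5100, 3900, 4400, 3100, 4800, 3_200_000, 3500, 4100])]
FLOWS = [
    Flow(1030, "198.51.100.20", 8_000, 9_000, "http"),
    Flow(1082, "203.0.113.7", 3_150_000, 12_000, "PE"),
    Flow(1095, "192.0.2.44", 0, 3_140_000, "PE"),
]
DROPS = [
    Drop(1090, r"C:\ProgramData\upd\svc.dll", 2_100_000, "PE"),
    Drop(1093, r"C:\ProgramData\upd\ldr.exe", 1_000_000, "PE"),
]

if __name__ == "__main__":
    for finding in compare(DROPS, COUNTERS, FLOWS):
        print(finding)
```

With the constructed records the two drops superimpose to 3.1 MB, which is within 1 MB of the 3.15 MB received from the trigger source, and the 3.14 MB PE sent to 192.0.2.44 satisfies item 3, so the single finding carries all three items. Drop the burst interval from the counters and no spike is found, so nothing is compared.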
The beneficial effects of the invention are as follows:
by checking the abnormally dropped file samples recorded in the registry together with the file-packet samples received during past abnormal traffic increases, the method lists the time points, file types and sizes of the abnormally dropped files, compares them with the file packets received during the past abnormal traffic increases, observes whether the time points coincide, and judges whether the file sizes are identical or very close. If they are, the file sample in the device software that carries the backdoor, and the backdoor associated with the abnormal release, are obtained directly. Because the device's abnormal behaviour at the time of the past traffic increase is combined with and compared against the registry while current traffic is monitored in real time, the method is more efficient than checking only current abnormal IP communication or inspecting the registry alone, and the comparison improves accuracy.
Drawings
FIG. 1 is a flowchart of the check of abnormally dropped file samples recorded in the registry according to the present invention;
FIG. 2 is a flowchart of the check of file-packet samples received when past traffic increased abnormally;
FIG. 3 is a schematic diagram of the comparison conditions according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1 to FIG. 3, the device backdoor detection method for network traffic security detection of this embodiment uses a sandbox virtual system program, an unpacking program, a tracking program and a judging program; takes as its samples the files abnormally dropped by the program under test, as recorded in the registry, and the file packets received when traffic increases abnormally; compares the dropped-file samples found by retrospectively inspecting the registry for consistency with the file-packet samples received during past abnormal traffic increases; and judges from that consistency whether a backdoor exists. The five steps of the registry-side check (FIG. 1), the three steps of the traffic-side check (FIG. 2) and the three-item comparison (FIG. 3) are carried out exactly as set out in the Disclosure of the Invention above and are not repeated here.
In this embodiment both checks are carried out in the sandbox virtual system and run synchronously, compared in real time, which improves efficiency.
The ESP-trick unpacking method can be replaced by loading the sample in the OllyDbg (OD) debugger and stepping to the OEP.
A size discrepancy of no more than 1 MB between the abnormally dropped file sample recorded in the registry and the file-packet sample received during the past abnormal traffic increase is treated as consistent. The received sample size is normally taken at the time of the traffic increase as the total size of the file packets received; because those packets are scattered across the period, packets at the boundary of the counting time point may be missed. That deviation is ignored during comparison, but must be eliminated when the backdoor is finally checked.
The abnormally dropped file sample recorded in the registry is obtained by superimposing the files dropped at different paths at the same time point; a single file at one path, without the files dropped at the other paths superimposed on it, cannot be compared with the file-packet sample received during the abnormal traffic increase at the same time, unless three abnormal files are released from that time point.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (5)

1. The utility model provides a network traffic safety detection's equipment back door detection method, includes sandbox virtual system program, shelling procedure, tracking procedure, judgement procedure, registry recorded abnormal release file sample and flow abnormal when increasing receive file package sample, its characterized in that: comparing the consistency between the abnormal release file sample recorded by the registry and checked by the retrospective registry and the file packet sample received when the retrospective past flow is abnormally increased, and judging whether a backdoor exists according to the consistency;
the specific steps of the abnormal release file sample check recorded by the registry are as follows:
the first step: the method comprises the steps of establishing a sandbox virtual system, dragging suspicious equipment programs and software into the sandbox to prepare for operation, firstly, running fileinfo.exe in the sandbox, checking whether the suspicious equipment programs and software are shelled, judging the type of the shelled by the detection result, and calling the corresponding shelling program to prepare for shelling;
and a second step of: if the suspicious program and software of the equipment are shelled, unshelling is carried out by adopting an ESP theorem unshelling method, OEP of the suspicious program is exposed, conditions are provided for the following tracking program, and if the checking result of the fileinfo.exe is not shelled, the process directly jumps to the third step;
and a third step of: directly running suspicious programs and software, loading tracking programs and judging programs, carrying out data transmission tracking on the suspicious programs and software to be detected by the tracking programs, checking whether communication behaviors between the suspicious programs and the software exist between the suspicious programs and the outside unknown IP addresses and whether new registration items are added, displaying and recording all the IP addresses of the current communication, displaying the byte numbers of data transmission and reception in unit time in real time, recording flow mutation behaviors in a time period, judging whether the new registration items are suspicious registration items or not by the aid of the judging programs, and recording and listing the suspicious registration items;
fourth step: backtracking past registration items of a registry, listing the registration items, carrying out inspection in a judging program, carrying out listing and recording on suspicious registration items by the judging program, searching new files record of past abnormality in the registration items, determining the position of suspicious files by checking operation logs, comparing the past suspicious files with newly-added files released by suspicious programs and software of current equipment, comparing whether the types of the past suspicious files are similar or identical, judging the starting time of the current equipment program and software in past execution of the operation if the types of the past suspicious files are similar or identical, and only recording the adding position and time information of the past suspicious files if the current suspicious files are not newly-added;
fifth step: checking whether the current equipment program and software automatically download suspicious file packages, if yes, directly judging that a back door exists, wherein the back door exists in the past suspicious files, and if not, checking file package samples received when the past flow is abnormally increased;
the specific steps of the examination of the received file packet samples when the past flow is abnormally increased are as follows:
the first step: monitoring whether abnormal flow increase exists in a period of time after the suspicious program and software of the equipment are operated, and if so, recording the size of a data receiving file packet and judging the type of the file packet;
and a second step of: backtracking to check the abnormal increase of the past flow, recording a time point, checking the IP address of a trigger source when the abnormal increase of the TCP communication recorded flow, and recording the receiving size of a receiving file packet;
and a third step of: checking whether file sharing behaviors exist between suspicious programs and software of equipment and other non-trigger source IP addresses in a past flow abnormal increasing time point;
comparing the consistency between the abnormal release file sample of the registry record checked by the retrospective past registry and the file packet sample received when the retrospective past flow is abnormally increased comprises:
1) Comparing whether the past suspicious registry is matched with the time point of abnormal increase of the past flow or not;
2) Comparing whether the size of the received file packet is consistent with the file type or not when the release file sample found through the past suspicious registry is abnormally increased with the past flow;
3) Checking whether the size and the file type of the file packet shared with other non-trigger sources are consistent with those of the received file packet;
if any of the three items are matched, a backdoor exists and is associated with the relevant file released by the suspicious program.
2. The device backdoor detection method for network traffic security detection according to claim 1, wherein: the inspection of the abnormal released-file samples recorded by the registry and the inspection of the file packet samples received during past abnormal traffic increases are carried out in a sandbox virtual system; the two inspections run synchronously and are compared in real time.
3. The device backdoor detection method for network traffic security detection according to claim 1, wherein: the ESP-law shelling method is replaced by the OD loading method.
4. The device backdoor detection method for network traffic security detection according to claim 1, wherein: when the size error between the abnormal released-file sample recorded by the registry and the file packet sample received when backtracking the past abnormal traffic increase is not more than 1 MB, the file packet samples are regarded as consistent.
5. The device backdoor detection method for network traffic security detection according to claim 1, wherein: the abnormal released-file samples recorded by the registry are obtained by superimposing files released at different addresses at the same time.
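The three-way consistency check of claim 1 together with the 1 MB size tolerance of claim 4, as an added worked example; this is illustration code written for this page, not code from the patent or its applicant. The event records (registry-recorded file drops, traffic anomalies, file-sharing events) are constructed sample data, and the five-minute window used to decide that two events fall on "the same time point" is an assumption, since the claims do not state one.

```python
"""Constructed example of the three-way consistency check from claim 1,
with the 1 MB size tolerance from claim 4. Event records are made up for
illustration; the time window is an assumption the claims do not specify."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024
SIZE_TOLERANCE = 1 * MB              # claim 4: size error of at most 1 MB is "consistent"
TIME_WINDOW = timedelta(minutes=5)   # assumed matching window for "the same time point"


@dataclass
class DroppedFile:
    """File release found by backtracking the suspicious registry record."""
    path: str
    size: int
    file_type: str
    time: datetime


@dataclass
class TrafficAnomaly:
    """Abnormal traffic increase found by backtracking past flow records."""
    time: datetime
    trigger_ip: str      # source IP of the TCP communication that triggered the increase
    packet_size: int     # size of the received file packet
    file_type: str


@dataclass
class SharedFile:
    """File shared by the suspicious program with some other host."""
    time: datetime
    peer_ip: str
    size: int
    file_type: str


def sizes_consistent(a: int, b: int) -> bool:
    """Claim 4: sizes agree if they differ by no more than 1 MB."""
    return abs(a - b) <= SIZE_TOLERANCE


def times_match(a: datetime, b: datetime) -> bool:
    return abs(a - b) <= TIME_WINDOW


def check_backdoor(drops, anomalies, shares):
    """Run the three comparisons of claim 1.

    Returns {"backdoor": bool, "matches": [(check_number, detail), ...]};
    a backdoor is reported when any of the three checks matches.
    """
    matches = []
    for anomaly in anomalies:
        for drop in drops:
            # 1) registry record time point coincides with the traffic anomaly
            if times_match(drop.time, anomaly.time):
                matches.append((1, f"{drop.path} released at {drop.time} near anomaly at {anomaly.time}"))
            # 2) released file size and type agree with the received packet
            if drop.file_type == anomaly.file_type and sizes_consistent(drop.size, anomaly.packet_size):
                matches.append((2, f"{drop.path} size/type match packet from {anomaly.trigger_ip}"))
        for share in shares:
            # 3) a packet of the same size/type was shared with a non-trigger-source IP
            #    at the time point of the anomaly
            if (share.peer_ip != anomaly.trigger_ip
                    and times_match(share.time, anomaly.time)
                    and share.file_type == anomaly.file_type
                    and sizes_consistent(share.size, anomaly.packet_size)):
                matches.append((3, f"shared {share.size} B {share.file_type} with {share.peer_ip}"))
    return {"backdoor": bool(matches), "matches": matches}


# Constructed sample events (documentation/test-net addresses, made-up sizes).
T0 = datetime(2021, 8, 27, 10, 0, 0)
SAMPLE_ANOMALIES = [TrafficAnomaly(T0, "203.0.113.7", 2_400_000, "exe")]
SAMPLE_DROPS = [DroppedFile(r"C:\Users\Public\svc_update.exe", 2_000_000, "exe", T0 + timedelta(seconds=90))]
SAMPLE_SHARES = [SharedFile(T0 + timedelta(minutes=3), "198.51.100.5", 2_300_000, "exe")]
# A benign drop: wrong type, far larger, and hours before the anomaly.
BENIGN_DROPS = [DroppedFile(r"C:\Temp\report.pdf", 12_000_000, "pdf", T0 - timedelta(hours=6))]

if __name__ == "__main__":
    for label, drops, shares in (("suspicious", SAMPLE_DROPS, SAMPLE_SHARES), ("benign", BENIGN_DROPS, [])):
        result = check_backdoor(drops, SAMPLE_ANOMALIES, shares)
        print(label, "backdoor:", result["backdoor"])
        for number, detail in result["matches"]:
            print(f"  check {number}: {detail}")
```

On the constructed data the suspicious case trips all three checks (the 400 kB and 100 kB size differences fall inside the 1 MB tolerance), while the benign drop trips none. In practice the checks are only as good as the event sources feeding them: the registry backtrack and the flow backtrack must share a clock, and the tolerance should be tuned against the packet sizes actually seen, since a fixed 1 MB band is generous for small droppers and tight for large ones.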
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110995717.4A CN113904796B (en) 2021-08-27 2021-08-27 Equipment back door detection method for network flow safety detection

Publications (2)

Publication Number Publication Date
CN113904796A CN113904796A (en) 2022-01-07
CN113904796B (en) 2023-11-17

Family

ID=79188267

Country Status (1)

Country Link
CN (1) CN113904796B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011063729A1 (en) * 2009-11-26 2011-06-03 成都市华为赛门铁克科技有限公司 Method, equipment and system for early warning about unknown malicious codes
CN103473501A (en) * 2013-08-22 2013-12-25 北京奇虎科技有限公司 Malware tracking method based on cloud safety
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
CN106055975A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox
CN106301974A (en) * 2015-05-14 2017-01-04 阿里巴巴集团控股有限公司 A kind of website back door detection method and device
CN107196960A (en) * 2017-06-27 2017-09-22 四维创智(北京)科技发展有限公司 A kind of net horse detecting system and its detection method based on sandbox technology
CN107729748A (en) * 2017-09-20 2018-02-23 杭州安恒信息技术有限公司 A kind of method for describing file running orbit figure in sandbox
CN110362994A (en) * 2018-03-26 2019-10-22 华为技术有限公司 Detection method, equipment and the system of malicious file
CN112182561A (en) * 2020-09-24 2021-01-05 百度在线网络技术(北京)有限公司 Method and device for detecting rear door, electronic equipment and medium
CN112580044A (en) * 2019-09-30 2021-03-30 卡巴斯基实验室股份制公司 System and method for detecting malicious files
CN112580049A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Sandbox-based malicious software monitoring method, sandbox-based malicious software monitoring equipment, storage medium and sandbox-based malicious software monitoring device
CN114003903A (en) * 2021-12-28 2022-02-01 北京微步在线科技有限公司 Network attack tracing method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9356945B2 (en) * 2014-07-17 2016-05-31 Check Point Advanced Threat Prevention Ltd Automatic content inspection system for exploit detection
US9680845B2 (en) * 2015-03-31 2017-06-13 Juniper Networks, Inc. Detecting a malicious file infection via sandboxing
US11716337B2 (en) * 2020-02-10 2023-08-01 IronNet Cybersecurity, Inc. Systems and methods of malware detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Automating Linux Malware Analysis Using Limon Sandbox; Monnappa K A; 《blackhat》; full text *
Analysis of the Flame virus (火焰病毒探析); 史洪; 李波; 王开建; 何乔; 保密科学技术 (No. 11); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant