CN117201151A - EDR-based terminal identification method and device - Google Patents
Publication number: CN117201151A (application CN202311219194.XA)
Authority: CN (China)
Prior art keywords: terminal equipment, characteristic information, information, security, EDR
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to an EDR-based terminal identification method and device in the technical field of terminal identification. The method comprises: collecting, through an EDR agent program, first characteristic information of a first terminal device and the security events related to that information; analyzing the first characteristic information and the related security events to obtain a security policy for the first terminal device; when an instruction to identify a terminal device is received, acquiring second characteristic information of a second terminal device through the EDR agent program; and, if the second characteristic information is identical to the first, monitoring the second terminal device in real time according to the security policy of the first terminal device to obtain monitoring data. By identifying terminals on a combination of several practically meaningful characteristics and monitoring them in real time under a security policy, the invention can handle abnormal behavior and security vulnerabilities, improving both the accuracy of terminal identification and the security of the terminal network.
Description
Technical Field
The invention belongs to the technical field of terminal identification, and particularly relates to an EDR-based terminal identification method and device.
Background
EDR (Endpoint Detection and Response) is a security technology for detecting and responding to malware and other threats on endpoint devices. It relies on agents installed on computers and other devices that monitor the state and behavior of the system and collect data about potential threats. When suspicious activity is detected, the EDR agent can act to block execution of the threat and provides detailed information about the event to security analysts.
With the continuous development of information technology, the use of terminal devices has become ubiquitous, and the demand of enterprises and individuals for security and privacy protection on those devices keeps growing. Different types of terminal device, such as smartphones, tablets and notebook computers, have different identification requirements. Many terminal identification methods exist on the market today, but most identify a terminal solely by its device type, which is error-prone, and they cannot handle malicious attacks originating from the terminal once it has been identified.
Disclosure of Invention
The invention therefore provides an EDR-based terminal identification method and device to address two problems of existing methods: identifying a terminal device directly by its type is error-prone, and malicious attacks originating from the terminal cannot be handled once it has been identified.
In order to achieve the above purpose, the invention adopts the following technical scheme:
in a first aspect, the present invention provides an EDR-based terminal identification method, including:
collecting, through an EDR agent program, first characteristic information of a first terminal device and the security events related to the first characteristic information; the characteristic information comprises the terminal device type, operating system, application programs and process information;
analyzing the first characteristic information and the security event related to the first characteristic information to obtain a security policy of the first terminal equipment; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
when receiving an instruction for identifying the terminal equipment, acquiring second characteristic information of second terminal equipment through the EDR agent program;
if the second characteristic information is identical to the first characteristic information, monitoring the second terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
Further, before the first feature information of the first terminal device and the security event related to the first feature information are collected by the EDR agent program, the method further includes:
receiving a network request of a user to obtain user information;
if the requesting operating system in the user information is Windows or Linux, detecting whether the EDR agent is installed and, if it is not, sending the user a download link for the EDR agent so that, once it has been downloaded and installed on the PC, the terminal device information can be acquired;
if the requesting operating system in the user information is an iOS tablet, iOS phone, Android tablet or Android phone system, adding the requesting IP address from the network request to an EDR whitelist so that the terminal device information can be acquired through the EDR agent on the mobile terminal.
Further, the method further comprises:
storing the first characteristic information and the security policy of the first terminal equipment into a terminal information database to improve reusability so as to facilitate subsequent identification of the terminal equipment;
when receiving an instruction for identifying the terminal equipment, acquiring third characteristic information of third terminal equipment through an EDR agent program;
if the third characteristic information is the same as the first characteristic information in the terminal information database, judging that the third terminal equipment and the first terminal equipment are the same terminal equipment;
monitoring the third terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
Further, the method further comprises:
if the second characteristic information is different from the first characteristic information, acquiring a security event related to the second characteristic information through the EDR agent;
analyzing the second characteristic information and the security event related to the second characteristic information to obtain a security policy of the second terminal equipment;
storing the second characteristic information of the second terminal equipment and the security policy of the second terminal equipment into the terminal information database;
and monitoring the second terminal equipment in real time according to the security policy corresponding to the second terminal equipment to obtain monitoring data.
Further, the analyzing the first feature information and the security event related to the first feature information to obtain the security policy of the first terminal device includes:
respectively associating the security events with corresponding terminal equipment types, operating systems, application programs or process information to obtain abnormal behavior information and security vulnerability information;
acquiring a processing method corresponding to the abnormal behavior information and the security vulnerability information from the Internet through machine learning and big data technology; the processing method is used for processing abnormal behaviors and security vulnerabilities.
In a second aspect, the present invention provides an EDR-based terminal identification device, including:
the acquisition module is used for acquiring first characteristic information of the first terminal equipment and a security event related to the first characteristic information through the EDR agent program; the characteristic information comprises a terminal equipment type, an operating system, an application program and process information;
the policy generation module is used for analyzing the first characteristic information and the security event related to the first characteristic information to obtain the security policy of the first terminal equipment; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
the identification module is used for acquiring second characteristic information of a second terminal device through the EDR agent program when an instruction to identify a terminal device is received and, if the second characteristic information is identical to the first characteristic information, monitoring the second terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
The invention adopts the technical proposal and has at least the following beneficial effects:
after the terminal device information has been acquired through an EDR agent program, the terminal device is identified according to its type, operating system, application programs and process information, and a successfully identified terminal carries out its Internet activity under the corresponding security policy. Identification thus combines several practically meaningful characteristics, while real-time monitoring under the security policy allows abnormal behavior and security vulnerabilities to be handled, improving both the accuracy of terminal identification and the security of the terminal network.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an EDR-based terminal identification method according to an exemplary embodiment of the present invention;
FIG. 2 is a schematic block diagram of an EDR-based terminal identification device, according to an exemplary embodiment of the present invention;
the invention is further described below with reference to the drawings and the detailed description.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions are described in detail below. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments derived from these examples within the scope of the claims also fall within the scope of the invention.
With the continuous development of Internet information technology, hijacking of network information has become increasingly serious, and the security and privacy of enterprises' and individuals' terminal devices cannot be guaranteed. Different types of terminal device, such as smartphones, tablets and notebook computers, have different identification requirements. Terminal identification methods exist on the market today, but most identify a terminal directly by its device type, which is error-prone, and malicious attacks arriving after identification cannot be handled.
The embodiment of the invention provides an EDR-based terminal identification method and device. After the terminal device information has been securely acquired through an EDR agent program, the terminal device is identified according to its type, operating system, application programs and process information, and a successfully identified terminal carries out its Internet activity under the corresponding security policy. Identification combines several practically meaningful characteristics, and real-time monitoring under the security policy allows abnormal behavior and security vulnerabilities to be handled, improving both the accuracy of terminal identification and the security of the terminal network.
The EDR-based terminal identification method of the invention is described below by way of a specific embodiment.
Referring to fig. 1, fig. 1 is a flowchart illustrating an EDR-based terminal identification method according to an exemplary embodiment of the present invention, referring to fig. 1, the method includes:
step S11, collecting first characteristic information of a first terminal device and a security event related to the first characteristic information through an EDR agent program; the characteristic information comprises terminal equipment type, an operating system, an application program and process information;
step S12, analyzing the first characteristic information and the security event related to the first characteristic information to obtain a security policy of the first terminal equipment; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
step S13, when receiving an instruction for identifying the terminal equipment, acquiring second characteristic information of the second terminal equipment through an EDR agent program;
step S14, if the second characteristic information is identical to the first characteristic information, monitoring the second terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
It should be noted that the method provided in this embodiment may be implemented as an applet, loaded into an existing system as a plug-in, or implemented as a stand-alone application, in each case exposing a functional interface for calling. Suitable scenarios include, but are not limited to, terminal identification and generation of a terminal security policy.
Specifically, information about terminal devices and the related security events on the Internet can be collected securely through an existing EDR agent program, and a security policy for the corresponding terminal device is derived from the analysis of those security events. The security policy may comprise:
1. Terminal security admission system: all terminal devices accessing the network should be managed and controlled through a terminal security admission system, which authenticates and security-checks each device to prevent unauthorized devices from joining the network.
2. Network boundary access-layer admission control: at the network boundary access layer, 802.1X authentication is used to authorize and check all accessing terminal devices, and network access rights are set according to each device's identity and authorization status.
3. Centralized account management: all accounts are created, modified and deleted through a centralized account management system, preventing unauthorized access and malicious intrusion.
4. Single sign-on: single sign-on through a centralized authentication server allows password-free sign-on to multiple systems, improving efficiency and reducing errors.
5. Vulnerability scanning and repair: all terminal devices are scanned periodically with a vulnerability scanning tool to find and repair possible security vulnerabilities; known vulnerabilities should be repaired as soon as possible to prevent malicious exploitation.
6. Data encryption: transmitted data should be encrypted to keep it secure; TLS may optionally be used for this purpose (the older SSL protocol versions are deprecated and should not be enabled).
7. Security audit: the operations of all terminal devices are audited, and all access, modification and deletion operations are recorded, so that possible illegal operations can be traced and malicious behavior prevented.
8. Access control: terminal devices that need to access sensitive data are subject to strict access control; corresponding permissions and policies are set so that only authorized devices may access the sensitive data.
It can be appreciated that, in the method of this embodiment, after the terminal device information has been acquired through the EDR agent program, the terminal device is identified according to its type, operating system, application programs and process information, and a successfully identified terminal carries out its Internet activity under the corresponding security policy. Identification thus combines several practically meaningful characteristics, while real-time monitoring under the security policy allows abnormal behavior and security vulnerabilities to be handled, improving both the accuracy of terminal identification and the security of the terminal network.
In specific practice, before the first characteristic information of the first terminal device and the security event related to the first characteristic information are collected by the EDR agent program, the method further comprises:
receiving a network request of a user to obtain user information;
if the requesting operating system in the user information is Windows or Linux, detecting whether the EDR agent program is installed and, if it is not, sending the user a download link for the EDR agent program so that, once it has been downloaded and installed on the PC, the terminal device information can be acquired;
if the requesting operating system in the user information is an iOS tablet, iOS phone, Android tablet or Android phone system, adding the requesting IP address from the network request to the EDR whitelist so that the terminal device information can be acquired through the EDR agent program on the mobile terminal. Note that a source IP address identifies a network location rather than a device: behind NAT or a shared egress address, an IP-based whitelist admits every device using that address, so the whitelist entry should be treated as a provisional admission until the agent has reported the device's characteristic information.
It can be understood that the technical scheme of this embodiment uses EDR technology to collect the terminal device information, so that the data is obtained securely and provides a reliable basis for the subsequent operations.
In specific practice, the method further comprises the steps of:
storing the first characteristic information and the security policy of the first terminal equipment into a terminal information database to improve reusability so as to facilitate the subsequent identification of the terminal equipment;
when receiving an instruction for identifying the terminal equipment, acquiring third characteristic information of third terminal equipment through an EDR agent program;
if the third characteristic information is the same as the first characteristic information in the terminal information database, judging that the third terminal equipment and the first terminal equipment are the same terminal equipment;
monitoring the third terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
It should be noted that the terminal information database performs de-duplication: entries are de-duplicated according to terminal device type, operating system, application programs and process information.
It can be appreciated that, in the technical scheme of this embodiment, newly identified terminal devices are added to the terminal information database during the identification process, which effectively improves the reusability of the identification information and thereby the efficiency of identification.
In specific practice, the method further comprises:
if the second characteristic information is different from the first characteristic information, acquiring a security event related to the second characteristic information through the EDR agent program;
analyzing the second characteristic information and the security event related to the second characteristic information to obtain a security policy of the second terminal equipment;
storing second characteristic information of the second terminal equipment and a security policy of the second terminal equipment into a terminal information database;
and monitoring the second terminal equipment in real time according to the security policy corresponding to the second terminal equipment to obtain monitoring data.
In specific practice, step S12, analyzing the first characteristic information and the related security events to obtain the security policy of the first terminal device, comprises: associating each security event with the corresponding terminal device type, operating system, application program or process information to obtain abnormal behavior information and security vulnerability information;
and acquiring, from the Internet through machine learning and big data technology, the processing methods corresponding to the abnormal behavior information and the security vulnerability information; the processing methods are used to handle the abnormal behavior and the security vulnerabilities.
It can be understood that, by using existing machine learning and big data technology, the technical scheme of this embodiment gives terminal identification stronger data correlation and a richer information base, and provides a reliable data basis for the subsequent operations.
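The identification flow of steps S11 to S14, the terminal information database with its de-duplication rule, and the association of security events with the terminal's applications and processes in step S12 can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or from any EDR product. The field names, the SHA-256 fingerprint used as the database key, the sample terminals and events (constructed, not captured from a real agent), and the policy vocabulary (terminate_and_alert, patch_or_isolate) are all assumptions. Retrieval of processing methods from the Internet by machine learning is not modelled; the handling action is taken from a fixed table instead.

```python
"""
Added example (not the patent's own code): a minimal model of the EDR-based
terminal identification flow. Field names, the fingerprint construction, the
sample events and the policy vocabulary are assumptions made for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


# "Characteristic information" as reported by the EDR agent: terminal type,
# operating system, application programs and process information.
@dataclass(frozen=True)
class Features:
    device_type: str
    os: str
    apps: Tuple[str, ...]
    processes: Tuple[str, ...]


def normalize(raw: dict) -> Features:
    """Canonicalize agent output so that ordering, case and duplicates in the
    app and process lists do not produce a different identity. This is the
    de-duplication rule the terminal information database applies."""
    return Features(
        device_type=raw["device_type"].strip().lower(),
        os=raw["os"].strip().lower(),
        apps=tuple(sorted({a.strip().lower() for a in raw["apps"]})),
        processes=tuple(sorted({p.strip().lower() for p in raw["processes"]})),
    )


def fingerprint(f: Features) -> str:
    """Stable key for the terminal information database: two terminals whose
    (type, OS, apps, processes) are identical map to the same key."""
    payload = json.dumps([f.device_type, f.os, f.apps, f.processes])
    return hashlib.sha256(payload.encode()).hexdigest()


def derive_policy(f: Features, events: List[dict]) -> dict:
    """Step S12: associate each security event with the feature dimension it
    refers to. Process-level events become abnormal-behaviour rules,
    application-level events become vulnerability rules; events about
    processes or apps the terminal does not have are ignored. The handling
    action comes from a fixed table (an assumption standing in for the
    patent's Internet/ML lookup)."""
    policy = {"abnormal_processes": set(), "vulnerable_apps": set(), "handling": {}}
    for ev in events:
        if ev["kind"] == "abnormal_behavior" and ev["process"] in f.processes:
            policy["abnormal_processes"].add(ev["process"])
            policy["handling"][ev["process"]] = "terminate_and_alert"
        elif ev["kind"] == "vulnerability" and ev["app"] in f.apps:
            policy["vulnerable_apps"].add(ev["app"])
            policy["handling"][ev["app"]] = "patch_or_isolate"
    return policy


class TerminalDB:
    """Terminal information database keyed by fingerprint (steps S13/S14 and
    the 'third terminal' branch): a known fingerprint reuses the stored
    policy, an unknown one gets a fresh policy derived from its own events
    and is stored for later reuse."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[Features, dict]] = {}

    def identify(self, raw: dict, events: List[dict]) -> Tuple[str, dict, bool]:
        f = normalize(raw)
        key = fingerprint(f)
        if key in self.entries:
            return key, self.entries[key][1], True
        policy = derive_policy(f, events)
        self.entries[key] = (f, policy)
        return key, policy, False


def monitor(policy: dict, observed_processes: List[str]) -> dict:
    """Apply the stored policy to a live observation and return the monitoring
    data: abnormal behaviour information and security vulnerability information,
    each paired with its processing method."""
    seen = {p.strip().lower() for p in observed_processes}
    abnormal = sorted(seen & policy["abnormal_processes"])
    vulns = sorted(policy["vulnerable_apps"])
    return {
        "abnormal_behavior": [(p, policy["handling"][p]) for p in abnormal],
        "security_vulnerabilities": [(a, policy["handling"][a]) for a in vulns],
    }


# Constructed sample input (not captured from any real agent).
FIRST_TERMINAL = {"device_type": "Laptop", "os": "Windows 11",
                  "apps": ["Office", "Chrome"], "processes": ["chrome.exe", "mshta.exe"]}
FIRST_EVENTS = [
    {"kind": "abnormal_behavior", "process": "mshta.exe"},
    {"kind": "vulnerability", "app": "chrome"},
    {"kind": "abnormal_behavior", "process": "powershell.exe"},  # not on this terminal
]
# The same terminal reported again with different case, order and a duplicate.
SECOND_TERMINAL = {"device_type": "laptop", "os": "windows 11",
                   "apps": ["chrome", "Office", "office"], "processes": ["mshta.exe", "chrome.exe"]}


def run_example() -> dict:
    db = TerminalDB()
    key1, _, _ = db.identify(FIRST_TERMINAL, FIRST_EVENTS)
    key2, policy2, reused = db.identify(SECOND_TERMINAL, [])
    data = monitor(policy2, ["MSHTA.EXE", "chrome.exe"])
    return {"same_terminal": key1 == key2, "reused": reused,
            "db_size": len(db.entries), "monitoring": data}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Because the application and process lists are sorted, lower-cased and de-duplicated before hashing, the second report of the same terminal maps to the same key and reuses the stored policy, which is the de-duplication the description requires; the event about powershell.exe is dropped because that process is not part of the first terminal's characteristic information. In practice a full process list changes between reports, so the subset of processes included in the fingerprint has to be chosen deliberately; that choice is outside what the patent specifies.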
Referring to fig. 2, fig. 2 is a schematic block diagram of an EDR-based terminal identification device according to an exemplary embodiment of the present invention, and referring to fig. 2, the EDR-based terminal identification device 100 includes:
the acquisition module 101 is configured to acquire first feature information of a first terminal device and a security event related to the first feature information through an EDR agent program; the characteristic information comprises terminal equipment type, an operating system, an application program and process information;
the policy generation module 102 is configured to analyze the first feature information and a security event related to the first feature information to obtain a security policy of the first terminal device; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
the identification module 103 is configured to acquire second characteristic information of a second terminal device through the EDR agent program when an instruction to identify a terminal device is received and, if the second characteristic information is identical to the first characteristic information, to monitor the second terminal device in real time according to the security policy of the first terminal device to obtain monitoring data; the monitoring data comprise abnormal behavior information and security vulnerability information.
It should be noted that the device provided in this embodiment may be implemented as an applet, loaded into an existing system as a plug-in, or implemented as a stand-alone application, in each case exposing a functional interface for calling. Suitable scenarios include, but are not limited to, terminal identification and generation of a terminal security policy.
Specifically, as in the method embodiment above, information about terminal devices and the related security events on the Internet is collected securely through an existing EDR agent program, and a security policy for the corresponding terminal device is derived from the analysis of those security events. The security policy may comprise the same eight measures listed for the method embodiment: a terminal security admission system, 802.1X admission control at the network boundary access layer, centralized account management, single sign-on, vulnerability scanning and repair, data encryption, security audit, and access control for sensitive data.
It can be understood that, in the device of this embodiment, after the terminal device information has been acquired through the EDR agent program, the terminal device is identified according to its type, operating system, application programs and process information, and a successfully identified terminal carries out its Internet activity under the corresponding security policy. Identification thus combines several practically meaningful characteristics, while real-time monitoring under the security policy allows abnormal behavior and security vulnerabilities to be handled, improving both the accuracy of terminal identification and the security of the terminal network.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (6)
1. An EDR-based terminal identification method, the method comprising:
collecting, through an EDR agent program, first characteristic information of a first terminal device and the security events related to the first characteristic information; the characteristic information comprises the terminal device type, operating system, application programs and process information;
analyzing the first characteristic information and the security event related to the first characteristic information to obtain a security policy of the first terminal equipment; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
when receiving an instruction for identifying the terminal equipment, acquiring second characteristic information of second terminal equipment through the EDR agent program;
if the second characteristic information is the same as the first characteristic information, monitoring the second terminal equipment in real time according to the security policy corresponding to the first terminal equipment to obtain monitoring data; the monitoring data includes abnormal behavior information and security hole information.
2. The method of claim 1, further comprising, prior to the collecting, by the EDR agent, first characteristic information of a first terminal device and a security event associated with the first characteristic information:
receiving a network request of a user to obtain user information;
if the request operating system in the user information is windows or linux, detecting whether an EDR agent is installed, and if the EDR agent is not installed, sending a download link of the EDR agent to the user so that the user can acquire information of terminal equipment after downloading and installing the EDR agent at a PC (personal computer) end;
if the request operating system in the user information is an IOS flat-panel system, an IOS mobile phone system, an android flat-panel system or an android mobile phone system, the request IP address in the network request is added to an EDR white list, so that the user can acquire information of the terminal equipment through the EDR agent program at the mobile terminal.
3. The method as recited in claim 1, further comprising:
storing the first characteristic information and the security policy of the first terminal device in a terminal information database to improve reusability and facilitate subsequent identification of terminal devices;
when receiving an instruction to identify a terminal device, acquiring third characteristic information of a third terminal device through the EDR agent program;
if the third characteristic information is the same as the first characteristic information in the terminal information database, determining that the third terminal device and the first terminal device are the same terminal device;
monitoring the third terminal device in real time according to the security policy corresponding to the first terminal device to obtain monitoring data; the monitoring data comprises abnormal behavior information and security vulnerability information.
4. The method according to claim 3, further comprising:
if the second characteristic information is different from the first characteristic information, acquiring a security event related to the second characteristic information through the EDR agent program;
analyzing the second characteristic information and the security event related to the second characteristic information to obtain a security policy of the second terminal device;
storing the second characteristic information of the second terminal device and the security policy of the second terminal device in the terminal information database;
and monitoring the second terminal device in real time according to the security policy corresponding to the second terminal device to obtain monitoring data.
5. The method according to claim 1, wherein analyzing the first characteristic information and the security event related to the first characteristic information to obtain the security policy of the first terminal device comprises:
associating each security event with the corresponding terminal device type, operating system, application program or process information to obtain abnormal behavior information and security vulnerability information;
acquiring, from the Internet through machine learning and big data technology, a processing method corresponding to the abnormal behavior information and the security vulnerability information; the processing method is used for handling the abnormal behaviors and security vulnerabilities.
6. An EDR-based terminal identification device, comprising:
an acquisition module, configured to acquire, through an EDR agent program, first characteristic information of a first terminal device and a security event related to the first characteristic information; the characteristic information comprises the terminal device type, the operating system, the application program and process information;
a policy generation module, configured to analyze the first characteristic information and the security event related to the first characteristic information to obtain a security policy of the first terminal device; the security policy comprises abnormal behavior detection, security vulnerability detection and corresponding processing methods;
an identification module, configured to acquire second characteristic information of a second terminal device through the EDR agent program when an instruction to identify a terminal device is received, and, if the second characteristic information is the same as the first characteristic information, to monitor the second terminal device in real time according to the security policy corresponding to the first terminal device to obtain monitoring data; the monitoring data comprises abnormal behavior information and security vulnerability information.
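As an added illustration (not code from the patent), the following Python sketch models the claimed flow: claim 2's onboarding decision by requesting operating system, claim 5's association of security events with feature fields to derive a policy, the lookup-or-register step of claims 1, 3 and 4 against a terminal information database, and claim 1's monitoring output. The event tuple shape, the platform strings and all sample values are assumptions; the Internet lookup of processing methods in claim 5 is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)  # frozen => hashable, so it can key the terminal database
class FeatureInfo:
    """Claim 1 'characteristic information': device type, OS, application, process."""
    device_type: str
    os: str
    application: str
    process: str

@dataclass
class SecurityPolicy:
    """Claim 1 security policy: what to flag as abnormal behavior or as a vulnerability."""
    abnormal_behaviors: List[str] = field(default_factory=list)
    vulnerabilities: List[str] = field(default_factory=list)

# Assumed event shape (the patent does not specify one): (feature field, value, kind)
SecurityEvent = Tuple[str, str, str]

def onboard(request_os: str, request_ip: str, agent_installed: bool, whitelist: Set[str]) -> str:
    """Claim 2: PC platforms must run the EDR agent; mobile platforms are IP-whitelisted."""
    if request_os in ("windows", "linux"):
        return "proceed" if agent_installed else "send_agent_download_link"
    if request_os in ("ios_tablet", "ios_phone", "android_tablet", "android_phone"):
        whitelist.add(request_ip)
        return "whitelisted"
    return "unsupported"  # assumed handling for platforms the claims do not list

def derive_policy(info: FeatureInfo, events: List[SecurityEvent]) -> SecurityPolicy:
    """Claim 5: associate each security event with the matching feature field."""
    policy = SecurityPolicy()
    for field_name, value, kind in events:
        if getattr(info, field_name, None) == value:  # event describes this terminal
            target = policy.abnormal_behaviors if kind == "behavior" else policy.vulnerabilities
            target.append(f"{field_name}={value}")
    return policy

def identify(db: Dict[FeatureInfo, SecurityPolicy], info: FeatureInfo, events: List[SecurityEvent]) -> Tuple[str, SecurityPolicy]:
    """Claims 1, 3, 4: reuse the stored policy when features match, otherwise derive and store one."""
    if info in db:
        return "known", db[info]
    policy = derive_policy(info, events)
    db[info] = policy  # claim 3: terminal information database
    return "new", policy

def monitor(policy: SecurityPolicy, observed_processes: List[str]) -> Dict[str, List[str]]:
    """Claim 1 monitoring data: abnormal behavior hits plus the known vulnerability list."""
    flagged = [p for p in observed_processes if f"process={p}" in policy.abnormal_behaviors]
    return {"abnormal_behavior": flagged, "security_vulnerabilities": list(policy.vulnerabilities)}
```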
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311219194.XA CN117201151A (en) | 2023-09-20 | 2023-09-20 | EDR-based terminal identification method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117201151A true CN117201151A (en) | 2023-12-08 |
Family ID: 88997765
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||