JP5882542B2 - Detecting a malware process - Google Patents

Detecting a malware process

Info

Publication number
JP5882542B2
Authority
JP
Japan
Prior art keywords
permission
memory block
malware
read
base address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
JP2015525646A
Other languages
English (en)
Japanese (ja)
Other versions
JP2015523668A (ja)
JP2015523668A5 (en)
Inventor
ニエ・ワンチュエン
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Publication of JP2015523668A
Publication of JP2015523668A5
Application granted
Publication of JP5882542B2
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN201210310462.4 2012-08-28
CN201210310462.4A CN103632088A (zh) 2012-08-28 2012-08-28 Trojan detection method and apparatus
US13/973,229 2013-08-22
US13/973,229 US9152788B2 (en) 2012-08-28 2013-08-22 Detecting a malware process
PCT/US2013/056562 WO2014035857A1 (en) 2012-08-28 2013-08-26 Detecting a malware process

Related Child Applications (1)

Application Number Title Priority Date Filing Date
JP2016018519A Division JP6165900B2 (ja) 2012-08-28 2016-02-03 Detecting a malware process

Publications (3)

Publication Number Publication Date
JP2015523668A JP2015523668A (ja) 2015-08-13
JP2015523668A5 JP2015523668A5 (en) 2016-01-21
JP5882542B2 JP5882542B2 (ja) 2016-03-09 (this publication)

Family

ID=50189431

Family Applications (2)

Application Number Title Priority Date Filing Date
JP2015525646A Expired - Fee Related JP5882542B2 (ja) 2012-08-28 2013-08-26 Detecting a malware process
JP2016018519A Active JP6165900B2 (ja) 2012-08-28 2016-02-03 Detecting a malware process

Family Applications After (1)

Application Number Title Priority Date Filing Date
JP2016018519A Active JP6165900B2 (ja) 2012-08-28 2016-02-03 Detecting a malware process

Country Status (6)

Country Link
US (2) US9152788B2 (en)
EP (2) EP2891104B1 (en)
JP (2) JP5882542B2 (en)
CN (1) CN103632088A (en)
TW (1) TWI554907B (en)
WO (1) WO2014035857A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10223530B2 (en) 2013-11-13 2019-03-05 Proofpoint, Inc. System and method of protecting client computers
US9378367B2 (en) 2014-03-31 2016-06-28 Symantec Corporation Systems and methods for identifying a source of a suspect event
WO2016186902A1 (en) * 2015-05-20 2016-11-24 Alibaba Group Holding Limited Detecting malicious files
CN106295328B (zh) 2015-05-20 2019-06-18 阿里巴巴集团控股有限公司 File detection method, apparatus and system
US10083296B2 (en) * 2015-06-27 2018-09-25 Mcafee, Llc Detection of malicious thread suspension
CN105608377A (zh) * 2015-12-24 2016-05-25 国家电网公司 Information system process security management system and management method
US10049214B2 (en) * 2016-09-13 2018-08-14 Symantec Corporation Systems and methods for detecting malicious processes on computing devices
CN110414230B (zh) * 2019-06-21 2022-04-08 腾讯科技(深圳)有限公司 Virus scanning and removal method, apparatus, computer device and storage medium
CN111552962B (zh) * 2020-03-25 2024-03-01 三六零数字安全科技集团有限公司 Method for intercepting PE-format file viruses on USB flash drives based on the Windows operating system
US11874920B2 (en) * 2020-12-30 2024-01-16 Acronis International Gmbh Systems and methods for preventing injections of malicious processes in software
CN112948863B (zh) * 2021-03-15 2022-07-29 清华大学 Sensitive data reading method, apparatus, electronic device and storage medium
CN113641997B (zh) * 2021-07-19 2025-03-14 卡奥斯工业智能研究院(青岛)有限公司 Security protection method, apparatus, system and storage medium for industrial hosts
CN114969737A (zh) * 2022-05-26 2022-08-30 深信服科技股份有限公司 Virus handling method, apparatus, electronic device and medium
CN115766279A (zh) * 2022-12-06 2023-03-07 北京天融信网络安全技术有限公司 Network attack forensics method, apparatus, electronic device and readable storage medium

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5812848A (en) * 1995-08-23 1998-09-22 Symantec Corporation Subclassing system for computer that operates with portable-executable (PE) modules
US7493498B1 (en) * 2002-03-27 2009-02-17 Advanced Micro Devices, Inc. Input/output permission bitmaps for compartmentalized security
EP1684151A1 (en) * 2005-01-20 2006-07-26 Grant Rothwell William Computer protection against malware affection
WO2006090647A1 (ja) * 2005-02-25 2006-08-31 Matsushita Electric Industrial Co., Ltd. Processing device
US7673345B2 (en) 2005-03-31 2010-03-02 Intel Corporation Providing extended memory protection
KR100843701B1 (ko) * 2006-11-07 2008-07-04 소프트캠프(주) API verification method using information recorded in the call stack
US7917725B2 (en) * 2007-09-11 2011-03-29 QNX Software Systems GmbH & Co., KG Processing system implementing variable page size memory organization using a multiple page per entry translation lookaside buffer
US8578483B2 (en) * 2008-07-31 2013-11-05 Carnegie Mellon University Systems and methods for preventing unauthorized modification of an operating system
CA2806368C (en) * 2009-07-29 2019-04-30 Reversinglabs Corporation Portable executable file analysis
US8572740B2 (en) 2009-10-01 2013-10-29 Kaspersky Lab, Zao Method and system for detection of previously unknown malware
TW201137660A (en) * 2009-12-23 2011-11-01 Ibm Method and system for protecting an operating system against unauthorized modification
CN101826139B (zh) * 2009-12-30 2012-05-30 厦门市美亚柏科信息股份有限公司 Method and apparatus for detecting trojan horses embedded in non-executable files
US8468602B2 (en) 2010-03-08 2013-06-18 Raytheon Company System and method for host-level malware detection
US20120036569A1 (en) * 2010-04-05 2012-02-09 Andrew Cottrell Securing portable executable modules
KR101122650B1 (ko) * 2010-04-28 2012-03-09 한국전자통신연구원 Apparatus, system and method for detecting malicious code disguised and injected into a normal process
AU2011293160B2 (en) * 2010-08-26 2015-04-09 Verisign, Inc. Method and system for automatic detection and analysis of malware
TW201220186A (en) * 2010-11-04 2012-05-16 Inventec Corp Data protection method for damaged memory cells
US8955132B2 (en) 2011-04-14 2015-02-10 F-Secure Corporation Emulation for malware detection
RU2487405C1 (ru) * 2011-11-24 2013-07-10 Закрытое акционерное общество "Лаборатория Касперского" System and method for correcting antivirus records
US9614865B2 (en) * 2013-03-15 2017-04-04 Mcafee, Inc. Server-assisted anti-malware client
EP2784716A1 (en) * 2013-03-25 2014-10-01 British Telecommunications public limited company Suspicious program detection

Also Published As

Publication number Publication date
WO2014035857A1 (en) 2014-03-06
JP2016105310A (ja) 2016-06-09
US20140068774A1 (en) 2014-03-06
JP2015523668A (ja) 2015-08-13
EP2891104A1 (en) 2015-07-08
JP6165900B2 (ja) 2017-07-19
EP3422238A1 (en) 2019-01-02
EP3422238B1 (en) 2020-03-11
EP2891104B1 (en) 2018-10-10
US20160087998A1 (en) 2016-03-24
US9152788B2 (en) 2015-10-06
TWI554907B (zh) 2016-10-21
US9516056B2 (en) 2016-12-06
TW201409272A (zh) 2014-03-01
CN103632088A (zh) 2014-03-12

Similar Documents

Publication Publication Date Title
JP6165900B2 (ja) Detecting a malware process
US10810309B2 (en) Method and system for detecting kernel corruption exploits
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
US9514305B2 (en) Code pointer authentication for hardware flow control
CN103559446B (zh) Dynamic virus detection method and apparatus for Android-based devices
EP2666116B1 (en) System and method for supporting jit in a secure system with randomly allocated memory ranges
US20090172814A1 (en) Dynamic generation of integrity manifest for run-time verification of software program
JP2007529803A (ja) Method and device for controlling access to peripheral devices
JP2016081522A (ja) System and method for reducing information leakage from memory
CN102831339B (zh) Method, apparatus and browser for protecting against malicious attacks on web pages
CN105205413B (zh) Data protection method and apparatus
US11055168B2 (en) Unexpected event detection during execution of an application
US9942268B1 (en) Systems and methods for thwarting unauthorized attempts to disable security managers within runtime environments
TW202101262A (zh) Kernel security detection method, apparatus, device and storage medium
CN112395609B (zh) Method and apparatus for detecting application-layer shellcode
CN112395599B (zh) Attack detection method and apparatus for system kernel data, storage medium and computer device
EP3387535B1 (en) Apparatus and method for software self test
KR102411770B1 (ko) Apparatus and method for protecting an electronic device
WO2021026938A1 (zh) Shellcode detection method and apparatus
US11809550B2 (en) Electronic device and control method therefor
Chen et al. Vulnerability-based backdoors: Threats from two-step trojans
CN120145369A (zh) Kernel protection method, apparatus, electronic device and readable storage medium
CN114282178A (zh) Software self-protection method, apparatus, electronic device and storage medium
JP6594213B2 (ja) Control device and program
Hou et al. An Enhancement Method for Android Permission Mechanism based on Context

Legal Events

Date Code Title Description
A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20150323

A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20150128

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20151124

A871 Explanation of circumstances concerning accelerated examination

Free format text: JAPANESE INTERMEDIATE CODE: A871

Effective date: 20151124

A975 Report on accelerated examination

Free format text: JAPANESE INTERMEDIATE CODE: A971005

Effective date: 20151218

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20151224

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20160112

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20160203

R150 Certificate of patent or registration of utility model

Ref document number: 5882542

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

LAPS Cancellation because of no payment of annual fees