TW202205116A - Method for detecting malicious attacks and network security management device - Google Patents

Publication number: TW202205116A
Authority: TW (Taiwan)
Application number: TW109125349A
Other languages: Chinese (zh)
Other versions: TWI741698B (granted patent)
Inventors: 鄭棕翰, 熊永菁, 陳奕明
Original assignee: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Abstract

The invention provides a method for detecting malicious attacks by combining static and dynamic analysis and a network security management device. The method includes: extracting specific static analysis data of an unknown application, and determining whether the unknown application is a benign application or a malicious application based on the specific static analysis data; in response to determining that the unknown application is a malicious application, collecting specific dynamic analysis data of the unknown application, and determining a malware family to which the unknown application belongs based on the specific dynamic analysis data.

Description

Method and network security management device for detecting malicious attacks

The present invention relates to a network security technology, and more particularly to a method and a network security management device for detecting malicious attacks by combining static and dynamic analysis.

With the advancement of technology, the improved performance and diversified functions of smart devices have made people's lives increasingly dependent on them. However, because smart devices store a great deal of personal private information, they have also become targets for hackers. As the number of malicious applications and the techniques for morphing them grow daily, analyzing applications by manpower alone is not feasible. Moreover, static analysis techniques cannot analyze applications that have undergone obfuscation, and they overlook malicious behavior that occurs during execution. Conversely, dynamic analysis has the drawback of consuming large amounts of time and computing resources.

In view of this, the present invention provides a method and a network security management device for detecting malicious attacks by combining static and dynamic analysis, which can be used to solve the technical problems described above.

The present invention provides a method for detecting malicious attacks by combining static and dynamic analysis, suitable for a network security management device, comprising: extracting specific static analysis data of an unknown application, and determining, based on the specific static analysis data, whether the unknown application is a benign application or a malicious application; and, in response to determining that the unknown application is a malicious application, collecting specific dynamic analysis data of the unknown application and determining, based on the specific dynamic analysis data, the malware family to which the unknown application belongs.

The present invention provides a network security management device, which includes a storage circuit and a processor. The storage circuit stores a plurality of modules. The processor is coupled to the storage circuit and accesses the modules to perform the following steps: extracting specific static analysis data of an unknown application, and determining, based on the specific static analysis data, whether the unknown application is a benign application or a malicious application; and, in response to determining that the unknown application is a malicious application, collecting specific dynamic analysis data of the unknown application and determining, based on the specific dynamic analysis data, the malware family to which the unknown application belongs.

In summary, the objective of the present invention is to build a mechanism that can automatically detect malicious applications and identify the malware family to which a malicious application belongs. The network security management device proposed by the present invention performs a preliminary static detection before analyzing an application, filtering out the risky malicious programs. This greatly reduces the number of applications for which dynamic data must be collected during dynamic analysis, which speeds up the entire dynamic analysis process. Furthermore, multiple kinds of packet features are extracted simultaneously from the execution activity of the application, improving the accuracy of dynamic network packet analysis and detection while lowering the false positive rate. The mechanism is capable of classifying malware families. Since different malware families exhibit different malicious behaviors, the classification results are used to find the commonalities among samples within the same family and further summarize the behaviors and characteristics of each malware family. Regardless of how a malicious application has been altered by obfuscation techniques, the system can detect malicious applications with similar malicious behaviors and characteristics. As new intelligence is fed back into the threat intelligence database, the classifier produced at the next modeling round classifies more and more accurately because of the added intelligence. Further description follows.

Please refer to FIG. 1A, which is a schematic diagram of a network security system architecture according to an embodiment of the present invention. As shown in FIG. 1A, the network security system architecture of the present invention may include a network security management device 100, a network device 190, an external application resource pool 195 and a plurality of electronic devices 199. In one embodiment, when an enterprise wishes to detect and block the threat of malicious applications by the method for detecting malicious attacks proposed by the present invention, the network security management device 100 can be deployed at the enterprise's internal network gateway. By periodically ingesting and analyzing the external application resource pool 195, the network security management device 100 can periodically produce an application blacklist and whitelist for the enterprise's network device 190 (for example, a firewall or a proxy server). In addition, the enterprise's network device 190 can have applications that are on neither list (for example, the unknown application P1) analyzed by the network security management device 100.

In different embodiments, each electronic device 199 may be an Internet of Things device, any kind of smart device, or another device that needs to download applications from the external application resource pool 195, but is not limited thereto.

Please refer to FIG. 1B, which is a schematic diagram of a network security management device according to an embodiment of the present invention. As shown in FIG. 1B, the network security management device 100 may include a threat intelligence database 11, a static analysis module 12, a first model training module 13, a dynamic analysis module 14, a second model training module 15 and an intelligence collection module 16.

In one embodiment, the intelligence collection module 16 may be used to receive application intelligence from different sources. The application intelligence sources are trusted internal and external data, whose content includes known benign applications (for example, the Google™ Store Top 1000), malicious applications (for example, Drebin) and the unknown application P1. It may also integrate other data useful to the system's classification, such as the static analysis data and dynamic analysis data generated for applications and newly identified malicious applications, but is not limited thereto.

The threat intelligence database 11 may be used to store application intelligence from different sources, such as known benign/malicious applications and the unknown application P1.

In FIG. 1B, the static analysis module 12 may be used to perform static analysis on the unknown application P1 to preliminarily determine whether the unknown application P1 is a benign application or a malicious application. If the unknown application P1 is a benign application, the intelligence collection module 16 may record the information of the unknown application P1 accordingly, but is not limited thereto. On the other hand, if the static analysis module 12 determines that the unknown application P1 is a malicious application, the dynamic analysis module 14 may accordingly be used to perform dynamic analysis on the unknown application P1 to determine the malware family to which the unknown application P1 belongs. Further description is given below with reference to FIG. 2.

Please refer to FIG. 2, which is a flowchart of a method for detecting malicious attacks by combining static and dynamic analysis according to an embodiment of the present invention. The method of this embodiment can be executed by the network security management device 100 of FIG. 1A and FIG. 1B; the details of each step in FIG. 2 are described below with reference to the elements shown in FIG. 1A and FIG. 1B.

In one embodiment, assume that the electronic device 199 wishes to download the unknown application P1 (for example, an update program) from the external application resource pool 195. In this case, when the electronic device 199 issues a download request for the unknown application P1, the network device 190 and the network security management device 100 may first execute a certain mechanism to determine whether the electronic device 199 should be allowed to download the unknown application P1.

For example, the network device 190 may store a blacklist/whitelist of various applications. If the unknown application P1 is determined to belong to the blacklist, the network device 190 may forbid the electronic device 199 from downloading the unknown application P1. On the other hand, if the unknown application P1 is determined to belong to the whitelist, the network device 190 may accordingly allow the electronic device 199 to download the unknown application P1, but the present invention is not limited thereto.

In other embodiments, if the unknown application P1 is determined to belong to neither the blacklist nor the whitelist, the network security management device 100 may accordingly execute the method of FIG. 2 to perform the relevant static/dynamic analysis on the unknown application P1.

Specifically, in step S210, the static analysis module 12 may extract the specific static analysis data SD1 of the unknown application P1 and determine, based on the specific static analysis data SD1, whether the unknown application P1 is a benign application or a malicious application.

In FIG. 1B, the static analysis module 12 may include a static analysis data feature extraction module 121 and a benign/malicious application detection model 122. In one embodiment, the specific static analysis data SD1 is, for example, the permission data of the unknown application P1, but is not limited thereto. In this case, the static analysis data feature extraction module 121 may, for example, use the `aapt dump permissions` command to extract the list of permissions declared by the unknown application P1. In one embodiment, the declared permission list of the unknown application P1 may take the form shown in Table 1 below, but the present invention is not limited thereto.

Table 1
Permission list
android.permission.INTERACT_ACROSS_USERS_FULL
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
android.permission.WRITE_SETTINGS
android.permission.CALL_PHONE

The static analysis data feature extraction module 121 may then convert the extracted permission list into a corresponding permission vector to serve as the specific static analysis data SD1, but is not limited thereto. In other embodiments, the specific static analysis data SD1 may also be the OpCode of the unknown application P1 or other application static analysis data well known to those skilled in the art.
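The permission-list-to-vector step of module 121, as an added example that is not the patent's own code: it parses the output of `aapt dump permissions`, de-duplicates the declared permissions, and maps them onto a fixed vocabulary so the vector has the same layout the detection model 122 was trained on. The vocabulary, the sample dump and the package name are constructed for illustration.

```python
"""Permission vector for the static stage (S210). Added example; the fixed
vocabulary, the sample aapt output and the package name are assumptions."""
import re
from typing import Dict, List

# One slot per permission the model was trained on. In a real deployment this
# list is derived from the training set (data set 131) and frozen with the
# model, so that vectors at inference time line up with it (assumption).
PERMISSION_VOCAB: List[str] = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.INTERACT_ACROSS_USERS_FULL",
]

# `aapt dump permissions app.apk` prints one line per declared permission:
#   uses-permission: name='android.permission.X'
# Older aapt builds omit the name= wrapper, and API-23-only permissions are
# printed as uses-permission-sdk-23; the pattern accepts all three forms.
_PERM_LINE = re.compile(
    r"^\s*uses-permission(?:-sdk-23)?:\s*(?:name=)?'?([A-Za-z0-9_.]+)'?")


def parse_aapt_permissions(dump: str) -> List[str]:
    """Declared permission names from aapt output, de-duplicated and kept in
    declaration order. Non-permission lines ('package:', blanks) are skipped."""
    seen: Dict[str, None] = {}
    for line in dump.splitlines():
        m = _PERM_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def permissions_to_vector(perms: List[str]) -> List[int]:
    """Binary vector over PERMISSION_VOCAB (1 = declared). Permissions outside
    the vocabulary cannot be represented and are dropped here."""
    declared = set(perms)
    return [1 if p in declared else 0 for p in PERMISSION_VOCAB]


def unknown_permissions(perms: List[str]) -> List[str]:
    """Declared permissions the vocabulary does not cover (vendor or custom
    permissions). Worth surfacing: a growing list means the vocabulary, and
    hence the model, needs retraining on fresher intelligence."""
    return [p for p in perms if p not in PERMISSION_VOCAB]


# Constructed aapt output mirroring Table 1, plus one custom permission and a
# duplicate line to exercise the de-duplication (not a real capture).
SAMPLE_DUMP = """package: com.example.updater
uses-permission: name='android.permission.INTERACT_ACROSS_USERS_FULL'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='com.example.vendor.permission.CUSTOM'
uses-permission: name='android.permission.CALL_PHONE'
"""


def sample_vector() -> List[int]:
    """Vector SD1 for the constructed sample."""
    return permissions_to_vector(parse_aapt_permissions(SAMPLE_DUMP))


if __name__ == "__main__":
    perms = parse_aapt_permissions(SAMPLE_DUMP)
    print(perms)
    print(sample_vector())
    print("not in vocabulary:", unknown_permissions(perms))
```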

The static analysis data feature extraction module 121 may then feed the specific static analysis data SD1 into the benign/malicious application detection model 122, so that the benign/malicious application detection model 122 determines, according to the specific static analysis data SD1, whether the unknown application P1 is a benign application or a malicious application.

In one embodiment, the benign/malicious application detection model 122 is, for example, a machine learning model (for example, a random forest model), which may have been trained in advance by the first model training module 13 based on the static analysis data of a plurality of known applications.

For example, the first model training module 13 may include a benign/malicious application data set 131, a static data feature extraction module 132 and a machine learning algorithm module 133. In one embodiment, the first model training module 13 may obtain a plurality of known applications (including a plurality of known benign applications and a plurality of known malicious applications) from the threat intelligence database 11 and store them in the benign/malicious application data set 131. The first model training module 13 may then extract the static data (for example, permissions, OpCode, etc.) of each known application through the static data feature extraction module 132.

The first model training module 13 may then, for example, train the benign/malicious application detection model 122 through the machine learning algorithm module 133 based on the static analysis data of each known benign application and the static analysis data of each known malicious application. Accordingly, the benign/malicious application detection model 122 learns the benign static analysis data features from the static analysis data of each known benign application, and learns the malicious static analysis data features from the static analysis data of each known malicious application.

Therefore, when the benign/malicious application detection model 122 receives the specific static analysis data SD1, it can accordingly determine whether the unknown application P1 is a benign application or a malicious application, but the present invention is not limited thereto.

In one embodiment, if the unknown application P1 is determined to be a benign application, this means that the unknown application P1 should be safe for the electronic device 199, so the static analysis module 12 may accordingly allow the electronic device 199 to download the unknown application P1, but is not limited thereto.

On the other hand, if the unknown application P1 is determined to be a malicious application, this means that the unknown application P1 raises security concerns for the electronic device 199, so the static analysis module 12 may accordingly forbid the electronic device 199 from downloading the unknown application P1, and the network security management device 100 may proceed to execute step S220 through the dynamic analysis module 14 to perform subsequent dynamic analysis on the unknown application P1 that has been determined to be malicious.

As shown in FIG. 2, in step S220, in response to determining that the unknown application P1 is a malicious application, the dynamic analysis module 14 may collect the specific dynamic analysis data DD1 of the unknown application P1 and determine, based on the specific dynamic analysis data DD1, the malware family to which the unknown application P1 belongs.

Specifically, as shown in FIG. 1B, the dynamic analysis module 14 includes a dynamic data feature extraction module 141 and a software family classification model 142. In one embodiment, the dynamic data feature extraction module 141 may be used to extract the specific dynamic analysis data DD1 of the unknown application P1. In different embodiments, the specific dynamic analysis data DD1 is, for example, the network traffic content of the unknown application P1 or feature data related to its system calls, but is not limited thereto.

In one embodiment, the network traffic content may include Domain Name System (DNS) packet content, Hypertext Transfer Protocol (HTTP) packet content, Transmission Control Protocol (TCP) packet content and other packet content. The various packet contents are exemplified in Table 2 below, but are not limited thereto.

Table 2
Network traffic   Content
TCP packets       - number of upstream/downstream packets
                  - upstream/downstream traffic volume
                  - average upstream/downstream traffic per packet
                  - connection IP
HTTP packets      - HOST
                  - Request-URI
                  - Request-Method
                  - User-Agent
DNS packets       - Domain Name
Other packets     - privacy leak type
                  - IP reputation score

In addition, the other packet content may further take the form shown in Table 3 below, but is not limited thereto.

Table 3
Category               Content
Privacy leak types     name, mac address, videos, date of birth, phone, passwords, gender, passport number, email, contacts, photos, employment info, ssn, listofapps, IMEI, SIM serial number, address, location, IMSI, credit card
Privacy leak content   IMEI, contact information
IP reputation score    detected_url, detected_communicating, detected_download

In some embodiments, the packet contents above may be obtained, for example, by installing the unknown application P1 in an Android emulator, generating events with the monkey tool to trigger the malicious behavior, and capturing the relevant network packets with tcpdump; the features of the DNS packets, TCP packets, HTTP packets and other network packet content are then extracted separately from the .pcap file. In addition, in one embodiment, the IP reputation score may be retrieved through the VirusTotal application programming interface (API), but is not limited thereto.

In one embodiment, after the required network traffic content has been obtained, the dynamic data feature extraction module 141 may extract its features as the specific dynamic analysis data DD1, but is not limited thereto. The dynamic data feature extraction module 141 may then feed the specific dynamic analysis data DD1 into the software family classification model 142, so that the software family classification model 142 determines the malware family to which the unknown application P1 belongs.
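The feature aggregation of module 141 over one sandboxed run, as an added example that is not the patent's code: it folds already-decoded packets into the TCP, HTTP, DNS and privacy-leak features of Tables 2 and 3, attributing a leak by matching identity values planted in the emulator against outbound HTTP requests. The packet record layout, the emulator address, the planted values and the sample run are constructed assumptions; a real pipeline would decode them from the tcpdump .pcap, and the IP reputation score (fetched from VirusTotal in the patent) is left out.

```python
"""Per-protocol traffic features for the dynamic stage (S220). Added example;
packet layout, emulator IP, planted identity values and the run are assumed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

DEVICE_IP = "10.0.2.15"  # default Android emulator guest address (assumption)

# Identity values planted in the emulator before the run, so that their
# appearance in outbound traffic can be attributed as a leak (constructed).
PLANTED_IDENTITY: Dict[str, str] = {
    "IMEI": "356938035643809",
    "phone": "15555215554",
    "email": "victim@example.com",
}


@dataclass
class Packet:
    src: str
    dst: str
    length: int                             # bytes on the wire
    proto: str                              # "tcp" or "udp"
    http: Optional[Dict[str, str]] = None   # decoded HTTP request, if any
    dns_qname: Optional[str] = None         # DNS query name, if any


@dataclass
class TrafficFeatures:
    up_packets: int = 0
    down_packets: int = 0
    up_bytes: int = 0
    down_bytes: int = 0
    peer_ips: List[str] = field(default_factory=list)      # connection IPs
    http_hosts: List[str] = field(default_factory=list)
    http_uris: List[str] = field(default_factory=list)
    http_methods: Counter = field(default_factory=Counter)
    user_agents: List[str] = field(default_factory=list)
    dns_names: List[str] = field(default_factory=list)
    leak_types: List[str] = field(default_factory=list)    # Table 3 categories

    @property
    def avg_up_bytes(self) -> float:
        return self.up_bytes / self.up_packets if self.up_packets else 0.0

    @property
    def avg_down_bytes(self) -> float:
        return self.down_bytes / self.down_packets if self.down_packets else 0.0


def _add_unique(lst: List[str], item: str) -> None:
    if item not in lst:
        lst.append(item)


def _leaks_in(text: str) -> List[str]:
    """Planted identity values found in an outbound request (URI, headers, body)."""
    decoded = unquote(text)
    return [kind for kind, value in PLANTED_IDENTITY.items() if value in decoded]


def extract_features(packets: List[Packet], device_ip: str = DEVICE_IP) -> TrafficFeatures:
    f = TrafficFeatures()
    for p in packets:
        outbound = p.src == device_ip
        if p.proto == "tcp":            # volume features, split by direction
            if outbound:
                f.up_packets += 1
                f.up_bytes += p.length
                _add_unique(f.peer_ips, p.dst)
            else:
                f.down_packets += 1
                f.down_bytes += p.length
                _add_unique(f.peer_ips, p.src)
        if p.http and outbound:         # HTTP request features + leak check
            _add_unique(f.http_hosts, p.http.get("host", ""))
            _add_unique(f.http_uris, p.http.get("uri", ""))
            f.http_methods[p.http.get("method", "")] += 1
            _add_unique(f.user_agents, p.http.get("user_agent", ""))
            for kind in _leaks_in(" ".join(p.http.values())):
                _add_unique(f.leak_types, kind)
        if p.dns_qname and outbound:    # DNS query names, normalised
            _add_unique(f.dns_names, p.dns_qname.rstrip(".").lower())
    return f


# Constructed run: a DNS lookup, a TCP session carrying a POST that sends the
# planted IMEI and phone number, and a small GET to a second host.
SAMPLE_RUN: List[Packet] = [
    Packet(DEVICE_IP, "10.0.2.3", 74, "udp", dns_qname="c2.example.net."),
    Packet("10.0.2.3", DEVICE_IP, 90, "udp"),
    Packet(DEVICE_IP, "203.0.113.10", 74, "tcp"),
    Packet("203.0.113.10", DEVICE_IP, 74, "tcp"),
    Packet(DEVICE_IP, "203.0.113.10", 512, "tcp", http={
        "method": "POST", "host": "c2.example.net", "uri": "/gate.php",
        "user_agent": "Dalvik/2.1.0", "body": "imei=356938035643809&tel=15555215554"}),
    Packet("203.0.113.10", DEVICE_IP, 200, "tcp"),
    Packet(DEVICE_IP, "198.51.100.7", 300, "tcp", http={
        "method": "GET", "host": "ads.example.org", "uri": "/a?id=1",
        "user_agent": "Dalvik/2.1.0"}),
    Packet("198.51.100.7", DEVICE_IP, 1400, "tcp"),
]


def sample_features() -> TrafficFeatures:
    """Feature set DD1 for the constructed run."""
    return extract_features(SAMPLE_RUN)


if __name__ == "__main__":
    feats = sample_features()
    print(feats)
    print("avg up/down bytes:", feats.avg_up_bytes, feats.avg_down_bytes)
```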

In one embodiment, the software family classification model 142 is, for example, a machine learning model (for example, a random forest model), which may have been trained in advance by the second model training module 15 based on the dynamic analysis data of a plurality of known applications.

For example, the second model training module 15 may include an application data set 151 of known software families, a dynamic data feature extraction module 152 and a machine learning algorithm module 153. In one embodiment, the second model training module 15 may obtain a plurality of known applications (including a plurality of known benign applications and a plurality of known malicious applications), together with the software family to which each belongs, from the threat intelligence database 11 and store them in the application data set 151 of known software families. The second model training module 15 may then extract the dynamic data (for example, network traffic content, system calls, etc.) of each known application through the dynamic data feature extraction module 152.

The second model training module 15 may then, for example, train the software family classification model 142 through the machine learning algorithm module 153 based on the dynamic data of each known benign application, the dynamic data of each known malicious application and the software family to which each belongs. After the training of the software family classification model 142 is complete, when the software family classification model 142 receives the specific dynamic analysis data DD1, it can accordingly determine the malware family to which the unknown application P1 belongs, but the present invention is not limited thereto.

In an embodiment of the present invention, the software families considered may include, for example, the 11 families "BaseBridge", "DroidKungFu", "Plankton", "FakeDoc", "Iconosys", "Opfake", "FakeInstaller", "FakeRun", "Gappusin", "MobileTx" and "Benign". Apart from "Benign", which is the benign software family, the remaining 10 are all malware families, but the present invention is not limited thereto.

After the malware family to which the unknown application P1 belongs has been determined, the network security management device 100 can accordingly provide the related information to security personnel for reference, so that they can take the corresponding network defense measures more efficiently.

In addition, experiments confirm that the method of the present invention achieves better software family classification accuracy and efficiency than conventional approaches that perform only static analysis or only dynamic analysis.

Specifically, in one embodiment, the benign/malicious application detection model 122 may first be trained on, for example, 1000 benign applications and 1024 malicious applications, while the software family classification model 142 may first be trained on, for example, 1410 known applications. In this embodiment, the 1410 known applications may include, for example, 50 benign applications and 1360 malicious applications belonging to the 10 malware families above, but are not limited thereto.

The network security management device 100 of the present invention may then be used to identify 100 malicious applications and 100 benign applications. That is, the network security management device 100 treats each of the 100 malicious applications and 100 benign applications as an unknown application (i.e., 200 unknown applications in total) and performs the static analysis and dynamic analysis taught above on each of them.

To substantiate the identification performance of the present invention, the detection results of the present invention and those of the prior art (for example, a method using only dynamic analysis) are illustrated in Table 5 below.

Table 5
                                  Misjudged applications   Time spent collecting dynamic data   Accuracy
Method of the present invention   11                       1,900 minutes                        94.5%
Dynamic analysis only             14                       4,000 minutes                        93%

In testing, the method of the present invention determined 105 of the 200 unknown applications to be benign in the static analysis (i.e., step S210), meaning that 5 malicious applications were misjudged as benign, and then spent about 1900 minutes in the dynamic analysis (i.e., step S220) collecting the specific dynamic analysis data of the remaining 95 unknown applications that had been determined to be malicious. Among these 95 unknown applications, the software family of 6 was misclassified. Thus the method of the present invention misjudged a total of 11 unknown applications.

By comparison, if only dynamic analysis were applied to the 200 unknown applications, about 4000 minutes would be needed to collect their dynamic data, and 14 unknown applications would be misjudged. It follows that the method of the present invention not only saves considerable time in collecting dynamic data but also improves the accuracy of software family classification.

Furthermore, although the prior art includes methods that use network traffic content for malicious threat detection, most of them consider only a single kind of network traffic content (for example, only one of HTTP packet content, TCP packet content, DNS packet content or other packet content), overlooking the fact that other kinds of network traffic content also help reveal malware characteristics.

Since the present invention can consider HTTP packet content, TCP packet content, DNS packet content and other packet content together when performing dynamic analysis, it achieves more accurate detection results by comparison.

In addition, because capturing network traffic content is quite resource-intensive, directly extracting the network traffic content of every unknown application is not practical.

However, since the present invention first identifies, through static analysis, which unknown applications are malicious before dynamic analysis is performed, dynamic analysis need only be carried out on the unknown applications judged to be malicious. This makes it feasible to consider multiple kinds of network traffic content at the same time, which in turn improves recognition accuracy.
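As an added illustration (not code from the patent), the following Python models the two-stage cascade described above with stand-in classifiers: a permission-count rule for the static stage and a nearest-profile match over DNS, HTTP, TCP and address-reputation attributes for the family stage. The sample applications, their permissions, traffic attributes and family names are constructed; the 20-minute capture cost per application is derived from Table 5 (1,900 min / 95 apps, 4,000 min / 200 apps).

```python
from dataclasses import dataclass
RISKY_PERMS = {"SEND_SMS", "READ_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED"}  # stage-1 rule (constructed)
# Stage-2 profiles over the traffic kinds the patent names (DNS, HTTP, TCP content, address reputation);
# the "benign" profile stands for ordinary app traffic. All values are constructed.
PROFILES = {
    "benign": {"dns_tld": "com", "http_ua": "Chrome", "tcp_port": 443,  "ip_rep": "good"},
    "FamA":   {"dns_tld": "ru",  "http_ua": "okhttp", "tcp_port": 8080, "ip_rep": "low"},
    "FamB":   {"dns_tld": "cn",  "http_ua": "Dalvik", "tcp_port": 443,  "ip_rep": "low"},
}
MINUTES_PER_CAPTURE = 20  # from Table 5: 1900 min / 95 apps, 4000 min / 200 apps

@dataclass
class App:
    name: str
    perms: set     # specific static analysis data (requested permissions)
    traffic: dict  # specific dynamic analysis data, read only if the app is sandboxed
    truth: str     # evaluation label: "benign" or a family name

def static_verdict(app):
    """Stage 1 stand-in: two or more risky permissions -> malicious."""
    return "malicious" if len(app.perms & RISKY_PERMS) >= 2 else "benign"

def family_verdict(traffic):
    """Stage 2 stand-in: the profile sharing the most attributes with the captured traffic."""
    return max(PROFILES, key=lambda f: sum(traffic.get(k) == v for k, v in PROFILES[f].items()))

def run_cascade(apps):
    """Screen every app statically; capture traffic and classify only the flagged ones."""
    s = {"static_benign": 0, "missed_malware": 0, "captured": 0, "family_errors": 0, "minutes": 0}
    for app in apps:
        if static_verdict(app) == "benign":
            s["static_benign"] += 1
            s["missed_malware"] += int(app.truth != "benign")  # false negative, never sandboxed
            continue
        s["captured"] += 1
        s["minutes"] += MINUTES_PER_CAPTURE
        s["family_errors"] += int(family_verdict(app.traffic) != app.truth)
    s["errors"] = s["missed_malware"] + s["family_errors"]  # the "misjudged" count of Table 5
    return s

def run_dynamic_only(apps):
    """Baseline: sandbox every app and label each one from traffic alone."""
    return {"minutes": len(apps) * MINUTES_PER_CAPTURE,
            "errors": sum(family_verdict(a.traffic) != a.truth for a in apps)}

def traffic(tld, ua, port, rep):
    return {"dns_tld": tld, "http_ua": ua, "tcp_port": port, "ip_rep": rep}

SAMPLE_APPS = [  # constructed sample set, not real applications
    App("notes",   {"INTERNET"},                          traffic("com", "Chrome", 443, "good"), "benign"),
    App("weather", {"INTERNET", "ACCESS_FINE_LOCATION"},  traffic("ru", "okhttp", 8080, "good"), "benign"),
    App("vpn",     {"INTERNET", "ACCESS_NETWORK_STATE"},  traffic("cn", "Dalvik", 443, "good"),  "benign"),
    App("smsbot",  {"INTERNET", "SEND_SMS", "READ_SMS"},  traffic("ru", "okhttp", 8080, "low"),  "FamA"),
    App("dropper", {"INTERNET", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED"}, traffic("cn", "Dalvik", 443, "low"), "FamB"),
    App("stealth", {"INTERNET", "READ_CONTACTS"},         traffic("ru", "okhttp", 8080, "low"),  "FamA"),  # slips past stage 1
    App("fakeav",  {"INTERNET", "SEND_SMS", "READ_CONTACTS"}, traffic("cn", "okhttp", 8080, "low"), "FamB"),  # mixed traffic
]
```

On the constructed set the cascade sandboxes only the three flagged apps (60 minutes) and counts one static false negative plus one family error, while the dynamic-only baseline pays the capture cost for all seven apps (140 minutes) and additionally mislabels the two benign apps whose traffic looks unusual.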

Refer to FIG. 3, which is an accuracy comparison diagram according to an embodiment of the present invention. As shown in FIG. 3, the approach of the present invention, which considers multiple kinds of network traffic content together, achieves higher recognition accuracy than an approach that considers a single kind only.

In summary, the present invention has at least the following features: (1) a malware detection and classification system is built by collecting public and private applications; (2) combining static and dynamic analysis saves analysis resources for unknown applications and improves accuracy; (3) the accuracy of dynamic network packet analysis and detection is improved while the misjudgment rate is reduced; (4) identifying the malware family to which a malicious application belongs helps security personnel summarize family characteristics and then establish and enforce defensive strategies.

Furthermore, the network security management device of the present invention can be deployed within an enterprise and can automatically analyze and model public and private applications in order to analyze and detect unknown applications. In addition, the threat intelligence on malicious applications obtained by the method of the present invention can be provided, as a trusted third-party blacklist, to network equipment such as firewalls and proxy servers for blacklist matching, so that downloads can be blocked.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the invention. Anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the appended claims.

100: network security management device
11: threat intelligence database
12: static analysis module
121: static analysis data feature extraction module
122: benign/malicious application detection model
13: first model training module
131: benign/malicious application data set
132: static data feature extraction module
133: machine learning algorithm module
14: dynamic analysis module
141: dynamic data feature extraction module
142: software family classification model
15: second model training module
16: intelligence collection module
190: network equipment
195: external application resource pool
199: electronic device
P1: unknown application
S210, S220: steps
SD1: specific static analysis data
DD1: specific dynamic analysis data

FIG. 1A is a schematic diagram of a network security system architecture according to an embodiment of the present invention.
FIG. 1B is a schematic diagram of a network security management device according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for detecting malicious attacks by combining static and dynamic analysis according to an embodiment of the present invention.
FIG. 3 is an accuracy comparison diagram according to an embodiment of the present invention.


Claims (12)

1. A method for detecting malicious attacks by combining static and dynamic analysis, suitable for a network security management device, comprising: extracting specific static analysis data of an unknown application, and determining, based on the specific static analysis data, whether the unknown application is a benign application or a malicious application; and in response to determining that the unknown application is a malicious application, collecting specific dynamic analysis data of the unknown application, and determining, based on the specific dynamic analysis data, a malware family to which the unknown application belongs.

2. The method of claim 1, wherein the step of determining, based on the specific static analysis data, whether the unknown application is the benign application or the malicious application comprises: feeding the specific static analysis data into a pre-trained benign/malicious application detection model, wherein the benign/malicious application detection model determines, in response to the specific static analysis data, whether the unknown application is the benign application or the malicious application.

3. The method of claim 2, further comprising: obtaining a plurality of known applications from a threat intelligence database and extracting static analysis data of each known application, wherein the known applications comprise a plurality of known benign applications and a plurality of known malicious applications; and training the benign/malicious application detection model on the static analysis data of each known benign application and the static analysis data of each known malicious application, wherein the benign/malicious application detection model learns benign static analysis data features from the static analysis data of each known benign application and learns malicious static analysis data features from the static analysis data of each known malicious application.

4. The method of claim 1, wherein the step of determining, based on the specific dynamic analysis data, the malware family to which the unknown application belongs comprises: feeding the specific dynamic analysis data into a pre-trained software family classification model, wherein the software family classification model determines, in response to the specific dynamic analysis data, the malware family to which the unknown application belongs.

5. The method of claim 4, further comprising: obtaining a plurality of known applications from a threat intelligence database and extracting dynamic analysis data of each known application, wherein the known applications comprise a plurality of known benign applications and a plurality of known malicious applications, and each known application belongs to a corresponding software family; and training the software family classification model on the dynamic analysis data and software family of each known benign application and the dynamic analysis data and software family of each known malicious application.

6. The method of claim 1, wherein the specific dynamic analysis data comprises a plurality of kinds of network traffic content of the unknown application.

7. The method of claim 6, wherein the kinds of network traffic content comprise Domain Name System packet content, Hypertext Transfer Protocol packet content and Transmission Control Protocol packet content.

8. The method of claim 7, wherein the kinds of network traffic content further comprise at least one of a privacy leak type, privacy leak content and a protocol address reputation score.

9. The method of claim 1, wherein the step of extracting the specific static analysis data of the unknown application comprises: extracting the specific static analysis data of the unknown application in response to a download request for the unknown application issued by an electronic device, wherein the unknown application has already passed black/white list verification.

10. The method of claim 9, wherein, in response to determining that the unknown application is the benign application, the method further comprises: allowing the electronic device to download the unknown application.

11. The method of claim 9, wherein, in response to determining that the unknown application is the malicious application, the method further comprises: prohibiting the electronic device from downloading the unknown application.

12. A network security management device, comprising: a static analysis module that extracts specific static analysis data of an unknown application and determines, based on the specific static analysis data, whether the unknown application is a benign application or a malicious application; and a dynamic analysis module that, in response to the static analysis module determining that the unknown application is a malicious application, collects specific dynamic analysis data of the unknown application and determines, based on the specific dynamic analysis data, a malware family to which the unknown application belongs.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109125349A TWI741698B (en) 2020-07-28 2020-07-28 Method for detecting malicious attacks and network security management device

Publications (2)

Publication Number Publication Date
TWI741698B TWI741698B (en) 2021-10-01
TW202205116A true TW202205116A (en) 2022-02-01

Family

ID=80782353
