WO2013152672A1 - Method and device for monitoring virus trend abnormality (病毒趋势异常的监控方法及装置) - Google Patents
- Publication number: WO2013152672A1 (application PCT/CN2013/073357)
- Authority: WO (WIPO (PCT))
- Prior art keywords: virus, hits, residual, hit, moving average
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/561—Virus type analysis
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications > H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
- H04L41/14—Network analysis or design > H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- The present invention relates to the field of computer technology, and in particular to a method and apparatus for monitoring abnormal virus trends.
Background
- Computer viruses are regularly checked and killed by an anti-virus engine, which limits the growth of a virus to a certain extent.
- If the number of a given virus that the anti-virus engine kills deviates sharply from its previous trend within a short period, one of the following abnormal conditions may be present: if the count rises sharply, the virus may be about to break out on a large scale; if the count drops sharply, the engine's ability to recognise the virus may have been reduced or lost, or the virus may have begun to mutate. Monitoring the virus's development trend for such abnormalities is therefore important for preventing large-scale outbreaks.
- The prior art monitors the number of virus samples or the growth rate of virus samples: a threshold is set for each virus, and an abnormality in the virus's development trend is declared when the sample count, or its growth rate, exceeds that threshold.
- Because such a threshold has to be learned from a large amount of historical data for each virus, timely and effective monitoring of new or variant viruses is not possible.
Summary of the invention
- Embodiments of the present invention provide a method and apparatus for monitoring abnormal virus trends, which enable timely and effective monitoring of all kinds of viruses.
- In the method, the number of hits obtained each time the virus is checked and killed is obtained; an M-day moving average is computed over the hit counts; the standardized residual of each hit count against its M-day moving average is calculated; and, when the standardized residual exceeds a first preset threshold, the time point at which that hit count was generated is identified as an abnormal point in the virus's development trend.
- A monitoring device for abnormal virus trends includes:
- an obtaining module, configured to obtain the number of hits obtained each time the virus is checked and killed;
- an operation module, configured to perform an M-day moving average operation over the hit counts of the virus and obtain the value of each M-day moving average, where M is a positive integer;
- the operation module is further configured to calculate the standardized residual of each hit count of the virus against its corresponding M-day moving average;
- an identifying module, configured to identify, when the standardized residual is greater than the first preset threshold, the time point at which the hit count corresponding to that standardized residual was generated as an abnormal point in the virus's development trend.
- Taking M = 7 as an example: the 7-day moving average is computed over the hit counts of the virus, and the standardized residual of each hit count against its corresponding 7-day moving average is calculated.
- Because the standardized residuals obtained with the 7-day moving average follow a normal distribution, a confidence interval can be used to decide accurately whether a given hit count is abnormal, and hence whether the virus trend is abnormal.
- For example, the first preset threshold is set to 1.96, corresponding to the 95% confidence interval: when the standardized residual is greater than the first preset threshold, the time point at which the corresponding hit count was generated is identified as an abnormal point in the virus's development trend.
- The first preset threshold can thus be chosen according to the desired confidence interval. Unlike the prior art, the embodiment does not need a large amount of historical data to determine the threshold, so new and variant viruses can also be monitored accurately. Moreover, the check can be run each time a new hit count is obtained: if the standardized residual of the latest hit count against its 7-day moving average exceeds the first preset threshold, the latest hit count is abnormal, so timely and effective monitoring of all kinds of viruses is achieved.
Drawings
- FIG. 1 is a flowchart of a method for monitoring a virus trend abnormality according to Embodiment 1 of the present invention
- FIG. 2 is a flowchart of implementing Step 103 of a virus trend abnormality monitoring method according to Embodiment 1 of the present invention
- FIG. 3 is a flowchart of another method for monitoring a virus trend abnormality according to Embodiment 1 of the present invention
- FIG. 4 is a flowchart of another method for monitoring a virus trend abnormality according to Embodiment 1 of the present invention
- FIG. 5 is a schematic diagram of monitoring a virus trend by using a monitoring method provided by an embodiment of the present invention, and not monitoring an abnormality;
- FIG. 6 is a schematic diagram showing the effect of monitoring the trend of the virus by using the monitoring method provided by the embodiment of the present invention, and monitoring the abnormality and alarming;
- FIG. 7 is a schematic diagram showing another effect of monitoring the trend of the virus by using the monitoring method provided by the embodiment of the present invention, and monitoring the abnormality and alarming;
- FIG. 8 is a schematic diagram showing the effect of monitoring the trend of the virus by using the monitoring method shown in FIG. 4, where no alarm is issued because the condition that the residual $C_{N+1}$ exceed the preset amplitude is not satisfied;
- FIG. 9 is a schematic diagram showing the results of verifying that the normalized residual calculated by the method provided by the embodiment of the present invention conforms to a normal distribution
- FIG. 10 is a structural diagram of a monitoring device for abnormal virus trend according to Embodiment 2 of the present invention
- FIG. 11 is another structural diagram of a monitoring device for virus abnormality according to Embodiment 1 of the present invention.
- FIG. 12 is still another structural diagram of a monitoring apparatus for virus trend abnormality according to Embodiment 2 of the present invention. detailed description
- When a virus engine is used to periodically check and kill viruses, different virus engines kill different types of viruses.
- The method provided in the embodiments of the present invention can be used to monitor the development trend of each such virus; a single virus is taken as an example below.
- An embodiment of the present invention provides a method for monitoring a virus trend abnormality, including:
- The number of hits obtained each time the virus is checked and killed is obtained. The hit counts of the virus may be stored in a database in order of kill time, earliest first, in the format "Virus Engine ID - Virus ID - Date - Time Point - Number of Hits".
- For example, suppose N hit counts of virus B have already been stored in kill-time order and the latest hit count of virus B is 3354. The latest hit count is the (N+1)-th, and it is stored as "Virus Engine A - Virus B - February 21 - 12:08 - 3354", i.e. as the record following the N-th hit count obtained the last time virus engine A checked and killed virus B.
- The hit counts obtained each time the virus was checked and killed in a given period can then be read back from the database. The embodiment reads the latest N+1 hit counts of the virus from the database, the (N+1)-th being the hit count from the most recent check.
- The value of N can be a positive integer greater than 90.
- An M-day moving average operation is performed over the hit counts of the virus, and the value of each M-day moving average is obtained, where M is a positive integer. M = 7 is used as the example below; M may also take values such as 4, 5, 6, 8, 9, 10 or 11.
- Writing $x_j$ for the j-th hit count of the virus and $N+1$ for the total number of hit counts, the M-day moving average at the i-th hit count is computed from the i-th back to the (i-M+1)-th hit count:
  $$\mathrm{MA}_i = \frac{1}{M}\sum_{j=i-M+1}^{i} x_j,\qquad i \in [M,\,N+1],\ i \text{ a positive integer.}$$
- The residual of the i-th hit count against its M-day moving average is
  $$C_i = x_i - \mathrm{MA}_i,\qquad i \in [M,\,N+1].$$
- The mean of the most recent residuals is
  $$\bar{C} = \frac{1}{N-\max(M,\,N-L)}\sum_{i=\max(M,\,N-L)}^{N} C_i,\qquad L \in [1,\,N],\ L \text{ a positive integer,}$$
  and $S$ is the standard deviation of those residuals,
  $$S = \sqrt{\frac{1}{N-\max(M,\,N-L)-1}\sum_{i=\max(M,\,N-L)}^{N}\left(C_i-\bar{C}\right)^2}.$$
- The standardized residual of the (N+1)-th hit count against its M-day moving average (computed from the (N+1)-th back to the (N-M+2)-th hit count) is
  $$D_{N+1} = \frac{C_{N+1}-\bar{C}}{S}.$$
- When the standardized residual is greater than the first preset threshold, the time point at which the corresponding hit count was generated is identified as an abnormal point in the virus's development trend: if $D_{N+1}$ exceeds the first preset threshold, the time point at which the (N+1)-th hit count of the virus was generated is an abnormal point.
- The first preset threshold may be 1.96, corresponding to the 95% confidence interval, or 2.58, corresponding to the 99% confidence interval.
- In this way the M-day moving average is computed over the hit counts of the virus, and the residual and standardized residual of each hit count against its M-day moving average are obtained. Because the standardized residuals obtained in combination with the M-day moving average follow a normal distribution (the verification is given below), a confidence interval can be used to decide accurately whether any hit count is abnormal, and hence whether the virus trend is abnormal.
- For example, with the first preset threshold set to 1.96, corresponding to the 95% confidence interval, the time point of any hit count whose standardized residual exceeds 1.96 is identified as an abnormal point in the virus's development trend. The first preset threshold can thus be chosen according to the desired confidence interval.
- The M-day moving average needs at least M data points, whereas the thresholds of the prior art have to be learned from a large amount of historical data. The embodiment therefore does not need a large amount of historical data to determine the first preset threshold, and new and variant viruses can be monitored accurately as well.
- Moreover, the check can be run each time a new hit count is obtained: if the standardized residual of the latest hit count against its M-day moving average exceeds the first preset threshold, the latest hit count is abnormal, so timely and effective monitoring of all kinds of viruses is achieved.
- The foregoing method further includes a two-level warning, using the first preset threshold together with a second preset threshold.
- The first preset threshold may be 1.96, corresponding to the 95% confidence interval, and the second preset threshold 2.58, corresponding to the 99% confidence interval.
- When $D_{N+1}$ exceeds the first preset threshold but not the second, the probability that the virus's development trend is abnormal is 95%, and a first-level warning is issued for the time point at which the (N+1)-th hit count was generated, for example a blue warning notifying a technician to take action.
- When $D_{N+1}$ exceeds the second preset threshold, the probability that the virus's development trend is abnormal is 99%, and a second-level warning is issued for that time point, for example a red warning notifying a technician to take action.
- As shown in FIG. 4, the foregoing method may alternatively use the first preset threshold, the second preset threshold and a preset amplitude.
- The first preset threshold may again be 1.96 (95% confidence interval) and the second preset threshold 2.58 (99% confidence interval).
- The first-level warning gains the additional precondition that the residual $C_{N+1}$ exceed the preset amplitude, which may be set to 500.
- Here $C_{N+1}$ is the residual of the (N+1)-th hit count against the M-day moving average computed from the (N+1)-th back to the (N-M+2)-th hit count, i.e. it measures how far the (N+1)-th hit count departs from that moving average in absolute terms.
- When $C_{N+1}$ is less than 500, the change in the (N+1)-th hit count is small and is of little value as a reference for the virus trend; when $C_{N+1}$ is greater than 500, the change is large, carries more reference value and reflects the virus's development trend more accurately.
- Building on step 105 above, the second-level warning likewise gains the precondition that $C_{N+1}$ exceed the preset amplitude, which may be set to 500.
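The following Python is an added example, not code from the patent: it implements the method described above end to end, from parsing records in the "Virus Engine ID - Virus ID - Date - Time Point - Number of Hits" storage format into per-virus series, through the M-day moving average, residuals and the standardized residual of the latest hit count over the most recent L residuals, to the two-level warning with and without the preset-amplitude precondition. The thresholds 1.96 and 2.58 and the amplitude 500 are the values in the text. Everything else is this example's own: the records and the 100-day baseline series are constructed, the residual window is summarised with the sample mean and sample (n-1) standard deviation, dates use "/" so that "-" is free to be the field separator, and two edge cases the text does not spell out (too few points, a perfectly flat history where S = 0) are reported rather than scored.

```python
"""Added example (not the patent's own code): moving-average /
standardized-residual virus trend monitor with two-level warnings."""
from collections import defaultdict
from statistics import mean, stdev

LAMBDA_1 = 1.96   # first preset threshold, 95% confidence  -> first-level (blue) warning
LAMBDA_2 = 2.58   # second preset threshold, 99% confidence -> second-level (red) warning
AMPLITUDE = 500   # preset amplitude gate on the raw residual C_{N+1} (FIG. 4 variant)


def parse_records(lines):
    """Group 'engine-virus-date-time-hits' records by (engine, virus) and order
    each series by kill time, earliest first, as the text says they are stored.
    Constructed records put '/' in dates so '-' can act as the separator."""
    series = defaultdict(list)
    for line in lines:
        engine, virus, date, time_point, hits = (p.strip() for p in line.split("-", 4))
        series[(engine, virus)].append((f"{date} {time_point}", int(hits)))
    return {key: [h for _, h in sorted(v)] for key, v in series.items()}


def moving_averages(hits, M):
    """MA_i = (x_{i-M+1} + ... + x_i) / M for 1-indexed i in [M, N+1]; None before that."""
    return [None if k < M - 1 else sum(hits[k - M + 1:k + 1]) / M for k in range(len(hits))]


def standardized_residual(hits, M=7, L=90):
    """Return (D_{N+1}, C_{N+1}) for the latest (N+1-th) hit count, or None when
    the residuals' mean and standard deviation cannot be estimated.
    The window is i = max(M, N-L) .. N; mean/stdev here are the sample mean
    and sample (n-1) standard deviation (an assumption about the normalisation)."""
    n_total = len(hits)                 # N + 1
    N = n_total - 1
    if N < M:
        return None
    ma = moving_averages(hits, M)
    C = {i: hits[i - 1] - ma[i - 1] for i in range(M, n_total + 1)}   # C_i = x_i - MA_i
    window = [C[i] for i in range(max(M, N - L), N + 1)]
    if len(window) < 2:
        return None
    S = stdev(window)
    if S == 0:                          # flat history: residual cannot be standardized
        return None
    return (C[n_total] - mean(window)) / S, C[n_total]


def warning_level(hits, M=7, L=90, amplitude_gate=False):
    """'red' if D > LAMBDA_2, 'blue' if LAMBDA_1 < D <= LAMBDA_2, else 'none'.
    With amplitude_gate=True (FIG. 4 variant) a warning also needs C_{N+1} > AMPLITUDE."""
    result = standardized_residual(hits, M, L)
    if result is None:
        return "insufficient data"
    D, C_latest = result
    if amplitude_gate and C_latest <= AMPLITUDE:
        return "none"
    if D > LAMBDA_2:
        return "red"
    if D > LAMBDA_1:
        return "blue"
    return "none"


# Constructed data: 100 daily kills with a small 5-day periodic pattern.
BASELINE = [1000 + 10 * (k % 5) for k in range(100)]

# Constructed records in the text's storage format, deliberately out of order.
SAMPLE_RECORDS = [
    "Engine A-Virus B-2012/02/21-12:08-3354",
    "Engine A-Virus B-2012/02/19-12:03-3120",
    "Engine A-Virus B-2012/02/20-12:05-3301",
    "Engine A-Virus C-2012/02/21-12:08-42",
]

if __name__ == "__main__":
    print(parse_records(SAMPLE_RECORDS))
    for latest in (1030, 1056, 1100, 3000):
        hits = BASELINE + [latest]
        print(latest, warning_level(hits), warning_level(hits, amplitude_gate=True))
```

On the constructed baseline the residuals have a standard deviation of roughly 12 hits, so a latest count of 1100 (residual about 66) is already a red warning statistically, yet the amplitude gate suppresses it because 66 is far below 500; a count of 3000 trips both. That is exactly the trade-off the FIG. 4 variant makes: it ignores changes that are significant but operationally small.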
- FIG. 5 is a schematic diagram of monitoring the trend of the virus Virus.Win32.Loader.b [1023] with the monitoring method provided by the embodiment, with no abnormality detected. The abscissa is the kill time of the virus and the ordinate is the number of hits obtained at each kill.
- FIG. 6 is a schematic diagram of monitoring the trend of the virus Virus.Win32.ICE.a [1040] with the same method, with an abnormality detected and an alarm issued.
- FIG. 7 is a schematic diagram of monitoring the trend of the virus Trojan.Win32.BHO.ds [1408] with the same method, with an abnormality detected and an alarm issued.
- In FIGs. 6 and 7 the abscissa is the kill time and the ordinate the number of hits obtained at each kill; a triangle marks a blue warning and a circle marks a red warning.
- FIG. 8 is a schematic diagram of monitoring the trend of the virus Trojan.Win32.Pasta.ghc [1291] with the method shown in FIG. 4, where no alarm is issued because the condition that $C_{N+1}$ exceed the preset amplitude is not satisfied.
- The monitoring method in the embodiment is based on the Pauta criterion (拉依达准则, the 3σ rule), whose principle is as follows: for data that follow a normal distribution, whether a point is abnormal can be determined accurately from a confidence interval.
- Each standardized residual obtained by the combined M-day moving average operation provided in the embodiment follows a normal distribution. The verification is as follows.
- For one virus engine, the hit counts of each virus detected by that engine are collected, in order from first to last, into one data set, so that each virus corresponds to one data set.
- Ten sample data sets were selected at random, including the sample data of virus D1000 in column 1 of Table 1, the sample data of virus D1003 in columns 4-5 of Table 1, the sample data of virus D400015 in columns 1-2 of Table 4 and the sample data of virus D500003 in columns 4-5 of Table 4.
- The third, sixth and ninth columns of Tables 1-2, and the third and sixth columns of Tables 3-4, give the standardized residual of each hit count against its corresponding M-day moving average.
- The embodiment of the present invention provides a monitoring device for abnormal virus trends, as shown in FIG. 10, comprising: an obtaining module 11, for acquiring the number of hits obtained each time the virus is checked and killed; and an operation module 12, configured to perform the M-day moving average operation over the hit counts of the virus and obtain the value of each M-day moving average, where M is a positive integer.
- M = 7 is used as an example; M may also take values such as 4, 5, 6, 8, 9, 10 or 11.
- The operation module 12 is further configured to calculate the standardized residual of each hit count of the virus against its corresponding M-day moving average.
- The identification module 13 is configured to identify, when the standardized residual is greater than the first preset threshold, the time point at which the corresponding hit count was generated as an abnormal point in the virus's development trend.
- The device thus obtains the M-day moving averages of the virus's hit counts and the standardized residual of each hit count against its M-day moving average. Because these standardized residuals follow a normal distribution, a confidence interval can be used to decide accurately whether any hit count is abnormal, and hence whether the virus trend is abnormal.
- For example, with the first preset threshold set to 1.96, corresponding to the 95% confidence interval, the time point of any hit count whose standardized residual exceeds 1.96 is identified as an abnormal point in the virus's development trend. The threshold can thus be chosen according to the desired confidence interval; unlike the prior art, no large amount of historical data is needed to determine it, so new and variant viruses can be monitored accurately, and the check can be run each time a new hit count is obtained: if the standardized residual of the latest hit count exceeds the first preset threshold, the latest hit count is abnormal, achieving timely and effective monitoring of all kinds of viruses.
- Specifically, the operation module 12 computes the M-day moving average $\mathrm{MA}_i = \frac{1}{M}\sum_{j=i-M+1}^{i} x_j$ for $i \in [M, N+1]$, where $N+1$ is the total number of hit counts and $x_j$ is the j-th hit count; the residual $C_i = x_i - \mathrm{MA}_i$ of the i-th hit count against the M-day moving average computed from the i-th back to the (i-M+1)-th hit count; the mean $\bar{C} = \frac{1}{N-\max(M,\,N-L)}\sum_{i=\max(M,\,N-L)}^{N} C_i$ of the residuals, with $L \in [1, N]$ a positive integer; the standard deviation $S = \sqrt{\frac{1}{N-\max(M,\,N-L)-1}\sum_{i=\max(M,\,N-L)}^{N}(C_i-\bar{C})^2}$ of the residuals; and the standardized residual $D_{N+1} = (C_{N+1}-\bar{C})/S$ of the (N+1)-th hit count.
- The identifying module 13 is specifically configured to identify, when $D_{N+1}$ exceeds the first preset threshold, the time point at which the (N+1)-th hit count of the virus was generated as an abnormal point of the virus's development trend.
- The device further includes a first early warning module 14, configured to issue a first-level warning for the time point at which the (N+1)-th hit count was generated when $D_{N+1}$ exceeds the first preset threshold but not the second preset threshold, and a second-level warning for that time point when $D_{N+1}$ exceeds the second preset threshold.
- The device further includes a second early warning module 15, configured to issue a first-level warning for the time point at which the (N+1)-th hit count was generated when $D_{N+1}$ exceeds the first preset threshold but not the second and the residual $C_{N+1}$ exceeds the preset amplitude, and a second-level warning for that time point when $D_{N+1}$ exceeds the second preset threshold and $C_{N+1}$ exceeds the preset amplitude.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112014001804A BR112014001804A2 (pt) | 2012-04-09 | 2013-03-28 | Method and device for monitoring virus trend anomaly |
US14/178,825 US9817973B2 (en) | 2012-04-09 | 2014-02-12 | Method and device for monitoring virus trend abnormality |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210101792.2 | 2012-04-09 | ||
CN201210101792.2A CN103366119B (zh) | 2012-04-09 | 2012-04-09 | Method and device for monitoring virus trend abnormality |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/178,825 Continuation US9817973B2 (en) | 2012-04-09 | 2014-02-12 | Method and device for monitoring virus trend abnormality |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013152672A1 true WO2013152672A1 (zh) | 2013-10-17 |
Family
ID=49327087
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2013/073357 WO2013152672A1 (zh) | 2012-04-09 | 2013-03-28 | Method and device for monitoring virus trend abnormality |
Country Status (4)
Country | Link |
---|---|
US (1) | US9817973B2 (zh) |
CN (1) | CN103366119B (zh) |
BR (1) | BR112014001804A2 (zh) |
WO (1) | WO2013152672A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2571721C2 (ru) * | 2014-03-20 | 2015-12-20 | Закрытое акционерное общество "Лаборатория Касперского" (Kaspersky Lab) | System and method for detecting fraudulent online transactions |
CN105915556B (zh) * | 2016-06-29 | 2019-02-12 | 北京奇虎科技有限公司 | Method and device for determining the attack surface of a terminal |
EP3511856A1 (en) * | 2018-01-16 | 2019-07-17 | Nokia Solutions and Networks Oy | Method, apparatus and computer readable medium to detect at least one change in continuous data |
CN112152834B (zh) * | 2019-06-29 | 2023-06-06 | 北京金山云网络技术有限公司 | Network anomaly alarm method and device, and electronic device |
CN113836535B (zh) * | 2021-08-31 | 2024-08-09 | 中国人民解放军空军工程大学 | Dynamic defense method against zero-day viruses |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1848745A (zh) * | 2005-04-13 | 2006-10-18 | 安氏互联网安全系统(中国)有限公司 | Worm virus detection method based on network traffic characteristics |
JP4156540B2 (ja) * | 2004-02-23 | 2008-09-24 | Kddi株式会社 | Log analysis device, log analysis program and recording medium |
EP1995929A2 (en) * | 2007-05-24 | 2008-11-26 | Deutsche Telekom AG | Distributed system for the detection of eThreats |
JP2009015427A (ja) * | 2007-07-02 | 2009-01-22 | Nippon Telegr & Teleph Corp <Ntt> | Method and system for setting optimal values in worm-infected host identification processing |
WO2009083022A1 (en) * | 2007-12-31 | 2009-07-09 | Telecom Italia S.P.A. | Method of detecting anomalies in a communication system using numerical packet features |
US7936682B2 (en) * | 2004-11-09 | 2011-05-03 | Cisco Technology, Inc. | Detecting malicious attacks using network behavior and header analysis |
JP4723466B2 (ja) * | 2006-12-19 | 2011-07-13 | 三菱電機株式会社 | Data processing device, data processing method and program |
US8112801B2 (en) * | 2007-01-23 | 2012-02-07 | Alcatel Lucent | Method and apparatus for detecting malware |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6886099B1 (en) * | 2000-09-12 | 2005-04-26 | Networks Associates Technology, Inc. | Computer virus detection |
US6892209B2 (en) * | 2001-06-13 | 2005-05-10 | International Business Machines Corporation | Technique for determination of an exception in multi-dimensional data |
CA2531410A1 (en) * | 2005-12-23 | 2007-06-23 | Snipe Network Security Corporation | Behavioural-based network anomaly detection based on user and group profiling |
US20070234424A1 (en) * | 2006-03-31 | 2007-10-04 | Lucent Technologies, Inc. | Design and evaluation of a fast and robust worm detection algorithm |
US8321935B1 (en) * | 2009-02-26 | 2012-11-27 | Symantec Corporation | Identifying originators of malware |
- 2012
  - 2012-04-09 CN CN201210101792.2A patent/CN103366119B/zh active Active
- 2013
  - 2013-03-28 BR BR112014001804A patent/BR112014001804A2/pt not_active Application Discontinuation
  - 2013-03-28 WO PCT/CN2013/073357 patent/WO2013152672A1/zh active Application Filing
- 2014
  - 2014-02-12 US US14/178,825 patent/US9817973B2/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4156540B2 (ja) * | 2004-02-23 | 2008-09-24 | Kddi株式会社 | Log analysis device, log analysis program and recording medium |
US7936682B2 (en) * | 2004-11-09 | 2011-05-03 | Cisco Technology, Inc. | Detecting malicious attacks using network behavior and header analysis |
CN1848745A (zh) * | 2005-04-13 | 2006-10-18 | 安氏互联网安全系统(中国)有限公司 | Worm virus detection method based on network traffic characteristics |
JP4723466B2 (ja) * | 2006-12-19 | 2011-07-13 | 三菱電機株式会社 | Data processing device, data processing method and program |
US8112801B2 (en) * | 2007-01-23 | 2012-02-07 | Alcatel Lucent | Method and apparatus for detecting malware |
EP1995929A2 (en) * | 2007-05-24 | 2008-11-26 | Deutsche Telekom AG | Distributed system for the detection of eThreats |
JP2009015427A (ja) * | 2007-07-02 | 2009-01-22 | Nippon Telegr & Teleph Corp <Ntt> | Optimal value setting method and optimal value setting system for worm-infected host identification processing |
WO2009083022A1 (en) * | 2007-12-31 | 2009-07-09 | Telecom Italia S.P.A. | Method of detecting anomalies in a communication system using numerical packet features |
Also Published As
Publication number | Publication date |
---|---|
CN103366119B (zh) | 2016-08-03 |
US20140189872A1 (en) | 2014-07-03 |
CN103366119A (zh) | 2013-10-23 |
US9817973B2 (en) | 2017-11-14 |
BR112014001804A2 (pt) | 2017-03-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11568042B2 (en) | | System and methods for sandboxed malware analysis and automated patch development, deployment and validation |
CN106790186B (zh) | | Multi-step attack detection method based on correlation analysis of multi-source anomalous events |
US20220224723A1 (en) | | Ai-driven defensive cybersecurity strategy analysis and recommendation system |
EP3635602B1 (en) | | Validating correlation between chains of alerts using cloud view |
WO2016095626A1 (zh) | | Method and device for monitoring processes |
US11991191B2 (en) | | Detecting a missing security alert using a machine learning model |
CN108683687B (zh) | | Network attack identification method and system |
US20190197239A1 (en) | | Method and system for generating cognitive security intelligence for detecting and preventing malwares |
WO2013152672A1 (zh) | | Method and device for monitoring virus trend anomalies |
US9935972B2 (en) | | Emulator-based malware learning and detection |
JP6410547B2 (ja) | | Classification of malware by the order of network behavior artifacts |
US10354197B2 (en) | | Pattern analytics for real-time detection of known significant pattern signatures |
US20180157700A1 (en) | | Storing and verifying event logs in a blockchain |
JP2011523748A5 (zh) | | |
CN105989283A (zh) | | Method and device for identifying virus variants |
US20170091461A1 (en) | | Malicious code analysis method and system, data processing apparatus, and electronic apparatus |
RU2014121249A (ru) | | Systems and methods for protection against malicious software based on fuzzy whitelisting |
JP2013035539A5 (zh) | | |
US20170139759A1 (en) | | Pattern analytics for real-time detection of known significant pattern signatures |
CN110602135B (zh) | | Network attack processing method, device and electronic equipment |
CN108959071B (zh) | | RASP-based detection method and system for obfuscated PHP webshells |
WO2017197942A1 (zh) | | Method and device for acquiring a virus database, equipment, server and system |
US20190266323A1 (en) | | Identification process for suspicious activity patterns based on ancestry relationship |
US11436323B2 (en) | | Detecting anomalies in software service usage activity |
CN104915593B (zh) | | Method and system for unbundling software |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13775896 Country of ref document: EP Kind code of ref document: A1 |
| REG | Reference to national code | Ref country code: BR Ref legal event code: B01A Ref document number: 112014001804 Country of ref document: BR |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) OF 270215 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13775896 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 112014001804 Country of ref document: BR Kind code of ref document: A2 Effective date: 20140124 |