WO2022102110A1 - Falsification detection device, falsification detection method, and falsification detection program - Google Patents

Falsification detection device, falsification detection method, and falsification detection program

Info

Publication number
WO2022102110A1
WO2022102110A1 PCT/JP2020/042534 JP2020042534W WO2022102110A1 WO 2022102110 A1 WO2022102110 A1 WO 2022102110A1 JP 2020042534 W JP2020042534 W JP 2020042534W WO 2022102110 A1 WO2022102110 A1 WO 2022102110A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
unit
scan order
monitored device
scan
Prior art date
Application number
PCT/JP2020/042534
Other languages
English (en)
Japanese (ja)
Inventor
真奈美 伊藤
友貴 山中
亮太 佐藤
良彰 中嶋
伸浩 千葉
浩義 瀧口
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2020/042534
Publication of WO2022102110A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the present invention relates to a falsification detection device, a falsification detection method, and a falsification detection program.
  • the cyclic scan is a scan method in which all files are scanned in order based on the file list, and all files can be reliably monitored.
  • on-access scanning is a scanning method that detects file access, hooks the access, scans the file, and permits access if it has not been tampered with (see, for example, Patent Documents 1 to 3).
  • Random scan is a scan method that randomly generates the scan order of all files.
  • on-access scan can reliably monitor all files, but since access to files is hooked once, the effect on the operation of the monitored device tends to increase. Also, in a random scan, the files to be scanned are completely random, so there is no guarantee that all files will be monitored reliably.
  • the tampering detection device includes an acquisition unit that acquires predetermined information from the monitored device, a determination unit that determines the scan order of files of the monitored device from the information acquired by the acquisition unit, a transmission unit that transmits the scan order determined by the determination unit to the monitored device, and a verification unit that verifies whether or not a file has been tampered with by using a digest of the file generated by the monitored device based on the scan order.
  • the tampering detection method is a tampering detection method executed by a tampering detection device, and is based on an acquisition process of acquiring predetermined information from a monitored device and the information acquired by the acquisition unit.
  • the tampering detection program causes a computer to perform an acquisition step of acquiring predetermined information from the monitored device, a determination step of determining a scan order of files of the monitored device from the information acquired by the acquisition unit, a transmission step of transmitting the scan order determined by the determination unit to the monitored device, and a verification step of verifying whether or not a file has been tampered with by using a digest of the file generated by the monitored device based on the scan order.
  • the present invention can optimally and comprehensively monitor all files in software tampering detection.
  • FIG. 1 is a diagram showing an example of a falsification detection system according to the first embodiment.
  • FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the first embodiment.
  • FIG. 3 is a block diagram showing a configuration example of the monitored device according to the first embodiment.
  • FIG. 4 is a flowchart showing an example of the flow of the falsification detection process according to the first embodiment.
  • FIG. 5 is a flowchart showing an example of the flow of calculation processing according to the first embodiment.
  • FIG. 6 is a diagram showing a computer that executes a program.
  • FIG. 1 is a diagram showing an example of a falsification detection system according to the first embodiment.
  • the falsification detection system 100 includes a falsification detection device 10 such as a server and a monitored device 20 such as various terminals.
  • the falsification detection device 10 and the monitored device 20 are connected so as to be communicable by wire or wirelessly via a predetermined communication network (not shown).
  • the falsification detection system 100 shown in FIG. 1 may include a plurality of falsification detection devices 10 and a plurality of monitored devices 20.
  • the monitored device 20 transmits information for determining the optimum scanning order to the falsification detection device 10 (step S1).
  • the information for determining the optimum scan order includes information on the inside of the monitored device (hereinafter, as appropriate, “monitored device information”), information on the importance of the file (hereinafter, as appropriate, “file importance information”), and so on.
  • the monitored device information is information related to the resources of the monitored device, for example, information such as CPU processing speed, memory capacity, storage capacity, etc., but is not particularly limited. Further, the monitored device information is basic information of a file stored in the monitored device, and is, for example, the type of the file, the data capacity, the number of files, and the like, but is not particularly limited.
  • the file importance information is information related to the importance of the file stored in the monitored device, for example, the number of accesses and the access frequency for each file, the access source, the type of flag setting related to the importance of the file, and the like.
  • information such as the scan frequency that minimizes the sum of the expected values (appropriately, "expected values") of the time from the access of the file to the execution of the scan is also included, but is not particularly limited.
  • the falsification detection device 10 determines the optimum scan order based on the acquired information (step S2).
  • the scan order indicates the order of processing in which the monitored device 20 generates a digest of each file (hereinafter, as appropriate, "file digest") at least once for the file group stored in the monitored device 20.
  • the digest of the file generated by the monitored device 20 is data or the like generated by using hash calculation or the like, but is not particularly limited.
  • the tampering detection device 10 can also determine the scan order that does not include a specific file by static or dynamic settings.
  • the falsification detection device 10 can determine the scan order based on the file importance information. For example, the falsification detection device 10 can determine the scan order so as to preferentially scan a file with a high number of accesses, or to preferentially scan a file flagged as important by the file creator. The determination of the scan order based on the scan frequency that minimizes the sum of the expected values of time will be described in the flow of calculation processing described later.
  • the falsification detection device 10 transmits the determined scan order to the monitored device 20 (step S3). Then, the monitored device 20 generates a digest of the file according to the acquired scan order (step S4). Further, the monitored device 20 transmits a digest of the generated file to the falsification detection device 10 (step S5).
  • the tampering detection device 10 verifies whether or not the file has been tampered with based on the digest of the acquired file (step S6). At this time, the tampering detection device 10 compares the digest of the correct file stored in the tampering detection device 10 with the digest of the acquired file, and if the digests are different, it determines that the file has been tampered with.
  • the optimum scan order is determined while considering the information inside the device to be determined. Therefore, in a device having a limited available CPU and memory resources, it is possible to detect software tampering with a high probability while suppressing the resources used.
  • the importance of the file is estimated from the file access frequency, and the optimum scan order for reducing the expected value of the time from the alteration of the software to the detection is determined. Therefore, in the present system 100, when the access frequency is proportional to the susceptibility to tampering, the time from the tampering of the software to the detection can be shortened as much as possible.
  • FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the present embodiment.
  • the falsification detection device 10 includes an input unit 11, an output unit 12, a communication unit 13, a control unit 14, and a storage unit 15.
  • the input unit 11 controls the input of various information to the falsification detection device 10.
  • the input unit 11 is, for example, a mouse, a keyboard, or the like, and receives input of setting information or the like to the falsification detection device 10.
  • the output unit 12 controls the output of various information from the falsification detection device 10.
  • the output unit 12 is, for example, a display or the like, and outputs setting information or the like stored in the falsification detection device 10.
  • the communication unit 13 controls data communication with other devices. For example, the communication unit 13 performs data communication with each communication device. Further, the communication unit 13 can perform data communication with a terminal of an operator (not shown).
  • the storage unit 15 stores various information referred to when the control unit 14 operates and various information acquired when the control unit 14 operates.
  • the storage unit 15 includes a monitored device information storage unit 15a, a file importance information storage unit 15b, and a file digest storage unit 15c.
  • the storage unit 15 is, for example, a RAM (Random Access Memory), a semiconductor memory element such as a flash memory, or a storage device such as a hard disk or an optical disk.
  • the storage unit 15 is installed inside the falsification detection device 10, but it may be installed outside the falsification detection device 10, or a plurality of storage units may be installed.
  • the monitored device information storage unit 15a stores information for the determination unit 14c of the control unit 14 to determine the scan order.
  • the monitored device information storage unit 15a stores, for example, information about device resources such as CPU processing speed, memory capacity, and storage capacity, and basic information on the files stored in the monitored device, such as file type, data capacity, and number of files.
  • the file importance information storage unit 15b stores information regarding the importance of the file acquired by the acquisition unit 14a of the control unit 14. Further, the file importance information storage unit 15b stores the information calculated by the calculation unit 14b of the control unit 14. For example, the file importance information storage unit 15b stores the importance flag information for each file, the number of times the file is accessed, the access frequency, the access source, the calculated importance of the file, the scan frequency that minimizes the sum of the expected values of time, and the like.
  • the file digest storage unit 15c stores information on the correct monitored file for the acquisition unit 14d of the control unit 14 to verify tampering.
  • the file digest storage unit 15c stores a file digest generated based on a hash calculation from a regular file stored in the monitored device.
  • the control unit 14 controls the entire falsification detection device 10.
  • the control unit 14 includes an acquisition unit 14a, a calculation unit 14b, a determination unit 14c, a transmission unit 14d, and a verification unit 14e.
  • the control unit 14 is, for example, an electronic circuit such as a CPU or MPU (Micro Processing Unit) or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).
  • the acquisition unit 14a acquires predetermined information from the monitored device 20. For example, the acquisition unit 14a acquires the access frequency of the file of the monitored device 20. Further, the acquisition unit 14a acquires the monitored device information and the file importance information as information for determining the optimum scan order. Further, the acquisition unit 14a acquires a digest of the file generated by the monitored device 20.
  • the acquisition unit 14a stores the acquired monitored device information, such as the resources of the monitored device, in the monitored device information storage unit 15a. Further, the acquisition unit 14a stores the acquired file importance information such as the access frequency in the file importance information storage unit 15b. Further, the acquisition unit 14a transmits a digest of the acquired file to the verification unit 14e.
  • the calculation unit 14b calculates the importance of the file of the monitored device 20 based on the access frequency of the file of the monitored device 20 acquired from the acquisition unit 14a. For example, the calculation unit 14b calculates the scan frequency that minimizes the sum of the expected values of the time from when the file is accessed until the scan is executed, as the importance of the file of the monitored device 20. On the other hand, the calculation unit 14b stores the calculated file importance information such as the scan frequency in the file importance information storage unit 15b.
  • the determination unit 14c determines the scan order of the files of the monitored device 20 from the information acquired by the acquisition unit 14a. Further, the determination unit 14c determines the scan order in which all the files are included at least once as the scan order of the files of the monitored device 20. Further, the determination unit 14c determines the scan order based on the importance of the file of the monitored device 20 calculated by the calculation unit 14b. For example, the determination unit 14c determines the scan order by allocating the number of scans corresponding to the scan frequency that minimizes the sum of the expected values of the time from the file access to the scan execution, which is calculated as the importance of the file of the monitored device 20.
  • the determination unit 14c refers to the monitoring target device information stored in the monitoring target device information storage unit 15a. Further, the determination unit 14c refers to the file importance information stored in the file importance information storage unit 15b.
  • the transmission unit 14d transmits the scan order determined by the determination unit 14c to the monitored device 20. Further, the transmission unit 14d may transmit the presence or absence of falsification of the file verified by the verification unit 14e to the monitored device 20 or another terminal.
  • the verification unit 14e verifies whether or not the file has been tampered with by using the digest of the file generated by the monitored device 20 based on the scan order. At this time, the verification unit 14e refers to the file digest of the correct monitored file stored in the file digest storage unit 15c.
  • FIG. 3 is a block diagram showing a configuration example of the monitored device according to the present embodiment.
  • the monitored device 20 has an input unit 21, an output unit 22, a communication unit 23, a control unit 24, and a storage unit 25.
  • the input unit 21 controls the input of various information to the monitored device 20.
  • the input unit 21 is, for example, a mouse, a keyboard, or the like, and receives input of setting information or the like to the monitored device 20.
  • the output unit 22 controls the output of various information from the monitored device 20.
  • the output unit 22 is, for example, a display or the like, and outputs setting information or the like stored in the monitored device 20.
  • the communication unit 23 controls data communication with other devices. For example, the communication unit 23 performs data communication with each communication device. Further, the communication unit 23 can perform data communication with a terminal of an operator (not shown).
  • the storage unit 25 stores various information referred to when the control unit 24 operates and various information acquired when the control unit 24 operates.
  • the storage unit 25 has, for example, a monitored file storage unit 25a.
  • the storage unit 25 is, for example, a semiconductor memory element such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk.
  • the storage unit 25 is installed inside the monitored device 20, but it may be installed outside the monitored device 20, or a plurality of storage units may be installed.
  • the monitored file storage unit 25a stores a monitored file that may be accessed from the outside and may be tampered with.
  • the control unit 24 controls the entire monitored device 20.
  • the control unit 24 includes an acquisition unit 24a, a generation unit 24b, and a transmission unit 24c.
  • the control unit 24 is, for example, an electronic circuit such as a CPU or MPU, or an integrated circuit such as an ASIC or FPGA.
  • the acquisition unit 24a acquires the file scan order from the falsification detection device 10. Further, the acquisition unit 24a may acquire the presence or absence of falsification of the file verified by the falsification detection device 10.
  • the generation unit 24b generates a digest of the file according to the scan order of the file acquired from the falsification detection device 10. Further, the generation unit 24b may store the digest of the generated file in the storage unit 25.
  • the transmission unit 24c transmits a digest of the file generated by the generation unit 24b to the falsification detection device 10. Further, the transmission unit 24c may transmit the digest of the file to a terminal other than the falsification detection device 10.
  • the i-th file is represented as file i.
  • the falsification detection device 10 acquires in advance access logs for each of n files in the monitored device 20 for a certain period of time.
  • the access frequency Pa (i) of the file i is expressed as the equation (1).
  • Pa (i) differs depending on the setting method of important files. In this process, since it is assumed that an important file is a file that is frequently accessed, Pa (i) is given by Eq. (1).
  • Pa (i) is the frequency of appearance of the file i in the scan sequence.
  • the falsification detection device 10 calculates Pc (i) that minimizes the equation (3). In this process, the higher the access frequency, the higher the scan frequency.
  • All file scan end time T is set, and the number of scans is assigned to each file based on Pc (i) for the number of possible scans in the time excluding the time required for one file cycle.
  • the falsification detection device 10 may determine the scan order in which the files with the highest number of accesses in the past files are prioritized. That is, based on the number of accesses of each file, the number of scans may be assigned to each file, and the scan order for scanning all files at least once may be determined. Further, the falsification detection device 10 may determine the scan order in consideration of the access source as well as the number of accesses.
  • the falsification detection device 10 may determine the scan order in which the file having the flag setting regarding the importance by the file creator is prioritized. That is, a flag may be set according to the importance of the file, the number of scans may be assigned to each file based on the flag, and the scan order for scanning all files at least once may be determined.
  • FIG. 4 is a flowchart showing an example of the flow of the falsification detection process according to the first embodiment.
  • the acquisition unit 14a of the falsification detection device 10 acquires information from the monitored device 20 in order to determine the optimum scan order (step S101).
  • the acquisition unit 14a may acquire information from a device other than the monitored device 20. Further, the acquisition unit 14a may acquire the information directly input via the input unit 11.
  • the determination unit 14c determines the optimum scan order based on the information acquired from the monitored device 20 (step S102).
  • the calculation unit 14b may perform calculation processing of information necessary for the determination unit 14c to determine the scan order. Further, if the scan order created in advance exists, the determination unit 14c can also adopt the scan order. Further, when a plurality of scan orders can be determined, the determination unit 14c may adopt one from the scan order, or may adopt a plurality of scan orders.
  • the transmission unit 14d transmits the scan order determined to the monitored device 20 (step S103). At this time, the transmission unit 14d may transmit the scan order in bulk, or may transmit one by one for each order. Further, the transmission unit 14d may transmit a plurality of scan sequence sequences.
  • the acquisition unit 14a acquires a digest of the file generated and transmitted by the generation unit 24b of the monitored device 20 (step S104).
  • the verification unit 14e verifies whether or not the file has been tampered with based on the digest of the file acquired by the acquisition unit 14a (step S105), and the tampering detection process ends.
  • the transmission unit 14d may transmit the presence or absence of falsification of the file verified by the verification unit 14e to the monitored device 20 or another terminal.
  • FIG. 5 is a flowchart showing an example of the flow of calculation processing according to the first embodiment.
  • the acquisition unit 14a of the falsification detection device 10 acquires the access log of the file for a certain period in the monitored device 20 (step S201).
  • the acquisition unit 14a may acquire the access log from a device other than the monitored device 20. Further, the acquisition unit 14a may acquire the access log directly input via the input unit 11.
  • the calculation unit 14b calculates the scan frequency that minimizes the sum of the expected values of the times from falsification to scan execution in all files (step S202), determines the scan end time of all files (step S203), and calculates the number of possible scans within the time obtained by excluding the time required for one round of file scanning from the determined end time (step S204).
  • the order of processing in steps S202 to S204 is an example, and the calculation unit 14b may perform processing in a different order. Further, the calculation unit 14b may omit a part of the processing of steps S202 to S204.
  • the calculation unit 14b allocates the number of scans to each file based on the calculated scan frequency (step S205). Finally, the determination unit 14c determines the scan order (step S206), and the process ends.
  • the scan order in which all the files are included at least once is determined as the scan order of the files of the monitored device. Therefore, in this process, all files can be reliably scanned in software tampering detection, and all files can be optimally and comprehensively monitored.
  • the access frequency of the file of the monitored device is acquired, the importance of the file is calculated based on the acquired access frequency, and the scan order is determined based on the calculated importance of the file.
  • all files can be optimally and comprehensively monitored by considering the importance of each file in the detection of software tampering.
  • the scan frequency that minimizes the sum of the expected values of the time from when the file is accessed until the scan is executed is calculated as the importance of the file, and the number of scans corresponding to the scan frequency is assigned to determine the scan order. In this process, it is possible to determine a more efficient scan order in software tampering detection, and it is possible to optimally and comprehensively monitor all files.
  • each component of each of the illustrated devices according to the above embodiment is a functional concept, and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution and integration of each device is not limited to the one shown in the figure, and all or part of them may be functionally or physically distributed or integrated in any unit according to various loads and usage conditions. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.
  • [Program] It is also possible to create a program in which the process executed by the falsification detection device 10 described in the above embodiment is described in a language that can be executed by a computer. In this case, the same effect as that of the above embodiment can be obtained by executing the program by the computer. Further, the same processing as that of the above embodiment may be realized by recording the program on a computer-readable recording medium, reading the program recorded on the recording medium into the computer, and executing the program.
  • FIG. 6 is a diagram showing a computer that executes a program.
  • the computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. However, each of these parts is connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012, as illustrated in FIG.
  • the ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090, as illustrated in FIG.
  • the disk drive interface 1040 is connected to the disk drive 1100 as illustrated in FIG.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120, as illustrated in FIG.
  • the video adapter 1060 is connected, for example, to a display 1130, as illustrated in FIG.
  • the hard disk drive 1090 stores, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094. That is, the above program is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described.
  • the various data described in the above embodiment are stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 as needed, and executes various processing procedures.
  • the program module 1093 and program data 1094 related to the program are not limited to those stored in the hard disk drive 1090, and may be stored in, for example, a removable storage medium and read by the CPU 1020 via a disk drive or the like. Alternatively, the program module 1093 and the program data 1094 related to the program may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.) and read by the CPU 1020 via the network interface 1070.
  • 10 Tampering detection device; 11 Input unit; 12 Output unit; 13 Communication unit; 14 Control unit; 14a Acquisition unit; 14b Calculation unit; 14c Determination unit; 14d Transmission unit; 14e Verification unit; 15 Storage unit; 15a Monitored device information storage unit; 15b File importance information storage unit; 15c File digest storage unit; 20 Monitoring target device; 21 Input unit; 22 Output unit; 23 Communication unit; 24 Control unit; 24a Acquisition unit; 24b Generation unit; 24c Transmission unit; 25 Storage unit; 25a Monitoring target file storage unit; 100 Tampering detection system
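
The calculation flow of FIG. 5 (steps S201 to S206) followed by the digest exchange and verification of steps S3 to S6, as an added Python example that is not code from the patent. Equations (1) to (3) are not reproduced on this page, so the cost function (sum of Pa(i)/Pc(i), whose minimizer is Pc(i) proportional to the square root of Pa(i)), the even-spacing interleave, SHA-256 as the hash, the file paths and all function names are assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: file contents on the monitored device and an access log.
CLEAN_FILES = {
    "/bin/login": b"login-binary-v1",
    "/etc/passwd": b"passwd-contents-v1",
    "/usr/lib/libfoo.so": b"libfoo-v1",
    "/opt/app/readme.txt": b"readme",
    "/opt/app/unused.cfg": b"never accessed in the log window",
}
ACCESS_LOG = (["/bin/login"] * 16 + ["/etc/passwd"] * 9
              + ["/usr/lib/libfoo.so"] * 4 + ["/opt/app/readme.txt"] * 1)


def access_frequency(access_log):
    """S201: Pa(i), each file's share of the accesses seen in the log window."""
    counts = Counter(access_log)
    total = sum(counts.values())
    return {path: n / total for path, n in counts.items()}


def scan_frequency(pa, files):
    """S202: Pc(i) under the ASSUMED cost sum_i Pa(i)/Pc(i) with sum_i Pc(i) = 1.

    A Lagrange multiplier gives Pc(i) proportional to sqrt(Pa(i)).
    """
    weight = {path: math.sqrt(pa.get(path, 0.0)) for path in files}
    total = sum(weight.values())
    if total == 0:  # no access data at all: fall back to a plain cyclic scan
        return {path: 1 / len(weight) for path in weight}
    return {path: w / total for path, w in weight.items()}


def allocate_scans(pc, total_slots):
    """S203-S205: one guaranteed scan per file, spare slots shared out by Pc(i)."""
    files = sorted(pc)
    spare = total_slots - len(files)
    if spare < 0:
        raise ValueError("scan budget too small to cover every file once")
    exact = {path: pc[path] * spare for path in files}
    counts = {path: 1 + int(exact[path]) for path in files}
    leftover = total_slots - sum(counts.values())
    # Largest-remainder rounding so the counts add up to the budget exactly.
    by_remainder = sorted(files, key=lambda p: exact[p] - int(exact[p]), reverse=True)
    for path in by_remainder[:leftover]:
        counts[path] += 1
    return counts


def build_scan_order(counts):
    """S206: spread each file's scans evenly across the sequence."""
    slots = [((k + 0.5) / c, path) for path, c in counts.items() for k in range(c)]
    return [path for _, path in sorted(slots)]


def device_generate_digests(scan_order, read_file):
    """Monitored device side (S4): hash each file in the order received."""
    return [(path, hashlib.sha256(read_file(path)).hexdigest()) for path in scan_order]


def verify_digests(reported, baseline):
    """Detection side (S6): map each mismatching file to the first scan
    position that exposed it. A file missing from the baseline also mismatches."""
    tampered = {}
    for position, (path, digest) in enumerate(reported):
        if baseline.get(path) != digest:
            tampered.setdefault(path, position)
    return tampered


def demo():
    files = sorted(CLEAN_FILES)
    # Known-good digests held by the detection device (file digest storage 15c).
    baseline = dict(device_generate_digests(files, CLEAN_FILES.__getitem__))
    counts = allocate_scans(scan_frequency(access_frequency(ACCESS_LOG), files), 15)
    order = build_scan_order(counts)
    # Constructed tampering: one monitored file no longer matches its baseline.
    on_device = {**CLEAN_FILES, "/etc/passwd": b"modified contents"}
    reported = device_generate_digests(order, on_device.__getitem__)
    return counts, order, verify_digests(reported, baseline)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The file that never appears in the access log still receives one scan, which is the "all files at least once" property the description requires of the scan order.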

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)

Abstract

The present falsification detection device (10) comprises: an acquisition unit (14a) that acquires predetermined information from a device to be monitored; a determination unit (14c) that determines, from the information acquired by the acquisition unit (14a), a scan order of files of the device to be monitored; a transmission unit (14d) that transmits the scan order determined by the determination unit (14c) to the device to be monitored; and a verification unit (14e) that uses the digest of a file generated by the device to be monitored on the basis of the scan order to verify whether the file has been tampered with.
PCT/JP2020/042534 2020-11-13 2020-11-13 Falsification detection device, falsification detection method, and falsification detection program WO2022102110A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/042534 WO2022102110A1 (fr) 2020-11-13 2020-11-13 Falsification detection device, falsification detection method, and falsification detection program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/042534 WO2022102110A1 (fr) 2020-11-13 2020-11-13 Falsification detection device, falsification detection method, and falsification detection program

Publications (1)

Publication Number Publication Date
WO2022102110A1 (fr) 2022-05-19

Family

ID=81602164

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/042534 WO2022102110A1 (fr) 2020-11-13 2020-11-13 Tampering detection device, tampering detection method, and tampering detection program

Country Status (1)

Country Link
WO (1) WO2022102110A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050132206A1 (en) * 2003-12-12 2005-06-16 International Business Machines Corporation Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network
JP2009009372A (ja) * 2007-06-28 2009-01-15 Panasonic Corp Information terminal, client-server system and program
US20160294849A1 (en) * 2015-03-31 2016-10-06 Juniper Networks, Inc. Detecting suspicious files resident on a network
US20200034534A1 (en) * 2018-07-24 2020-01-30 EMC IP Holding Company LLC Predictive scheduled anti-virus scanning

Similar Documents

Publication Publication Date Title
US20090133125A1 (en) Method and apparatus for malware detection
US11475133B2 (en) Method for machine learning of malicious code detecting model and method for detecting malicious code using the same
JP6698056B2 (ja) System and method for detecting anomalous events
US20220229906A1 (en) High-confidence malware severity classification of reference file set
CN107403093B (zh) System and method for detecting unwanted software
US20180341769A1 (en) Threat detection method and threat detection device
CN103559438A (zh) Process identification method and system
CN108234441B (zh) Method, apparatus, electronic device and storage medium for determining forged access requests
WO2022102110A1 (fr) Tampering detection device, tampering detection method, and tampering detection program
CN111967016B (zh) Dynamic monitoring method for a baseboard management controller, and baseboard management controller
CN109522683A (zh) Software provenance tracing method, system, computer device and storage medium
US20090254311A1 (en) Method for monitoring computer system performance and computer readable medium thereof
CN109635567B (zh) Verification method and apparatus for an application client, and server platform
KR20190020998A (ko) Malicious code diagnosis apparatus, diagnosis method and diagnosis system
KR101899774B1 (ko) Data processing method for responding to ransomware, program for executing the same, and computer-readable recording medium on which the program is recorded
CN111538566A (zh) Image file processing method, apparatus, system, electronic device and storage medium
WO2022153410A1 (fr) Tampering detection device, tampering detection method, and tampering detection program
WO2022153415A1 (fr) Tampering detection device, tampering detection method, and tampering detection program
CN112347479B (zh) False-positive correction method, apparatus, device and storage medium for malware detection
CN114285664A (zh) Abnormal user identification method, system, device and medium
US20230267202A1 (en) Fast antimalware scan
US20100306844A1 (en) Application information tampering monitoring apparatus and method
US20230161877A1 (en) Efficient integrity monitoring of processing operations with multiple memory arrays
JP2017102566A (ja) Unauthorized file detection device, unauthorized file detection method, and unauthorized file detection program
US20230244786A1 (en) File integrity monitoring

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20961638

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20961638

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP