CN103475663A - Trojan recognition method based on network communication behavior characteristics - Google Patents

Publication number: CN103475663A
Authority: CN (China)
Prior art keywords: Trojan horse, network, communication, trojan, data
Legal status: Granted; Expired - Fee Related
Application number: CN2013104199490A
Other languages: Chinese (zh)
Other versions: CN103475663B (en)
Inventor: 耿振民
Current Assignee: WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Original Assignee: WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Application filed by WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Priority to CN201310419949.0A
Classification: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention provides a Trojan recognition method based on network communication behavior characteristics. The method comprises: establishing a Markov model of Trojan data traffic; monitoring the data traffic on the network; screening the monitored network communication behavior, wherein if the monitored behavior is not a Trojan communication session the current data traffic is deemed irrelevant traffic, and otherwise the time sequence of the network communication behavior is obtained; and restoring the actual network data traffic into a number of network sessions and matching the network sessions against the Markov model, wherein if a network session does not match the Markov model it is not Trojan communication data, and otherwise it is deemed Trojan communication data. Trojan communication is monitored according to the Trojan's communication behavior characteristics and the time sequence of those characteristics, which effectively avoids the effect on detection results of evasion techniques such as Trojan variation and packing, and improves the efficiency and accuracy of network Trojan detection.

Description

Trojan recognition method based on network communication behavior characteristics
Technical field
The invention belongs to the field of information security technology, and in particular relates to a Trojan recognition method based on network communication behavior characteristics.
Background
With the spread and application of computer networks, people depend on them more and more. Work and home computers store large amounts of non-public or confidential documents and personal information. Once a Trojan program is implanted in such a computer, this information can be stolen, leading to leaks of important information, disclosure of confidential documents, exposure of personal privacy, and economic loss. In addition, a Trojan can damage the information system, causing system breakdown and loss of vital data.
At present, Trojan detection and protection methods fall into two broad classes:
The first is traditional detection based on file signatures. This method first extracts a signature from the Trojan program file, and then scans files to detect whether they contain the signature, thereby identifying Trojan files. However, Trojan authors usually add various forms of "shell" (packer) to the Trojan program file, so that the Trojan spreads in many variants with many signatures, which poses a growing challenge to collecting, monitoring, removing, and preventing Trojans.
The second is the Trojan firewall, a software tool installed on the user's host. It uses dynamic monitoring to watch suspicious connections in the network and filters out unsafe network connections, thereby protecting the host from external threats. However, because it must run on the user's host system, it consumes the host's CPU and memory while working, which affects the performance of other tasks on the system, and methods of this class very easily produce false positives.
With the rapid development of the Internet, Trojans have become more numerous and varied, and the harm they do to computers is increasingly serious. Trojan network behavior mainly refers to the communication between the Trojan and other hosts on the network. Through network behavior a Trojan can carry out network attacks, steal confidential information, operate the controlled host, and so on. Timely and accurate identification of Trojan network behavior is therefore essential.
Different Trojan programs differ greatly in function, target operating system, and network communication protocol, yet their communication behavior shows a certain similarity. Analysis of a large number of mainstream Trojan samples shows that the whole communication process of a Trojan can be divided, by communication behavior characteristics, into three phases: the connection-establishment phase, the connection keep-alive phase, and the interaction phase. The network communication behavior of each phase shows different characteristics in the traffic, and these characteristics can be used to distinguish the Trojan's working phases.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a Trojan recognition method based on network communication behavior characteristics that identifies Trojans by their communication behavior characteristics and the time sequence of those characteristics, and thereby effectively avoids the effect on detection results of evasion techniques such as Trojan variation and packing.
To achieve the above object and other related objects, the invention provides a Trojan recognition method based on network communication behavior characteristics, which comprises at least the following steps: establishing a Markov model of Trojan data traffic; monitoring the data traffic on the network; screening the monitored network communication behavior; if the monitored network communication behavior is not a Trojan communication session, deeming the current data traffic irrelevant traffic; if the monitored network communication behavior is a Trojan communication session, obtaining the time sequence of the network communication behavior; restoring the actual network data traffic into a number of network sessions, and then matching the network sessions against the Markov model; if the two do not match, deeming that the current network session is not Trojan communication data; if the two match, deeming that the current network session is Trojan communication data.
According to the above Trojan recognition method based on network communication behavior characteristics, the method further comprises the following step: after the current network session is deemed Trojan communication data, issuing a Trojan recognition alarm.
According to the above Trojan recognition method based on network communication behavior characteristics, when the data traffic on the network is monitored, a switch is used to obtain a mirrored copy of the network data traffic.
According to the above Trojan recognition method based on network communication behavior characteristics, in the Markov model, packet length, packet direction, and inter-packet interval are used as attributes to describe the Trojan's network communication behavior characteristics, and one TCP session is taken as the basic unit of study.
According to the above Trojan recognition method based on network communication behavior characteristics, in the Markov model, each payload-carrying packet sent in the Trojan communication session triggers one transition of the behavior state.
According to the above Trojan recognition method based on network communication behavior characteristics, the network communication behavior includes directory browsing, file download, remote terminal, keystroke logging, and screen monitoring.
According to the above Trojan recognition method based on network communication behavior characteristics, when the restored network sessions are matched against the Markov model, the phase in which the Trojan's network communication behavior occurs is determined from the transition matrix of the Markov model.
As described above, the Trojan recognition method based on network communication behavior characteristics of the present invention has the following beneficial effects:
(1) The network communication behavior of a Trojan has certain peculiarities compared with normal network applications. Identifying Trojans by their network communication behavior characteristics and the time sequence of those characteristics therefore effectively avoids the effect on detection results of evasion techniques such as Trojan variation and packing;
(2) The efficiency and accuracy of network Trojan detection are effectively improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data attribute collection sequence for the Trojan interaction phase;
Fig. 2 is a schematic diagram of the data attribute collection sequence for the Trojan connection-establishment and keep-alive phases;
Fig. 3 is a schematic diagram of the data attribute collection sequence for normal web browsing, instant messaging, mail sending and receiving, and data download behavior;
Fig. 4 is the flow chart of the operation of the PI Trojan;
Fig. 5 shows the structure of the Trojan recognition system based on network communication behavior characteristics of the present invention;
Fig. 6 is the flow chart of the Trojan recognition method based on network communication behavior characteristics of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described below by way of specific examples; those skilled in the art can readily understand other advantages and effects of the invention from the content disclosed in this specification. The invention can also be implemented or applied through other, different embodiments, and the details in this specification can be modified or changed in various ways, based on different viewpoints and applications, without departing from the spirit of the invention.
It should be noted that the drawings provided in this embodiment only illustrate the basic concept of the invention schematically. They show only the components related to the invention and are not drawn according to the number, shape, and size of the components in actual implementation; in actual implementation the form, number, and proportion of each component may vary freely, and the component layout may be more complex.
In general, the network communication behavior of an application shows distinct characteristics in its traffic, and these characteristics can be used to distinguish network applications. Such characteristics can be described by a set of attributes of the network traffic, including inter-packet interval, packet length, packet direction, connection duration, TCP flags, and so on.
The present invention addresses the characteristics of Trojan network communication behavior by modeling Trojan data traffic with a Markov model and then performing Trojan recognition. First, the first N payload-carrying packets of a TCP flow are examined and characterized as a Markov chain that describes the flow's communication characteristics, which makes it possible to recognize Trojan network communication behavior. Considering the specific characteristics of Trojan network communication behavior, the invention uses packet length, packet direction, and inter-packet interval as the modeling attributes that describe the Trojan's network communication behavior characteristics, and takes one TCP session as the basic unit of study.
The Trojan's network communication behavior is described as a Markov process in which each payload-carrying packet sent in the Trojan communication session triggers one transition of the behavior state. To capture the direction, payload, and interval of each packet in the model, a state is described by the signed packet length together with the signed time interval: a positive value denotes the direction from client to server, a negative value denotes the direction from server to client, and the absolute value of the state gives the packet payload length and the inter-packet interval.
Let the initial state probability vector of the Markov process be $\Pi$. At any time $t_i$ the process is in some state $s_i$, and each packet sent triggers one state transition of the network behavior process between client and server, moving it to the next specific state. Each state is described by the signed packet size and the inter-packet interval, and the state space is $S = \{ s_i \mid -\mathrm{MSS} \le s_i \le \mathrm{MSS},\ e_i,\ i = 0, 1, 2, \ldots \}$, where $e_i$ is the inter-packet interval, MSS is the maximum segment size, and the transition probability matrix is $A$. The problem with using packet length as a modeling attribute, however, is that the packet length can in theory take any value in $[-\mathrm{MSS}, \mathrm{MSS}]$ and the inter-packet interval any value in $[0, +\infty)$. This makes the state space very large and increases computational complexity, and during training the state transition probabilities become too widely dispersed, which makes it hard to determine the model parameters. In the actual implementation, therefore, the packet length is divided into several intervals according to the Trojan's network communication behavior characteristics: $[-\mathrm{MSS}, -1400]$ (defined as -3 in the transition matrix), $[-1399, -257]$ (defined as -2), $[-256, -1]$ (defined as -1), $[0, 256]$ (defined as 1), $[257, 1399]$ (defined as 2), and $[1399, \mathrm{MSS}]$ (defined as 3). The inter-packet interval is likewise divided into several intervals: $(0, 1]$ (defined as 1 in the transition matrix), $(1, 2]$ (defined as 2), $(2, 5]$ (defined as 3), and $(5, +\infty)$ (defined as 4). The number of states thus drops to the size of the Cartesian product of these intervals, which greatly reduces the complexity of the Markov model.
Any Trojan must generate network traffic in order to achieve its goals of remotely controlling the host and stealing information. Depending on the timing, manner, and intent of the control, one Trojan can produce several kinds of network communication behavior with different traffic characteristics. Trojan network communication behavior includes directory browsing, file download, remote terminal, keystroke logging, screen monitoring, and so on. After the Trojan's control end and controlled end have connected, the control end generally establishes a new, dedicated connection for each specific control behavior whenever it carries out any of the above network behaviors, and that new TCP session will also have its own specific traffic characteristics.
The data attribute collection sequence for the Trojan interaction phase is shown in Fig. 1. In the figure, the positive Y direction is the controlled-end data attribute, with attribute values in the range (-3, -1); the negative Y direction is the control-end data attribute, with attribute values in the range (1, 3); and the X axis is the time axis, with attribute values in the range (1, 4). Because the purpose of the Trojan is to steal information, it can be seen that in the Trojan interaction phase the controlled-end data clearly outweighs the control-end data.
For the Trojan interaction phase, the collected attribute values are input into the Markov model, and the transition matrix is calculated as follows:
Figure BDA00003817202600041
Using the same data attribute collection process as for the Trojan interaction phase, the sequence diagram for the Trojan connection-establishment and keep-alive phases is shown in Fig. 2. Inputting the collected data attribute values of the Trojan connection-establishment and keep-alive phases into the Markov model gives the following transition matrix:
Figure BDA00003817202600051
The behavior sequence diagram for normal web browsing, instant messaging, mail sending and receiving, and data download is shown in Fig. 3. Inputting the collected data attribute values of normal web browsing, instant messaging, mail sending and receiving, and data download behavior into the Markov model gives the following transition matrix:
Comparing the transition matrix of the Trojan connection-establishment and keep-alive phases with the transition matrix of normal behavior shows that the values of the normal-behavior matrix are scattered around the main diagonal, whereas the values of the Trojan-behavior matrix are relatively concentrated on the main diagonal. More strikingly, the values of the transition matrix of the Trojan interaction phase are mainly concentrated near the minor diagonal, in clear contrast with normal behavior, whose values lie near the main diagonal.
Correlating the data of the Trojan connection-establishment phase, keep-alive phase, and interaction phase by communication time range, addresses of the communicating parties, communication sequence, and so on allows Trojan network communication behavior to be determined more accurately.
With reference to Fig. 4, the operation steps of the PI Trojan are as follows:
(1) The PI Trojan controlled end is run on the controlled-end host;
(2) The PI Trojan control end is run on the control-end host, opening a service on port 110 with the connect-back password admin;
(3) The PI controlled end actively connects back to port 110 of the control-end host, using the password admin;
(4) The control-end host receives the connect-back from the controlled end and displays the relevant information at the control end;
(5) The control-end host browses the system disk directory of the controlled-end host by remote command and steals the relevant data stored on the system disk.
Analysis of the above PI information-stealing process shows that its connection process has the following common network behavior characteristics:
1. The first payload-carrying packet of the connection is 256 bytes in size and is sent from the controlled end to the control end;
2. Counting from the initial connection, after a certain amount of interaction the controlled end and the control end enter a phase in which they send each other 48-byte packets as a heartbeat, and this continues until the connection ends;
3. Among the payload-carrying packets before the heartbeat phase, the great majority are large packets;
4. A large amount of communication data is produced in the human-computer interaction phase, and most of it flows from the controlled end to the control end.
Session reconstruction is performed on the actual mirrored traffic, restoring the network data flow into a number of network sessions, and the transition matrix over the connection-establishment and heartbeat intervals of the network sessions is calculated, with the following result:
Figure BDA00003817202600061
This transition matrix shows that the network data flow contains a pattern matching the typical Trojan connection-establishment and heartbeat phases, so it can be determined, and an alert raised, that the network data flow contains Trojan connection data.
Inputting the data attribute values of the bulk data transfer interval of the network session into the Markov process gives the following transition matrix:
Figure BDA00003817202600062
This transition matrix shows that the network data flow contains a pattern matching the typical Trojan interaction phase, so it can be determined, and an alert raised, that Trojan human-computer interaction behavior is present in the network data flow.
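The following is an added example, not code from the patent. It discretizes one TCP session into the (packet length bin, interval bin) states described above, estimates a transition matrix per behavior class, and matches a new session against each matrix. Assumptions: MSS = 1460, intervals in seconds, average log-likelihood as the matching rule (the patent does not specify one), and constructed sample sessions based on the 256-byte first packet and 48-byte heartbeat described above.

```python
import math
from itertools import product

MSS = 1460  # assumed value; the page only names "MSS"
LENGTH_BINS = (-3, -2, -1, 1, 2, 3)  # sign = direction, magnitude = size class
GAP_BINS = (1, 2, 3, 4)
STATES = list(product(LENGTH_BINS, GAP_BINS))  # 6 x 4 = 24 states
INDEX = {state: i for i, state in enumerate(STATES)}


def length_bin(signed_len):
    """Signed payload length -> bin. Positive = client to server."""
    size = min(abs(signed_len), MSS)
    # The page lists 1399 in both bin 2 and bin 3; it is placed in bin 2 here
    # so the positive side mirrors the negative side (assumption).
    magnitude = 1 if size <= 256 else 2 if size <= 1399 else 3
    return -magnitude if signed_len < 0 else magnitude


def gap_bin(gap):
    """Inter-packet interval -> bin for (0,1], (1,2], (2,5], (5,+inf)."""
    # Units assumed to be seconds; a zero gap (first packet) goes to bin 1.
    return 1 if gap <= 1 else 2 if gap <= 2 else 3 if gap <= 5 else 4


def to_states(packets):
    """One TCP session, a list of (timestamp, signed_payload_len) -> states."""
    states, prev_ts = [], None
    for ts, signed_len in packets:
        if signed_len == 0:
            continue  # only payload-carrying packets trigger a transition
        gap = 0.0 if prev_ts is None else ts - prev_ts
        states.append((length_bin(signed_len), gap_bin(gap)))
        prev_ts = ts
    return states


def transition_matrix(sessions, alpha=1.0):
    """Row-stochastic matrix A from training sessions, Laplace-smoothed."""
    n = len(STATES)
    counts = [[alpha] * n for _ in range(n)]
    for packets in sessions:
        seq = to_states(packets)
        for a, b in zip(seq, seq[1:]):
            counts[INDEX[a]][INDEX[b]] += 1
    return [[c / sum(row) for c in row] for row in counts]


def avg_log_likelihood(seq, matrix):
    """Mean log-probability of the observed transitions under one model."""
    pairs = list(zip(seq, seq[1:]))
    if not pairs:
        return float("-inf")
    return sum(math.log(matrix[INDEX[a]][INDEX[b]]) for a, b in pairs) / len(pairs)


def classify(packets, models):
    """Return (best matching model name, per-model scores) for one session."""
    seq = to_states(packets)
    scores = {name: avg_log_likelihood(seq, m) for name, m in models.items()}
    return max(scores, key=scores.get), scores


def heartbeat_session(n, period):
    """Constructed sample: 256-byte first packet, then alternating 48-byte beats."""
    packets, t = [(0.0, 256)], 0.0
    for i in range(n):
        t += period
        packets.append((t, 48 if i % 2 == 0 else -48))
    return packets


def browsing_session(pages):
    """Constructed sample: request, burst of large responses, long think time."""
    packets, t = [], 0.0
    for _ in range(pages):
        t += 8.0
        packets.append((t, 400))
        for size in (-1460, -1460, -1460, -700):
            t += 0.05
            packets.append((t, size))
    return packets


MODELS = {
    "trojan_keepalive": transition_matrix(
        [heartbeat_session(20, 3.0), heartbeat_session(30, 4.0)]),
    "normal": transition_matrix([browsing_session(5), browsing_session(8)]),
}

if __name__ == "__main__":
    for name, session in (("heartbeat", heartbeat_session(15, 2.5)),
                          ("browsing", browsing_session(4))):
        label, scores = classify(session, MODELS)
        print(name, "->", label, {k: round(v, 2) for k, v in scores.items()})
```

In practice the training sessions would come from labeled captures, and a minimum score would be required before alerting so that traffic unlike every model is not forced into a class.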
In order not disturb normal network service, with reference to Fig. 5, in the wooden horse recognition system of communication behavior Network Based of the present invention, switch 4 carries out the exchanges data between controlled terminal main frame 1 and control end main frame 2, wooden horse network service behavior detects server 3 and catches and analyze the network traffic data that bypass is come from switch 4, find the network service behavior of wooden horse by the monitor network mirror image data, and suspicious actions are reported to the police.
As shown in Figure 6, in the present invention, concrete wooden horse recognition methods step is as follows:
Step S1: the Markov model of setting up the wooden horse data traffic;
Step S2: the data traffic on network is monitored;
Step S3: monitored network service behavior is screened; If the network service behavior monitored not is the wooden horse communication session, prove that present flow rate is irrelevant flow;
Step S4: if the wooden horse communication session obtains the time series of network service behavior;
Step S5: the real network flow is imported, and network data flow is reduced into to some BlueDramas, then BlueDrama and Markov model are mated; If the two does not mate, prove that the current network session is not the wooden horse communication data;
Step S6: if the two coupling proves that the current network session is the wooden horse communication data.
Preferably, can also comprise that step S7(is not shown): send warning.
In sum, wooden horse recognition methods based on the communication behavior feature of the present invention realizes the monitoring to the wooden horse communication behavior by wooden horse communication behavior feature and timing thereof, effectively avoid wooden horse distortion to add shell etc. and evade the impact of technology on the wooden horse testing result, effectively improved efficiency and accuracy rate that the network wooden horse detects.So the present invention has effectively overcome various shortcoming of the prior art and the tool high industrial utilization.
Above-described embodiment is illustrative principle of the present invention and effect thereof only, but not for limiting the present invention.Any person skilled in the art scholar all can, under spirit of the present invention and category, be modified or be changed above-described embodiment.Therefore, such as in affiliated technical field, have and usually know that the knowledgeable, not breaking away from all equivalence modifications that complete under disclosed spirit and technological thought or changing, must be contained by claim of the present invention.

Claims (7)

1. A Trojan recognition method based on network communication behavior characteristics, characterized in that the Trojan recognition method comprises at least the following steps:
establishing a Markov model of Trojan data traffic;
monitoring the data traffic on the network;
screening the monitored network communication behavior; if the monitored network communication behavior is not a Trojan communication session, deeming the current data traffic irrelevant traffic;
if the monitored network communication behavior is a Trojan communication session, obtaining the time sequence of the network communication behavior;
restoring the actual network data traffic into a number of network sessions, and then matching the network sessions against the Markov model; if the two do not match, deeming that the current network session is not Trojan communication data;
if the two match, deeming that the current network session is Trojan communication data.
2. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized by further comprising the following step: after the current network session is deemed Trojan communication data, issuing a Trojan recognition alarm.
3. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized in that: when the data traffic on the network is monitored, a switch is used to obtain a mirrored copy of the network data traffic.
4. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized in that: in the Markov model, packet length, packet direction, and inter-packet interval are used as attributes to describe the Trojan's network communication behavior characteristics, and one TCP session is taken as the basic unit of study.
5. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized in that: in the Markov model, each payload-carrying packet sent in the Trojan communication session triggers one transition of the behavior state.
6. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized in that: the network communication behavior includes directory browsing, file download, remote terminal, keystroke logging, and screen monitoring.
7. The Trojan recognition method based on network communication behavior characteristics according to claim 1, characterized in that: when the restored network sessions are matched against the Markov model, the phase in which the Trojan's network communication behavior occurs is determined from the transition matrix of the Markov model.
Application CN201310419949.0A (priority date 2013-09-13, filing date 2013-09-13): Trojan horse recognition method based on network service behavior characteristics. Status: Expired - Fee Related. Granted as CN103475663B (en).

Publications (2)

Publication Number | Publication Date
CN103475663A | 2013-12-25
CN103475663B | 2016-08-17

Family ID: 49800359
Country: CN


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160817

Termination date: 20190913

CF01 Termination of patent right due to non-payment of annual fee