WO2022219819A1 - Determination device, determination method, and determination program - Google Patents
- Publication number: WO2022219819A1 (application PCT/JP2021/015759)
- Authority: WO (WIPO (PCT))
- Prior art keywords: attack, communication, blind, communication log, logs
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- the present invention relates to a determination device, a determination method, and a determination program for determining whether or not a blind attack has succeeded.
- Example 1 Blind SQL injection
- an object of the present invention is to solve the above-described problem and determine whether or not a blind attack has succeeded.
- the present invention comprises a session extraction unit that extracts a series of communication logs of the same session from the communication log that is the target of attack detection, and an attack detection unit that detects blind-attack communication logs using the URL of the request destination of the communication log and, from the communication log in which a blind attack was detected, identifies the target location of the blind attack and the content of the attack.
- it further comprises a success/failure determination unit that extracts, from the extracted series of communication logs of the same session, the communication logs whose attack target location matches and, when it determines that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, determines that the blind attack by the communication indicated by the series of communication logs has succeeded, and a determination result output unit that outputs the result of the determination.
- FIG. 1 is a diagram for explaining an outline of the operation of the determination device.
- FIG. 2 is a diagram illustrating a configuration example of the determination device.
- FIG. 3 is a diagram showing an example of the communication log in FIG. 2.
- FIG. 4 is a diagram showing an example of the detection data in FIG.
- FIG. 5 is a diagram for explaining success/failure determination by the success/failure determination unit in FIG. 2.
- FIG. 6 is a flowchart illustrating an example of the processing procedure of the determination device.
- FIG. 7 is a diagram showing a configuration example of a system including the determination device.
- FIG. 8 is a diagram showing a configuration example of a computer that executes the determination program.
- a blind attack is an attack in which requests with different parameters are sent to an attack target, and information is sought from differences in responses to the requests.
- the determination device 10 obtains, from the communication log of the communication with the web server, the requests sent to the web server ((1)) and the status code and response size of the response to each request ((2)). Then, based on the acquired data, the determination device 10 identifies blind attacks within the same session and determines the success or failure of those attacks from the status codes and response sizes ((3)).
- the determination device 10 extracts a series of communication logs of the same session (see reference numeral 101 in FIG. 1) from among the acquired communication logs. Then, the determination device 10 determines whether or not the series of communications is a blind attack from the URL of the request destination of the extracted series of communication logs.
- when the determination device 10 determines that the series of communications is a blind attack, that the attack target location is the same (for example, the parameter id of the URL), that the contents of the attack (for example, the parameter values set in the request) differ, and that the response status codes and response sizes also differ, the determination device 10 determines that the blind attack by the series of communications indicated by reference numeral 101 has succeeded.
- the determination device 10 can detect a blind attack and determine whether or not the blind attack was successful.
- the determination device 10 includes a storage unit 11 and a control unit 12.
- the storage unit 11 stores data referred to when the control unit 12 executes various processes and data generated by executing those processes.
- the storage unit 11 stores the communication log that is the target of attack detection, session data (described later) extracted by the control unit 12, detection data (described later), determination result data indicating whether or not the attack succeeded, and the like.
- the communication log includes, for each communication log entry targeted for attack detection, its identification information (No.), the time the communication occurred, the source and destination of the request, the URL of the request destination, the status code of the response, the response size, and so on.
- the communication log is input via an input/output unit (not shown) of the determination device 10, for example.
- the control unit 12 controls the entire determination device 10.
- the control unit 12 includes a session extraction unit 121, a blind attack detection unit 122, a success/failure determination unit 123, and a determination result output unit 124.
- the session extraction unit 121 extracts communication logs of the same session from the communication logs. For example, the session extraction unit 121 extracts, from the communication log, a series of communications with the same source and destination and within a predetermined period of time as the communication log of the same session.
- the session extraction unit 121 extracts [1, 2, 5], [3, 4] and [6] as communication logs of the same session. Then, the session extraction unit 121 assigns session identification information (for example, S1, S2, S3) to each of the extracted communication logs.
- the blind attack detection unit 122 uses existing signature detection, for example, to determine whether or not the request indicated by the communication log is a blind attack.
- the blind attack detection unit 122 detects [2, 3, 4, 5], which match the detection signature, from the communication log shown in FIG. 3 as the communication logs of blind attacks (see FIG. 4).
- the blind attack detection unit 122 also identifies the target location of the blind attack and the content of the blind attack from the communication log of the blind attack, for example, as shown in FIG. 4. Then, the blind attack detection unit 122 stores the identification information (No.) of the communication log in which the blind attack was detected, the target location of the blind attack, the information indicating the content of the blind attack (see FIG. 4), and so on in the storage unit 11 as detection data.
- the success/failure determination unit 123 extracts, from among the communication logs of the same session, the communication logs with the same attack target location. Then, if the success/failure determination unit 123 determines that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, it determines that the blind attack was successful. On the other hand, the success/failure determination unit 123 determines that the blind attack has failed when the attack contents in the extracted communication logs are not of multiple types, the response status codes are not multiple, or the response sizes are not multiple.
- the success/failure determination unit 123 refers to the session data and extracts the communication log of the same session from the communication log. Then, the success/failure determination unit 123 refers to the detection data, and identifies, from the extracted communication logs, a communication log in which a blind attack is detected and the location of the attack target matches.
- the blind attacks in communication logs Nos. 2 and 5 belong to session S1, and their attack target locations match in the parameter id. Further, since the contents of the blind attacks in communication logs Nos. 2 and 5 differ, and their status codes and response sizes differ, the success/failure determination unit 123 determines that the attacks have succeeded.
- the blind attacks in communication logs Nos. 3 and 4 belong to session S2, and their attack target locations match in the parameter pw.
- although the contents of the blind attacks in communication logs Nos. 3 and 4 differ, their status codes and response sizes are the same, so the success/failure determination unit 123 determines that the attack has failed.
- the determination result output unit 124 outputs the determination result of the success/failure determination unit 123.
- the determination result output unit 124 outputs the determination result that communication logs Nos. 2 and 5 indicate blind attacks against the parameter id and that the attacks were successful.
- the determination device 10 detects a blind attack without modifying the existing system, and can determine whether or not the blind attack has succeeded from the behavior of the communication within the session in which the attack is being performed.
- the session extraction unit 121 determines, based on the session data, whether the communication log belongs to a new session or is part of an existing session, and updates the session data accordingly (S12).
- if the blind attack detection unit 122 detects the new communication log as a blind attack (Yes in S13), the success/failure determination unit 123 determines whether the blind attack succeeded or failed based on the session data (S14), and the determination result output unit 124 outputs the determination result of S14 (S15). On the other hand, if the blind attack detection unit 122 does not detect the new communication log as a blind attack (No in S13), the process ends.
- the determination device 10 thus detects a blind attack without modifying the existing system, and can determine whether or not the blind attack succeeded from the behavior of the communication within the session in which the attack is being performed. As a result, maintenance personnel and administrators can distinguish high-priority alerts from low-priority alerts for such attacks, so security operations can be performed efficiently.
- the blind attack detection unit 122 of the determination device 10 may be installed outside the determination device 10.
- the blind attack detection unit 122 may be realized by an attack detection device such as a WAF (Web Application Firewall) installed outside the determination device 10, as shown in (1) and (2) of FIG. 7.
- the determination device 10 may be directly connected to the web server that is the target of attack success/failure determination (in-line configuration), as shown in FIG. 7(1), or connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 7(2).
- each constituent element of each unit shown in the figures is functionally conceptual and does not necessarily need to be physically configured as shown.
- the specific form of distribution and integration of each device is not limited to the illustrated one; all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
- all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
- the determination device 10 described above can be implemented by installing a program as package software or online software on a desired computer.
- the information processing device can function as the determination device 10 by causing the information processing device to execute the above program.
- the information processing apparatus referred to here includes a desktop or notebook personal computer.
- information processing devices include mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone Systems), and terminals such as PDAs (Personal Digital Assistants).
- the determination device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with services related to the above processing.
- the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing by outsourcing.
- FIG. 8 is a diagram showing an example of a computer that executes a determination program.
- the computer 1000 has a memory 1010 and a CPU 1020, for example.
- the computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060 and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- the ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
- the hard disk drive interface 1030 is connected to a hard disk drive 1090.
- the disk drive interface 1040 is connected to a disk drive 1100.
- a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100 .
- Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
- Video adapter 1060 is connected to display 1130, for example.
- the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, a program that defines each process executed by the determination device 10 is implemented as a program module 1093 in which computer-executable code is described. The program modules 1093 are stored, for example, on the hard disk drive 1090.
- the hard disk drive 1090 stores a program module 1093 for executing processing equivalent to the functional configuration of the determination device 10.
- the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
- the data used in the processes of the above-described embodiments are stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program modules 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
- the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.
- reference numerals: 10 determination device; 11 storage unit; 12 control unit; 121 session extraction unit; 122 blind attack detection unit; 123 success/failure determination unit; 124 determination result output unit
Description
For example, consider the case where the web application /index.php has an SQL injection vulnerability and receives a blind attack such as the following.
GET /index.php?id=“1 AND user() != ‘admin’#”
Also consider the case of receiving a blind attack such as the following.
GET /index.php?name=x; X=$(cat /etc/passwd|tail -n 1|cut -f 1 -d":");test $X != ”admin”
An outline of the determination device 10 of this embodiment will be described. In the following description, a blind attack is an attack in which requests with different parameters are sent to the attack target and information is probed from the differences between the responses to those requests.
Next, a configuration example of the determination device 10 will be described using FIG. 2. The determination device 10 includes a storage unit 11 and a control unit 12. The storage unit 11 stores data referenced when the control unit 12 executes various processes and data generated by executing those processes.
Next, an example of the processing procedure of the determination device 10 will be described using FIG. 6. First, when the determination device 10 acquires a new communication log (S11), the session extraction unit 121 determines, based on the session data, whether the communication log is a new session or part of an existing session, and updates the session data according to the result (S12).
Note that the blind attack detection unit 122 of the determination device 10 may be installed outside the determination device 10. For example, the blind attack detection unit 122 may be realized by an attack detection device such as a WAF (Web Application Firewall) installed outside the determination device 10, as shown in (1) and (2) of FIG. 7. The determination device 10 may also be directly connected to the web server that is the target of attack success/failure determination (in-line configuration), as shown in FIG. 7(1), or connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 7(2).
Each component of each unit shown in the figures is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to that illustrated; all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Furthermore, all or any part of each processing function performed by each device may be realized by a CPU and a program executed by that CPU, or as hardware using wired logic.
The determination device 10 described above can be implemented by installing the program on a desired computer as package software or online software. For example, by causing an information processing device to execute the above program, the information processing device can be made to function as the determination device 10. The information processing device referred to here includes desktop and notebook personal computers. It also includes mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone System) devices, as well as terminals such as PDAs (Personal Digital Assistant).
11 storage unit
12 control unit
121 session extraction unit
122 blind attack detection unit
123 success/failure determination unit
124 determination result output unit
Claims (5)
- A determination device comprising:
a session extraction unit that extracts a series of communication logs of the same session from communication logs subject to attack detection;
an attack detection unit that detects communication logs of a blind attack using the request-destination URL of the communication logs and identifies, from the communication logs in which a blind attack was detected, the attack target location and the content of the attack of the blind attack;
a success/failure determination unit that extracts, from the extracted series of communication logs of the same session, the communication logs whose blind-attack target location matches and, when it determines that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, determines that the blind attack by the communication indicated by the series of communication logs has succeeded; and
a determination result output unit that outputs the result of the determination.
- The determination device according to claim 1, wherein the attack detection unit detects communication logs of a blind attack by applying an attack detection signature to the request-destination URL of the communication logs.
- The determination device according to claim 1, wherein the attack detection unit detects communication logs of a blind attack using at least one of the regular expressions “AND.*[!=<>]+.*#”, “test \$.+ !?=” and “test \$.+ -(z|n|eq|ne|gt|ge|lt|le)” as an attack detection signature.
- A determination method executed by a determination device, comprising:
a step of extracting a series of communication logs of the same session from communication logs subject to attack detection;
a step of detecting communication logs of a blind attack using the request-destination URL of the communication logs and identifying, from the communication logs in which a blind attack was detected, the attack target location and the content of the attack of the blind attack;
a step of extracting, from the extracted series of communication logs of the same session, the communication logs whose blind-attack target location matches and, when it is determined that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, determining that the blind attack by the communication indicated by the series of communication logs has succeeded; and
a step of outputting the result of the determination.
- A determination program for causing a computer to execute:
a step of extracting a series of communication logs of the same session from communication logs subject to attack detection;
a step of detecting communication logs of a blind attack using the request-destination URL of the communication logs and identifying, from the communication logs in which a blind attack was detected, the attack target location and the content of the attack of the blind attack;
a step of extracting, from the extracted series of communication logs of the same session, the communication logs whose blind-attack target location matches and, when it is determined that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, determining that the blind attack by the communication indicated by the series of communication logs has succeeded; and
a step of outputting the result of the determination.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/015759 WO2022219819A1 (ja) | 2021-04-16 | 2021-04-16 | Determination device, determination method, and determination program |
US18/281,761 US20240154976A1 (en) | 2021-04-16 | 2021-04-16 | Determination device, determination method, and determination program |
JP2023514312A JP7505642B2 (ja) | 2021-04-16 | 2021-04-16 | Determination device, determination method, and determination program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022219819A1 true WO2022219819A1 (ja) | 2022-10-20 |
Family
ID=83640320
Country Status (3)
Country | Link |
---|---|
US (1) | US20240154976A1 (ja) |
JP (1) | JP7505642B2 (ja) |
WO (1) | WO2022219819A1 (ja) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002318734A (ja) * | 2001-04-18 | 2002-10-31 | Teamgia:Kk | Communication log processing method and system |
US20180349602A1 (en) * | 2017-06-06 | 2018-12-06 | Sap Se | Security testing framework including virtualized server-side platform |
Also Published As
Publication number | Publication date |
---|---|
US20240154976A1 (en) | 2024-05-09 |
JP7505642B2 (ja) | 2024-06-25 |
JPWO2022219819A1 (ja) | 2022-10-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21937013; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2023514312; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 18281761; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21937013; Country of ref document: EP; Kind code of ref document: A1 |