CN109766691B - A method and device for monitoring ransomware - Google Patents
- Publication number: CN109766691B (application CN201811564804.9A)
- Authority: CN (China)
- Prior art keywords: sequence, ransomware, classification model, suspicious, malicious
- Legal status: Active (as listed by Google; the status is an assumption and not a legal conclusion, since Google has not performed a legal analysis)
- Landscapes: Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA); Debugging And Monitoring (AREA)
Abstract
The present invention provides a ransomware monitoring method and device. The method comprises: after detecting a suspicious operation performed on a honeypot system, obtaining a suspicious sequence corresponding to the suspicious operation; initializing a sandbox system, inputting the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determining that the suspicious sequence is a malicious sequence; after obtaining a normal sequence corresponding to normal operations performed on a user system, inputting the normal operations, suspicious operations and malicious operations into a preset machine learning engine for training to obtain a first classification model; inputting the malicious sequences into the first classification model again and classifying the first classification model by ransomware type to obtain a second classification model; and inputting operation sequences from the user system into the second classification model and raising an alert if a sequence was produced by ransomware. The present invention can effectively monitor existing ransomware, its variants and new ransomware.
Description
Technical Field
The present invention relates to the field of computer security, and in particular to a ransomware monitoring method and device.
Background
Ransomware generally spreads by exploiting zero-day vulnerabilities. Unlike other viruses with malicious behavior, ransomware usually encrypts data with ordinary encryption methods, so its behavioral characteristics closely resemble manual operations, and producing variants of ransomware is comparatively simple. Anti-virus software that analyzes fixed behavioral signatures generally finds it hard to distinguish ransomware behavior from other normal operations, so it cannot predict attacks, and the accuracy and efficiency of detection and removal are low.
Summary of the Invention
Embodiments of the present invention provide a ransomware monitoring method and device that can effectively monitor existing ransomware, its variants and new ransomware.
According to one aspect of the present invention, a ransomware monitoring method is provided, comprising:
after detecting a suspicious operation performed on a honeypot system, obtaining a suspicious sequence corresponding to the suspicious operation;
initializing a sandbox system, inputting the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determining that the suspicious sequence is a malicious sequence;
after obtaining a normal sequence corresponding to normal operations performed on a user system, inputting the normal operations, the suspicious operations and the malicious operations into a preset machine learning engine for training to obtain a first classification model;
inputting the malicious sequence into the first classification model again and classifying the first classification model by ransomware type to obtain a second classification model;
inputting an operation sequence from the user system into the second classification model and, if it is a sequence produced by ransomware, raising an alert.
Preferably, the condition that the replay result and the suspicious sequence satisfy a preset malicious condition is specifically:
the state of the replayed file is a preset malicious state, and the suspicious sequence contains a subsequence of encryption API calls.
Preferably, the preset malicious state is deleted, cannot be opened, or opens abnormally.
Preferably, classifying the first classification model by ransomware type specifically comprises:
classifying the first classification model by ransomware type on the basis of sequence similarity.
Preferably, classifying the first classification model by ransomware type on the basis of sequence similarity specifically comprises:
computing the sequence similarity between the malicious sequences by word embedding, and classifying the first classification model by ransomware type according to the sequence similarity.
Preferably, after inputting the operation sequence from the user system into the second classification model and raising an alert if it is a sequence produced by ransomware, the method further comprises:
inputting the sequence produced by the ransomware into the second classification model to update the model.
Preferably, after inputting the operation sequence from the user system into the second classification model and raising an alert if it is a sequence produced by ransomware, the method further comprises:
generating a monitoring report for the ransomware.
According to another aspect of the present invention, a ransomware monitoring device is provided, comprising:
an acquisition module, configured to obtain, after detecting a suspicious operation performed on a honeypot system, a suspicious sequence corresponding to the suspicious operation;
a replay module, configured to initialize a sandbox system, input the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determine that the suspicious sequence is a malicious sequence;
a training module, configured to obtain a normal sequence corresponding to normal operations performed on a user system and then input the normal operations, the suspicious operations and the malicious operations into a preset machine learning engine for training to obtain a first classification model;
a classification module, configured to input the malicious sequence into the first classification model again and classify the first classification model by ransomware type to obtain a second classification model;
a monitoring module, configured to input an operation sequence from the user system into the second classification model and raise an alert if it is a sequence produced by ransomware.
According to another aspect of the present invention, a ransomware monitoring device is provided, comprising a processor and a memory, the memory storing computer program instructions which, when executed by the processor, implement the ransomware monitoring method described above.
According to another aspect of the present invention, a computer-readable storage medium is provided, the medium storing computer program instructions which, when executed by a processor, implement the ransomware monitoring method described above.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
The present invention provides a ransomware monitoring method and device. The method comprises: after detecting a suspicious operation performed on a honeypot system, obtaining a suspicious sequence corresponding to the suspicious operation; initializing a sandbox system, inputting the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determining that the suspicious sequence is a malicious sequence; after obtaining a normal sequence corresponding to normal operations performed on a user system, inputting the normal operations, suspicious operations and malicious operations into a preset machine learning engine for training to obtain a first classification model; inputting the malicious sequences into the first classification model again and classifying the first classification model by ransomware type to obtain a second classification model; and inputting operation sequences from the user system into the second classification model and raising an alert if a sequence was produced by ransomware.
The present invention collects suspicious sequences through the honeypot system, determines the malicious sequences by replaying them in the sandbox system, and then inputs the normal, suspicious and malicious sequences into a supervised machine learning engine for training to obtain a first classification model that can distinguish normal operations from malicious ransomware operations; the first classification model is then split by ransomware type to obtain a second classification model. The present invention can therefore effectively monitor existing ransomware, its variants and new ransomware without prior knowledge of the ransomware's characteristics.
Description of the Drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of one embodiment of a ransomware monitoring method provided by the present invention;
Fig. 2 is a schematic flow chart of another embodiment of a ransomware monitoring method provided by the present invention;
Fig. 3 is a schematic structural diagram of one embodiment of a ransomware monitoring device provided by the present invention.
Detailed Description
Embodiments of the present invention provide a ransomware monitoring method and device that can effectively monitor existing ransomware, its variants and new ransomware.
In order to make the purpose, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the embodiments described below are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, one embodiment of the ransomware monitoring method provided by the present invention comprises:
101. After detecting a suspicious operation performed on the honeypot system, obtain a suspicious sequence corresponding to the suspicious operation;
102. Initialize the sandbox system, input the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determine that the suspicious sequence is a malicious sequence;
103. After obtaining a normal sequence corresponding to normal operations performed on the user system, input the normal operations, suspicious operations and malicious operations into the preset machine learning engine for training to obtain a first classification model;
104. Input the malicious sequence into the first classification model again and classify the first classification model by ransomware type to obtain a second classification model;
105. Input an operation sequence from the user system into the second classification model and, if it is a sequence produced by ransomware, raise an alert.
It should be noted that the honeypot system is used to capture attack behavior in the network that exploits unknown vulnerabilities. The honeypot is deployed in the network in which ransomware is to be monitored, and may take the form of a network of honeypot devices or of a single honeypot device. The honeypot runs a conventional operating system, such as Linux or Windows, together with typical system and application software, including database systems, control systems, office systems and file editing systems. The operating system running in the honeypot is pre-instrumented with software probes that collect the events generated in the system, including at least network operation events, file operation events, process operation events and key API call events.
The sandbox system is used to record and analyze the behavior of ransomware on a single device. The device is installed with a conventional operating system, such as Linux or Windows, and runs typical system and application software, including database systems, control systems, office systems and file editing systems. The sandbox can execute the computer instructions issued to it, capture and record the system state (memory and file system snapshots), set an initial state, store the state at any moment during execution, and restore to a stored state after executing a number of instructions.
The machine learning engine performs supervised training on input event sequences and their corresponding labels to form a classification model that separates ransomware from normal behavior. The machine learning engine also performs unsupervised training on event sequences according to their similarity to form a classification model that separates different ransomware families. Given the event sequence of a specified piece of software, the machine learning engine performs inference on it to judge whether that software is ransomware.
The present invention collects suspicious sequences through the honeypot system, determines the malicious sequences by replaying them in the sandbox system, and then inputs the normal, suspicious and malicious sequences into a supervised machine learning engine for training to obtain a first classification model that can distinguish normal operations from malicious ransomware operations; the first classification model is then split by ransomware type to obtain a second classification model. The present invention can therefore effectively monitor existing ransomware, its variants and new ransomware without prior knowledge of the ransomware's characteristics.
The above is one embodiment of the ransomware monitoring method. For a more specific description, another embodiment of the ransomware monitoring method is provided below. Referring to Fig. 2, another embodiment of the ransomware monitoring method provided by the present invention comprises:
201. After detecting a suspicious operation performed on the honeypot system, obtain a suspicious sequence corresponding to the suspicious operation;
In this embodiment, a honeypot system, a sandbox system and a user system are deployed in the target network under monitoring, and the honeypot system is configured to have no user operations. The event sequences of the processes running on the honeypot system are collected, and the honeypot is monitored for operations on key data such as user files, database files and configuration files. Any such operation is called a suspicious operation, and the suspicious sequence containing it is obtained.
202. Initialize the sandbox system, input the suspicious sequence into the sandbox system for replay and, if the state of the replayed file is a preset malicious state and the suspicious sequence contains a subsequence of encryption API calls, determine that the suspicious sequence is a malicious sequence;
In this embodiment, since a suspicious operation is not necessarily performed by ransomware, the present invention initializes the sandbox system and inputs the suspicious sequence into it for replay. If the state of the replayed file is deleted, cannot be opened or opens abnormally, and the suspicious sequence contains a subsequence of encryption API calls, the suspicious sequence is determined to be a malicious sequence, that is, a malicious sequence caused by ransomware.
203. After obtaining a normal sequence corresponding to normal operations performed on the user system, input the normal operations, suspicious operations and malicious operations into the preset machine learning engine for training to obtain the first classification model;
After the malicious sequence is determined, the normal event sequences of the processes running on the user system, that is, the normal sequences, need to be collected. The normal operations, suspicious operations and malicious operations are then input into the preset machine learning engine for training to obtain the first classification model. It can be understood that the first classification model can be used to classify operations into ransomware operations, normal operations and suspicious operations (those not performed by ransomware).
204. Input the malicious sequences into the first classification model again, compute the sequence similarity between the malicious sequences by word embedding, and classify the first classification model by ransomware type according to the sequence similarity to obtain the second classification model;
After the first classification model is obtained, the malicious sequences can be input into it again. Since the malicious sequences usually comprise multiple sequences that may have been produced by different types of ransomware, the present invention computes the sequence similarity between the malicious sequences by word embedding and groups similar sequences according to that similarity; this completes the classification of the first classification model by ransomware type and yields the second classification model.
205. Input an operation sequence from the user system into the second classification model and, if it is a sequence produced by ransomware, raise an alert.
Once the second classification model is obtained, it can be used to monitor the operation sequences on the user system; if a sequence was produced by ransomware, the corresponding process can be located and an alert raised.
Furthermore, after step 205 the method also comprises:
206. Input the sequence produced by the ransomware into the second classification model to update the model.
Since the ransomware in step 205 may be a new type of ransomware, its corresponding sequence can be input into the second classification model for incremental training in order to update the model.
Furthermore, after step 205 the method also comprises:
207. Generate a monitoring report for the ransomware.
After an operation is determined to have been produced by ransomware, a monitoring report on the ransomware can be generated for the user to review.
The present invention collects suspicious sequences through the honeypot system, determines the malicious sequences by replaying them in the sandbox system, and then inputs the normal, suspicious and malicious sequences into a supervised machine learning engine for training to obtain a first classification model that can distinguish normal operations from malicious ransomware operations; the first classification model is then split by ransomware type to obtain a second classification model. The present invention can therefore effectively monitor existing ransomware, its variants and new ransomware without prior knowledge of the ransomware's characteristics.
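To make the step 202 malicious condition and the step 204/205 similarity-based typing concrete, the following is an added Python example, not code from the patent or its applicant. It assumes constructed event tokens and placeholder API and file-state names, substitutes a bigram cosine similarity for the patent's word-embedding similarity, and uses a simple greedy threshold grouping where the patent leaves the clustering method unspecified.

```python
"""Added example (not the patent's code): a toy pipeline for steps 202, 204
and 205. Event sequences are constructed lists of probe event tokens; the
API names, file-state labels, the bigram cosine similarity (a stand-in for
the patent's word-embedding similarity) and the greedy grouping are all
assumptions made for illustration."""
from collections import Counter
from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Assumed token names for encryption API calls that the probes might report
ENCRYPTION_APIS = {"CryptEncrypt", "BCryptEncrypt", "EVP_EncryptUpdate"}
# The three preset malicious file states named in the patent, as labels
MALICIOUS_FILE_STATES = {"deleted", "cannot_open", "open_abnormal"}


def has_encryption_subsequence(seq: Sequence[str]) -> bool:
    """Second half of the step 202 condition: an encryption API call occurs."""
    return any(ev in ENCRYPTION_APIS for ev in seq)


def is_malicious(seq: Sequence[str], replayed_states: Dict[str, str]) -> bool:
    """Step 202 preset malicious condition.

    replayed_states maps each file touched during sandbox replay to its final
    state. Assumption: the condition holds if ANY replayed file ends in a
    malicious state AND the sequence contains an encryption API call.
    """
    file_hit = any(s in MALICIOUS_FILE_STATES for s in replayed_states.values())
    return file_hit and has_encryption_subsequence(seq)


def bigram_vector(seq: Sequence[str]) -> Counter:
    """Order-aware features: counts of adjacent event pairs."""
    return Counter(zip(seq, seq[1:]))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def group_by_similarity(malicious: List[Sequence[str]],
                        threshold: float = 0.5) -> List[List[int]]:
    """Step 204 stand-in: single-pass greedy grouping of malicious sequences.

    Each returned list holds indices into `malicious` and represents one
    ransomware type; a sequence joins the most similar existing group if its
    cosine similarity to that group's summed feature vector meets the
    threshold, otherwise it starts a new group.
    """
    groups: List[List[int]] = []
    centroids: List[Counter] = []
    for i, seq in enumerate(malicious):
        vec = bigram_vector(seq)
        best, best_sim = -1, threshold
        for g, centroid in enumerate(centroids):
            sim = cosine(vec, centroid)
            if sim >= best_sim:
                best, best_sim = g, sim
        if best < 0:
            groups.append([i])
            centroids.append(Counter(vec))
        else:
            groups[best].append(i)
            centroids[best].update(vec)
    return groups


def classify(seq: Sequence[str], malicious: List[Sequence[str]],
             groups: List[List[int]], threshold: float = 0.5) -> Tuple[bool, int]:
    """Step 205: compare a user-system sequence against every known malicious
    sequence and return (alert, type_index); type_index is -1 when no match
    reaches the threshold."""
    vec = bigram_vector(seq)
    best_type, best_sim = -1, 0.0
    for t, members in enumerate(groups):
        for i in members:
            sim = cosine(vec, bigram_vector(malicious[i]))
            if sim > best_sim:
                best_type, best_sim = t, sim
    if best_sim >= threshold:
        return True, best_type
    return False, -1


# Constructed sample sequences (not real telemetry)
SEQ_A = ["FindFirstFile", "CreateFile", "ReadFile", "CryptEncrypt",
         "WriteFile", "DeleteFile"]
SEQ_B = SEQ_A + ["CreateFile", "ReadFile", "CryptEncrypt", "WriteFile",
                 "DeleteFile"]
SEQ_C = ["socket", "connect", "recv", "EVP_EncryptUpdate", "rename", "unlink"]
NORMAL = ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"]
# A variant of SEQ_A that swaps the encryption API but keeps the file pattern
VARIANT = ["FindFirstFile", "CreateFile", "ReadFile", "BCryptEncrypt",
           "WriteFile", "DeleteFile"]
MALICIOUS = [SEQ_A, SEQ_B, SEQ_C]

if __name__ == "__main__":
    groups = group_by_similarity(MALICIOUS)
    print("types:", groups)                                  # [[0, 1], [2]]
    print("normal:", classify(NORMAL, MALICIOUS, groups))    # (False, -1)
    print("variant:", classify(VARIANT, MALICIOUS, groups))  # (True, 0)
```

The variant case is the point of the patent's similarity step: a sample that swaps the encryption API but keeps the enumerate-read-encrypt-write-delete file pattern still lands in the same type, while the ordinary file-editing sequence stays below the threshold.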
The above is a detailed description of the ransomware monitoring method provided by the present invention. The structure and connections of the ransomware monitoring device provided by the present invention are described below. Referring to Fig. 3, one embodiment of the ransomware monitoring device provided by the present invention comprises:
an acquisition module 301, configured to obtain, after detecting a suspicious operation performed on the honeypot system, a suspicious sequence corresponding to the suspicious operation;
a replay module 302, configured to initialize the sandbox system, input the suspicious sequence into the sandbox system for replay and, if the replay result and the suspicious sequence satisfy a preset malicious condition, determine that the suspicious sequence is a malicious sequence;
a training module 303, configured to obtain a normal sequence corresponding to normal operations performed on the user system and then input the normal operations, suspicious operations and malicious operations into the preset machine learning engine for training to obtain the first classification model;
a classification module 304, configured to input the malicious sequence into the first classification model again and classify the first classification model by ransomware type to obtain the second classification model;
a monitoring module 305, configured to input an operation sequence from the user system into the second classification model and raise an alert if it is a sequence produced by ransomware.
Furthermore, the replay module 302 is further configured to initialize the sandbox system, input the suspicious sequence into the sandbox system for replay, and determine that the suspicious sequence is a malicious sequence if the state of the replayed file is a preset malicious state and the suspicious sequence contains a subsequence of encryption API calls.
Furthermore, the preset malicious state is deleted, cannot be opened, or opens abnormally.
Furthermore, the classification module 304 is configured to input the malicious sequences into the first classification model again, compute the sequence similarity between the malicious sequences by word embedding, and classify the first classification model by ransomware type according to the sequence similarity to obtain the second classification model.
Furthermore, the ransomware monitoring device provided by the present invention also comprises:
an update module, configured to input the sequence produced by the ransomware into the second classification model to update the model.
Furthermore, the ransomware monitoring device provided by the present invention also comprises:
a generation module, configured to generate a monitoring report for the ransomware.
Another embodiment of the ransomware monitoring device provided by the present invention comprises a processor and a memory, the memory storing computer program instructions which, when executed by the processor, implement the ransomware monitoring method described above.
The present invention also relates to a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the ransomware monitoring method described above.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the essence of the technical solution of the present invention, the part that contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks, and other media that can store program code.
The above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811564804.9A CN109766691B (en) | 2018-12-20 | 2018-12-20 | A method and device for monitoring ransomware |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811564804.9A CN109766691B (en) | 2018-12-20 | 2018-12-20 | A method and device for monitoring ransomware |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109766691A CN109766691A (en) | 2019-05-17 |
| CN109766691B true CN109766691B (en) | 2023-08-22 |
Family ID: 66450773
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811564804.9A Active CN109766691B (en) | 2018-12-20 | 2018-12-20 | A method and device for monitoring ransomware |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109766691B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110363002A (en) * | 2019-07-16 | 2019-10-22 | 杭州安恒信息技术股份有限公司 | Intrusion detection method, device, equipment and readable storage medium |
| CN110555306B (en) * | 2019-09-02 | 2024-02-06 | 慧盾信息安全科技(苏州)股份有限公司 | System and method for automatically controlling access authority of process to server data |
| CN115314320A (en) * | 2022-08-30 | 2022-11-08 | 中京天裕科技(杭州)有限公司 | Method and device for trapping and defending against email ransomware |
| CN119128880A (en) * | 2023-06-13 | 2024-12-13 | 华为技术有限公司 | A method for detecting ransomware attacks and related equipment |
| CN117235712B (en) * | 2023-11-14 | 2024-02-02 | 北京网藤科技有限公司 | A sandbox method and system for detecting ransomware viruses |
| CN117540385B (en) * | 2024-01-09 | 2024-03-29 | 北京数基信息有限公司 | Script file monitoring method, system and storage medium |
| CN119740136B (en) * | 2024-11-04 | 2025-11-11 | 北京亚鸿世纪科技发展有限公司 | Ransomware classification method and system based on a large model |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101692267A (en) * | 2009-09-15 | 2010-04-07 | 北京大学 | Method and system for detecting large-scale malicious web pages |
| CN103150509A (en) * | 2013-03-15 | 2013-06-12 | 长沙文盾信息技术有限公司 | Virus detection system based on virtual execution |
| CN103918222A (en) * | 2011-10-21 | 2014-07-09 | 迈克菲公司 | System and method for detection of denial of service attacks |
| CN104541293A (en) * | 2012-05-14 | 2015-04-22 | 高通股份有限公司 | Architecture for client-cloud behavior analyzer |
| CN105787370A (en) * | 2016-03-07 | 2016-07-20 | 成都驭奔科技有限公司 | Malicious software collecting and analyzing method based on honeypots |
| CN107273747A (en) * | 2017-05-22 | 2017-10-20 | 中国人民公安大学 | Ransomware detection method |
| CN107315954A (en) * | 2016-04-27 | 2017-11-03 | 腾讯科技(深圳)有限公司 | File type identification method and server |
| KR20180062998A (en) * | 2018-05-28 | 2018-06-11 | 한국인터넷진흥원 | Method and Apparatus for Classifying Vulnerability Information Based on Machine Learning |
| CN108200030A (en) * | 2017-12-27 | 2018-06-22 | 深信服科技股份有限公司 | Malicious traffic detection method, system, device and computer-readable storage medium |
- 2018-12-20: CN application CN201811564804.9A (CN109766691B), status Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN109766691A (en) | 2019-05-17 |
Similar Documents
| Publication | Title |
|---|---|
| CN109766691B (en) | A method and device for monitoring ransomware |
| US10791133B2 (en) | System and method for detecting and mitigating ransomware threats |
| CN106790186B (en) | Multi-step attack detection method based on multi-source abnormal event correlation analysis |
| CN103078864B (en) | Active defense file repair method based on cloud security |
| CN109586282B (en) | A system and method for detecting unknown threats to the power grid |
| CN111274583A (en) | Big data computer network security protection device and its control method |
| US10037425B2 (en) | Detecting suspicious file prospecting activity from patterns of user activity |
| US12341801B2 (en) | System and method of anomaly detection with configuration-related activity profiles |
| CN107563199A (en) | Real-time ransomware detection and defence method based on file request monitoring |
| CN110912884A (en) | Detection method, detection equipment and computer storage medium |
| CN109684833B (en) | System and method for adapting program dangerous behavior patterns to user computer system |
| CN111241545A (en) | A software processing method, system, device and medium |
| JP2017142744A (en) | Information processing apparatus, virus detection method, and program |
| CN110909349A (en) | Detection method and system for reverse shells in docker containers |
| KR101988747B1 (en) | Ransomware detecting method and apparatus based on machine learning through hybrid analysis |
| US10452841B1 (en) | Modeling malicious behavior that occurs in the absence of users |
| US20250023898A1 (en) | Security incident detection based on historian configuration data collected over time |
| KR20210025448A (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis |
| CN117914582A (en) | Method, device, equipment and storage medium for detecting process hollowing attack |
| KR101754964B1 (en) | Method and Apparatus for Detecting Malicious Behavior |
| CN109818945A (en) | Application program behavior feature selection method and device |
| JP2019220132A (en) | System and method of adapting patterns of dangerous behavior of programs to computer systems of users |
| CN114640529A (en) | Attack protection method, apparatus, device, storage medium and computer program product |
| CN116204876A (en) | Abnormality detection method, apparatus, and storage medium |
| CN111832030A (en) | A data security audit device and method based on domestic cryptographic data identification |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |