CN102375946B - Method and device for detecting webpage trojan - Google Patents
- Publication number: CN102375946B (application CN201010259553.0A)
- Authority: CN (China)
- Prior art keywords: file, tcp, user, tcp packet, download
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and a device for detecting web page Trojans. To detect web page Trojans effectively, received Transmission Control Protocol (TCP) packets are monitored, and when a portable executable (PE) file is found being downloaded to the computer, the user is prompted, which ensures the user's safety. The invention provides an active and effective technical scheme for detecting web page Trojans, so that they can be found quickly and detected effectively.
Description
Technical field
The present invention relates to network security technology, and in particular to a method and apparatus for detecting web page Trojans.
Background art
A so-called web page Trojan exploits a vulnerability in the system or the browser so that the server side of a configured Trojan is automatically downloaded to the visitor's computer and automatically executed. A web page Trojan is in fact an HTML page that acts as a "planter" for the Trojan program: by attacking vulnerabilities in the browser or in browser add-on programs (the targets are usually the IE browser and ActiveX programs), it implants Trojans and viruses on the target user's machine and steals passwords.
The more common current defenses against web page Trojans are web page firewalls and net shields, which generally rely on "feature code" (signature) matching. When an HTTP request is submitted and when the response packets are returned, they check whether known attack code is present; if it is, its download and execution are blocked.
However, new vulnerabilities appear constantly and the malicious code changes with each vulnerability, so this kind of defense always lags behind the moment an attacker finds a vulnerability and plants the Trojan, and cannot detect web page Trojans effectively.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and apparatus for detecting web page Trojans; applying the method and apparatus provided by the invention achieves effective detection of web page Trojans.
To achieve the above purpose, the technical scheme of the present invention is realized as follows:
A method for detecting web page Trojans, the method comprising:
Intercepting the Transmission Control Protocol (TCP) packets that the browser receives;
Detecting whether an intercepted TCP packet carries a PE file; when it carries a PE file, prompting the user that an operation to download a PE file exists, and receiving the instruction the user returns; when the user chooses to download, allowing the PE file to be downloaded; when the user refuses to download, refusing to download the PE file.
An apparatus for detecting web page Trojans, the apparatus comprising an interception unit, a detection unit and a user interface unit;
The interception unit is used to intercept the TCP packets that the browser receives;
The detection unit is used to detect whether a TCP packet intercepted by the interception unit carries a PE file; if it carries a PE file, the detection unit prompts the user through the user interface unit that an operation to download a PE file exists, and receives the instruction the user returns through the user interface unit; when the user chooses to download, the download of the PE file is carried out; when the user refuses to download, the download of the PE file is refused;
The user interface unit is used to provide the interface between the detection unit and the user.
The method and apparatus for detecting web page Trojans provided by the present invention monitor the received TCP packets in order to detect web page Trojans effectively, and prompt the user when a PE file is found being downloaded to the computer, ensuring the user's safety. The technical scheme of the present invention is an active and effective scheme for detecting web page Trojans that can find them quickly and detect them effectively. With this scheme, even when the user has not applied the relevant patches and has not installed antivirus software, a prompt is guaranteed to pop up when the user browses a website that hosts a Trojan, so that the user can act on it. The present invention realizes the most complex function in the most concise way.
Brief description of the drawings
Fig. 1 is an exemplary flowchart of the method of the present invention;
Fig. 2 is an exemplary block diagram of the apparatus of the present invention;
Fig. 3 is an exemplary flowchart of the method of an embodiment of the present invention;
Fig. 4 is a view of the result obtained with the prior art;
Fig. 5 is another view of the result obtained with the prior art;
Fig. 6 is the software interface used by the embodiment of the present invention;
Fig. 7 is a view of the result obtained with the embodiment of the present invention;
Fig. 8 is another view of the result obtained with the embodiment of the present invention;
Fig. 9 is a further view of the result obtained with the embodiment of the present invention.
Detailed description
In this part, preferred embodiments of the present invention are shown and described only by way of examples of the best mode contemplated by the inventors. It will be appreciated that the invention can be modified in various obvious respects without departing from it. Accordingly, the drawings and the description are to be regarded as illustrative in nature, not restrictive.
Long-term analysis and research show that nearly all Trojans are portable executable (PE) files. Common PE files include EXE, DLL, OCX, SYS and COM files. An attacker carries out a Trojan attack by getting a PE file that carries the Trojan downloaded to the computer. Therefore, to detect web page Trojans effectively, the received packets can be monitored; when a PE file is found being downloaded to the computer, it is considered very likely to be a Trojan, and the user is prompted.
Specifically, see Fig. 1, which is an exemplary flowchart of the method of the present invention. In step 101, the packets that the browser receives are intercepted; in step 102, it is detected whether an intercepted packet carries a PE file, and when it does, the user is prompted that an operation to download a PE file exists.
Because users know exactly which operations they are currently performing, they can judge accurately which PE files are being downloaded illegitimately and which legitimately, so web page Trojans can be detected more effectively. The present invention can therefore further receive the instruction the user returns: when the user chooses to download, the PE file is allowed to download; when the user refuses to download, the download of the PE file is refused.
When an intercepted packet does not carry a PE file, the current processing flow ends.
In the present invention, "packet" refers generally to the various data that the browser receives, including TCP packets.
When the packet is a TCP packet, detecting whether the intercepted TCP packet carries a PE file comprises: determining the data part of the intercepted TCP packet and judging whether the head of the data part contains the MZ mark and the PE mark; if it does, the intercepted TCP packet carries a PE file; otherwise, it does not. Determining the data part of the intercepted TCP packet comprises: when the TCP packet is based on HTTP, determining that the part of the TCP packet after the two line breaks is its data part; when the TCP packet is based on the File Transfer Protocol (FTP), determining that the data received from the FTP data port is its data part.
In addition, intercepting the TCP packets that the browser receives comprises: using application programming interface (API) hook (HOOK) technology to monitor the WSARecv function that IE uses to receive data, thereby intercepting the TCP packets the browser receives.
After the download of the PE file is refused, log information is returned to the user, including the time at which the download of the PE file was refused and the downloading process corresponding to the PE file.
All or part of the steps of the above method embodiment can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiment; the storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.
In addition, see Fig. 2, which is an exemplary block diagram of the apparatus of the present invention. The apparatus provided by the invention comprises an interception unit, a detection unit and a user interface unit. The interception unit is used to intercept the TCP packets that the browser receives; the detection unit is used to detect whether a TCP packet intercepted by the interception unit carries a PE file and, if it does, to prompt the user through the user interface unit that an operation to download a PE file exists; the user interface unit is used to provide the interface between the detection unit and the user.
The detection unit is further used to receive, through the user interface unit, the instruction the user returns; when the user chooses to download, the PE file is allowed to download; when the user refuses to download, the operation of refusing to download the PE file is performed.
The packets intercepted by the interception unit are TCP packets. The detection unit is used to determine the data part of the intercepted TCP packet and to judge whether the head of the data part contains the MZ mark and the PE mark; if it does, the intercepted TCP packet carries a PE file; otherwise, it does not.
The detection unit determines the data part of the intercepted TCP packet as follows: when the TCP packet is based on HTTP, the part of the TCP packet after the two line breaks is its data part; when the TCP packet is based on FTP, the data received from the FTP data port is its data part.
The interception unit intercepts the TCP packets that the browser receives by using API HOOK technology to monitor the WSARecv function that IE uses to receive data.
The detection unit is further used, after the download of the PE file is refused, to return log information to the user through the user interface unit, including the time at which the download of the PE file was refused and the downloading process corresponding to the PE file.
An embodiment is given below to describe the technical scheme of the present invention in further detail.
See Fig. 3, which is the flowchart of the embodiment of the present invention. It comprises the following steps:
In step 301, while the user is browsing web pages, the TCP packets that the browser receives are intercepted.
There are generally three schemes for intercepting the TCP packets that the browser receives: 1. API HOOK technology, implemented by monitoring the Winsock functions the browser calls; 2. installing an SPI, implemented by filtering all application-layer data; 3. interception based on NDIS. The first approach can be adopted here, because it not only filters packets but also allows a certain degree of control over the target browser.
There are also two ways to implement API hooking: IAT hooks and inline hooks. Because monitoring needs to be started and stopped at any time, the inline hook technique is preferred. The Detours Express package developed by Microsoft can also be used; it solves the problem of running inline hooks under multithreading and so ensures the stability of the inline hook technique. Concretely, a global hook is injected with SetWindowsHookEx(WH_GETMESSAGE), and the DLL is injected into the remote thread.
In this way, the TCP packets that IE receives are obtained by monitoring the WSARecv function IE uses when receiving data. The technical scheme of this embodiment can also monitor the send function IE uses when sending data and intercept the data IE sends, so that information about the web page currently being browsed can be given to the user when necessary. This can be implemented with the following statements:
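```cpp
// Requires <windows.h>, <winsock2.h> and <detours.h>; Real_send and
// Real_WSARecv hold pointers to the original Winsock functions.
DetourRestoreAfterWith();
// Open a Detours transaction and enlist the current thread in it.
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
// Redirect send and WSARecv to the monitoring functions.
DetourAttach(&(PVOID&)Real_send, hook_send);
DetourAttach(&(PVOID&)Real_WSARecv, hook_WSARecv);
// Apply both hooks; returns NO_ERROR on success.
return DetourTransactionCommit();
```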
In step 302, the data part of the intercepted TCP packet is determined.
Because the intercepted data are TCP packets, the application-layer protocol header must be separated off to find where the real data part starts before it can be judged effectively whether a PE file is included.
For HTTP, the protocol header and the data entity are separated by two line breaks, and detection starts from that separation point. Therefore, when the TCP packet is based on HTTP, the part of the TCP packet after the two line breaks is determined to be its data part.
For FTP, the protocol part and the data entity are sent over different ports, so once the port on which data is received is determined, the data part of the TCP packet is determined. Thus, when the TCP packet is based on FTP, the data received from the FTP data port is determined to be the data part of the TCP packet.
In step 303, it is judged whether the head of the data part contains the MZ mark and the PE mark. If it does, it is determined that a PE file is currently being downloaded, and step 304 is executed; otherwise, it is determined that no operation to download a PE file is currently being performed, and the current processing flow ends.
The concrete operations of steps 302 and 303 can be as follows. First, check whether the received TCP packet contains 2 line breaks: if it does, the detection starting point is just after the 2 line breaks, and the TCP packet is considered to be based on HTTP; otherwise, the start of the TCP packet is taken as the detection starting point, and the TCP packet is considered to be based on FTP. Then, from the detection starting point, judge whether the first 2 bytes are the ASCII codes of the two characters "MZ"; if not, the current TCP packet does not carry a PE file. If they are "MZ", move forward 36 bytes from the detection starting point and read a 4-byte value n, which gives the address of the PE mark; then move forward n bytes from the detection starting point, read 4 bytes, and judge whether they are the ASCII codes of the four characters "PE 00" (that is, "PE" followed by two zero bytes); if so, the packet is confirmed to carry a PE file; otherwise, it does not carry a PE file.
In step 304, the user is prompted that the web page currently being browsed involves an operation to download a PE file.
In step 305, the instruction the user returns is received; when the user chooses to download, the current PE file is allowed to download; when the user refuses to download, the download of the PE file is refused. The current processing flow then ends.
After the download of the PE file is refused, log information is returned to the user through the user interface unit, including the time at which the download of the PE file was refused and the downloading process corresponding to the PE file.
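The check in steps 302 and 303 above, as an added C example that is not code from the patent: it locates the data part, tests for the MZ and PE marks with bounds checks, and reports when one receive buffer is too short to decide. It reads the PE-header offset from the e_lfanew field at byte 0x3C of the DOS header, as the PE format defines it (the text above gives this step as 36 bytes). The function names, the "HTTP/" prefix guard, the 4096-byte cap and the sample buffers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one receive buffer. */
typedef enum { PE_ABSENT = 0, PE_PRESENT = 1, PE_NEED_MORE = 2 } pe_result;

#define E_LFANEW_OFF  0x3C   /* DOS-header field holding the PE-header offset */
#define PE_MAX_LFANEW 4096u  /* assumption: ignore offsets beyond this bound  */

/* Step 302: offset of the data part. Only a buffer that starts like an HTTP
 * response is searched for the blank line (assumption: this guard avoids
 * treating CR LF CR LF inside raw FTP data as a header boundary). */
size_t payload_start(const unsigned char *buf, size_t len)
{
    if (len < 5 || memcmp(buf, "HTTP/", 5) != 0)
        return 0;                       /* raw data channel: start at byte 0 */
    for (size_t i = 5; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    return len;                         /* header unfinished: no payload yet */
}

/* Step 303: MZ mark at the start, PE mark at the offset e_lfanew names. */
pe_result check_pe(const unsigned char *p, size_t len)
{
    if (len == 0 || p[0] != 'M')
        return PE_ABSENT;
    if (len == 1)
        return PE_NEED_MORE;            /* second byte not received yet */
    if (p[1] != 'Z')
        return PE_ABSENT;
    if (len < E_LFANEW_OFF + 4)
        return PE_NEED_MORE;            /* e_lfanew not in this buffer */

    /* e_lfanew is stored little-endian. */
    uint32_t n = (uint32_t)p[E_LFANEW_OFF]
               | (uint32_t)p[E_LFANEW_OFF + 1] << 8
               | (uint32_t)p[E_LFANEW_OFF + 2] << 16
               | (uint32_t)p[E_LFANEW_OFF + 3] << 24;
    if (n > PE_MAX_LFANEW)
        return PE_ABSENT;
    if ((size_t)n + 4 > len)
        return PE_NEED_MORE;            /* PE mark lies past this buffer */
    return memcmp(p + n, "PE\0\0", 4) == 0 ? PE_PRESENT : PE_ABSENT;
}

pe_result inspect_recv_buffer(const unsigned char *buf, size_t len)
{
    size_t off = payload_start(buf, len);
    return check_pe(buf + off, len - off);
}

/* Constructed sample: optional HTTP header followed by a minimal DOS stub
 * whose e_lfanew is 0x80. Returns the number of bytes written, 0 if no room. */
size_t make_sample(unsigned char *out, size_t cap, int with_http)
{
    static const char hdr[] = "HTTP/1.1 200 OK\r\n"
                              "Content-Type: application/octet-stream\r\n\r\n";
    const size_t body = 0x80 + 4;
    size_t off = with_http ? sizeof hdr - 1 : 0;

    if (cap < off + body)
        return 0;
    if (with_http)
        memcpy(out, hdr, off);
    memset(out + off, 0, body);
    memcpy(out + off, "MZ", 2);
    out[off + E_LFANEW_OFF] = 0x80;
    memcpy(out + off + 0x80, "PE\0\0", 4);
    return off + body;
}

int main(void)
{
    unsigned char buf[512];
    size_t n = make_sample(buf, sizeof buf, 1);
    printf("HTTP download:  %d\n", inspect_recv_buffer(buf, n));
    printf("truncated recv: %d\n", inspect_recv_buffer(buf, n - 100));
    n = make_sample(buf, sizeof buf, 0);
    printf("FTP data port:  %d\n", inspect_recv_buffer(buf, n));
    return 0;
}
```

PE_NEED_MORE tells the caller to hold the verdict until the next receive buffer has been appended, since a single receive call may deliver only part of the DOS header.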
In addition, see Figs. 4 to 9, where Figs. 4 and 5 show the results obtained with the prior art and Figs. 6 to 9 show the results obtained with the technical scheme of the present invention.
Fig. 4 shows the user accessing the Trojan-hosting web page http://192.168.125.1/mm.htm when the technical scheme of the present invention is not used. Fig. 5 shows the files downloaded into the temporary files after the user accesses this page; among them, ScanPort.exe is the Trojan program.
Fig. 6 is the user interface used by the embodiment of the present invention. It contains "Start", "Pause" and "Exit" buttons. Clicking "Start" runs the method of the present invention. When the user then accesses the same Trojan-hosting web page http://192.168.125.1/mm.htm, the invention pops up the dialog box shown in Fig. 7, informing the user that the download of a program file has been detected and letting the user judge and choose. Fig. 8 shows the log information returned by the technical scheme of the present invention when the user selects "Yes". Fig. 9 shows the files in the temporary folder after the technical scheme of the present invention is used; the Trojan program ScanPort.exe is not among them.
As can be seen, web page Trojans can be detected effectively with the technical scheme of the present invention. Even when the user has not applied the relevant patches and has not installed antivirus software, a prompt is guaranteed to pop up when the user browses a website that hosts a Trojan, so that the user can act on it. The present invention realizes the most complex function in the most concise way.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (10)
1. A method for detecting web page Trojans, characterized in that the method comprises:
Intercepting the packets that the browser receives and sends, wherein the send function used when the browser sends data is monitored and the data the browser sends is intercepted; the packets are Transmission Control Protocol (TCP) packets; intercepting the TCP packets that the browser receives comprises: using application programming interface hook (API HOOK) technology to monitor the WSARecv function that IE uses to receive data, thereby intercepting the TCP packets the browser receives; wherein the API HOOK is implemented as an inline hook using the Detours Express package, specifically by injecting a global hook with SetWindowsHookEx(WH_GETMESSAGE) and injecting the DLL into the remote thread;
Detecting whether an intercepted packet carries a portable executable (PE) file and, when it carries a PE file, prompting the user that an operation to download a PE file exists.
2. The method according to claim 1, characterized in that the method further comprises:
Receiving the instruction the user returns; when the user chooses to download, allowing the PE file to be downloaded; when the user refuses to download, refusing to download the PE file.
3. The method according to claim 1, characterized in that detecting whether the intercepted TCP packet carries a PE file comprises:
Determining the data part of the intercepted TCP packet and judging whether the head of the data part contains the MZ mark and the PE mark; if it does, the intercepted TCP packet carries a PE file; otherwise, the intercepted TCP packet does not carry a PE file.
4. The method according to claim 3, characterized in that determining the data part of the intercepted TCP packet comprises:
When the TCP packet is based on HTTP, determining that the part of the TCP packet after the two line breaks is the data part of the TCP packet;
When the TCP packet is based on the File Transfer Protocol (FTP), determining that the data received from the FTP data port is the data part of the TCP packet.
5. The method according to claim 1 or 2, characterized in that, after the download of the PE file is refused, log information is returned to the user, including the time at which the download of the PE file was refused and the downloading process corresponding to the PE file.
6. An apparatus for detecting web page Trojans, characterized in that the apparatus comprises an interception unit, a detection unit and a user interface unit;
The interception unit is used to intercept the packets that the browser receives and sends, wherein the send function used when the browser sends data is monitored and the data the browser sends is intercepted; the packets are Transmission Control Protocol (TCP) packets; intercepting the TCP packets that the browser receives comprises: using application programming interface hook (API HOOK) technology to monitor the WSARecv function that IE uses to receive data, thereby intercepting the TCP packets the browser receives; wherein the API HOOK is implemented as an inline hook using the Detours Express package, specifically by injecting a global hook with SetWindowsHookEx(WH_GETMESSAGE) and injecting the DLL into the remote thread;
The detection unit is used to detect whether a packet intercepted by the interception unit carries a PE file and, if it carries a PE file, to prompt the user through the user interface unit that an operation to download a PE file exists;
The user interface unit is used to provide the interface between the detection unit and the user.
7. The apparatus according to claim 6, characterized in that
The detection unit is further used to receive, through the user interface unit, the instruction the user returns; when the user chooses to download, the PE file is allowed to download; when the user refuses to download, the operation of refusing to download the PE file is performed.
8. The apparatus according to claim 7, characterized in that
The detection unit is used to determine the data part of the intercepted TCP packet and to judge whether the head of the data part contains the MZ mark and the PE mark; if it does, the intercepted TCP packet carries a PE file; otherwise, the intercepted TCP packet does not carry a PE file.
9. The apparatus according to claim 8, characterized in that
The detection unit determines the data part of the intercepted TCP packet as follows: when the TCP packet is based on HTTP, the part of the TCP packet after the two line breaks is the data part of the TCP packet; when the TCP packet is based on FTP, the data received from the FTP data port is the data part of the TCP packet.
10. The apparatus according to claim 6 or 7, characterized in that
The detection unit is further used, after the download of the PE file is refused, to return log information to the user through the user interface unit, including the time at which the download of the PE file was refused and the downloading process corresponding to the PE file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010259553.0A CN102375946B (en) | 2010-08-19 | 2010-08-19 | Method and device for detecting webpage trojan |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102375946A | 2012-03-14 |
CN102375946B | 2015-06-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |