
CN116484364B - Hidden port detection method and device based on Linux kernel - Google Patents


Info

Publication number: CN116484364B
Application number: CN202310125746.4A
Authority: CN (China)
Prior art keywords: port, information, open, hidden, linux kernel
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116484364A (en)
Inventors: 王柯, 姚纪卫
Current assignee: Anxin Wangdun Beijing Technology Co ltd
Original assignee: Anxin Wangdun Beijing Technology Co ltd
Priority date: 2023-02-03
Filing date: 2023-02-03
Publication dates: CN116484364A 2023-07-25; CN116484364B 2024-01-26

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a hidden port detection method and device based on a Linux kernel. The method comprises the following steps: acquiring all open ports based on the linux kernel to obtain a first open port set; acquiring all open ports based on the port information acquisition command to obtain a second open port set; comparing the first open port set with the second open port set to obtain the ports unique to the first open port set; and acquiring the corresponding process information based on each unique port to obtain the malicious program that acquires user data. All open ports can be found through a hash table provided by the kernel, hidden ports can be obtained quickly simply by comparing against the ports returned by the port information acquisition command, the associated processes can be determined, tcp6, udp and udp6 are supported, the corresponding process can be found for each obtained port, and the detection is efficient and its data accurate.

Description

Hidden port detection method and device based on Linux kernel
Technical Field
The invention relates to the technical field of software detection, in particular to a hidden port detection method and device based on a Linux kernel.
Background
With the high-speed development of the Internet, the Linux operating system not only keeps a strong development trend in the field of servers, but has also made great progress in the field of PCs. In terms of security, however, vulnerabilities still exist. Malware may hide the ports it communicates on, so that it is not discovered while data is being stolen.
In the prior art, a method has been disclosed that relies on the task_struct structure in the kernel to obtain information on all current processes, obtains the sock structure associated with each process, derives the four-tuple from it, obtains all open port information, and compares the result with the netstat command to find hidden ports. However, that method takes the process as its basis: processes have many states, and some special process states can make the corresponding port data inaccurate. In addition, the acquisition procedure is complicated, since the process information must be traversed first to reach the corresponding sock structure before the open port can be obtained. This consumes excessive system resources and degrades system performance.
Disclosure of Invention
The embodiment of the invention aims to provide a hidden port detection method and device based on a Linux kernel, in which all open ports are detected through a hash table provided by the kernel, hidden ports are obtained quickly simply by comparing against the ports returned by the Linux port information acquisition command, the associated processes can be determined, tcp6, udp and udp6 are supported, the corresponding process can be found for each obtained port, and the detection is efficient and its data accurate.
In order to solve the technical problem, a first aspect of the embodiments of the present invention provides a method for detecting a hidden port based on a Linux kernel, including the following steps:
acquiring all open ports based on a linux kernel to obtain a first open port set;
acquiring all the open ports based on the port information acquisition command to obtain a second open port set;
comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set;
and acquiring corresponding process information based on the unique port to obtain a malicious program for acquiring the user data.
Further, the obtaining, based on the linux kernel, of all the open ports to obtain a first open port set includes:
traversing the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set;
wherein the structure variable stores bound port number information, the bound port number information comprising: port information and node information.
Further, the traversing of the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set includes:
traversing the port management data structure to obtain the hash table for port information management;
judging whether the head node of the port information management hash table is empty or not;
if yes, terminating the hidden port detection;
if not, judging whether the port information management hash table is empty or not;
and stopping the hidden port detection when the port information management hash table is empty, and obtaining the first open port set when it is not empty.
Further, the acquiring of the corresponding process information based on the unique port to obtain the malicious program that acquires user data includes:
acquiring the process inode number corresponding to each unique port based on the tcp file and the udp file under /proc/net;
traversing the pid files under /proc, comparing inode numbers to determine the process, and obtaining the malicious program.
Further, after comparing the inode numbers to determine the process, the method further includes:
judging whether the process is positioned on a hidden port white list or not according to a preset strategy;
if so, allowing the process to continue to run;
if not, the process is terminated and alarm information is sent.
Accordingly, a second aspect of the embodiments of the present invention provides a hidden port detection device based on a Linux kernel, including:
the first port acquisition module is used for acquiring all open ports based on the linux kernel to obtain a first open port set;
the second port acquisition module is used for acquiring all the open ports based on the port information acquisition command to obtain a second open port set;
the port comparison module is used for comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set;
and the process acquisition module is used for acquiring corresponding process information based on the unique port to obtain a malicious program for acquiring the user data.
Further, the first port obtaining module traverses the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set;
wherein the structure variable stores bound port number information, the bound port number information comprising: port information and node information.
Further, the first port acquisition module includes:
an information acquisition unit, configured to traverse the port management data structure to obtain the hash table for port information management;
a first judging unit, configured to judge whether the head node of the port information management hash table is empty;
a first control unit, configured to terminate the hidden port detection when the head node of the port information management hash table is empty;
a second judging unit, configured to judge, when the head node of the port information management hash table is not empty, whether the port information management hash table is empty;
and a second control unit, configured to terminate the hidden port detection when the port information management hash table is empty, and to obtain the first open port set when it is not empty.
Further, the process acquisition module includes:
an inode number obtaining unit, configured to obtain the process inode number corresponding to each unique port based on the tcp file and the udp file under /proc/net;
and a process acquisition unit, configured to traverse the pid files under /proc, compare the inode numbers to determine the process, and obtain the malicious program.
Further, the hidden port detection device based on the Linux kernel further comprises: the misjudgment judging module comprises:
the misjudgment judging unit is used for judging whether the process is positioned on the hidden port white list or not according to a preset strategy;
the misjudgment control unit is used for allowing the process to continue running when the process is located in the hidden port white list;
the misjudgment control unit is further used for terminating the process and sending alarm information when the process is not located in the hidden port white list.
Accordingly, a third aspect of the embodiments of the present invention provides an electronic device, including: at least one processor; and a memory coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor executes the hidden port detection method based on the Linux kernel.
Accordingly, a fourth aspect of the embodiments of the present invention provides a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the Linux kernel-based hidden port detection method described above.
The technical scheme provided by the embodiment of the invention has the following beneficial technical effects:
all open ports can be found through a hash table provided by the kernel, hidden ports can be obtained quickly only by comparing ports obtained by netstat, associated processes can be determined, tcp6, udp and udp6 are supported, the obtained ports can find the corresponding processes, and the detection mode is efficient and data is accurate.
Drawings
FIG. 1 is a flowchart of a hidden port detection method based on a Linux kernel provided by an embodiment of the invention;
FIG. 2 is a schematic diagram of inet_hashinfo structure information provided in an embodiment of the present invention;
FIG. 3 is a logic diagram of a hidden port detection method based on a Linux kernel provided by an embodiment of the present invention;
FIG. 4 is a block diagram of a hidden port detection device based on a Linux kernel according to an embodiment of the present invention;
FIG. 5 is a block diagram of a first port acquisition module provided by an embodiment of the present invention;
FIG. 6 is a block diagram of a process acquisition module provided by an embodiment of the present invention;
FIG. 7 is a block diagram of a misjudgment module according to an embodiment of the present invention.
Reference numerals:
1 first port acquisition module; 11 information acquisition unit; 12 first judgment unit; 13 first control unit; 14 second judgment unit; 15 second control unit; 2 second port acquisition module; 3 port comparison module; 4 process acquisition module; 41 inode number acquisition unit; 42 process acquisition unit; 5 misjudgment judgment module; 51 misjudgment judgment unit; 52 misjudgment control unit.
Detailed Description
The objects, technical solutions and advantages of the present invention will become more apparent by the following detailed description of the present invention with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
Referring to FIG. 1, a first aspect of the embodiment of the present invention provides a method for detecting a hidden port based on a Linux kernel, including the following steps:
step S100, acquiring all open ports based on a linux kernel to obtain a first open port set.
Step S200, acquiring all open ports based on the Linux port information acquisition command, netstat, to obtain a second open port set.
Step S300, comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set.
Step S400, corresponding process information is acquired based on the unique port, and a malicious program for acquiring the user data is obtained.
In a specific implementation manner of the embodiment of the present invention, the procedure in step S100 of obtaining all open ports from the linux kernel to obtain the first open port set is as follows:
traversing the hash table structure variable inet_bind_hashbucket for port information management in the global port management data structure inet_hash_info in the Linux kernel to obtain the first open port set. The structure variable stores bound port number information, the bound port number information including: port information and node information. Specifically, FIG. 2 shows the inet_hash_info structure information: the relation between the port management data structure inet_bind_hashbucket and the port information inet_bind_bucket, which are among the four main structures under inet_hash_info.
Further, referring to FIG. 3, the process of traversing the inet_bind_hashbucket structure variable in the global inet_hash_info in the Linux kernel to obtain the first open port set specifically includes the following steps:
step S110, traversing the inet_hash_info to obtain the inet_bind_hashbucket.
Step S120, judging whether the inet_bind_hashbucket head node is empty.
Step S130, if so, the hidden port detection is terminated.
Step S140, if not, judging whether the inet_bind_hashbucket is empty.
Step S150, the hidden port detection is terminated when the inet_bind_hashbucket is empty, and the first open port set is obtained when the inet_bind_hashbucket is not empty.
In addition, step S400, obtaining the malicious program that acquires user data by acquiring the corresponding process information based on the unique port, specifically includes the following steps:
step S410, based on the tcp files and udp files under /proc/net, the process inode number corresponding to each unique port is obtained. The tcp file is the file storing tcp related information in the linux system, and the udp file is the file storing udp related information in the linux system.
Step S420, traversing the pid files under /proc, comparing inode numbers to determine the process, and obtaining the malicious program. Here /proc is the Linux system process information path, the pid file is the Linux system process unique identifier (number), and the inode number is the unique identifier (number) of a file in the Linux system.
In addition, in order to further improve accuracy of process judgment, a white list of the process is predetermined according to system configuration, specifically: after comparing the inode numbers in step S420 to determine the process, the method further includes the following steps:
step S510, judging whether the process is in the hidden port white list according to a preset strategy.
Step S520, if yes, allows the process to continue.
Step S530, if not, the process is terminated and alarm information is sent.
Through these steps, misjudgment in the hidden port detection method based on the Linux kernel is avoided, normal processes are not stopped by accident, and the stability and safety of the system are improved.
According to the hidden port detection based on the Linux kernel, the hashinfo in the kernel is obtained, from it the inet_bind_hashbucket structure is obtained, and the inet_bind_bucket entries are found through each hash bucket to obtain all the ports opened by the machine; the ports obtained by netstat are compared against these to obtain the hidden ports, the corresponding process information is found through the ports, and whether the process is released or not is judged according to the policy.
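As an added worked example (not code from the patent or its assignee), the userspace part of the procedure above in Python: the kernel-side port set of step S100 is assumed to come from a kernel module walking the bind hash table and is modelled here as a constructed set, while the /proc/net/tcp text, the netstat output, the /proc/<pid>/fd link targets, the process names and the whitelist are constructed samples; in the sample, port 4444 is known to the kernel set but absent from the netstat view.

```python
"""Steps S200 to S530 of the hidden port check, run on constructed sample data."""
import os
import re
from typing import Dict, Iterable, List, Optional, Set

# --- constructed sample inputs (not captured from a real host) -------------

# Stand-in for step S100: ports a (hypothetical) kernel module read from bhash.
KERNEL_PORTS: Set[int] = {22, 80, 4444}

# Trimmed /proc/net/tcp: column 1 is hex local ip:port, column 9 is the inode.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
"""

# Step S200 as a tampered `netstat -tln` reported it: port 4444 is missing.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Stand-ins for readlink() of every /proc/<pid>/fd/* entry and for /proc/<pid>/comm.
PROC_FD_LINKS: Dict[int, List[str]] = {
    700: ["/dev/null", "socket:[12345]"],
    812: ["socket:[12346]", "/var/log/nginx/access.log"],
    4711: ["socket:[99999]"],
}
PROC_COMM: Dict[int, str] = {700: "sshd", 812: "nginx", 4711: "suspicious_bin"}
WHITELIST: Set[str] = {"sshd", "nginx"}            # the "preset strategy" of S510


def parse_proc_net(text: str) -> Dict[int, int]:
    """Map local port -> socket inode from a /proc/net/{tcp,tcp6,udp,udp6} dump."""
    ports: Dict[int, int] = {}
    for line in text.splitlines()[1:]:             # first line is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)   # "00000000:0016" -> 22
        ports[port] = int(cols[9])
    return ports


NETSTAT_LINE = re.compile(r"^(?:tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_netstat(text: str) -> Set[int]:
    """Local ports listed in netstat-style output (step S200)."""
    return {int(m.group(1)) for m in map(NETSTAT_LINE.match, text.splitlines()) if m}


def hidden_ports(kernel_ports: Iterable[int], visible_ports: Iterable[int]) -> List[int]:
    """Step S300: ports the kernel bind table knows but the command did not show."""
    return sorted(set(kernel_ports) - set(visible_ports))


def inode_to_pid(inode: int, fd_links: Dict[int, List[str]]) -> Optional[int]:
    """Step S420: the pid whose /proc/<pid>/fd holds a link to socket:[inode]."""
    target = f"socket:[{inode}]"
    return next((pid for pid, links in fd_links.items() if target in links), None)


def detect(kernel_ports, proc_net_text, netstat_text, fd_links, comm, whitelist):
    """Steps S300 to S530 over the given inputs; one finding per hidden port."""
    port_inode = parse_proc_net(proc_net_text)
    findings = []
    for port in hidden_ports(kernel_ports, parse_netstat(netstat_text)):
        inode = port_inode.get(port)
        pid = inode_to_pid(inode, fd_links) if inode is not None else None
        if pid is None:
            # The socket is hidden from /proc/net as well, so no process can be
            # tied to it; report the port instead of dropping it silently.
            action = "alert_no_process"
        elif comm.get(pid) in whitelist:
            action = "allow"                        # S520
        else:
            action = "terminate_and_alert"          # S530 (decision only, no kill here)
        findings.append({"port": port, "inode": inode, "pid": pid,
                         "comm": comm.get(pid), "action": action})
    return findings


def collect_fd_links() -> Dict[int, List[str]]:
    """Real-host equivalent of PROC_FD_LINKS: readlink() every /proc/<pid>/fd/* entry."""
    links: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            fd_dir = f"/proc/{name}/fd"
            links[int(name)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:                             # process exited or no permission
            pass
    return links


if __name__ == "__main__":
    for finding in detect(KERNEL_PORTS, PROC_NET_TCP, NETSTAT_OUTPUT,
                          PROC_FD_LINKS, PROC_COMM, WHITELIST):
        print(finding)
```

On a real host, replace PROC_FD_LINKS with collect_fd_links() (requires root to read other processes' fd directories) and feed the contents of /proc/net/tcp, tcp6, udp and udp6 to parse_proc_net.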
Accordingly, referring to FIG. 4, a second aspect of the embodiment of the present invention provides a hidden port detection device based on a Linux kernel, including:
the first port acquisition module 1 is used for acquiring all open ports based on a linux kernel to obtain a first open port set;
a second port obtaining module 2, configured to obtain all open ports based on a netstat command, to obtain a second open port set;
the port comparison module 3 is used for comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set;
and the process acquisition module 4 is used for acquiring corresponding process information based on the unique port to obtain a malicious program for acquiring the user data.
Further, the first port obtaining module 1 traverses the inet_bind_hashbucket structure variable in the global inet_hash_info in the Linux kernel to obtain the first open port set;
wherein the structure variable stores bound port number information, the bound port number information including: port information and node information.
Further, referring to FIG. 5, the first port obtaining module 1 includes:
an information obtaining unit 11, configured to traverse the inet_hash_info to obtain the inet_bind_hashbucket;
a first judging unit 12, configured to judge whether the inet_bind_hashbucket head node is empty;
a first control unit 13, configured to terminate the hidden port detection when the inet_bind_hashbucket head node is empty;
a second judging unit 14, configured to judge whether the inet_bind_hashbucket is empty when the inet_bind_hashbucket head node is not empty;
and a second control unit 15, configured to terminate the hidden port detection when the inet_bind_hashbucket is empty, and to obtain the first open port set when the inet_bind_hashbucket is not empty.
Further, referring to FIG. 6, the process obtaining module 4 includes:
an inode number obtaining unit 41, configured to obtain the process inode number corresponding to each unique port based on the tcp and udp files under /proc/net;
and a process obtaining unit 42, configured to traverse the pid files under /proc, compare the inode numbers to determine the process, and obtain the malicious program.
Further, referring to FIG. 7, the hidden port detection device based on the Linux kernel further includes: a misjudgment judgment module 5, which includes:
a misjudgment judging unit 51, configured to judge whether the process is located on the hidden port whitelist according to a preset policy;
a misjudgment control unit 52, configured to allow the process to continue running when the process is located on the hidden port white list;
the misjudgment control unit 52 is further configured to terminate the process when the process is not located in the hidden port whitelist, and send alert information.
Accordingly, a third aspect of the embodiments of the present invention provides an electronic device, including: at least one processor; and a memory coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor executes the hidden port detection method based on the Linux kernel.
Accordingly, a fourth aspect of the embodiments of the present invention provides a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the Linux kernel-based hidden port detection method described above.
The embodiment of the invention aims to protect a hidden port detection method and a hidden port detection device based on a Linux kernel, wherein the method comprises the following steps: acquiring all open ports based on a linux kernel to obtain a first open port set; acquiring all open ports based on a netstat command to obtain a second open port set; comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set; and acquiring corresponding process information based on the unique port to obtain the malicious program for acquiring the user data. The technical scheme has the following effects:
all open ports can be found through a hash table provided by the kernel, hidden ports can be obtained quickly only by comparing ports obtained by netstat, associated processes can be determined, tcp6, udp and udp6 are supported, the obtained ports can find the corresponding processes, and the detection mode is efficient and data is accurate.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (6)

1. The hidden port detection method based on the Linux kernel is characterized by comprising the following steps:
acquiring all open ports based on a linux kernel to obtain a first open port set;
acquiring all the open ports based on the port information acquisition command to obtain a second open port set;
comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set;
acquiring corresponding process information based on the unique port to obtain a malicious program for acquiring user data;
the obtaining, based on the linux kernel, of all the open ports to obtain a first open port set includes:
traversing the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set;
wherein the structure variable stores bound port number information, the bound port number information comprising: port information and node information;
the traversing of the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set comprises the following steps:
traversing the port management data structure to obtain the hash table for port information management;
judging whether the head node of the port information management hash table is empty or not;
if yes, terminating the hidden port detection;
if not, judging whether the port information management hash table is empty or not;
and stopping the hidden port detection when the port information management hash table is empty, and obtaining the first open port set when it is not empty.
2. The method for detecting a hidden port based on a Linux kernel according to claim 1, wherein the obtaining of the corresponding process information based on the unique port to obtain a malicious program that acquires user data comprises:
acquiring the process inode number corresponding to each unique port based on the tcp file and the udp file under /proc/net;
traversing the pid files under /proc, comparing inode numbers to determine the process, and obtaining the malicious program.
3. The method for detecting hidden ports based on Linux kernel according to claim 1 or 2, wherein after comparing inode numbers to determine the process, further comprising:
judging whether the process is positioned on a hidden port white list or not according to a preset strategy;
if so, allowing the process to continue to run;
if not, the process is terminated and alarm information is sent.
4. Hidden port detection device based on Linux kernel, characterized by comprising:
the first port acquisition module is used for acquiring all open ports based on the linux kernel to obtain a first open port set;
the second port acquisition module is used for acquiring all the open ports based on the port information acquisition command to obtain a second open port set;
the port comparison module is used for comparing the first open port set with the second open port set to obtain a plurality of unique ports in the first open port set;
the process acquisition module is used for acquiring corresponding process information based on the unique port to obtain a malicious program for acquiring user data;
the first port acquisition module traverses the hash table structure variable for port information management in the global port management data structure in the Linux kernel to obtain the first open port set;
wherein the structure variable stores bound port number information, the bound port number information comprising: port information and node information;
the first port acquisition module includes:
an information acquisition unit, configured to traverse the port management data structure to obtain the hash table for port information management;
a first judging unit, configured to judge whether the head node of the port information management hash table is empty;
a first control unit, configured to terminate the hidden port detection when the head node of the port information management hash table is empty;
a second judging unit, configured to judge, when the head node of the port information management hash table is not empty, whether the port information management hash table is empty;
and a second control unit, configured to terminate the hidden port detection when the port information management hash table is empty, and to obtain the first open port set when it is not empty.
5. The Linux kernel-based hidden port detection apparatus of claim 4, wherein the process acquisition module comprises:
an inode number obtaining unit, configured to obtain the process inode number corresponding to each unique port based on the tcp file and the udp file under /proc/net;
and a process acquisition unit, configured to traverse the pid files under /proc, compare the inode numbers to determine the process, and obtain the malicious program.
6. The Linux kernel-based hidden port detection apparatus of claim 4 or 5, further comprising: the misjudgment judging module comprises:
the misjudgment judging unit is used for judging whether the process is positioned on the hidden port white list or not according to a preset strategy;
the misjudgment control unit is used for allowing the process to continue running when the process is located in the hidden port white list;
the misjudgment control unit is further used for terminating the process and sending alarm information when the process is not located in the hidden port white list.
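The user-space half of the apparatus in claims 4 to 6, as an added example that is not code from the patent or its assignee. The kernel-side traversal of the bind hash table (claim 4) is not reproduced here; the first open port set is a constructed stand-in for what such a module would collect, and the second set is a constructed stand-in for what a user-space listing tool reported. The /proc/net/tcp and /proc/net/udp snapshots, the /proc/<pid>/fd link table, the command lines and the white list are all constructed as well, so the script runs offline; collect_fd_links() is a hypothetical helper that walks a live /proc on Linux. The example also covers the case the claims do not spell out, a hidden port whose inode is absent from /proc/net, which is reported with an unresolved owner rather than dropped. Where claim 6 terminates the process, this code only records the verdict.

```python
"""Hidden-port check, user-space side (added example, not the patent's code)."""
import os
from typing import Dict, List, Optional, Set

# --- constructed inputs (not captured from a real host) --------------------

# Stand-in for the first open port set: assumed output of a kernel module
# walking the port information management hash table (claim 4).
KERNEL_PORTS: Set[int] = {22, 8080, 4444}

# Stand-in for the second open port set: what a (possibly hooked) user-space
# listing tool showed. Port 4444 is missing, i.e. hidden from user space.
USERSPACE_PORTS: Set[int] = {22, 8080}

# Constructed /proc/net/tcp and /proc/net/udp dumps in the kernel's column
# layout: local_address is hex IP:PORT, the socket inode is the 10th column.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24680 1 0000000000000000 100 0 0 10 0
"""
PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   3: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 13579 2 0000000000000000 0
"""

# Constructed readlink() results of /proc/<pid>/fd/* and /proc/<pid>/cmdline.
FD_LINKS: Dict[int, List[str]] = {
    1: ["/dev/null", "socket:[12345]"],
    1337: ["/dev/null", "pipe:[555]", "socket:[24680]"],
    2001: ["socket:[67890]"],
}
CMDLINES: Dict[int, str] = {1: "/sbin/init", 1337: "/tmp/.x/backdoor", 2001: "/usr/bin/python3"}

# Assumed hidden-port white list (claim 6): programs allowed to hold a hidden port.
WHITELIST: Set[str] = {"/usr/sbin/trusted-agent"}


def parse_proc_net(text: str) -> Dict[int, int]:
    """Map local port -> socket inode from a /proc/net/{tcp,udp} dump."""
    result: Dict[int, int] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        port = int(fields[1].split(":")[1], 16)
        result[port] = int(fields[9])
    return result


def hidden_ports(first: Set[int], second: Set[int]) -> List[int]:
    """Ports present in the kernel-side set but absent from the user-space set."""
    return sorted(first - second)


def inode_for_port(port: int, tcp_text: str, udp_text: str) -> Optional[int]:
    """Claim 5: look the port up in the tcp and udp files; None if hidden there too."""
    for table in (parse_proc_net(tcp_text), parse_proc_net(udp_text)):
        if port in table:
            return table[port]
    return None


def pid_for_inode(inode: int, fd_links: Dict[int, List[str]]) -> Optional[int]:
    """Claim 5: the pid whose fd table holds socket:[inode]."""
    target = f"socket:[{inode}]"
    for pid, links in fd_links.items():
        if target in links:
            return pid
    return None


def collect_fd_links() -> Dict[int, List[str]]:
    """Hypothetical live helper: readlink every /proc/<pid>/fd/* (Linux only)."""
    links: Dict[int, List[str]] = {}
    try:
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    except OSError:
        return links
    for pid in pids:
        try:
            fd_dir = f"/proc/{pid}/fd"
            links[pid] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or no permission; skip it
            continue
    return links


def detect(kernel_ports: Set[int], userspace_ports: Set[int], tcp_text: str, udp_text: str,
           fd_links: Dict[int, List[str]], cmdlines: Dict[int, str], whitelist: Set[str]) -> List[dict]:
    """Run the comparison, owner lookup and white-list check; return one finding per hidden port."""
    findings = []
    for port in hidden_ports(kernel_ports, userspace_ports):
        inode = inode_for_port(port, tcp_text, udp_text)
        pid = pid_for_inode(inode, fd_links) if inode is not None else None
        cmdline = cmdlines.get(pid) if pid is not None else None
        # A white-listed program is allowed; anything else, including a port whose
        # owner could not be resolved, is reported for alerting.
        action = "allow" if cmdline in whitelist else "alert"
        findings.append({"port": port, "inode": inode, "pid": pid, "cmdline": cmdline, "action": action})
    return findings


if __name__ == "__main__":
    for finding in detect(KERNEL_PORTS, USERSPACE_PORTS, PROC_NET_TCP, PROC_NET_UDP,
                          FD_LINKS, CMDLINES, WHITELIST):
        print(finding)
```

On a real host the constructed FD_LINKS would be replaced by collect_fd_links() and the two /proc/net files read directly; the kernel-side set still has to come from a module, since that is the only vantage point a /proc-hooking rootkit cannot filter.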
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310125746.4A CN116484364B (en) 2023-02-03 2023-02-03 Hidden port detection method and device based on Linux kernel

Publications (2)

Publication Number Publication Date
CN116484364A CN116484364A (en) 2023-07-25
CN116484364B true CN116484364B (en) 2024-01-26

Family

ID=87218425

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119577753B (en) * 2024-11-11 2025-07-15 北京市大数据中心 Method and device for detecting port multiplexing attack of Linux system

Citations (5)

Publication number Priority date Publication date Assignee Title
CN103051627A (en) * 2012-12-21 2013-04-17 公安部第一研究所 Rebound trojan horse detection method
CN109446806A (en) * 2018-09-17 2019-03-08 平安科技(深圳)有限公司 Bundling port type back door detection method, device, computer equipment and storage medium
CN109918392A (en) * 2018-12-15 2019-06-21 中国平安人寿保险股份有限公司 Structured query language localization method, device, server and storage medium
WO2021189257A1 (en) * 2020-03-24 2021-09-30 深圳市欢太科技有限公司 Malicious process detection method and apparatus, electronic device, and storage medium
CN113765888A (en) * 2021-08-06 2021-12-07 北京天融信网络安全技术有限公司 Method and device for detecting hidden port of vehicle-mounted machine system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
RU2769075C1 (en) * 2021-06-10 2022-03-28 Общество с ограниченной ответственностью "Группа АйБи ТДС" System and method for active detection of malicious network resources

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant