CN111813774B - Method for monitoring and acquiring traceability information based on sysdig system - Google Patents

Info

Publication number: CN111813774B
Authority: CN (China)
Application number: CN202010417508.7A
Other languages: Chinese (zh)
Other versions: CN111813774A (en)
Inventors: 吴建亮, 胡鹏, 叶翔
Current assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Original assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Legal status: Active (granted)
Prior art keywords: address, sysdig, mapping table, system call, port number

Classifications (all under G PHYSICS › G06 COMPUTING OR CALCULATING; COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING)

    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor › G06F16/20 of structured data, e.g. relational data › G06F16/22 Indexing; Data structures therefor; Storage structures › G06F16/2282 Tablespace storage structures; Management thereof
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor › G06F16/20 of structured data, e.g. relational data › G06F16/24 Querying › G06F16/245 Query processing › G06F16/2455 Query execution
    • G06F8/00 Arrangements for software engineering › G06F8/70 Software maintenance or management › G06F8/74 Reverse engineering; Extracting design information from source code
    • G06F9/00 Arrangements for program control, e.g. control units › G06F9/06 using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F9/44 Arrangements for executing specific programs › G06F9/445 Program loading or initiating › G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading › G06F9/44526 Plug-ins; Add-ons

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computational Linguistics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for monitoring and acquiring traceability information based on the sysdig system, in the field of network security. When sysdig monitors an accept or connect system call, the traceability information related to that call, such as the IP address, port number and process, is acquired and stored in a mapping table, map1. When a system call other than accept or connect is monitored, such as open or execve, the traceability information is first looked up in a second mapping table, map2; if it is not found there, it is looked up in map1, and the result obtained from map1 is stored in map2 so that later system calls other than accept or connect can be resolved from map2 directly. The invention uses sysdig for monitoring and builds the mapping tables itself, so that traceability information such as the IP address can be obtained for any system call.

Description

Method for monitoring and acquiring traceability information based on sysdig system
Technical Field
The invention relates to the field of network security, in particular to a method for monitoring and acquiring traceability information based on a sysdig system.
Background
Linux is a free, freely distributed, multi-user, multi-tasking Unix-like operating system that supports multiple threads and multiple CPUs (central processing units). Linux is open-source software with stable performance; its core firewall component is efficient, simple to configure and powerful, so Linux is widely used in enterprise networks.
Sysdig is an open-source, system-level probe developed by the Sysdig group for its products, with its scripting layer written mainly in Lua: it captures system state and behaviour from a running Linux instance, and the captured data can then be saved, filtered and analysed. Sysdig can be regarded as a combination of strace, tcpdump and lsof, and is more powerful than the three combined. It provides both a command line interface and a powerful interactive interface.
Sysdig registers hooks for system calls in a driver module of the Linux kernel. When a system call is issued and completes, sysdig copies the system call information into a dedicated buffer; the user-space components then decompress, parse and filter the information and finally present it to the user through the sysdig command line. Chisels may also be written for more detailed data analysis; a chisel is a plug-in written as a Lua script, and the relationship between chisels and sysdig is shown in FIG. 1.
In Linux, all operations are performed on files, and file operations are carried out through file descriptors (fd). Each process has an array of "open files" in the kernel that stores pointers to the file objects, and the fd is the index into this array. When a file is operated on, the system call passes the fd to the kernel, and the kernel locates the file through the fd and operates on it. An fd may refer to a regular file, a process, a network socket, a pipe and so on. Most system calls are associated with an fd, including accept, connect, open and execve.
In the prior art, sysdig saves traceability information such as the IP address only when the accept or connect system call is monitored, and the information is acquired as follows:
1. When the kernel layer monitors an accept or connect system call, the IP address and port number are read from the call parameters and sent to the application layer to be associated with the fd.
2. The application-layer Lua code can then obtain the traceability information, such as the IP address and port number, that is associated with the fd of the system call.
If no association is stored for the fd at the sysdig user level, then when a system call other than accept or connect occurs, the IP address and port number cannot be obtained by step 2 above. As shown in FIG. 2, when an open system call is monitored, no IP address can be obtained from the corresponding fd 3.
Chinese patent document CN106302404B provides a system and method for collecting network traceability information, comprising the following steps:
(1) A network traceability interception step, in which interception functions are invoked to intercept the accept, connect, send and recv system calls. This step has two substeps. (11) Adding the interception code: the interception functions intercept_accept, intercept_connect, intercept_send and intercept_recv are embedded directly into the socket-related system call functions sys_accept, sys_connect, sys_send and sys_recv. (12) Defining global variables: to meet the modularization requirement, a global structure variable is defined whose member variables are function pointers to the interception functions intercept_accept, intercept_connect, intercept_send and intercept_recv that collect the network traceability information. Initially the function pointers are null, meaning that no traceability information is collected; to collect traceability information, the function pointers are assigned and the interception functions are invoked; when the module is unloaded, the function pointers are restored to their default null value.
(2) A network traceability observation step, which initializes the traceability variables and uses the interception functions to collect the socket traceability information (IP addresses, port numbers, user ID and connection creation time) together with the data dependencies associated with the socket. This step has two substeps. (21) IP address collection: when the sys_accept or sys_connect system call function executes, the socket is initialized and the observer_initsocket function initializes the traceability variables in the inode structure corresponding to the socket; the observer_socket function then collects the IP address, port number, user ID and connection creation time obtained by the intercept_accept and intercept_connect functions. (22) Dependent data collection: when the sys_send system call function executes, the process writes data to the network object and dependency information is generated; intercept_send intercepts the call and observer_send collects the dependency information. When the sys_recv system call function executes, the system receives data from the network and dependency information is generated; intercept_recv intercepts the call and observer_recv collects the dependency information.
(3) A network traceability analysis step, which processes the traceability information, removes duplicate information and ensures that no loops are present.
(4) A network traceability distribution step, which writes the network traceability information into a traceability file system and stores it in a log file.
The prior art has at least the following disadvantages:
1. The existing sysdig technology cannot acquire traceability information such as the IP address for all system calls, so not every attack can be traced.
2. The patent document above intercepts socket functions such as accept, send and connect to obtain traceability information such as the IP address, but it cannot observe behaviour other than socket operations, such as file operations, and therefore cannot obtain traceability information related to that behaviour.
Disclosure of Invention
To solve the technical problem that the prior art cannot trace all attacks, the invention provides a method for monitoring and acquiring traceability information based on the sysdig system. The invention is a secondary development on top of open-source sysdig: sysdig is used to collect system behaviour event information covering all kinds of system calls (syscalls), and traceability information such as the IP address, port number and process is obtained from the accept and connect calls, where the process may be the current process or a child process it spawned. The traceability information obtained during an accept or connect system call is stored so that it can be queried during other system calls; any system call can thus obtain traceability information such as the IP address, and every system call can be associated with an IP address.
The invention provides a method for monitoring and acquiring traceability information based on the sysdig system, comprising the following steps:
S1: obtaining the traceability information related to the system call from an accept or connect system call monitored by sysdig;
S2: storing the traceability information acquired in step S1 in the mapping table map1;
S3: when sysdig monitors a system call other than accept or connect, looking up the traceability information related to that system call in the mapping table map2;
S4: if the traceability information was found in step S3, returning to step S3; if it was not found in step S3, looking it up in the mapping table map1 populated in step S2;
S5: storing the traceability information obtained from map1 in step S4 in the mapping table map2, and returning to step S3.
Preferably, the traceability information related to the system call acquired in step S1 includes: the remote IP address, remote port number, local IP address, local port number, process identifier PID and parent process identifier FPID.
Preferably, the mapping table map1 is a hash table keyed by the remote IP address and remote port number.
Preferably, the mapping table map1 stores: the remote IP address, remote port number, local IP address, local port number, PID and FPID.
Preferably, the mapping table map2 is a hash table keyed by the PID and FPID.
Preferably, the mapping table map2 stores: the remote IP address, remote port number, local IP address and local port number.
Preferably, the system calls other than accept and connect in step S3 include: open, execve, read, create, rename and write.
Compared with the prior art, the invention has the following beneficial effects:
(1) Building on the open-source sysdig, the method stores the traceability information related to a system call in mapping tables of its own when an accept or connect system call is monitored, and serves queries from those tables when other system calls are monitored. This solves the problem that sysdig could only obtain traceability information for accept and connect, so traceability information can be obtained for every system call that sysdig monitors.
(2) Compared with intercepting socket functions, which yields traceability information only for socket operations, the sysdig-based approach can also acquire traceability information such as the IP address for behaviour other than socket operations.
Drawings
FIG. 1 shows the relationship between chisels and sysdig, where a chisel is equivalent to a functional plug-in written in the Lua language;
FIG. 2 is a schematic diagram of how sysdig acquires traceability information such as the IP address in the prior art, where no such information can be acquired for system calls other than accept and connect;
FIG. 3 is a schematic diagram of the process of obtaining traceability information according to the invention;
FIG. 4 is a schematic diagram of the contents of the mapping table map1;
FIG. 5 is a schematic diagram of the contents of the mapping table map2.
Detailed Description
The embodiments of the invention are described in detail below with reference to FIG. 1 to FIG. 5.
The invention provides a method for monitoring and acquiring traceability information based on the sysdig system, comprising the following steps:
S1: obtaining the traceability information related to the system call from an accept or connect system call monitored by sysdig;
S2: storing the traceability information acquired in step S1 in the mapping table map1;
S3: when sysdig monitors a system call other than accept or connect, looking up the traceability information related to that system call in the mapping table map2;
S4: if the traceability information was found in step S3, returning to step S3; if it was not found in step S3, looking it up in the mapping table map1 populated in step S2;
S5: storing the traceability information obtained from map1 in step S4 in the mapping table map2, and returning to step S3.
In a preferred embodiment, the traceability information related to the system call acquired in step S1 includes: the remote IP address, remote port number, local IP address, local port number, process identifier PID and parent process identifier FPID.
In a preferred embodiment, the mapping table map1 is a hash table keyed by the remote IP address and remote port number.
In a preferred embodiment, the mapping table map1 stores: the remote IP address, remote port number, local IP address, local port number, PID and FPID.
In a preferred embodiment, the mapping table map2 is a hash table keyed by the PID and FPID.
In a preferred embodiment, the mapping table map2 stores: the remote IP address, remote port number, local IP address and local port number.
In a preferred embodiment, the system calls other than accept and connect in step S3 include: open, execve, read, create, rename and write.
Example 1
The invention provides a method for monitoring and acquiring traceability information based on a sysdig system, which comprises the following steps:
S1: obtaining the traceability information related to the system call from an accept or connect system call monitored by sysdig, where the traceability information includes the remote IP address, remote port number, local IP address, local port number, process identifier PID and parent process identifier FPID. The invention encapsulates this information in the table g_sysrun_netstat{}, filled by the following code implemented in a sysdig chisel:

-- map1: one entry per connection, keyed by remote IP address and remote port (step S2)
g_sysrun_netstat = {}

-- read the fields of the accept/connect event being handled
local rip   = g_field:getfieldinstance("fd.rip")    -- remote IP address
local rport = g_field:getfieldinstance("fd.rport")  -- remote port number
local lip   = g_field:getfieldinstance("fd.lip")    -- local IP address
local lport = g_field:getfieldinstance("fd.lport")  -- local port number
local pid   = g_field:getfieldinstance("proc.pid")  -- process identifier (PID)
local ppid  = g_field:getfieldinstance("proc.ppid") -- parent process identifier (FPID)

-- separate address and port in the key so that different address/port pairs cannot collide
local key = rip .. ":" .. rport

-- create the entry as a table before assigning its fields
g_sysrun_netstat[key] = {
    srcip   = rip,
    srcport = rport,
    dstip   = lip,
    dstport = lport,
    pid     = pid,
    ppid    = ppid,
}
S2: storing the traceability information acquired in step S1 in the mapping table map1, where map1 is a hash table keyed by the IP address and port number. Referring to FIG. 4, map1 stores: the remote IP address, remote port number, local IP address, local port number, PID and FPID.
S3: when sysdig monitors a system call other than accept or connect (including open, execve, read, create, rename and write, and possibly other system calls), the traceability information related to that call is looked up in the mapping table map2, where map2 is a hash table keyed by the PID or FPID. Referring to FIG. 5, map2 stores: the remote IP address, remote port number, local IP address and local port number.
S4: if the traceability information was found in step S3, returning to step S3; if it was not found in step S3, looking it up in the mapping table map1 populated in step S2, which stores the remote IP address, remote port number, local IP address, local port number, PID and FPID. The IP address is searched for in map1, that is, in the table g_sysrun_netstat{} filled by the encapsulated code above; the implementation code is as follows:
[Figure BDA0002495572030000061: the map1 lookup code of step S4, given only as an image in the original publication]
S5: storing the traceability information obtained from map1 in step S4, namely the remote IP address, remote port number, local IP address and local port number, in the mapping table map2 keyed by the PID and FPID, and returning to step S3. The implementation code that writes the information obtained from map1 into map2 is as follows:

-- map2: keyed by process identifier, filled from map1 (step S5)
g_pid_ip_map_table = {}

-- dstip, dstport, srcip and srcport come from the map1 entry found in step S4;
-- pid is the process identifier of the current system call
g_pid_ip_map_table[pid] = {
    dstip   = dstip,
    dstport = dstport,
    srcip   = srcip,
    srcport = srcport,
    key     = srcip .. ":" .. srcport,  -- the map1 key this entry was copied from
}
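The S1 to S5 procedure above, modelled end to end in Python as an added example (this is not the patent's Lua chisel code): map1 is keyed by remote endpoint and map2 by (PID, FPID) as in claims 3 and 5, and the S4 fallback scans map1 rows by the PID/FPID they store, an assumption since the page gives that lookup only as an image. The events are constructed dicts using sysdig field names (evt.type, fd.rip, fd.rport, fd.lip, fd.lport, proc.pid, proc.ppid), and the sample covers the child-process case the disclosure mentions, where a forked worker is matched through its FPID.

```python
from dataclasses import dataclass
from typing import Optional

# System calls whose fd fields carry the peer address (step S1).
SOCKET_CALLS = ("accept", "connect")


@dataclass(frozen=True)
class NetInfo:
    """Traceability record stored in map1 (claim 4) and copied into map2 (claim 6)."""
    rip: str     # remote IP address
    rport: int   # remote port number
    lip: str     # local IP address
    lport: int   # local port number
    pid: int     # process that performed the accept/connect
    ppid: int    # its parent (FPID)


class TraceCorrelator:
    def __init__(self) -> None:
        # map1: (remote IP, remote port) -> NetInfo, filled on accept/connect (S2)
        self.map1: dict = {}
        # map2: (PID, FPID) -> NetInfo, filled lazily from map1 (S5)
        self.map2: dict = {}

    def on_event(self, ev: dict) -> Optional[NetInfo]:
        """Return the traceability record for one sysdig-style event, or None."""
        pid, ppid = ev["proc.pid"], ev["proc.ppid"]
        if ev["evt.type"] in SOCKET_CALLS:
            # S1/S2: record the connection under its remote endpoint
            info = NetInfo(ev["fd.rip"], ev["fd.rport"], ev["fd.lip"], ev["fd.lport"], pid, ppid)
            self.map1[(info.rip, info.rport)] = info
            return info
        # S3: any other call is resolved through map2 by process identity
        info = self.map2.get((pid, ppid))
        if info is not None:
            return info
        # S4: not cached yet; find the map1 row whose PID is this process or its parent.
        # map1 is keyed by endpoint, so this is a scan; the most recent match wins
        # (a process that accepted several connections is ambiguous at this point).
        for cand in reversed(self.map1.values()):
            if cand.pid in (pid, ppid):
                info = cand
                break
        if info is None:
            return None  # no accept/connect was ever seen for this process tree
        # S5: cache under (PID, FPID) so later calls by this process hit map2 directly
        self.map2[(pid, ppid)] = info
        return info


# Constructed sample events (not captured from a real system), using sysdig field names.
SAMPLE_EVENTS = [
    {"evt.type": "accept", "proc.pid": 1200, "proc.ppid": 1,
     "fd.rip": "203.0.113.7", "fd.rport": 51514, "fd.lip": "10.0.0.5", "fd.lport": 80},
    # the server forks a worker (pid 1300) which opens a file: its fd carries no address
    {"evt.type": "open", "proc.pid": 1300, "proc.ppid": 1200, "fd.name": "/etc/passwd"},
    # the same worker writes: now served from map2 without touching map1
    {"evt.type": "write", "proc.pid": 1300, "proc.ppid": 1200, "fd.name": "/tmp/out"},
    # an unrelated daemon with no network activity in the capture
    {"evt.type": "open", "proc.pid": 999, "proc.ppid": 1, "fd.name": "/var/log/syslog"},
]


def trace_all(events):
    """Run the correlator over events; return (evt.type, pid, remote IP or None) per event."""
    corr = TraceCorrelator()
    out = []
    for ev in events:
        info = corr.on_event(ev)
        out.append((ev["evt.type"], ev["proc.pid"], info.rip if info else None))
    return out


if __name__ == "__main__":
    for row in trace_all(SAMPLE_EVENTS):
        print(row)
```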
The invention provides a technical scheme that obtains traceability information for every system call through secondary development of open-source sysdig: sysdig collects system behaviour event information covering all kinds of system calls (syscalls), the traceability information is obtained from accept and connect, and the information obtained during the accept and connect system calls is stored so that it can be queried during other system calls. The system is thus monitored through sysdig, and every system call can obtain traceability information.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (7)

1. A method for monitoring and acquiring traceability information based on the sysdig system, characterized by comprising the following steps:
S1: obtaining the traceability information related to the system call from an accept or connect system call monitored by sysdig;
S2: storing the traceability information acquired in step S1 in the mapping table map1;
S3: when sysdig monitors a system call other than accept or connect, looking up the traceability information related to that system call in the mapping table map2;
S4: if the traceability information was found in step S3, returning to step S3; if it was not found in step S3, looking it up in the mapping table map1 populated in step S2;
S5: storing the traceability information obtained from map1 in step S4 in the mapping table map2, and returning to step S3.
2. The method according to claim 1, wherein the traceability information related to the system call obtained in step S1 includes: the remote IP address, remote port number, local IP address, local port number, process identifier PID and parent process identifier FPID.
3. The method according to claim 1, wherein the mapping table map1 is a hash table keyed by the remote IP address and remote port number.
4. The method according to claim 1, wherein the mapping table map1 stores: the remote IP address, remote port number, local IP address, local port number, PID and FPID.
5. The method according to claim 1, wherein the mapping table map2 is a hash table keyed by the PID and FPID.
6. The method according to claim 1, wherein the mapping table map2 stores: the remote IP address, remote port number, local IP address and local port number.
7. The method according to claim 1, wherein the system calls other than accept and connect in step S3 include: open, execve, read, create, rename and write.
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202010417508.7A | CN111813774B (en) | 2020-05-18 | 2020-05-18 | Method for monitoring and acquiring traceability information based on sysdig system

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202010417508.7A | CN111813774B (en) | 2020-05-18 | 2020-05-18 | Method for monitoring and acquiring traceability information based on sysdig system

Publications (2)

Publication Number | Publication Date
CN111813774A (en) | 2020-10-23
CN111813774B (en) | 2021-02-05

Family

ID=72848291

Family Applications (1)

Application Number | Publication | Status | Priority Date | Filing Date | Title
CN202010417508.7A | CN111813774B (en) | Active | 2020-05-18 | 2020-05-18 | Method for monitoring and acquiring traceability information based on sysdig system

Country Status (1)

Country Link
CN (1) CN111813774B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113395287B (en) * | 2021-06-22 | 2022-06-28 | 杭州默安科技有限公司 | Method and system for recording network attack IP and command execution echo
CN113407416B (en) * | 2021-06-29 | 2022-06-24 | 杭州默安科技有限公司 | File operation IP tracing method and system
CN113572751B (en) * | 2021-07-20 | 2023-05-09 | 杭州默安科技有限公司 | Analysis system and method for network traffic

Citations (8)

Publication number | Priority date | Publication date | Assignee | Title
CN101212338A (en) * | 2006-12-30 | 2008-07-02 | 上海复旦光华信息科技股份有限公司 | Network security event tracking system and method based on detection probe interlocking
CN103825763A (en) * | 2014-02-26 | 2014-05-28 | 中国联合网络通信集团有限公司 | Method and system for user source tracing
CN104333615A (en) * | 2014-11-05 | 2015-02-04 | 中国联合网络通信集团有限公司 | Method and device for tracing address source
CN106027529A (en) * | 2016-05-25 | 2016-10-12 | 华中科技大学 | Intrusion detection system and method based on traceability information
CN106302404A (en) * | 2016-08-01 | 2017-01-04 | 华中科技大学 | Method and system for collecting network traceability information
CN106549790A (en) * | 2015-09-22 | 2017-03-29 | 华为技术有限公司 | Method and device for updating a traceability mapping table
CN110096363A (en) * | 2019-04-29 | 2019-08-06 | 亚信科技(成都)有限公司 | Method and device for correlating network events and processes
CN110830500A (en) * | 2019-11-20 | 2020-02-21 | 北京天融信网络安全技术有限公司 | Network attack tracking method and device, electronic equipment and readable storage medium

Family Cites Families (2)

Publication number | Priority date | Publication date | Assignee | Title
US20180239864A1 (en) * | 2015-03-05 | 2018-08-23 | Indian Institute Of Science | Hardware accelerator for alignment of short reads in sequencing platforms
CN110601889B (en) * | 2019-09-16 | 2022-07-26 | 上海梦鱼信息科技有限公司 | System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management

Patent Citations (9)

Publication number | Priority date | Publication date | Assignee | Title
CN101212338A (en) * | 2006-12-30 | 2008-07-02 | 上海复旦光华信息科技股份有限公司 | Network security event tracking system and method based on detection probe interlocking
CN103825763A (en) * | 2014-02-26 | 2014-05-28 | 中国联合网络通信集团有限公司 | Method and system for user source tracing
CN104333615A (en) * | 2014-11-05 | 2015-02-04 | 中国联合网络通信集团有限公司 | Method and device for tracing address source
CN106549790A (en) * | 2015-09-22 | 2017-03-29 | 华为技术有限公司 | Method and device for updating a traceability mapping table
CN106549790B (en) * | 2015-09-22 | 2019-11-05 | 华为技术有限公司 | Method and device for updating a traceability mapping table
CN106027529A (en) * | 2016-05-25 | 2016-10-12 | 华中科技大学 | Intrusion detection system and method based on traceability information
CN106302404A (en) * | 2016-08-01 | 2017-01-04 | 华中科技大学 | Method and system for collecting network traceability information
CN110096363A (en) * | 2019-04-29 | 2019-08-06 | 亚信科技(成都)有限公司 | Method and device for correlating network events and processes
CN110830500A (en) * | 2019-11-20 | 2020-02-21 | 北京天融信网络安全技术有限公司 | Network attack tracking method and device, electronic equipment and readable storage medium

Non-Patent Citations (3)

Title
Guang Yao et al., "Passive IP traceback: capturing the origin of anonymous traffic through network telescopes", SIGCOMM '10, 2010-08-31, vol. 41, no. 4, pp. 413–414 *
陈周国 et al., "A survey of anonymous network tracking and traceability" (匿名网络追踪溯源综述), 《计算机研究与发展》, 2012-10-15, pp. 111–117 *
宋鸣, "Research on key technologies of information traceability based on traffic analysis" (基于流量分析的信息溯源关键技术研究), 《中国优秀硕士学位论文全文数据库 信息科技辑》, 2015-04-15, no. 4, I139-132 *

Also Published As

Publication number | Publication date
CN111813774A (en) | 2020-10-23

Similar Documents

Publication | Title
CN102314561B (en) Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
EP3506139B1 (en) Malware detection in event loops
US9787706B1 (en) Modular architecture for analysis database
Bayer et al. Scalable, behavior-based malware clustering.
CN111813774B (en) Method for monitoring and acquiring traceability information based on sysdig system
CN101923617B (en) A method for dynamic maintenance of sample database based on cloud
CN109918907B (en) Method, controller and medium for obtaining evidence of malicious codes in process memory of Linux platform
EP3227819B1 (en) Security information and event management
EP3531329A1 (en) Anomaly-based-malicious-behavior detection
CN110765464B (en) Vulnerability detection method, device, equipment and computer storage medium
CN112528279B (en) A method and device for establishing an intrusion detection model
CN111046011A (en) Log collection method, system, node, electronic device and readable storage medium
CN108334399A (en) Multi-source heterogeneous cloud state data acquisition method based on cloud probes
CN108228322B (en) Distributed link tracking and analyzing method, server and global scheduler
CN103927252A (en) Cross-component log recording method, device and system
CN111967044A (en) Method and system for tracking leaked private data suitable for cloud environment
CN113569240B (en) Method, device and equipment for detecting malicious software
CN113312615B (en) Terminal detection and response system
CN105159834B (en) Method for extracting software dynamic testing service data
CN108566392B (en) Machine learning-based system and method for preventing CC attack
CN107688481B (en) Multi-node-supporting KVM virtual machine hiding process detection system
Fatemi et al. Threat hunting in windows using big security log data
CN117955854A (en) Data processing method and system
US7913233B2 (en) Performance analyzer
CN113792294B (en) Malicious class detection method, system, device, equipment and medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant