WO2004013755A1 - Data processing method, data processing device, computer program, and recording medium - Google Patents
Data processing method, data processing device, computer program, and recording medium
- Publication number
- WO2004013755A1 (PCT/JP2003/009894)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- instruction code
- instruction
- data
- branch
- address
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- The present invention relates to a data processing method for detecting data that executes an unauthorized process, a data processing device, a computer program for realizing the data processing device, and a computer-readable recording medium on which the computer program is recorded.
- Background art
- Attack data containing instruction codes for performing illegal processing (hereinafter referred to as “illegal codes”) targets information processing devices such as server devices and personal computers, and the instruction codes are executed by the information processing device.
- There are a variety of such attack methods, one of which is known as the buffer overflow attack.
- In a buffer overflow, a write to a buffer allocated on the stack exceeds the allocated size; when the buffer overflows, unexpected corruption of variables may occur and cause the program to malfunction.
- A buffer overflow attack intentionally causes a program to malfunction in order to, for example, acquire system administrator privileges.
- Conventional methods for detecting attack data detect structures that are not essential to the attack processing, such as a known bit pattern or a simple repetition of NOP instructions (NOP: no operation). They are therefore weak against variations of attack data: every time unknown attack data appears, the database of bit patterns used for detection must be updated, and the time lag until the database is updated has become a problem.
- The present invention has been made in view of such circumstances. An instruction code related to a branch instruction is searched for in the input data, and it is determined whether an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address. If it is determined that such an instruction code is associated with the branch destination address, it is determined whether the call destination address of that instruction code is between the branch source address and the branch destination address.
- An object of the invention is to provide a data processing method, a data processing device, a computer program for realizing the data processing device, and a computer-readable recording medium storing the computer program.
- the data processing method receives an input of data including a plurality of instruction codes, and determines whether or not a process executed based on the instruction codes included in the received data is an illegal process.
- An instruction code related to a branch instruction is searched for in the data, and the branch source address and the branch destination address associated with the found instruction code are stored.
- It is then determined whether an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address. If it is determined that such an instruction code is associated with the branch destination address, the call destination address of the instruction code is stored, and it is determined whether the stored call destination address is between the branch source address and the branch destination address.
- the data processing device includes means for receiving input of data including a plurality of instruction codes, and a process executed based on the instruction code included in the data received by the means is an unauthorized process.
- Means for storing a branch destination address associated with the instruction, and whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address.
- The data processing device is the data processing device according to the second aspect, further comprising means for determining whether a predetermined character string is associated with the return destination address. If the character string is associated with the return destination address, information indicating that the data is data for executing an illegal process is output.
- a data processing device includes a means for receiving input of data including a plurality of instruction codes, and a process executed based on the instruction codes included in the data received by the means is an unauthorized process.
- a data processing device for determining whether or not the instruction code for executing a predetermined process is called from the data; and a return address of the instruction code group.
- a data processing device includes means for receiving input of data including a plurality of instruction codes, and a process executed based on the instruction codes included in the data received by the means is an unauthorized process.
- a data processing device for determining whether or not the instruction code for calling a group of instruction codes for executing predetermined processing is searched from the data; and Means for determining whether or not the instruction code for obtaining the return address of the instruction code group is included in the instruction code group; and the instruction code is included in the instruction code group.
- the information processing apparatus further comprises means for outputting information indicating that the data is data for executing an unauthorized process.
- a computer program is a computer program having a step of causing a computer to determine whether or not a process executed based on data including a plurality of input instruction codes is an illegal process.
- a step of storing a branch destination address that has been previously associated; a step of causing the computer to determine whether an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address; and a step of causing the computer, when it is determined that the instruction code is associated with the branch destination address, to store the call destination address of the instruction code and to determine whether the stored call destination address is between the branch source address and the branch destination address.
- the computer readable recording medium stores the computer based on data including a plurality of instruction codes inputted.
- Computer program having a step of judging whether or not a process to be executed is an illegal process is recorded on a computer-readable recording medium on which a computer program is recorded.
- a computer program which has a step of storing an address and a step of determining whether or not the stored call destination address is between the branch source address and the branch destination address.
- An instruction code related to a branch instruction is searched for in the input data, and the branch source address and the branch destination address of the found instruction code are stored. It is then determined whether an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address. If so, the call destination address of that instruction code is stored, and it is determined whether the stored call destination address is between the branch source address and the branch destination address.
- The detection accuracy of the illegal code is improved.
- An instruction code for calling an instruction code group for executing a predetermined process is searched for in the input data, and it is determined whether a predetermined character string is associated with the return address of the instruction code group, so it is easy to determine whether the code is illegal, and the determination can be made with high accuracy.
- An instruction code for calling an instruction code group for executing a predetermined process is searched for in the input data, and if the instruction code is found, it is determined whether the instruction code group includes an instruction code for acquiring the return address, so it is easy to determine whether the code is an illegal code, and the determination can be made with high accuracy.
- FIG. 1 is a schematic configuration diagram illustrating an intrusion detection system using the data processing device of the present invention.
- FIG. 2 is a conceptual diagram illustrating a characteristic structure of an unauthorized code.
- FIG. 3 is a conceptual diagram illustrating a characteristic structure of an unauthorized code.
- FIG. 4 is a flowchart illustrating a processing procedure of the intrusion detection system according to the present embodiment.
- FIG. 5 is an example of a branch table used for intrusion detection.
- FIG. 6 is a conceptual diagram illustrating the characteristic structure of spoofed malicious code.
- FIG. 7 is a conceptual diagram illustrating the characteristic structure of spoofed malicious code.
- FIG. 8 is a flowchart illustrating a processing procedure of the intrusion detection system according to the present embodiment.
- FIG. 9 is a schematic diagram illustrating a configuration of an intrusion detection system according to the present embodiment.
- FIG. 1 is a schematic configuration diagram illustrating an intrusion detection system using the data processing device of the present invention.
- reference numeral 10 denotes a relay device that embodies the data processing device of the present invention, for example, a device that relays data communication such as a router, a switch, or a broadband router.
- The relay device 10 includes a CPU 11, a memory 12, and communication interfaces (hereinafter referred to as communication IFs) 13 and 14. It relays transmission and reception of various data between the information processing device 20 connected to the communication IF 13 and another information processing device 30 connected to the communication IF 14 via a data communication network N such as the Internet.
- the information processing devices 20 and 30 are, for example, personal computers, server devices, mobile phones, PDAs
- When the relay device 10 receives data transmitted from the information processing device 30, it determines whether the received data contains an instruction code for executing illegal processing (hereinafter referred to as an illegal code); if the data contains an illegal code, processing such as cutting off communication and outputting an alarm is performed.
- the memory 12 of the relay device 10 includes a routing table 12a, a filtering table 12b, and a branch table 12c.
- the routing table 12a stores communication path control information, and the transmission path of data transmitted from the information processing device 20 is determined based on the path control information.
- The filtering table 12b stores identification information (for example, an IP address or a port number) of communication partners whose data should be refused; when data transmitted from an information processing apparatus corresponding to the identification information is received, the data is not forwarded to the information processing device 20.
- The computer program of the present invention is stored in the memory 12 in advance, and by having the CPU 11 execute the computer program, the relay device 10 operates as an intrusion detection system that detects illegal code.
- The branch table 12c stores memory addresses (hereinafter simply referred to as addresses) related to specific instruction codes acquired while the computer program is running, and is used to determine whether the data contains an illegal code.
- The CPU 11 of the relay device 10 performs write or read operations on these tables as appropriate to control the communication.
- The following describes the characteristic structure of malicious code, obtained from the inventors' findings.
- The inventors found that a call instruction (hereinafter referred to as a call instruction) is placed at the branch destination specified by a branch instruction (hereinafter referred to as a jmp instruction), and that the call destination lies between the jmp instruction and the call instruction. The address stored on the stack by the call instruction, that is, the address following the call instruction, is acquired by the instruction code group at the call destination, and the acquired address is used to execute the command to be started.
- FIG. 2 and FIG. 3 are conceptual diagrams illustrating the characteristic structure of the malicious code.
- A call instruction is placed ahead of the jmp instruction that branches the processing. That is, the call instruction is associated with the branch destination address (A10) of the jmp instruction, the instruction code group (A2 to A6) for invoking the external command is associated with the call destination of the call instruction, and the call destination of the call instruction is set so as to lie between the branch source address (A1) and the branch destination address (A10).
- In this instruction code group, the address stored on the stack by the call instruction, that is, the address (A11) following the call instruction, is acquired by a pop instruction, and an external command is executed using the acquired address.
- Dummy initial data and a work area may be provided between the instruction code group and the call instruction (A7 to A9).
- The illegal code described above is characterized in that (1) a call instruction exists at the branch destination of the jmp instruction, and (2) the call destination of the call instruction lies between the call instruction and the jmp instruction.
- the relay device 10 detects an illegal code having such a characteristic structure from the data received by the communication IF 14, and outputs an alarm or cuts off the communication.
- FIG. 4 is a flowchart explaining the processing procedure of the intrusion detection system according to the present embodiment, and FIG. 5 is a conceptual diagram showing an example of the branch table 12c used for intrusion detection.
- The CPU 11 of the relay device 10 reads one byte of the data received by the communication IF 14 (step S1) and determines whether the read data is a jmp instruction (step S2). If the read data is a jmp instruction (S2: YES), the CPU 11 determines whether the address of the branch destination specified by the jmp instruction is larger than the address of the current position (step S3).
- If it is determined that the address of the branch destination is larger than the address of the current position (S3: YES), the address of the current position (branch source address) and the address of the branch destination (branch destination address) are associated with each other and stored in the branch table 12c (step S4).
- the data is a jmp instruction, and the address of the branch destination designated by the jmp instruction is used.
- A1 is stored in the branch table 12c as the branch source address and A10 is stored in the branch table 12c as the branch destination address (see figure).
- If it is determined in step S3 that the branch destination address is smaller than the address of the current position (S3: NO), or after the branch source address has been stored in the branch table 12c in step S4, the CPU 11 determines whether the data to be read has been completed (step S5). If data to be read still remains (S5: NO), the process returns to step S1; if the data to be read has been completed (S5: YES), this routine ends.
- If it is determined in step S2 that the read data is not a jmp instruction (S2: NO), the CPU 11 determines whether the address of the current position matches a branch destination address stored in the branch table 12c (step S6). If the address of the current position does not match a branch destination address (S6: NO), any branch destination address smaller than the address of the current position is deleted from the branch table 12c (step S7). The process of step S5 is then performed to determine whether to return to step S1 or to end this routine.
- If the address of the current position matches a branch destination address stored in the branch table 12c (S6: YES), the CPU 11 determines whether the instruction code associated with the address of the current position is a call instruction (step S8). If it is a call instruction (S8: YES), the CPU 11 refers to the branch table 12c and determines whether the call destination of the call instruction is between the branch source address and the branch destination address (step S9).
- If it is determined in step S8 that the instruction is not a call instruction (S8: NO), or if it is determined in step S9 that the call destination is not between the branch source address and the branch destination address (S9: NO), the process proceeds to step S5.
- If it is determined that the call destination of the call instruction is between the branch source address and the branch destination address stored in the branch table 12c (S9: YES), the CPU 11 generates information indicating that an illegal code has been detected (step S10).
- Information indicating that the illegal code has been detected may be displayed on a display unit such as a liquid crystal display provided on the relay device 10, or may be notified by an alarm unit such as a buzzer or an LED lamp. The information may also be transmitted to the information processing device 20 and displayed on a display unit (not shown) of the information processing device 20. Further, communication may be interrupted in response to the generation of information indicating that the unauthorized code has been detected.
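The Fig. 4 procedure (steps S1 to S10) as a runnable sketch; this is an added example, not code from the patent. It assumes 32-bit x86 encodings (jmp as `EB rel8` or `E9 rel32`, call as `E8 rel32`), which the text does not specify, treats byte offsets in the buffer as addresses, and runs on constructed sample bytes; `scan_branch_call` and the other names are hypothetical.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Assumed 32-bit x86 opcodes; the patent text only names "jmp" and "call".
JMP_REL8, JMP_REL32, CALL_REL32 = 0xEB, 0xE9, 0xE8


def rel_target(data: bytes, pos: int, width: int) -> Optional[int]:
    """Absolute offset targeted by the relative branch at pos, or None if truncated."""
    end = pos + 1 + width                      # offset of the following instruction
    if end > len(data):
        return None
    (disp,) = struct.unpack_from("<b" if width == 1 else "<i", data, pos + 1)
    return end + disp


def scan_branch_call(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (branch_source, branch_destination, call_destination) per detection."""
    branch_table: Dict[int, List[int]] = {}    # destination -> sources (branch table 12c)
    hits: List[Tuple[int, int, int]] = []
    # S1: one byte at a time, as in the text; operand bytes are not skipped, so a
    # byte that merely looks like an opcode is treated as one.
    for pos, opcode in enumerate(data):
        if opcode in (JMP_REL8, JMP_REL32):                      # S2
            dest = rel_target(data, pos, 1 if opcode == JMP_REL8 else 4)
            if dest is not None and pos < dest < len(data):      # S3: forward branch
                branch_table.setdefault(dest, []).append(pos)    # S4
            continue                                             # S5
        sources = branch_table.get(pos)                          # S6
        if sources is None:
            for stale in [d for d in branch_table if d < pos]:   # S7
                del branch_table[stale]
            continue
        if opcode != CALL_REL32:                                 # S8
            continue
        callee = rel_target(data, pos, 4)
        if callee is None:
            continue
        for src in sources:                                      # S9
            if src < callee < pos:
                hits.append((src, pos, callee))                  # S10
    return hits


def build_fig2_layout() -> bytes:
    """Constructed skeleton with the Fig. 2 layout; filler only, no payload."""
    body = bytes([JMP_REL8, 9])          # offset 0 (role of A1): jmp to offset 11
    body += b"\x5e"                      # offset 2 (role of A2): pop, the call destination
    body += b"\x90" * 8                  # offsets 3-10: filler for the rest of the group
    body += bytes([CALL_REL32]) + struct.pack("<i", 2 - 16)  # offset 11 (role of A10)
    return body + b"DATA"                # offset 16 (role of A11): placeholder bytes


# Constructed benign sample: a forward jmp lands on a call whose destination is
# further ahead, so the call destination is not between source and destination.
BENIGN = (bytes([JMP_REL8, 2, 0x90, 0x90, CALL_REL32])
          + struct.pack("<i", 5) + b"\x90" * 6 + b"\xc3")

if __name__ == "__main__":
    print(scan_branch_call(build_fig2_layout()))   # [(0, 11, 2)]
    print(scan_branch_call(BENIGN))                # []
```

Because the branch table is keyed by destination and pruned in S7, memory stays bounded by the number of forward branches still ahead of the read position.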
- The address stored on the stack by the call instruction holds the character string of the external command to be executed, so an ASCII character string is located at the address following the call instruction.
- The inventors' study has shown that the presence or absence of an illegal code can also be detected by independently determining whether an ASCII character string exists at the address following the call instruction.
- In the present embodiment, whether an illegal code is included can be determined by sequentially reading and processing the data.
- the mechanism is simple and high-speed processing is possible.
- The illegal code described above is characterized in that an external command to be executed is placed at the address following the call instruction.
- a special command for calling such an external command is used.
- the malicious code was detected.
- The external command to be executed does not necessarily have to be placed immediately after the call instruction, and can be shifted by an address predetermined by the creator of the illegal code.
- Such a malicious code is referred to as a spoofed fraudulent code, and the characteristic structure of the spoofed fraudulent code and a detection procedure will be described below. Note that the configuration of the relay device 10 and the connection configuration with the information processing devices 20 and 30 are the same as those in the first embodiment, and a description thereof will be omitted.
- Fig. 6 and Fig. 7 are conceptual diagrams explaining the characteristic structure of spoofed fraudulent code.
- In the instruction code group called by the call instruction, the address corresponding to the external command to be started is obtained in the same manner as described above, but this code differs from the illegal code described in the first embodiment in that a dummy instruction code of fixed length is placed between the call instruction and the external command as a disguise.
- The address (A2) stored on the stack by the call instruction is acquired by the instruction code group specified at A16 to A20, and the external command associated with the fifth address (A7) from address A2 is started.
- FIG. 8 is a flowchart illustrating a processing procedure of the intrusion detection system according to the present embodiment.
- The CPU 11 of the relay device 10 searches the received data for a call instruction (step S21) and determines whether a call instruction was found (step S22). If there is a call instruction (S22: YES), the CPU 11 stores the address of the found call instruction in the memory 12 (step S23). If the received data does not include a call instruction (S22: NO), the processing by the intrusion detection system ends. After the address of the found call instruction is stored, the processing moves to the call destination address specified by the call instruction (step S24), and one byte of data is read (step S25).
- The CPU 11 determines whether the read data is a push instruction for storing an address on the stack (step S26). If it is determined that the read data is a push instruction (S26: YES), the current address is stored (step S27), and the process returns to step S25. If it is determined that the read data is not a push instruction (S26: NO), it is determined whether the read data is a pop instruction (step S28). If it is determined that the instruction is not a pop instruction (S28: NO), it is determined whether the called routine has been completed (step S31).
- If it is determined that the called routine has not ended (S31: NO), the process returns to step S25. If it is determined that the called routine has ended (S31: YES), the address stored in step S23 is referred to, the processing moves to the next address of the calling source (step S32), and the call instruction is searched for again.
- If it is determined that the data read in step S25 is a pop instruction (S28: YES), the CPU 11 refers to the address stored in step S27 and determines whether it is a pop instruction that is not preceded by a push instruction (step S29). If it is determined that it is not a pop instruction unpreceded by a push instruction (S29: NO), the process proceeds to step S31.
- the CPU 11 sends information indicating that an illegal code has been detected.
- the information indicating that the above-described illegal code is detected is the same as in the first embodiment.
- the relay device 10 may be provided with a display unit such as a liquid crystal display or the like, or may be provided with an alarm unit such as a buzzer or an LED lamp to notify. Further, the information may be transmitted to the information processing device 20 and displayed on a display unit (not shown) included in the information processing device 20. Further, the communication may be cut off in response to the generation of the information indicating that the unauthorized code has been detected.
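The Fig. 8 procedure (steps S21 to S32) as a second added sketch, likewise not code from the patent. Assumptions not in the text: 32-bit x86 one-byte opcodes for call, push and pop, `ret` as the end of the called routine, a counter in place of the stored push address, and a `max_routine` scan bound; the sample bytes are constructed and `scan_call_pop` is a hypothetical name.

```python
import struct
from typing import List, Optional, Tuple

# Assumed 32-bit x86 single-byte opcodes; the text names only call, push and pop.
CALL_REL32 = 0xE8
PUSH_REG = range(0x50, 0x58)   # push eax .. push edi
POP_REG = range(0x58, 0x60)    # pop eax .. pop edi
RET = 0xC3                     # assumed marker for "the called routine has ended"


def call_destination(data: bytes, pos: int) -> Optional[int]:
    """Offset targeted by the call at pos, or None if truncated or outside the data."""
    end = pos + 5
    if end > len(data):
        return None
    dest = end + struct.unpack_from("<i", data, pos + 1)[0]
    return dest if 0 <= dest < len(data) else None


def scan_call_pop(data: bytes, max_routine: int = 64) -> List[Tuple[int, int]]:
    """Return (call_offset, pop_offset) for each call whose routine pops with no prior push."""
    hits: List[Tuple[int, int]] = []
    pos = data.find(bytes([CALL_REL32]))                       # S21
    while pos != -1:                                           # S22
        call_addr = pos                                        # S23
        dest = call_destination(data, call_addr)
        if dest is not None:
            pending_pushes = 0   # stands in for the address stored in S27 (assumption)
            for cur in range(dest, min(len(data), dest + max_routine)):  # S24, S25
                byte = data[cur]
                if byte in PUSH_REG:                           # S26
                    pending_pushes += 1                        # S27
                elif byte in POP_REG:                          # S28
                    if pending_pushes == 0:                    # S29: pop with no push before it
                        hits.append((call_addr, cur))          # report detection
                        break
                    pending_pushes -= 1
                elif byte == RET:                              # S31: routine ended
                    break
        pos = data.find(bytes([CALL_REL32]), call_addr + 1)    # S32: search again
    return hits


# Constructed skeleton of the spoofed layout: call first, 11 filler bytes standing in
# for the dummy code and command area, then a routine that pops the return address.
SPOOFED = bytes([CALL_REL32]) + struct.pack("<i", 11) + b"\x90" * 11 + b"\x5e\x90\xc3"

# Constructed benign sample: call to an ordinary routine whose pop is paired with
# its own push (push ebp; mov ebp, esp; pop ebp; ret).
ORDINARY = bytes([CALL_REL32]) + struct.pack("<i", 1) + b"\xc3" + b"\x55\x89\xe5\x5d\xc3"

if __name__ == "__main__":
    print(scan_call_pop(SPOOFED))    # [(0, 16)]
    print(scan_call_pop(ORDINARY))   # []
```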
- a relay device used for data communication such as a router, a switch, and a broadband router
- The invention can also be applied to information processing devices with communication functions, such as personal computers, server devices, telephones, and PDAs.
- FIG. 9 is a schematic diagram illustrating a configuration of an intrusion detection system according to the present embodiment.
- Reference numeral 50 denotes an information processing device such as a personal computer, which is connected to the data communication network N via a relay device 40 such as a router.
- The information processing device 50 receives data from various communication devices and other information processing devices through the data communication network N and the relay device 40, and transmits data to those communication devices and information processing devices.
- The relay device 40 includes a CPU 41, a memory 42, and a communication interface 434, and the memory 42 has a routing table 42a in which communication path control information is stored and a filtering table 42b in which identification information (for example, an IP address or a port number) of communication partners whose data is to be rejected is stored.
- A transmission path is set by the routing table 42a, and when data is received from the outside, the filtering table 42b is referred to in order to determine whether the sender is a communication partner whose data should be refused.
- The information processing device 50 includes a CPU 51, which is connected via a bus 52 to various hardware such as a ROM 53, a RAM 54, a display unit 55, an input unit 56, a communication unit 57, an auxiliary storage device 58, and an internal storage device 59.
- the CPU 51 controls the hardware according to a control program stored in the ROM 53.
- the RAM 54 is composed of an SRAM or a flash memory, and stores data generated when the control program stored in the ROM 53 is executed.
- the display unit 55 is a display device such as a CRT or a liquid crystal display
- the input unit 56 is an input device such as a keyboard and a mouse.
- the display unit 55 and the input unit 56 are used, for example, when inputting and displaying data to be transmitted.
- the communication unit 57 includes a line terminating device such as a modem, and controls transmission and reception of various data via the relay device 40.
- The auxiliary storage device 58 includes an FD drive, a CD-ROM drive, or the like for reading the computer program and data from a recording medium 60, such as an FD or a CD-ROM, on which the computer program and data of the present invention are recorded.
- the read computer program and data are stored in the internal storage device 59.
- the computer program and data stored in the internal storage device 59 are read into the RAM 54 and executed by the CPU 51 to operate as the information processing device 50 according to the present embodiment.
- the computer program of the present invention may be provided not only by the recording medium 60 but also through a data communication network N.
- The above-mentioned computer program is desirably a resident program that is automatically read into the RAM 54 when the information processing device 50 is started up, and it is advisable that unauthorized code be detected automatically when the communication unit 57 receives data from outside. The procedure for detecting an unauthorized code is the same as that described in the first and second embodiments, and therefore the description is omitted.
- Data including an unauthorized code is detected by using an information processing device 50 such as a personal computer.
- the present invention can be applied to electronic game machines, in-vehicle communication devices, and various information appliances.
- The instruction code relating to the branch instruction is retrieved from the input data, the branch source address and the branch destination address of the retrieved instruction code are stored, and it is determined whether an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address. If it is determined that the instruction code is associated with the branch destination address, the call destination address of the instruction code is stored, and it is determined whether the stored call destination address is between the branch source address and the branch destination address. Because the method focuses on a universal structure that is not found in ordinary executable code, malicious code is likely to be detected even if it is transformed, and the malicious code can be detected even when unknown attack data appears.
- the processing speed is high, and for example, real-time determination can be made for data received through communication.
- the apparatus further includes means for determining whether or not a predetermined character string is associated with the return address of the instruction code group, the detection accuracy of an unauthorized code is improved.
- an instruction code for calling an instruction code group for executing a predetermined process is searched from the input data, and a predetermined character string is associated with a return address of the instruction code group. Since it is determined whether or not the code is incorrect, it is easy to determine whether or not the code is invalid, and the determination can be made with high accuracy.
- an instruction code for calling an instruction code group for executing a predetermined process is searched for in the input data, and when the instruction code is found, a return address is obtained in the instruction code group.
- the present invention has an excellent effect: for example, it is easy to judge whether an illegal code is included, because it is possible to judge whether an instruction code for performing the operation is included.
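The branch / call / call-destination check described above, as an added example that is not code from the patent. It assumes 32-bit x86 encodings (EB and E9 for the branch, E8 for the call) and a byte-by-byte scan instead of full disassembly; the function name and both sample buffers are constructed for illustration.

```python
import struct

# Assumed x86 opcodes; the page does not name an instruction set.
JMP_SHORT, JMP_NEAR, CALL_NEAR = 0xEB, 0xE9, 0xE8


def find_suspect_layouts(data: bytes):
    """Return (branch_src, branch_dst, call_dst) offsets that match the check."""
    hits = []
    for src in range(len(data)):
        op = data[src]
        # Step 1: find a branch and record its source and destination.
        if op == JMP_SHORT and src + 2 <= len(data):
            dst = src + 2 + struct.unpack_from("<b", data, src + 1)[0]
        elif op == JMP_NEAR and src + 5 <= len(data):
            dst = src + 5 + struct.unpack_from("<i", data, src + 1)[0]
        else:
            continue
        # Step 2: is a call instruction located at the branch destination?
        if dst < 0 or dst + 5 > len(data) or data[dst] != CALL_NEAR:
            continue
        call_dst = dst + 5 + struct.unpack_from("<i", data, dst + 1)[0]
        # Step 3: does the call land between branch source and destination?
        lo, hi = min(src, dst), max(src, dst)
        if lo < call_dst < hi:
            hits.append((src, dst, call_dst))
    return hits


# Constructed input: text, a short jump over 8 NOPs, then a call back to
# offset 6 (just after the jump). The filler is NOPs only, no payload.
SAMPLE = (b"AAAA" + b"\xeb\x08" + b"\x90" * 8
          + b"\xe8" + struct.pack("<i", -13) + b"DATA")

# Constructed counter-example: a jump followed by a call that goes forward,
# outside the span between branch source and destination.
BENIGN = (b"\xeb\x02\x90\x90" + b"\xe8" + struct.pack("<i", 3)
          + b"\x90\x90\x90\xc3")

if __name__ == "__main__":
    for name, buf in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, find_suspect_layouts(buf))
```

A byte-wise scan can match operand bytes that merely look like opcodes, so a hit here is a candidate for closer inspection, not a verdict.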
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/523,690 US7805760B2 (en) | 2002-08-05 | 2003-08-04 | Data processing method, data processing device computer program and recording medium |
AU2003252387A AU2003252387A1 (en) | 2002-08-05 | 2003-08-04 | Data processing method, data processing device, computer program, and recording medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2002-227888 | 2002-08-05 | ||
JP2002227888A JP4660056B2 (ja) | 2002-08-05 | 2002-08-05 | Data processing device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004013755A1 true WO2004013755A1 (ja) | 2004-02-12 |
Family
ID=31492232
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2003/009894 WO2004013755A1 (ja) | 2002-08-05 | 2003-08-04 | Data processing method, data processing device, computer program, and recording medium |
Country Status (5)
Country | Link |
---|---|
US (1) | US7805760B2 (ja) |
JP (1) | JP4660056B2 (ja) |
AU (1) | AU2003252387A1 (ja) |
TW (1) | TW200402634A (ja) |
WO (1) | WO2004013755A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111552959A (zh) * | 2020-06-18 | 2020-08-18 | 南方电网科学研究院有限责任公司 | Method and device for generating a program feature sequence |
CN111930651A (zh) * | 2020-08-14 | 2020-11-13 | 山东云海国创云计算装备产业创新中心有限公司 | Instruction execution method, apparatus, device, and readable storage medium |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100586500B1 (ko) * | 2004-03-18 | 2006-06-07 | 학교법인고려중앙학원 | Method and apparatus for detecting and recovering from buffer overflow attacks |
JP2006018765A (ja) * | 2004-07-05 | 2006-01-19 | Infocom Corp | Method and program for temporarily modifying software |
US9064115B2 (en) | 2006-04-06 | 2015-06-23 | Pulse Secure, Llc | Malware detection system and method for limited access mobile platforms |
US9202049B1 (en) | 2010-06-21 | 2015-12-01 | Pulse Secure, Llc | Detecting malware on mobile devices |
US8726338B2 (en) | 2012-02-02 | 2014-05-13 | Juniper Networks, Inc. | Dynamic threat protection in mobile networks |
CN103309762B (zh) * | 2013-06-21 | 2015-12-23 | 杭州华三通信技术有限公司 | Device exception handling method and apparatus |
CN103473057A (zh) * | 2013-09-10 | 2013-12-25 | 江苏中科梦兰电子科技有限公司 | Method for optimizing the memcpy function |
US10103890B2 (en) * | 2014-08-08 | 2018-10-16 | Haw-Minn Lu | Membership query method |
US10728040B1 (en) * | 2014-08-08 | 2020-07-28 | Tai Seibert | Connection-based network behavioral anomaly detection system and method |
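CN105988905A (zh) * | 2015-02-12 | 2016-10-05 | 中兴通讯股份有限公司 | Exception handling method and apparatus |
JP7316613B2 (ja) * | 2020-03-27 | 2023-07-28 | パナソニックIpマネジメント株式会社 | Anomaly detection method, anomaly detection program, anomaly detection device, rewriting method, rewriting program, and rewriting device |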
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5313616A (en) * | 1990-09-18 | 1994-05-17 | 88Open Consortium, Ltd. | Method for analyzing calls of application program by inserting monitoring routines into the executable version and redirecting calls to the monitoring routines |
JP2702462B2 (ja) * | 1995-10-31 | 1998-01-21 | 日本電気アイシーマイコンシステム株式会社 | Information control device and control method thereof |
US6148437A (en) * | 1998-05-04 | 2000-11-14 | Hewlett-Packard Company | System and method for jump-evaluated trace designation |
US6301699B1 (en) * | 1999-03-18 | 2001-10-09 | Corekt Security Systems, Inc. | Method for detecting buffer overflow for computer security |
US6697950B1 (en) * | 1999-12-22 | 2004-02-24 | Networks Associates Technology, Inc. | Method and apparatus for detecting a macro computer virus using static analysis |
US7085920B2 (en) * | 2000-02-02 | 2006-08-01 | Fujitsu Limited | Branch prediction method, arithmetic and logic unit, and information processing apparatus for performing brach prediction at the time of occurrence of a branch instruction |
US6775780B1 (en) * | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
US8341743B2 (en) * | 2000-07-14 | 2012-12-25 | Ca, Inc. | Detection of viral code using emulation of operating system functions |
US20030041315A1 (en) * | 2001-08-21 | 2003-02-27 | International Business Machines Corporation | Debugger with automatic detection of control points influencing program behavior |
US7340777B1 (en) * | 2003-03-31 | 2008-03-04 | Symantec Corporation | In memory heuristic system and method for detecting viruses |
Date | Country | Application | Publication | Status |
---|---|---|---|---|
2002-08-05 | JP | JP2002227888A | JP4660056B2 (ja) | Not active, Expired - Fee Related |
2003-08-04 | AU | AU2003252387A | AU2003252387A1 (en) | Not active, Abandoned |
2003-08-04 | US | US10/523,690 | US7805760B2 (en) | Not active, Expired - Fee Related |
2003-08-04 | TW | TW092121250A | TW200402634A (zh) | Unknown |
2003-08-04 | WO | PCT/JP2003/009894 | WO2004013755A1 (ja) | Active, Application Filing |
Non-Patent Citations (3)
Title |
---|
GAKUTO MASUDA: "Computer Virus", 16 January 2000, KABUSHIKI KAISHA SCC, pages: 108 - 110, XP002974929 * |
PALEVICH J., TRANSLATED BY MAKINO: "E-mail from mountain view dai 31 kai computer virus no subete", ASCII DOS/V ISSUE, vol. 5, no. 9, 1 September 1999 (1999-09-01), pages 124 - 125, XP002974930 * |
SUGURU YAMAGUCHI: "Joho Security", 20 September 2000, KYORITSU SHUPPAN CO., LTD., pages: 150 - 161, XP002974928 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
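CN111552959A (zh) * | 2020-06-18 | 2020-08-18 | 南方电网科学研究院有限责任公司 | Method and device for generating a program feature sequence |
CN111552959B (zh) * | 2020-06-18 | 2023-08-29 | 南方电网科学研究院有限责任公司 | Method and device for generating a program feature sequence |
CN111930651A (zh) * | 2020-08-14 | 2020-11-13 | 山东云海国创云计算装备产业创新中心有限公司 | Instruction execution method, apparatus, device, and readable storage medium |
CN111930651B (zh) * | 2020-08-14 | 2022-03-08 | 山东云海国创云计算装备产业创新中心有限公司 | Instruction execution method, apparatus, device, and readable storage medium |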
Also Published As
Publication number | Publication date |
---|---|
US7805760B2 (en) | 2010-09-28 |
JP2004070605A (ja) | 2004-03-04 |
US20060041863A1 (en) | 2006-02-23 |
TW200402634A (en) | 2004-02-16 |
JP4660056B2 (ja) | 2011-03-30 |
AU2003252387A1 (en) | 2004-02-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| ENP | Entry into the national phase | Ref document number: 2006041863 Country of ref document: US Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 10523690 Country of ref document: US |
| 122 | Ep: pct application non-entry in european phase | |
| WWP | Wipo information: published in national office | Ref document number: 10523690 Country of ref document: US |