
Malicious drive detection method, device, equipment and medium

A malicious driver detection method and related technology, applied in the field of network security, which solves the problem that malicious drivers cannot be obtained and achieves low false positives and stable performance.

Inactive Publication Date: 2021-11-09
GUANGTONGTIANXIA NETWORK TECH CO LTD

Problems solved by technology

[0005] In order to overcome the deficiencies of the prior art, one purpose of the present invention is to provide a malicious driver detection method that can traverse malicious drivers at a deeper level and effectively avoid the situation in which a malicious driver cannot be obtained after the relevant data structure has been manipulated.


Embodiment 1

[0050] This embodiment provides a malicious driver detection method that filters malicious drivers by extracting driver objects from several sources. It effectively avoids the defect of the traditional approach, in which manipulation of the corresponding data structure prevents the two-way linked list from being traversed to reach malicious drivers and prevents accurate screening by global variable addresses. Driver objects are comprehensively detected and located based on the SSDT, system global variable addresses and memory addresses, and maliciously hidden driver objects can also be extracted, providing a comprehensive data basis for the subsequent screening and filtering of malicious drivers. The extracted malicious drivers are therefore more accurate, effectively avoiding false positives and false negatives.

[0051] According to the above principles, the malicious driver detection method, as shown in Figure 1, specifically includes the following steps:

[0052] S1: De...

Embodiment 2

[0083] This embodiment discloses a device corresponding to the malicious driver detection method of Embodiment 1, as shown in Figure 5, including:

[0084] A malicious driver object detection module 510, used to detect intercepted (hooked) function pointers in the SSDT, locate through each function pointer the first driver object that intercepts it, then actively intercept the unintercepted function pointers in the SSDT to detect second driver objects hidden by Rootkit technology, and merge the first driver objects and the second driver objects to obtain the driver object set P1;

[0085] A normal driver object detection module 520, configured to traverse the operating system to obtain normal driver objects and merge them to establish the driver object set P2;

[0086] A memory driver object detection module 530, used to traverse and analyze memory structure data by double pointer dereferencing to obtain the driv...

Embodiment 3

[0091] Figure 6 is a schematic structural diagram of an electronic device provided by Embodiment 3 of the present invention. As shown in Figure 6, the electronic device includes a processor 610, a memory 620, an input device 630 and an output device 640; a computer device may have one or more processors 610, and Figure 6 takes one processor 610 as an example. The processor 610, memory 620, input device 630 and output device 640 in the electronic device can be connected through a bus or by other means; Figure 6 takes connection via a bus as an example.

[0092] The memory 620, as a computer-readable storage medium, can be used to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the malicious driver detection method in the embodiment of the present invention (for example, in the malicious driver detection device, the malicious driver object detection module 510, normal driver object detection modu...


Abstract

The invention discloses a method for detecting malicious drivers, which relates to the technical field of network security and aims at detecting and extracting malicious drivers from several sources and reducing the false alarm rate for malicious drivers. The method includes the following steps: detect driver objects hidden by Rootkit technology and create the driver object set P1; traverse the operating system to obtain normal driver objects and merge them to establish the driver object set P2; use double pointer dereferencing to traverse and analyze memory structure data to obtain the driver object set P3; and compute on the driver object set P1, the driver object set P2 and the driver object set P3 to obtain the target malicious driver set. The invention also discloses a malicious driver detection device, electronic equipment and a computer storage medium.
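The three-view reconciliation that the abstract and Embodiment 2 describe, as an added illustration in Python that is not code from the patent: constructed driver images, a constructed SSDT and a constructed memory with pointer chains stand in for the kernel. Only the passive part of the SSDT check is modelled (the active interception of unhooked entries is omitted), and the final calculation, which the page does not spell out, is assumed to be (P1 ∪ P3) minus P2.

```python
from dataclasses import dataclass

# Constructed kernel layout: each driver is an image range; the kernel itself is ntoskrnl.
@dataclass(frozen=True)
class Driver:
    name: str
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

KERNEL = Driver("ntoskrnl.exe", 0xFFFFF80000000000, 0x800000)
ALL = [KERNEL, Driver("disk.sys", 0xFFFFF80010000000, 0x20000),
       Driver("tcpip.sys", 0xFFFFF80020000000, 0x100000),
       Driver("rk.sys", 0xFFFFF80030000000, 0x10000)]  # unlinked from the OS list by the rootkit
BY_BASE = {d.base: d for d in ALL}
TAG = 0xD4  # constructed driver-object signature stored at each object's base
# Constructed memory: pointer slots chain slot -> pointer -> driver object (double dereference).
MEMORY = {d.base: TAG for d in ALL}
MEMORY.update({0x1000: 0x2000, 0x2000: KERNEL.base,
               0x1008: 0x2008, 0x2008: ALL[3].base,
               0x1010: 0x2010, 0x2010: 0xDEAD})  # dangling chain that must be skipped
SLOTS = [0x1000, 0x1008, 0x1010]
# Constructed SSDT: two entries resolve into the kernel image, the third is hooked into rk.sys.
SSDT = [0xFFFFF80000100000, 0xFFFFF80000200000, 0xFFFFF80030001000]
OS_LIST = [d for d in ALL if d.name != "rk.sys"]  # P2 source: what the OS's own list reports

def owner_of(addr):
    """Locate the driver object whose image range contains a function pointer."""
    return next((d for d in ALL if d.contains(addr)), None)

def hooked_ssdt_drivers(ssdt):  # P1
    """SSDT pointers outside the kernel image are hooks; resolve each to its owning driver."""
    return {owner_of(p) for p in ssdt if not KERNEL.contains(p)} - {None}

def memory_scanned_drivers(memory, slots):  # P3
    """Double-dereference each slot and keep targets carrying the driver-object signature."""
    found = set()
    for slot in slots:
        ptr = memory.get(slot)
        obj = memory.get(ptr) if ptr is not None else None
        if obj in BY_BASE and memory.get(obj) == TAG:
            found.add(BY_BASE[obj])
    return found

def target_malicious_set(p1, p2, p3):
    """Assumed reconciliation: seen in the hook or memory views but absent from the OS view."""
    return (p1 | p3) - p2
```

Running `target_malicious_set(hooked_ssdt_drivers(SSDT), set(OS_LIST), memory_scanned_drivers(MEMORY, SLOTS))` on the constructed data yields only rk.sys, the object the OS's own enumeration no longer reports.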

Description

Technical field

[0001] The present invention relates to the technical field of network security, in particular to a malicious driver detection method, device, equipment and medium.

Background

[0002] As the confrontation in network security grows increasingly fierce, malicious code technology has matured and become harder to detect and remove, causing great harm to network security. Common mining Trojans, ransomware and remote-control malware all carry malicious drivers for self-protection, C&C communication and the theft of private data. Most current malicious drivers use Rootkit technology to bypass security mechanisms by exploiting system vulnerabilities and run in kernel mode. They can attack and contend with the operating system while under its control, conceal their own existence, and reside in memory to launch persistent attacks on the computer, which poses a ...

Application Information

Patent Type & Authority: Patents (China)
IPC (8): G06F21/56
CPC: G06F21/566
Inventor: 陈震宇
Owner: GUANGTONGTIANXIA NETWORK TECH CO LTD