A Knowledge Graph-Based Intelligent Method and System for Detecting Software Backdoors
By constructing a temporal knowledge graph and performing cross-chain constraint analysis, the problem of inaccurate identification of parent process deception backdoors in traditional software process detection systems is solved, achieving accurate interception of parent process deception backdoors and improving system security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHENZHEN HAIYUNAN NETWORK SECURITY TECH CO LTD
- Filing Date
- 2026-04-16
- Publication Date
- 2026-06-30
AI Technical Summary
Traditional software process detection systems struggle to accurately identify backdoors that deceive parent processes, leading to unstable detection results and an inability to detect abnormal links that forge parent processes in a timely manner, thus affecting system security.
A knowledge graph-based approach is adopted to intercept system kernel events, generate time-series interaction logs, construct a time-series knowledge graph, extract process nodes, token nodes and relationships, perform cross-chain constraint analysis, calculate the lineage forgery index, and identify parent process deception backdoors.
It improves the ability to identify backdoors that deceive parent processes, reduces the probability of mistakenly intercepting normal processes, and enhances the accuracy and stability of system kernel-level security protection.
Smart Images

Figure CN122046358B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of software detection technology, and relates to a method and system for intelligent detection of software backdoors based on knowledge graphs. Background Technology
[0002] In traditional software process detection systems, process parent-child relationships, handle access status, and permission transfer results are often scattered across different monitoring modules, making it difficult to form a unified correlation for judgment. For normal system operation, handle inheritance and permission propagation are indispensable fundamental behaviors during process creation, and their accurate identification directly affects the reliability of system security auditing, resource management, and abnormal behavior tracking. Meanwhile, the information contained in handle access permissions, such as process control, memory writes, and thread creation, can reflect the true intensity of interaction and control relationships between processes; therefore, handle chains play a crucial role in determining process legitimacy.
[0003] It's important to note that process parent-child relationships don't always accurately reflect the underlying creation chain, especially in backdoor scenarios involving parent process deception. Malicious programs can use legitimate service processes as the apparent parent process, making the process identifier appear consistent with normal business logic. In this case, handle inheritance and token transfer relationships often deviate from the apparent parent process information, manifesting as inconsistencies between the parent process's access and inheritance capabilities and its actual operational behavior. Therefore, relying solely on static comparison using the parent process ID is insufficient to accurately identify backdoor process masquerading; further analysis of handle chains, permission states, and inter-process interactions is necessary to uncover the true correlation characteristics.
[0004] Traditional detection methods often rely on single-point handle verification or simple parent process whitelist checks, easily overlooking the logical loop of relationships within the handle inheritance chain. This makes it difficult to detect abnormal links that forge parent processes in a timely manner. Secondly, while some methods can record handle access permissions, they lack the linked analysis of handle pointing relationships and permission combination characteristics, making it difficult to distinguish between legitimate process creation and malicious creation exploiting permission mismatches. Consequently, the identification of parent process deception backdoors remains at the superficial feature comparison stage, affecting the accuracy and stability of detection. Summary of the Invention
[0005] In view of the problems existing in the prior art, the present invention provides a knowledge graph-based intelligent detection method and system for software backdoors to solve the above-mentioned technical problems.
[0006] To achieve the above and other objectives, the technical solution adopted by the present invention is as follows:
[0007] The first aspect of this invention provides a knowledge graph-based intelligent detection method for software backdoors, the method comprising:
[0008] The system kernel events are intercepted and the object handle table is read to generate a time-series interaction log. The time-series interaction log includes process identifier, handle access permissions, token identifier, memory write operations, and time points.
[0009] The time-series interaction logs are structured into a time-series knowledge graph. The nodes of the time-series knowledge graph include process nodes and token nodes. The edges of the time-series knowledge graph include handle holding relationships with time points, token copying relationships, and memory write relationships.
[0010] Extract newly added process nodes with process creation time points from the time-series knowledge graph as target process nodes, and extract the nominal parent process nodes associated with the target process nodes based on the parent process identifier;
[0011] A lineage consistency check loop is triggered for the target process node. The check loop includes:
[0012] Extract the first holding relationship from the nominal parent process node to the target process node in the time-series knowledge graph;
[0013] The source tracing time window is defined based on the process creation time point. Within the source tracing time window, the second holding relationship and memory write relationship from the anonymous process node to the target process node are extracted.
[0014] Extract the first token node associated with the nominal parent process node and the second token node associated with the target process node from the time-series knowledge graph;
[0015] Cross-chain constraint analysis is performed on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship;
[0016] If the analysis results show that the nominal parent process node lacks the first holding relationship containing the thread creation permission bit, while the anonymous process node has the second holding relationship containing the thread creation permission bit, and there is no token copying relationship between the first token node and the second token node, plus the anonymous process node has a memory write relationship pointing to the target process node within the tracing time window, then the lineage forgery index is calculated cumulatively and the verification loop is exited.
[0017] If there is a token replication relationship between the first token node and the second token node and the nominal parent process node has the first holding relationship, then the target process node is determined to be legitimate and the verification loop is exited.
[0018] The lineage forgery index after exiting the verification loop is compared with a preset threshold. If the lineage forgery index is greater than the preset threshold, the target process node is determined to be the parent process deceiving the backdoor process, and a threat interception command is output.
[0019] A second aspect of this invention provides a knowledge graph-based intelligent software backdoor detection system, the system comprising:
[0020] The data acquisition module is used to intercept system kernel events and read the object handle table to generate a time-series interaction log containing process identifiers, handle access permissions, token identifiers, memory operation data, and time points.
[0021] The graph construction module is used to structure the time-series interaction log into a time-series knowledge graph, extract the newly added process nodes with process creation time points from the time-series knowledge graph as target process nodes, and then extract the nominal parent process node associated with the target process node based on the parent process identifier of the newly added process node.
[0022] The verification execution module is used to trigger a lineage consistency verification loop for the target process node. The verification loop includes: extracting the first holding relationship from the nominal parent process node to the target process node in the time-series knowledge graph; defining the tracing time window based on the process creation time point; extracting the second holding relationship from the anonymous process node to the target process node and the memory write relationship from the anonymous process node to the target process node within the tracing time window; extracting the first token node associated with the nominal parent process node and the second token node associated with the target process node; and performing cross-chain constraint analysis on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship.
[0023] The analysis and calculation module is used to calculate the lineage forgery index when the analysis results of cross-chain constraint analysis show that the nominal parent process node lacks the first holding relationship containing the thread creation permission bit, the anonymous process node has the second holding relationship containing the thread creation permission bit, the first token node and the second token node lack the token replication relationship, and the anonymous process node has a memory write relationship within the tracing time window. When there is a token replication relationship between the first token node and the second token node and the nominal parent process node has the first holding relationship, the target process node is determined to be legitimate and the verification loop is exited.
[0024] The output processing module compares the lineage forgery index after exiting the verification loop with a preset interception threshold. If the lineage forgery index is greater than the preset interception threshold, the target process node is determined to be a parent process deceiving a backdoor process, and a threat interception command is output.
[0025] As described above, the knowledge graph-based intelligent detection method and system for software backdoors provided by the present invention have at least the following beneficial effects:
[0026] This invention extracts newly added process nodes with process creation timestamps from a time-series knowledge graph as target process nodes. It then extracts the nominal parent process node associated with the target process node based on its parent process identifier. Based on this, a lineage consistency verification loop is triggered for the target process node. This verification loop uses the process creation time as its core, combining a tracing time window to extract the first holding relationship between the nominal parent process node and the target process node, as well as the second holding relationship and memory write relationship between the anonymous process node and the target process node. Simultaneously, it extracts the first token node associated with the nominal parent process node and the second token node associated with the target process node, and performs cross-chain constraint analysis on these relationships. This multi-relationship joint verification mechanism not only identifies cases where the nominal parent process appears legitimate but has an abnormal lineage, but also connects handle permission differences, token inheritance breaks, and memory write behaviors, improving the ability to identify parent process deception-type backdoor processes and ensuring that the detection results are no longer limited to single-point attribute judgments.
[0027] This invention, when the cross-chain constraint analysis results meet abnormal conditions, further accumulates and calculates a lineage forgery index, which is then compared with a preset threshold to determine whether the target process node is a parent process deception backdoor process. Since the lineage forgery index integrates multiple dimensions such as missing thread creation permission bits, broken token replication relationships, and abnormal memory write timing, it can accurately reflect the degree of deception and attack risk of the target process node, avoiding missed detections caused by relying solely on the parent process identifier. Furthermore, when the analysis results indicate a token replication relationship between the first and second token nodes and the nominal parent process node has a first holding relationship, the target process node is determined to be legitimate and the verification loop is exited, thereby reducing the probability of normal business processes being falsely intercepted. This achieves closed-loop identification and precise interception of parent process deception backdoors, improving the stability of abnormal process detection and enhancing compatibility with legitimate processes, providing more targeted threat handling basis for system kernel-level security protection. Attached Figure Description
[0028] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0029] Figure 1 This is a schematic diagram showing the connections between the steps of the method of the present invention.
[0030] Figure 2 This is a schematic diagram showing the connections of the various modules in the system of the present invention. Detailed Implementation
[0031] The following description, in conjunction with the implementation of this invention, is merely an example and illustration of the concept of this invention. Those skilled in the art can make various modifications or additions to the specific embodiments described, or use similar methods to replace them, as long as they do not deviate from the inventive concept or exceed the scope defined in these claims, all of which should fall within the protection scope of this invention.
[0032] In traditional software backdoor detection systems, fixed handle verification rules and static parent-child process comparison mechanisms are ill-suited to the dynamically changing inheritance relationships and permission transfer states within the process creation chain. When a backdoor process disguises itself as a legitimate process by deceiving its parent process, if the system relies solely on the parent process identifier for single-point judgment, it cannot establish a unified data association between handle holding relationships, token copying relationships, and memory write relationships. This results in critical anomalies in the lineage chain being hidden within the normal process graph. This static comparison mechanism reduces the accuracy of cross-process correlation analysis, causing detection results to remain at the superficial parent-child relationship level, ultimately affecting the timeliness and reliability of backdoor process identification.
[0033] For example, in a parent process deception attack scenario, malicious process A first obtains a handle to target process B and performs a memory write operation on it, while simultaneously forging B's parent process identifier to point to a legitimate service process C. At this point, the traditional system only sees C as B's parent process, but cannot confirm whether C actually participated in B's creation and inheritance process, nor can it identify the actual handle interaction and memory tampering between A and B. If B is still considered a normal process based on static thresholds, the backdoor payload loading process will be misjudged as a normal service startup process, causing the malicious process to continue running in the system.
[0034] If the above issues are not addressed, the spoofing chain of backdoor processes will continue to be concealed by the appearance of legitimate processes, causing the system to mistakenly allow anonymous processes with unauthorized handles and memory manipulation capabilities to run. When there is a lack of consistency constraints between the handle and the token, the detection engine cannot determine whether the nominal parent process truly possesses the conditions for creating the target process, nor can it confirm whether the target process's token originates from any inheritance anomalies. Such misjudgments not only weaken the threat interception effect but also allow backdoor processes to leverage normal business processes to achieve residency, privilege escalation, and execution, further amplifying system security risks.
[0035] When faced with the aforementioned problems, traditional systems use a single parent process identifier for screening, making it impossible to distinguish between the genuine creation chain and the forged chain. To address this, this application structures the time-series interaction logs into a time-series knowledge graph, using process nodes, token nodes, handle holding relationships, token replication relationships, and memory write relationships as unified analysis objects. Furthermore, a tracing time window is constructed using the process creation time point to perform cross-chain constraint verification on the inheritance relationships between the nominal parent process, anonymous process, and target process. Further analysis reveals that relying solely on a single process lineage cannot capture the permission loop anomaly after parent process deception. It is necessary to introduce the joint calculation of handle permissions, token consistency, and memory write timing to form a lineage forgery index. By designing a linkage mechanism between the time-series knowledge graph construction module, the lineage consistency verification module, and the forgery index calculation module, the process detection criteria are dynamically adjusted according to the genuine relationship chain, thereby solving the problems of delayed parent process forgery identification and single-point misjudgment.
[0036] After introducing the basic concept of the present invention, the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
[0037] Example 1:
[0038] Please see Figure 1 As shown, a knowledge graph-based intelligent detection method for software backdoors includes:
[0039] The system intercepts kernel events and reads the object handle table to generate a time-series interaction log. The time-series interaction log includes process identifier, handle access permissions, token identifier, memory write operations, and time points.
[0040] In this embodiment of the invention, by registering object callback functions and event tracking micro-filter drivers at the operating system kernel layer, the system's internal call instructions are intercepted in real time. From these, the original process identifier, 32-bit integer handle access permission mask, token identifier, and scattered memory write operation data are initially extracted. Considering that massive kernel events in a high-concurrency environment at the system's lower level can cause log sizes to expand exponentially, and that directly recording the original data cannot highlight transient anomalies during malicious code injection, this solution uses the process identifier and token identifier as the aggregation primary key, introducing a dynamic adaptive aggregation model for event dimensionality reduction and feature extraction. The system first calculates the size of the adaptive aggregation time window at the current moment, using the following formula: ,in The size of the adaptive aggregation time window is in milliseconds. This is the initial time window baseline value, in milliseconds. 10 milliseconds is recommended and can be dynamically adjusted according to system load. This represents the real-time kernel event arrival rate of the current system, measured in events per millisecond. It is obtained by counting the number of times the system kernel event callback function is triggered per unit time, with a sampling period of 100 milliseconds. The baseline event arrival rate under steady-state conditions is expressed in "events / millisecond" and is the statistical average of the event arrival rate after the system has been running continuously for 72 hours without any business load. tanh is the hyperbolic tangent function used to map the difference to the interval [-1,1].
[0041] After confirming After the time window, all memory write operations falling within that window are merged and analyzed to calculate the quantitative characteristics of the memory write operations, i.e., the write operation threat momentum. The custom aggregation calculation formula is as follows: ,in Threat momentum for write operations, expressed in bytes per millisecond; The total number of bytes written to memory within the time window is calculated directly from the write operation load, and the unit is bytes. The absolute time difference between the first and last writes within the time window, in milliseconds; The range of memory addresses spanned by the write operation (i.e., the highest write address minus the lowest write address), in bytes; This is the standard memory page size for the operating system, fixed at 4096 bytes, and dynamically obtained by calling system interfaces. A logarithmic approach is used to smooth out the impact of address spans, preventing excessive amplification of momentum from a single large-span write.
[0042] Finally, the access permission mask of the handle with the highest execution permission bit in the aggregation window is extracted, and it is encapsulated in a structured manner with the write operation threat momentum, deduplicated process identifier, and token identifier output from the previous steps. The absolute time point of the time window termination is then uniformly added to output the time-series interaction log.
[0043] The time-series interaction logs are structured into a time-series knowledge graph. The nodes of the time-series knowledge graph include process nodes and token nodes. The edges of the time-series knowledge graph include handle holding relationships with time points, token copying relationships, and memory write relationships.
[0044] Preferably, structuring time-series interaction logs into a time-series knowledge graph includes:
[0045] Extract process identifiers and token identifiers from the time-series interaction logs, perform entity deduplication, and then establish corresponding process nodes and corresponding token nodes respectively.
[0046] Generate handle holding relationships based on handle access permissions in the time-series interaction log, generate memory write relationships based on memory write operations in the time-series interaction log, and generate token copying relationships by extracting the operation transfer trajectories of different process identifiers associated with the same token identifier in the time-series interaction log.
[0047] Using handle holding relationships, memory write relationships, and token copying relationships as associated edges, the corresponding process nodes and corresponding token nodes are connected according to the operation transfer trajectory, and merged to form an initial relationship graph.
[0048] Calculate the time span of each associated edge from the current detection time based on the time points in the time-series interaction log, calculate the time retention weight of each associated edge based on the time span, bind the time retention weight and the time point together to the corresponding associated edge, and use the associated edges with the time points and time retention weights to transform the initial relationship graph into a time-series knowledge graph.
[0049] In this embodiment of the invention, the process identifier and token identifier recorded in the time-series interaction log are extracted, a secure hash algorithm is used to calculate the unique hash digest of each identifier, and a memory deduplication mechanism based on a hash table is used to perform entity deduplication to eliminate redundant node records generated by high-frequency concurrent operations. For the deduplicated unique hash digest, process nodes and corresponding token nodes with independent storage states are established in the graph database.
[0050] Next, the relationship topology between entities is constructed. The handle access permission mask field in the time-series interaction log is parsed. If the mask field indicates the existence of read, write, and execute permissions, a directed handle holding relationship is generated between the subject and object process nodes. The memory write operation records in the time-series interaction log are parsed, and a memory write relationship is generated between the corresponding process nodes based on the mapping result of the operation source address and destination address. At the same time, cross-log entry context tracing is performed based on the time-series interaction log to extract the operation transfer trajectory of different process identifiers calling the security context structure of the same token identifier for permission inheritance. Based on the operation transfer trajectory, a directed token replication relationship is generated between the source process node, the target process node, and the corresponding token node. The generated handle holding relationship, memory write relationship, and token replication relationship are unified as directed association edges in the graph data structure. The corresponding process nodes and the corresponding token nodes are connected according to the start and end points of the operation transfer trajectory. The edges are merged in the memory working area of the graph database to form an initial relationship graph that does not contain time-series states.
[0051] Subsequently, to counter the self-destructing anti-reconnaissance tactics employed by advanced stealth backdoor programs (i.e., the malicious process quickly calls the kernel interface to close the handle and destroy evidence after initiating injection), this embodiment introduces a temporal decay mechanism to perform evolution calculations on graph edge attributes. First, the trigger times of each operation event recorded in the temporal interaction log are extracted. Then, by subtracting the trigger times of each operation event from the current system detection absolute timestamp, the time span of each associated edge from the current detection time is calculated. The unit is milliseconds. The time retention weight of each associated edge is calculated based on the time span. The calculation formula adopts a time decay control function derived from a variation of the Weibull distribution reliability model, expressed as:
[0052]
[0053] in, The weight is retained for timeliness, representing the confidence level of the historical interaction record in the current detection period. The value range is a dimensionless continuous value greater than zero and less than or equal to one. The basic time reference window, in milliseconds, is fixed at 10,000 milliseconds and represents the maximum effective memory period for normal interactive behavior. The risk coefficient for associated edges is a dimensionless parameter, which is obtained by looking up a table based on the business attributes of the associated edges. The handle holding relationship with regular read-only permissions is assigned a value of 1.0, the token replication relationship is assigned a value of 1.5, and the handle holding relationship and memory write relationship with thread creation permission bit are assigned a value of 2.0. The shape control factor is a dimensionless constant, with a recommended value of 1.5; it is used to adjust the steepness of the decay curve, and the larger the value, the faster the early decay.
[0054] Finally, the calculated retention weights and the original time points are extracted and encapsulated into attribute key-value pairs, and then bound to the corresponding associated edge entity objects in the initial relationship graph. The static initial relationship graph is then transformed into a time-series knowledge graph with time-dimensional evolution characteristics using the associated edges with time points and retention weights.
[0055] Extract newly added process nodes with process creation time points from the time-series knowledge graph as target process nodes, and extract the nominal parent process nodes associated with the target process nodes based on the parent process identifier, specifically including:
[0056] Traverse each process node in the temporal knowledge graph, extract the creation time point bound to each process node, and calculate the time difference between the creation time point and the current detection time.
[0057] Select process nodes whose time difference is less than the preset active window difference as new process nodes, and set the new process nodes with creation time points as target process nodes.
[0058] Parse the process attribute data of the target process node and extract the parent process identifier used to indicate the association and inheritance relationship from the process attribute data;
[0059] Using the parent process identifier as the matching key, global node addressing is performed in the time-series knowledge graph. The historical process nodes corresponding to the parent process identifier are compared and confirmed as the nominal parent process nodes associated with the target process node.
[0060] In this embodiment of the invention, the process of extracting newly added process nodes with process creation time points from the temporal knowledge graph as target process nodes and extracting the nominal parent process node associated with the target process node based on the parent process identifier firstly involves accessing each process node in the temporal knowledge graph one by one through the traversal engine of the graph database, reading the process creation time point bound to the attributes of each process node, and calculating the time difference between each process node and the process creation time point by performing a subtraction operation on the obtained current system detection absolute time. The unit is milliseconds. To avoid the problems of "backdoor process missed detection" or "false kill of normal business processes" caused by using a fixed time window under high concurrency or high load conditions, this embodiment does not use a simple fixed value comparison truncation. Instead, based on the calculated time difference, it introduces a system load adaptive activity evaluation model to calculate the real-time activity probability of each process node. The adaptive calculation formula is expressed as follows:
[0061]
[0062] in, The real-time activity probability is a dimensionless continuous value ranging from 0 to 1, representing the confidence that the process node belongs to a newly added node in the current active detection period. The preset base time decay constant is in milliseconds. It is recommended to set this preset parameter to an adjustable range of 1000 milliseconds to 10000 milliseconds. To prevent the window from being too narrow and missing backdoor programs in a dormant avoidance state, and to avoid the window from being too large and introducing too many old and redundant processes that consume tracing computing power, it is recommended to set it to 5000 milliseconds, which represents the active period of normal processes under no load. The current system global resource utilization rate is a dimensionless value ranging from 0 to 1, representing the combined CPU and physical memory usage ratio collected in real-time via the operating system's performance counter interface. It is obtained by collecting CPU and physical memory utilization rates in real-time and taking a weighted average, with CPU weighting at 0.6 and memory weighting at 0.4. This formula is derived from a variation of the standard time exponential decay function. The necessity and advantage of this variation are that advanced backdoor programs, under high system load, are forced to prolong the process initialization and thread attribute forgery. Using a static time window would easily lead to missed detection due to passive time difference exceeding limits. The formula innovatively introduces a logarithmic compensation term for system resource utilization into the denominator decay term. When the system load As the value increases, the logarithmic calculation result increases, making the denominator larger overall. This leads to a slower decay rate of the entire exponent, which in a physical sense enables the adaptive widening of the time window under high-pressure conditions, greatly improving the detection robustness under extreme operating conditions.
[0063] Subsequently, the calculated real-time activity probability of each process node is compared one by one with the preset activity threshold. Process nodes with a real-time activity probability greater than the preset activity threshold are selected as new process nodes, and these new process nodes with the corresponding process creation time are set as target process nodes in the memory analysis space. Next, the process environment block parsing interface at the system application layer is called to deeply parse the process attribute data of the target process node. Bypassing the conventional system API disguise, the parent process identifier used to indicate its surface association and inheritance relationship is directly extracted from the read-only structure fields at the underlying process attribute data. Finally, considering the circular reuse mechanism of process identifiers in modern operating systems, directly relying on identifier matching can easily point to irrelevant processes that have been destroyed and whose identifiers have been reassigned. Therefore, the extracted parent process identifier is used as the primary matching key, and the process creation time of the target process node is used as the auxiliary spatiotemporal constraint key. Global node addressing is performed in the temporal knowledge graph. The specific comparison logic is strictly limited as follows: the historical process node being addressed not only needs to have its process identifier in its node attributes be completely consistent with the parent process identifier in terms of value, but also requires that the absolute creation timestamp of the historical process node must be earlier than the process creation time of the target process node in terms of time sequence. Through this dual-key joint filtering mechanism, the registration and comparison are completed, and the historical process node that fully conforms to the above spatiotemporal consistency logic is identified as the nominal parent process node associated with the target process node.
[0064] A lineage consistency check loop is triggered for the target process node. The check loop includes:
[0065] Extract the first holding relationship from the nominal parent process node to the target process node in the time-series knowledge graph;
[0066] The source tracing time window is defined based on the process creation time point. Within the source tracing time window, the second holding relationship and memory write relationship from the anonymous process node to the target process node are extracted.
[0067] Extract the first token node associated with the nominal parent process node and the second token node associated with the target process node from the time-series knowledge graph;
[0068] Cross-chain constraint analysis is performed on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship;
[0069] If the analysis results show that the nominal parent process node lacks the first holding relationship containing the thread creation permission bit, while the anonymous process node has the second holding relationship containing the thread creation permission bit, and there is no token copying relationship between the first token node and the second token node, plus the anonymous process node has a memory write relationship pointing to the target process node within the tracing time window, then the lineage forgery index is calculated cumulatively and the verification loop is exited.
[0070] If there is a token replication relationship between the first token node and the second token node and the nominal parent process node has the first holding relationship, then the target process node is determined to be legitimate and the verification loop is exited.
[0071] Preferably, extracting the second holding relationship from the anonymous process node to the target process node and the memory write relationship from the anonymous process node to the target process node within the tracing time window includes:
[0072] The lower limit time point for tracing is obtained by subtracting the preset offset time point from the process creation time point, and the upper limit time point for tracing is obtained by adding the preset offset time point to the process creation time point. The lower limit time point and the upper limit time point are combined to form the tracing time window. The preset offset time point is 2000 milliseconds, which is used to cover the delay range of system context switching before and after process creation.
[0073] In the temporal knowledge graph, all input-related edges ending at the target process node are traversed in reverse order, and input-related edges within the source tracing time window are extracted as candidate anomaly edges.
[0074] Identify the starting node of candidate abnormal edges, remove candidate abnormal edges whose starting node is the nominal parent process node, and mark the starting node of the remaining candidate abnormal edges as the anonymous process node.
[0075] Separate the second holding relationship indicating handle allocation and the memory write relationship indicating memory modification from the remaining candidate exception edges.
[0076] Preferably, the cross-chain constraint analysis of the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship includes a first decision branch, which includes:
[0077] Parse the first permission mask matrix contained in the first holding relationship, and check whether there is a thread creation permission bit in the first permission mask matrix;
[0078] Parse the second permission mask matrix contained in the second holding relationship, and check whether the above thread creation permission bit exists in the second permission mask matrix;
[0079] If the thread creation permission bit is missing in the first permission mask matrix but exists in the second permission mask matrix, then an asymmetric handle trigger signal is generated and the process proceeds to the next analysis node.
[0080] Preferably, the cross-chain constraint analysis of the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship also includes a second decision branch, which executes after receiving the handle asymmetric trigger signal:
[0081] Extract the first session identifier feature and the first privilege enumeration list of the first token node;
[0082] Extract the second session identifier feature and the second privilege enumeration list of the second token node;
[0083] Compare the consistency between the first session identifier feature and the second session identifier feature, and compare the overlap between the first privilege enumeration list and the second privilege enumeration list;
[0084] If the first session identifier feature and the second session identifier feature are inconsistent and the overlap is lower than the preset overlap threshold, it is determined that there is a missing token copying relationship between the first token node and the second token node, and a token conflict trigger signal is generated and the process proceeds to the final confirmation node.
[0085] Preferably, the cross-chain constraint analysis of the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship also includes a third decision branch at the final confirmation node, which executes after receiving the token conflict trigger signal:
[0086] Extract the first write time point corresponding to the memory write relationship, and extract the second holding time point corresponding to the second holding relationship;
[0087] Compare the order in which the first write time point and the second holding time point occur;
[0088] If the sequence of events satisfies that the second holding time point is earlier than the first writing time point, and the first writing time point is earlier than the process creation time point, then it is confirmed that the anonymous process node has a memory write relationship that is consistent with the timing logic, and an output signal indicating that the associated attack chain is closed is generated.
[0089] Preferably, the bloodline forgery index is obtained by cumulative calculation including:
[0090] The system receives a signal indicating the establishment of a closed loop in the associated attack chain and retrieves the basic risk scores configured for different analysis branches. Among them, the handle asymmetric trigger signal corresponds to the first basic risk score of 20, the token conflict trigger signal corresponds to the second basic risk score of 30, and the memory write relationship corresponds to the third basic risk score of 50. All of these are dimensionless constants and are determined based on offline attack sample statistics.
[0091] The initial forgery index is obtained by summing the first basic risk score corresponding to the handle asymmetric trigger signal, the second basic risk score corresponding to the token conflict trigger signal, and the third basic risk score corresponding to the memory write relationship.
[0092] Extract the retention weight of the second holding relationship, use the retention weight to perform exponential amplification calculation on the initial forgery index, and confirm the final value produced by the exponential amplification calculation as the bloodline forgery index.
[0093] Preferably, if a token replication relationship exists between the first token node and the second token node and the nominal parent process node has a first holding relationship, then determining the target process node as legitimate and exiting the verification loop includes:
[0094] Identify the token-derived edges in the temporal knowledge graph that point from the first token node to the second token node, and read the copy time periods recorded in the token derivation table;
[0095] Compare the range of the replication time period with the process creation time;
[0096] If the process creation time falls within the replication period, and the nominal parent process node has a first holding relationship with sufficient execution permissions, then the loop termination operation is executed, the memory verification cache queue allocated to the target process node is cleared, and a normal business program identifier is output.
[0097] The lineage forgery index after exiting the verification loop is compared with a preset threshold. If the lineage forgery index is greater than the preset threshold, the target process node is determined to be a parent process deceiving a backdoor process, and a threat interception command is output. The preset interception threshold is 80, determined based on the index distribution statistics of offline attack samples and normal samples.
[0098] In this embodiment of the invention, the anonymous process node is not a pre-defined independent entity, but rather an intermediate analysis object dynamically generated after filtering the starting nodes of the input association edges within the tracing time window of the target process node. Specifically, firstly, the tracing time window is constructed based on the process creation time of the target process node and a preset offset time amount. Then, all input association edges pointing to the target process node are traversed in reverse in the temporal knowledge graph to extract their starting nodes and corresponding relationship types. Subsequently, the starting nodes of the input association edges are compared for identity, and input association edges whose starting nodes are identical to the nominal parent process node are removed, because such input association edges correspond to known legitimate inheritance links and are not considered abnormal tracing objects. The starting nodes of the remaining input association edges after removing the nominal parent process node are uniformly marked as anonymous process nodes. Here, anonymous process nodes represent potential associated processes that participate in the target process node's handle holding, memory writing, or other input association behaviors in time, but whose process identity is not reflected in the surface parent-child relationship of the target process node. Furthermore, to avoid duplicate counting of multiple input-related edges from the same anonymous source, the system performs entity deduplication on anonymous process nodes. This involves uniquely merging processes based on the union key of the process identifier and the process creation time, ensuring that only one anonymous process node instance is retained for each process from the same source. Through this method, the source of anonymous process nodes is limited to process entities within the tracing time window that are not nominal parent process nodes and have an actual input association with the target process node. This allows for accurate identification of the true source of the abnormal link when extracting the second holding relationship from the anonymous process node to the target process node, providing a reliable analytical basis for lineage consistency verification.
[0099] In this embodiment of the invention, the process creation time of the target process node is extracted. A preset offset time is subtracted from this process creation time to obtain the lower limit time for tracing the source. Simultaneously, the preset offset time is added to this process creation time to obtain the upper limit time for tracing the source. The lower and upper limits together form a closed tracing time window. The preset offset time is recommended to be set to an adjustable range of 500 to 5000 milliseconds. This is to accommodate the context switching latency caused by the underlying operating system creating threads under extremely high concurrency, and to avoid introducing a large amount of irrelevant background system event noise due to excessively large time slices. A preferred setting is 2000 milliseconds. Subsequently, the graph computing engine traverses backwards in the time-series knowledge graph, with all input-related edges ending at the target process node. Input-related edges whose timestamps strictly fall within the aforementioned tracing time window are extracted as candidate anomaly edges. Next, the starting nodes of these candidate abnormal edges are identified. Using the unique identifier comparison logic of graph nodes, candidate abnormal edges whose starting nodes are nominal parent process nodes are directly eliminated. The starting nodes of the remaining candidate abnormal edges are uniformly marked as anonymous process nodes (i.e., processes that do not have a parent-child relationship in nominal lineage but have engaged in entity interaction at the underlying level). The second holding relationship indicating handle allocation and the memory write relationship indicating memory modification are accurately separated from the remaining candidate abnormal edges.
[0100] Next, the system enters the deeper logic of cross-chain constraint analysis. This process first enters the first decision branch to verify handle asymmetry. The system parses the first permission mask matrix contained in the first holding relationship and the second permission mask matrix contained in the second holding relationship. Through low-level bitwise AND operations, it checks whether there is a thread creation permission bit in these two permission mask matrices that indicates the core capability of cross-process control. If the low-level operation results show that the thread creation permission bit is completely missing in the first permission mask matrix of the legitimate nominal parent process, while it is clearly present in the second permission mask matrix of the anonymous process node, this constitutes a serious control inversion phenomenon in the system's low-level logic. The system then generates a handle asymmetry trigger signal and enters the next second decision branch.
[0101] In the second decision branch, after receiving the handle asymmetric trigger signal, the system begins extracting the first session identifier feature and the first privilege enumeration list bound to the first token node, and simultaneously extracts the second session identifier feature and the second privilege enumeration list bound to the second token node. The system first compares the consistency between the first and second session identifier features, and then calculates the privilege drift degree between the first and second privilege enumeration lists. The privilege drift degree is calculated using a weighted, constrained variant Jaccard distance model, expressed as:
[0102]
[0103] in, The calculated privilege drift is a dimensionless continuous value ranging from 0 to 1; N is the total length of the operating system privilege enumeration list, which is 35 items under Windows and 40 items under Linux, and is dynamically obtained through system calls. and These are the Boolean placeholder values for the i-th privilege item in the first privilege enumeration list and the second privilege enumeration list, respectively, where 1 is set to exist and 0 is set to be missing; Represents the XOR logical operation, used to extract the difference item; Represents or logical operations, used to extract union items; Let be the pre-set risk weight corresponding to the i-th privileged item, preset based on the security sensitivity of the privileged item, and be a dimensionless coefficient. The above formula introduces risk weights. Then, only when the privileges of the high-risk system undergo abnormal drift (i.e., the nominal parent and child processes are inconsistent in high-risk privileges) will the numerator accumulate value increase dramatically, thus accurately quantifying the high-risk privilege mutation caused by the backdoor process using token theft technology.
[0104] The calculated privilege drift is converted into a percentage and then compared with a preset overlap threshold (overlap is defined as...). If the first session identifier features and the second session identifier features are inconsistent and the calculated overlap is lower than the preset overlap threshold, it is determined that there is no substantial token copying relationship between the first token node and the second token node. The system then generates a token conflict trigger signal and drives the analysis link to the third decision branch of the final confirmation node.
[0105] In the third decision branch, the system extracts the first write time point corresponding to the memory write relationship and the second hold time point corresponding to the second hold relationship, and compares their absolute order of occurrence within a nanosecond clock cycle. If the timing check satisfies that the second hold time point is earlier than the first write time point, and the first write time point is earlier than the process creation time point, this means that the anonymous process obtained an unauthorized handle and performed memory code segment tampering before the target process body was created. This timing perfectly matches the underlying attack logic of "parent process deception combined with process shell hollowing". Based on this, the system confirms that the anonymous process node has a memory write relationship that matches the timing logic and outputs a signal that the associated attack chain is closed.
[0106] Upon receiving the signal indicating the establishment of a closed loop in the associated attack chain, the system initiates the quantitative calculation process for the lineage forgery index. First, it retrieves pre-allocated basic risk scores from the system configuration library. Then, it performs a linear summation operation on the first basic risk score corresponding to the handle asymmetric trigger signal, the second basic risk score corresponding to the token conflict trigger signal, and the third basic risk score corresponding to the memory write relationship (the three basic risk scores are preset dimensionless constants, representing the baseline threat intensity of the corresponding abnormal behavior, typically assigned values of 20, 30, and 50 respectively). This summation yields the initial forgery index. To reflect the time value of transient high-risk evidence, the system extracts the time retention weight bound to the second holding relationship (this weight is generated in the previous graph evolution step and is a dimensionless value between 0 and 1). This time retention weight is used to perform a nonlinear exponential amplification calculation on the initial forgery index. The amplification calculation formula is as follows:
[0107]
[0108] in, The final output is the bloodline forgery index, which is a dimensionless comprehensive score. The initial forgery index, calculated by the summation above, is a dimensionless constant. The time-preservation weight for the binding of the two holding relationships is a dimensionless value; The preset sensitivity surge coefficient is used to adjust the expansion curvature of the hyperbolic sine function. A recommended optimal value is 2.5, determined through offline simulated attack sample training. At a magnification of 0.8 or higher, the amplification factor exceeds 3 times to highlight high-confidence attack evidence; sinh is a hyperbolic sine function, defined as... This function grows slowly near zero and rapidly in the high-value region, avoiding over-penalizing low-confidence evidence while highlighting high-confidence attack evidence. The advantage of using a variation of the hyperbolic sine function for amplification is that the hyperbolic sine curve grows slowly near zero and rapidly in the high-value region; this means that the weight is preserved when the time-to-market. At extremely low levels (i.e., when the evidence is in a state of ambiguity, nearing its expiration date), the magnification approaches 1, avoiding false positives caused by over-punishment of ambiguous evidence; while when When the attack is at a high level (i.e., a high-confidence attack that has just occurred), the index will be amplified dramatically to ensure that high-risk backdoors can break through the blocking threshold instantly.
[0109] For verification scenarios involving legitimate and normal procedures, if the system detects a clear token replication relationship between the first and second token nodes and that the nominal parent process node possesses a legitimate first holding relationship, the system further identifies the token derivation edges in the temporal knowledge graph pointing from the first token node to the second token node, and reads the replication time period recorded in its underlying structure. By comparing the replication time period with the process creation time, if the process creation time falls entirely within the replication time period, and the nominal parent process node possesses a first holding relationship with sufficient execution permissions, this indicates a normal system startup behavior. The system then performs a loop termination operation, proactively releasing the memory verification cache queue allocated to the target process node to reclaim system computing resources, and outputs a normal business program identifier.
[0110] Finally, the system compares the calculated lineage spoofing index with a preset interception threshold in absolute value. If the lineage spoofing index exceeds the preset interception threshold, the engine determines that the target process node is actually a backdoor process disguised using parent process deception technology. The system kernel-level security driver will immediately generate a process termination signal and a memory page isolation signal for the target process node. At the same time, it will trace the abnormal edges of the knowledge graph and extract the binary process path and corresponding digital fingerprint digest of the anonymous process node as the source. The above blocking parameters are uniformly encapsulated into standardized threat interception instructions and sent to the executor at the operating system kernel level to perform mandatory process blocking and parent file deletion operations.
[0111] Example 2:
[0112] like Figure 2 As shown, the software backdoor intelligent detection system based on knowledge graph includes a data acquisition module, a graph construction module, a verification execution module, an analysis and calculation module, and an output processing module.
[0113] The various modules are connected via wired and / or wireless connections to enable data transmission between them;
[0114] The data acquisition module is used to intercept system kernel events and read the object handle table to generate a time-series interaction log containing process identifiers, handle access permissions, token identifiers, memory operation data, and time points.
[0115] The graph construction module is used to structure the time-series interaction log into a time-series knowledge graph, extract the newly added process nodes with process creation time points from the time-series knowledge graph as target process nodes, and then extract the nominal parent process node associated with the target process node based on the parent process identifier of the newly added process node.
[0116] The verification execution module is used to trigger a lineage consistency verification loop for the target process node. The verification loop includes: extracting the first holding relationship from the nominal parent process node to the target process node in the time-series knowledge graph; defining the tracing time window based on the process creation time point; extracting the second holding relationship from the anonymous process node to the target process node and the memory write relationship from the anonymous process node to the target process node within the tracing time window; extracting the first token node associated with the nominal parent process node and the second token node associated with the target process node; and performing cross-chain constraint analysis on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship.
[0117] The analysis and calculation module is used to calculate the lineage forgery index when the analysis results of cross-chain constraint analysis show that the nominal parent process node lacks the first holding relationship containing the thread creation permission bit, the anonymous process node has the second holding relationship containing the thread creation permission bit, the first token node and the second token node lack the token replication relationship, and the anonymous process node has a memory write relationship within the tracing time window. When there is a token replication relationship between the first token node and the second token node and the nominal parent process node has the first holding relationship, the target process node is determined to be legitimate and the verification loop is exited.
[0118] The output processing module compares the lineage forgery index after exiting the verification loop with a preset interception threshold. If the lineage forgery index is greater than the preset interception threshold, the target process node is determined to be a parent process deceiving a backdoor process, and a threat interception command is output.
[0119] It should be noted that the interval and threshold sizes are set for ease of comparison. The size of the threshold depends on the amount of sample data and the base number set by those skilled in the art for each set of sample data, as long as it does not affect the proportional relationship between the parameter and the quantized value. Furthermore, the above formulas are all dimensionless calculations, and the formulas are derived from software simulations using a large amount of collected data to obtain the most recent real-world results. The preset parameters in the formulas are set by those skilled in the art according to the actual situation.
[0120] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0121] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0122] In conclusion, the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A knowledge graph-based intelligent detection method for software backdoors, characterized in that, include: Intercept system kernel events and read object handle tables to generate timing interaction logs; Structure the time-series interaction logs into a time-series knowledge graph; Extract newly added process nodes with process creation time points from the time-series knowledge graph as target process nodes, and extract the nominal parent process node associated with the target process node based on the parent process identifier of the newly added process node; A lineage consistency check loop is triggered for the target process node. The check loop includes: Extract the first holding relationship from the nominal parent process node to the target process node in the time-series knowledge graph; define the tracing time window based on the process creation time point, and extract the second holding relationship from the anonymous process node to the target process node and the memory write relationship from the anonymous process node to the target process node within the tracing time window; Extract the first token node associated with the nominal parent process node and the second token node associated with the target process node from the time-series knowledge graph; perform cross-chain constraint analysis on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship; If the analysis results of cross-chain constraint analysis show that the nominal parent process node lacks the first holding relationship containing the thread creation permission bit, while the anonymous process node has the second holding relationship containing the thread creation permission bit, and there is no token copying relationship between the first token node and the second token node, plus the anonymous process node has a memory write relationship within the tracing time window, then the lineage forgery index is calculated cumulatively and the verification loop is exited. If there is a token replication relationship between the first token node and the second token node and the nominal parent process node has the first holding relationship, then the target process node is determined to be legitimate and the verification loop is exited. The lineage forgery index after exiting the verification loop is compared with the preset interception threshold. If the lineage forgery index is greater than the preset interception threshold, the target process node is determined to be the parent process deceiving the backdoor process, and a threat interception command is output. 2.The knowledge graph-based software backdoor intelligent detection method according to claim 1, characterized in that, Structured temporal interaction logs into a temporal knowledge graph includes: Extract process identifiers and token identifiers from the time-series interaction logs, perform entity deduplication, and then establish corresponding process nodes and corresponding token nodes respectively. Generate handle holding relationships based on handle access permissions in the time-series interaction log, generate memory write relationships based on memory write operations in the time-series interaction log, and generate token copying relationships by extracting the operation transfer trajectories of different process identifiers associated with the same token identifier in the time-series interaction log. Using handle holding relationships, memory write relationships, and token copying relationships as associated edges, the corresponding process nodes and corresponding token nodes are connected according to the operation transfer trajectory, and merged to form an initial relationship graph. Calculate the time span of each associated edge from the current detection time based on the time points in the time-series interaction log, calculate the time retention weight of each associated edge based on the time span, bind the time retention weight and the time point together to the corresponding associated edge, and use the associated edges with the time points and time retention weights to transform the initial relationship graph into a time-series knowledge graph.
3. The intelligent detection method for software backdoors based on knowledge graphs according to claim 1, characterized in that, Newly added process nodes with process creation timestamps are extracted from the time-series knowledge graph as target process nodes. The nominal parent process nodes associated with the target process nodes are then extracted based on the parent process identifier of the newly added process nodes. Traverse each process node in the temporal knowledge graph, extract the creation time point bound to each process node, and calculate the time difference between the creation time point and the current detection time. Select process nodes whose time difference is less than the preset active window difference as new process nodes, and set the new process nodes with creation time points as target process nodes. Parse the process attribute data of the target process node and extract the parent process identifier used to indicate the association and inheritance relationship from the process attribute data; Using the parent process identifier as the matching key, global node addressing is performed in the time-series knowledge graph. The historical process nodes corresponding to the parent process identifier are compared and confirmed as the nominal parent process nodes associated with the target process node.
4. The intelligent detection method for software backdoors based on knowledge graphs according to claim 1, characterized in that, Extracting the second holding relationship from the anonymous process node to the target process node and the memory write relationship from the anonymous process node to the target process node within the tracing time window includes: Subtract the preset offset time from the process creation time to obtain the lower limit time for tracing the source; add the preset offset time to the process creation time to obtain the upper limit time for tracing the source; combine the lower limit time for tracing the source with the upper limit time for tracing the source to form a tracing time window. In the temporal knowledge graph, all input-related edges ending at the target process node are traversed in reverse order, and input-related edges within the source tracing time window are extracted as candidate anomaly edges. Identify the starting node of candidate abnormal edges, remove candidate abnormal edges whose starting node is the nominal parent process node, and mark the starting node of the remaining candidate abnormal edges as the anonymous process node. Separate the second holding relationship indicating handle allocation and the memory write relationship indicating memory modification from the remaining candidate exception edges.
5. The intelligent detection method for software backdoors based on knowledge graphs according to claim 1, characterized in that, Cross-chain constraint analysis is performed on the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship, including the first decision branch, which includes: Parse the first permission mask matrix contained in the first holding relationship, and check whether there is a thread creation permission bit in the first permission mask matrix; Parse the second permission mask matrix contained in the second holding relationship, and check whether the above thread creation permission bit exists in the second permission mask matrix; If the thread creation permission bit is missing in the first permission mask matrix but exists in the second permission mask matrix, then an asymmetric handle trigger signal is generated and the process proceeds to the next analysis node.
6. The intelligent detection method for software backdoors based on knowledge graphs according to claim 5, characterized in that, Cross-chain constraint analysis of the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship also includes a second decision branch, which executes after receiving the handle asymmetric trigger signal: Extract the first session identifier feature and the first privilege enumeration list of the first token node; Extract the second session identifier feature and the second privilege enumeration list of the second token node; Compare the consistency between the first session identifier feature and the second session identifier feature, and compare the overlap between the first privilege enumeration list and the second privilege enumeration list; If the first session identifier feature and the second session identifier feature are inconsistent and the overlap is lower than the preset overlap threshold, it is determined that there is a missing token copying relationship between the first token node and the second token node, and a token conflict trigger signal is generated and the process proceeds to the final confirmation node.
7. The intelligent detection method for software backdoors based on knowledge graphs according to claim 6, characterized in that, Cross-chain constraint analysis of the first holding relationship, the second holding relationship, the first token node, the second token node, and the memory write relationship also includes a third decision branch at the final confirmation node. The third decision branch executes after receiving the token conflict trigger signal: Extract the first write time point corresponding to the memory write relationship, and extract the second holding time point corresponding to the second holding relationship; Compare the order in which the first write time point and the second holding time point occur; If the sequence of events satisfies that the second holding time point is earlier than the first writing time point, and the first writing time point is earlier than the process creation time point, then it is confirmed that the anonymous process node has a memory write relationship that is consistent with the timing logic, and an output signal indicating that the associated attack chain is closed is generated.
8. The intelligent detection method for software backdoors based on knowledge graphs according to claim 7, characterized in that, The cumulative calculation to obtain the bloodline forgery index includes: Receive the signal that the closed loop of the associated attack chain has been established, and retrieve the basic risk scores configured for different analysis branches; The initial forgery index is obtained by summing the first basic risk score corresponding to the handle asymmetric trigger signal, the second basic risk score corresponding to the token conflict trigger signal, and the third basic risk score corresponding to the memory write relationship. Extract the retention weight of the second holding relationship, use the retention weight to perform exponential amplification calculation on the initial forgery index, and confirm the final value produced by the exponential amplification calculation as the bloodline forgery index.
9. The intelligent detection method for software backdoors based on knowledge graphs according to claim 1, characterized in that, If a token replication relationship exists between the first token node and the second token node, and the nominal parent process node has a first holding relationship, then determining the target process node as legitimate and exiting the verification loop includes: Identify the token-derived edges in the temporal knowledge graph that point from the first token node to the second token node, and read the copy time periods recorded in the token derivation table; Compare the range of the replication time period with the process creation time; If the process creation time falls within the replication period, and the nominal parent process node has a first holding relationship with sufficient execution permissions, then the loop termination operation is executed, the memory verification cache queue allocated to the target process node is cleared, and a normal business program identifier is output.
10. A knowledge graph-based intelligent software backdoor detection system, characterized in that, It is implemented based on the knowledge graph-based intelligent detection method for software backdoors as described in any one of claims 1-9, and includes a data acquisition module, a graph construction module, a verification execution module, an analysis and calculation module, and an output processing module.