63results about "Platform integrity maintainance" patented technology

The invention discloses a virtual environment trust building method, which belongs to the trusted computing field in information security. The invention uses a single TPM to realize the trust of one or a plurality of virtual domains and comprises the following steps: firstly, measuring hardware, a virtual layer, a management virtual domain and one or a plurality of application virtual domains in turn by the TPM, realizing the trust of the application virtual domains, secondly, receiving and processing TPM command requests from each virtual domain, and establishing and maintaining TPM context for each virtual domain. The invention has the advantages that firstly, the platform safety and credibility are intensified through a complete trusted isolating mechanism, the trusted application service is better supported, and secondly, the safe sharing of each virtual domain to a trusted hardware root TPM is realized.

Network based intrusion detection analyzes DB access attempts prior to transport into the host computer system and accordingly, mitigate resource overhead. However, host computer systems often employ local access such as a DBA account. Monitoring access attempts via the network monitor may not encompass such local access attempts. A data security device which intercepts both local and remote access attempts to the database resource monitors all database access attempts for auditing and security analysis. The data security device receives local access transactions via a local agent on the host. The local agent identifies and integrates with an interprocess communication (IPC) mechanism on the host computer system. The local agent implements an IPC interception mechanism to direct local database access attempts to the local agent, which then forwards the intercepted attempts to the data security device for further analysis. The network data security device therefore observes local access attempts via interception and transmission to the data security device, thereby consolidating analysis and logging of the data access attempts via the data security device.

The present invention automates the operation of multiple malware removal software products using a computerized system that systematically operates the multiple selected software products. These products are operated them in a customized “Safe Mode” using a shell that is different than the computer's other shell environments. Unlike the ordinary Safe Modes shells, the Custom Safe Mode prevents malware from functioning that ties itself to the normal shell, such as the Windows Explorer shell. In addition, the Custom Safe Mode allows the automation of tasks beyond that which is available under the standard command line shell.

A system and method for using hierarchical policy levels for distribution of software in a computer network. In one embodiment, computers of the network are arranged into a hierarchy. A management policy server with access to the network queries the hierarchy to identify computers at or below its own level within the hierarchy. Once a set of computers is identified, software programs, updates or policies are distributed, bypassing human intervention.

The invention discloses an efficient Android malware detection model DroidDet based on rotating forest and belongs to the technical field of information security. According to the invention, a decompilation tool is used to decompile the Apk file in an Android application program and a combination of four groups of features is analyzed and extracted as the input for building a rotating forest classifier model. The model is characterized in that 1) the integrated learning method-rotating forest algorithm is initially adopted; further, each base learning device is trained through adopting PCA major constituent analysis and self-service sampling method and using a whole training set; accordingly, the model created in the invention has superior generalization performance; 2) the rotating forest algorithm has the feature of selecting the optimal characteristics so as to avoid noise data. The 10-fold cross-validation method is used for verifying the validity of the model created in the invention and the predicting accuracy of the model in the invention reaches 88.26%, which is 3.13% higher than the 84.93% of typical support vector machines. The model of the invention has wide application prospect in user information security.

The invention provides an abnormality detection method and device based on log graph modeling. The method and the device are applied to a nonsocial network. The method particularly includes: buildinga bipartite graph according to a key field of abnormal data annotated in advance in the nonsocial network, wherein left-side nodes of the bipartite graph correspond to multiple user accounts while right-side nodes of the same correspond to parameter combinations during business interface requesting; extracting features from the bipartite graph, and splicing the extracted features to form a featurevector; performing k-means cluster processing on the basis of the abnormal data and the feature vector to acquire optimal cluster number; according to the optimal cluster number, using a Gaussian mixing model to fit dark industry feature probability distribution; when receiving incoming data, calculating dark industry probability of the data according to feature vector of the incoming data and the Gaussian mixing model, and judging whether the data are abnormal or not according to the dark industry probability and the dark industry feature probability distribution. When the data are judged abnormal, access behaviors of users can be intervened timely, so that network attacks by hackers can be avoided.

The invention is applicable to the technical field of mobile terminals and provides a method and a device for intercepting malicious advertisements of an application program. The method includes scanning an application program installed on a mobile terminal; judging whether malicious advertisement platform codes are inlaid in the application program; and isolating a malicious advertisement platform in the application program when the malicious advertisement platform codes are inlaid in the application program so that the malicious advertisement platform codes are invalidated and the malicious advertisement platform can not operate. According to the method and the device for intercepting the malicious advertisements of the application program, when the malicious advertisement platform codes are detected to be inlaid in the application program, the malicious advertisement platform is isolated by means of a technical means so that when the application program is operated, code sections corresponding to the malicious advertisement platform are not executed, the problems of automatic networking and popping up of the malicious advertisements can be prevented, simultaneously, using of the application program can not be influenced, problems existing in background operation of the malicious advertisements are thoroughly solved, and a good using environment of the mobile terminal is provided for a user.

The embodiment of the invention discloses an establishing method and system of a trust chain. The method comprises the steps of starting a BMC module and a TCM module before a server is powered on; adopting the TCM module to scale BMC firmware in the BMC module to obtain a first scaling result, and judging whether or not the BMC firmware is tampered according to the first scaling result; if the BMC firmware is not tampered, adopting the BMC firmware to scale BIOS-Boot-Block to obtain a second scaling result, and judging whether or not the BIOS-Boot-Block is tampered according to the second scaling result; if the BIOS-Boot-Block is not tampered, controlling a power control module to power on the server, and adopting a BIOS to establish the subsequent trust chain. According to the establishing method and system of the trust chain, the safety of the trust chain is improved when the trust chain is established, and accordingly the safety of the system is improved.

The invention provides a file tamper detecting and repairing method and system. The method includes the steps of firstly, conducting scanning to obtain HASH values and file routes of all credible files in the system, and storing the HASH values and the file routes; secondly, monitoring all the files in the system, comparing all the files in the system with an HASH base, judging whether abnormal files or newly-added files exist or not, conducting matching according to a normal state rule base and a normal state model, if matching is successful according to the normal state model, adding rules of the matching result to the normal state rule base, and if matching fails, reminding a user to conduct processing. Through the method, the tampered files or the newly-added files in the system can be effectively identified; through the combination of the normal state rule base and the normal state model, files or catalogues which are changed in real time can be added to the normal state rule base in time, and self-learning of normal state rules is achieved, and user operation is reduced.

The invention provides a malicious software API (Application Program Interface) call sequence detection method based on graph convolution. The method comprises the following steps: acquiring and recording API call sequence information of processes and sub-processes when a large number of software samples run; performing vectorization processing on the API calling sequence information; extracting aparameter relationship, a dependency relationship and a sequence relationship of the API function; establishing an API call graph; inputting the API call graph into a graph convolutional neural network for training to obtain a malicious software detection network model; collecting API calling sequence information of processes and sub-processes when the executable file to be detected runs; constructing an API call graph of the executable file to be detected, then inputting the API call graph of the executable file to be detected into the malicious software detection network model, If the output result of the malicious software detection network model is 1, indicating that the judgment result is malicious software; If the output result of the malicious software detection network model is 0,indicating that the judgment result is normal software.

The invention discloses a detection method and apparatus for a memory leak bug. The method comprises: obtaining a memory object record currently selected in memory data, wherein the memory data are recorded by a memory of a terminal and generated during use of an application in the terminal, and the memory data comprise one or more memory object records; drawing an object picture indicated by the currently selected memory object record in a predetermined display region; judging whether the object picture is stored in a cache of the terminal or the object picture is displayed by a current interface of the application to obtain a judgment result; and determining whether the application has the memory leak bug or not by using the judgment result. Through embodiments of the invention, the problem of low detection accuracy of detecting a memory leak bug by querying code logic of a picture object in the prior art is solved, so that the effect of accurately detecting the memory leak bug generated by the picture is achieved.

The present invention discloses a method and a system for preventing structured query language (SQL) implantation, wherein the method comprises the steps of: configuring a reverse proxy module, and recording all request logs; performing SQL implantation detection on requests by using an implantation detection module, and recording request parameters with implantation vulnerabilities; parsing the request parameters, extracting corresponding parameter names, and generating a URL abstract collection; acquiring an SQL implantation request to URL by an attacker; transmitting the SQL implantation request to an implantation defense module by the reverse proxy module; determining whether the address of the SQL implantation request is in the URL abstract collection or not by the implantation defense module; if so, replacing parameter values and related keywords of the address of the SQL implantation request by the implantation defense module to acquire a secure request; and transmitting the secure request to a WEB site of a target server. By adopting the method and the system, the requirements for programmers can be reduced, the security of a website can be improved, and the website can be automatically protected without modification of source codes.

The present invention provides an operating system secure startup method, a startup manager and an operating system secure startup system. The method comprises: determining a software measurement policy, a hardware measurement standard value and a software measurement standard value, and determining a hardware measurement value in an operating system startup process; according to the software measurement policy, measuring software information related to operating system startup, and generating a software measurement value; and comparing the hardware measurement value and the software measurement value with the hardware measurement standard value and the software measurement standard value respectively, and if the hardware measurement value is consistent with the hardware measurement standard value and the software measurement value is consistent with the software measurement standard value, determining the operating system to be secure and starting up the operating system, otherwise, disabling the startup of the operating system, thereby ensuring secure startup of the operating system.

The invention relates to the technical field of vulnerability scanning and provides a vulnerability scanning method and a vulnerability scanning device. The method is applied to a detector which is mounted between terminal equipment and a server. The method includes: the detector acquires an asset vulnerability scanning request sent by a user, wherein the asset vulnerability scanning request includes asset name information; the detector reads asset address information according to the name information, wherein the address information is established in advance on the basis of historical access information of the user, and the historical access information includes historical access asset name information and address information; the detector pushes the address information to an asset vulnerability scanner to make it convenient for the vulnerability scanner to perform asset vulnerability scanning. The vulnerability scanning method and the vulnerability scanning device have advantages that the technical problem of high manpower cost in vulnerability scanning with a traditional vulnerability scanner is alleviated.

Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.

The method of inquiring and storing IoC information of the present disclosure is performed by at least one user terminal in an environment including a plurality of user terminals and an IoC information providing server. The user terminals are respectively provided with an event processing module, an IoC inquiry agent module, an encryption socket communication module and a P2P socket communication module.

The method comprises a first step of determining IoC information to be identification target when an event occurs, which is performed by the event processing module; a second step of requesting the encryption socket communication module and the P2P socket communication module to inquire the IoC information, which is performed by the IoC inquiry agent module; a third step of requesting IoC information to the IoC information providing server, which is performed by the encryption socket communication module; a fourth step of requesting IoC information to a P2P socket communication module of the other user terminal, which is performed by the P2P socket communication module; and a fifth step of storing IoC information receiving first among the IoC information requested at the third and fourth steps.

The invention discloses a binary-based system for detecting a memory modifying attack and positioning a bug, which comprises a code converting unit, a basic block data dependency relation recording unit, a code inserting unit and a bug positioning unit, wherein the code converting unit is used for converting x86 binary codes into VEX in the form of Valgrind intermediate codes; the code inserting unit comprises a color transmission code inserting part, an attack detecting code inserting part and a memory pollution command recording code inserting part, is used for dynamic staining analysis and can effectively detect the abnormal condition of memory data with the implementation of a program and record a writing command of a polluted memory; and the bug positioning unit comprises a modified memory address positioning part and a memory modifying command positioning part and is used for finding a memory address modified by an outer input and finding the address of the writing command modifying the memory to complete final positioning. The binary-based system can effectively detect the memory modifying attack and position the bug accurately.

The invention discloses a sandbox technology-based safe operation method and system for shell scripts. The shell script security operating system of the sandbox technology includes a controllable environment, a security manager, security policies and resources; the controllable environment is used to identify controllable commands, uncontrollable commands or custom permissions from shell scripts; dynamically Create a sandbox and implement the security policy of the controllable command, uncontrollable command or custom permission; the security manager is used to extract the security policy of the controllable command, uncontrollable command or custom permission; the security policy is used Used to define the commands that are allowed to execute, and the resources that the commands can access. The invention runs the shell script in a controllable environment, and can effectively prevent malicious commands in the shell script from harming the system. The security manager provides a variety of security policies for the operation of shell commands, which limits the access rights of commands to resources in the sandbox and greatly enhances the security of script execution.

The embodiment of the invention provides a Root detection processing method and device, and a terminal. The Root detection processing method comprises the following steps: obtaining target system partition information which is used for carrying out Root detection processing and is stored in a target terminal; judging whether the obtained target system partition information is the same with preset target verification system partition information or not; and if the obtained target system partition information is not the same with the preset target verification system partition information, detecting that the target terminal carries out Root. The Root detection processing method can be adopted to improve the practicality and the convenience of the Root detection processing.

A system and method are provided for diagnosing, remedying and blocking harmful information including computer viruses online over a computer network via which a web server and a client are linked to each other. The method includes, on a computer network through which a web server and a client system are linked to each other, the web server receiving a connection request from the client system over the computer network. Then, the web server transmits a harmful information blocking code module to the client system. Once the transmission of the harmful information blocking code module is completed the harmful information blocking code module automatically runs on the client system to block in real time harmful information including computer viruses. The harmful information blocking code module is automatically transmitted to and installed in the client system only by online connecting to the harmful information management server, so that the harmful information detected on the client system can be actively blocked in real time without requiring a manual installation process.

The invention discloses a mobile operation and maintenance management platform safe operation and big data application system under cloud environment, comprising a cloud operation and maintenance service resource integration layer for integrating various network resources, a cloud operation and maintenance service technical support layer for providing technology and security as a service, and a cloud operation and maintenance service management support layer for providing management as a service to manage and monitor various resources; the cloud operation and maintenance service resource integration layer comprises a cloud operation and maintenance service resource integration layer for integrating various network resources, a cloud operation and maintenance service technical support layerfor providing technology and security as a service, and a cloud operation and maintenance service management support layer for providing management as a service to monitor various resources; Using Searchable public key encryption scheme, sandbox mechanism, identity authentication service and other security measures; provide cloud service whole process management, including cloud service deliverymanagement, real-time monitoring and management, cloud service billing and pricing support. Through the modular software system structure, the robustness, maintainability and scalability of the systemare enhanced, and the application system can be quickly built and deployed according to the user's needs, so that the public, private or hybrid cloud computing environment can be automatically deployed; Using virtualization investments and traditional IT service applications, you can increase agility and reduce costs and increase server utilization.

The invention belongs to the technical field of digital forensics, and particularly relates to a malicious code fragment intelligent forensics method and system, and the method comprises the steps: constructing a code fragment training set and a code fragment test set for training and testing through extracting the underlying data features of a storage medium; training the set full-connection neural network model by using the data in the code fragment training set, the input being a feature vector, and the output being a normal or malicious prediction result; for the code fragment test set, performing test output by utilizing the trained full-connection neural network model to judge whether model input is a malicious code fragment; and performing feature extraction on the target code snippets, and inputting the target code snippets into a fully-connected neural network model generated through training and testing to obtain an intelligent malicious code recognition result of the targetcode snippets. According to the method, malicious code fragments in storage media such as computers, mobile phones and tablets and evidence containers such as RAW, E01 and AFF can be recognized, and the method has a good application prospect in the field of digital evidence collection such as crime event evidence underlying data automatic analysis.

The present application discloses an automatic verification method and apparatus for remote Windows operating system security rules. The method comprises: first, by remotely logging on to the Windowsoperating system, acquiring the type of operating system, system path, Windows path and defense level. Then, depending on the operating system type and defense level, get security rules, Next, according to the system path, Windows path and security rules, to obtain the path of security rules, and then, under the path, to build a test file, and to obtain its permission value, and finally, using thepermission value and the actual protection results of the path of security rules for comparison, to verify whether the permission value conforms to the security rules, to obtain the verification results. As will be seen, after that remote Windows operate system security rules and their paths have been determined, By comparing the privilege value of the test file constructed under the security rule path with the actual protection result of the security rule path, the automatic verification of the remote Windows operating system security rules is realized, and the system information security isensured.

The embodiment of the invention provides a ransomware detection method. The ransomware detection method comprises the following steps: determining a sequence of traversing terminal files by historicalransomware; deploying a stain file on the terminal according to the determined sequence of traversing the terminal file by the historical ransomware so as to ensure that the stain file is traversed before any important file of the terminal is traversed by the ransomware; when it is monitored that the operation state of the stain file is abnormal, obtaining all processes of the terminal at present; and if a certain process meets any specific attribute of the ransomware library, determining a fact that the software corresponding to the process is ransomware. Compared with a method of deployinga stain file on a terminal device and monitoring the ransomware through the API interfaces and monitoring the API interfaces corresponding to the I/O operations, on one hand, when the operation stateof the stain file is monitored, the frequency of obtaining the operation state of the stain file is far lower than the frequency of the I/O operations, so that the monitoring cost is low, and the system operation loss is low; and on the other hand, the operation state monitoring and I/O operation of the taint file are mutually independent, the I/O operation speed is not influenced, and the methodhas relatively high feasibility and is suitable for popularization and application.

The invention provides a link library function name recognition method and device for a computer binary program. The method comprises the steps of archiving and sorting a static link library is collected; the collected static link libraries; writing the trained machine learning model into an IDA plug-in, and loading and using the IDA plug-in in IDA; and enabling the IDA to receive a suspicious malicious binary program input by a user, call the IDA plug-in compiled by the trained machine learning model to perform automatic analysis and detection, and displays a detection result in an IDA interface. According to the scheme, reverse analysis personnel can conveniently analyze unknown malicious software performance functions in a targeted mode. under the condition that the static link libraryis insufficient, the trained machine learning model can actively distinguish the static link library function from the performance function of the malicious program, the accuracy of static link library function recognition can be improved, and the situation that an attacker maliciously constructs the malicious function consistent with the static link library function signature and cannot recognizethe malicious program is avoided.

The invention provides an MPK technology-based inter-microkernel-module communication method and system, and a medium, and the method comprises the steps: an execution domain step based on MPK technology: controlling the read-write authority of a memory domain through the MPK technology, and separating the resources and states of execution domains from each other; a checkpoint function step of communication between the kernel modules, wherein a checkpoint function modifies the read-write permission of a memory domain at the current moment through a WRPKRU instruction, and switching of an execution domain is carried out; and in the execution domain to which the kernel module of the requested service belongs, requesting the service of the kernel module in the checkpoint function in the formof function call. According to the invention, the IPC performance overhead of a microkernel is effectively reduced, and the microkernel applying the invention has the same safety guarantee as the traditional microkernel through the MPK technology.