85 results about "Attack analysis" patented technology

Systems and methods for detection and prevention of Return-Oriented-Programming (ROP) attacks in one or more applications, including an attack detection device and a stack inspection device for performing stack inspection to detect ROP gadgets in a stack. The stack inspection includes stack walking from a stack frame at a top of the stack toward a bottom of the stack to detect one or more failure conditions, determining whether a valid stack frame and return code address is present; and determining a failure condition type if no valid stack frame and return code is present, with Type III failure conditions indicating an ROP attack. The ROP attack is contained using a containment device, and the ROP gadgets detected in the stack during the ROP attack are analyzed using an attack analysis device.

The invention discloses a homologous attack analysis method for an industrial control honeypot, and the method comprises the steps: introducing coarse-grained and fine-grained attack behavior featuresthrough the physical position features of an attacker, converting the information of the attacker into a group of multi-dimensional attack behavior feature vectors, finding an optimal K value by using a Canopy method according to the coarse-grained attack information of the attacker, and determining attackers or attack organizations with close Euclidean distances as homologous attacks by using animproved K-means clustering method according to the fine-grained attack information of the attacker. According to the method and the system, the behavior characteristics of the homologous attacker can be modeled into the characteristic vector based on the function code sequence, and the method and the system are suitable for analyzing various industrial control protocol honeypot data with function code characteristics; a verification method is provided for solving the problem that it is difficult to judge and verify the same attack source of honeypot data, for some unknown enterprise scannersor attackers, an open source abuse IP database is used for query, and the traditional attacker information of the other unknown attackers is verified.

The invention provides a method and device for analyzing an attack on a smart card chip. The method comprises the following steps: starting the smart card chip, so that the algorithm of the smart card chip is in an operation state; obtaining the operation position of the algorithm on the smart card chip and a critical time point when the algorithm is operated based on analysis of a side channel; and introducing error into the operation process of the algorithm in the position at the critical time point based on analysis of error injection so as to initiate an error attack, and obtaining and analyzing operation encryption data of the algorithm after the error attack is initiated so as to protect the attack. By means of the manner, in combination with the side channel attack and the error injection attack, the attack is precisely controlled in time and space; the error injection precision can be controlled; the attack analysis cost is reduced; the analysis efficiency and the success rate are increased; and thus, effective protection to the attack can be realized.

Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received from an administrator of a network security device. The configuration information includes information indicative of a quantity of packets to be captured for post attack analysis. Responsive to receipt of the configuration information, a size of a circular buffer is configured based thereon. Multiple packets directed to a network protected by the network security device are received from an external network. The received packets are temporarily buffered within the circular buffer. An analysis is performed to determine whether one of the received packets is potentially associated with a threat or undesired activity (“trigger packet”). Responsive to an affirmative determination, contextual information is captured by extracting information regarding at least a portion of the configured quantity of packets from the circular buffer and storing the contextual information within a log.

Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received from an administrator of a network security device. The configuration information includes information indicative of a quantity of packets to be captured for post attack analysis. Responsive to receipt of the configuration information, a size of a circular buffer is configured based thereon. Multiple packets directed to a network protected by the network security device are received from an external network. The received packets are temporarily buffered within the circular buffer. An analysis is performed to determine whether one of the received packets is potentially associated with a threat or undesired activity (“trigger packet”). Responsive to an affirmative determination, contextual information is captured by extracting information regarding at least a portion of the configured quantity of packets from the circular buffer and storing the contextual information within a log.

In a log analysis cooperation system including a logger that collects a log of a communication device and stores the log in a storage device, a SIEM apparatus that detects an attack, and a log analysis apparatus that analyzes the log collected by the logger, a log analysis cooperation apparatus stores an attack scenario in a storage device, receives from the SIEM apparatus warning information including information on the detected attack, computes a predicted occurrence time of an attack predicted to occur subsequent to the detected attack based on the warning information and the attack scenario, and transmits to the log analysis apparatus a scheduled search to search the log at predicted occurrence time computed. The log analysis apparatus transmits a scheduled search to the logger to search the log at the predicted occurrence time.