Abstract: Embodiments of this disclosure provide a malicious traffic identification method and a related apparatus. The malicious traffic identification method may include: determining a receiving time of first alarm traffic; obtaining, according to a preset policy, a plurality of pieces of second alarm traffic corresponding to the first alarm traffic within a target time period, where the target time period is a time period determined based on the receiving time, and a similarity between each of the plurality of pieces of second alarm traffic and the first alarm traffic is greater than a preset threshold; performing feature extraction on the plurality of pieces of second alarm traffic to obtain first feature information; and determining, based on the first feature information, whether the first alarm traffic is malicious traffic. In embodiments of this disclosure, accuracy of malicious traffic identification on a live network can be improved by using a multi-flow traceback method.

Abstract: This application provides a key distribution method, an apparatus, and a system, includes: determining, by an identity management server based on AAA authentication information, whether AAA authentication on the terminal succeeds; if the AAA authentication succeeds, sending the ID of the terminal to a key management server; and generating, by the key management server, a private key of the terminal and returning the private key to the management server. After negotiating with the terminal to generate a first key, the identity management server encrypts the ID and the private key of the terminal, and sends an encrypted ID and an encrypted private key to the terminal. The terminal obtains the ID and the private key of the terminal. According to the key distribution method, apparatus, and system provided in this application, communication security performance of the terminal during ID-based registration authentication is improved.

Abstract: This application provides a key distribution method, an apparatus, and a system, includes: determining, by an identity management server based on AAA authentication information, whether AAA authentication on the terminal succeeds; if the AAA authentication succeeds, sending the ID of the terminal to a key management server; and generating, by the key management server, a private key of the terminal and returning the private key to the management server. After negotiating with the terminal to generate a first key, the identity management server encrypts the ID and the private key of the terminal, and sends an encrypted ID and an encrypted private key to the terminal. The terminal obtains the ID and the private key of the terminal. According to the key distribution method, apparatus, and system provided in this application, communication security performance of the terminal during ID-based registration authentication is improved.

Abstract: A virtual machine kernel protection method and apparatus are disclosed. The method includes: trapping a system call function initiated by an application program (S301); and pointing the system call function to a shadow kernel based on an offset value between a base address of an original kernel of a virtual machine and a base address of the shadow kernel, and determining a corresponding entry address of the system call function in the shadow kernel based on a shadow SSDT in the shadow kernel (S302), where the shadow kernel is constructed in a nonpaged pool of the original kernel of the virtual machine, and the shadow kernel is executable kernel code constructed based on an image file of the original kernel of the virtual machine.

Abstract: A virtual machine kernel protection method and apparatus are disclosed. The method includes: trapping a system call function initiated by an application program (S301); and pointing the system call function to a shadow kernel based on an offset value between a base address of an original kernel of a virtual machine and a base address of the shadow kernel, and determining a corresponding entry address of the system call function in the shadow kernel based on a shadow SSDT in the shadow kernel (S302), where the shadow kernel is constructed in a nonpaged pool of the original kernel of the virtual machine, and the shadow kernel is executable kernel code constructed based on an image file of the original kernel of the virtual machine.