
Topsec Tianxuan Lab

Malware detection utilizing sandbox; Analysis and forensic investigation of botnet, trojan horse, worm and other malware samples; AI (Machine learning) and its applications on cybersecurity

Lab Overview

Topsec Tianxuan Lab mainly researches malware detection using sandboxes; analysis and forensic investigation of botnet, trojan horse, worm and other malware samples; and AI (machine learning) and its applications in cybersecurity. Standing at the forefront of the security field, its researchers focus on detecting unknown malware and network risks, and track newly emerging APT, mining, and ransomware samples. With the help of cutting-edge AI and machine-learning technology, the researchers have built a complete defense-in-depth system to deal with unknown threats, providing clients with high-performance, high-quality static and dynamic analysis as a cybersecurity service.

Advanced threat detection technology research

The lab researches detection technologies for dynamic behavior and deeply mines and tracks real-time events of APT organizations. Its researchers use cutting-edge AI technologies to refine extraction, separation, association, and indexing across multiple dimensions, and trace the source of security attacks comprehensively through sample analysis based on visual models.

Malicious code research

The lab analyzes the behavioral characteristics of malicious code, conducts in-depth research on the anti-debugging, obfuscation, and virtualization methods that malicious code uses to bypass detection, and provides malicious code analysis reports.

Cybersecurity warning

Over the years the lab has accumulated a range of detection methods for malicious network behavior, which can promptly detect prevalent malware such as cryptominers and ransomware and provide a complete chain of evidence.

Research on detection methods of mobile internet malicious codes

The lab is engaged in technical research on system source code security, analyzing the behavioral and network characteristics of malicious samples on mobile terminals, researching static analysis and dynamic debugging technologies, and researching hardening, packing, and hooking technologies on mobile terminals.

AI-based malicious code detection technologies

Deep learning-based malicious sample detection: The lab tracks cutting-edge deep learning-based malicious sample detection methods, generating detection models from sandbox operation logs to identify and classify blacklisted and whitelisted samples. The researchers also study adaptive dynamic model update technology to update models online in environments with large sample volumes.

Malware classification using image deep learning

The lab applies the achievements of deep learning in image detection and classification to the detection and classification of malicious software. The researchers construct various types of deep neural networks to classify PE and ELF malware samples, which effectively copes with the increased detection difficulty caused by malware variants and obfuscation.

Detection of domain names generated by Domain Generation Algorithm (DGA)

Currently, botnet Trojan programs tend to use a DGA to generate domain names in order to evade blacklist-based detection. The lab uses deep neural networks to build a deep learning detection model for detecting more than 50 domain names generated using the DGA algorithm. This effectively compensates for the limitations of blacklist-based domain name detection and plays an important role in preventing the spread of botnets.

NLP-based webshell detection

The lab introduces cutting-edge NLP techniques to detect malicious web shell scripts, based on the essential similarity between web shell scripts and natural language text. Its researchers also study and develop highly reliable deep detection models for web shells. These advanced NLP deep detection models can precisely detect and remove various malicious web shell scripts, such as PHP web shells.

Malicious encrypted traffic detection

Detecting malicious botnet traffic that uses encrypted communication protocols is the main difficulty in malicious traffic monitoring. The lab has built a complete set of malicious encrypted traffic detection methods, models, and software based on machine learning technology, and maintains a fingerprint signature database for encrypted traffic to better identify malicious traffic that uses encrypted communication protocols.

Covert tunnel communication detection

The lab uses deep learning and machine learning algorithms to extract features from covert communication and to train and optimize models for various covert tunnels, including but not limited to HTTP tunnels, DNS tunnels, and ICMP tunnels. This technology compensates for the limitations of traditional rule-based covert tunnel detection, enhancing network information security.

SQL injection and XSS attack detection

By tracking common attack injection points, the lab combines traditional feature- and rule-based detection methods with NLP-based machine learning detection methods to effectively detect SQL injection and XSS attacks. It also introduces the ensemble learning concept to improve detection accuracy and stability.

Security tool development

Security tools cover the following areas: a vulnerability batch verification platform, a binary vulnerability mining tool, and a virus and Trojan horse behavior detection system.

Breakthrough in Important Core Technologies

Topsec Tianxuan Lab has long been engaged in the application and technical extension of AI technologies in security detection products. It combines traditional detection engines with new intelligent engines and is committed to the goal of full detection with zero false positives. It has participated in and undertaken many national, provincial, and ministerial key cybersecurity research projects, including the national data security law plan and several national-level technology breakthrough projects. It provides substantial technical support and technology breakthroughs to CNCERT/CC, the China Information Technology Security Evaluation Center, the Ministry of Public Security, the Ministry of State Security, and the military.