Journal of Information Security Research ›› 2021, Vol. 7 ›› Issue (E1): 46-.


Advanced Threat Protection with Memory as the Target


  • Online: 2022-04-20 Published: 2022-04-20

Advanced Threat Protection Scheme with Memory as the Target (Chinese title)

朱燕涛;姚纪卫;杨芳   

  1. 安芯网盾(北京)科技有限公司, Beijing 100085
  • Corresponding author: 朱燕涛, Product Director. Main research interests: host security, memory security. zhuyantao@anxinsec.com
  • Author biographies: 朱燕涛, Product Director. Main research interests: host security, memory security. zhuyantao@anxinsec.com. 姚纪卫, CTO. Main research interests: system security, memory security. linxer@anxinsec.com. 杨芳, M.Sc. Main research interests: network security emergency management, memory security. yangfang@anxinsec.com

Abstract: In recent years, memory-based attack techniques have been increasing, including fileless attacks, memory Webshells, buffer overflows and others, and they can easily bypass existing security detection mechanisms. These memory-based attacks have brought great challenges to existing security solutions. At the memory level, current host, cloud and terminal environments are all exposed to danger. In this context, new defense systems are needed to mitigate the risks of memory-level attacks. Studies have shown that these advanced attacks leave little trace in API-based monitoring and detection methods, but will eventually be staged and executed in memory. Therefore, memory can be considered a gathering point for all threats. The von Neumann computer architecture points out that any data needs to be operated on by the CPU and stored in memory, so theoretically a security solution based on the CPU instruction set and memory level is effective against all threats.


Key words: advanced threat protection, vulnerability detection and defense, fileless attack, memory Webshell attack, advanced threat traceability

Abstract (translated from Chinese): In recent years, memory-based attack techniques have been increasing, including fileless attacks, memory Webshells, buffer overflows and others. These new attack techniques can easily bypass existing security detection mechanisms and pose a great challenge to existing security protection systems. Current host, cloud and terminal environments are all "running naked" at the memory protection level; new technical means are needed to respond, and at the same time runtime security assurance capabilities for programs need to be established, proactive protection capabilities continuously improved, and the "mending the fold after the sheep are lost" situation of taking security measures only after an attack has completed minimized. Research has found that the advanced threat attacks described above leave very few traces under API-monitoring-based detection methods, but will eventually "manifest" and execute in memory, so memory becomes the convergence point of all threats. In the von Neumann computer architecture, all data must be operated on by the CPU and stored in memory, so in theory security protection implemented at the level of the CPU instruction set and memory can effectively defend against all threats.

Key words (translated from Chinese): advanced threat protection, vulnerability detection and defense, fileless attack, memory Webshell attack, advanced threat traceability