CN102799804A - Comprehensive identification method and system for security of unknown file - Google Patents


Info

Publication number: CN102799804A
Authority: CN (China)
Application number: CN2012101315921A
Other languages: Chinese (zh)
Inventors: 陈章群, 杨锐, 陈春晓
Current assignee: Zhuhai Juntian Electronic Technology Co Ltd
Original assignee: Zhuhai Juntian Electronic Technology Co Ltd
Application filed by: Zhuhai Juntian Electronic Technology Co Ltd
Priority: CN2012101315921A
Publication: CN102799804A
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)


Abstract

The invention discloses a comprehensive identification method for the security of an unknown file. According to the comprehensive identification method, black and white determination is finally obtained by acquiring the content information, the environmental information, the attribute information and the behavioral information of the unknown file, respectively identifying the content information, the environmental information, the attribute information and the behavioral information of the unknown file, and performing comprehensive analysis and judgment. The invention also discloses a comprehensive identification system for the security of the unknown file. The system comprises an unknown file detection device, a file material acquisition device, a material packaging and uploading device, a server end identification device, a comprehensive judgment device, a database updating device, a judgment result issuing device and the like. By the method and the system, the three-dimensional multi-aspect identification is realized; and a judgment result is reliable.

Description

Comprehensive identification method and system for the security of an unknown file
Technical field
The present invention relates to the field of computer security, and specifically to a method and system for identifying the security of an unknown file.
Background art
Computers and software technology have developed greatly, and with them have come viruses. A computer virus is man-made, special-purpose program code with the capacity for self-replication, strong infectivity, a certain latency, specific triggering conditions and great destructiveness.
The traditional virus detection method is signature matching: a virus database is built on the client computer; the signature of one virus and its offset are taken from the database, the signature of the file under test is extracted at that offset and compared with the virus signature; if they match, the file is judged to be that virus; otherwise the signature of the next virus is taken from the database, and so on until every virus has been compared, at which point the file is judged safe. Traditional signature identification has several shortcomings: 1. a feature database must exist locally in the antivirus software, and the accuracy of the judgment depends on whether that feature database is complete and up to date; 2. the feature database needs frequent upgrading, and an outdated virus database cannot meet security requirements; 3. virus species increase very quickly and the local feature database expands rapidly, so the scanning efficiency of the antivirus software falls and its demand on system resources keeps growing; 4. there is no ability to identify new viruses.
To overcome these defects of the conventional technique, the latest approach adopts "cloud scanning and killing" (cloud antivirus) technology. Simply put, the client no longer maintains a virus database; it is mainly responsible for scanning and finding new local files, extracting their signature information and uploading it to the server; the server-side virus database is queried and a verdict is produced after comparison.
However, whether it is the local virus database or the server-side virus database, both are dynamic and need continual updating. For the newest unknown file (or newest virus) a black-or-white determination cannot be made directly; analysis and identification are still required, that is, the whole file (also called the sample) must be further identified by an identification device (appraiser), a verdict must be produced, and the server-side or client virus database must be updated according to that verdict.
The existing identification mode uploads the whole unknown file to the identification system, where an appraiser identifies it. This mode has the following defects: (1) when the file is large, upload time is long and more resources are consumed; (2) in fact, identification of a file does not require all of the file's data; (3) identifying a file by its content information alone is not sufficiently complete.
Summary of the invention
The object of the invention is to address the defects of the existing file security identification modes and to provide a more complete comprehensive identification method and system for unknown file security. The technical scheme that realizes this object is as follows:
A comprehensive identification method for unknown file security, characterized in that it comprises the following steps:
(1) the client gathers file materials for the unknown file; the file materials comprise the content information of the file itself, the environmental information of the file, the attribute information of the file and the behavioral information of the file;
(2) the above information is packaged into an information packet and uploaded to the server;
(3) the server decomposes the information packet and identifies each kind of material separately;
(4) a comprehensive discriminant function is set, the identification results of the various materials from step (3) are computed with it, a threshold is set, the computed result is compared with that threshold, and the file is determined to be white or black;
(5) the comprehensive judgment result is used to update the corresponding data in the appraiser databases, and the comprehensive judgment result is sent down to the client.
Wherein the content information of the file itself comprises: the signature extracted for a PE file, or the in-package file list structure extracted for a compressed package file.
Wherein the environmental information of the file comprises: the path where the file is stored, and the website from which it was downloaded.
Wherein the attribute information of the file comprises: file version information, section table information, icon and signing information.
Wherein the behavioral information of the file comprises operation information such as: self-replication, self-hiding, modification of key registry values, self-repair, injection into other processes, spoofing, and driver loading.
A comprehensive identification system for unknown file security, characterized in that it comprises:
an unknown file detection device, used to search the client's files and find new unknown files;
a file material acquisition device, comprising: a content information acquisition module, which gathers the content information of the unknown file itself; an environmental information acquisition module, which gathers the environmental information of the unknown file; an attribute information acquisition module, which gathers the attribute information of the unknown file; a behavioral information acquisition module, which gathers the behavioral information of the unknown file;
a material packaging and uploading device, used to package the content information, environmental information, attribute information and behavioral information and upload them to the server;
a server-side identification device, comprising: a content information appraiser, which identifies the content information and outputs a corresponding identification result; an environmental information appraiser, which identifies the environmental information and outputs a corresponding identification result; an attribute information appraiser, which identifies the attribute information and outputs a corresponding identification result; a behavioral information appraiser, which identifies the behavioral information and outputs a corresponding identification result;
a comprehensive judgment device, which computes the identification results through a comprehensive discriminant function, compares the computed result with a threshold, and determines whether the file is white or black;
a database update device, which updates the database of each appraiser according to the output of the comprehensive judgment device;
a judgment result issuing device, which sends the output of the comprehensive judgment device down to the client.
The beneficial effect of the invention is: by gathering the content information, environmental information, attribute information and behavioral information of the unknown file, identifying each separately, and finally reaching a black-or-white determination through comprehensive analysis and judgment, a three-dimensional, multi-aspect identification is realized and the verdict is more reliable.
Description of drawings
Fig. 1 is a block diagram of the main components of the identification system provided by the embodiment of the invention.
Fig. 2 is a block diagram of the file material acquisition device of the identification system provided by the embodiment of the invention.
Fig. 3 is a block diagram of the server-side identification device of the identification system provided by the embodiment of the invention.
Fig. 4 is a flow chart of the identification method provided by the embodiment of the invention.
Embodiment
As shown in Fig. 1, the comprehensive identification system for unknown file security provided by this embodiment comprises: an unknown file detection device, a file material acquisition device, a material packaging and uploading device, a server-side identification device, a comprehensive judgment device, a database update device and a judgment result issuing device. The unknown file detection device searches the client's files and finds new unknown files; the file material acquisition device gathers the material information of the unknown file; the material packaging and uploading device packages the collected material information and uploads it to the server; the server-side identification device identifies the several types of information within the material information through multiple appraisers and outputs identification results; the comprehensive judgment device computes these identification results through a comprehensive discriminant function, compares the computed result with a threshold, and determines whether the file is white or black; the database update device updates the database of each appraiser according to the output of the comprehensive judgment device; the judgment result issuing device sends the output of the comprehensive judgment device down to the client.
In this embodiment the file materials comprise content information, environmental information, attribute information and behavioral information, and the file material acquisition device accordingly comprises a content information acquisition module, an environmental information acquisition module, an attribute information acquisition module and a behavioral information acquisition module, as shown in Fig. 2. The content information comprises the extracted signature (for a PE file) or the extracted in-package file list structure (for a compressed package file); the environmental information generally includes the storage path and the download website; the attribute information generally includes file version information, section table information, icon and signing information; the behavioral information generally includes operation information such as self-replication, self-hiding, modification of key registry values, self-repair, injection into other processes, spoofing and driver loading.
Similarly, the server-side identification device comprises a content information appraiser, an environmental information appraiser, an attribute information appraiser and a behavioral information appraiser, used respectively to identify the content information, environmental information, attribute information and behavioral information and to output the corresponding identification results, as shown in Fig. 3.
With reference to Fig. 4, the identification method based on the above identification system comprises the following steps:
(1) the client gathers file materials for the unknown file; the file materials comprise the content information of the file itself, the environmental information of the file, the attribute information of the file and the behavioral information of the file;
(2) the above information is packaged into an information packet and uploaded to the server;
(3) the server decomposes the information packet and identifies each kind of material separately;
(4) a comprehensive discriminant function is set, the identification results of the various materials from step (3) are computed with it, a threshold is set, the computed result is compared with that threshold, and the file is determined to be white or black;
(5) the comprehensive judgment result is used to update the corresponding data in the appraiser databases, and the comprehensive judgment result is sent down to the client.
By gathering the content information, environmental information, attribute information and behavioral information of the unknown file, identifying each separately, and finally reaching a black-or-white determination through comprehensive analysis and judgment, the invention realizes a three-dimensional, multi-aspect identification, and the verdict is more reliable.
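The five-step flow above, as an added Python illustration that is not part of the patent or of any product of the assignee: the client packs the four material types into one packet, the server-side appraisers score each type against their own reference data, a weighted-sum discriminant is compared with a threshold, and the verdict is written back to the appraiser database. The feature codes, path hints, trusted site, score weights and threshold are all constructed assumptions; the patent specifies none of them.

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class FileMaterial:
    """The four material types the client gathers for one unknown file (step 1); contents constructed."""
    content: dict      # e.g. {"pe_feature_code": "..."} or {"archive_listing": [...]}
    environment: dict  # {"path": ..., "download_site": ...}
    attributes: dict   # {"version": ..., "sections": [...], "has_icon": ..., "signed": ...}
    behavior: list     # observed operations, e.g. "self_copy", "modify_registry_run_key"

def pack_materials(m: FileMaterial) -> bytes:
    """Step (2): package the materials into one information packet for upload."""
    return json.dumps(asdict(m), sort_keys=True).encode()

def unpack_materials(packet: bytes) -> FileMaterial:
    """Step (3): the server decomposes the packet back into typed materials."""
    return FileMaterial(**json.loads(packet))

# Assumed per-appraiser reference data; the patent only says each appraiser has its own database.
KNOWN_BAD_FEATURE_CODES = {"feat:deadbeef"}
KNOWN_GOOD_FEATURE_CODES = {"feat:cafebabe"}
SUSPICIOUS_PATH_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TRUSTED_DOWNLOAD_SITES = {"downloads.example-vendor.test"}
SUSPICIOUS_BEHAVIORS = {"self_copy", "hide_self", "modify_registry_run_key",
                        "self_repair", "inject_process", "spoof", "load_driver"}
# Each appraiser returns a score in [-1, 1]: negative leans white, positive leans black.
def appraise_content(c: dict) -> float:
    code = c.get("pe_feature_code")
    if code in KNOWN_BAD_FEATURE_CODES:
        return 1.0
    if code in KNOWN_GOOD_FEATURE_CODES:
        return -1.0
    return 0.0  # unknown signature: the content appraiser alone has no opinion

def appraise_environment(e: dict) -> float:
    score = 0.0
    if any(h in e.get("path", "").lower() for h in SUSPICIOUS_PATH_HINTS):
        score += 0.5
    if e.get("download_site") in TRUSTED_DOWNLOAD_SITES:
        score -= 0.5
    return score

def appraise_attributes(a: dict) -> float:
    # Unsigned, version-less, icon-less binaries are weakly suspicious (assumed weights).
    return (0.3 * (not a.get("signed")) + 0.2 * (not a.get("version"))
            + 0.1 * (not a.get("has_icon")))

def appraise_behavior(b: list) -> float:
    return min(1.0, 0.25 * len(SUSPICIOUS_BEHAVIORS.intersection(b)))

# Step (4): the comprehensive discriminant function is a weighted sum here; the weights and
# the threshold are assumptions, since the patent leaves both to the implementer.
WEIGHTS = {"content": 0.4, "environment": 0.1, "attributes": 0.15, "behavior": 0.35}
THRESHOLD = 0.3
def discriminant(scores: dict) -> float:
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)

def judge(packet: bytes, verdict_db: dict) -> tuple:
    """Server side, steps (3)-(5): returns (verdict, discriminant value, per-appraiser scores)."""
    m = unpack_materials(packet)
    scores = {"content": appraise_content(m.content),
              "environment": appraise_environment(m.environment),
              "attributes": appraise_attributes(m.attributes),
              "behavior": appraise_behavior(m.behavior)}
    value = discriminant(scores)
    verdict = "black" if value >= THRESHOLD else "white"
    # Step (5): write the comprehensive verdict back to the appraiser database (modelled as a
    # dict keyed by signature) so the same file is answered directly next time.
    code = m.content.get("pe_feature_code")
    if code:
        verdict_db[code] = verdict
    return verdict, value, scores

# Constructed samples: a signature-unknown file dropped into Temp, and a signed vendor binary.
SAMPLE_UNKNOWN = FileMaterial(
    content={"pe_feature_code": "feat:0badf00d"},
    environment={"path": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe", "download_site": "unknown-host.test"},
    attributes={"version": "", "sections": [".text", ".rsrc"], "has_icon": False, "signed": False},
    behavior=["self_copy", "modify_registry_run_key", "inject_process"])
SAMPLE_KNOWN_GOOD = FileMaterial(
    content={"pe_feature_code": "feat:cafebabe"},
    environment={"path": "C:\\Program Files\\Vendor\\app.exe", "download_site": "downloads.example-vendor.test"},
    attributes={"version": "1.2.3", "sections": [".text", ".rsrc"], "has_icon": True, "signed": True},
    behavior=[])
```

Note that the unknown sample is judged black even though its signature matches nothing: the environmental, attribute and behavioral appraisers together push it past the threshold, which is the point of the multi-aspect identification.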

Claims (6)

1. A comprehensive identification method for unknown file security, characterized in that it comprises the following steps:
(1) the client gathers file materials for the unknown file; the file materials comprise the content information of the file itself, the environmental information of the file, the attribute information of the file and the behavioral information of the file;
(2) the above information is packaged into an information packet and uploaded to the server;
(3) the server decomposes the information packet and identifies each kind of material separately;
(4) a comprehensive discriminant function is set, the identification results of the various materials from step (3) are computed with it, a threshold is set, the computed result is compared with that threshold, and the file is determined to be white or black;
(5) the comprehensive judgment result is used to update the corresponding data in the appraiser databases, and the comprehensive judgment result is sent down to the client.
2. The comprehensive identification method for unknown file security according to claim 1, characterized in that the content information of the file itself comprises: the signature extracted for a PE file, or the in-package file list structure extracted for a compressed package file.
3. The comprehensive identification method for unknown file security according to claim 1, characterized in that the environmental information of the file comprises: the path where the file is stored, and the website from which it was downloaded.
4. The comprehensive identification method for unknown file security according to claim 1, characterized in that the attribute information of the file comprises: file version information, section table information, icon and signing information.
5. The comprehensive identification method for unknown file security according to claim 1, characterized in that the behavioral information of the file comprises operation information such as: self-replication, self-hiding, modification of key registry values, self-repair, injection into other processes, spoofing, and driver loading.
6. A comprehensive identification system for unknown file security, characterized in that it comprises:
an unknown file detection device, used to search the client's files and find new unknown files;
a file material acquisition device, comprising: a content information acquisition module, which gathers the content information of the unknown file itself; an environmental information acquisition module, which gathers the environmental information of the unknown file; an attribute information acquisition module, which gathers the attribute information of the unknown file; a behavioral information acquisition module, which gathers the behavioral information of the unknown file;
a material packaging and uploading device, used to package the content information, environmental information, attribute information and behavioral information and upload them to the server;
a server-side identification device, comprising: a content information appraiser, which identifies the content information and outputs a corresponding identification result; an environmental information appraiser, which identifies the environmental information and outputs a corresponding identification result; an attribute information appraiser, which identifies the attribute information and outputs a corresponding identification result; a behavioral information appraiser, which identifies the behavioral information and outputs a corresponding identification result;
a comprehensive judgment device, which computes the identification results through a comprehensive discriminant function, compares the computed result with a threshold, and determines whether the file is white or black;
a database update device, which updates the database of each appraiser according to the output of the comprehensive judgment device;
a judgment result issuing device, which sends the output of the comprehensive judgment device down to the client.
Application CN2012101315921A, priority date 2012-04-30, filing date 2012-04-30, "Comprehensive identification method and system for security of unknown file", status Pending, published as CN102799804A (en).


Publications (1)

Publication Number Publication Date
CN102799804A true CN102799804A (en) 2012-11-28



Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003006028A (en) * 2001-06-19 2003-01-10 Jeol Ltd Electronic document handling system
CN101127638A (en) * 2007-06-07 2008-02-20 飞塔信息科技(北京)有限公司 Active virus automatic prevention and control system and method
CN101610152A (en) * 2008-06-19 2009-12-23 华为技术有限公司 Content identification method and system and content management client and server
CN101710374A (en) * 2009-12-12 2010-05-19 珠海市君天电子科技有限公司 Method and device for automatically extracting features of nonviral file
US20100142756A1 (en) * 2008-12-10 2010-06-10 Canon Kabushiki Kaisha Document security method
CN101827096A (en) * 2010-04-09 2010-09-08 潘燕辉 Cloud computing-based multi-user collaborative safety protection system and method
CN101924760A (en) * 2010-08-17 2010-12-22 优视科技有限公司 Method and system for downloading executable file securely


Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014166266A1 (en) * 2013-04-08 2014-10-16 Tencent Technology (Shenzhen) Company Limited File scanning method and system, client and server
CN103177217A (en) * 2013-04-08 2013-06-26 腾讯科技(深圳)有限公司 File scan method, file scan system, client-side and server
CN103177217B (en) * 2013-04-08 2015-08-26 腾讯科技(深圳)有限公司 A kind of file scanning method, system and client and server
US9471782B2 (en) 2013-04-08 2016-10-18 Tencent Technology (Shenzhen) Company Limited File scanning method and system, client and server
CN103634306B (en) * 2013-11-18 2017-09-15 北京奇虎科技有限公司 The safety detection method and safety detection server of network data
CN103634306A (en) * 2013-11-18 2014-03-12 北京奇虎科技有限公司 Security detection method and security detection server for network data
CN104598816A (en) * 2014-12-22 2015-05-06 安一恒通(北京)科技有限公司 File scanning method and device
CN104598816B (en) * 2014-12-22 2017-07-04 安一恒通(北京)科技有限公司 A kind of file scanning method and device
CN106203102A (en) * 2015-05-06 2016-12-07 北京金山安全管理***技术有限公司 A kind of checking and killing virus method and device of the whole network terminal
CN106203102B (en) * 2015-05-06 2019-10-11 北京金山安全管理***技术有限公司 A kind of checking and killing virus method and device of the whole network terminal
CN106682505A (en) * 2016-05-04 2017-05-17 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
CN106682505B (en) * 2016-05-04 2020-06-12 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
US10803171B2 (en) 2016-05-04 2020-10-13 Tencent Technology (Shenzhen) Company Limited Virus detection method, terminal and server


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20121128